A recap of the 2nd OWASP conference
By Christian Heinrich
The second Open Web Application Security Project (OWASP) Conference held on the Gold Coast is regarded as the leading Web Application Security conference within the Asia Pacific region attracting both Australian and overseas speakers and attendees.
The conference continued its community atmosphere with open discussions and sharing of ideas on Web Application Security during the various social events each night including a gala dinner.
PRESENTATIONS – DAY ONE
The keynote delivered by Roger Thornton provided a historical timeline from when companies relied on a firewall to protect their insecure mail servers and web servers to the state of the art today where security is incorporated during the development of these server applications and their associated clients.
Andrew van der Stock, who is the major contributor to the OWASP Developer Guide and the widely known OWASP Top Ten, argued that incorporating application security testing during development results in more vulnerabilities being removed from the software prior to shipping than conducting penetration testing once the software has been developed.
Brett Moore demonstrated various OWASP Top Ten Vulnerabilities in a number of decoy web sites with the appearance of New Zealand security entities.
Sumit Siddharth demonstrated his “bsqlbf” tool to exploit Blind SQL Injection vulnerabilities and concluded with an SQL Injection within Oracle to leverage a Web Proxy to exploit another SQL Injection within Microsoft SQL Server on the same network.
PRESENTATIONS – DAY TWO
In his keynote, Adi Sharabani demonstrated active Man in the Middle (MitM) scenarios that attack web applications with “Surf Jacking” and “Sidejacking”: once the password has finished transmitting over a secure connection, the application reverts to sending its communication in the clear, exposing the session to anyone on the network path.
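The pattern behind these attacks is a session cookie issued over HTTPS that is later carried in plaintext requests. The following is an added example, not code from the article or the speaker: it walks a constructed proxy-style trace of one browser session (hostname and cookie name are made up) and flags both the missing Secure attribute at issue time and any later leak of that cookie over HTTP.

```python
"""Detect the 'secure login, then clear-text session' pattern that Surf
Jacking / Sidejacking rely on. Added example; trace data is constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed trace: (url, direction, relevant headers) for one browser session.
# The login response sets the session cookie over HTTPS but omits `Secure`,
# and a later catalog request carries that cookie over plain HTTP.
TRACE = [
    ("https://shop.example/login", "response",
     {"Set-Cookie": "SESSIONID=abc123; Path=/; HttpOnly"}),
    ("https://shop.example/account", "request",
     {"Cookie": "SESSIONID=abc123"}),
    ("http://shop.example/catalog", "request",
     {"Cookie": "SESSIONID=abc123"}),
]


def find_sidejacking_risks(trace):
    """Return human-readable findings for two related weaknesses:
    - a cookie set over HTTPS without the Secure attribute, and
    - a cookie issued over HTTPS that is later sent in a plaintext request."""
    findings = []
    issued_over_tls = set()
    for url, direction, headers in trace:
        scheme = urlsplit(url).scheme
        if direction == "response" and "Set-Cookie" in headers:
            jar = SimpleCookie(headers["Set-Cookie"])
            for name, morsel in jar.items():
                if scheme == "https":
                    issued_over_tls.add(name)
                    # morsel["secure"] is "" when the attribute is absent.
                    if not morsel["secure"]:
                        findings.append(
                            f"{name}: set over HTTPS without Secure attribute")
        elif direction == "request" and "Cookie" in headers:
            for part in headers["Cookie"].split(";"):
                name = part.strip().split("=", 1)[0]
                if scheme == "http" and name in issued_over_tls:
                    findings.append(
                        f"{name}: issued over HTTPS but sent in clear to {url}")
    return findings


if __name__ == "__main__":
    for finding in find_sidejacking_risks(TRACE):
        print(finding)
```

Marking the cookie `Secure` (and serving the whole site over HTTPS, e.g. with HSTS) removes both findings, because the browser will then refuse to attach the cookie to plaintext requests.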
Alex Kouzemtchenko exploited the Cross Site Scripting (XSS) Filter in Internet Explorer 8 to obtain Cookies, including authentication Cookies used in Cross Site Request Forgery (CSRF).
Pravir Chandra, leader of the OWASP “CLASP” Project, presented the free Software Assurance Maturity Model (SAMM) which provides a well-defined way for organizations to iteratively improve security in software development.
CONCLUSION
In keeping with the spirit of openness fostered within the OWASP community, the slides and the associated video of each presentation are available online.
Overall, the conference provided better value for money than any other security conference held on the Gold Coast for learning the state of the art from speakers and socialising with other attendees.
* Christian Heinrich is the OWASP "Google Hacking" project lead.