The second Open Web Application Security Project (OWASP) Conference held on the Gold Coast is regarded as the leading Web Application Security conference within the Asia Pacific region, attracting both Australian and overseas speakers and attendees.
The conference continued its community atmosphere with open discussions and sharing of ideas on Web Application Security during the various social events each night including a gala dinner.
PRESENTATIONS – DAY ONE
The keynote delivered by Roger Thornton provided a historical timeline from when companies relied on a firewall to protect their insecure mail servers and web servers to the state of the art today where security is incorporated during the development of these server applications and their associated clients.
Andrew van der Stock, the major contributor to the OWASP Developer Guide and the widely known OWASP Top Ten, argued that incorporating application security testing during development removes more vulnerabilities from the software prior to shipping than conducting penetration testing once the software is developed.
Brett Moore demonstrated various OWASP Top Ten Vulnerabilities in a number of decoy web sites with the appearance of New Zealand security entities.
Sumit Siddharth demonstrated his “bsqlbf” tool to exploit Blind SQL Injection vulnerabilities and concluded with an SQL Injection within Oracle to leverage a Web Proxy to exploit another SQL Injection within Microsoft SQL Server on the same network.
PRESENTATIONS – DAY TWO
In his keynote, Adi Sharabani demonstrated active Man in the Middle (MitM) scenarios, “Surf Jacking” and “Sidejacking”, that attack web applications which transmit the password over a secure connection but then revert to sending application communication in the clear.
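The weakness behind these scenarios is a session cookie that the browser will also send over plain HTTP once the application leaves HTTPS. The following check, added here as an illustration and not part of the conference material, audits the Set-Cookie headers of a login response for session-looking cookies that lack the Secure attribute; the sample responses and the cookie-name hints are constructed assumptions.

```python
# Constructed sample responses: a login response that sets a session cookie
# without the Secure attribute, and the corrected response that sets it.
WEAK_LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Location: /home\r\n\r\n"
)
FIXED_LOGIN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Location: /home\r\n\r\n"
)

# Assumption: substrings that usually mark a session identifier; adjust to
# the cookie names of the application under review.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookies(raw_response):
    """Return (name, attribute-set) for every Set-Cookie header in a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; values (Path=/) are dropped.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        cookies.append((name, attrs))
    return cookies


def sidejackable_cookies(raw_response):
    """Session-looking cookies that the browser would also send over plain HTTP."""
    return [
        name
        for name, attrs in parse_set_cookies(raw_response)
        if any(hint in name.lower() for hint in SESSION_NAME_HINTS)
        and "secure" not in attrs
    ]


if __name__ == "__main__":
    print("weak :", sidejackable_cookies(WEAK_LOGIN_RESPONSE))   # ['JSESSIONID']
    print("fixed:", sidejackable_cookies(FIXED_LOGIN_RESPONSE))  # []
```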
Alex Kouzemtchenko exploited the Cross Site Scripting (XSS) Filter in Internet Explorer 8 to obtain cookies, including the authentication cookies used in Cross Site Request Forgery (CSRF).
Pravir Chandra, leader of the OWASP “CLASP” Project, presented the free Software Assurance Maturity Model (SAMM) which provides a well-defined way for organizations to iteratively improve security in software development.
CONCLUSION
In keeping with the spirit of openness fostered within the OWASP community, the slides and video of each presentation are available online.
Overall, the conference provided better value for money than any other security conference held on the Gold Coast, both to learn the state of the art from the speakers and to socialize with other attendees.
* Christian Heinrich is the OWASP “Google Hacking” project lead.