Podcast 19

OWASP Podcast Series #19

OWASP NEWS March 2009 (in May) Recorded April 29th, 2009 Published May 11th, 2009

http://images.apple.com/itunes/overview/images/overview-icon-itunes20081106.jpg https://www.owasp.org/images/d/d3/Feed-icon-32x32.png mp3

Participants
Host: Jim Manico Copy Editor: Andre Gironda Participants: Jeff Williams, Arshan Dabirsiaghi, Andre Gironda

Articles
3/18 http://www.gdssecurity.com/l/b/2009/03/17/source-boston-iis7-slides-posted/

Brian Holyfield of Gotham Digital Science posted his slides from SOURCE Boston on IIS7 Security

3/19 http://blogs.msdn.com/sdl/archive/2009/03/19/why-the-new-sdl-threat-modeling-approach-works.aspx

http://blogs.msdn.com/sdl/archive/2009/03/30/speaker-to-suits.aspx

Adam Shostack of the Microsoft SDL Blog posts about Threat-modeling and what he refers to as "boundary objects"

3/22 http://securityninja.co.uk/blog/?p=244

The Security Ninja posts some information on the recent release of the OWASP Security Spending Benchmarks Project

3/23 http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/03/20/exposing-flash-application-vulnerabilities-with-swfscan.aspx

The HP Application Security Center releases SWFScan, a free, new Windows-based tool to help developers find and fix security vulnerabilities in applications developed with the Adobe Flash Platform

3/23 http://voices.washingtonpost.com/securityfix/2009/03/web_fraud_20_data_search_tools.html

Brian Krebs from the Washington Post demonstrates some very scary Web 2.0 websites where thieves can purchase personal data such as social security numbers, mother's maiden names, and other info for rock-bottom prices

3/24 http://www.theregister.co.uk/2009/03/24/hackersblog_quits/

John Leyden of The Register reports that the HackersBlog Romanian group responsible for the high-profile SQL injection attacks has disbanded

3/24 http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html

SearchSecurity Editor, Robert Westervelt, points to a survey that show that more companies seek third-party web app code review

3/25 http://www.thespanner.co.uk/2009/03/25/xss-rays/

Gareth Heyes releases a new tool, XSS Rays, that he built for Microsoft.

3/27 http://1raindrop.typepad.com/1_raindrop/2009/03/the-he-got-game-rule.html

Gunnar Peterson posts on his blog about a book that he feels should influence the security community beyond application developers and application security professionals

3/30 http://www.cigital.com/justiceleague/2009/03/30/maturity-models-vs-top-10-lists/

John Steven argues that Top N lists and Maturity Models are good for tracking industry success, but maybe not organizational success

3/31 http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html

The Google Online Security Blog announces a templating system that can reduce XSS by way of Auto Context-Aware Escaping