Podcast 8

OWASP Podcast Series #8

OWASP NEWS PART 1 February 2009 Recorded First Week in February 2009


Thank you to Dre for co-producing and preparing the news segments. Thank you to Marcin for "debugging" the early edits.

OWASP AppSec News
http://www.suspekt.org/2009/02/06/some-facts-about-the-phplist-vulnerability-and-the-phpbbcom-hack/
http://hackedphpbb.blogspot.com/2009/01/place-holder.html
http://www.owasp.org/index.php/Category:OWASP_Scrubbr
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

http://michael-coates.blogspot.com/2009/02/xss-prevention.html
http://nickcoblentz.blogspot.com/2009/01/owasps-xss-prevention-cheat-sheet.html
While many of you may be familiar with the ha.ckers.org RSnake XSS Cheat Sheet, Michael Coates and Nick Coblentz talk about the advantages of the OWASP XSS Prevention Cheat Sheet. Michael says it's "cool" because it addresses: Injecting Up vs. Injecting Down, Attribute Escaping, JavaScript Escaping, CSS Escaping, and URL Escaping.

http://blogs.msdn.com/sdl/archive/2009/01/27/sdl-and-the-cwe-sans-top-25.aspx
http://www.securitycatalyst.com/is-this-helpful/
Bryan Sullivan and Michael Howard put together some information about the Top 25 Most Dangerous Programming Errors on the SDL blog, including a mapping of the Microsoft SDL to each Common Weakness, or CWE, and how best to address each weakness through education, threat modeling, a specific Microsoft tool, and/or manual review.

http://denimgroup.typepad.com/denim_group/2009/01/owasp-san-antonio-slide-deck-online.html
Dan Cornell of the Denim Group recently spoke at OWASP San Antonio on "Vulnerability Management in an Application Security World". In this presentation, Dan's agenda focuses on what to do after you've found vulnerabilities in an application, as well as the different perspectives of a classic IT security group versus the one-track, bug-track mind of developers.

http://keepitlocked.net/archive/2009/01/27/socalcodecamp-presentation-quot-top-ten-tips-for-tenacious-defense-for-asp-net-application-quot.aspx
Another presentation came across the blog world from Alex Smolen at Foundstone. He spoke at SoCal Code Camp on the "Top Ten Tips for Tenacious Defense in ASP.NET". I know that a lot of people ask, "What are the specific protections that OWASP recommends, and which are out of beta or stable enough to use?" Alex seems to have a prescription.

http://www.cgisecurity.com/2009/01/web-application-scanners-comparison.html
http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=213000085
cgisecurity.com brings us a news piece on a recent web application security scanner comparison. Someone named "anantasec" posted a 26-page evaluation of three commercial WASS tools. He tested 13 web applications, 3 demo applications provided by the vendors, and some tests to verify JavaScript execution capabilities.

http://shreeraj.blogspot.com/2009/01/infosecworld-08-presenting-research.html
Shreeraj Shah posted on his blog about an upcoming event that may be worth checking out. He is speaking at Infosecworld on "Defending Against the Worst Web-Based Application Vulnerabilities in 2009", which is being held in Florida on Wednesday, March 11th. His "next generation" attack research includes topics such as SQL over JSON, XSS with RSS feeds, and XPath over SOAP.

http://www.cigital.com/justiceleague/2009/01/22/let-the-posturing-begin/
jOHN Steven of Cigital posts on the Justice League blog about hybrid analysis tools. jOHN approaches hybrid analysis from the stance that A) there are strengths to each tool and each type of analysis, and B) while unpopular today, it is valuable to drive dynamic testing efforts from static analysis results.

http://jobsearchtech.about.com/od/educationfortechcareers/g/CSSLP.htm
More information has become available about the CSSLP, or the Certified Secure Software Lifecycle Professional certification from (ISC)2. While highly talked about during and after the OWASP AppSec USA 08 conference, the CSSLP is set to debut in June 2009, when the first exams will become available. The certification appears to focus on 7 key areas or "domains": Secure Software Concepts, Requirements, Design, Implementation, Testing, Acceptance, and Deployment.

http://ounceopen.squarespace.com
The OWASP legend Dinis Cruz and the Ounce Labs Advanced Research Team have a website for O2, or OunceOpen. O2 was developed by security professionals FOR security professionals, and is designed to automate the security consultant's brain!

http://research.zscaler.com
Mike Sutton, Jeff Forristal, and Brenda Larcom of the Zscaler Research team have posted a record 48 innovative posts since September on topics such as web application security and cloud computing. This is probably the top blog to watch in 2009 by our guesses!
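The context-specific escaping that the XSS Prevention Cheat Sheet item above lists (attribute, JavaScript, CSS and URL escaping), as an added example that is not the cheat sheet's or OWASP's own code. The encoders follow the cheat sheet's general rule of escaping every non-alphanumeric character in the syntax of the context the data lands in; the `render` function and its sample payload are constructed here for illustration.

```python
import urllib.parse

# Added example (not OWASP code): one encoder per output context named in the
# cheat sheet item above. Every character outside [A-Za-z0-9] is escaped using
# the escape syntax of the target context, so that context's browser parser
# never sees a delimiter that could close the string, attribute or tag.
_ALNUM = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def html_body(s: str) -> str:
    """Untrusted data placed between HTML tags: entity-encode the six delimiters."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}
    return "".join(table.get(c, c) for c in s)


def html_attribute(s: str) -> str:
    """Untrusted data inside a quoted attribute value: &#xHH; for non-alphanumerics."""
    return "".join(c if c in _ALNUM else f"&#x{ord(c):02X};" for c in s)


def js_string(s: str) -> str:
    """Untrusted data inside a quoted JavaScript string literal: \\xHH or \\uHHHH."""
    return "".join(
        c if c in _ALNUM else (f"\\x{ord(c):02X}" if ord(c) < 0x100 else f"\\u{ord(c):04X}")
        for c in s
    )


def css_value(s: str) -> str:
    """Untrusted data inside a CSS property value: \\HH followed by a space."""
    return "".join(c if c in _ALNUM else f"\\{ord(c):X} " for c in s)


def url_param(s: str) -> str:
    """Untrusted data used as a URL query parameter value: %HH percent-encoding."""
    return urllib.parse.quote(s, safe="")


def render(untrusted: str) -> str:
    """Place one untrusted value into four contexts, each with the matching encoder."""
    return (
        f'<div title="{html_attribute(untrusted)}">{html_body(untrusted)}</div>\n'
        f"<script>var u = '{js_string(untrusted)}';</script>\n"
        f"<style>#x {{ font-family: '{css_value(untrusted)}'; }}</style>\n"
        f'<a href="/search?q={url_param(untrusted)}">link</a>'
    )


if __name__ == "__main__":
    # Constructed sample input: a classic attribute-breakout probe.
    print(render('"><script>alert(1)</script>'))
```

Running the block prints the same probe string neutralised four different ways; the only literal `<script>` in the output is the one the template itself emits.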