Podcast 13

OWASP Podcast Series #13

OWASP NEWS March 2009
Host: Jim Manico
Copy Editor: Andre Gironda
Participants: Jeff Williams, Arshan Dabirsiaghi, Andre Gironda
Recorded March 15, 2009
Published March 23, 2009


OWASP AppSec News
Feb 10 - https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/1093-BSI.html
The Build Security In website asks "What measures do vendors use for software assurance?". Jeremy Epstein performed a study with 8 independent software vendors about their techniques and motivations for implementing an internal software assurance program similar in theory to the Microsoft SDL.

Feb 11 - http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2009/02/10/an-unfortunate-case-of-learned-behavior.aspx
Rafal Los of HP postulates that all tools and all human testers have shortcomings, as demonstrated by the many inconsistencies in pen-testing activities.

Feb 13 - http://www.cigital.com/justiceleague/2009/02/13/do-cloud-based-apps-destroy-web-app-security/
Feb 19 - http://nickcoblentz.blogspot.com/2009/02/create-security-strategy-before.html
Scott Matsumoto waxes philosophical about the effect of cloud computing on web applications, while Nick Coblentz discusses plans for integrating web application security with cloud computing.

Feb 14 - http://wivet.googlecode.com
Wivet, a benchmarking project that aims to statistically analyze web link extractors (that is, to gauge how well a web application security scanner can crawl), recently released version 3 and updated its wiki with new information about scanner results and a look ahead through its wishlist.

Feb 16 - http://www.owasp.org/index.php/Cincinnati#November_Meeting
The OWASP Cincinnati chapter has recently posted a presentation given in November 2008 by Jeremiah Blatz of Foundstone on "Web Application Hacking for Developers".

Feb 18 - http://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html#Smith
The presentations and whitepapers for BlackHat DC 2009 were made available, including a fabulous presentation from Colin Ames, Delchi, and Val Smith on "Dissecting Web Attacks".

Feb 15 - http://www.dragoslungu.com/2009/02/15/gartner-magic-quadrant-on-static-application-security-testing-feb-2009/
Feb 20 - http://www.cigital.com/justiceleague/2009/02/19/gartner-and-static-analysis/
Gartner releases a Magic Quadrant on Static Application Security Testing; John Steven at Cigital weighs in with his SAST views.

Feb 20 - http://www.securitycatalyst.com/the-balkanization-of-web-application-security/
Bill Pennington theorizes, "most people in the web application security space are a specialist in one particular area, source code review, black box testing, web application firewalls or developer training. This lack of knowledge of the other solutions generally breeds fear and contempt".

Feb 22 - http://appsecnotes.blogspot.com/2009/02/dirbuster-shoots-and-scores.html
Dave Ferguson discusses the OWASP DirBuster tool, developed by James Fisher.

Feb 22 - http://funkatron.com/site/comments/safely-parsing-json-in-javascript/
A discussion about safely parsing JSON in JavaScript, which includes Douglas Crockford's prescriptions.

Feb 23 - http://www.owasp.org/index.php/Category:OWASP_Web_Application_Scanner_Specification_Project
A new OWASP project: the Web Application Scanner Specification.

Feb 25 - http://shreeraj.blogspot.com/2009/02/article-on-web-2.html
Shreeraj Shah brings attention to the latest issue of INSECURE magazine, issue 20, which includes his article "Web 2.0 case studies: challenges, approaches and vulnerabilities".

Feb 25 - http://www.owasp.org/index.php/OWASP_AU_Conference_2009
Feb 27 - http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html
Ory Segal of IBM/Watchfire posts on their blog about a paper and presentation entitled "Active MITM attacks", which was part of the keynote at the OWASP AU Conference.

Mar 4 - http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7cef15a8-8ae6-48eb-9621-ee35c2547773
The Microsoft Download Center releases a new paper on "Security Guidance for Writing and Deploying Silverlight Applications".

We bring you an update on the happenings at the OWASP AU Conference 2009.

Mar 5 - http://www.lookout.net/2009/03/05/presenting-idn-spoofing-threats-to-icanns-security-committee/
Chris Weber of Casaba Security talked about IDN spoofing threats at ICANN's security committee. According to Chris, these attacks still work against all updated, modern browsers!

Mar 6 - http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
A new OWASP wiki page, the SQL injection cheat sheet, is up!

Mar 9 - http://www.cgisecurity.com/2009/03/revisiting-browser-v-middleware-attacks-in-the-era-of-deep-packet-inspection.html
http://www.cgisecurity.com/2009/03/socket-capable-browser-plugins-result-in-transparent-proxy-abuse.html
Robert Auger and Dan Kaminsky provide papers on new attack research. Robert's paper is entitled "Socket Capable Browser Plug-ins Result In Transparent Proxy Abuse", and Dan Kaminsky extended that work in his paper to include Active FTP Application Layer Gateways.

Mar 9 - http://hackademix.net/2009/03/09/cross-site-xbl-returns-from-the-dead/
http://www.h-online.com/security/Swindlers-using-new-CSS-method-attack-eBay--/news/112803
Giorgio Maone of the NoScript project reports that Cross-Site XBL is once again executable in Firefox 3 and that Microsoft may also have issues.

Mar 10 - http://bernardodamele.blogspot.com/2009/03/presenting-at-owasp-london-chapter.html
Bernardo Damele, the author of sqlmap, presented on SQL injection at the OWASP Front Range Denver Conference as well as at the OWASP London Chapter.

Mar 12 - http://www.lookout.net/2009/03/12/uniview-character-lookup-tool/
Chris Weber of Casaba Security points out an online character lookup tool from Richard Ishida called Uniview. Chris mentions that this tool is good for looking up, by Unicode code point, the Unicode characters he often references in his presentations.

Mar 12 - https://www.casabasecurity.com/content/watcher-security-tool-web-applications
Chris Weber and the folks at Casaba Security must be busy, because they are also releasing another tool, Watcher, on the Codeplex website. Watcher appears to be a passive-proxy extension to Fiddler, a Microsoft web proxy for Internet Explorer.

Mar 13 - http://www.owasp.org/index.php/Don%E2%80%99t_Write_Your_Own_Security_Code:_The_OWASP_Enterprise_Security_API%27
Another new OWASP page on ESAPI includes a presentation from Jeff Williams.

Society of Payment Security Professionals
https://www.paymentsecuritypros.com/en/articles/search.asp?category=Articles
https://www.paymentsecuritypros.com/en/users/login.asp?/appsecurityusergroup/index.asp
SPSP has recently posted information about Education and Training Validity, as well as Certification Validation. Ed Bellis of Orbitz and Trey Ford of WhiteHatSec are heading up the AppSec working group within SPSP, but the information about the group and its wiki are currently members only.

Safari and GIFAR
Feb 13 - http://xs-sniper.com/blog/2009/02/13/stealing-more-files-with-safari/
Feb 24 - http://riosec.com/updates-on-gifar-vulnerability
Feb 25 - http://www.cgisecurity.com/2009/02/apple-goes-public-with-security-in-safari-4.html
Billy Rios speaks about the recent Safari security bugs and GIFAR. Robert Auger speaks to the security improvements upcoming in Safari version 4.

OWASP Software Assurance Day 2009
Feb 23 - http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009
OWASP SnowFROC
Feb 12 - http://cleartext.wordpress.com/2009/02/12/march-events/
Two new OWASP events for the month of March!

OWASP AppSec EU 2009
Mar 1 - http://www.owasp.org/index.php/AppSecEU09
AppSecEU09 updated with speaker list!

CanSecWest Vancouver 2009
http://cansecwest.com/speakers.html
An updated speakers list shows that Jeff "rfp" Forristal of Zscaler Research will be presenting on "Network design for effective HTTP traffic filtering" and Chris Weber of Casaba Security will present on "Exploiting Unicode-enabled software". Most security analysts expect to see new Safari, Flash, and/or other exploits in the PWN2OWN contest!