Posted at 07:01 PM in Community, Security, Software
The folks at LayerOne have already posted video of the talks. There were some excellent talks. If you have the time, I'd especially recommend David Bryan's talk on GNURadio and Joe McCray's Advanced SQL Injection.
Here's my talk, Is XSS Solvable? (and yes, I know I speak too quickly):
Posted at 09:19 AM in Community, Security, Software
I will be giving a talk called Is XSS Solvable? at LayerOne this Saturday in Anaheim, California. If you're in the LA area, the conference is inexpensive and has some great talks lined up; I'd encourage you to come.
I'll post slides and source code once the talk is finished.
The OpenVAS project, a free and open source replacement for Nessus, announced its first stable release yesterday afternoon. This release includes server installation packages for OpenSUSE, Fedora, Mandrake, Gentoo, and FreeBSD. A client-only package is available for Windows.
Nessus, one of the standards in vulnerability scanners, was an open source project until a couple of years ago. This project is a fork from the last open version.
From Full Disclosure:
The OpenVAS project is proud to announce the release of the first stable version of the "Open Vulnerability Assessment System". OpenVAS is a fork of the Nessus security scanner; while Nessus switched to a proprietary license, OpenVAS will continue to improve the scanner and will provide all components as Free Software. [From Full Disclosure: OpenVAS Stable Release]
Posted at 10:02 PM in Community, News, Security, Software
Georgian President Mikheil Saakashvili will be giving an open press conference via telephone this afternoon. As far as I know, this event is unprecedented in providing access to the online community; sponsorship by a major news organization is not required to interact directly with a head of state.
From RBN:
Tbilisi, Georgia - Mikheil Saakashvili, President of Georgia, will be giving a briefing for international media via teleconference on Monday, August 11, at 11:00 CET (13:00 TBS, 10:00 UK Time, 05:00 ET).
WHEN: The call will take place on Monday, August 11, at 13:00 Tbilisi Time (11:00 Central European Time, 10:00 UK Time, 05:00 Eastern Standard Time); the call will run for approximately 30 minutes.
HOW TO JOIN THE CALL: To join the call, dial +1.706.679.3044 (internationally) or 877.810.6130 (in the USA). Provide the operator with this conference ID: 59983245. [From Russian Business Network (RBN): RBN - Georgia CyberWarfare - Conference Call]
Posted at 01:53 PM in Community, News
Audio recordings from the Last HOPE conference are available online here. It's a long and diverse list of topics that really reflects the history of both the conference and 2600 magazine. I'm sure you can find something that matches your interests and skill level.
I've tossed some onto an iPod for listening this week.
Posted at 07:10 PM in Community, Culture, News
The EFF announced today a new project to shelter developers from legal threats while working on new and emerging technologies.
From LWN:
The Electronic Frontier Foundation (EFF) today launches its Coders' Rights Project -- a new initiative to protect programmers and developers from legal threats hampering their cutting-edge research.
* * *
"Coders who explore technology through innovation and research play a vital role in developing and securing the software and hardware we use everyday. Yet this important work can be stymied by bogus legal threats," said EFF Civil Liberties Director Jennifer Granick, who is heading up the project. "EFF's Coders' Rights Project will provide a front-line defense for coders facing legal challenges for legitimate research activities." [From EFF's Coders' Rights Project [LWN.net]]
Posted at 07:45 PM in Community, News, Software
Today at OSCON, hell froze over.
According to The Register, Microsoft has decided to embrace (some) free/open source software and has joined the Apache software foundation to the tune of $100k a year.
From The Register:
After years of hostility towards Free Software Foundation (FSF) licensing (here and here) Microsoft has announced the first in a series of PHP patches - and it's using an FSF license.
Microsoft told The Reg it's submitted a patch to the community for the ADOdb database abstraction library for PHP to add support for the PHP SQL Driver developed with PHP shop Zend Technologies. The patch is under the FSF's Lesser GPL (LGPL).
And, in a further move towards greater support of open source, Microsoft is becoming a platinum member of the Apache Software Foundation (ASF), paying $100,000 annual membership. The move follows work between the two to support the Office Open XML file formats in Apache's POI project. [From Microsoft pledges love and money to open source | The Register]
This is a smart move on Microsoft's part. There is an enormous amount of innovation going on in the open software communities, and rather than fighting that innovation, Microsoft can now leverage it. This move will make the Windows platform more compatible with open source projects and open a new marketplace for the core operating environments such as Windows Server and SQL Server.
More importantly, though, it makes it much easier for many developers to jump back and forth between platforms, coding in whichever environment makes the most sense for a project.
One has to wonder if this is Ray Ozzie's first major change as the new Chief Software Architect at Microsoft. If so, he's started out on the right foot.
Today at OSCON, David Recordon of Six Apart (which produces Movable Type, the software that drives this blog) announced the formation of the Open Web Foundation.
From O'Reilly Radar:
To make sure that we are working towards the same goal, foundations (like OpenID) and specs (like OAuth) are created. Each time some of the same mistakes are made. The Open Web Foundation's goal is to provide a home for community created specs, with mentorship, resources and infrastructure. Hopefully this will help teams spend time on making the spec. [From Announcing the Open Web Foundation - O'Reilly Radar]
This is a very good thing -- standardized, community-driven specifications can be written at the speed of innovation instead of waiting for one format or another to win out (or waiting for Steve Ballmer to giveth).
Here are the slides from the announcement:
Posted at 07:12 PM in Community, Mobility, News, Software, Systems
Information Security Magazine's online portal points to a study released today by Fortify Software about the security of open source projects.
From Search Security:
Enterprises often rely on open source software to save development time and money, but they should rely on open source for good security, according to a study released today. The review of 11 popular projects revealed numerous vulnerabilities and a general absence of sound security practices.
* * *
The study discovered thousands of vulnerabilities, including nearly 23,000 cross-site scripting flaws and more than 15,000 SQL injection flaws. Of more concern, perhaps, is that there's little evidence open source projects have made finding and remediating security issues a priority. The number of flaws stayed about the same or even increased through each of three new versions of six of the packages tested. (CRM/groupware Hipergate had by far the most issues, more than 14,000.) [From Open source projects fall short on security]
Linus Torvalds doesn't think that security issues are any more important than other bugs. I think that attitude is reflected in results like these. The vulnerabilities in the study were located via an automated scanner then verified by hand. These are the types of bugs that an attacker can find with minimal effort.
With proprietary software, a vulnerability count this massive would express its urgency in the stock price, forcing management to expedite patching. At Microsoft, the security team has the power to stop software from shipping if there are significant vulnerabilities that put their customers at risk.
In open source software, bug fixes are prioritized according to the interests of charismatic leaders instead of being driven by the needs of the end user. Linus is, in effect, making Steve Ballmer's case for him.
The full text of the study can be found here.
Posted at 06:48 PM in Community, Culture, News, Security, Software