[OWASP Hartford] Ideas for 2011
James McGovern
JMcGovern at virtusa.com
Fri Dec 10 13:08:17 EST 2010
A while back, I indicated that I wanted to pursue a slightly different
direction for the Hartford chapter next year. In my humble opinion, the
model where we had speakers (and lots of great ones) has run its course.
I wanted to move towards an approach that is much deeper and more
personal in nature by proposing workshops. While I didn't have a
solidified outline at the time, my thoughts are starting to crystallize
around a one-day session that covers the following:
1. Instead of just attending a lecture, everyone would be required
to show up with a full development environment that was either Java or
.NET based. We would do it real-time and hands-on.
2. The subject area covered would be:
   a. Input Validation (Leveraging the ESAPI library)
      i. Canonicalization, decoding and filtering
      ii. Handling structured data (credit cards, SSN, Drivers License, etc)
      iii. Handling unstructured data (comments, blogs, tweets, etc)
   b. How applications can detect they are under attack (Leveraging
      the AppSensor library)
      i. Forced browsing
      ii. Request velocity
      iii. Unexpected encodings
      iv. Impersonation (sudden user switch)
   c. How applications should handle session management concerns
      i. Across requests (more than a discussion regarding cookies)
      ii. Session invalidation (timeout, logout, attacks)
      iii. Work across containers, SSO tokens, etc
   d. Advanced security techniques
      i. Frame busting
      ii. CAPTCHA
      iii. Re-authentication
      iv. XACML
      v. Logging
Am I headed in a direction that is valuable to the Hartford chapter
membership? Please note I have probably already enumerated topics that
will definitely take more than a day to do full justice. Let me know
your feedback: Good, bad or indifferent...
James McGovern
Insurance SBU
Virtusa Corporation
http://twitter.com/McGovernTheory
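The four AppSensor-style detection points named under item b (forced browsing, request velocity, unexpected encodings, and a sudden user switch) are easy to describe but worth seeing as code. The following is an added example written for this page; it is not the OWASP AppSensor or ESAPI library and is not part of the original message. The class, method and field names are hypothetical, the thresholds are arbitrary, the traffic records are constructed, and it assumes Java 17 (records, Set.of).

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.Pattern;

// Hypothetical AppSensor-style detector written as an example for this page;
// it is not the OWASP AppSensor library. Assumes Java 17.
public class AttackDetector {

    enum DetectionPoint { FORCED_BROWSING, REQUEST_VELOCITY, UNEXPECTED_ENCODING, USER_SWITCH }

    // One request as the application sees it. "param" is the raw (still URL-encoded)
    // query value as it arrived on the wire; null when the request carried none.
    record Request(long timeMillis, String sessionId, String userId, String path, String param) {}

    private static final Pattern PCT_ENCODED = Pattern.compile("%[0-9A-Fa-f]{2}");

    private final Set<String> knownPaths;   // routes the application actually serves
    private final int velocityLimit;        // max requests per session inside the window
    private final long windowMillis;
    private final Map<String, Deque<Long>> recentBySession = new HashMap<>();
    private final Map<String, String> ownerBySession = new HashMap<>();
    private final Map<String, Integer> eventsBySession = new HashMap<>();

    AttackDetector(Set<String> knownPaths, int velocityLimit, long windowMillis) {
        this.knownPaths = knownPaths;
        this.velocityLimit = velocityLimit;
        this.windowMillis = windowMillis;
    }

    /** Evaluates one request and returns the detection points it triggered (possibly none). */
    List<DetectionPoint> inspect(Request r) {
        List<DetectionPoint> hits = new ArrayList<>();

        // Forced browsing: a request for a route the application never links to or serves.
        if (!knownPaths.contains(r.path())) hits.add(DetectionPoint.FORCED_BROWSING);

        // Request velocity: sliding window of timestamps per session.
        Deque<Long> times = recentBySession.computeIfAbsent(r.sessionId(), k -> new ArrayDeque<>());
        times.addLast(r.timeMillis());
        while (!times.isEmpty() && r.timeMillis() - times.peekFirst() > windowMillis) times.pollFirst();
        if (times.size() > velocityLimit) hits.add(DetectionPoint.REQUEST_VELOCITY);

        // Unexpected encoding: double-encoded, NUL-bearing or malformed parameter values.
        if (r.param() != null && hasUnexpectedEncoding(r.param())) hits.add(DetectionPoint.UNEXPECTED_ENCODING);

        // Impersonation: the same session id suddenly presents a different authenticated user.
        String previousOwner = ownerBySession.putIfAbsent(r.sessionId(), r.userId());
        if (previousOwner != null && !previousOwner.equals(r.userId())) hits.add(DetectionPoint.USER_SWITCH);

        eventsBySession.merge(r.sessionId(), hits.size(), Integer::sum);
        return hits;
    }

    /**
     * The container decodes a value once. If the result still contains %XX sequences the
     * client encoded it twice, which a browser-submitted form never does; a NUL byte or a
     * malformed escape is likewise never produced by a well-behaved client.
     */
    static boolean hasUnexpectedEncoding(String rawValue) {
        String decodedOnce;
        try {
            decodedOnce = URLDecoder.decode(rawValue, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedEscape) {
            return true;
        }
        return PCT_ENCODED.matcher(decodedOnce).find() || decodedOnce.indexOf('\0') >= 0;
    }

    /** Response policy: escalate on the number of events a session has accumulated. */
    String respond(String sessionId) {
        int events = eventsBySession.getOrDefault(sessionId, 0);
        if (events >= 4) return "LOCK_ACCOUNT";
        if (events >= 2) return "LOGOUT_SESSION";
        if (events >= 1) return "LOG_WARNING";
        return "NONE";
    }

    public static void main(String[] args) {
        AttackDetector detector = new AttackDetector(Set.of("/login", "/account", "/search"), 5, 10_000L);

        // Constructed sample traffic, not captured from any real system.
        List<Request> traffic = new ArrayList<>(List.of(
            new Request(1_000L, "s1", "alice", "/account", "view=summary"),
            new Request(1_500L, "s1", "alice", "/admin/backup", null),           // forced browsing
            new Request(2_000L, "s1", "alice", "/search", "q=%253Cscript%253E"), // double-encoded
            new Request(2_500L, "s1", "bob",   "/account", null)));              // user switch
        for (long t = 3_000L; t < 3_600L; t += 100L) {                           // burst from s2
            traffic.add(new Request(t, "s2", "carol", "/search", "q=term"));
        }

        for (Request r : traffic) {
            List<DetectionPoint> hits = detector.inspect(r);
            if (!hits.isEmpty()) {
                System.out.printf("%s %s %s -> %s, response=%s%n",
                    r.sessionId(), r.userId(), r.path(), hits, detector.respond(r.sessionId()));
            }
        }
    }
}
```

Two design points matter more than the thresholds. First, each detection point is evaluated inside the application, with the session and authenticated user in hand, which is what lets "sudden user switch" and "route the app never serves" be decided at all; a network device in front of the application has neither. Second, the response is keyed on accumulated events per session rather than on any single signal, so one odd request logs a warning while a pattern of them ends the session.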