[Owasp-seattle] OWASP meeting 8/11
Mark.Jacobs at symetra.com
Mon Aug 3 16:27:56 EDT 2009
I plan to attend -- I've never been to an OWASP meeting, so looking forward to it!
Mark Jacobs, CISSP
IT Risk Management
Date: Tue, 28 Jul 2009 19:10:28 -0700
From: Mike de Libero <mikede at mde-dev.com>
Subject: [Owasp-seattle] Next Seattle OWASP Meeting : 8/11/2009
To: owasp-seattle at lists.owasp.org
Message-ID: <7CA328E6-4DFD-465C-ABEA-B4D7F02FD4B3 at mde-dev.com>
Content-Type: text/plain; charset=WINDOWS-1252; format=flowed;
I know, I know, it has been too long since our last meeting, but better late than never :). Anyways, here are the pertinent details. Please let me know if you are coming so I can order enough food and drinks for everyone.
Location: Bellevue Las Margaritas
437 108th Ave NE
Bellevue, WA 98004
Date: 8/11/2009 @ 6:30ish
Speaker: Anil Kumar Revuru
The Microsoft Anti-Cross-Site Scripting Library
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique, sometimes referred to as the principle of inclusions, to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of Anti-XSS library v3.0:
* An expanded white list that supports more languages
* Performance improvements
* Performance data sheets (in the online help)
* Support for Shift_JIS encoding for mobile browsers
* Security Runtime Engine (SRE) HTTP module
* A sample application
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.
Anil Kumar Revuru currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.
Speaker: Andre Gironda
Using ASVS with the Code Review Guide, Testing Guide, and Time
The OWASP Application Security Verification Standard, which defines four levels of web application security verification, lays down a framework for security architecture review. While the ASVS includes many requirements for controls, it does not suggest which tools, techniques, timeline or methodologies to utilize. The OWASP Code Review and Testing Guides provide the technical practices and suggest or hint at tools, but also lack the timeline and methodology necessary to complete an application penetration test or SDLC integration project for proper application security hygiene.
This presentation will provide the 1000-foot view all the way down to the nitty-gritty details of how to perform ASVS activities using OWASP resources, as well as some OWASP and non-OWASP tools (freeware or demoware). Example timelines for typical ASVS activities, including reports, will be discussed so that any sort of application security project can be scoped properly, delivered on time, and within budget.
Andre Gironda is an application security specialist with a global security consulting firm providing IT security services to the Fortune 500 and financial institutions as well as U.S. and foreign governments. Prior to his current employment, Andre held a number of payment application security positions in addition to working for the largest online auction website. He is currently a leader for the Open Web Application Security Project (OWASP), where he co-produces the global OWASP News Podcast.
Mike de Libero
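As an added example of the allow-list ("principle of inclusions") encoding described in the Anti-XSS abstract above, and not the library's own code, the following Python contrasts a constructed allow-list encoder with a deny-list one; the safe character sets, the deny-list table and the probe string are assumptions made here for illustration.

```python
# Allow-list output encoding, written for this page as an illustration;
# this is not the Anti-XSS library's code. SAFE_HTML is a hypothetical
# safe set: every character outside it is encoded as a numeric character
# reference, so nothing the author did not anticipate passes through.
SAFE_HTML = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789 ,.-_"
)

# An expanded safe set in the spirit of the "supports more languages"
# feature: Latin-1 letters are allowed through, symbols (e.g. U+00D7) are not.
SAFE_HTML_LATIN1 = SAFE_HTML | frozenset(
    chr(c) for c in range(0xC0, 0x100) if chr(c).isalpha()
)


def encode_allowlist(text, safe=SAFE_HTML):
    """Return `text` with every character outside `safe` encoded as &#NNN;."""
    return "".join(ch if ch in safe else f"&#{ord(ch)};" for ch in text)


# Deny-list encoder for contrast: it escapes only the characters its author
# listed (a constructed table), so any other metacharacter is copied unchanged.
DENY_HTML = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def encode_denylist(text):
    """Return `text` with only the characters in DENY_HTML escaped."""
    return "".join(DENY_HTML.get(ch, ch) for ch in text)


def leaked_metacharacters(encoder, probe="<>&\"'`/="):
    """Characters from `probe` (constructed here) that `encoder` passes
    through unchanged; a reviewer would flag these as uncovered contexts."""
    return {ch for ch in probe if encoder(ch) == ch}


if __name__ == "__main__":
    sample = "O'Neil <b>"  # constructed input
    print(encode_denylist(sample))                     # O'Neil &lt;b&gt;
    print(encode_allowlist(sample))                    # O&#39;Neil &#60;b&#62;
    print(encode_allowlist("café"))                    # caf&#233;
    print(encode_allowlist("café", SAFE_HTML_LATIN1))  # café
    print(sorted(leaked_metacharacters(encode_denylist)))  # ["'", '/', '=', '`']
    print(leaked_metacharacters(encode_allowlist))     # set()
```

The deny-list encoder leaves the apostrophe alone, which matters as soon as the value lands in a single-quoted attribute; the allow-list encoder never has to know which context it is protecting.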
End of Owasp-seattle Digest, Vol 21, Issue 1