[Owasp-twincities] OWASP Feb. 14 Meeting Notes
Robert Sullivan
msp.sullivan at gmail.com
Thu Feb 16 11:03:10 EST 2006
OWASP Twin Cities 2/14/2006
Main Presentation:
Joe Teff gave an insightful tutorial on DREAD. (Thanks, Joe.)
Joe described three things you should do to make DREAD work:
1. Use the formula Risk = Probability * Impact.
2. Impact = D * A.
   Here D is the damage assessed in terms of Confidentiality, Integrity,
   and Availability. A stands for Affected Users, or the size of the user base.
3. Probability = R + E + D.
   Here R (Reproducibility) is the difficulty to reproduce, E (Exploitability)
   is the difficulty to execute the attack, and D (Discoverability) is the
   likelihood that it will be found.
4. Use a small number of well-defined values.
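The scoring rule in the four points above, worked through in code. This is an added example written for these notes, not something Joe presented or an OWASP tool; the three-level scale (Low/Medium/High = 1/2/3) and the three sample threats are constructed to illustrate the arithmetic, since the notes do not fix a scale. The point is the ranking: Risk = (R + E + D) * (D * A) orders the threats, and the order tells you which mitigation to fund first.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """A small, well-defined value set (point 4). The 1..3 scale is an
    assumption for this example; the notes do not prescribe one."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Threat:
    name: str
    damage: Level           # D in Impact: damage to confidentiality, integrity, availability
    affected_users: Level   # A: size of the affected user base
    reproducibility: Level  # R: how reliably the attack reproduces
    exploitability: Level   # E: how easy the attack is to execute
    discoverability: Level  # D in Probability: how likely the weakness is to be found

    def impact(self) -> int:
        # Point 2: Impact = D * A
        return int(self.damage) * int(self.affected_users)

    def probability(self) -> int:
        # Point 3: Probability = R + E + D
        return int(self.reproducibility) + int(self.exploitability) + int(self.discoverability)

    def risk(self) -> int:
        # Point 1: Risk = Probability * Impact
        return self.probability() * self.impact()


def max_risk() -> int:
    """Upper bound of the scale, useful for expressing a score as a fraction."""
    top = int(Level.HIGH)
    return (3 * top) * (top * top)


def rank_threats(threats):
    """Highest risk first; this is the order in which mitigations get scheduled."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


# Constructed sample threats for a generic web application (hypothetical values).
SAMPLE_THREATS = [
    Threat("SQL injection in login form",
           damage=Level.HIGH, affected_users=Level.HIGH,
           reproducibility=Level.HIGH, exploitability=Level.MEDIUM,
           discoverability=Level.HIGH),
    Threat("Reflected XSS in search page",
           damage=Level.MEDIUM, affected_users=Level.MEDIUM,
           reproducibility=Level.HIGH, exploitability=Level.HIGH,
           discoverability=Level.HIGH),
    Threat("Password reset lacks proof of ownership",
           damage=Level.HIGH, affected_users=Level.LOW,
           reproducibility=Level.HIGH, exploitability=Level.MEDIUM,
           discoverability=Level.LOW),
]


if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.risk():3d}/{max_risk()}  P={t.probability()} I={t.impact()}  {t.name}")
```

Two things the arithmetic makes visible: multiplying Impact by Probability means a high-damage threat that is hard to find (low D) can still outrank a nuisance that is trivial to discover, and keeping the value set tiny (point 4) keeps reviewers from arguing over whether something is a 6 or a 7 instead of whether it is Medium or High.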
For more information on DREAD and Threat Modelling, check these links:
Threat Modeling, Microsoft Press, Frank Swiderski & Window Snyder
Books or papers by David C. LeBlanc, author of Writing Secure Code,
Microsoft Press
Severity Rating System (2002), Microsoft
http://www.microsoft.com/technet/security/bulletin/rating.mspx
Threat Modeling on the MSDN Library, 2003
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch03.asp
Book Discussion:
We discussed security books and decided to read Spies Among Us by Ira
Winkler. Pick up a copy. We'll discuss the first two case studies (Spy vs.
Spy and Nuclear Meltdown) at the April meeting.
WebGoat:
Bob Sullivan demonstrated a few Cross-Site-Scripting and SQL-injection
attacks using WebGoat. WebGoat is a useful tool for showing and teaching
about vulnerabilities.
We discussed building a 'password reset' lesson.
It turns out that WebGoat 4.0 (not released yet) has a password reset
lesson.
However, version 4.0 needs some cool lessons in:
- forced browsing (much easier with WebGoat's new use of JSPs)
- session management
- denial of service
- web services (especially exploits with XML)
- anything else that is not already there
If you have an interest in building a 4.0 lesson please respond to the list,
here, with your suggestion. If you are up to the challenge of helping to
finish and release 4.0, contact Bruce Mayhew at:
bruce.mayhew at aspectsecurity.com.
Next Meeting:
Lorna from Integral Business Solutions (Roseville) suggested that we could
meet there in April. Better yet, Integral would provide food. Watch for a
date and agenda in the next two weeks.
We are looking for presentation ideas and people willing to present. If you
have any suggestions or would like to present yourself please contact Bob
Sullivan and the OWASP Twin Cities mailing list.