[Owasp-alabama] 2010 Meetings

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Tue Jan 5 19:22:23 EST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jan 5, 2010, at 12:33 PM, owasp-alabama at lists.owasp.org wrote:

> @josh
>
> I think that's a great idea.
>
> @Daniel
>
> I totally agree. I hand-picked this guy that is flying in because of  
> that very reason. I know him personally, and he isn't selling a  
> company, nor himself. He's a great guy.

Who is it?

> Daniel, how about giving us some ideas on what you'd like to see?


> What would provide the MOST benefit for you and the folks you know?

Please note that my perspective on hacking is not defined only by the lens of web application security.
Application security == application security in my mind.

Being a bugtracker/pentester/hacker, I would appreciate some of the following things.

Topically, I would enjoy the following:
----------------------------------------------------------------
* Visualization, and ways to aid fuzzing efforts through graphical representation (read as code coverage in binary-analysis-type situations).

* Input validation and input tracing methods - it would be nice to know if there are some tools out there that other people have that I don't.
	* Manual and product-based aids to fuzzing and source code review.

* Source code analysis tool perspectives, specifically quality versus quantity in automated solutions. Even though I am well aware that automated source code analysis will only find 60% of the bugs, it would be nice to hear other people's input on this, and possibly developers of some of the bigger source code analysis tools (this would be killer).

* Philosophy & storytelling. In this arena it would be nice to see what some of the older generation of bug finders overcame, what mindset was critical for success, and how success was obtained in situations where (insert gen-X toolset) did not exist.

* Analysis and perspective on design vulnerabilities that assessors in the area and/or profession have seen in the last x years. I am always interested in seeing what others see, and the more patterns one knows about, the more one can succeed in an application review.

* I think it would be good for everyone to talk more on limiting risk through parameterized SQL queries.

* Threat modeling and commentary on a good SDLC - possibly getting some of the guys from Microsoft might be nice for this, since they have one of the best QA/SDLCs out there.

* Positive things about PHP would probably help someone who is cynical toward all things PHP.

* Commentary on security from a developer just introduced to security versus someone who has been a developer for x years; commentary is always valuable for context.

----------------------------------------------------------------

To be honest, I would like to see some of the old-school heavy-hitter bug finders.
Speaker-wise, here are some people I follow and always love to hear what they say.

E.g. (* indicates speakers who could be a possibility if given budget from OWASP; - indicates probably no chance in hell):
	* Mark Dowd
	* John McDonald
	* Justin Schuh
	* Charlie Miller
	- Halvar Flake
	- Fx
	* Dino
	* Andres Andreu (haven't heard from him in a while, is he still around...?)
	- Anyone who wrote some of the older phrack articles.
	- Older members from the original @stake/L0pht crew.

People I care not to hear a thing from include:
	* Jeremiah Grossman
	* Ed Skoudis

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851
"Moments of sorrow are moments of sobriety"
-----BEGIN PGP SIGNATURE-----

iD8DBQFLQ9e/lZy1vkUrR4MRAmamAJ4u7n1/9V0ggsOjYtSS86tNYo9v+wCeOllk
yZTgKlsxdCtZUAHfG000PkA=
=u7Mr
-----END PGP SIGNATURE-----
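The parameterized SQL query point from the topic list above, as an added example that is not part of the original message or of anything the OWASP Alabama list published: Python's sqlite3 module with a constructed in-memory users table, comparing the string-concatenation form against the bound-parameter form it replaces. The table, rows, function names and inputs are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the illustration (not from the mailing list).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Builds the statement by concatenation, so the input becomes SQL syntax.

    This is the pattern parameterized queries exist to replace; it is kept here
    only so the two behaviours can be compared side by side.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Sends the statement and the value separately; the driver binds the
    value as data, so quotes in it never change the query's structure."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Return (unsafe_rows, parameterized_rows) for the same input."""
    conn = make_db()
    try:
        return lookup_unsafe(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()


def unsafe_breaks_on(name):
    """True if the concatenated form cannot even run on this input, which is
    what happens with legitimate data containing a quote (e.g. an Irish surname)."""
    conn = make_db()
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.Error:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both forms agree.
    print(compare("alice"))
    # Input containing a quote: the concatenated form's WHERE clause changes
    # meaning and matches every row; the bound form matches nothing, because
    # no user is literally named that.
    print(compare("x' OR 'a'='a"))
    # Legitimate data with an apostrophe: only the concatenated form errors out.
    print(unsafe_breaks_on("O'Brien"))
```

The point to take from the comparison is that the parameterized version needs no escaping logic at all: the value is never parsed as SQL, so both the hostile-looking input and the perfectly legitimate one are handled the same way.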

