[Owasp-alabama] 2010 Meetings

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Tue Jan 5 20:39:34 EST 2010

Great Feedback!!!
Where the heck is everyone else on this list!?!?

See my responses inline.


On Tue, Jan 5, 2010 at 6:22 PM, <owasp-alabama at lists.owasp.org> wrote:

> On Jan 5, 2010, at 12:33 PM, owasp-alabama at lists.owasp.org wrote:
> > @josh
> >
> > I think that's a great idea.
> >
> > @Daniel
> >
> > I totally agree. I hand-picked this guy that is flying in because of
> > that very reason. I know him personally, and he isn't selling a
> > company, nor himself. He's a great guy.
> Who is it?
I will disclose as soon as he has given me his final word. =)  He is double
checking with wife/work etc, but is nearly sure he'll be there.

> > Daniel, how about giving us some ideas on what you'd like to see?
> > What would provide the MOST benefit for you and the folks you know?
> Please note that my perspective on hacking is not defined only by the
> lens of web application security.
> Application security == Application security in my mind.
Not sure I follow you here. The only way I can speak to this is that OWASP
is solely focused on Web application security, and although security in
*all* arenas is important, these talks/speakers/meetings won't cover other
aspects such as malware analysis, OS security (although some web server
stuff is relevant), spam, reversing, etc. I hope I didn't misunderstand you,
and if I did, my bad.

> Being a bugtracker/pentester/hacker,....I would appreciate some of the
> following things.
> Topically, I would enjoy topics on the following:
> ----------------------------------------------------------------
> * Visualization, and ways to aid in fuzzing efforts through graphical
> representation (read as code coverage in binary analysis type
> situations).
Fuzzing is definitely a hot topic in the WAS area, and will be our first
topic should my scheduled speaker be able to present.

> * Input validation and input tracing methods - it would be nice to
> know if there are some tools out there that other people have that I
> don't..
Great stuff!

> * Manual and product based to aid in fuzzing and source code review.
100% on board here too.

> * Source code analysis tools perspectives specifically quality versus
> quantity in automated solutions. Even though I am well aware that
> automated source code analysis will only find 60% of the bugs it would
> be nice to hear other people's input on this and possibly developers
> of some of the bigger source code analysis tools (this would be killer).
This is totally doable. OWASP doesn't endorse products or companies, but we
often engage in mutually beneficial situations. This would be one of those.
Any specific products you're interested in? I can make some calls.

> * Philosophy & Story telling. In this arena it would be nice to see
> what some of the older generation of bug finders overcame, what
> mindset was critical for success and how success was obtained in
> situations where (insert genx toolset did not exist).
Coolness! Anyone on the list up for doing this? Most of my stuff is NDA
protected, and would likely be so vague it would take away any coolness.

> * Analysis and perspective of design vulnerabilities assessors in the
> area and or profession have seen in the last x years. I am always
> interested in seeing what others see and the more patterns one can
> know about the more they can succeed in an application review.
Very cool.

> * I think it would be good for everyone to talk more on limiting risk
> through parameterized sql queries....
I agree. Maybe we can roll this up into a technical 2-hour preso on common
WA risk mitigation?

> * Threat Modeling and commentary on good SDLC - possibly getting some
> of the guys from Microsoft might be nice for this since they have one
> of the best qa/sdlc's out there.
Yea I'm a big preacher of the security in the SDLC. Totally with you here.

> * Positive things about php would probably help someone who is cynical
> to all things php...
There are positives to php? j/k
I think this would be best presented in a way that empowers those php
developers among us to be more secure with our code. In theory, any language
at any level can be secure. Problem is, IMO, php just makes it really easy
to do it wrong. I must say PHP has gotten better over the years, but it sure
wouldn't be my first choice for an enterprise app platform.

> * Commentary on security from developer just introduced to security
> versus someone who has been a developer for x amount of years...
> commentary is always valuable for context.
I can put this one together as well. Good stuff.

> ---------------------------------------------------------------------------------------------------------------------------------------------------
> To be honest, I would like to see some of the old school heavy
> hitter bug finders.
> Speaker wise, here are some people I follow and always love to hear
> what they say......
> Eg:  ( * indicating speakers if given budget from owasp could be a
> possibility - indicating probably no chance in hell )
>        * Mark Dowd
>        * John McDonald
>        * Justin Schuh
>        * Charlie Miller
>        - Halvar Flake
>        - Fx
>        * Dino
>        * Andres Andreu (haven't heard from him in a while, is he still
> around... ?)
>        - Anyone who wrote some of the older phrack articles.
>        - Older members from the original @stake/L0pht crew.
I think the big question here is if these guys have anything to offer us.
Before you all flame me, I don't get caught up in "big names" in the
security world, so I don't know these guys from bob @ autozone. If enough
people ask for a certain person, or someone can provide a really good reason
we should invite one of these folks, then I'll present it to OWASP. Nice
thing is, as our chapter grows, so will our budget and we'll have more
Also, it's great to have a list of speakers to choose from, thanks for that.

> People I care not to hear a thing from include:
>        * Jeremiah Grossman
>        * Ed Skoudis

I've heard of JG, but not Ed, why not from these guys? Just curious.

So this is great. I think what I'll do is formalize these, and put a poll
together for the folks to vote on.

Anyone else care to share?

> | Daniel Uriah Clemens
> | Packetninjas L.L.C | | http://www.packetninjas.net
> | c. 205.567.6850      | | o. 866.267.8851
> "Moments of sorrow are moments of sobriety"