[Owasp-alabama] 2010 Meetings

owasp-alabama at lists.owasp.org
Tue Jan 5 21:59:21 EST 2010

It seems we have identified several "technical" topics to discuss this year,
but let's keep in mind that the average C-level IT Security executive will
not get much value from "finding bugs" or advanced discussion on code
review technique. That is why it will be important to break the meetings
down into executive/technical discussions.
Any suggestions from the list for management level focus/topics? Or do we
want to focus on lower level specialty topics?
Regarding speakers - it's great to have a known security speaker present to
the chapter. The talks are usually very polished, etc., but what I would
like to see is local members talking about issues they have faced, problems
they have solved, and open discussions that provide value. Because at the
end of the day, we want the meeting to be successful and provide knowledge
and information that may be taken away and used.
From: owasp-alabama-bounces at lists.owasp.org
[mailto:owasp-alabama-bounces at lists.owasp.org] On Behalf Of
owasp-alabama at lists.owasp.org
Sent: Tuesday, January 05, 2010 7:40 PM
To: owasp-alabama at lists.owasp.org
Subject: Re: [Owasp-alabama] 2010 Meetings
Great Feedback!!! 
Where the heck is everyone else on this list!?!?

See my responses inline.


On Tue, Jan 5, 2010 at 6:22 PM, <owasp-alabama at lists.owasp.org> wrote:
On Jan 5, 2010, at 12:33 PM, owasp-alabama at lists.owasp.org wrote:

> @josh
> I think that's a great idea.
> @Daniel
> I totally agree. I hand-picked this guy that is flying in because of
> that very reason. I know him personally, and he isn't selling a
> company, nor himself. He's a great guy.

Who is it?

I will disclose as soon as he has given me his final word. =)  He is double
checking with wife/work etc, but is nearly sure he'll be there.

> Daniel, how about giving us some ideas on what you'd like to see?

> What would provide the MOST benefit for you and the folks you know?

Please note that my perspective on hacking is not defined only by the
lens of web application security.
Application security == Application security in my mind.

Not sure I follow you here. The only way I can speak to this is that OWASP
is solely focused on Web application security, and although security in
*all* arenas is important, these talks/speakers/meetings won't cover other
aspects such as malware analysis, OS security (although some web server
stuff is relevant), spam, reversing, etc. I hope I didn't misunderstand you,
and if I did, my bad.

Being a bugtracker/pentester/hacker, ... I would appreciate some of the
following things.

Topically, I would enjoy topics on the following:
----------------------------------------------------------------
* Visualization, and ways to aid in fuzzing efforts through graphical
representation. (read as code coverage in binary analysis type

Fuzzing is definitely a hot topic in the WAS area, and will be our first
topic should my scheduled speaker be able to present.

* Input validation and input tracing methods - it would be nice to
know if there are some tools out there that other people have that I

Great stuff! 

* Manual & product based to aid in fuzzing and source code review.

100% on board here too. 

* Source code analysis tools perspectives specifically quality versus
quantity in automated solutions. Even though I am well aware that
automated source code analysis will only find 60% of the bugs it would
be nice to hear other people's input on this and possibly developers
of some of the bigger source code analysis tools (this would be killer).

This is totally doable. OWASP doesn't endorse products or companies, but we
often engage in mutually beneficial situations. This would be one of those.
Any specific products you're interested in? I can make some calls.  

* Philosophy & Story telling. In this arena it would be nice to see
what some of the older generation of bug finders overcame, what
mindset was critical for success and how success was obtained in
situations where (insert genx toolset did not exist).

Coolness! Anyone on the list up for doing this? Most of my stuff is NDA
protected, and would likely be so vague it would take away any coolness.

* Analysis and perspective of design vulnerabilities assessors in the
area and or profession have seen in the last x years. I am always
interested in seeing what others see and the more patterns one can
know about the more they can succeed in an application review.

Very cool.  

* I think it would be good for everyone to talk more on limiting risk
through parameterized SQL queries....

I agree. Maybe we can roll this up into a technical 2-hour preso on common
WA risk mitigation? 

* Threat Modeling and commentary on good SDLC - possibly getting some
of the guys from Microsoft might be nice for this since they have one
of the best qa/sdlc's out there.

Yea I'm a big preacher of the security in the SDLC. Totally with you here. 

* Positive things about php would probably help someone who is cynical
to all things php...

There are positives to php? j/k 
I think this would be best presented in a way that empowers those php
developers among us to be more secure with our code. In theory, any language
at any level can be secure. Problem is, IMO, php just makes it really easy
to do it wrong. I must say PHP has gotten better over the years, but it sure
wouldn't be my first choice for an enterprise app platform.

* Commentary on security from developer just introduced to security
versus someone who has been a developer for x amount of years...
commentary is always valuable for context.

I can put this one together as well. Good stuff. 


To be honest, I would like to see some of the old school heavy
hitter bug finders.
Speaker wise, here are some people I follow and always love to hear
what they say......

E.g.: ( * indicates speakers who, if given budget from OWASP, could be a
possibility; - indicates probably no chance in hell )
       * Mark Dowd
       * John McDonald
       * Justin Schuh
       * Charlie Miller
       - Halvar Flake
       - Fx
       * Dino
       * Andres Andreu (haven't heard from him in a while, is he still
around... ?)
       - Anyone who wrote some of the older phrack articles.
       - Older members from the original @stake/L0pht crew.

I think the big question here is if these guys have anything to offer us.
Before you all flame me, I don't get caught up in "big names" in the
security world, so I don't know these guys from bob @ autozone. If enough
people ask for a certain person, or someone can provide a really good reason
we should invite one of these folks, then I'll present it to OWASP. Nice
thing is, as our chapter grows, so will our budget and we'll have more
Also, it's great to have a list of speakers to choose from, thanks for that.

People I care not to hear a thing from include:
       * Jeremiah Grossman
       * Ed Skoudis

I've heard of JG, but not Ed, why not from these guys? Just curious. 

So this is great. I think what I'll do is formalize these, and put a poll
together for the folks to vote on.

Anyone else care to share? 

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851
"Moments of sorrow are moments of sobriety"
Owasp-alabama mailing list
Owasp-alabama at lists.owasp.org