[Owasp-alabama] 2010 Meetings

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Tue Jan 5 22:14:27 EST 2010


Well said.

Our slot is 4 hours, so we can easily break it into 2, 2 hour presos. I can
fill the slot on the non-technical with some of my contacts locally, but
only for a few meetings. I mostly play in the technical arena.



-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
Never underestimate the time, expense, and effort an opponent will expend to
break a code. (Robert Morris)
--


On Tue, Jan 5, 2010 at 8:59 PM, <owasp-alabama at lists.owasp.org> wrote:

>  It seems we have identified several “technical” topics to discuss this
> year, but let’s keep in mind that the average C-level IT Security executive
> will not get much value about “finding bugs” or advanced discussion on code
> review technique. That is why it will be important to break the meetings
> down into executive/technical discussions.
>
> Any suggestions from the list for management level focus/topics? Or do we
> want to focus on lower level specialty topics?
>
>
>
> Regarding speakers-  it’s great to have a known security speaker present to
> the chapter. The talks are usually very polished etc..  but what I would
> like to see is local members talking about issues they have faced, problems
> they have solved, and open discussions that provide value.  Because at the
> end of the day, we want the meeting to be successful and provide knowledge
> and information that may be taken away and used.
>
> JP
>
> *From:* owasp-alabama-bounces at lists.owasp.org [mailto:
> owasp-alabama-bounces at lists.owasp.org] *On Behalf Of *
> owasp-alabama at lists.owasp.org
> *Sent:* Tuesday, January 05, 2010 7:40 PM
>
> *To:* owasp-alabama at lists.owasp.org
> *Subject:* Re: [Owasp-alabama] 2010 Meetings
>
>
>
> Great Feedback!!!
> Where the heck is everyone else on this list!?!?
>
> See my responses inline.
>
> -Brad
>
>  On Tue, Jan 5, 2010 at 6:22 PM, <owasp-alabama at lists.owasp.org> wrote:
>
>
> On Jan 5, 2010, at 12:33 PM, owasp-alabama at lists.owasp.org wrote:
>
> > @josh
> >
> > I think that's a great idea.
> >
> > @Daniel
> >
> > I totally agree. I hand-picked this guy that is flying in because of
> > that very reason. I know him personally, and he isn't selling a
> > company, nor himself. He's a great guy.
>
> Who is it?
>
> I will disclose as soon as he has given me his final word. =)  He is double
> checking with wife/work etc, but is nearly sure he'll be there.
>
>
> > Daniel, how about giving us some ideas on what you'd like to see?
>
>
> > What would provide the MOST benefit for you and the folks you know?
>
> Please note that my perspective on hacking is not defined only by the
> lens of web application security.
> Application security == Application security in my mind.
>
>  Not sure I follow you here. The only way I can speak to this is that
> OWASP is solely focused on Web application security, and although security
> in *all* arenas is important, these talks/speakers/meetings won't cover
> other aspects such as malware analysis, OS security (although some web
> server stuff is relevant), spam, reversing, etc. I hope I didn't
> misunderstand you, and if I did, my bad.
>
>
> Being a bugtracker/pentester/hacker, ... I would appreciate some of the
> following things.
>
> Topically, I would enjoy topics on the following:
> ----------------------------------------------------------------
> * Visualization , and ways to aid in fuzzing efforts through graphical
> representation.(read as code coverage in binary analysis type
> situations).
>
>  Fuzzing is definitely a hot topic in the WAS area, and will be our first
> topic should my scheduled speaker be able to present.
>
>
> * Input validation and input tracing methods - it would be nice to
> know if there are some tools out there that other people have that I
> don't..
>
>  Great stuff!
>
>
> * Manual & product-based approaches to aid in fuzzing and source code review.
>
>  100% on board here too.
>
>
> * Source code analysis tools perspectives specifically quality versus
> quantity in automated solutions. Even though I am well aware that
> automated source code analysis will only find 60% of the bugs it would
> be nice to hear other people's input on this and possibly developers
> of some of the bigger source code analysis tools (this would be killer).
>
>  This is totally doable. OWASP doesn't endorse products or companies, but
> we often engage in mutually beneficial situations. This would be one of
> those. Any specific products you're interested in? I can make some calls.
>
>
> * Philosophy & Story telling. In this arena it would be nice to see
> what some of the older generation of bug finders overcame, what
> mindset was critical for success and how success was obtained in
> situations where (insert genx toolset did not exist).
>
>  Coolness! Anyone on the list up for doing this? Most of my stuff is NDA
> protected, and would likely be so vague it would take away any coolness.
>
>
> * Analysis and perspective of design vulnerabilities assessors in the
> area and or profession have seen in the last x years. I am always
> interested in seeing what others see and the more patterns one can
> know about the more they can succeed in an application review.
>
>  Very cool.
>
>
> * I think it would be good for everyone to talk more on limiting risk
> through parameterized sql queries....
>
>  I agree. Maybe we can roll this up into a technical 2-hour preso on
> common WA risk mitigation?
>
>
> * Threat Modeling and commentary on good SDLC - possibly getting some
> of the guys from Microsoft might be nice for this since they have one
> of the best qa/sdlc's out there.
>
>  Yea I'm a big preacher of the security in the SDLC. Totally with you
> here.
>
>
> * Positive things about php would probably help someone who is cynical
> to all things php...
>
>  There are positives to php? j/k
> I think this would be best presented in a way that empowers those php
> developers among us to be more secure with our code. In theory, any language
> at any level can be secure. Problem is, IMO, php just makes it really easy
> to do it wrong. I must say PHP has gotten better over the years, but it sure
> wouldn't be my first choice for an enterprise app platform.
>
>
> * Commentary on security from developer just introduced to security
> versus someone who has been a developer for x amount of years...
> commentary is always valuable for context.
>
>  I can put this one together as well. Good stuff.
>
>
> ----------------------------------------------------------------
>
> To be honest, I would like to see some of the old school heavy
> hitter bug finders.
> Speaker wise, here are some people I follow and always love to hear
> what they say......
>
> E.g.: (* indicates speakers who could be a possibility given budget from
> OWASP; - indicates probably no chance in hell)
>        * Mark Dowd
>        * John McDonald
>        * Justin Schuh
>        * Charlie Miller
>        - Halvar Flake
>        - Fx
>        * Dino
>        * Andres Andreu (haven't heard from him in a while, is he still
> around... ?)
>        - Anyone who wrote some of the older phrack articles.
>        - Older members from the original @stake/L0pht crew.
>
>  I think the big question here is if these guys have anything to offer us.
> Before you all flame me, I don't get caught up in "big names" in the
> security world, so I don't know these guys from bob @ autozone. If enough
> people ask for a certain person, or someone can provide a really good reason
> we should invite one of these folks, then I'll present it to OWASP. Nice
> thing is, as our chapter grows, so will our budget and we'll have more
> flexibility.
>  Also, it's great to have a list of speakers to choose from, thanks for
> that.
>
>
> People I care not to hear a thing from include:
>        * Jeremiah Grossman
>        * Ed Skoudis
>
>
> I've heard of JG, but not Ed, why not from these guys? Just curious.
>
> So this is great. I think what I'll do is formalize these, and put a poll
> together for the folks to vote on.
>
> Anyone else care to share?
>
>
> | Daniel Uriah Clemens
> | Packetninjas L.L.C | http://www.packetninjas.net
> | c. 205.567.6850 | o. 866.267.8851
> "Moments of sorrow are moments of sobriety"
>
>
> _______________________________________________
> Owasp-alabama mailing list
> Owasp-alabama at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-alabama
>
>