[Owasp-alabama] 2010 Meetings

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Thu Jan 28 08:58:45 EST 2010


All,

Matt Tesauro will be our speaker during the February meeting. He will be
doing a "fuzzing with jbrofuzz" presentation.

-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
In security, an action that is not explicitly denied is inherently allowed.
--


On Tue, Jan 5, 2010 at 7:39 PM, Brad Causey <bradcausey at gmail.com> wrote:

> Great Feedback!!!
> Where the heck is everyone else on this list!?!?
>
> See my responses inline.
>
> -Brad
>
>
> On Tue, Jan 5, 2010 at 6:22 PM, <owasp-alabama at lists.owasp.org> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> On Jan 5, 2010, at 12:33 PM, owasp-alabama at lists.owasp.org wrote:
>>
>> > @josh
>> >
>> > I think that's a great idea.
>> >
>> > @Daniel
>> >
>> > I totally agree. I hand-picked this guy that is flying in because of
>> > that very reason. I know him personally, and he isn't selling a
>> > company, nor himself. He's a great guy.
>>
>> Who is it?
>>
> I will disclose as soon as he has given me his final word. =)  He is double
> checking with wife/work etc, but is nearly sure he'll be there.
>
>>
>> > Daniel, how about giving us some ideas on what you'd like to see?
>>
>>
>> > What would provide the MOST benefit for you and the folks you know?
>>
>> Please note that my perspective on hacking is not defined only by the
>> lens of web application security.
>> Application security == Application security in my mind.
>>
> Not sure I follow you here. The only way I can speak to this is that OWASP
> is solely focused on Web application security, and although security in
> *all* arenas is important, these talks/speakers/meetings won't cover other
> aspects such as malware analysis, OS security (although some web server
> stuff is relevant), spam, reversing, etc. I hope I didn't misunderstand you,
> and if I did, my bad.
>
>>
>> Being a bugtracker/pentester/hacker, I would appreciate some of the
>> following things.
>>
>> Topically, I would enjoy topics on the following:
>> ----------------------------------------------------------------
>> * Visualization, and ways to aid in fuzzing efforts through graphical
>> representation (read as code coverage in binary-analysis-type
>> situations).
>>
> Fuzzing is definitely a hot topic in the WAS area, and will be our first
> topic should my scheduled speaker be able to present.
>
>>
>> * Input validation and input tracing methods - it would be nice to
>> know if there are some tools out there that other people have that I
>> don't.
>>
> Great stuff!
>
>
>> * Manual and product-based ways to aid in fuzzing and source code review.
>>
> 100% on board here too.
>
>>
>> * Source code analysis tools perspectives specifically quality versus
>> quantity in automated solutions. Even though I am well aware that
>> automated source code analysis will only find 60% of the bugs it would
>> be nice to hear other people's input on this and possibly developers
>> of some of the bigger source code analysis tools (this would be killer).
>>
> This is totally doable. OWASP doesn't endorse products or companies, but we
> often engage in mutually beneficial situations. This would be one of those.
> Any specific products you're interested in? I can make some calls.
>
>>
>> * Philosophy & Story telling. In this arena it would be nice to see
>> what some of the older generation of bug finders overcame, what
>> mindset was critical for success and how success was obtained in
>> situations where (insert genx toolset did not exist).
>>
> Coolness! Anyone on the list up for doing this? Most of my stuff is NDA
> protected, and would likely be so vague it would take away any coolness.
>
>>
>> * Analysis and perspective on design vulnerabilities that assessors in the
>> area and/or profession have seen in the last x years. I am always
>> interested in seeing what others see, and the more patterns one can
>> know about, the more they can succeed in an application review.
>>
> Very cool.
>
>>
>> * I think it would be good for everyone to talk more on limiting risk
>> through parameterized SQL queries.
>>
> I agree. Maybe we can roll this up into a technical 2-hour preso on common
> WA risk mitigation?
>
>>
>> * Threat modeling and commentary on a good SDLC - possibly getting some
>> of the guys from Microsoft might be nice for this since they have one
>> of the best QA/SDLCs out there.
>>
> Yea I'm a big preacher of the security in the SDLC. Totally with you here.
>
>>
>> * Positive things about PHP would probably help someone who is cynical
>> about all things PHP.
>>
> There are positives to php? j/k
> I think this would be best presented in a way that empowers those php
> developers among us to be more secure with our code. In theory, any language
> at any level can be secure. Problem is, IMO, php just makes it really easy
> to do it wrong. I must say PHP has gotten better over the years, but it sure
> wouldn't be my first choice for an enterprise app platform.
>
>>
>> * Commentary on security from a developer just introduced to security
>> versus someone who has been a developer for x amount of years.
>> Commentary is always valuable for context.
>>
> I can put this one together as well. Good stuff.
>
>>
>> ----------------------------------------------------------------
>>
>> To be honest, I would like to see some of the old school heavy
>> hitter bug finders.
>> Speaker-wise, here are some people I follow and always love to hear
>> what they say.
>>
>> E.g. ( * indicates speakers who could be a possibility if given budget
>> from OWASP; - indicates probably no chance in hell )
>>        * Mark Dowd
>>        * John McDonald
>>        * Justin Schuh
>>        * Charlie Miller
>>        - Halvar Flake
>>        - Fx
>>        * Dino
>>        * Andres Andreu (haven't heard from him in a while, is he still
>> around... ?)
>>        - Anyone who wrote some of the older phrack articles.
>>        - Older members from the original @stake/L0pht crew.
>>
> I think the big question here is if these guys have anything to offer us.
> Before you all flame me, I don't get caught up in "big names" in the
> security world, so I don't know these guys from bob @ autozone. If enough
> people ask for a certain person, or someone can provide a really good reason
> we should invite one of these folks, then I'll present it to OWASP. Nice
> thing is, as our chapter grows, so will our budget and we'll have more
> flexibility.
> Also, it's great to have a list of speakers to choose from, thanks for
> that.
>
>>
>> People I care not to hear a thing from include:
>>        * Jeremiah Grossman
>>        * Ed Skoudis
>>
>
> I've heard of JG, but not Ed, why not from these guys? Just curious.
>
> So this is great. I think what I'll do is formalize these, and put a poll
> together for the folks to vote on.
>
> Anyone else care to share?
>
>>
>> | Daniel Uriah Clemens
>> | Packetninjas L.L.C | | http://www.packetninjas.net
>> | c. 205.567.6850      | | o. 866.267.8851
>> "Moments of sorrow are moments of sobriety"
>>
>> -----BEGIN PGP SIGNATURE-----
>>
>> iD8DBQFLQ9e/lZy1vkUrR4MRAmamAJ4u7n1/9V0ggsOjYtSS86tNYo9v+wCeOllk
>> yZTgKlsxdCtZUAHfG000PkA=
>> =u7Mr
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> Owasp-alabama mailing list
>> Owasp-alabama at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-alabama
>>
>
>