[Owasp-alabama] 2010 Meetings

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Thu Jan 28 12:11:45 EST 2010

Hash: SHA1

> Who is it?
> I will disclose as soon as he has given me his final word. =)  He is  
> double checking with wife/work etc, but is nearly sure he'll be there.
> > Daniel, how about giving us some ideas on what you'd like to see?
> > What would provide the MOST benefit for you and the folks you know?
> Please note that my perspective on hacking is not defined only by the
> lens of webapplication security.
> Application security == Application security in my mind.
> Not sure I follow you here. The only way I can speak to this is that  
> OWASP is solely focused on Web application security, and although  
> security in *all* arenas is important, these talks/speakers/meetings  
> won't cover other aspects such as malware analysis, OS security  
> (although some web server stuff is relevant), spam, reversing, etc.  
> I hope I didn't misunderstand you, and if I did, my bad.

I guess my beef with this mindset in general is if your saying  
application security and web application being different these are  
basically one and the same.
Certain vulnerability classes definitely emerge from web applications  
which do not exist in other applications but there are many things to  
learn from application security in general which helps aid in web  
application security.
I guess my point is hunting is hunting. When people just talk about  
web application being exclusive from penetration testing and or other  
avenues of application security where confidentiality, integrity or  
availability are at stake I wonder where this thinking originates  
from? Does it come from business or does it come from a hunters mindset?

I guess I may be a bit old school but I remember when differentiating  
a web application test from a pentest didn't really exist because the  
goal was penetration through any means necessary. At some time after  
2003 did people start talking about how web application security was  
an exclusive area away from penetration testing and application  
security, all the while when viewed through the eyes of an attacker or  
hunter I thought this differentiation in semantics only makes sense in  
the context of deliverables and business objectives.

Not that I don't make those distinctions in an engagement and  
consultation, but at times its best to blend things together to get a  
bigger picture of how seemingly low risk vulnerabilities actually work  
in concert with the overall environment of where a web application  

So wrapping up my point I think its very important for web application  
testing and application testing know the differentiators in how the  
hunt for bugs is performed. The tools may differ and the vulnerability  
classes being hunted for may differ but in many aspects many of the  
techniques and basic fundamentals of bug finding (hunting) remain  
absolutely the same.
> Eg:  ( * indicating speakers if given budget from owasp could be a
> possibility - indicating probably no chance in hell )

I mention these people because over the course of the last 10 years  
they have contributed greatly to the world in which we live. (Eg.  
Application Security , and Information Security In General.
I will provide brief feedback on these characters below in hopes that  
others on the list will be spurred on to learn more about why I  
mentioned these people.

>        * Mark Dowd
>        * John McDonald
>        * Justin Schuh

Mark Dowd and McDonald Authors of 'The Art of Software Security  
Assessment'. Mark Dowd is known to have super human abilities in bug  
tracking. I think John , or Justin Schuh (also an author) worked for  
Bottom line if your in the business of performing security reviews you  
need this book and should follow what these guys say. They know their  

>        * Charlie Miller

Charlie Miller is a great hacker and differentiates himself on some  
extreme fuzzing skills.
His latest co-authored book entitled 'Fuzzing for software security  
and quality assurance'.
I highly recommend this book and I also recommend others to view the  
things Charlie Miller has authored on various security websites as  
well as papers and talks presented at blackhat over the years.

>        - Halvar Flake

One of the best binary reverse engineers of our time and to be honest  
a hackers-hacker.
He teaches a great class on binary reversing at blackhat as well as  
authored BinDiff and BinNavi. You really need to look into Halvar. He  
is probably one of the best hackers on the planet , yet a very humble  

>        - Fx

Hacker who posted a good amount of information on creating exploits  
for cisco IOS.

>        * Dino

Once again another emerging character in the scene of great bug  
trackers. I think it was defcon 8 where he came in second in the CTF  
challenge as a sole member of his own team. He has one the PwnToOwn  
competition at CansecWest (which i highly recommend going to cansec if  
you can)

>        * Andres Andreu (haven't heard from him in a while, is he still
> around... ?)

Authored one of the first official books on web application security.  
He has a fuzzing framework/toolkit for SOAP and web application stuff.

>        - Anyone who wrote some of the older phrack articles.
>        - Older members from the original @stake/L0pht crew.

L0pht was one of the first pentest teams that got big notoriety.

> I think the big question here is if these guys have anything to  
> offer us. Before you all flame me, I don't get caught up in "big  
> names" in the security world, so I don't know these guys from bob @  
> autozone. If enough people ask for a certain person, or someone can  
> provide a really good reason we should invite one of these folks,  
> then I'll present it to OWASP. Nice thing is, as our chapter grows,  
> so will our budget and we'll have more flexibility.
>  Also, its great to have a list of speakers to choose from, thanks  
> for that.

It is always good to know the older generation and to have people to  
aspire towards. Otherwise one's ego gets inflated due to not knowing  
where they really are in reality to the other hunters on the scene.
There is always something to learn. I am surprised you didn't know how  
these guys have contributed to the practical aspects of hacking/ 
pentesting/application security/web application security....

> People I care not to hear a thing from include:
>        * Jeremiah Grossman
>        * Ed Skoudis
> I've heard of JG, but not Ed, why not from these guys? Just curious.

Grossman sells ego more than practical security IMHO.
Which makes me sick. I'm more into ok, lets logically take this apart  
discuss it and put ego's aside.
Ed, is cool but not as in the details technically than I would  
personally enjoy. (from I heard from other speakers along side him at  

I hope this email doesn't come across as a super flame or  chastising,  
but I want it to come across that there may be others in the  
Birmingham / Alabama area which have high expectations in the  
technical speakers which are brought to the table.

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851
"Moments of sorrow are moments of sobriety"



More information about the Owasp-alabama mailing list