[Owasp-alabama] 2010 Meetings
owasp-alabama at lists.owasp.org
Thu Jan 28 12:11:45 EST 2010
> Who is it?
> I will disclose as soon as he has given me his final word. =) He is
> double checking with wife/work etc, but is nearly sure he'll be there.
> > Daniel, how about giving us some ideas on what you'd like to see?
> > What would provide the MOST benefit for you and the folks you know?
> Please note that my perspective on hacking is not defined only by the
> lens of webapplication security.
> Application security == Application security in my mind.
> Not sure I follow you here. The only way I can speak to this is that
> OWASP is solely focused on Web application security, and although
> security in *all* arenas is important, these talks/speakers/meetings
> won't cover other aspects such as malware analysis, OS security
> (although some web server stuff is relevant), spam, reversing, etc.
> I hope I didn't misunderstand you, and if I did, my bad.
I guess my beef with this mindset in general is that if you're saying
application security and web application security are different, these are
basically one and the same.
Certain vulnerability classes definitely emerge from web applications
which do not exist in other applications but there are many things to
learn from application security in general which helps aid in web
I guess my point is hunting is hunting. When people just talk about
web application being exclusive from penetration testing and/or other
avenues of application security where confidentiality, integrity or
availability are at stake, I wonder where this thinking originates
from. Does it come from business or does it come from a hunter's mindset?
I guess I may be a bit old school, but I remember when differentiating
a web application test from a pentest didn't really exist, because the
goal was penetration through any means necessary. At some time after
2003 people started talking about how web application security was
an exclusive area away from penetration testing and application
security, all the while, when viewed through the eyes of an attacker or
hunter, I thought this differentiation in semantics only makes sense in
the context of deliverables and business objectives.
Not that I don't make those distinctions in an engagement and
consultation, but at times it's best to blend things together to get a
bigger picture of how seemingly low risk vulnerabilities actually work
in concert with the overall environment of where a web application
So, wrapping up my point, I think it's very important for web application
testing and application testing to know the differentiators in how the
hunt for bugs is performed. The tools may differ and the vulnerability
classes being hunted for may differ but in many aspects many of the
techniques and basic fundamentals of bug finding (hunting) remain
absolutely the same.
> Eg: ( * indicates speakers who, if given budget from OWASP, could be a
> possibility; - indicates probably no chance in hell )
I mention these people because over the course of the last 10 years
they have contributed greatly to the world in which we live (e.g.
application security, and information security in general).
I will provide brief feedback on these characters below in hopes that
others on the list will be spurred on to learn more about why I
mentioned these people.
> * Mark Dowd
> * John McDonald
> * Justin Schuh
Mark Dowd and John McDonald are authors of 'The Art of Software Security
Assessment'. Mark Dowd is known to have superhuman abilities in bug
tracking. I think John, or Justin Schuh (also an author), worked for
Bottom line: if you're in the business of performing security reviews you
need this book and should follow what these guys say. They know their
> * Charlie Miller
Charlie Miller is a great hacker and differentiates himself on some
extreme fuzzing skills.
His latest co-authored book is entitled 'Fuzzing for Software Security
Testing and Quality Assurance'.
I highly recommend this book, and I also recommend others to view the
things Charlie Miller has authored on various security websites as
well as papers and talks presented at Black Hat over the years.
> - Halvar Flake
One of the best binary reverse engineers of our time, and to be honest
He teaches a great class on binary reversing at Black Hat, as well as
authored BinDiff and BinNavi. You really need to look into Halvar. He
is probably one of the best hackers on the planet, yet a very humble
> - Fx
Hacker who posted a good amount of information on creating exploits
for Cisco IOS.
> * Dino
Once again, another emerging character in the scene of great bug
trackers. I think it was DEF CON 8 where he came in second in the CTF
challenge as the sole member of his own team. He has won the Pwn2Own
competition at CanSecWest (which I highly recommend going to CanSec if
> * Andres Andreu (haven't heard from him in a while, is he still
> around... ?)
Authored one of the first official books on web application security.
He has a fuzzing framework/toolkit for SOAP and web application stuff.
> - Anyone who wrote some of the older phrack articles.
> - Older members from the original @stake/L0pht crew.
L0pht was one of the first pentest teams that got big notoriety.
> I think the big question here is if these guys have anything to
> offer us. Before you all flame me, I don't get caught up in "big
> names" in the security world, so I don't know these guys from bob @
> autozone. If enough people ask for a certain person, or someone can
> provide a really good reason we should invite one of these folks,
> then I'll present it to OWASP. Nice thing is, as our chapter grows,
> so will our budget and we'll have more flexibility.
> Also, its great to have a list of speakers to choose from, thanks
> for that.
It is always good to know the older generation and to have people to
aspire towards. Otherwise one's ego gets inflated due to not knowing
where they really are in reality relative to the other hunters on the scene.
There is always something to learn. I am surprised you didn't know how
these guys have contributed to the practical aspects of hacking/
pentesting/application security/web application security....
> People I care not to hear a thing from include:
> * Jeremiah Grossman
> * Ed Skoudis
> I've heard of JG, but not Ed, why not from these guys? Just curious.
Grossman sells ego more than practical security, IMHO,
which makes me sick. I'm more into "ok, let's logically take this apart,
discuss it and put egos aside."
Ed is cool, but not as into the details technically as I would
personally enjoy (from what I heard from other speakers alongside him at
I hope this email doesn't come across as a super flame or chastising,
but I want it to come across that there may be others in the
Birmingham / Alabama area who have high expectations of the
technical speakers who are brought to the table.
| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850 | | o. 866.267.8851
"Moments of sorrow are moments of sobriety"