[Owasp-alabama] 2010 Meetings

owasp-alabama at lists.owasp.org
Thu Jan 28 12:48:05 EST 2010


Dan, can you stop with the inline comments... Be normal....


Chad

On Thu, Jan 28, 2010 at 11:11 AM,  <owasp-alabama at lists.owasp.org> wrote:
>
>> Who is it?
>> I will disclose as soon as he has given me his final word. =)  He is
>> double checking with wife/work etc, but is nearly sure he'll be there.
>>
>> > Daniel, how about giving us some ideas on what you'd like to see?
>>
>>
>> > What would provide the MOST benefit for you and the folks you know?
>>
>> Please note that my perspective on hacking is not defined only by the
>> lens of web application security.
>> Application security == Application security in my mind.
>> Not sure I follow you here. The only way I can speak to this is that
>> OWASP is solely focused on Web application security, and although
>> security in *all* arenas is important, these talks/speakers/meetings
>> won't cover other aspects such as malware analysis, OS security
>> (although some web server stuff is relevant), spam, reversing, etc.
>> I hope I didn't misunderstand you, and if I did, my bad.
>>
>
>
> I guess my beef with this mindset in general is that if you're saying
> application security and web application security are different, these
> are basically one and the same.
> Certain vulnerability classes definitely emerge from web applications
> which do not exist in other applications, but there are many things to
> learn from application security in general which help aid in web
> application security.
> I guess my point is hunting is hunting. When people just talk about
> web application testing being exclusive from penetration testing and/or
> other avenues of application security where confidentiality, integrity or
> availability are at stake, I wonder where this thinking originates
> from. Does it come from business or does it come from a hunter's mindset?
>
> I guess I may be a bit old school, but I remember when differentiating
> a web application test from a pentest didn't really exist because the
> goal was penetration through any means necessary. At some time after
> 2003 people started talking about how web application security was
> an exclusive area away from penetration testing and application
> security, while when viewed through the eyes of an attacker or
> hunter I thought this differentiation in semantics only makes sense in
> the context of deliverables and business objectives.
>
> Not that I don't make those distinctions in an engagement and
> consultation, but at times it's best to blend things together to get a
> bigger picture of how seemingly low risk vulnerabilities actually work
> in concert with the overall environment where a web application
> lives.
>
> So wrapping up my point, I think it's very important for web application
> testing and application testing to know the differentiators in how the
> hunt for bugs is performed. The tools may differ and the vulnerability
> classes being hunted for may differ, but in many aspects many of the
> techniques and basic fundamentals of bug finding (hunting) remain
> absolutely the same.
>>
>>
>> E.g.: ( * indicating speakers who, if given budget from OWASP, could be a
>> possibility; - indicating probably no chance in hell )
>
> I mention these people because over the course of the last 10 years
> they have contributed greatly to the world in which we live (e.g.
> application security, and information security in general).
> I will provide brief feedback on these characters below in hopes that
> others on the list will be spurred on to learn more about why I
> mentioned these people.
>
>>        * Mark Dowd
>>        * John McDonald
>>        * Justin Schuh
>
>
> Mark Dowd and John McDonald are the authors of 'The Art of Software Security
> Assessment'. Mark Dowd is known to have superhuman abilities in bug
> tracking. I think John, or Justin Schuh (also an author), worked for
> the NSA.
> Bottom line: if you're in the business of performing security reviews you
> need this book and should follow what these guys say. They know their
> stuff.
>
>
>>        * Charlie Miller
>
> Charlie Miller is a great hacker and differentiates himself on some
> extreme fuzzing skills.
> His latest co-authored book is entitled 'Fuzzing for software security
> and quality assurance'.
> I highly recommend this book and I also recommend others to view the
> things Charlie Miller has authored on various security websites as
> well as papers and talks presented at Black Hat over the years.
>
>
>>        - Halvar Flake
>
> One of the best binary reverse engineers of our time and, to be honest,
> a hacker's hacker.
> He teaches a great class on binary reversing at Black Hat as well as
> having authored BinDiff and BinNavi. You really need to look into Halvar. He
> is probably one of the best hackers on the planet, yet a very humble
> guy.
>
>>        - Fx
>
> Hacker who posted a good amount of information on creating exploits
> for Cisco IOS.
>
>>        * Dino
>
> Once again another emerging character in the scene of great bug
> trackers. I think it was DEF CON 8 where he came in second in the CTF
> challenge as the sole member of his own team. He has won the Pwn2Own
> competition at CanSecWest (which I highly recommend going to if
> you can).
>
>>        * Andres Andreu (haven't heard from him in a while, is he still
>> around... ?)
>
> Authored one of the first official books on web application security.
> He has a fuzzing framework/toolkit for SOAP and web application stuff.
>
>>        - Anyone who wrote some of the older phrack articles.
>>        - Older members from the original @stake/L0pht crew.
>
> L0pht was one of the first pentest teams that got big notoriety.
>
>> I think the big question here is if these guys have anything to
>> offer us. Before you all flame me, I don't get caught up in "big
>> names" in the security world, so I don't know these guys from bob @
>> autozone. If enough people ask for a certain person, or someone can
>> provide a really good reason we should invite one of these folks,
>> then I'll present it to OWASP. Nice thing is, as our chapter grows,
>> so will our budget and we'll have more flexibility.
>> Also, it's great to have a list of speakers to choose from, thanks
>> for that.
>
>
> It is always good to know the older generation and to have people to
> aspire towards. Otherwise one's ego gets inflated due to not knowing
> where they really are in reality to the other hunters on the scene.
> There is always something to learn. I am surprised you didn't know how
> these guys have contributed to the practical aspects of hacking/
> pentesting/application security/web application security....
>
>> People I care not to hear a thing from include:
>>        * Jeremiah Grossman
>>        * Ed Skoudis
>>
>> I've heard of JG, but not Ed, why not from these guys? Just curious.
>>
>
> Grossman sells ego more than practical security, IMHO.
> Which makes me sick. I'm more into "ok, let's logically take this apart,
> discuss it and put egos aside."
> Ed is cool but not as into the details technically as I would
> personally enjoy (from what I heard from other speakers alongside him at
> SANS).
>>
>
>
> I hope this email doesn't come across as a super flame or chastising,
> but I want it to come across that there may be others in the
> Birmingham / Alabama area who have high expectations of the
> technical speakers who are brought to the table.
>
> | Daniel Uriah Clemens
> | Packetninjas L.L.C | | http://www.packetninjas.net
> | c. 205.567.6850      | | o. 866.267.8851
> "Moments of sorrow are moments of sobriety"
>



-- 
Thanks,

Chad Holmes

http://www.linkedin.com/in/chadholmes

