[Owasp-alabama] 2010 Meetings
owasp-alabama at lists.owasp.org
owasp-alabama at lists.owasp.org
Thu Jan 28 12:50:53 EST 2010
Very good input Daniel. I really appreciate you taking the time.
I don't take offense easily, so no worries about that.
One thing to keep in mind is that OWASP is an entire organization devoted
wholly to web security. Reversing, network level ,etc, type stuff isn't
really in play here. Now I totally agree that the lessons that apply to WAS
aren't all new, and are many are totally learned from general application
Now here is where my opinion differs:
In my opinion, WAS is drastically different from application security in
that it is a tiered architecture with many elements that simply don't exist
in binary application security (forgive my spin on terminology, just
differentiating one from the other, although I realize the terminology isn't
Let me give a few examples of why I feel this way. Take a standard
client-server binary type application, like AV for example. You have the
software, a socket/protocol, and a server. There are definitely plenty of
attack vectors there, and depending on the design of the software
infrastructure, it could even be larger. But the point is that you control
the client sofware, what capabilities is has, and you control the
socket/protocol, and even the server and how it acts. Lets contrast that
with web applications:
You have a client browser, which you do not control versions or
configuration of. You also have frameworks and implementations of various
underlying sofwares such as flash, java, silverlight, etc, that you have no
control over. Then we are transporting our client/server data over a set of
largely broken protocols that have more holes than a unpatched win 98 box
(little humor =) ). On the server side, it gets even more fun, where you
have a web server, app server, and database server which all carry their own
set of issues at the infrastructure level and at the code level.
All of this to say that I personally feel as though there are enough
significant differences between the two that it warrants a separation. Also
keep in mind that many of the up and coming developers weren't raised on
C++, but were raised on Java and .net. I will say that knowing history keeps
you from repeating it, and the lessons of the past do apply, but I think its
perfectly acceptable to be a web security guy (like me) and not a binary
guy. (loose term) If you are badass enough to do both, and do them well,
then dude, you are a better man that I. =)
I think there is a place for the "big picture" of security, but its not
local OWASP training sessions.
I'm just kicking dialog back and forth here, and I still respect you even if
I don't agree with you. So feel free to continue to express your feelings.
Who knows, you might even change my mind. =)
CISSP, MCSE, C|EH, CIFI, CGSP
In security, an action that is not explicitly denied is inherently allowed.
On Thu, Jan 28, 2010 at 11:11 AM, <owasp-alabama at lists.owasp.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> > Who is it?
> > I will disclose as soon as he has given me his final word. =) He is
> > double checking with wife/work etc, but is nearly sure he'll be there.
> > > Daniel, how about giving us some ideas on what you'd like to see?
> > > What would provide the MOST benefit for you and the folks you know?
> > Please note that my perspective on hacking is not defined only by the
> > lens of webapplication security.
> > Application security == Application security in my mind.
> > Not sure I follow you here. The only way I can speak to this is that
> > OWASP is solely focused on Web application security, and although
> > security in *all* arenas is important, these talks/speakers/meetings
> > won't cover other aspects such as malware analysis, OS security
> > (although some web server stuff is relevant), spam, reversing, etc.
> > I hope I didn't misunderstand you, and if I did, my bad.
> I guess my beef with this mindset in general is if your saying
> application security and web application being different these are
> basically one and the same.
> Certain vulnerability classes definitely emerge from web applications
> which do not exist in other applications but there are many things to
> learn from application security in general which helps aid in web
> application security.
> I guess my point is hunting is hunting. When people just talk about
> web application being exclusive from penetration testing and or other
> avenues of application security where confidentiality, integrity or
> availability are at stake I wonder where this thinking originates
> from? Does it come from business or does it come from a hunters mindset?
> I guess I may be a bit old school but I remember when differentiating
> a web application test from a pentest didn't really exist because the
> goal was penetration through any means necessary. At some time after
> 2003 did people start talking about how web application security was
> an exclusive area away from penetration testing and application
> security, all the while when viewed through the eyes of an attacker or
> hunter I thought this differentiation in semantics only makes sense in
> the context of deliverables and business objectives.
> Not that I don't make those distinctions in an engagement and
> consultation, but at times its best to blend things together to get a
> bigger picture of how seemingly low risk vulnerabilities actually work
> in concert with the overall environment of where a web application
> So wrapping up my point I think its very important for web application
> testing and application testing know the differentiators in how the
> hunt for bugs is performed. The tools may differ and the vulnerability
> classes being hunted for may differ but in many aspects many of the
> techniques and basic fundamentals of bug finding (hunting) remain
> absolutely the same.
> > Eg: ( * indicating speakers if given budget from owasp could be a
> > possibility - indicating probably no chance in hell )
> I mention these people because over the course of the last 10 years
> they have contributed greatly to the world in which we live. (Eg.
> Application Security , and Information Security In General.
> I will provide brief feedback on these characters below in hopes that
> others on the list will be spurred on to learn more about why I
> mentioned these people.
> > * Mark Dowd
> > * John McDonald
> > * Justin Schuh
> Mark Dowd and McDonald Authors of 'The Art of Software Security
> Assessment'. Mark Dowd is known to have super human abilities in bug
> tracking. I think John , or Justin Schuh (also an author) worked for
> Bottom line if your in the business of performing security reviews you
> need this book and should follow what these guys say. They know their
> > * Charlie Miller
> Charlie Miller is a great hacker and differentiates himself on some
> extreme fuzzing skills.
> His latest co-authored book entitled 'Fuzzing for software security
> and quality assurance'.
> I highly recommend this book and I also recommend others to view the
> things Charlie Miller has authored on various security websites as
> well as papers and talks presented at blackhat over the years.
> > - Halvar Flake
> One of the best binary reverse engineers of our time and to be honest
> a hackers-hacker.
> He teaches a great class on binary reversing at blackhat as well as
> authored BinDiff and BinNavi. You really need to look into Halvar. He
> is probably one of the best hackers on the planet , yet a very humble
> > - Fx
> Hacker who posted a good amount of information on creating exploits
> for cisco IOS.
> > * Dino
> Once again another emerging character in the scene of great bug
> trackers. I think it was defcon 8 where he came in second in the CTF
> challenge as a sole member of his own team. He has one the PwnToOwn
> competition at CansecWest (which i highly recommend going to cansec if
> you can)
> > * Andres Andreu (haven't heard from him in a while, is he still
> > around... ?)
> Authored one of the first official books on web application security.
> He has a fuzzing framework/toolkit for SOAP and web application stuff.
> > - Anyone who wrote some of the older phrack articles.
> > - Older members from the original @stake/L0pht crew.
> L0pht was one of the first pentest teams that got big notoriety.
> > I think the big question here is if these guys have anything to
> > offer us. Before you all flame me, I don't get caught up in "big
> > names" in the security world, so I don't know these guys from bob @
> > autozone. If enough people ask for a certain person, or someone can
> > provide a really good reason we should invite one of these folks,
> > then I'll present it to OWASP. Nice thing is, as our chapter grows,
> > so will our budget and we'll have more flexibility.
> > Also, its great to have a list of speakers to choose from, thanks
> > for that.
> It is always good to know the older generation and to have people to
> aspire towards. Otherwise one's ego gets inflated due to not knowing
> where they really are in reality to the other hunters on the scene.
> There is always something to learn. I am surprised you didn't know how
> these guys have contributed to the practical aspects of hacking/
> pentesting/application security/web application security....
> > People I care not to hear a thing from include:
> > * Jeremiah Grossman
> > * Ed Skoudis
> > I've heard of JG, but not Ed, why not from these guys? Just curious.
> Grossman sells ego more than practical security IMHO.
> Which makes me sick. I'm more into ok, lets logically take this apart
> discuss it and put ego's aside.
> Ed, is cool but not as in the details technically than I would
> personally enjoy. (from I heard from other speakers along side him at
> I hope this email doesn't come across as a super flame or chastising,
> but I want it to come across that there may be others in the
> Birmingham / Alabama area which have high expectations in the
> technical speakers which are brought to the table.
> | Daniel Uriah Clemens
> | Packetninjas L.L.C | | http://www.packetninjas.net
> | c. 205.567.6850 | | o. 866.267.8851
> "Moments of sorrow are moments of sobriety"
> -----BEGIN PGP SIGNATURE-----
> -----END PGP SIGNATURE-----
> Owasp-alabama mailing list
> Owasp-alabama at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-alabama