[Owasp-alabama] 2010 Meetings
owasp-alabama at lists.owasp.org
owasp-alabama at lists.owasp.org
Thu Jan 28 15:31:27 EST 2010
by the way, this conversation isn't limited to Daniel and I. All you guys on
the list, please weight in.
These are the type conversations that can really shape our local chapter and
what we do as a group. If the majority of you guys agree with Daniel, now
would be a great time to speak up. My opinion is not set in stone, nor is
how the OWASP Alabama chapter operates. I'd love to hear both sides of the
fence, and who knows, maybe we'll learn something.
CISSP, MCSE, C|EH, CIFI, CGSP
In security, an action that is not explicitly denied is inherently allowed.
On Thu, Jan 28, 2010 at 11:50 AM, Brad Causey <bradcausey at gmail.com> wrote:
> Very good input Daniel. I really appreciate you taking the time.
> I don't take offense easily, so no worries about that.
> One thing to keep in mind is that OWASP is an entire organization devoted
> wholly to web security. Reversing, network level ,etc, type stuff isn't
> really in play here. Now I totally agree that the lessons that apply to WAS
> aren't all new, and are many are totally learned from general application
> Now here is where my opinion differs:
> In my opinion, WAS is drastically different from application security in
> that it is a tiered architecture with many elements that simply don't exist
> in binary application security (forgive my spin on terminology, just
> differentiating one from the other, although I realize the terminology isn't
> Let me give a few examples of why I feel this way. Take a standard
> client-server binary type application, like AV for example. You have the
> software, a socket/protocol, and a server. There are definitely plenty of
> attack vectors there, and depending on the design of the software
> infrastructure, it could even be larger. But the point is that you control
> the client sofware, what capabilities is has, and you control the
> socket/protocol, and even the server and how it acts. Lets contrast that
> with web applications:
> You have a client browser, which you do not control versions or
> configuration of. You also have frameworks and implementations of various
> underlying sofwares such as flash, java, silverlight, etc, that you have no
> control over. Then we are transporting our client/server data over a set of
> largely broken protocols that have more holes than a unpatched win 98 box
> (little humor =) ). On the server side, it gets even more fun, where you
> have a web server, app server, and database server which all carry their own
> set of issues at the infrastructure level and at the code level.
> All of this to say that I personally feel as though there are enough
> significant differences between the two that it warrants a separation. Also
> keep in mind that many of the up and coming developers weren't raised on
> C++, but were raised on Java and .net. I will say that knowing history keeps
> you from repeating it, and the lessons of the past do apply, but I think its
> perfectly acceptable to be a web security guy (like me) and not a binary
> guy. (loose term) If you are badass enough to do both, and do them well,
> then dude, you are a better man that I. =)
> I think there is a place for the "big picture" of security, but its not
> local OWASP training sessions.
> I'm just kicking dialog back and forth here, and I still respect you even
> if I don't agree with you. So feel free to continue to express your
> feelings. Who knows, you might even change my mind. =)
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
> In security, an action that is not explicitly denied is inherently allowed.
> On Thu, Jan 28, 2010 at 11:11 AM, <owasp-alabama at lists.owasp.org> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> > Who is it?
>> > I will disclose as soon as he has given me his final word. =) He is
>> > double checking with wife/work etc, but is nearly sure he'll be there.
>> > > Daniel, how about giving us some ideas on what you'd like to see?
>> > > What would provide the MOST benefit for you and the folks you know?
>> > Please note that my perspective on hacking is not defined only by the
>> > lens of webapplication security.
>> > Application security == Application security in my mind.
>> > Not sure I follow you here. The only way I can speak to this is that
>> > OWASP is solely focused on Web application security, and although
>> > security in *all* arenas is important, these talks/speakers/meetings
>> > won't cover other aspects such as malware analysis, OS security
>> > (although some web server stuff is relevant), spam, reversing, etc.
>> > I hope I didn't misunderstand you, and if I did, my bad.
>> I guess my beef with this mindset in general is if your saying
>> application security and web application being different these are
>> basically one and the same.
>> Certain vulnerability classes definitely emerge from web applications
>> which do not exist in other applications but there are many things to
>> learn from application security in general which helps aid in web
>> application security.
>> I guess my point is hunting is hunting. When people just talk about
>> web application being exclusive from penetration testing and or other
>> avenues of application security where confidentiality, integrity or
>> availability are at stake I wonder where this thinking originates
>> from? Does it come from business or does it come from a hunters mindset?
>> I guess I may be a bit old school but I remember when differentiating
>> a web application test from a pentest didn't really exist because the
>> goal was penetration through any means necessary. At some time after
>> 2003 did people start talking about how web application security was
>> an exclusive area away from penetration testing and application
>> security, all the while when viewed through the eyes of an attacker or
>> hunter I thought this differentiation in semantics only makes sense in
>> the context of deliverables and business objectives.
>> Not that I don't make those distinctions in an engagement and
>> consultation, but at times its best to blend things together to get a
>> bigger picture of how seemingly low risk vulnerabilities actually work
>> in concert with the overall environment of where a web application
>> So wrapping up my point I think its very important for web application
>> testing and application testing know the differentiators in how the
>> hunt for bugs is performed. The tools may differ and the vulnerability
>> classes being hunted for may differ but in many aspects many of the
>> techniques and basic fundamentals of bug finding (hunting) remain
>> absolutely the same.
>> > Eg: ( * indicating speakers if given budget from owasp could be a
>> > possibility - indicating probably no chance in hell )
>> I mention these people because over the course of the last 10 years
>> they have contributed greatly to the world in which we live. (Eg.
>> Application Security , and Information Security In General.
>> I will provide brief feedback on these characters below in hopes that
>> others on the list will be spurred on to learn more about why I
>> mentioned these people.
>> > * Mark Dowd
>> > * John McDonald
>> > * Justin Schuh
>> Mark Dowd and McDonald Authors of 'The Art of Software Security
>> Assessment'. Mark Dowd is known to have super human abilities in bug
>> tracking. I think John , or Justin Schuh (also an author) worked for
>> Bottom line if your in the business of performing security reviews you
>> need this book and should follow what these guys say. They know their
>> > * Charlie Miller
>> Charlie Miller is a great hacker and differentiates himself on some
>> extreme fuzzing skills.
>> His latest co-authored book entitled 'Fuzzing for software security
>> and quality assurance'.
>> I highly recommend this book and I also recommend others to view the
>> things Charlie Miller has authored on various security websites as
>> well as papers and talks presented at blackhat over the years.
>> > - Halvar Flake
>> One of the best binary reverse engineers of our time and to be honest
>> a hackers-hacker.
>> He teaches a great class on binary reversing at blackhat as well as
>> authored BinDiff and BinNavi. You really need to look into Halvar. He
>> is probably one of the best hackers on the planet , yet a very humble
>> > - Fx
>> Hacker who posted a good amount of information on creating exploits
>> for cisco IOS.
>> > * Dino
>> Once again another emerging character in the scene of great bug
>> trackers. I think it was defcon 8 where he came in second in the CTF
>> challenge as a sole member of his own team. He has one the PwnToOwn
>> competition at CansecWest (which i highly recommend going to cansec if
>> you can)
>> > * Andres Andreu (haven't heard from him in a while, is he still
>> > around... ?)
>> Authored one of the first official books on web application security.
>> He has a fuzzing framework/toolkit for SOAP and web application stuff.
>> > - Anyone who wrote some of the older phrack articles.
>> > - Older members from the original @stake/L0pht crew.
>> L0pht was one of the first pentest teams that got big notoriety.
>> > I think the big question here is if these guys have anything to
>> > offer us. Before you all flame me, I don't get caught up in "big
>> > names" in the security world, so I don't know these guys from bob @
>> > autozone. If enough people ask for a certain person, or someone can
>> > provide a really good reason we should invite one of these folks,
>> > then I'll present it to OWASP. Nice thing is, as our chapter grows,
>> > so will our budget and we'll have more flexibility.
>> > Also, its great to have a list of speakers to choose from, thanks
>> > for that.
>> It is always good to know the older generation and to have people to
>> aspire towards. Otherwise one's ego gets inflated due to not knowing
>> where they really are in reality to the other hunters on the scene.
>> There is always something to learn. I am surprised you didn't know how
>> these guys have contributed to the practical aspects of hacking/
>> pentesting/application security/web application security....
>> > People I care not to hear a thing from include:
>> > * Jeremiah Grossman
>> > * Ed Skoudis
>> > I've heard of JG, but not Ed, why not from these guys? Just curious.
>> Grossman sells ego more than practical security IMHO.
>> Which makes me sick. I'm more into ok, lets logically take this apart
>> discuss it and put ego's aside.
>> Ed, is cool but not as in the details technically than I would
>> personally enjoy. (from I heard from other speakers along side him at
>> I hope this email doesn't come across as a super flame or chastising,
>> but I want it to come across that there may be others in the
>> Birmingham / Alabama area which have high expectations in the
>> technical speakers which are brought to the table.
>> | Daniel Uriah Clemens
>> | Packetninjas L.L.C | | http://www.packetninjas.net
>> | c. 205.567.6850 | | o. 866.267.8851
>> "Moments of sorrow are moments of sobriety"
>> -----BEGIN PGP SIGNATURE-----
>> -----END PGP SIGNATURE-----
>> Owasp-alabama mailing list
>> Owasp-alabama at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-alabama