[Owasp-boston] May 4 Meeting, Group news

Weiler, Jim Jim.Weiler at Staples.com
Fri Apr 29 09:55:56 EDT 2005


Hi Folks,


********************   May 4 Meeting   **********************************
Patrick Hynds, CTO of CriticalSites, Microsoft Regional Director, MCSE+I,
MCSD, MCDBA, MCP+Site Builder, MCT
will give a presentation on passwords.

Passwords: Keys to the Kingdom
Passwords can be your friend, but more often they are your enemy. In this
session we discuss the fatal mistakes made by organizations and specifically
developers relative to password creation, storage and policy.  This session
has something for everyone, developers and network admins alike so long as
they are interested in keeping their systems secure.

I've seen Patrick speak and he's a very knowledgable and entertaining guy
with lots of experience and interesting stories. He's also given lots of
presentations in the Microsoft room we meet in so he's very familiar with
the room, which is useful for this meeting because I won't be there. I'll be
taking the first public offering of Foundstone's Java Security class in
Dallas; I'll let you know how the class went. I'll have to save the
remaining Microsoft giveaway software for the June meeting.


*********************  June 1 Meeting   *******************
Fishnet Security is an information security solutions provider and they've
recently opened a New England office in Westboro. One of their top technical
guys, Arian Evans will be presenting and he wanted to know which of 3
possible topics would be of interest, so send me or the OWASP Boston list an
email stating your preferences - 

1. Secrets of Session Attacks and Strong Session Handling
 
New ways to attack webapps, new ways to implement dynamic tokens and
entrypoints to defend the session which has the added benefit of stopping
the vast majority of XSS exploitation and breaking automated scanners/webapp
hacking tools.
 
2. Tools of the Trade:
 
This is an overview of the OWASP Tools project which I lead. It basically
outlines application security, provides a taxonomy of seven types of ways to
test applications, and breaks down all the tools that are available and
which testing categories they fit into. This came about as a response to all
the vendor FUD and answering the same questions over and over; wanted to
create a single, independent resource on tools and testing techniques.
 
3. Flash Forward:
 
This is new research on next-generation UIs (Flash, Windows Avalon) and what
binary formats and vector-based rendering mean to security (changes the
scanning game, no arbitrary javascript injection/XSS or related silliness,
etc.) and to application design.


*********************  Group News   *************
Don't forget all OWASP Boston group members get a 20% discount on O'Reilly,
No Starch, Paraglyph, Pragmatic Bookshelf, SitePoint, and Syngress books and
O'Reilly conferences. Just use code DSUG.

The presentations from the April meeting by Jon Levin and Jothy Rosenberg
should be on the OWASP Boston site by this weekend.


Jim Weiler
Staples North American Application Services
Application Architect
508 2533884




More information about the Owasp-boston mailing list