[Owasp-boston] OWASP Boston Tuesday mtg - still on, even better

Weiler, Jim Jim.Weiler at starwoodhotels.com
Mon Mar 9 09:47:35 EDT 2009

The Source Boston Java Security class was cancelled but Sahba is still
coming to present at our OWASP meeting.  The Firefox add-in tools they
have are very interesting; if you can't afford a web app vulnerability
scanner product (and even if you can) these tools should be in your

Anybody want to be a Pizza Sponsor?

Web Application Source Code Threat Analysis; Pen Test Tools, from
Security Compass 

Tool demo - 

Exploit-Me Series - Free Firefox Application Penetration Testing Suite 

The Exploit-Me series of tools are plug-ins to Firefox that allow for
easy "right-click" style parameter fuzzing for web applications. The
toolset is made specifically for security consultants, developers and QA
staff to facilitate testing of applications. Sahba Kazerooni of Security
Compass will demonstrate the use of the XSS-Me and SQL Inject Me tools. 

Main Presentation 

Framework-Level Threat Analysis - Adding science to the art of source
code review 

A traditional Threat Model is an effective tool for determining the
threats that pose a risk to the architectural components of an
application. But what if we wish to enumerate the threats that face the
developmental components? Framework-Level Threat Analysis is a systemic
approach to code review that speaks to the development staff by
examining the underlying object model of an application. 

In Framework-Level Threat Analysis, you are reviewing the application's
source code and breaking it down to its various components (servlet
container, servlets, controller, delegate, command/business object, DAO,
etc...), very similar to how you break down an app into its various
architectural components in a standard TM. You then analyze a good
number of use cases and model the way that data moves between the
various components. The next step is to analyze each of the components
in the path (can be as detailed as reviewing class by class) and
document which security controls are happening where in the call flow.
Once you've done that, it becomes visually apparent which security
controls are missing in each use case. 

Sahba Kazerooni is a security consultant with a strong background in
J2EE software architecture and development. At Security Compass he
harvests his unique blend of development and security knowledge in
threat modeling, runtime security assessment, and source code review of
client applications while at the same time leveraging his field
experience to deliver Security Compass' one-of-a-kind training
curriculum to organizations around the world. Mr. Kazerooni is an expert
in application security assessments, having performed threat analysis,
penetration testing, and source code review on numerous client
applications. Sahba also plays a critical role in developing and
delivering the curriculum of Security Compass training services. He has
developed and taught courses on various topics such as Exploiting and
Defending Web Applications, Application Security Awareness, and Secure
Coding in J2EE. He has presented at conferences around the world,
including the Black Hat Security Conference in Amsterdam. He delivers
Java secure coding training at the SANS Institute and has provided
numerous presentations through ISC2 to their elite network of certified
information security professionals. 

Jim Weiler   CISSP
Starwood Hotels and Resorts
Sr. Mgr. Information Security Risk Assessment
Office - 781 356 0067
Cell - 781 654 6048

This electronic message transmission contains information from the Company that may be proprietary, confidential and/or privileged. 
The information is intended only for the use of the individual(s) or entity named above.  If you are not the intended recipient, be 
aware that any disclosure, copying or distribution or use of the contents of this information is prohibited.  If you have received 
this electronic transmission in error, please notify the sender immediately by replying to the address listed in the "From:" field. 
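The review procedure described in the Framework-Level Threat Analysis abstract (break the source into its framework components, trace the data path of each use case across them, record which security control fires in which component, then read off the controls no component on the path applies) can be captured in a small model so the gaps show up per use case. The script below is an added illustration, not material from the announcement, the talk or Security Compass; the component names, layers, control names and use cases are constructed for the example, and the set of controls a use case is expected to meet is an assumption that a real review would tailor.

```python
"""
Framework-level threat analysis as a data model: components on a call
path, the security control(s) each one enforces, and a per-use-case gap
report. All components, controls and use cases here are constructed for
illustration (hypothetical J2EE-style layers), not taken from any project.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Controls a use case is expected to see somewhere on its path (assumption).
ALL_CONTROLS = [
    "authentication", "authorization", "input_validation",
    "parameterized_query", "output_encoding",
]


@dataclass(frozen=True)
class Component:
    name: str
    layer: str                               # servlet container, servlet, controller, dao ...
    controls: FrozenSet[str] = frozenset()   # controls this component enforces


@dataclass
class UseCase:
    name: str
    path: List[Component]                    # components in the order data moves through them
    required: Set[str] = field(default_factory=lambda: set(ALL_CONTROLS))


def control_map(uc: UseCase) -> Dict[str, List[str]]:
    """Which component(s) on the path enforce each control, in call order."""
    where: Dict[str, List[str]] = {ctl: [] for ctl in ALL_CONTROLS}
    for comp in uc.path:
        for ctl in comp.controls:
            where.setdefault(ctl, []).append(comp.name)
    return where


def missing_controls(uc: UseCase) -> List[str]:
    """Required controls that no component on the use case's path applies."""
    present = {ctl for comp in uc.path for ctl in comp.controls}
    return sorted(uc.required - present)


def gap_report(usecases: List[UseCase]) -> Dict[str, List[str]]:
    return {uc.name: missing_controls(uc) for uc in usecases}


def render_matrix(uc: UseCase) -> str:
    """Text matrix: rows are components in call order, columns are the
    controls this use case requires; 'X' where enforced, '-' where not.
    A column with no X at all is a missing control for the use case."""
    cols = [ctl for ctl in ALL_CONTROLS if ctl in uc.required]
    width = max(len(comp.name) for comp in uc.path)
    lines = [f"use case: {uc.name}",
             " " * width + "  " + "  ".join(ctl[:6] for ctl in cols)]
    for comp in uc.path:
        marks = "  ".join(("X" if ctl in comp.controls else "-").ljust(6) for ctl in cols)
        lines.append(f"{comp.name.ljust(width)}  {marks}")
    miss = missing_controls(uc)
    lines.append("missing: " + (", ".join(miss) if miss else "none"))
    return "\n".join(lines)


# Constructed sample model: one clean path, one with gaps, one pre-login flow.
auth_filter    = Component("AuthFilter", "servlet container", frozenset({"authentication"}))
acct_servlet   = Component("AccountServlet", "servlet", frozenset({"input_validation"}))
acct_ctrl      = Component("AccountController", "controller", frozenset({"authorization"}))
acct_delegate  = Component("AccountDelegate", "delegate")
acct_dao       = Component("AccountDAO", "dao", frozenset({"parameterized_query"}))
acct_view      = Component("AccountView", "view", frozenset({"output_encoding"}))
report_servlet = Component("ReportServlet", "servlet")            # validates nothing
report_ctrl    = Component("ReportController", "controller")      # no authorization check
legacy_dao     = Component("LegacyReportDAO", "dao")              # builds SQL by concatenation
report_view    = Component("ReportView", "view", frozenset({"output_encoding"}))
login_servlet  = Component("LoginServlet", "servlet", frozenset({"input_validation"}))
login_view     = Component("LoginView", "view", frozenset({"output_encoding"}))

USE_CASES = [
    UseCase("view account",
            [auth_filter, acct_servlet, acct_ctrl, acct_delegate, acct_dao, acct_view]),
    UseCase("run report",
            [auth_filter, report_servlet, report_ctrl, legacy_dao, report_view]),
    # A pre-login flow cannot be expected to authenticate or authorize,
    # so its required set is narrowed instead of reporting false gaps.
    UseCase("login", [login_servlet, acct_dao, login_view],
            required={"input_validation", "parameterized_query", "output_encoding"}),
]

if __name__ == "__main__":
    for uc in USE_CASES:
        print(render_matrix(uc))
        print()
```

Running it prints one matrix per use case; the "run report" path shows empty columns for authorization, input validation and parameterized queries, which is the visual cue the abstract describes. Tailoring `required` per use case keeps the report honest for flows (such as login) where a control genuinely does not apply.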