[Owasp-boston] OWASP RI: Tuesday, Aug 18 - Access in Maliceland

Patrick Laverty patrick.laverty at owasp.org
Tue Aug 4 14:39:11 UTC 2015


Hi Everyone,

Just wanted to let you know that in two weeks, we will have the honor of
hosting Gunnar Peterson to talk about access control security. The
description and his bio are below.

The meeting will be at Swipely's offices, 10 Dorrance Street in Providence,
6:30 pm. I hope you all can attend. Please either reply to this email or
use the RSVP on our meet up page here:
http://www.meetup.com/Providence-Web-Application-Security-Meetup-OWASP-RI/events/224267880/

We are always open for new speakers or suggested topics. We don't currently
have any other future talks lined up, so now is the time to send over
either offers to present or topic ideas.

Thank you!

Access in Maliceland
John Lambert observed attackers win because while defenders think in lists,
attackers think in graphs. Access control systems divide the system a
priori into secure and insecure states. But that's only worth the paper it's
printed on. Attackers see the system as it is; for attackers, the access
control scheme is the beginning of the game, not the end. Determined
attackers seek out access control models and then find holes that they can
leverage. Access control systems that purport to protect the system are
built on assumptions from which reality diverges. Application security
needs a new approach to access control: adding feedback loops for risk-based
decisions, fine-grained, dynamic access control.
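The abstract contrasts a static entitlement list with a decision point that also weighs runtime risk and learns from outcomes. The following is an added illustration of that idea, not code from the talk or its speaker: a policy decision point that first checks the a priori role list, then scores the request on signals such as unknown device, location change and action sensitivity, and finally adjusts a per-user risk baseline from what happened after the decision (the feedback loop). Every name, threshold, signal and sample request here is a constructed assumption.

```python
"""Risk-based, dynamic access control with a feedback loop (added example).

All roles, thresholds, signals and sample requests are constructed assumptions
made for this illustration; they are not from the talk or the speaker.
"""
from dataclasses import dataclass
from typing import Dict, List

# The static "list": what each role is entitled to, decided a priori.
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "admin": {"report:read", "report:delete", "user:manage"},
}
SENSITIVE_ACTIONS = {"report:delete", "user:manage"}


@dataclass
class Request:
    user: str
    role: str
    action: str
    device_known: bool
    geo: str
    recent_failures: int = 0


@dataclass
class Decision:
    effect: str          # "allow", "step_up" (require MFA) or "deny"
    score: int
    reasons: List[str]


class RiskEngine:
    """Static entitlement check plus runtime risk score plus learned baseline."""

    def __init__(self) -> None:
        self.user_risk: Dict[str, int] = {}   # baseline raised/lowered by feedback
        self.usual_geo: Dict[str, str] = {}   # first successfully used location

    def score(self, req: Request):
        reasons: List[str] = []
        s = self.user_risk.get(req.user, 0)
        if not req.device_known:
            s += 30
            reasons.append("unknown device")
        if req.recent_failures >= 3:
            s += 25
            reasons.append("repeated recent failures")
        usual = self.usual_geo.get(req.user)
        if usual is not None and usual != req.geo:
            s += 25
            reasons.append("location differs from usual")
        if req.action in SENSITIVE_ACTIONS:
            s += 20
            reasons.append("sensitive action")
        return s, reasons

    def decide(self, req: Request) -> Decision:
        # Step 1: the a priori list still applies; no risk score can widen it.
        if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
            return Decision("deny", 0, ["not entitled by role"])
        # Step 2: fine-grained, dynamic decision on top of the static grant.
        s, reasons = self.score(req)
        if s >= 70:
            return Decision("deny", s, reasons)
        if s >= 40:
            return Decision("step_up", s, reasons)
        return Decision("allow", s, reasons)

    def feedback(self, req: Request, outcome: str) -> None:
        """Feedback loop. Outcome labels are constructed: 'success',
        'mfa_failed' or 'flagged_by_ir' (incident response confirmed abuse)."""
        current = self.user_risk.get(req.user, 0)
        if outcome == "success":
            self.user_risk[req.user] = max(0, current - 5)
            self.usual_geo.setdefault(req.user, req.geo)
        elif outcome == "mfa_failed":
            self.user_risk[req.user] = current + 20
        elif outcome == "flagged_by_ir":
            self.user_risk[req.user] = current + 50


def run_sample() -> List[Decision]:
    """Constructed scenario: the same static grant yields different decisions
    as risk signals and feedback accumulate."""
    engine = RiskEngine()
    out = []
    r1 = Request("alice", "analyst", "report:read", True, "Providence")
    out.append(engine.decide(r1))              # allow, score 0
    engine.feedback(r1, "success")
    out.append(engine.decide(Request("alice", "analyst", "report:delete", True, "Providence")))  # deny: not entitled
    r3 = Request("bob", "admin", "report:delete", False, "Providence")
    out.append(engine.decide(r3))              # step_up: unknown device + sensitive = 50
    engine.feedback(r3, "mfa_failed")          # baseline for bob rises to 20
    out.append(engine.decide(Request("bob", "admin", "user:manage", False, "Providence")))  # deny: 20+30+20 = 70
    return out


if __name__ == "__main__":
    for d in run_sample():
        print(d.effect, d.score, d.reasons)
```

The point of the design is that the static list never gets wider at runtime; risk only narrows it (step-up or deny), and the outcome of each decision feeds the next one instead of the policy being fixed once and forgotten.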

Security is a business with a very long list of issues and requirements.
The spreadsheets are miles long. This makes it essential to find reusable
solution patterns that can address multiple problems. This presentation
looks at both medium-term improvements and code examples to improve access
control decisions and overall security today.

About the Speaker
Gunnar Peterson (@oneraindrop) focuses on security architecture consulting
and training. Experience includes Associate Editor for IEEE Security &
Privacy Journal, a Microsoft MVP for App security, an IANS Research Faculty
member, a Securosis Contributing Analyst, and a Visiting Scientist at
Carnegie Mellon Software Engineering Institute. He maintains a popular
information security blog at http://1raindrop.typepad.com.