[Owasp-leaders] Creating OWASP 4.0!
John.Steven at owasp.org
Tue Dec 14 09:16:03 EST 2010
Excellent. Glad to have you on-board.

We're going to need a few people to help with each session first
because this is our maiden voyage and second because we want to make
sure that we're leading a dynamic discussion and helping everyone get
hands-on immediately and stay caught up with what advancements are
made in the session.

I'm going to orchestrate some planning calls between now and the
summit, so we can hash out what materials you and Dan will build/bring
to the session.

When I train these days, I'm consistently shocked at 1) how commonly
people gravitate to this vuln. and yet 2) the amount of confusion
still surrounding its causes and effective mitigation. So I think
it's going to be the toughest one to navigate. Hopefully, we can
dispel some of the nonsense. ;-)

On Tue, Dec 14, 2010 at 9:09 AM, Eric Sheridan <eric.sheridan at owasp.org> wrote:
> I'd be happy to assist/lead in the Protecting Against CSRF session. As owner of CSRFGuard, I will be able to provide some useful discussion points including real world integration challenges.
> On Dec 13, 2010, at 11:54 PM, Dan Cornell <dan at denimgroup.com> wrote:
>> (added a couple of individuals to this list to hopefully make sure everyone from both this email and the similar thread on "Creating OWASP 4.0" gets the email)
>>> 5 Protecting against CSRF ????????
>>> * Hygiene
>>> * Discuss/show Frames-busting, cross-domain policy,
>>> * Discuss referrer and other red herrings
>>> * Tokens (crafting, scoping, and checking)
>>> * Discussions, techniques on scale
>>> * Discussions, techniques on CAPTCHA, re-auth, etc.
>> I'd be happy to take this one on. I'll need to make sure my facilitator duties would be compatible with other commitments during the Summit, but assuming that is the case I'd be happy to referee the discussion and help bang out some code.