[Owasp-portland] What are you more interested in learning about?

Wil Clouser clouserw at gmail.com
Fri May 7 20:34:47 EDT 2010


On Thu, May 6, 2010 at 8:53 PM, Timothy D. Morgan
<tmorgan-owasp at vsecurity.com> wrote:
> Hey Wil,
>
>> I like your ideas.  Some more off the top of my head:
>
> Good.  Do any of the items on my list stand out as ones you'd like to
> hear about first?

I think cryptography stuff is interesting.

>> - HTML 5 vulnerabilities and/or surface area.  Video/Audio/Canvas
>> aside, seems like there is room for some discussion about data
>> attributes, local storage, offline apps, geolocation, etc.
>
> I'm definitely interested in hearing more about HTML 5 security.
>
>> - Pros and Cons of CSP (https://wiki.mozilla.org/Security/CSP)
>
> This would also be awesome to hear more about.  I've personally become
> more interested in how HTTP/HTML/browser/etc standards can address
> broad categories of issues.
>
>> - Threats and exploits using Unicode.  The O'Reilly book on Unicode is
>> 700 pages long and I think I've met 2 people in my life that fully
>> understand Unicode and encoding.  This area seems ripe for abuse.
>
> Hah, you've met 2?  I haven't met any, though I've had to wrestle
> with it a bit now and again, and enjoy UTF-7 XSS. =)
>
>> - Logging best practices, both in the app and on the backend
>> (aggregation, storage, analysis)
>>
>> - Vulnerabilities we can expect due to the rise of mobile devices.
>> I'm not sure there is a presentation here, but something to think
>> about:  alternate views of data for the small screens, alternate
>> routes onto a network, complete trust in app stores, etc.
>
> All of these are great ideas.  Would you like to present on some of
> them?

Ha, I see what you did there. ;)  I'm familiar with them, but not
necessarily from a security standpoint - at least not from a high
level standpoint.  The most interesting thing I could talk about on
the list is CSP, but it won't be anything you don't know if you've
read the wiki pages on it.

> A note to everyone: we don't necessarily need a polished formal
> presentation from you to come and start a discussion on a topic.  A
> handful of slides (or a sketch on a white board) along with a topic
> you're passionate about is more than enough to get us thinking.
> Think of it as playing Discussion Leader.
>
> We clearly haven't had a strong start to getting regular meetings
> going, and it's primarily because we've had a heck of a time getting
> folks to commit to speaking.  I plan on jumping in more when I can,
> but I think everyone will start to get kind of sick of listening to me
> after a while.

I'll try to come up with some topics that I have more experience with.

Wil

