[Owasp-portland] What are you more interested in learning about?

Mike Lonergan mikethecanuck at gmail.com
Fri May 7 23:51:58 EDT 2010


Well heck, if the bar is so low I'll throw my hat in the ring. I get
fired up about:
- threat modeling
- Chicken Little syndrome
- authentication
- *useful* distinctions in crypto-land
- the overuse of firewalls, IDS and NAT

I'm sure no one here's ever heard of me, so a little intro is in
order: I've done security consulting as a blue badge for both
Microsoft and Intel (my current employer), and while I started out my
career as an infrastructure security guy, I'm pretty heavily into the
design side of SDL now.  I've got plenty of opinions (and a few of 'em
may be worthwhile), and I monkey around with a few .NET code projects
on Codeplex.

Happy to help get some momentum going, especially if there are a few
willing zealots in the room to banter back & forth on a hot button
issue with me.

Oh, and BTW I'm Canadian (and insufferably vocal about it).

Cheers,
Mike Lonergan

On May 6, 2010, at 8:53 PM, "Timothy D. Morgan" <tmorgan-owasp at vsecurity.com> wrote:

> Hey Wil,
>
>> I like your ideas.  Some more off the top of my head:
>
> Good.  Do any of the items on my list stand out as ones you'd like to
> hear about first?
>
>> - HTML 5 vulnerabilities and/or surface area.  Video/Audio/Canvas
>> aside, seems like there is room for some discussion about data
>> attributes, local storage, offline apps, geolocation, etc.
>
> I'm definitely interested in hearing more about HTML 5 security.
>
>> - Pros and Cons of CSP (https://wiki.mozilla.org/Security/CSP)
>
> This would also be awesome to hear more about.  I've personally become
> more interested in how HTTP/HTML/browser/etc standards can address
> broad categories of issues.
>
>> - Threats and exploits using Unicode.  The O'Reilly book on Unicode is
>> 700 pages long and I think I've met 2 people in my life that fully
>> understand Unicode and encoding.  This area seems ripe for abuse.
>
> Hah, you've met 2?  I haven't met any, though I've had to wrestle
> with it a bit now and again, and enjoy UTF-7 XSS. =)
>
>> - Logging best practices, both in the app and on the backend
>> (aggregation, storage, analysis)
>>
>> - Vulnerabilities we can expect due to the rise of mobile devices.
>> I'm not sure there is a presentation here, but something to think
>> about:  alternate views of data for the small screens, alternate
>> routes onto a network, complete trust in app stores, etc.
>
> All of these are great ideas.  Would you like to present on some of
> them?
>
> A note to everyone: we don't necessarily need a polished formal
> presentation from you to come and start a discussion on a topic.  A
> handful of slides (or a sketch on a white board) along with a topic
> you're passionate about is more than enough to get us thinking.
> Think of it as playing Discussion Leader.
>
> We clearly haven't had a strong start to getting regular meetings
> going, and it's primarily because we've had a heck of a time getting
> folks to commit to speaking.  I plan on jumping in more when I can,
> but I think everyone will start to get kind of sick of listening to me
> after a while.
>
>
> tim
> _______________________________________________
> Owasp-portland mailing list
> Owasp-portland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-portland