[Owasp-portland] Owasp-portland Digest, Vol 31, Issue 3

Cathryn Olds COlds at themillcasino.com
Wed Mar 20 22:47:44 UTC 2013


I would vote for:
Title: Access Control Design Best Practices
Title: Cross Site Scripting Advanced Defense

Thank you,
Cathryn S. Olds, MSISA
IT Security Administrator
The Mill Casino Hotel
541-217-2271

-----Original Message-----
From: owasp-portland-bounces at lists.owasp.org [mailto:owasp-portland-bounces at lists.owasp.org] On Behalf Of owasp-portland-request at lists.owasp.org
Sent: Wednesday, March 20, 2013 3:35 PM
To: owasp-portland at lists.owasp.org
Subject: Owasp-portland Digest, Vol 31, Issue 3

Send Owasp-portland mailing list submissions to
        owasp-portland at lists.owasp.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.owasp.org/mailman/listinfo/owasp-portland
or, via email, send a message with subject or body 'help' to
        owasp-portland-request at lists.owasp.org

You can reach the person managing the list at
        owasp-portland-owner at lists.owasp.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Owasp-portland digest..."


Today's Topics:

   1. Re: Please Vote:  Jim Manico Topics (Tim)
   2. Re: Please Vote: Jim Manico Topics (Jake Evans)
   3. Re: Please Vote:  Jim Manico Topics (Amy K. Farrell)
   4. Re: Please Vote: Jim Manico Topics (Bob Uva)


----------------------------------------------------------------------

Message: 1
Date: Wed, 20 Mar 2013 14:45:54 -0700
From: Tim <tim.morgan at owasp.org>
To: owasp-portland at lists.owasp.org
Subject: Re: [Owasp-portland] Please Vote:  Jim Manico Topics
Message-ID: <20130320214554.GL531 at sentinelchicken.org>
Content-Type: text/plain; charset=us-ascii


I've only received one reply to this request...

I know how many people are on this mailing list and how many of them are eager to learn more about security.  So I find a ~1% response rate to be pretty sad.

What are you most interested in?   Reply on or off list as you desire.

tim



On Sun, Mar 10, 2013 at 11:42:16AM -0700, Tim wrote:
>
>
> Hi all,
>
> Jim Manico has offered to give another talk for us, tentatively
> scheduled for June 5.  Here are some of the topics he offered to
> present. Please let me know which of these interest you the most:
>
>
> ===
> Title: Top Ten Web Defenses
> We cannot firewall or patch our way to secure websites. In the past,
> security professionals thought firewalls, Secure Sockets Layer (SSL),
> patching, and privacy policies were enough. Today, however, these
> methods are outdated and ineffective, as attacks on prominent,
> well-protected websites are occurring every day. Citigroup, PBS, Sega,
> Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the
> NYSE, Zynga, and thousands of others have something in common: all
> have had websites compromised in the last year. No company or industry
> is immune. Programmers need to learn to build websites differently.
> This talk will review the top coding techniques developers need to
> master in order to build a low-risk, high-security web application.
>
> Title: Securing the SDLC
> The earlier you address security in the engineering of software, the
> less expensive it will be for your organization. This talk will not
> only discuss critical security activities necessary to build secure
> software, but it will also address the unique aspects of secure
> software creation specific to various cloud architectures.
>
> Title: Authentication Best Practices for Developers
> This module will discuss the security mechanisms found within an
> authentication (AuthN) layer of a web application. We will review a
> series of historical authentication threats. We will also discuss a
> variety of authentication design patterns necessary to build a
> low-risk high-security web application. Session management threats
> and best practices will also be covered. This module will include
> several technical demonstrations and code review labs.
>
> Title: Access Control Design Best Practices
> Access Control is a necessary security control at almost every layer
> within a web application. This talk will discuss several of the key
> access control anti-patterns commonly found during website security
> audits. These access control anti-patterns include hard-coded security
> policies, lack of horizontal access control, and "fail open" access
> control mechanisms. In reviewing these and other access control
> problems, we will discuss and design a positive access control
> mechanism that is data contextual, activity based, configurable,
> flexible, and deny-by-default - among other positive design attributes
> that make up a robust web-based access-control mechanism.
>
> Title: Cross Site Scripting Advanced Defense
> This talk will discuss the past methods used for cross-site scripting
> (XSS) defense that were only partially effective. Learning from these
> lessons, we will also discuss present day defensive methodologies that
> are effective, but place an undue burden on the developer. We will
> then finish with a discussion of advanced XSS defense methodologies
> that shift the burden of XSS defense from the developer to various
> frameworks. These include auto-escaping template technologies,
> browser-based defenses such as Content Security Policy, and other
> JavaScript sandboxes such as the Google CAJA project.
>
> Title: Build Application Security Controls into Legal Contracts
> Every large organization is building web application software in some
> way, normally at great expense. It is a significant organizational and
> technical challenge simply to complete complex software projects. It
> is an even greater challenge to do so in a secure fashion. The earlier
> security is addressed in the engineering of software, the less
> expensive it will be for your organization. This talk will discuss
> several critical web application security-centric computer programming
> techniques necessary to build low-risk web-based applications. This
> talk will also describe strategic ways to add prescriptive security
> control contract language into software procurement or outsourcing
> contract language to encourage even third party developers to build
> secure code.
>
>
>
> BIO: Jim Manico is the VP of Security Architecture for WhiteHat
> Security, a web security firm. He authors and delivers developer
> security awareness training for WhiteHat Security and has a background
> as a software developer and architect. Jim is also a global board
> member for the OWASP foundation. He manages and participates in
> several OWASP projects, including the OWASP cheat sheet series and the
> OWASP podcast series.
> ===
>
> thanks,
> tim

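The "Access Control Design Best Practices" abstract quoted above names three anti-patterns (hard-coded policy, no horizontal access control, "fail open") and the properties a positive mechanism should have (data contextual, activity based, configurable, deny-by-default). The following is an added example written for this page to show those side by side; it is not the speaker's code or material from the talk. The User and Invoice types, the "invoice:view" / "invoice:void" activity names and the policy table are assumptions made here for illustration.

```python
"""Access control anti-patterns beside a deny-by-default, activity-based,
data-contextual checker. Added example; types and activity names are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class User:            # assumed shape, for illustration only
    id: int
    roles: frozenset


@dataclass(frozen=True)
class Invoice:         # assumed shape, for illustration only
    id: int
    owner_id: int
    voided: bool = False


# Anti-pattern 1: hard-coded, role-only check. This is vertical control only:
# any "customer" may read every other customer's invoice, because the
# resource is never consulted (no horizontal access control).
def can_view_invoice_role_only(user: User, invoice: Invoice) -> bool:
    return "customer" in user.roles or "admin" in user.roles


# Anti-pattern 2: fail open. The error path (missing or malformed resource)
# turns into an allow instead of a deny.
def can_view_invoice_fail_open(user: User, invoice: Optional[Invoice]) -> bool:
    try:
        return invoice.owner_id == user.id
    except Exception:
        return True


# Positive design. The policy is data (configurable, swappable per deployment),
# keyed by activity rather than by role, and every rule receives the specific
# resource being acted on (data contextual).
Rule = Callable[[User, Invoice], bool]


def owner_or_admin(user: User, inv: Invoice) -> bool:
    return inv.owner_id == user.id or "admin" in user.roles


def billing_staff_on_live_invoice(user: User, inv: Invoice) -> bool:
    return "billing" in user.roles and not inv.voided


DEFAULT_POLICY: Dict[str, Rule] = {
    "invoice:view": owner_or_admin,
    "invoice:void": billing_staff_on_live_invoice,
}


def is_authorized(user: User, activity: str, resource: Optional[Invoice],
                  policy: Dict[str, Rule] = DEFAULT_POLICY) -> bool:
    """Deny by default: an activity with no rule, a missing resource, or a
    rule that raises all evaluate to False (fail closed)."""
    rule = policy.get(activity)
    if rule is None or resource is None:
        return False
    try:
        return bool(rule(user, resource))
    except Exception:
        return False


if __name__ == "__main__":
    alice = User(1, frozenset({"customer"}))
    bob = User(2, frozenset({"customer"}))
    inv = Invoice(10, owner_id=1)
    print("role-only lets bob read alice's invoice:", can_view_invoice_role_only(bob, inv))
    print("fail-open grants on a missing invoice:", can_view_invoice_fail_open(bob, None))
    print("positive design, bob on alice's invoice:", is_authorized(bob, "invoice:view", inv))
    print("positive design, unknown activity:", is_authorized(alice, "invoice:delete", inv))
```

The point of `is_authorized` is that every path that is not an explicit, successful rule evaluation ends in a deny, and that the caller asks "may this user do this activity to this object" rather than "does this user hold this role".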

------------------------------

Message: 2
Date: Wed, 20 Mar 2013 14:25:30 -0700
From: Jake Evans <jake.evans at gmail.com>
To: Tim <tim.morgan at owasp.org>
Cc: owasp-portland at lists.owasp.org
Subject: Re: [Owasp-portland] Please Vote: Jim Manico Topics
Message-ID:
        <CAK7y4fh_B0ZgXihr=f566PSJQOqput=K9uKL8TikxEt4k7GGsg at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I'm definitely interested (apologies for the late reply).  My talk preferences are:

1. Title: Cross Site Scripting Advanced Defense
2. Title: Top Ten Web Defenses
3. Title: Securing the SDLC

Also interested in more FLOSSHack.  :)

Jake

On Wed, Mar 20, 2013 at 2:45 PM, Tim <tim.morgan at owasp.org> wrote:

>
> I've only received one reply to this request...
>
> I know how many people are on this mailing list and how many of them
> are eager to learn more about security.  So I find a ~1% response rate
> to be pretty sad.
>
> What are you most interested in?   Reply on or off list as you desire.
>
> tim
>
>
>
> On Sun, Mar 10, 2013 at 11:42:16AM -0700, Tim wrote:
> >
> >
> > Hi all,
> >
> > Jim Manico has offered to give another talk for us, tentatively
> > scheduled for June 5.  Here are some of the topics he offered to
> > present. Please let me know which of these interest you the most:
> >
> >
> > ===
> > Title: Top Ten Web Defenses
> > We cannot firewall or patch our way to secure websites. In the past,
> > security professionals thought firewalls, Secure Sockets Layer (SSL),
> > patching, and privacy policies were enough. Today, however, these
> > methods are outdated and ineffective, as attacks on prominent,
> > well-protected websites are occurring every day. Citigroup, PBS, Sega,
> > Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the
> > NYSE, Zynga, and thousands of others have something in common: all
> > have had websites compromised in the last year. No company or industry
> > is immune. Programmers need to learn to build websites differently.
> > This talk will review the top coding techniques developers need to
> > master in order to build a low-risk, high-security web application.
> >
> > Title: Securing the SDLC
> > The earlier you address security in the engineering of software, the
> > less expensive it will be for your organization. This talk will not
> > only discuss critical security activities necessary to build secure
> > software, but it will also address the unique aspects of secure
> > software creation specific to various cloud architectures.
> >
> > Title: Authentication Best Practices for Developers
> > This module will discuss the security mechanisms found within an
> > authentication (AuthN) layer of a web application. We will review a
> > series of historical authentication threats. We will also discuss a
> > variety of authentication design patterns necessary to build a
> > low-risk high-security web application. Session management threats
> > and best practices will also be covered. This module will include
> > several technical demonstrations and code review labs.
> >
> > Title: Access Control Design Best Practices
> > Access Control is a necessary security control at almost every layer
> > within a web application. This talk will discuss several of the key
> > access control anti-patterns commonly found during website security
> > audits. These access control anti-patterns include hard-coded security
> > policies, lack of horizontal access control, and "fail open" access
> > control mechanisms. In reviewing these and other access control
> > problems, we will discuss and design a positive access control
> > mechanism that is data contextual, activity based, configurable,
> > flexible, and deny-by-default - among other positive design attributes
> > that make up a robust web-based access-control mechanism.
> >
> > Title: Cross Site Scripting Advanced Defense
> > This talk will discuss the past methods used for cross-site scripting
> > (XSS) defense that were only partially effective. Learning from these
> > lessons, we will also discuss present day defensive methodologies that
> > are effective, but place an undue burden on the developer. We will
> > then finish with a discussion of advanced XSS defense methodologies
> > that shift the burden of XSS defense from the developer to various
> > frameworks. These include auto-escaping template technologies,
> > browser-based defenses such as Content Security Policy, and other
> > JavaScript sandboxes such as the Google CAJA project.
> >
> > Title: Build Application Security Controls into Legal Contracts
> > Every large organization is building web application software in some
> > way, normally at great expense. It is a significant organizational and
> > technical challenge simply to complete complex software projects. It
> > is an even greater challenge to do so in a secure fashion. The earlier
> > security is addressed in the engineering of software, the less
> > expensive it will be for your organization. This talk will discuss
> > several critical web application security-centric computer programming
> > techniques necessary to build low-risk web-based applications. This
> > talk will also describe strategic ways to add prescriptive security
> > control contract language into software procurement or outsourcing
> > contract language to encourage even third party developers to build
> > secure code.
> >
> >
> >
> > BIO: Jim Manico is the VP of Security Architecture for WhiteHat
> > Security, a web security firm. He authors and delivers developer
> > security awareness training for WhiteHat Security and has a background
> > as a software developer and architect. Jim is also a global board
> > member for the OWASP foundation. He manages and participates in
> > several OWASP projects, including the OWASP cheat sheet series and the
> > OWASP podcast series.
> > ===
> >
> > thanks,
> > tim
> _______________________________________________
> Owasp-portland mailing list
> Owasp-portland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-portland
>

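The "Cross Site Scripting Advanced Defense" abstract quoted above contrasts defenses that "place an undue burden on the developer" with framework-level ones: auto-escaping templates and Content Security Policy. The block below is an added example written for this page, not code from the speaker or the talk, showing the two in miniature: a raw-substitution renderer beside one that picks the encoder (HTML text, URL attribute, or JavaScript string literal) from where each placeholder sits in the template, plus the CSP header a response would carry as a backstop. The `{{name}}` placeholder syntax, the context-detection heuristic and the sample template are assumptions made here; a real engine such as Google's contextual auto-escaping templating does full HTML parsing rather than this prefix scan.

```python
"""Contextual auto-escaping template plus a CSP header. Added example; the
placeholder syntax and the context heuristic are this example's own."""
import html
import json
import re
from urllib.parse import quote

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def esc_html(value) -> str:
    """Text nodes and quoted attribute values: entity-encode & < > \" '."""
    return html.escape(str(value), quote=True)


def esc_js(value) -> str:
    """Inside <script>: emit a JSON string literal, then neutralise '</' so the
    value can never close the script element, and the JS line terminators."""
    literal = json.dumps(str(value))
    return (literal.replace("</", "<\\/")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def esc_url(value) -> str:
    """href/src/action: refuse non-http(s) schemes, percent-encode the rest,
    then entity-encode because the result lands inside an attribute."""
    v = str(value).strip()
    has_scheme = re.match(r"^[a-zA-Z][a-zA-Z0-9+.\-]*:", v)
    if has_scheme and not v.lower().startswith(("http:", "https:")):
        return "#"  # javascript:, data:, vbscript: and friends are dropped
    return html.escape(quote(v, safe="/:?=&#@"), quote=True)


ESCAPERS = {"html": esc_html, "js": esc_js, "url": esc_url}


def _context(prefix: str) -> str:
    """Derive the output context from the template source before a placeholder.
    Only template text is inspected, so an already-escaped value cannot shift
    the context of a later placeholder."""
    if prefix.count("<script") > prefix.count("</script"):
        return "js"
    if re.search(r'\b(href|src|action)\s*=\s*"$', prefix):
        return "url"
    return "html"


def render(template: str, values: dict) -> str:
    """Auto-escaping render: each {{name}} is encoded for the context it is in."""
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        ctx = _context(template[:m.start()])
        out.append(template[pos:m.start()])
        out.append(ESCAPERS[ctx](values[m.group(1)]))
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)


def render_unsafe(template: str, values: dict) -> str:
    """The developer-burden anti-pattern: raw substitution, so every call site
    must remember to escape every value for the right context."""
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def csp_header() -> dict:
    """Browser-side backstop: scripts only from this origin, no inline script,
    no plugins, no <base> hijack. Markup that slips through cannot execute."""
    return {"Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"}


# Constructed sample input: one template covering all three contexts and a
# hostile value that tries to break out of each of them.
TEMPLATE = ('<p>Hello {{name}}</p><a href="{{link}}">profile</a>'
            '<script>var displayName = {{name}};</script>')
HOSTILE = {"name": "</script><script>alert(1)</script>",
           "link": "javascript:alert(1)"}

if __name__ == "__main__":
    print(render_unsafe(TEMPLATE, HOSTILE))
    print(render(TEMPLATE, HOSTILE))
    print(csp_header())
```

The same hostile string needs three different encodings here, which is exactly the per-call-site decision that manual escaping leaves to the developer and that the renderer takes over; CSP then limits what a missed case can do.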
------------------------------

Message: 3
Date: Wed, 20 Mar 2013 15:14:33 -0700
From: "Amy K. Farrell" <amykfarrell at gmail.com>
To: owasp-portland at lists.owasp.org
Subject: Re: [Owasp-portland] Please Vote:  Jim Manico Topics
Message-ID: <514A34C9.4050800 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Thanks for the reminder, Tim.

My top picks would be:

 >> Title: Securing the SDLC
 >> Title: Access Control Design Best Practices

I think the reason that I forgot to reply is that I meant to forward this to some colleagues (and I was on vacation when this came out), so I'll do that now and perhaps I'll scare up some more interest.

 - Amy



------------------------------

Message: 4
Date: Wed, 20 Mar 2013 15:34:45 -0700
From: Bob Uva <robertuva at gmail.com>
To: Tim <tim.morgan at owasp.org>
Cc: owasp-portland at lists.owasp.org
Subject: Re: [Owasp-portland] Please Vote: Jim Manico Topics
Message-ID:
        <CA+A5A1SYPOpStOXUXdtX9A-uDa1+DgEnfasuHMEzKex9+xgF0Q at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

My preferences would be:

1. Cross Site Scripting Advanced Defense
2. Securing the SDLC

Bob

On Wed, Mar 20, 2013 at 2:45 PM, Tim <tim.morgan at owasp.org> wrote:

>
> I've only received one reply to this request...
>
> I know how many people are on this mailing list and how many of them
> are eager to learn more about security.  So I find a ~1% response rate
> to be pretty sad.
>
> What are you most interested in?   Reply on or off list as you desire.
>
> tim
>
>
>
> On Sun, Mar 10, 2013 at 11:42:16AM -0700, Tim wrote:
> >
> >
> > Hi all,
> >
> > Jim Manico has offered to give another talk for us, tentatively
> > scheduled for June 5.  Here are some of the topics he offered to
> > present. Please let me know which of these interest you the most:
> >
> >
> > ===
> > Title: Top Ten Web Defenses
> > We cannot firewall or patch our way to secure websites. In the past,
> > security professionals thought firewalls, Secure Sockets Layer (SSL),
> > patching, and privacy policies were enough. Today, however, these
> > methods are outdated and ineffective, as attacks on prominent,
> > well-protected websites are occurring every day. Citigroup, PBS, Sega,
> > Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the
> > NYSE, Zynga, and thousands of others have something in common: all
> > have had websites compromised in the last year. No company or industry
> > is immune. Programmers need to learn to build websites differently.
> > This talk will review the top coding techniques developers need to
> > master in order to build a low-risk, high-security web application.
> >
> > Title: Securing the SDLC
> > The earlier you address security in the engineering of software, the
> > less expensive it will be for your organization. This talk will not
> > only discuss critical security activities necessary to build secure
> > software, but it will also address the unique aspects of secure
> > software creation specific to various cloud architectures.
> >
> > Title: Authentication Best Practices for Developers
> > This module will discuss the security mechanisms found within an
> > authentication (AuthN) layer of a web application. We will review a
> > series of historical authentication threats. We will also discuss a
> > variety of authentication design patterns necessary to build a
> > low-risk high-security web application. Session management threats
> > and best practices will also be covered. This module will include
> > several technical demonstrations and code review labs.
> >
> > Title: Access Control Design Best Practices
> > Access Control is a necessary security control at almost every layer
> > within a web application. This talk will discuss several of the key
> > access control anti-patterns commonly found during website security
> > audits. These access control anti-patterns include hard-coded security
> > policies, lack of horizontal access control, and "fail open" access
> > control mechanisms. In reviewing these and other access control
> > problems, we will discuss and design a positive access control
> > mechanism that is data contextual, activity based, configurable,
> > flexible, and deny-by-default - among other positive design attributes
> > that make up a robust web-based access-control mechanism.
> >
> > Title: Cross Site Scripting Advanced Defense
> > This talk will discuss the past methods used for cross-site scripting
> > (XSS) defense that were only partially effective. Learning from these
> > lessons, we will also discuss present day defensive methodologies that
> > are effective, but place an undue burden on the developer. We will
> > then finish with a discussion of advanced XSS defense methodologies
> > that shift the burden of XSS defense from the developer to various
> > frameworks. These include auto-escaping template technologies,
> > browser-based defenses such as Content Security Policy, and other
> > JavaScript sandboxes such as the Google CAJA project.
> >
> > Title: Build Application Security Controls into Legal Contracts
> > Every large organization is building web application software in some
> > way, normally at great expense. It is a significant organizational and
> > technical challenge simply to complete complex software projects. It
> > is an even greater challenge to do so in a secure fashion. The earlier
> > security is addressed in the engineering of software, the less
> > expensive it will be for your organization. This talk will discuss
> > several critical web application security-centric computer programming
> > techniques necessary to build low-risk web-based applications. This
> > talk will also describe strategic ways to add prescriptive security
> > control contract language into software procurement or outsourcing
> > contract language to encourage even third party developers to build
> > secure code.
> >
> >
> >
> > BIO: Jim Manico is the VP of Security Architecture for WhiteHat
> > Security, a web security firm. He authors and delivers developer
> > security awareness training for WhiteHat Security and has a background
> > as a software developer and architect. Jim is also a global board
> > member for the OWASP foundation. He manages and participates in
> > several OWASP projects, including the OWASP cheat sheet series and the
> > OWASP podcast series.
> > ===
> >
> > thanks,
> > tim
> _______________________________________________
> Owasp-portland mailing list
> Owasp-portland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-portland
>



--
Bob Uva
Portland, OR
mobile: 503-810-6387
eMail: robertuva at gmail.com

------------------------------

_______________________________________________
Owasp-portland mailing list
Owasp-portland at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-portland


End of Owasp-portland Digest, Vol 31, Issue 3
*********************************************

The Mill Casino Hotel
3201 Tremont Ave
North Bend, OR  97459
541 756-8800 or
800 953-4800

Please consider the environment before printing this e-mail.

*** Confidentiality Notice ***
This e-mail may contain information that is privileged, confidential, or otherwise exempt from disclosure under applicable law. If you are not the addressee or it appears from the context or otherwise that you   have received this e-mail in error, please advise me immediately by reply e-mail, keep the contents confidential, and immediately delete the message and any  attachments from your system.

