[Owasp-seattle] Next Seattle OWASP Meeting : 8/11/2009

Mike de Libero mikede at mde-dev.com
Tue Jul 28 22:10:28 EDT 2009

Hello Everyone,

	I know, I know it has been too long since our last meeting, but hey  
better late than never :).  Anyways here are the pertinent details.   
Please let me know if you are coming so I can order enough food and  
drinks for everyone.

Location: Bellevue Las Margaritas

437 108th Ave NE

Bellevue, WA 98004

(425) 453-0535

Date: 8/11/2009 @ 6:30ish


Speaker: Anil Kumar Revuru

The Microsoft Anti-Cross-Site Scripting Library

The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0)  
is an encoding library designed to help developers protect their  
ASP.NET web-based applications from XSS attacks. It differs from most  
encoding libraries in that it uses the white-listing technique —  
sometimes referred to as the principle of inclusions — to provide  
protection against XSS attacks. This approach works by first defining  
a valid or allowable set of characters, and then encoding anything outside  
this set (invalid characters or potential attacks). The white-listing  
approach provides several advantages over other encoding schemes. The  
following are some of the new features of the Anti-XSS library v3.0:

	• An expanded white list that supports more languages
	• Performance improvements
	• Performance data sheets (in the online help)
	• Support for Shift_JIS encoding for mobile browsers
	• Security Runtime Engine (SRE) HTTP module
	• A sample application

In this session, we will learn in-depth how Anti-XSS works and learn  
more about its new features.
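The white-listing (allow-list) encoding approach described above, as an added example in Python; it is not the Anti-XSS library's own code, and the allowed character set, the decimal numeric-entity form and the Hiragana range used to illustrate an expanded white list are assumptions made for this illustration:

```python
import html

# Constructed allowlist for illustration: Latin letters, digits and a few
# punctuation marks. Anything not in this set (or in an explicitly allowed
# range) is encoded, so markup-significant characters never pass through raw.
BASE_ALLOWLIST = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,.-_"
)

# Inclusive code-point range used to extend the allowlist so text in another
# script is not needlessly encoded (illustrating an "expanded white list").
HIRAGANA = (0x3040, 0x309F)


def _allowed(ch: str, extra_ranges) -> bool:
    cp = ord(ch)
    return ch in BASE_ALLOWLIST or any(lo <= cp <= hi for lo, hi in extra_ranges)


def html_encode_allowlist(text: str, extra_ranges=()) -> str:
    """Encode text for an HTML text-node context using an allowlist.

    Allowlisted characters are copied through; every other character is
    replaced by its decimal character reference (&#NNN;), which a browser
    renders as that character but never interprets as markup.
    """
    out = []
    for ch in text:  # Python iterates by code point, so astral chars are one unit
        out.append(ch if _allowed(ch, extra_ranges) else f"&#{ord(ch)};")
    return "".join(out)


def encoded_count(text: str, extra_ranges=()) -> int:
    """How many characters the encoder replaced; handy when tuning an allowlist."""
    return sum(1 for ch in text if not _allowed(ch, extra_ranges))


def roundtrips(text: str, extra_ranges=()) -> bool:
    """Encoding must be lossless: decoding the entities yields the original text."""
    return html.unescape(html_encode_allowlist(text, extra_ranges)) == text


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed input
    print(html_encode_allowlist(probe))
    print(html_encode_allowlist("こんにちは"))              # every char encoded
    print(html_encode_allowlist("こんにちは", [HIRAGANA]))  # passes through unchanged
```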

Anil Kumar Revuru currently works on the Information Security Tools team  
at Microsoft as a Senior SDE, where he is responsible for architecting  
security tools. In his previous life at Microsoft, Anil conducted  
security design reviews, threat modeling, and application and source-  
code assessments. He has authored security tools and has presented  
security courses internally at Microsoft, and has developed security  
tools such as the Microsoft Threat Analysis and Modeling Tool and the  
Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from  
JNTU Hyderabad and has shown expert proficiency in the substantive and  
technical areas of design and development. He has a keen interest in  
photography, Xbox and computer hardware.


Speaker: Andre Gironda

Using ASVS with the Code Review Guide, Testing Guide, and Time  

The OWASP Application Security Verification Standard (ASVS), which  
defines four levels of web application security verification, lays down a  
framework for security architecture review. While the ASVS includes  
many requirements for controls, it does not suggest which tools,  
techniques, timeline or methodologies to use. The OWASP Code  
Review and Testing Guides provide the technical practices and suggest  
or hint at tools, but also lack the timeline and methodology necessary  
to complete an application penetration test or SDLC integration  
project for proper application security hygiene.

This presentation will provide the 1,000-foot view all the way down to  
the nitty-gritty details of how to perform ASVS activities using OWASP  
resources, as well as some OWASP and non-OWASP tools (freeware or  
demoware). Example timelines for typical ASVS activities, including  
reports, will be discussed so that any sort of application security  
project can be scoped properly and delivered on time and within budget.

Andre Gironda is an application security specialist with a global  
security consulting firm providing IT security services to the Fortune  
500 and financial institutions as well as U.S. and foreign  
governments. Prior to his current employment, Andre held a number of  
payment application security positions in addition to working for the  
largest online auction website. He is currently a leader for the Open  
Web Application Security Project (OWASP), where he co-produces the  
global OWASP News Podcast.

Mike de Libero