[Owasp-twincities] January Agenda Ideas
Robert E Sullivan
robert_e_sullivan at uhc.com
Wed Jan 4 10:52:12 EST 2006
Happy New Year.
Maybe you saw the news that 2 Million people had been notified of a lost
backup tape last month. I received one of those letters from my mortgage
Then, yesterday, I received another letter. It says that they found the
tape. That's really good news to me personally. However, it looks like the
cost of responding to a breach just went up.
Instead of just sending one letter, and providing some free credit-check
services they are sending two letters. At 27 cents apiece that is $1.08
Million for postage alone. 2006 is sure to be an exciting year in
information security.
Ideas for the January Meeting (1/10 6:00pm Golden Valley Library)
For the next meeting I would like to see us kick around some ideas on the
(Do not be bashful, this is a small group and we need you to reply.)
That will give us all some specific ideas of what we can contribute or
take away from the meetings.
1. Present and discuss a few WebGoat Lessons
- Can you volunteer to present a WebGoat lesson or
- vote for one of these:
o How to Perform Database Cross Site Scripting
o How to Spoof an Authentication Cookie
o How to Exploit Hidden Fields
o How to Discover Clues in the HTML
o How to Perform Parameter Injection
o How to Perform SQL Injection
o How to Exploit Thread Safety Problems
o How to Exploit Unchecked Email
o How to Spoof an Authentication Cookie
2. Choose a book to read and discuss a chapter each month
- You can nominate a security book that you would like to read and discuss
(I don't see anything newer than 2003, are security books dead?)
3. Discuss Threat Modeling as a group
- What methods have you used (Home Grown, STRIDE/DREAD, Trike, ...)?
- What are the strengths/weaknesses of each method?
- What works?
- What doesn't?
- You really have an opinion on a Threat Modeling discussion:
o good idea
o bad idea
o here are some specific resources that we found useful