[Owasp-twincities] January Agenda Ideas

Robert E Sullivan robert_e_sullivan at uhc.com
Wed Jan 4 10:52:12 EST 2006


Ok,
Happy New Year.

Maybe you saw the news that 2 Million people had been notified of a lost 
backup tape last month. I received one of those letters from my mortgage 
company ABN-AMRO. 
Then, yesterday, I received another letter. It says that they found the 
tape. That's really good news to me personally. However, it looks like the 
cost of responding to a breach just went up.

Instead of just sending one letter, and providing some free credit-check 
services they are sending two letters. At 27 cents a piece that is 1.08$ 
Million for postage alone. 2006 is sure to be an exciting year in 
information security .

Ideas for the January Meeting (1/10 6:00pm Golden Valley Library)
For the next meeting I would like to see us kick around some ideas on the 
mailing list.
(Do not be bashful, this is a small group and we need you to reply.)
That will give us all some specific ideas of what we can contriubute or 
take away from the meetings.

1. Present and discuss a few WebGoat Lessons
- Can you volunteer to present a WebGoat lesson or
- vote for one of these:
   o How to Perform Database Cross Site Scripting
   o How to Spoof and Authentication Cookie
   o How to Exploit Hidden Fields
   o How to Discover Clues in the HTML
   o How to Perform Parameter Injection
   o How to Perform SQL Injection
   o How to Exploit Thread Safety Problems
   o How to Exploit Unchecked Email
   o How to Spoof an Authentication Cookie

2. Choose a book to read and discuss a chapter each month
- You can nominate a security book that you would like to read and discuss
(I don't see anything newer than 2003, are security books dead?)

3. Discuss Threat Modeling as a group
- What methods have you used (Home Grown, STRIDE/DREAD, Trike, ...)?
- What are the strengths/weaknesses of each method?
- What works?
- What doesn't?

- You really have an opinion on a Threat Modelling discussion:
  o good idea
  o bad idea
  o here ar some specific resources that we found useful

Thanks,
Bob Sullivan

This e-mail, including attachments, may include confidential and/or 
proprietary information, and may be used only by the person or entity to 
which it is addressed. If the reader of this e-mail is not the intended 
recipient or his or her authorized agent, the reader is hereby notified 
that any dissemination, distribution or copying of this e-mail is 
prohibited. If you have received this e-mail in error, please notify the 
sender by replying to this message and delete this e-mail immediately.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-twincities/attachments/20060104/fb9c8716/attachment.html 


More information about the Owasp-twincities mailing list