[Owasp-twincities] January meeting cancelled: Bi-Monthly beginning Feb 14

Scott.Ammon Scott.Ammon at target.com
Thu Jan 12 10:10:14 EST 2006
I'd like to also discuss the possibility of working on a project that
would facilitate the vulnerability assessment and/or audit of
apps/Webapps for IT Audit/Assurance/Security folks who are not
developers.  For example, working off of the SSE-CMM to create a
general, repeatable process which could then be customized to the
organization.  
 
Ten years ago I entered the IT industry as a developer but went on to
the network/sysadmin side of the house.  I've focused my expertise on IT
Security & IT audit for the past seven years.  Consequently, in relation
to my peers, I have a bit more understanding of what is important for
app. security but still not enough to conduct manual audits/assessments
properly and thoroughly.  I really feel a gap exists in this area and
security tools like Appscan etc.... are relied upon too much.  Further,
most IT security and audit shops just choose not to look at the apps. in
depth as they are too complex.  As I think you'll agree, perimeter or
zoned security is meaningless if the application can be compromised.
 
With the increase in compliance and regulatory pressures (SOX, PCI,
BASEL, GLBA, HIPAA) as well as the momentum that is being gained by
other legislation, I think this is an area that requires more attention
and any work towards a useable process would be well received.
 
I would appreciate any feedback you may have.  
 
Regards,
 
S. Scott Ammon 
________________________________

From: owasp-twincities-admin at lists.sourceforge.net
[mailto:owasp-twincities-admin at lists.sourceforge.net] On Behalf Of
Gunnar Peterson
Sent: Wednesday, January 11, 2006 5:26 AM
To: Robert E Sullivan
Cc: owasp-twincities at lists.sourceforge.net
Subject: Re: [Owasp-twincities] January meeting cancelled: Bi-Monthly
beginning Feb 14
For a future meeting it would be fun to see if Mick Bauer (Paranoid
Penguin columnist in Linux Journal and O'Reilly author) could talk about
securing Linux Web Servers. I emailed him, and perhaps Joe could also
see if he would be game?
-gp
On Jan 8, 2006, at 10:57 PM, Robert E Sullivan wrote:
The January meeting is cancelled. 
(Thanks for the suggestion Sam and others) 
Beginning Feb 14 we will have bi-monthly meetings. 

I have attached the Feb. agenda. Our goal will be to have the agendas
done a month before the meetings.

OWASP-TwinCities Agenda: February 14, 6:00 p.m. Golden Valley Library

1. Speaker/Main Topic 
Topic: Threat Modeling in DREAD

Speaker: Joe Teff, CISSP, SCJP
Joe does security code review, security consulting and corporate
information security at Wells Fargo. 

2. Book: 
Choose a book to read and discuss. Here is a list to start with: 
(I took recent, multi-platform books from the list at
www.webappsec.org/web_security_books.shtml) 

Innocent Code: A Security Wake-Up Call for Web Programmers by Sverre H.
Huseby, John Wiley & Sons, 2/5/2004, 246pp 
HackNotes(tm) Web Security Pocket Reference by Mike Shema, 6/30/2003,
240pp 
Improving Web Application Security: Threats and Countermeasures by
Microsoft Corporation, Microsoft, 9/24/2003, 958pp 
Web Application Security Assessment by I. Chaudhry, S. Clarke, S. Veney,
E. Rachner, J. Sutton, Microsoft, 8/13/2003, 300pp 
How to Break Software Security by James A. Whittaker and Herbert H.
Thompson, 5/9/2003 208pp 
Exploiting Software : How to Break Code by Greg Hoglund and Gary McGraw,
2/17/2004 512pp 

3. Demonstration: 
Bob Sullivan will show SQL Injection and Cross Site Scripting WebGoat
lessons. 
Other WebGoat demonstrations will be welcome. 

4. Conference presentation planning 
We will discuss plans for the MN-ISSA conference May 17 & 18. 

Your comments to the list are welcome, especially if you have a book or
topic to suggest. 
