[Owasp-twincities] January meeting cancelled: Bi-Monthly beginning Feb 14

Gunnar Peterson gunnar at arctecgroup.net
Thu Jan 19 06:15:40 EST 2006


The focus on assurance techniques in combination with design and  
development (OWASP's main focus) makes a lot of sense. Brian Snow  
talked about how these two relate in his paper We Need Assurance. I  
blogged/annotated here:

http://1raindrop.typepad.com/1_raindrop/2005/12/the_road_to_ass.html

and

http://1raindrop.typepad.com/1_raindrop/2005/12/assurance_techn.html

-gp

On Jan 12, 2006, at 9:10 AM, Scott.Ammon wrote:

>
> I'd like to also discuss the possibility of working on a project  
> that would facilitate the vulnerability assessment  and/or audit of  
> apps/Webapps for IT Audit/Assurance/Security folks who are not  
> developers.  For example, working off of the SSE-CMM to create a  
> general, repeatable process which could then be customized to the  
> organization.
>
> Ten years ago I entered the IT industry as a developer but went on  
> to the network/sysadmin side of the house.  I've focused my  
> expertise on IT Security & IT audit for the past seven years.   
> Consequently, in relation to my peers, I have a bit more  
> understanding of what is important for app. security but still not  
> enough to conduct manual audits/assessments properly and  
> thoroughly.  I really feel a gap exists in this area and security  
> tools like Appscan etc.... are relied upon too much.  Further, most  
> IT security and audit shops just choose not to look at the apps. in  
> depth as they are too complex.  As I think you'll agree, perimeter  
> or zoned security is meaningless if the application can be  
> compromised.
>
> With the increase in compliance and regulatory pressures (SOX, PCI,  
> BASEL, GLBA, HIPAA) as well as the momentum that is being gained by  
> other legislation, I think this is an area that requires more  
> attention and any work towards a useable process would be well  
> received.
>
> I would appreciate any feedback you may have.
>
> Regards,
>
> S. Scott Ammon
>
>
> From: owasp-twincities-admin at lists.sourceforge.net [mailto:owasp-twincities-admin at lists.sourceforge.net] On Behalf Of Gunnar Peterson
> Sent: Wednesday, January 11, 2006 5:26 AM
> To: Robert E Sullivan
> Cc: owasp-twincities at lists.sourceforge.net
> Subject: Re: [Owasp-twincities] January meeting cancelled: Bi-Monthly beginning Feb 14
>
> For a future meeting it would be fun to see if Mick Bauer (Paranoid  
> Penguin columnist in Linux Journal and O'Reilly author) would talk  
> about securing Linux Web Servers. I emailed him, and perhaps Joe  
> could also see if he would be game?
>
> -gp
>
> On Jan 8, 2006, at 10:57 PM, Robert E Sullivan wrote:
>
> The January meeting is cancelled.
> (Thanks for the suggestion Sam and others)
> Beginning Feb 14 we will have bi-monthly meetings.
>
> I have attached the Feb. agenda. Our goal will be to have the  
> agendas done a month before the meetings.
>
> OWASP-TwinCities Agenda: February 14, 6:00 p.m. Golden Valley Library
>
> 1. Speaker/Main Topic
> Topic: Threat Modeling in DREAD
>
> Speaker: Joe Teff, CISSP, SCJP
> Joe does security code review, security consulting and corporate  
> information security at Wells Fargo.
>
> 2. Book:
> Choose a book to read and discuss. Here is a list to start with:
> (I took recent, multi-platform books from the list at  
> www.webappsec.org/web_security_books.shtml)
>
> Innocent Code: A Security Wake-Up Call for Web Programmers by Sverre H. Huseby, John Wiley & Sons, 2/5/2004, 246pp
> HackNotes(tm) Web Security Pocket Reference by Mike Shema, 6/30/2003, 240pp
> Improving Web Application Security: Threats and Countermeasures by Microsoft Corporation, Microsoft, 9/24/2003, 958pp
> Web Application Security Assessment by I. Chaudhry, S. Clarke, S. Veney, E. Rachner, J. Sutton, Microsoft, 8/13/2003, 300pp
> How to Break Software Security by James A. Whittaker and Herbert H. Thompson, 5/9/2003, 208pp
> Exploiting Software: How to Break Code by Greg Hoglund and Gary McGraw, 2/17/2004, 512pp
>
> 3. Demonstration:
> Bob Sullivan will show SQL Injection and Cross Site Scripting  
> WebGoat lessons.
> Other WebGoat demonstrations will be welcome.
>
> 4. Conference presentation planning
> We will discuss plans for the MN-ISSA conference May 17 & 18.
>
> Your comments to the list are welcome, especially if you have a  
> book or topic to suggest.
>
