[Owasp-vancouver] October 21st Meeting: Microsoft SDL and OpenID Security Analysis

Yvan Boily yvanboily at gmail.com
Tue Oct 12 14:15:50 EDT 2010

*OWASP Chapter Meeting Announcement*

I am pleased to announce the next OWASP Vancouver meeting!  We will have the
meeting on October 21st, and Sierra Systems is once again hosting our

This month we have two speakers: Vishal Khandve and San-Tsai Sun.

*Speaker:* Vishal Khandve
*Topic:* An Overview of the Microsoft SDL.

*Presentation Abstract:*
A presentation on individual Microsoft security development practices, which
Roles and responsibilities for individuals involved in the application
development process.
Mandatory security activities.
Optional security activities.
Application security verification process.

*Speaker Bio:*
Currently working for a multinational bank, Vishal is responsible for
metrics and reporting on security development.
Vishal has over 6 years of experience in the IT industry, with domains
ranging from ERP, CRM, and Human Resourcing, and holds a Master's in
Computer Science from the University of Pune.

*Speaker:* San-Tsai Sun
*Title:* OpenID Security Analysis and Evaluation

*Presentation Abstract:*
OpenID is a promising user-centric Web single sign-on protocol. According to
the OpenID Foundation, there are currently more than one billion
OpenID-enabled user accounts provided by major service providers such as
Google, Yahoo and AOL. In this presentation, I will present OpenID security
analysis and the evaluation results on 200 OpenID-enabled websites. Our
preliminary result shows that more than 50% of OpenID-enabled websites are
vulnerable to a cross-site request forgery (CSRF) attack that allows an
attacker to modify the victim's account profile information directly; and
75% of evaluated websites allow an attacker to stealthily force the victim to
log in to their websites as the attacker. With additional practical
adversary capabilities (e.g., tricking users into using a malicious wireless
access point or installing a malicious browser extension) that enable an
attacker to intercept the authentication response from the identity provider,
the attacker can impersonate the victim on 65% of OpenID-enabled websites and
re-masquerade as the victim on 6% of the websites by simply replaying the
intercepted authentication responses. In the end, I will demonstrate the
attack vectors employed in the evaluation process and discuss our proposed
countermeasure for the current OpenID-enabled websites and future OpenID

*Speaker Bio:*
San-Tsai Sun is a PhD candidate in the Electrical and Computer Engineering
department (ECE) at the University of British Columbia (UBC). He works in
the Laboratory for Education and Research in Secure Systems Engineering
(LERSSE) under the supervision of Professor
Konstantin Beznosov. His research interests include Web application
security, Web 2.0 security and privacy, and distributed access control
architecture. His PhD dissertation focuses on improving the security and
usability of access control mechanisms in Web-related systems. Before joining
UBC, he was an Information Technology Director at the UCOM Training Center
in the Systex Corporation, Taiwan.

Please confirm attendance by voting at
http://micropoll.com/t/KERPsZBO91 (this is an anonymous poll to get a
rough estimate of attendees).

*Date & Time:* Thursday, October 21st, 2010 @ 5:30pm

Sierra Systems
1177 West Hastings Street, Suite 2500
Vancouver, BC V6E 2K3
