Tuesday, September 8, 2009
This is our first recorded session. In the near future we will work out all the kinks; meanwhile, enjoy the recording and feel free to leave feedback for us. See the previous post for the PowerPoint deck.
Friday, September 4, 2009
September Meeting Recap: Application Lifecycle: Security! with Brent Huston
I believe Brent drew in one of our largest crowds last night to discuss application security and his patent-pending technique, HoneyPointing. Great presentation, and an informative discussion ensued.
Slide decks posted on Web Application Security and Hiving Introduction. Check back for the meeting recording!
Also thanks to Cardinal Solutions for sponsoring the meeting.
Thanks for coming. We'll see you at the next meeting Thursday November 5th!
Funny story about this post: When I first posted my notes from the meeting (below), I included the HTML script tags surrounding a JavaScript alert. It was well-formed. I just did a quick cut and paste from OneNote into the Blogger interface. Lo and behold, Blogger is susceptible to XSS! When I first viewed the site, up popped the JavaScript "test" alert. Nice!
My Notes:
• Brent Huston
○ MicroSolved, Inc.
○ www.microsolved.com
○ www.stateofsecurity.com
• 64% of compromised apps are XSS and SQL Injection
• Data-layer DMZ technique to protect from compromising internal network
• SQL Injection
○ Best way to test for SQL Injection: use a single quote '
• XSS
○ Best way to test for XSS: [script tag] alert("test"); [script tag]
○ Solution: filter and validate all input on the server; don't echo input back into the page
• Authentication bypass
○ Don't turn the site on until it's ready; Google will index it
○ Name your pages randomly
○ Best way to test for auth bypass: request pages directly without authenticating
○ BrainWebScan tool at Microsolved.com
• Resources
○ OWASP - www.owasp.org
○ Web App Security Consortium - webappsec.org
○ Wikipedia
○ Google
○ NIST
○ State of Security Blog - stateofsecurity.com
○ Twitter: @lbhuston, @honeypoint
○ Book: Hacking Exposed
• FAQ
○ Web Application Firewall (WAF): about 85% effective, but don't depend on one solely
○ Never trust the client: JavaScript validation isn't security
○ Investigate the attack surface
○ SSL != security
○ Database really matters
• Honeypoint
○ Technique Brent Huston developed; patent pending
○ HPSS, a managed service, or just use NetCat
○ Technology that emulates fake items: services, servers, people, etc.
○ E.g. leaving a light on at home to give the appearance that someone is home
○ Avoids security personnel burnout: nothing legitimate ever touches a HoneyPoint, so every hit is a real alert
○ Use a plug-in to block the source IP address on the router/firewall when a malicious hit is detected
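The three quick tests from the notes above (a single quote for SQL injection, a script tag for XSS, and requesting pages without authenticating for auth bypass), run against a tiny in-memory app in both its vulnerable and hardened forms. This is an added example written for this recap, not code from the talk or from MicroSolved; the "users" table, page paths and sample accounts are constructed for illustration.

```python
"""Added example (not from the talk or MicroSolved): the single-quote, script-tag
and no-auth probes from the meeting notes, run against a hypothetical mini web
app. All names, paths and sample rows are constructed for illustration."""
import html
import sqlite3

# Constructed sample rows for a hypothetical "users" table.
SAMPLE_USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]

# Constructed page map: path -> whether the page should require a session.
# "/admin/report_x7k2" is the 'randomly named' page from the notes.
PAGES = {"/": False, "/login": False, "/admin/report_x7k2": True}

XSS_PROBE = '<script>alert("test")</script>'


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


# --- SQL injection: string concatenation vs. a parameterized query ---------
def login_vulnerable(db, name, password):
    """Input is pasted into the SQL text. A lone quote breaks the statement
    (the error the single-quote test looks for); ' OR '1'='1 logs anyone in."""
    sql = ("SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return db.execute(sql).fetchall()


def login_hardened(db, name, password):
    """Input is bound as a parameter, so it is data to the engine, never SQL."""
    return db.execute(
        "SELECT name, role FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchall()


def probe_sqli(login, db):
    """Single-quote test: a database error on a raw quote means the input
    reached the SQL parser unescaped."""
    try:
        login(db, "'", "x")
    except sqlite3.Error:
        return True
    return False


# --- XSS: echoing input vs. encoding it for the HTML context ---------------
def greet_vulnerable(user_input):
    """Echoes the input straight into the page body."""
    return "<p>Hello, %s</p>" % user_input


def greet_hardened(user_input):
    """HTML-encodes the input, so a script tag is shown as text, not run."""
    return "<p>Hello, %s</p>" % html.escape(user_input, quote=True)


def probe_xss(greet):
    """Script-tag test: the payload coming back byte-for-byte means the
    browser would execute it."""
    return XSS_PROBE in greet(XSS_PROBE)


# --- Auth bypass: obscurity vs. a server-side session check ----------------
def handle_vulnerable(path, session):
    """Relies on the page name being unguessable and unlinked; no check."""
    return 404 if path not in PAGES else 200


def handle_hardened(path, session):
    """Every protected page checks the session itself; 302 sends to login."""
    if path not in PAGES:
        return 404
    if PAGES[path] and not session:
        return 302
    return 200


def probe_auth_bypass(handler):
    """No-auth test: request each protected page with no session and report
    the ones that still serve content."""
    return sorted(p for p, needs_auth in PAGES.items()
                  if needs_auth and handler(p, None) == 200)


if __name__ == "__main__":
    for label, login, greet, handler in (
            ("vulnerable", login_vulnerable, greet_vulnerable, handle_vulnerable),
            ("hardened", login_hardened, greet_hardened, handle_hardened)):
        print(label, "sqli:", probe_sqli(login, make_db()),
              "xss:", probe_xss(greet), "bypass:", probe_auth_bypass(handler))
```

The hardened versions are the notes' advice made concrete: the parameterized query is what stops the quote from reaching the parser (filtering quotes out of input is a weaker substitute), the output encoding is what "don't echo input" means in practice, and the session check is on the server because, as the FAQ says, the client cannot be trusted and a random page name is not authentication.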
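The HoneyPoint idea from the last section, as an added example written for this recap (it is not HoneyPoint, HPSS or MicroSolved code): a fake service that nothing legitimate should ever connect to, so any connection is an alert and yields a block rule for the source address. The banner, the simulated scanner and the iptables rule text are constructed assumptions; the rule is returned as a string, not applied.

```python
"""Added example (not HoneyPoint/MicroSolved code): a minimal fake service in
the spirit of 'leaving a light on'. It binds a port, hands out a constructed
banner, records who connected and what they sent, and produces the block rule
a firewall plug-in could push. Banner and scanner payload are made up."""
import socket
import threading
import time

# Constructed decoy banner; a real deployment would mimic something plausible
# for the host it sits on.
FAKE_BANNER = b"220 mail.example.internal ESMTP ready\r\n"


class HoneyPoint:
    def __init__(self, host="127.0.0.1", port=0):
        # port=0 lets the OS pick a free port so the example runs anywhere.
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []

    def serve_one(self, timeout=5.0):
        """Accept one connection, send the decoy banner, capture the first
        bytes the client sends, and record the whole thing as an event."""
        self.sock.settimeout(timeout)
        conn, (src_ip, src_port) = self.sock.accept()
        with conn:
            conn.sendall(FAKE_BANNER)
            conn.settimeout(1.0)
            try:
                data = conn.recv(1024)
            except socket.timeout:
                data = b""
        event = {"time": time.time(), "src_ip": src_ip, "src_port": src_port,
                 "honeypoint_port": self.port, "data": data[:64]}
        self.events.append(event)
        return event

    def close(self):
        self.sock.close()


def block_rule(event):
    """The rule a blocking plug-in would push to a Linux firewall
    (iptables syntax assumed; not executed here)."""
    return "iptables -I INPUT -s %s -j DROP" % event["src_ip"]


def simulate_scan(port, payload=b"EHLO scanner\r\n"):
    """Constructed attacker: connect, read the banner, send one line."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


def demo():
    """Run one listener and one scan against it; return the event and the
    banner the scanner saw."""
    hp = HoneyPoint()
    worker = threading.Thread(target=hp.serve_one)
    worker.start()
    banner = simulate_scan(hp.port)
    worker.join()
    hp.close()
    return hp.events[0], banner


if __name__ == "__main__":
    event, _ = demo()
    print("ALERT: %s:%d touched honeypoint port %d, sent %r"
          % (event["src_ip"], event["src_port"],
             event["honeypoint_port"], event["data"]))
    print("block:", block_rule(event))
```

The design point is the one the notes make about burnout: a listener with no real users has a false-positive rate of essentially zero, so the event can go straight to a block rule or a pager without an analyst triaging it first. The NetCat variant from the notes is the same thing with `nc -l` in place of the class above.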
Labels: application security, Brent Huston, HoneyPoint, MicroSolved, post meeting, recap, SQL Injection, web threat, XSS