Archiv pro měsíc: Prosinec 2013

AppSec USA 2013 – Abbas Naderi and the OWASP PHP Security Project

"There are a lot of security flaws in websites like Facebook and WordPress applications. Most of those flaws are because the developers first create the application and then consider the security." -- Abbas Naderi PHP is one of the most used programming languages for the web. The problem with PHP has always been that it's easy to get started programming with PHP, but that's also one of its biggest flaws when considering application security. Abbas Naderi leads the OWASP PHP Security Project, which is a sample framework to demonstrate proper usage of the tools and libraries, as well as providing guidelines for new PHP projects. In this segment of OWASP 24/7, I talk with Abbas about the PHPSEC project as well as one of his other project, RBAC. About Abbas Naderi Abbas Naderi Afooshteh is a renowned security expert in the middle east, he has ranked first in many national and global CTFs and has been in the field for more than 8 years. He is the current Iran Chapter Leader at OWASP, and has 5 years of activity in OWASP resulting in many projects such as OWASP RBAC Project, OWASP PHP Security Project, OWASP WebGoatPHP Project and etc. He has participated in many other projects such as Cheat Sheets and ESAPI. Abbas has studied software engineering and information technology in his BS and MS and is now going to CMU to study Information Security for MS+PhD. He spends many hours daily leading OWASP projects and mentoring new enthusiastics that join projects, as well as shaping bright ideas into OWASP projects.More can be found at https://abiusx.com/cv

AppSec USA 2013 – Abbas Naderi and the OWASP PHP Security Project

"There are a lot of security flaws in websites like Facebook and WordPress applications. Most of those flaws are because the developers first create the application and then consider the security." -- Abbas Naderi PHP is one of the most used programming languages for the web. The problem with PHP has always been that it's easy to get started programming with PHP, but that's also one of its biggest flaws when considering application security. Abbas Naderi leads the OWASP PHP Security Project, which is a sample framework to demonstrate proper usage of the tools and libraries, as well as providing guidelines for new PHP projects. In this segment of OWASP 24/7, I talk with Abbas about the PHPSEC project as well as one of his other project, RBAC. About Abbas Naderi Abbas Naderi Afooshteh is a renowned security expert in the middle east, he has ranked first in many national and global CTFs and has been in the field for more than 8 years. He is the current Iran Chapter Leader at OWASP, and has 5 years of activity in OWASP resulting in many projects such as OWASP RBAC Project, OWASP PHP Security Project, OWASP WebGoatPHP Project and etc. He has participated in many other projects such as Cheat Sheets and ESAPI. Abbas has studied software engineering and information technology in his BS and MS and is now going to CMU to study Information Security for MS+PhD. He spends many hours daily leading OWASP projects and mentoring new enthusiastics that join projects, as well as shaping bright ideas into OWASP projects.More can be found at https://abiusx.com/cv

AppSec USA 2013: Zed Attack Proxy Project with Simon Bennetts

"You can't automate all tests. There are a lot of things you can't find automatically. You have to have somebody who knows what they are looking for." -- Simon Bennetts In today's segment, I talk with Simon Bennetts, project lead for the OWASP Zed Attack Proxy Project or "ZAP" for short. Simon is working on a user friendly tool for integrated penetration testing of web applications. Our discussion took place at AppSec USA 2013. We begin with an overview of the ZAP project and talk about how it came about. About Simon Bennetts Simon Bennetts (a.k.a. Psiinon) has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He works for Mozilla as part of their Security Team. Some of the projects Simon works on: -- OWASP Zed Attack Proxy project lead -- OWASP Vulnerable Web Applications Directory Project joint project lead -- Mozilla Zest project lead -- Mozilla Plug-n-Hack joint project lead -- Bodge It Store project lead -- OWASP Web Application Security Testing Cheat Sheet joint author -- OWASP AppSensor contributor -- wavsep contributor -- OWASP Data Exchange Format project lead (currently inactive)

AppSec USA 2013: Zed Attack Proxy Project with Simon Bennetts

"You can't automate all tests. There are a lot of things you can't find automatically. You have to have somebody who knows what they are looking for." -- Simon Bennetts In today's segment, I talk with Simon Bennetts, project lead for the OWASP Zed Attack Proxy Project or "ZAP" for short. Simon is working on a user friendly tool for integrated penetration testing of web applications. Our discussion took place at AppSec USA 2013. We begin with an overview of the ZAP project and talk about how it came about. About Simon Bennetts Simon Bennetts (a.k.a. Psiinon) has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He works for Mozilla as part of their Security Team. Some of the projects Simon works on: -- OWASP Zed Attack Proxy project lead -- OWASP Vulnerable Web Applications Directory Project joint project lead -- Mozilla Zest project lead -- Mozilla Plug-n-Hack joint project lead -- Bodge It Store project lead -- OWASP Web Application Security Testing Cheat Sheet joint author -- OWASP AppSensor contributor -- wavsep contributor -- OWASP Data Exchange Format project lead (currently inactive)

AppSec USA 2013 – Michael Coates on the AppSensor Project

Michael Coates has a vision: smart applications that come to their own defense. "We need to get to that point where we realize that our apps are in a military zone, they are being attacked all the time." -- Michael Coates In this segment of OWASP 24/7, I speak with Michael Coates, Chairman of the OWASP Board and the founder of the AppSensor Project. Michael's contention is that applications should be smarter, that an app should "know" when it is being attacked and have a proactive, built-in response. We discuss the AppSensor project in depth: what is it, why was it created. We start our discussion with the background and reasoning behind the project. "The real damage is when they know how your application works. They attack your business logic. They do things to violate the custom aspects of your application." -- Michael Coates About Michael Coates Michael Coates is the Chairman of the OWASP board. In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack aware applications that leverage real time detection and response capabilities. Michael is also the Director of Product Security at Shape Security, a Silicon Valley startup developing an entirely new type of web security product to protect web sites against modern attacks. Previously, Michael was the Director of Security Assurance at Mozilla where he founded and grew the Security Assurance and Web Security programs to 25 people. Throughout Michael's career he has advised major corporations and governments on secure architecture and software security. He’s also performed hundreds of technical security assessments for financial, enterprise, and cellular customers worldwide. Michael also maintains a security blog at michael-coates.blogspot.com Michael holds a Master of Science degree in Computer, Information and Network Security from DePaul University and a Bachelor of Science degree in Computer Science from the University of Illinois at Urbana-Champaign.

AppSec USA 2013 – Michael Coates on the AppSensor Project

Michael Coates has a vision: smart applications that come to their own defense. "We need to get to that point where we realize that our apps are in a military zone, they are being attacked all the time." -- Michael Coates In this segment of OWASP 24/7, I speak with Michael Coates, Chairman of the OWASP Board and the founder of the AppSensor Project. Michael's contention is that applications should be smarter, that an app should "know" when it is being attacked and have a proactive, built-in response. We discuss the AppSensor project in depth: what is it, why was it created. We start our discussion with the background and reasoning behind the project. "The real damage is when they know how your application works. They attack your business logic. They do things to violate the custom aspects of your application." -- Michael Coates About Michael Coates Michael Coates is the Chairman of the OWASP board. In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack aware applications that leverage real time detection and response capabilities. Michael is also the Director of Product Security at Shape Security, a Silicon Valley startup developing an entirely new type of web security product to protect web sites against modern attacks. Previously, Michael was the Director of Security Assurance at Mozilla where he founded and grew the Security Assurance and Web Security programs to 25 people. Throughout Michael's career he has advised major corporations and governments on secure architecture and software security. He’s also performed hundreds of technical security assessments for financial, enterprise, and cellular customers worldwide. Michael also maintains a security blog at michael-coates.blogspot.com Michael holds a Master of Science degree in Computer, Information and Network Security from DePaul University and a Bachelor of Science degree in Computer Science from the University of Illinois at Urbana-Champaign.

AppSec USA 2013 – The OWASP Application Security CISO Guide with Marco Morana and Tobias Gondrom

"The CISCO Guide provides guidance and visibility to CISOs on how to initiate an application security program, how to make the business case, how to manage the risks of applications and how to measure the those risks. The guide is structured as a journey, because application security is not a destination, it is a journey." Marco Marona Marco Marona, is the coordinator of the OWASP Application Security Guide For CISOs Project and Tobias Gondrom is the project lead for the OWASP CISO Survey. They have combined resources to provide us when a CISO framework for implementing an application security program. During our discussion at AppSec USA 2013, we talked about the origin of the projects and how they can be used to make a business case for application security. "If you have a security strategy that is about a two year time frame, you have a higher chance of increasing your application security investments.The question is then, 'How do you write that strategy?' That question is answered in the CISO Guide." -- Tobias Gondrom I start by asking Marco about the purpose of the CISO Guide.

AppSec USA 2013 – The OWASP Application Security CISO Guide with Marco Morana and Tobias Gondrom

"The CISCO Guide provides guidance and visibility to CISOs on how to initiate an application security program, how to make the business case, how to manage the risks of applications and how to measure the those risks. The guide is structured as a journey, because application security is not a destination, it is a journey." Marco Marona Marco Marona, is the coordinator of the OWASP Application Security Guide For CISOs Project and Tobias Gondrom is the project lead for the OWASP CISO Survey. They have combined resources to provide us when a CISO framework for implementing an application security program. During our discussion at AppSec USA 2013, we talked about the origin of the projects and how they can be used to make a business case for application security. "If you have a security strategy that is about a two year time frame, you have a higher chance of increasing your application security investments.The question is then, 'How do you write that strategy?' That question is answered in the CISO Guide." -- Tobias Gondrom I start by asking Marco about the purpose of the CISO Guide.