Dailydave mailing list archives

OWASP AppSec 2004


From: dave <dave () immunitysec com>
Date: Fri, 25 Jun 2004 18:02:32 -0400

So I wanted to report on the OWASP conference last weekend after they put the slides up, but I haven't seen that happen yet. So I'll just go over it and pretend you can see them.

First of all, for a Saturday and Sunday in Hoboken - the thing was packed. People came from all over the place. Mostly NYC and DC, but also a fair number from London and other places. I've noticed a trend towards holding conferences in academic settings. It makes a lot of sense because a tiny room at a hotel is 1K a day. This means a big room at a hotel, which gets you nothing special, is a lot of money. So you have to make the tickets really pricey. I didn't pay for OWASP, since I was speaking, but 300 dollars is not that much.

Anyways, on to the talks. I thought the general tone of the conference was very much like an open source project's conference, and not like BlackHat, Defcon, PacSec, or any of the security cons I've been to. It was interesting to see how much support OWASP has from various banks and large financials here in the city, which all want OWASP to succeed so they can save money on their bottom line, much like they want Linux to succeed.

The official topic was "cutting through vendor hype", although I think few talks addressed that directly. Most of the talks were high level, with Dinis Cruz's being one of the rare ones that was not. Apparently people are running their ASP.NET hosting environments in "Full Trust", which means that they rely on having separate user IDs for security, which they can't do for some reason. What was also interesting was that few people in the room had any knowledge of Win32. Windows really hasn't penetrated this market at all. Dinis noticed that there are SYSTEM identity tokens popping into random processes in Windows 2000. I told them about that 2 years ago while reviewing IIS 6, and we determined it was harmless, but Dinis thinks maybe if you use DuplicateToken on it (it'll return False, but still work), you can do something. I never figured it out.

I challenged all the "static analysis" software vendors in the room (at least one came up and answered) to analyze pre-TESO-fixes CVS and tell me if they found any of the bugs. One of them did say they would do some open source projects and get back to me, and if they do, you will read about it here, and if they don't you should not buy their tool (or any static analysis tool that has not proven itself in this way).

One thing I liked was the new oPORTAL stuff, or whatever they're calling their pet portal project. A portal is different from a content management system, it turns out. But in any case, it looks like it'll be nice, when they get it releasable.

WebGoat, on the other hand, is fucking fantastic. It's a breeze to install (one click), fully configurable, and provides point and click "lessons" which teach people how to look at web security. The only thing missing is more lessons (esp. advanced lessons).

The only talk I had trouble in was "Security Considerations in the System Development Life Cycle of Web Services-based Systems - Toto, We're Not in Kansas Any More . . ." - George Capehart, Founding Member of Capehart Associates LLC. He's from the south, so he talked really slow, and the talk started out really interesting, but I lost it with the slow pace. Also, each slide was 10000 words crammed into the page, so it was impossible to really read at a distance. Slides should have very few words. Actually, the Japanese do totally crazy stuff with slideshows. You have to see it to believe it. It's an experience. I tend to stick with the lists of bullets and pictures. But that would not fly in Japan. It would look half-hearted, like I whipped it up this morning.

There were a lot of people stabbing at that holy grail - meaningful metrics. It's an impossible thing. One person's "High risk" is another person's "Low risk" and that's always the way it's going to be.

That's all I have. If anyone has more comments on it, feel free to send them on in. Overall, I think it was a huge success - people networked, people learned, etc. I learned at least one thing, which is my criterion for success.

-dave
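Added configuration example (editor's addition, not part of Dave's post or of any OWASP material): the "Full Trust" hosting setup the post mentions, beside the locked-down partial-trust setting a shared host would use instead. It assumes standard ASP.NET 1.x/2.0 `machine.config` / `web.config` syntax.

```xml
<!-- Weak setting, as described in the post: an ASP.NET site running under
     Full Trust. A site's own web.config can request this, so any isolation
     between tenants rests entirely on each application running as a
     separate OS user identity. -->
<configuration>
  <system.web>
    <trust level="Full" />
  </system.web>
</configuration>

<!-- Hardened setting for a shared host: set the code-access trust level
     in machine.config (or the root web.config) and lock the section so an
     individual site's web.config cannot raise it back to Full.
     "Medium" is one of the built-in ASP.NET partial-trust levels. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

Partial trust restricts what a site's managed code may do (file system, registry, network), but it is a defence in depth on top of per-site identities, not a replacement for them.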


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
