- Brian Peister
I am thrilled to formally announce that registration is OPEN for this year’s OWASP United States conference.
AppSec US 2010 will be held September 7th through September 10th, 2010 and will be hosted by the Orange County and Los Angeles Chapters at the University of California, Irvine, the only school in the University of California system with a dedicated school of Information and Computer Science.
The keynote speakers have been confirmed! The tremendous response to the call for papers is now being transformed into a jam packed two day, multi track agenda! Additionally, training providers are being locked in for an outstanding selection of one and two day classes.
The event information as well as links to registration can be found here: http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=Welcome
Registration can be completed here: https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=3c8f8c26-a4b3-40d6-9daa-1f541ea0ccc2
Now is the time to make your plans to attend this year’s premier application security event hosted by the world’s foremost community of security professionals, the OWASP Foundation!
If you have any questions, or need additional information, please do not hesitate to contact me. I look forward to seeing everyone in California this fall!Kate Hartmann
OWASP Malaysia : Contribution In MSC Malaysia Open Source Conference MOSC2010
OWASP Malaysia is actively contribute to MOSC2010 by arangging speakers for the conference and OWASP Malaysia Chapter Leader - Mohd Fazli Azran is one of the committe member for MOSC2010.
Speakers from OWASP
OWASP Joomla CMS Vulnerability Scanner - Aung Khan, YGN Ethical Hacker
OWASP and What It Can Do For You - Cecil Su, OWASP Global, Singapore.
MOSC2010 include security topics like
Joomla! 1.6 Security
Easy DNSSEC Deployment with OPENDNSSEC
Internet Malicious Miscreant
For OWASP Malaysia, this will create awareness about security and OWASP.
For more information about MOSC2010
I am glad to announce the first round of speakers that have been selected for the OWASP New Zealand Day 2010 conference.
* Scott Bell - Security-Assessment.com - Web Application Vulnerabilities: How far does the rabbit hole go?
* Dean Carter - The Ramblings of an ex-QSA
* Paul Craig - Security-Assessment.com - "Oh F#!K" : What To Do When You Get Pwned
* Graeme Neilson - Aura Software Security & Kirk Jackson - Xero - Tales from the Crypt0
The conference web site has been updated with a speakers section and talk abstracts:
Please note that CFP (Call for Paper) is still open and it will close on the 30th June. There are still available slots for talks.
For more information about the CFP and submission, please refer to my previous post:
I am delighted to announce that 160 people registered so far to attend the event.
This is an excellent result for OWASP in New Zealand and thanks for spreading the voice.
If you are reading this post and you haven't registered yet, please do it by visiting:
Please feel free to invite other people who might be interested to join us.
The event registration will end on the 30th June 2010.
For those of you using LinkedIn, please feel free to join the group "OWASP New Zealand Chapter" at:
Again thanks to everyone for helping the OWASP NZ chapter. Special thanks to
the University of Auckland for providing the venue.
The final list of speakers and the conference agenda will be published on
the 1st July.
Roberto Suggi Liverani
OWASP NZ Leader
OWASP New Zealand Day 2010 is kindly offered and supported by the
- University of Auckland (Department of Computer Science) - www.auckland.ac.nz
- NZISF (New Zealand Information Security Forum) -
- Security-Assessment.com - www.security-assessment.com
- Lateral Security - www.lateralsecurity.com
Hello OWASP Leaders. I wanted to let you all know that a new version of the OWASP ModSecurity Core Rule Set (CRS) is now available (v2.0.7).
There are some interesting updates, most notably -
1) The new CSRF protection ruleset.
The ruleset uses ModSecurity's Content Injection capabilities to append an updated version of the csrf.js file from the OWASP CSRFGuard Project (http://code.google.com/p/owaspcsrfguard/source/browse/trunk/main/OWASP-CSRFGuard/src/org/owasp/csrfguard/handlers/csrf.js) to the end of the response data. ModSecurity generates the CSRF token and inserts it into the JS data and then validates it on subsequent requests.
The advantage of using ModSecurity for this is if you are running it on an Apache reverse proxy, then you add in CSRF tokens to any back-end web app regardless of the language.
A call for assistance - the csrf.js code works well however it should probably be extended to handle AJAX calles, etc... If there are any JS ninjas who want to tackle updating the JS code to perhaps add the csrf tokens using OnSubmit or something, let me know.
2) App Defect Rule - Missing HTTPOnly flags
One ruleset will identify if the HTTPOnly flag is missing when the app hands out Set-Cookie SessionIDs. It can optionally fix the issue by passing ENV data to Apache which will append the HTTPOnly flag through a ResponseHeader directive.
3) App Defect Rule - Missing Output Escaping of User-Supplied Data
This is an interesting concept where we are attempting to do some crude Dynamic Taint Propagation tracking related to XSS/Missing Output Escaping. As opposed to trying to identify and block potential XSS payloads on the inbound, we are instead focusing in on the underlying vuln - resources that don't properly track user-supplied data and encode/escape it when given back to clients.
The ruleset basically looks for inbound data that contains meta-characters that are often used in XSS attacks (<,>,/, etc...) and then it stores the entire parameter data in a temporary variable and then inspects the response body to see if the same exact payload is present. If it is, then the app is not properly escaping it. This ruleset works in limited testing but I am interested to see how it fairs once the ModSecurity community starts testing it out :)
Please let me know if anyone has any questions, comments or would like to help out with future
Ryan C. Barnett
WASC Web Hacking Incident Database Project Leader
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Keynote: "The changing face of cryptography"
Fred Piper was appointed Professor of Mathematics at the University of London in 1975 and has worked in information security since 1979. In 1985, he formed a company, Codes & Ciphers Ltd, which offers consultancy advice in all aspects of information security. He has acted as a consultant to over 80 companies including a number of financial institutions and major industrial companies in the UK, Europe, Asia, Australia, South Africa and the USA. The consultancy work has been varied and has included algorithm design and analysis, work on EFTPOS and ATM networks, data systems, security audits, risk analysis and the formulation of security policies. He has lectured worldwide on information security, both academically and commercially, has published more than 100 papers and is joint author of Cipher Systems (1982), one of the first books to be published on the subject of protection of communications, Secure Speech Communications (1985), Digital Signatures - Security & Controls (1999) and Cryptography: A Very Short Introduction (2002).
Damien Gordon Phd (Dublin institute of Technology)
Keynote: "Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"
Damian Gordon is a lecturer with the School of Computing at the Dublin Institute of Technology and is Programme Co-ordinator for the School's Masters in Computing (Assistive Technology). He was primary researcher on two EU funded projects whose particular focus was looking at issues associated with technoacceptance - the ILT and the E4 projects - and was Educational Advisor for the Ireland-China EMERSION project. His research interests include Differentiated Instruction, Computer Security, Technostress, ICT and Special Needs, Virtual Learning Environments, Image reconstruction from specular reflections, and Lateral Thinking Techniques.
Building on the success of AppSec DC 2009, OWASP is pleased to announce the OWASP AppSecDC 2010 conference held at the Walter E. Washington Convention Center on November 8th through 11th 2010. Plenary sessions will be on November 10th and 11th preceded by Web Application Security Training on November 8th and 9th.