By Dan Cornell
As expected, BSides Austin 2012 was a blast. I don't know what it is about the BSides events, but they always draw a fun crowd; Austin 2012 was no different. I gave a short training class on software vulnerability management with some specific examples on fixing SQL injection and Cross-Site Scripting (XSS). I'd have to say the most interesting part of the class for me was the discussion about how to determine what vulnerabilities to fix as well as how improving software development practices in other areas (continuous integration, automated testing, DevOps-style deployment and so on) makes fixing vulnerabilities cheaper and easier.
Slides are online here:
The abstract for the short training session was:
The OWASP Top 10 lists injection flaws and cross-site scripting (XSS) as the two most significant application security risks (https://www.owasp.org/index.php/Top_10_2010-Main). This training session will walk through methods for fixing identified SQL injection and cross-site scripting vulnerabilities – highlighting common mistakes that are made as well as more secure approaches. Code examples will be provided for popular platforms including Java EE and ASP.NET.
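The two fixes the session covers, shown side by side with the mistake they replace, as an added example that is not from the slides or the class materials. It is written in Python with the standard-library sqlite3 module so it runs stand-alone (the class used Java EE and ASP.NET); the users table and the inputs are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users (name, bio) VALUES (?, ?)",
                     [("alice", "likes <b>bold</b> text"), ("bob", "plain text")])
    return conn


def find_user_vulnerable(conn, name):
    """Common mistake: untrusted input concatenated into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_fixed(conn, name):
    """Fix: a parameterized query; the driver never lets data change the statement."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_bio_vulnerable(bio):
    """Common XSS mistake: untrusted data written into the HTML body unencoded."""
    return "<p>" + bio + "</p>"


def render_bio_fixed(bio):
    """Fix: output encoding for the HTML body context, which is what the
    encoder libraries on Java EE and ASP.NET do for you."""
    return "<p>" + html.escape(bio, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote character
    print(find_user_vulnerable(conn, crafted))  # ['alice', 'bob']: the quote ends the literal
    print(find_user_fixed(conn, crafted))       # []: the whole string is compared as data
    print(render_bio_vulnerable("<script>alert(1)</script>"))  # markup reaches the browser
    print(render_bio_fixed("<script>alert(1)</script>"))       # rendered as literal text
```

The second lookup returning an empty list is the point: with a parameterized query there is no string for the application to escape correctly, so the fix does not depend on the developer remembering every quoting rule.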
dan _at_ denimgroup.com