LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad

Recent Posts

Categories

Subscribe to this blog's feed

Archives

Add me to your TypePad People list
Denim Group



Programming Blogs - Blog Catalog Blog Directory

November 12, 2008

OWASP EU Summit in Portugal: The Final Chapter

By Dan Cornell

If you have been following these posts you know that the OWASP EU Summit in Portugal was an exhilarating, but exhausting, week - lots of work, lots of play and much was accomplished.  So you would think that it would make sense to relax on Saturday, get some rest and be up early for our 3:30am bus to the airport.

You would think.

Instead, Thursday night I had a conversation that went something like this:

Bringer of Bad Ideas: "Hey, are you coming to Africa on Saturday?"
Me: "Excuse me?"
BBI: "Africa.  We're renting a van and driving through Spain.  Then we're going to take a ferry to Africa for the day.  Morocco.  Are you coming?"
Me: "Naturally."

And so it begins.

IMG_2175
In the van.  Driving through Portugal.  Or is it Spain?  Hard to tell...

IMG_2184
Wind farms in Spain.  Someone call T. Boone Pickens.

IMG_2197 

Some of the coastal fortresses in Tarifa near the where the ferry docked.

IMG_2207 

More interesting architecture in Tarifa.

IMG_2213 

Tom Brennan and I as the ferry was pulling away.

IMG_2218  

Leaving Tarifa.

IMG_2222 

This is a little tricky to see, but this photo has Europe on the left and Africa on the right.

IMG_2229 

Pulling into port in Tangier.

IMG_2233 

Intrepid adventurers.

IMG_2234 

For extra credit: Find the American in this picture.

IMG_2237 

Traffic on the streets of Tangier.

IMG_2247 

Me.  Next to a cannon.

IMG_2249 

Crowds in the marketplace.

IMG_2256  

Ana, Tom and I.  Someone thought it would be a great idea to get out of the crowds and hubbub of the bazaar and take refuge in the solitude of the deserted, dark alleyway.  The wisdom of this was called into question a few minutes after this picture was taken when we turned the corner to find four local "gentlemen" and their giant pit bull.  Fortunately we passed without incident.

IMG_2260  

Kids playing soccer in an alleyway.

IMG_2284 

Public toilet in a coffee shop.  Moments like this were what made this trip an "adventure"

IMG_2287 

Running through the Casbah desperately trying to make it to our ferry.  We managed to inadvertently pick up a "guide" along the way who promised to lead us to the port, but in reality just took us by a bunch of stores and tried to get us to stop in and shop.

IMG_2288

Back on the ferry.  Barely.  Everyone present and accounted for.

IMG_2292 

On the drive home, we wanted to stop in Sevilla and grab a traditional Spanish dinner.  The first restaurant we went to had this pig's leg displayed in their entrance way.  This was perhaps a bit too "authentic" for our crew so we moved on.

IMG_2293 

We finally found a great place surrounded by orange trees.  Time constraints kept us from enjoying a long dinner of tapas, sangria, etc but we did manage to have a great meal before heading back to the van.

IMG_2295 

And here's Tom goofing off on the back of the van.  Apparently he didn't get the memo that we didn't have a lot of time to make it back to Portugal and ultimately the hotel if we wanted to make our return flights.

We traveled across three countries and two continents in the course of a day and had a great time doing it.  Fun had by all and no major incidents.  This was certainly not an OWASP event, per se, but it was a great capstone activity for the Summit. Thanks to all my fellow travelers for planning and executing an amazing trip.

--Dan
dan _at_ denimgroup.com

PS: Here are some of Darren's photos online.

November 12, 2008 in Conferences, Dan Cornell, Denim Group, Food and Drink, OWASP, Pro Services Life, Speaking Events, Travel, Web/Tech | | Comments (1) | TrackBack (0)

OWASP EU Summit in Portugal: Friday

By Dan Cornell

IMG_0140

The EU Summit finished up with a recap of the results to come out of the various working groups and an open OWASP Board meeting.  The full results of the Board meeting will be laid out on the Wiki shortly, but for me the most exciting development was the creation of several Global Committees for OWASP that will essentially act as middle managemnt for the organization.  Up until now there have been contributors, project/chapter leaders and board members.  That has served OWASP well for a number of years, but with the scale of the organization, it has become evident that we need more coordination to avoid rework and prevent conflicts.  To address this, several Global Committees are being set up to centralize conversations and thinking in several important areas.

I will be serving with Michael Coates on the Global Membership Committee working to increase the value of OWASP membership to the individuals and organizations who become members as well as working to increase the number of individuals and organizations who are OWASP members.  If you have any thoughts or questions about this, please feel free to contact Michael or I.

Overall the summit was an incredible experience.  I have been working with OWASP for a long time - first as a consumer of OWASP materials and then as the San Antonio Chapter lead as well as working on projects like Sprajax and the Open Review Project (ORPRO).  To see the growth that the application security space has undergone during this time has been amazing, and to see OWASP grow along with it has been even more so.  OWASP is a great gathering place for intelligent and dedicated individuals who are experts in their discipline.  I have seen others comment that they view this summit as "the end of the beginning" for OWASP and I think that rings true.  I'm looking forward to working with the Summit attendees and the OWASP community as a whole to continue the work we started there.

--Dan
dan _at_ denimgroup.com

November 12, 2008 in Conferences, Dan Cornell, Denim Group, Information Security, Open Source, OWASP, Pro Services Life, Security, Travel, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

OWASP EU Summit in Portugal: Thursday

By Dan Cornell

IMG_2162

I must admit - by Thursday I was feeling a little rough.  Mostly because of the two evening soccer (football?) games.  That's far too much running in too short a period of time for me.  Regardless, Thursday shaped up to be another great day with some great project presentations and working groups.  Projects I saw Thursday included:

  • James Walden - Source Code Review Project - The Open Review Project (ORPRO) has been working with James Walden and his folks to get all OWASP projects run through at least an automated security source code review.  James presented on his work over the summer getting workflows set up and working with the automated review platform.
  • Stephan Evans - Securing WebGoat with mod_security - This was a very interesting presentation on how to address the security vulnerabilities in WebGoat using mod_security rules.  It was cool to see how Lua scripting can be used to address issues that go beyond the typical technical vulnerabilities like SQL injection and cross site scripting (XSS).
  • Arturo Busleiman - Enigform and mod_OpenPGP Project - This is an interesting approach to securing web communications that leverages the PGP infrastructure rather than relying on SSL.
  • Marcin Wielgoszewski - AntiSamy.NET Project - This is a port of the AntiSamy project to work for .NET environments.

Working groups I attended were:

  • Intra-Government Working Group - Lots of great ideas here in two areas.  First - how to get OWASP involved with governmental standards bodies so that we can act as a resource as well as influence standards and practices.  Second - how to better communicate with government consumers on how to best use OWASP resources to make their infrastructures safer.
  • OWASP Strategic Planning -  Too many topics to mention here - the results should be coming out in a press release and a summary of the event.
  • Chapter Leaders Working Group - It was great to have an opportunity to interact with chapter leaders running chapters in a variety of state of maturity.  Certainly lots of good suggestions that I can bring back to use for the San Antonio chapter.

Mercifully, the Chapter Leaders session ran all the way until our late dinner time so we couldn't play another game of soccer.

--Dan
dan _at_ denimgroup.com

November 12, 2008 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Fortify, Information Security, Open Source, OWASP, Pro Services Life, Security, Speaking Events, Static Analysis, Training, Travel, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

OWASP EU Summit in Portugal: Wednesday

By Dan Cornell

IMG_0138

Wednesday was another day packed full of project presentations and working group sessions.  The project presentations I attended included:

  • Eduardo Neves - Positive Security Project - Many security programs are focused solely on the negative - what should not be done and so on.  This project is intended to create awareness of the "good" activities teams can perform to build security in.
  • Martin Knobloch - Education Project - This goal of this project is to organize OWASP materials so that they can be used in programs to educate developers about application security.  So far they have put together two full training classes with slide decks.
  • Juan Carlos Calderon - Internationalization - This project aims to get OWASP materials translated into a variety of languages to as to better distribute them to the developers that need them.
  • Lucilla Mancini - PASSWD - The PASSWD project aims to use modeling to predict the security state of applications.
  • Me (Dan Cornell) - Open Review Project (ORPRO) - This is a project I have been working with Mario deBoer and the folks from Fortify with for the past couple of months.  The goal is to make security code review services - both automated and manual - available to open source projects.  We are currently working with the folks from Moodle and will be looking to expand that involvement to other projects in the future.  (We're always looking for volunteers, so if you are interesting in performing security reviews for open source code please let me know!)

The working group I attended was:

  • Education Project Working Group - Lots of great discussions in this group including how to best structure the courses of instruction as well as thoughts about using the LiveCD Project as a distribution mechanism for courseware.

--Dan
dan _at_ denimgroup.com

November 12, 2008 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Fortify, Information Security, Open Source, OWASP, Pro Services Life, Security, Speaking Events, Static Analysis, Training, Travel, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

OWASP EU Summit in Portugal: Tuesday

By Dan Cornell

[Running a little behind, as usual.  Over the course of today I'll be putting up a series of posts to finish out my OWASP EU Summit notes.]

First of all, my favorite part of Tuesday was that I won a t-shirt at the Sensepost training class on offensive web application hacking.  H4x0r skillz!

IMG_0130
 

In addition to that, Tuesday was a really productive day.  I had the opportunity to attend a number of sessions where folks presented their Summer of Code projects and OWASP projects in general:

  • Jason Li - JSP Testing Tool - This tools tests JSP tag libraries to determine which attributes are properly escaped when they are written out to the HTML stream.  It does this by generating a large number of JSP/HTML examples with various payloads placed into the tags' attributes.  When the page renders, unescaped payloads change colors of parts of the DOM so you can see which attributes are "dangerous"  This is a very cool approach and it would be interesting to see how it applied to ASP.NET web controls as well.
  • Paolo Perego - Orizon - Orizon is a framework for code analysis that can apply various rules to look for security defects.  It currently supports Java and there are plans to make it support .NET.  Source code files are broken down into a number of XML representations and then those XML representations are run through a rules engine to identify potential security issues.
  • Alex Smolen - ESAPI.NET - This is the .NET version of the ESAPI.  Currently it is basically a word-for-word port of the Java ESAPI into C#, but the plan is to update the .NET version to accomodate existing security capabilities of the .NET platform such as the Membership API and the AntiXSS library.

I also had an opportunity to attend a number of working groups:

The energy and enthusiasm at this event was incredible.  As you'll see from the following posts we covered a lot of ground during the week and a lot got accomplished.

--Dan
dan _at_ denimgroup.com

November 12, 2008 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Java, Open Source, OWASP, Pro Services Life, Security, Speaking Events, Static Analysis, Threat Modeling, Training, Travel, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

November 05, 2008

OWASP EU Summit in Portugal: Monday

By Dan Cornell

OWASPBoard

This week I'm in Portugal at the OWASP EU Summit '08.

Just after I arrived on Monday I had the opportunity to talk about AJAX security and sprajax to a group of students at the 1 day OWASP event at the University of Algarve.  The slide deck was a shortened version of the one from when I presented at OWASP Montgomery.  I always enjoy speaking to University students because you have to work hard to frame the material in the appropriate context.  For example - how do you explain SQL injection to someone who has never written a database application?  How to explain PCI compliance to someone who has never worked inside an enterprise that takes credit cards?

I finally got some sleep Monday night after a day and a half of flights, airport wait time, presentations to University students and the conference kickoff.  This is shaping up to be a great event.  More to come.

--Dan
dan _at_ denimgroup.com

November 05, 2008 in AJAX, Application Security Tools, Conferences, Dan Cornell, Denim Group, Fortify, Information Security, Java, Open Source, OWASP, Pro Services Life, Science, Security, Static Analysis, Threat Modeling, Training, Travel, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)