A day at OWASP Conference

Gepubliceerd
2008-09-08 03:10
Written by
deepak.srivastava - member of the CiviCRM community - view blog guidelines
CiviCRM India team had an opportunity to attend the OWASP-conference, New Delhi. It was a two day conference but we - Kurund, Sunil & I decided to attend the second day training/workshops just to stay away from theoretical lectures. We landed in Delhi on day-1 evening to avoid any last minute rush. And we realized the temperature in Mumbai was much better and Delhi being a bit hot. We had a booking in Ginger Hotel - value for money i must say :). Next day cool-morning we took rickshaw to Habitat-Center (the venue) and made exactly on time but the lectures due to some reason started late by an hour which was a bit disappointing. Workshops that we decided to attend ( based on lecturer's profile ) were - 1. Application Security Assessment (Threats and Exploits) and 2. Web 2.0 Security In Application Security Assessment we had sessions on - web security industry, attacks & trends, few security incidents/breaks, change in the attack trend, next generation attacks (sql injection, parameter tempering ..etc), security cycle, root cause of vulnerabilities (programming errors 64% and misconfiguration & other problems 36%), various entry points, tracing, url misinterpretation, handler mismatch, directory browsing, information leakage from errors, mysql errors, source code disclosure, malicious code injection, server side code injections, sql injection/poisoning, XSS, CSFR, session hijacking, injecting fault. In Web 2.0 Security session included - web 2.0 overview, web 2.0 attack surface, CSFR, XSS, security critical areas, error handling and logging. Discussion mostly revolved around AJAX which could be next popular attacking platform. All discussions were general and didn't target any specific projects (like flaws in open source projects ..etc) but very certain that atleast 4 out of 10 would apply to your project. We really liked the examples/tricks that were shown, of course a few looked outdated/old. No doubt soon security assessment will be a major part of development cycle. Attending this session atleast has improved/changed my way of looking at web applications :).