During the last week of September I attended the OWASP AppSec NY 2008 conference in NYC. It ran for two days and had several sessions running in parallel. Some of the talks that impressed me were:
1. WAF - Web Application Firewall. This is like a hardware appliance that you plug in front of your web server. It intercepts all traffic to your web servers and analyzes it for attack patterns (for example, checking for an "' and 1 = 1" pattern to flag a SQL injection attempt). Security is not a layer / tier in your application stack / model but should be inherent in every part of it. So I was quite skeptical about whether a WAF is just hype, myth or marketing, but I guess you can use one when things look really bad. For example, if you know your web app is under attack and don't have time to analyze and fix it, just plug in a WAF. I am also planning to work on a survey paper on IDS this semester, so I am looking at how the IDS component of a WAF works and its pros and cons.
2. Clickjacking - Although security researchers Jeremiah Grossman and Robert Hansen decided not to "zero-day" this, they gave a great presentation on some of the most common and interesting attacks that arise from business logic flaws and coding flaws.
3. ESAPI - This is the Enterprise Security API. It is built on top of existing security libraries such as javax.crypto and JAAS. It looks really neat and makes sense. It was pioneered by Jeff Williams, the chair of OWASP. I was really impressed by his simplicity.
4. Security issues while Offshoring - This was presented by Rohyt Belani, who gave a great case study. I thoroughly enjoyed his theme that offshore ITES companies should sell security as their differentiator.
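To make the WAF item above concrete, here is an added example (not code from the post or from any WAF vendor) of the signature matching a WAF does on intercepted requests. It contrasts the literal "and 1 = 1" substring check mentioned in the talk with a check that first normalizes each query parameter (repeated URL decoding, inline SQL comments turned into whitespace, whitespace collapsed, lowercased) and then applies a small set of rules: a tautology rule that matches any "X = X" after "or"/"and", a comment-terminator rule, and a UNION SELECT rule. The sample requests, rule names and function names are all constructed for this example and are not from the original page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample request lines for this example (not traffic from the original post).
SAMPLE_REQUESTS = [
    "/login?user=alice&pw=Summer2008",      # benign
    "/search?q=shoes'+and+1+%3D+1+--",       # textbook tautology: the literal pattern named in the talk
    "/search?q=shoes'%20OR%202%3D2",         # same logic, different literal, so the substring check misses it
    "/search?q=shoes'/**/AND/**/1=1",        # inline comments used instead of spaces
]

# Hypothetical rule set; real products ship thousands of signatures.
RULES = {
    # "or 1=1", "and 2 = 2", "or 'a'='a'": a comparison of a token with itself
    "tautology": re.compile(r"\b(?:or|and)\b\s*(['\"]?)(\w+)\1\s*=\s*\1\2\b"),
    # "--" cuts off the rest of the original statement
    "comment_terminator": re.compile(r"--"),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
}

SQL_INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def naive_match(request_line: str) -> bool:
    """The literal check described in the talk: decode once, look for 'and 1 = 1'."""
    return "and 1 = 1" in unquote_plus(request_line).lower()


def normalize(value: str) -> str:
    """Canonicalise a parameter value before matching.

    Each step closes one trivial evasion: nested percent-encoding
    (%2527 -> %27 -> '), inline comments standing in for whitespace,
    irregular spacing, and mixed case.
    """
    for _ in range(3):  # bounded loop so a hostile value cannot keep us decoding
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = SQL_INLINE_COMMENT.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


def inspect_request(request_line: str) -> dict:
    """Run every rule over every normalized query parameter.

    Returns {parameter_name: [matching rule names]}; an empty dict means
    the request would be passed through to the web server.
    """
    findings = {}
    query = request_line.partition("?")[2]
    for name, raw_value in parse_qsl(query, keep_blank_values=True):
        value = normalize(raw_value)
        hits = [rule for rule, pattern in RULES.items() if pattern.search(value)]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req)
        print("  literal 'and 1 = 1' check:", naive_match(req))
        print("  normalized rule matches:  ", inspect_request(req))
```

Running it shows the point behind the skepticism in the post: the literal check fires only on the second request, while the normalized rules catch all three injection attempts. A signature WAF is only as good as its normalization and rule set, and an attacker who can see what is blocked will keep varying the payload, which is why it works as a stopgap in front of a vulnerable application rather than as a substitute for fixing the query construction itself.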
All the presentations have been put online. You can watch them here. Enjoy!