Sunday, July 31, 2011

OWASP Top 10 Quiz

We recently developed a quiz to help an organization test their developers' knowledge of the OWASP Top 10. I thought it would be a good idea to make it public and let other organizations use it for their development teams as well. This is a very basic quiz, but I do plan to add different levels and more questions to it, and to randomize the questions as well.

I would greatly appreciate any feedback or suggestions that others may have.

http://owasp.myappsecurity.com/2011/07/12/quiz/

Wednesday, April 13, 2011

OWASP threat modeling project

We are starting an OWASP threat modeling project to standardize a threat modeling approach which can be used by various companies. During the OWASP Portugal Summit I had a very meaningful and positive discussion on this topic and got support from a lot of people in the community. You can find the results of the discussion on the OWASP Threat Modeling project page.

If you would like to join the project, please join the mailing list at


Here are some of the topics to be taken up in the first meeting (most probably to be scheduled for next week):
  1. High level project roadmap with milestones.
  2. Call for participants
  3. Review existing resources within OWASP to align with threat modeling project.
  4. Come up with a threat modeling methodology
  5. Publish the first draft

Thursday, August 19, 2010

Intellipass - A behavior based password lockout mechanism

I am pleased to announce Intellipass, a behavior based password lockout mechanism. Most password lockout mechanisms today are static, which means they lock a user out after a certain number of incorrect password attempts. This feature is implemented to prevent brute force attempts against the login functionality. Even though it does what it's supposed to, it has its own shortcomings.
From a security point of view, this feature can be abused by an attacker to lock out most or all of the users: a script that enumerates candidate usernames (which are mostly alphabetic, if not alphanumeric) and deliberately submits wrong passwords for each one triggers the lockout on every valid account it hits, resulting in a denial of service.
From a usability point of view, there is always a debate as to the number of attempts to be allowed before locking a user account. Most websites allow 3 attempts, while some (very few) allow 5 or sometimes 7. What the right number is for this feature is a subject of debate, or at least a different blog post. However, it is a big inconvenience for users if they are locked out.

Until now, there has been no other option but to implement a static password lockout mechanism, which has become the de facto standard for almost every website. Intellipass tries to bridge the gap between the security and the usability aspects of this feature. By storing every login attempt of a user, Intellipass can learn the user's past behavior and act accordingly. For example, if a user locks himself out every time, Intellipass will dynamically increase the number of allowed attempts from 3 to 5 or from 5 to 7. On the other hand, if a user has logged in on the first or second try every time in the past but for some reason has taken 3 attempts this time, Intellipass will automatically reduce the number of allowed attempts from 7 to 5 or from 5 to 3. The second component of Intellipass is to throw in a random CAPTCHA or insert a time delay between login attempts to prevent automated attacks.
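The adaptive threshold and the throttling described above, as an added example that is not Intellipass code (the project's own code is not on this page): a small Python model in which each user's lockout threshold is chosen from that user's own session history, stepping between the post's 3, 5 and 7, and failures within one session trigger a doubling delay and a CAPTCHA before the lockout is reached. The history window, the delay and CAPTCHA constants, the rule that a lockout only counts once the owner has logged in again, and all names are this example's own assumptions.

```python
"""Adaptive (behaviour-based) lockout threshold: an illustrative model.

Added example, not Intellipass code. Each user's allowed number of failed
attempts steps between 3, 5 and 7 according to that user's own history, and
failures within one session trigger a CAPTCHA and a growing delay before
the lockout is reached. Window sizes, constants and names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LADDER = (3, 5, 7)       # the post's 3 -> 5 -> 7 steps
HISTORY_WINDOW = 10      # assumed: only the last 10 sessions influence the threshold
CAPTCHA_AFTER = 2        # assumed: a CAPTCHA is demanded once 2 failures are seen
BASE_DELAY_SECONDS = 2   # assumed: 2s after the 1st failure, doubling after each


@dataclass
class UserHistory:
    """Per-user record of completed login sessions.

    A session is the run of attempts ending in a successful login or a
    lockout. Successes are stored as the attempts they took, lockouts as None.
    """
    sessions: List[Optional[int]] = field(default_factory=list)
    failures_this_session: int = 0
    locked: bool = False

    def recent(self) -> List[Optional[int]]:
        return self.sessions[-HISTORY_WINDOW:]

    def successes(self) -> List[int]:
        return [s for s in self.recent() if s is not None]

    def owner_lockouts(self) -> int:
        """Lockouts that a later successful login followed.

        Only these loosen the threshold: the later success is the evidence it
        was the legitimate user fumbling, not a third party spraying the name.
        """
        recent = self.recent()
        return sum(1 for i, s in enumerate(recent)
                   if s is None and any(t is not None for t in recent[i + 1:]))


def allowed_attempts(history: UserHistory) -> int:
    """Choose this user's lockout threshold from their own behaviour."""
    last = history.recent()[-3:]
    # Most recent behaviour dominates: three quick successes in a row step the
    # threshold back down to 3 even if older sessions ended in lockouts.
    if len(last) == 3 and all(s is not None and s <= 2 for s in last):
        return LADDER[0]
    lockouts = history.owner_lockouts()
    if lockouts >= 4:
        return LADDER[2]
    if lockouts >= 2:
        return LADDER[1]
    # Habitually needs 3+ tries but never locked out: one step of slack.
    if history.successes() and max(history.successes()) >= 3:
        return LADDER[1]
    return LADDER[0]


@dataclass
class Decision:
    outcome: str        # "success", "retry" or "locked"
    threshold: int      # threshold in force for this attempt
    delay_seconds: int  # wait to enforce before the next attempt is accepted
    captcha: bool       # whether the next attempt must carry a solved CAPTCHA


def attempt(history: UserHistory, password_ok: bool) -> Decision:
    """Process one login attempt and update the user's history."""
    threshold = allowed_attempts(history)
    if history.locked:
        return Decision("locked", threshold, 0, False)
    if password_ok:
        history.sessions.append(history.failures_this_session + 1)
        history.failures_this_session = 0
        return Decision("success", threshold, 0, False)
    history.failures_this_session += 1
    n = history.failures_this_session
    if n >= threshold:
        history.locked = True
        history.sessions.append(None)
        history.failures_this_session = 0
        return Decision("locked", threshold, 0, False)
    # Throttle before the lockout: the delay doubles with every failure and a
    # CAPTCHA is demanded from CAPTCHA_AFTER on; this is what slows a script.
    delay = BASE_DELAY_SECONDS * 2 ** (n - 1)
    return Decision("retry", threshold, delay, n >= CAPTCHA_AFTER)


def unlock(history: UserHistory) -> None:
    """Admin or self-service unlock; the lockout itself stays in the history."""
    history.locked = False


def run_session(history: UserHistory, results: List[bool]) -> Decision:
    """Feed a sequence of attempt outcomes (True = correct password)."""
    decision = Decision("retry", allowed_attempts(history), 0, False)
    for ok in results:
        decision = attempt(history, ok)
        if decision.outcome != "retry":
            break
    return decision


if __name__ == "__main__":
    # Constructed histories, not real data.
    print(allowed_attempts(UserHistory(sessions=[None, 2, None, 1, None, 3, None, 1])))  # 7
    print(allowed_attempts(UserHistory(sessions=[None, None, 1, 1, 1])))                 # 3
    print(run_session(UserHistory(), [False, False, False]).outcome)                     # locked
```

The caveat the model makes explicit: the threshold is still keyed to the username, so a script that enumerates usernames can still drive each account to its lockout; the per-attempt delay and the CAPTCHA are what make that expensive, and they should be backed by per-source rate limiting as well. Counting only lockouts that a later successful login follows keeps an attacker's failed sessions from loosening a victim's threshold. In a real deployment the attempt history is persisted, not held in memory as here.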

The initial release will be in Java. We are asking everyone to send in their suggestions and ideas as to what can be done to make Intellipass usable by various companies. More details on Intellipass can be found here.

Thursday, May 06, 2010

Free Hands on Workshop on Web Application Security in New York City

Ever wondered how a hacker steals all these credit card numbers? Do you think hacking a website is difficult? What are the skills required to hack a website?

The ISSA NY Metro chapter is organizing a 3 hour workshop on web application security. This session will show you how easy it is to steal credit card numbers, SSNs, etc. by doing a SQL injection attack, or how you can steal passwords and hijack a session using Cross Site Scripting (XSS). This session will not only make you think like a hacker but also have you find and exploit vulnerabilities in a live web application that closely resembles those containing your personal information, credit card numbers and even medical history.

Attendance is free for ISSA members and $35 for non-members. This is a hands-on session, so please bring a laptop to this event to fully benefit from the material that will be presented. If you do not have a laptop, you should still attend and share with another member, or follow along on the big screen. Please do not send an RSVP; instead, register at the link below.

Only 30 seats left


Event Type : Workshop / Hands on Training
Date & Time : May 27, 2010 2pm - 5pm
Price : Free for members, $35 for non-members

Location :

PricewaterhouseCoopers
300 Madison Ave (corner of 42nd Street)
New York, NY 10017


Registration Link - http://guest.cvent.com/EVENTS/Info/Summary.aspx?e=f1707482-d496-4011-b4cb-0e9e212012d7
Event Link - http://www.nymissa.org/2010/04/23/tricks-of-the-trade-web-application-security-2/

Wednesday, May 05, 2010

MyAppSecurity - Secure Your Applications

As some of you know, I joined WhiteHat Security as Director of Education Services in December 2007 to build their training division from scratch. Though it has been a very demanding job, it has also been very satisfying. I enjoyed working with various companies, training their developers and QA professionals, and resolving their web application security issues. Through training I not only taught people at various companies but also got a chance to interact with different development and security professionals, understand the challenges they were facing, and guide them in building a solution that works.

Though WhiteHat is more about finding problems (vulnerabilities), and they do a wonderful job of it, I consider myself more of a solutions guy, meaning how to fix those vulnerabilities, and that is where my past experience as a developer and architect helps me a lot. Not to mention my experience as a Technology Risk Officer at Citigroup, where I contributed to building a Technology Risk Management program to protect their web applications. So, being a solutions guy, training was a perfect fit for me at WhiteHat, but now I want to do more than just training: I want to use my skills to help companies address their web application security challenges through my own company, "MyAppSecurity".

I also want to thank WhiteHat for giving me the opportunity to work with some of the brightest brains in the industry. It's been a wonderful experience and I got to learn so many things, not just about the security field but also about the operations side of a small business. I will definitely be using this experience in establishing my own company. I want to wish WhiteHat Security luck in achieving their goals. I am definitely keeping my stock options :)

If any of you guys are looking for solutions to resolve your web application security challenges, feel free to shoot me an email at anurag (at) myappsecurity (dot) com or call me at 919-244-0803.

Monday, August 11, 2008

WASSEC Project Leader Change Announcement

There is going to be a new project leader (Brian Shura : bshura73_at_gmail_dot_com) for WASSEC (Web Application Security Scanner Evaluation Criteria) as of today. The leadership change will help me free up some time to work on other projects.

We've identified an excellent candidate who will take over WASSEC from where I left off. I have already given him an overview of the project, its status and the contributors. I will be helping him in the background initially until he comes up to speed, and will continue to assist him should he need any help from me in the future. His bio is below:

"Brian Shura is in charge of web application security for a large financial institution. He regularly conducts application security assessments using both manual and automated techniques, and has led formal product evaluations of security scanners and web application firewalls.

Prior to his role in application security, Brian spent five years working as a developer on large Internet-facing websites. When not working on web application security initiatives, Brian enjoys badminton, fishing, and hiking the Appalachian Trail."

Thursday, June 19, 2008

OWASP AppSec India Conference 2008

The OWASP Delhi Chapter is hosting a grand application security event in New Delhi, India. With a lot of executives and business folks also attending the event, it clearly shows the attention web application security is getting in India. I am sure a lot of it is also because India is one of the major offshore development hubs for US projects, and most of the companies sending projects offshore must have started asking for secure coding practices. It's a great step forward, as it will not only create awareness as a whole but also mean that the code developed in India starts to get more secure.

OWASP AppSec India Conference 2008
Date: August 20th & 21st 2008
Venue: Hotel Intercontinental EROS,
Nehru Place,
New Delhi, INDIA.

https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008

This is a two day event, with the first day being the conference on “Application Security Trends and Challenges” and the second day dedicated to six sessions of multi-track training/workshops covering today’s hot application security topics. We have a great line-up of world-renowned application security experts and gurus, who have spoken and presented at the world’s biggest and most prestigious information security conferences, including BlackHat, BlueHat, RSA WorldCon, DefCON, OSCON, ISACA, MISTI, EUSec, AusCERT, ISC2 Secure World and HackInTheBox.

Having your team attend this event can add immediate value to your organization in terms of people, processes and technology. The OWASP AppSec India Conference 2008 is the first ever event focusing on application security trends and challenges, and is the right place to learn application security best practices from the industry experts and gurus in this space.

Sponsoring this event, on the other hand, proudly showcases your commitment to information security. It enables your clients to identify you as a security-savvy organization that is focused on delivering trustworthy computing in a tangible manner with measurable benefits.

There is an exclusive, invitation-only CxO Power Summit on the eve of the first conference day, and as a sponsor you get to interact with your C-level colleagues and other VIP delegates from the corporate and government sectors, which can help build valuable business relationships.

WASC OWASP Party @ Blackhat

Blackhat Vegas is around the corner. Our WASC-OWASP party last year rocked, with around 300 people showing up. There was a huge line outside the Shadow Bar and it was by far the best party at Blackhat last year. If you weren't able to make it last year, do not miss it this time. Get your wristband from Breach Security's booth at Blackhat.

Join the leading minds in web application security for cocktails and appetizers
at the Shadow Bar inside Caesar's Palace.

When: Wednesday, August 6, 7:30 PM – 9:30 PM
Where: Shadow Bar, Caesar's Palace, Las Vegas
RSVP: Visit the Breach Security booth at BlackHat to get your wristband
Contact: egoldberg@breach.com

Sponsored by:
Breach Security