Monday, August 11, 2008

WASSEC Project Leader Change Announcement

As of today, WASSEC (Web Application Security Scanner Evaluation Criteria) has a new project leader: Brian Shura (bshura73_at_gmail_dot_com). The leadership change will help me free up some time to work on other projects.

We've identified an excellent candidate who will take over WASSEC from where I left off. I have already given him an overview of the project, its status and the contributors. I will be helping him in the background initially until he comes up to speed, and will continue to assist him should he need any help from me in the future. His bio is below:

"Brian Shura is in charge of web application security for a large financial institution. He regularly conducts application security assessments using both manual and automated techniques, and has led formal product evaluations of security scanners and web application firewalls.

Prior to his role in application security, Brian spent five years working as a developer on large Internet-facing websites. When not working on web application security initiatives, Brian enjoys badminton, fishing, and hiking the Appalachian Trail."

Wednesday, June 18, 2008

OWASP AppSec India Conference 2008

The OWASP Delhi Chapter is hosting a grand application security event in New Delhi, India. With a lot of executives and business folks also attending the event, it clearly shows the attention web application security is getting in India. I am sure a lot of it could also be because India is one of the major offshore development hubs for US projects, and most of the companies sending projects offshore must have started to ask for secure coding practices. It's a great step forward, as it will not only create awareness as a whole but also mean that the code developed in India will start to get more secure.

OWASP AppSec India Conference 2008
Date: August 20th & 21st 2008
Venue: Hotel Intercontinental EROS,
Nehru Place,
New Delhi, INDIA.

https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008

This is a two-day event: the first day is the conference on “Application Security Trends and Challenges”, and the second day is dedicated to six sessions of multi-track training/workshops covering today’s hot application security topics. We have a great line-up of world-renowned application security experts and gurus who have spoken and presented at the world’s biggest and most prestigious information security conferences, including BlackHat, BlueHat, RSA WorldCon, DefCON, OSCON, ISACA, MISTI, EUSec, AusCERT, ISC2 Secure World and HackInTheBox.

Having your team attend this event can add immediate value to your organization in terms of people, processes and technology. The OWASP AppSec India Conference 2008 is the first ever event focusing on application security trends and challenges, and is the right place to learn application security best practices from the industry experts and gurus in this space.

On the other hand, sponsoring this event proudly showcases your commitment to information security. It enables your clients to identify you as a security-savvy organization that is focused on delivering trustworthy computing in a tangible manner with measurable benefits.

There is an exclusive CxO Power Summit (invitation-only event) on the eve of the first conference day. As a sponsor you will be able to interact with your C-level colleagues and other VIP delegates from the corporate and government sectors, which can help build valuable business relationships.

WASC OWASP Party @ Blackhat

WASC-OWASP Party at Blackhat

Blackhat Vegas is around the corner. Our WASC-OWASP party last year rocked, with around 300 people showing up. There was a huge line outside the Shadow Bar and it was by far the best party at Blackhat last year. If you weren't able to make it last year, do not miss it this time. Get your wristband from Breach's booth at Blackhat.

Join the leading minds in web application security for cocktails and appetizers
at the Shadow Bar inside Caesar's Palace.

When: Wednesday, August 6, 7:30 PM – 9:30 PM
Where: Shadow Bar, Caesar's Palace, Las Vegas
RSVP: Visit the Breach Security booth at BlackHat to get your wristband
Contact: egoldberg@breach.com

Sponsored by:
Breach Security

Tuesday, April 15, 2008

Web Application Security Summit

SANS and WASC have organized a Web Application Security Summit in Vegas.

Web Application Security Summit
Jeremiah Grossman, Summit Chair
with Robert “RSnake” Hansen, Gary McGraw, and Caleb Sima
June 2-3, 2008 • Paris Hotel & Casino • Las Vegas, NV


On June 2-3, various application security practitioners working in enterprises will share the lessons learned from their application security initiatives. Case studies of application security initiatives will be presented and dozens of questions will be answered. In the last few years there has been a huge surge in web application attacks, since around 70% of all web applications had security flaws... and now 80% of new malware is focused on the application layer.

Applications have become the easier attack target. With that change, criminals have added a new security challenge—not only must corporations, schools and governments ensure secure configuration and effective patch management, now they must also ensure the applications they deploy have no security flaws. The WhatWorks in Application Security Summit 2008 brings together the pioneers who have already faced the application security problem. If you are spending, or about to spend, a lot of money and want to make sure the investment actually improves security, these are real users who can tell you what works and what doesn’t.


Agenda


  • Is this a developer problem or a security problem? What is the role of each and how do they work together?
  • What are the primary attack vectors criminals are using to compromise applications and which programming errors account for the vast majority of those attacks?
  • How can we ensure our programmers know the common security flaws and can consistently eliminate them from the code we are deploying? Training? Testing? Hiring? And how can we make sure our outsourced programmers and suppliers also have those skills?
  • How do you architect security into the development lifecycle? How do you implement a layered approach to application security? What is SDLC and is it enough?
  • In addition to the Credit Card Industry (PCI) Standard, what other standards demand improved application security and what do they specifically require?
  • Which application security software tools work best? Do we need a combination of these tools or will one suffice?
    • Black-box: web application scanners
    • White box: code reviewers
    • Application security firewalls
  • How often do the tools create false positives and what are the best practices for dealing with false positives? And much more…


This could be a great place to learn from the experiences of others who have been in the hot seat and have real-world experience and insight into what worked for them, what didn't, and why.

You can get a 10% discount if you register early.
To register, go to https://www.sans.org/registration/register.php?conferenceid=11223 and use the discount code WASC10.

Friday, April 11, 2008

RSA Conference Pictures

RSA Conference 2008 is almost over. As usual there were so many companies showcasing their products and services or in some cases just a little bit of fun like video games, rock climbing, etc.

I personally think there were more companies talking about web application security than last year. We still need some more companies with secure SDLC solutions to come out there. In addition, there were booths from the NSA, US-CERT (DOJ), MITRE, ISSA, ISACA, CERT (Carnegie Mellon), etc.



I got a press pass :)

WASC meetup at RSA - pictures

The WASC meetup at RSA was a huge success. More than 100 people showed up and it was a lot of fun sharing ideas and experiences with our peers. I am posting some of the pictures I took below.



Caleb Sima (HP), Robert Auger (WASC)

Neil Daswani (Google), Robi Papp (Accuvant)

Pool was so much fun.

Dawn Van Hoegaerdan (WhiteHat Security), Jeremiah Grossman, Rachel Miller (Shift Communications)

Dawn, James (SecTheory), Robert Hansen (SecTheory), Rachel Miller

Steve Orin (Intel), Billy Hoffman (HP)

Bryan Sullivan (Microsoft)

Dan (Mozilla), Robert Kelly

Jeff Gall (WhiteHat Security)

Heather Cason (Breach Security), Stephanie Fohn (CEO, WhiteHat Security)

Daniel Herrera and Mitch Poortinga (WhiteHat Security) with James (SecTheory)

Andy Steingruebl (PayPal)

The food was delicious.

Shreeraj Shah (BlueInfy), Nish Bhalla (Security Compass), Rohit Sethi (Security Compass)

Robert Auger (left) and Robert Hansen (right) ganging up on Dan from Mozilla (center). He is still standing strong (as you can tell).

Caleb Sima (HP) with Amit Klein (Trusteer)

Dawn and Rachel with Amit Klein

Dawn and Rachel with Steve Orin



Other posts on WASC Meetup
http://jeremiahgrossman.blogspot.com/2008/04/wasc-meet-up-rsa-2008.html

Saturday, March 22, 2008

Malware installation attempt via phishing

I got this email yesterday and it immediately caught my attention, maybe due to the recent news about malware being installed via legitimate websites. Or maybe because most of the previous phishing attempts were about stealing usernames/passwords. This one is about installing something on the victim's machine (which I am sure is some sort of malware). This might be a shift in approach, and of course it makes a lot of business sense for the bad guys too. Why steal the username/password for one site when you can install a keylogger and get a hell of a lot more information? Moreover, this is also less effort on the part of the phishers, since they don't have to go through the hassle of setting up a phishing site (no matter how automated it has become for them), and the window of attack could be bigger than with the traditional phishing approach.

I think their new motto is "if they are dumb enough to enter their username/password, then they are dumb enough to install malware".

Check out the email below and please be very careful with the link.


From: "Bank of America"
Date: March 22, 2008 5:59:08 AM PDT
To:
Subject: important reminder: digital certificate issued

Dear Bank of America Direct User:
Our records indicate that a new digital certificate has been issued to your Bank of America Direct user ID.
Digital certificates are computer-based records issued to individual user IDs that allow Bank of America Direct to validate your identity and protect your information from unauthorized access. In order to access Bank of America Direct, you must use a valid digital certificate.

Installation Instructions
To install your newly-granted digital certificate, please access the Digital Certificate Pick-Up site at:

http://direct-certs.bankofamerica.com/direct/certpickup.asp?session=971974397406832591921867087087815132658676515377821210267
Actual URL: http://direct-certs.bankofamerica.com.vllrvop.mobi/direct/certpickup.asp?session=971974397406832591921867087087815132658676515377821210267


Please have your Bank of America Direct login information readily available when completing this process.
Should you have any questions regarding this process, please consult your Company Administrator or contact your regional customer support center for further assistance.

Sincerely,
Bank of America Direct Technical Care Center

NOTE: This is an automatically generated communication.
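The trick in the email above is that the visible link ends in bankofamerica.com while the real host is bankofamerica.com.vllrvop.mobi, so a reader (or a filter) that merely looks for the brand string is fooled. The following is an added defender-side check, not code from the original post: it parses the real host out of a link and compares its registrable domain to an allow-list. The allow-list and the "last two labels" rule are assumptions for this example; production code should use the Public Suffix List instead.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example. In a real deployment this comes
# from your brand-protection or mail-filtering configuration.
TRUSTED_DOMAINS = {"bankofamerica.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host, e.g. 'vllrvop.mobi'.

    Deliberate simplification (assumption): real code must consult the
    Public Suffix List so names under 'co.uk' and similar are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    """Hostname actually contacted when the link is followed."""
    return (urlsplit(url).hostname or "").lower()


def naive_looks_trusted(url: str) -> bool:
    """What a hurried reader or a weak filter does: look for the brand
    string anywhere in the URL. This is exactly what the email exploits."""
    return any(d in url for d in TRUSTED_DOMAINS)


def is_trusted_link(url: str) -> bool:
    """Correct check: the registrable domain of the real host must be one
    of the trusted domains. Labels to the right of 'bankofamerica.com.'
    are what actually decide who owns the name."""
    return registrable_domain(host_of(url)) in TRUSTED_DOMAINS


def classify_link(display_text: str, href: str) -> str:
    """Flag a link whose visible text names a trusted host while the href
    resolves elsewhere; otherwise report whether the href is trusted."""
    shown = host_of(display_text) if "://" in display_text else display_text
    if is_trusted_link(href):
        return "ok"
    if registrable_domain(shown) in TRUSTED_DOMAINS:
        return "lookalike: text shows %s but href goes to %s" % (shown, host_of(href))
    return "untrusted host %s" % host_of(href)


# The two hosts quoted in the email above (query string omitted; it does
# not affect the host check).
SHOWN = "http://direct-certs.bankofamerica.com/direct/certpickup.asp"
ACTUAL = "http://direct-certs.bankofamerica.com.vllrvop.mobi/direct/certpickup.asp"
```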


Thursday, March 06, 2008

WASC meetup at RSA


The RSA conference is around the corner and a lot of people from the webappsec field will be coming to the conference. This is a perfect opportunity to meet with your peers. To facilitate that, WASC is organizing a meetup on April 9, 2008, 12pm to 2pm. WhiteHat Security has graciously agreed to sponsor the event. Please click on the image to see a larger version of the invite.

Last year WASC meetup @RSA
http://myappsecurity.blogspot.com/2007/02/today-at-wasc-meetup-quite-lot-of-crowd.html

Thursday, February 21, 2008

Certification for Web Application Security Professional

The Web Application Security Consortium and SANS have partnered to define, train, test and certify individuals. WASC is a leading web application security organization and SANS is a leader in training and certification. Together they have the subject matter expertise and process expertise to make this a huge success.


Why do we need this certification?

As more and more software moves to a Web-based delivery model, modern applications are becoming increasingly sophisticated and vital to business. With online business come a number of new security risks that are exacerbated by immature Web application security programs.

With 9 out of 10 websites having vulnerabilities, the security state of the Web is dire. Due to a lack of options, many people are being hired into the web application security field to take up positions without a solid understanding of the attack techniques and the defense strategies to match. Newcomers are often confused by the complexities involved and want something that will help them think like a hacker, identify attackers' tactics, and thwart their attacks.
The certification will assist future web application security professionals entering the field to get a strong grasp of the requirements and get up to speed with in-depth knowledge of web application security.


What is this certification about?

This certification enables web application security professionals to showcase their skills to potential employers, customers or vendors, and it will assist employers in evaluating the qualifications of candidates. Those certified are required to possess a quality baseline set of skills to be considered web application security professionals.



We are doing a survey of the topics to be covered in the certification. If you have experience in the web application security industry, please spare a few minutes to take part in this survey.


https://www.surveymonkey.com/s.aspx?sm=kuEP2xG3RslU42_2ftRRs1Lg_3d_3d