Anurag Agarwals' Threat Modeling Blog
Author: Anurag Agarwal (http://www.blogger.com/profile/00132226679618654350)
Feed last updated: 2024-03-13

Test your knowledge on Encryption with our latest quiz (2012-10-11)
After a summer of high-profile attacks on encryption, including password, credit card and private user information exposure, new attacks on SSL and just plain lack of encryption altogether on important data, it seems like something as critical as implementing encryption throughout an organization is a difficult and expensive task requiring skilled experts. But with terabytes of information on

Application Security Quiz (2012-06-26)
After speaking with a lot of developers we realized they are looking for a fun, quick way to enhance their knowledge about the secure coding aspects of development. We have put together a series of interactive quizzes which test security professionals' and software developers' secure development awareness while teaching them how to build more secure software. Please find links to the first two

OWASP Top 10 Quiz (2011-07-31)
We recently developed a quiz to help an organization test their developers' knowledge of the OWASP Top 10. I thought it would be a good idea to make it public and let other organizations use it for their development teams as well. This is a very basic quiz, but I do plan to add different levels and more questions to it and bring randomness into the questions as well. I would greatly appreciate any

OWASP threat modeling project (2011-04-13)
We are starting an OWASP threat modeling project to standardize a threat modeling approach which can be used by various companies. During the OWASP Portugal summit I had a very meaningful and positive discussion on this topic and got support from a lot of people in the community. You can find the results of the discussion at the OWASP Threat Modeling project page. If you would like to join

Intellipass - A behavior based password lockout mechanism (2010-08-19)
I am pleased to announce Intellipass (a behavior based password lockout mechanism). Most of the password lockout mechanisms today are static, which means they lock a user out after a certain number of incorrect password attempts. This feature is implemented to prevent brute force attempts against the login functionality. Even though this feature does what it's supposed to, it has its own

Free Hands on Workshop on Web Application Security in New York City (2010-05-06)
Ever wondered how a hacker hacks all these credit cards? Do you think hacking a website is difficult? What are the skills required to hack a website? The ISSA NY Metro chapter is organizing a 3-hour workshop on web application security. This session will show you how easy it is to steal credit card numbers, SSN, etc. by doing a SQL injection attack, or how you can steal passwords, hijack a session

MyAppSecurity - Secure Your Applications (2010-05-05)
As some of you know, I joined WhiteHat Security as Director of Education Services in Dec 2007 to build their training division from scratch. Though it has been a very demanding job, it has been very satisfying too. I enjoyed working with various companies, training their developers and QA professionals and resolving their web application security issues. Through training, I not only

WASSEC Project Leader Change Announcement (2008-08-11)
There is going to be a new project leader (Brian Shura : bshura73_at_gmail_dot_com) for WASSEC (Web Application Security Scanner Evaluation Criteria) as of today. The leadership change will help me free up some time to work on other projects. We've identified an excellent candidate who will take over WASSEC from where I left off. I have already given him an overview of the project, its status and the

OWASP AppSec India Conference 2008 (2008-06-19)
The OWASP Delhi Chapter is hosting a grand application security event in New Delhi, India. With a lot of executives and business folks also attending the event, it clearly shows the attention web application security is getting in India, and I am sure a lot of it could also be because India is one of the major offshore development hubs for US projects and most of these companies sending projects

WASC OWASP Party @ Blackhat (2008-06-19)
WASC-OWASP Party at Blackhat. Blackhat Vegas is around the corner. Our WASC-OWASP party last year rocked with around 300 people showing up. There was a huge line outside the Shadow Bar and it was by far the best party at Blackhat last year. If you weren't able to make it last year, do not miss it this time. Get your wristband from Breach's booth at Blackhat. Join the leading minds in web application

Web Application Security Summit (2008-04-15)
SANS and WASC have organized a Web Application Security Summit in Vegas.
Web Application Security Summit
Jeremiah Grossman, Summit Chair, with Robert "RSnake" Hansen, Gary McGraw, and Caleb Sima
June 2-3, 2008 • Paris Hotel & Casino • Las Vegas, NV
On June 2-3, various application security folks working in the enterprises will share the lessons learned in their application security initiatives.

RSA Conference Pictures (2008-04-11)
RSA Conference 2008 is almost over. As usual there were so many companies showcasing their products and services, or in some cases just a little bit of fun like video games, rock climbing, etc. I personally think there were more companies talking about web application security than last year. We still need some more companies with secure SDLC solutions to come out there. In addition, there were

WASC meetup at RSA - pictures (2008-04-11)
The WASC meetup at RSA was a huge success. More than 100 people showed up and it was a lot of fun sharing ideas and experiences with our peers. I am posting some of the pictures I took below.
Caleb Sima (HP), Robert Auger (WASC)
Neil Daswani (Google), Robi Papp (Accuvant)
Pool was so much fun.
Dawn Van Hoegaerdan (Whitehat Security), Jeremiah Grossman, Rachel Miller (Shift Communications)
Dawn, James(

Malware installation attempt via phishing (2008-03-22)
I got this email yesterday and it immediately caught my attention, maybe due to the recent news about malware being installed via legitimate websites. Or maybe because most of the previous phishing attempts were about stealing usernames/passwords. This one is about installing something on the victim's machine (which I am sure is some sort of malware). This might be a shift in the approach and of course it makes a

WASC meetup at RSA (2008-03-06)
The RSA conference is around the corner and a lot of people from the webappsec field will be coming over to the conference. This is a perfect opportunity to meet with your peers. To facilitate that, WASC is organizing a meetup on April 9, 2008, 12pm to 2pm. Whitehat Security has graciously accepted to sponsor the event. Please click on the image to see a larger version of the invite. Last year WASC

Certification for Web Application Security Professional (2008-02-21)
The Web Application Security Consortium and SANS have partnered to define, train, test and certify individuals. WASC is a leading web application security organization and SANS is a leader in training and certification. Together they have the subject matter expertise and process expertise to make this a huge success. Why do we need this certification? As more and more software is moving to

New IRS Scam via SMS messages (2008-01-29)
I got a text message today which said:
From: TAX@internalrefunding.com
------Message-----
Subject: NOTICE
You have .30 IRS UNITS pending for refunding, complete the form using www.internalrefunding.com ASAP
My first reaction was "What the f***", but then I started thinking "Could it be the IRS?", and if yes, then "Why send an SMS?" Then my paranoid mind started working, and even though I haven't heard of a scam

IETF starts working on security requirements for HTTP (2008-01-23)
Andre sent me a link to "Security Requirements for HTTP". It is exciting to see that at least the security issues of the HTTP protocol are being addressed by the IETF. This is a first draft; they are starting to identify the problems and will address them in the final part of this document.
http://www.ietf.org/internet-drafts/draft-ietf-httpbis-security-properties-00.txt
Recent IESG practice dictates that IETF

Do you have to fix XSS vulns to be PCI Compliant? ScanAlert Says No (2008-01-21)
I was reading Jeremiah's blog about ScanAlert's response: ScanAlert - XSS is not our problem. I had blogged earlier about Should ScanAlert be revoked of their PCI Scanning abilities? The interesting thing here is that if Hacker Safe is not detecting XSS attacks, I can bet they would not be detecting SQL injection attacks either. So, what part of web application attacks are they trying to detect

The Fortification Movie (2008-01-21)
Last week I went to see the documentary by Fortify on "The new face of Cybercrime". I went there thinking that it would be something that shows what cybercrime is all about and how bad guys are breaking into websites to steal credit card numbers, SSN, etc. and selling it on the black market to make money. Basically a visual representation of what we deal with, day in, day out. But it turned out

Calling all web hacks of 2007 (2008-01-08)
Jeremiah Grossman is trying to gather all the neat research behind the web hacks of 2007. "The hardest part is collecting a rather complete list of references to vote on, they're all over the place, so that's the reason for this post. Below is what I've gathered so far, and if you know of others, please comment them in with the title and link and I'll add them. In the next few days the list will be

Should ScanAlert be revoked of their PCI Scanning abilities? (2008-01-07)
I was passed this link today about "Hacker Safe Website gets hit by Hacker". For those who don't know, Hacker Safe is a service provided by ScanAlert (which is set to be acquired by McAfee). I am not going to go into the details of how safe the sites displaying the "Hacker Safe" logo are. I don't even want to go into the details of what level of scanning services are provided by ScanAlert

AppSec 2007 pictures of breach party (2007-11-19)
The OWASP and WASC AppSec Conference is over and it was by far the best conference I have ever been to. I was able to meet up with so many fantastic people, some of whom I have exchanged emails with before, and it was good to see them in person. The conference topics and the presentations were really good. It was also my first time moderating a panel and it was a great experience. With such a sensitive

Who are the real culprits for PCI compliance? (2007-11-07)
There was an article in SearchSecurity today on the TJX issue.
Don't blame PCI DSS for TJX troubles, IT pros say
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1280854,00.html?track=sy160&asrc=RSS_RSS-10_160
Here is an excerpt from the article:
The auditor said TJX passed a PCI DSS check-up, but that the auditor failed to notice some key problems. "They had no network monitoring

Panel discussion on Website Vulnerability Disclosure during AppSec Conference on Nov 15 (2007-11-05)
As most of you know, the OWASP-WASC AppSec Conference is being held at eBay between Nov 12 and Nov 15, including the training sessions. There are very many exciting topics to look forward to in the conference, and not to forget the vendor parties at the end of the day. One of the things I am excited about is the panel discussion on Website Vulnerability Disclosure (which I will be moderating). We have some