[TriLUG] Web Security and OWASP
Steve Pinkham
steve.pinkham at gmail.com
Sat Mar 13 22:46:53 EST 2010
Thanks again to Michael for the talk. I think he did a great job
covering complex issues in a short timespan.
If you want to dig in deeper to web security, I recommend highly
http://owasp.org.
Some of their most useful resources are listed in the blue box near the
top of the page. The ASVS (software security lifecycle), ESAPI (security
libraries), OWASP Top 10 (list of common flaws, with simple explanations
and links to more information) and their developer and code review
guides are probably the most useful for the development side. The
amount of other resources they have is huge.
The XSS Prevention Cheat Sheet
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
and SQL injection Cheat Sheet
http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
are the absolute minimum you need to know to effectively block those
attacks.
Also, I mentioned the local OWASP-NC chapter
http://www.owasp.org/index.php/Raleigh
http://www.meetup.com/owaspnc/
but forgot to mention the most important part... There is usually free
beer for attendees provided by the chapter leader, though you're
encouraged to bring your own to share, especially if you're picky. ;-)
Hope to see some of you there, and hope you had fun clicking on all my
email links. They're not malicious, I swear. ;-)
One more link: I run a project with web security testing tools,
vulnerable targets and documentation preconfigured on a virtual machine
called Web Security Dojo. You can find it at
http://dojo.mavensecurity.com if you're interested. It includes some
getting started information, though we're working on more.
My expertise is in the attack side of web security, so I'd be happy to
field any further questions people have about that.
--
| Steven Pinkham, Security Researcher |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
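Added example, not part of Steve's message, OWASP's cheat sheets, or the Web Security Dojo project: the two defenses the linked XSS and SQL injection cheat sheets boil down to, shown in runnable Python with the standard library only. The user table and names are constructed sample data; the function names are the example's own. The vulnerable lookup is kept beside the parameterized one so the difference in behaviour on an ordinary apostrophe is visible.

```python
import html
import sqlite3
from urllib.parse import quote

# Constructed sample rows for an in-memory SQLite table (not real data).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the untrusted value is spliced into the SQL text,
    so the database parses it as part of the statement."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value travels as a bound parameter and is
    never interpreted as SQL, whatever characters it contains."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def unsafe_query_breaks_on(name: str) -> bool:
    """True if the string-spliced query cannot even be parsed for this input;
    a syntax error on plain data is the symptom that the input reached the
    SQL parser, which is exactly what parameterization prevents."""
    try:
        lookup_email_unsafe(make_db(), name)
        return False
    except sqlite3.OperationalError:
        return True


def render_greeting(name: str) -> str:
    """XSS defense: encode for the context the data lands in. html.escape
    covers the HTML body and quoted-attribute contexts (quote=True also
    escapes the double and single quote characters)."""
    safe = html.escape(name, quote=True)
    return '<p title="%s">Hello, %s</p>' % (safe, safe)


def render_profile_link(name: str) -> str:
    """A value placed in a URL path segment needs URL encoding first; the
    finished URL is then attribute-encoded like any other attribute value."""
    url = "/users/" + quote(name, safe="")
    return '<a href="%s">profile</a>' % html.escape(url, quote=True)


if __name__ == "__main__":
    db = make_db()
    print(lookup_email_safe(db, "alice"))
    print(lookup_email_safe(db, "O'Brien"))    # apostrophe is just data here
    print(unsafe_query_breaks_on("O'Brien"))    # the same apostrophe hit the SQL parser
    print(render_greeting("<b>Ann</b>"))
    print(render_profile_link("ann smith?x=1"))
```

The point of the pair of lookups is that the safe version needs no input filtering at all: the name "O'Brien" is a perfectly valid value, and only the string-spliced query chokes on it. The two render functions make the same point for XSS, where the encoding depends on whether the value ends up in HTML text, an attribute, or a URL.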