I hosted the OWASP Bay Area Application Security Summit at the Microsoft facility in Mountain View on June 25, 2008. This half-day summit was a great success, as we had excellent speakers, 80-90 participants, and great food / drinks.
I kicked it off with some trends about application security and how hackers continue to have a ball by breaking into sites and stealing important information and transferring funds. Although 75% of attacks come through Web sites, the vast majority of Web sites remain vulnerable, with most corporations, government agencies, and universities frozen in inertia and not taking concrete action to resolve this issue.

Speakers:
The ever-charming Dr. Chenxi Wang, principal analyst with Forrester, gave an excellent talk on Consumerization of Enterprises - a security conundrum. Although not directly related to application security, the presentation offered an interesting insight into how consumer technologies like the iPhone and other Web 2.0 technologies can merge with an enterprise environment. Enterprises want better control, security, compliance and confidentiality, which are often in conflict with the features offered by personal technology such as convenience, flexibility, and personalization. Having one identity for everything is also critical if these two separate segments are to merge. She concluded by saying that we have to fix our security issues first before we can even think about merging these two worlds... in other words, still a long way to go.
She was followed by the bright Ph.D. student from Stanford, Collin Jackson, who talked about some new Cross-Site Request Forgery attacks and defenses. In a CSRF attack, the attacker exploits the trust a site has in the user's credentials, and we are starting to see more of these attacks. Collin talked about a specific login CSRF attack which can trick the user into sharing their login information with the attacker. He talked about three defenses: a secret validation token, referer validation, and a custom HTTP header.
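The three defenses named above, shown as an added example that is not from the talk or from the original post. It implements a secret validation token bound to the session with an HMAC, a referer/origin check, and a custom-header check, and applies them to two constructed requests: a legitimate transfer and the same POST auto-submitted from a foreign page. The server secret, the site origin `https://bank.example`, the session identifiers and the request dictionaries are all constructed for the demo.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

# Constructed values for the demo; a real server loads the secret from
# configuration and knows its own origin from its deployment.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected site


def issue_token(session_id: str) -> str:
    """Secret validation token: HMAC(secret, session id).

    Binding the token to the session means a token obtained for one session
    does not validate against another, and the server needs no token storage.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_token(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_token(session_id), submitted)


def check_referer(headers: dict, strict: bool = True) -> bool:
    """Referer validation: the request must originate from our own origin.

    Origin is preferred when present. Some browsers and proxies strip Referer;
    `strict` decides whether a missing header is rejected. Lenient mode lets
    such requests through and therefore weakens the defense.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return not strict
    got, want = urlparse(source), urlparse(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def check_custom_header(headers: dict) -> bool:
    """Custom HTTP header: a plain cross-site <form> post cannot set
    X-Requested-With, so its presence indicates a request made from script
    that the browser allowed to add headers (same-origin, or past CORS)."""
    return headers.get("X-Requested-With") == "XMLHttpRequest"


def is_state_change_allowed(request: dict) -> bool:
    """Policy for a state-changing endpoint such as a funds transfer.

    `request` is a constructed dict with keys method, headers, form and
    session_id. Safe methods must never change state, so only unsafe methods
    are gated. The token is mandatory for form posts, with the referer check
    as defense in depth; JSON endpoints reachable only from script may rely on
    the custom header plus the referer check instead.
    """
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True
    headers = request["headers"]
    token_ok = check_token(request["session_id"], request["form"].get("csrf_token"))
    if token_ok and check_referer(headers):
        return True
    return bool(request.get("json_api") and check_custom_header(headers) and check_referer(headers))


VICTIM_SESSION = "sess-victim-42"  # constructed session identifier

# Constructed: a legitimate transfer submitted from the site's own form.
LEGIT_REQUEST = {
    "method": "POST",
    "session_id": VICTIM_SESSION,
    "headers": {"Host": "bank.example", "Referer": "https://bank.example/transfer"},
    "form": {"to": "alice", "amount": "10", "csrf_token": issue_token(VICTIM_SESSION)},
}

# Constructed: the same POST auto-submitted from a foreign page. The browser
# attaches the victim's cookies (hence the same session id), but the foreign
# page cannot read the victim's token and carries its own Referer.
FORGED_REQUEST = {
    "method": "POST",
    "session_id": VICTIM_SESSION,
    "headers": {"Host": "bank.example", "Referer": "https://other.example/page.html"},
    "form": {"to": "mallory", "amount": "1000", "csrf_token": issue_token("sess-other-7")},
}

if __name__ == "__main__":
    print("legit allowed:", is_state_change_allowed(LEGIT_REQUEST))    # True
    print("forged allowed:", is_state_change_allowed(FORGED_REQUEST))  # False
```

The same token mechanism covers the login CSRF case from the talk when the token is bound to a pre-login session that the server issues before showing the login form; without such a session the token has nothing to be bound to and the check degenerates to a constant.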
Tom Stracener from Cenzic was next and he talked about Google Gadget Security, or lack thereof. With some very interesting examples, he shared the vulnerabilities in Google Gadgets and how hackers exploit implementation of these Gadgets.
Our final speaker was Neil Daswani from Google who gave a very exciting talk on how cybercriminals steal money using some very detailed examples of XSRF (same as CSRF) and XSSI (Cross-Site Scripting Inclusion). Hackers are certainly getting very creative and very organized.
We ended the evening with a nice Spanish fiesta including wine and beer while networking and brooding about continuous security issues for the millions of Web sites out there. All in all, it was a very productive day with some excellent presentations and intelligent audience participation on the various Web Application Security issues hounding the industry.
These presentations are all available on the OWASP Website: https://www.owasp.org/index.php/Bay_Area_Past_Events

by Mandeep Khera, Mandeep@cenzic.com