SANS has just opened a survey to understand more about the challenges and risks that companies are facing in application security, and what tools and practices people have found are most effective in managing appsec problems.
Please follow this link and take 5-10 minutes to answer the survey questions:
Help shape the future of application security practices and technologies and also enter to win a $300 American Express gift card, which will be awarded to one lucky winner!
Sponsored by NT OBJECTives, Qualys, Whitehat Security and Veracode, this survey will remain online until November 7, 2012. Results will be published at http://www.sans.org/info/113477 on December 13, 2012, during a related
Here are some recent appsec webcasts for your viewing pleasure:
- Web Application Threats: Combining XSS and CSRF to own the world!
Kevin Johnson covers Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). Specifically, "how they can be used to exploit users and applications, how to find them and what their combined power can accomplish."
- Innovation in Application Security: Application Risk Management
John Sapp discusses "business critical application security trends and the need for comprehensive approaches to secure software development" including coverage of what "application attacks are most prevalent now, the importance of the secure development lifecycle (SDL), and cost-effective methods to implement a program-level commitment to
We have three cool webcasts lined up next week:
1) SQL Injection for the Penetration Tester on April 27
Eric Conrad will kick off the week of webcasts with something every penetration tester should know about. "Both normal and blind SQL attacks will be described, including reading and altering databases, creating local files, and gaining command shell access to the database server."
2) Defending Web Applications: Going back to First Principles on April 28
In this talk Johannes and Jason "will outline current attacks against web applications, why they evade detection by network defenses and how to build defensible applications by going back to simple defensive principles. Each of the attacks will be illustrated from a defensive as well as offensive point of view showing the
Felipe Moreno will be giving a webcast on Groundspeed, a Firefox add-on that allows penetration testers to manipulate the interface of web applications in order to adapt it to penetration test needs, removing the annoying client-side limitations and making the test more efficient.
"Not much has changed since the beginning of web application penetration testing in terms of process for performing manual input validation tests. Place a client proxy between the browser and the application, generate requests, intercept them and modify the HTTP parameters. It's true that we have seen some nice improvements at the client proxy level (compare the old Achilles to the last version of the Burp suite), but the general approach still remains the same. This webcast will propose a new way to look at input data and a new approach to manually test
Kevin Johnson will be giving a cool webcast called "Social Zombies" where he "explores the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sowed today, this presentation will examine the risks and then present tools that can be used to exploit these issues. We discuss how social networks work and the various privacy and security concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests."
Sign up here!