GVS is now part of Acquia.

Web Application Security in Denver

Greg's picture

Web Application Security is a growing interest for me. Some activities I attended last week seem to show that it's a growing interest in general. Last Wednesday night the OWASP Denver chapter hosted a meeting of about 50 people at Raytheon Polar Services in Southeast Denver. After the free pizza and administrivia, the meat of the presentation was from the two major developers of Grendel Scan.

The Open Web Application Security Project - Denver

As chapter organizer David Campbell said, OWASP could also stand for Owning Web Applications while Sipping Pints. All I can say is that if you're a developer you should go to at least one OWASP meeting. You'll learn enough that you'll be scared - which is the right place to start. Then you can harness that fear and learn enough to be empowered to protect your code. If you're a manager, you need to give your employees time off so they'll go to this.

Then, you should look for tools that can help your developers and QA folks in their work.

Vulnerability Assessments With Grendel Scan

Grendel Scan is a vulnerability assessment tool written by David Byrne and Eric Duprey, employees of TrustWave and Echostar respectively. It is a surprisingly powerful tool given that they've only been working on it for about a year. The 1.0 version will be released at the upcoming DefCon and I think it will instantly become pretty popular. In my initial testing it found weaknesses while providing relatively few false positives. Unfortunately, the version currently

But, as the authors of Grendel stressed several times, scanning tools are just a start. What you really need is a complete end-to-end consciousness of security issues.

HP / SpiDynamics - Live Hacking Workshop

Given that this session was run by a big company, hosted for free in a hotel conference room and included a free breakfast I was quite happily surprised that it was not a sales pitch. David Nester has my respect for that.

The session gave really useful information: first about taking a prioritized "risk management" approach to security and second about some of the basics of security vulnerabilities. He covered SQL Injection, Authentication Weakness, Application Logic weaknesses, Cross Site Scripting, AJAX Weaknesses, Attacking the Host (OS/Network), and User Training.

The presentation was quite practical - nobody can follow the "perfect" path to security. Instead they promote a risk weighted approach so that your efforts are matched to the size of your exposure.

You can view the presentation slides online. They also offer a free SQL Injection scanner - Scrawler.
