OWASP AppSec 2008 — Analyzing the WHID

The first presentation I saw after the Keynote was Ofer Shezaf, presenting an analysis of recent results in the Web Hacking Incidents Database (WHID), a compilation of publicly disclosed web hacking incidents hosted by the Web Application Security Consortium (WASC). Ofer, who works for Breach Security, discussed the difficulty of measuring the effect and impact of security measures on web security. Documenting actual incidents captures definite risk factors from “real” bad guys, but even so, metrics for web application security are very difficult to assess. Many web compromises other than defacements are stealthy in nature, and many …

OWASP AppSec 2008 Keynote

The keynote for this year was a tag team of various OWASP board members. Tom Brennan played host to the panel, as he was not only on the board but also a local chapter lead and the primary organizer of the conference. Jeff Williams started the keynote by discussing the promise of software and how we are not fulfilling that promise. Currently, Jeff said, the security community is failing. The focus is on penetration testing and exploits rather than on how code is written, and researchers are chasing obscure problems instead of looking at the “big questions” (which are also the hard …