February 24th, 2008 by seba
Kenneth Van Wyk and Bart De Win will be doing presentations during our upcoming chapter meeting on March 4 in Leuven, Belgium.
More details on our BeLux chapter page.
Ken will also be doing a CAcert/Thawte x.509 “signing” event. If you’re using either of these free x.509 certificate services, and are still trying to get the 50 assurance points necessary to have your real name on your certificates, stop by with two forms of government-issued ID (and photocopies, if using Thawte — not necessary for CAcert). Ken’ll be happy to help out with either/both 10 Thawte points or 35 CAcert points. No charge, of course.
Posted in Chapter Posts, Web Application Security Stories
February 3rd, 2008 by seba
Warning: a personal entry on the blog. I’ll be posting some more online in the coming months. Let me know if you appreciate these or not.
I am delighted to say that a previous colleague and personal friend has taken up the challenge to work with me again.
Joel Quinet, part of the Belgium OWASP board, has joined us at Telindus this month.
Posted in Chapter Posts, personal
February 3rd, 2008 by seba
I just sent the call for presentation to a number of mailing lists and will also be sending some targeted mails around.
It is online now.
Don’t hesitate to propose your topic or forward to people you think might be interested.
Posted in Chapter Posts, AppSec EU08
February 3rd, 2008 by seba
Follow-up on the OpenID post last week. Pdp has warned us about CSRF attacks against OpenID functionality:
“I hope that you understand the impact of this issue as it is one of the main things you will see when you deal with OpenID enabled systems. OpenID does make life easier but if you don’t implement the infrastructure properly, you are asking for some serious trouble.”
More information online, recommended reading.
Posted in Web Application Security Stories
January 31st, 2008 by seba
What a coincidence: 2 posts in a row on Yahoo!
It was just a matter of time. It is just impossible to automatically create a CAPTCHA that cannot be beaten by another algorithm.
See the claim by these “security researchers from Russia” online. Anyhow, CAPTCHA can easily be circumvented by the so-called “relay attack,” where you’re relaying the CAPTCHA through a site where you’ve got enough traffic in order to generate a useful number of CAPTCHA solution events on the fly.
Instead of being tricked into the cat and mouse game, alternatives should be considered. Try scenarios without a CAPTCHA, or consider using reCAPTCHA:
“About 60 million CAPTCHAs are solved by humans around the world every day. In each case, roughly ten seconds of human time are being spent. Individually, that’s not a lot of time, but in aggregate these little puzzles consume more than 150,000 hours of work each day. What if we could make positive use of this human effort? reCAPTCHA does exactly that by channeling the effort spent solving CAPTCHAs online into ‘reading’ books.”
Posted in Web Application Security Stories
January 26th, 2008 by seba
Yahoo announced they will support and integrate OpenID. This is a big push forward for the OpenID project.
OpenID eliminates the need for multiple usernames across different websites, simplifying the online experience. Not only does it make life easier, it does increase overall authentication security for the involved web applications.
Let’s hope the other big online players also include this. To get started using an OpenID, get one at e.g. myopenid. Once you have an OpenID, you can use it at a number of sites.
If you have a Blogger account, you can also use your blog’s URL as an OpenID URL.
It’s dead easy: I just created my OpenID URL at Verisign and published my details to the OpenIDDirectory. I did the latter already signing in with Verisign’s OpenID :-).
Posted in Web Application Security Stories
January 24th, 2008 by seba
Hi,
I am doing a yearly chapter survey (see below). I encourage you to do the same: it provides us with valuable feedback in Belgium.
Next time I would love to do it online. Does anybody have experience with http://www.surveymonkey.com/ ? Are there other sites you have done this with?
Our Survey 2007:
In order to make our chapter meetings better I would like to ask you for some feedback and suggestions. Please fill in the 6 questions below; I will summarize the results after February 1st.
Q1: Do you consider yourself:
- “New to beginner” on (Web)AppSec topics
- “Having some knowledge-experience” on (Web)AppSec topics
- “Advanced to expert” on (Web)AppSec topics
Q2: How many chapter meetings would you like to attend in 2008:
- 1
- 2
- 3
- 4
Q3: Will you come to the OWASP AppSec EU conference in Brussels on May 22-23?
- Yes
- No
Q4: If given some time to prepare a topic, would you consider preparing a session for a chapter meeting:
- Yes
- No
Q5: What is your opinion of the OWASP events in 2007?
- A waste of time
- Somewhat interesting, but I will not come anymore
- I liked it, and will maybe come to some chapter meetings in 2008
- Great! I would recommend it to everybody involved or interested in (Web)AppSec
Q6: What would you recommend to make our chapter meetings more interesting for you?
Posted in Chapter Posts
January 21st, 2008 by seba
We are joining forces in Europe
AppSec Eu 08 is working together with the CONFidence 2008 conference in Poland on OWASP topics. People will also get discounts when going to the other conference.
Posted in AppSec EU08
January 21st, 2008 by seba
It is already known for some time, but here I want to make it even more official: the OWASP AppSec Conference is coming to Belgium in May.
More details on http://www.owasp.org/index.php/OWASP_AppSec_Europe_2008_-_Belgium
I will be announcing topics and details in the coming weeks and months.
Hope to see you all there!
Posted in AppSec EU08
June 17th, 2007 by seba
It’s been too long since my last post. In April I started working for Telindus Belgium, taking up the lead for application and content security. Needless to say, the last months were a bit busy.
I have started the Education project http://www.owasp.org/index.php/Education and as this is part of the Spoc007 we need to move forward with it. I am now putting about 2 hours of work into it per week and aim to finish the Spoc007 goals by the end of July.
In fall I will be turning the chapter resources work into an OWASP project to refocus the work of the last years put into chapter progress.
Next post will be sooner…
Posted in Chapter Posts, Education Project