March 3rd, 2007 by seba
No, this post is not about iPod security.
I just wanted to share my current iPod favorites. As it is a Nano model with only 2 GB, I have to be picky.
- Arctic Monkeys
- Buena Vista Social Club
- Daan, Deus (Belgian groups)
- The Best of Moby
- Kill Bill soundtrack
- Nine Inch Nails (With Teeth)
- Outkast (The Love Below)
- Queens of the Stone Age (Lullabies to Paralyze)
- Massive Attack (100th Window)
I will be adding the great new album ‘A Weekend in the City’ by Bloc Party. As you see, something for every mood.
Now this post would not be security related if I didn’t point you to the security podcasts that I also listen to regularly:
And recently I found 2 pages on OWASP: Security Podcasts and Reviews of security podcasts.
Enjoy !
Posted in Web Application Security Stories, social | No Comments »
February 22nd, 2007 by seba
I suppose you already know of the dangers of malicious JavaScript and Cross-Site Scripting (XSS), otherwise you wouldn’t read OWASP blogs, would you :-).
What worries me are the next stages. Recently XSS was the attack vector discovered in Google’s popular Desktop Search. One of the tools referenced in the research paper is the XSS proxy tool. This reminded me of the post by PDP on persistent XSS, stating “Persistent XSS is more dangerous since it allows attackers to control exploited clients for longer”.
The idea is that you can infect the victim’s browser with XSS that ‘phones home’ and stays persistent in the victim’s browser. You can expect XSS-based botnets, analogous to their classic Trojan cousins.
Another result of this kind of infection is that it only takes one XSS vulnerability within a popular web site to infect clients for a longer period of time. Even when the XSS is fixed in the web application, browsers can stay infected for longer periods of time. Sounds a lot like the Domain Contamination by Amit Klein, but on the client side!
We should not think that there is no profit to be made with JS Badware: this excellent paper on “Man in the Browser” attacks by Philipp Gühring shows what can be done with infected browsers. You can expect XSS-based attack kits targeting web-banking customers really soon! People do make money with attack kits, as RSA showed recently.
The different stories above sketch a grim picture of where the next battlefield of malware will be: your browser! I am curious how the Anti-Virus companies will provide protection against these new threats. Self-modifying JavaScript (tool kits) will be coming to a browser near you soon!
This is all related to the return of the ‘fat’ client. Your client connection to online web applications is getting incredibly complex. See Ajax, see support for offline functionality in the upcoming Firefox 3, see Adobe’s FLEX and Apollo developments.
Interesting times are ahead of us …
Posted in Blogroll, Web Application Security Stories | No Comments »
February 19th, 2007 by seba
I am realizing that currently the OWASP chapter organization is not very democratic.
Chapter leaders are not elected. Currently you only have to apply for chapter leadership and without much control you’ll be granted OWASP chapter leadership.
This is not necessarily bad, and I have no knowledge of abuse. I do however know that in some countries there are disagreements on how the OWASP chapter activities are organized. Let me know your thoughts on that (on- or offline)?
Nevertheless, I think it would be better to have an OWASP chapter leader (re)election on a regular basis. But how to organize this without creating an administrative hassle?
I have also seen that some countries have OWASP ‘boards’ that organize the chapter meetings. I think this is a good thing: it spreads the workload among different people. If an election were to be organized, a board election is also something to think about.
I hope this will become part of How OWASP Works.
I am looking forward to your comments. Because of the increasing amount of blog comment spamming attempts, you will now have to be registered.
Posted in Chapter Posts | 2 Comments »
January 29th, 2007 by seba
This interesting blog posting strengthened my conviction that we have too narrow-minded a view of the developers that create (web) applications.
If we want to improve the development processes from a security standpoint, it is critical that we first identify the ‘actual’ development process that is going on. This is most often not the view that, e.g., the Project Management Office has of the development efforts.
In the cases where the development process is driven by “geeks”, we have to concentrate our efforts on educating these geeks. This will have a higher pay-off than trying to improve the processes, as these processes will probably only exist on paper.
The security community has to stop thinking that development is still performed with the classical waterfall model. Nowadays a lot of development is done “agile”, with XP-driven development cycles.
Posted in Blogroll, Web Application Security Stories | No Comments »
January 23rd, 2007 by seba
Hi,
Some weeks ago I went to the OWASP meeting in the Netherlands (http://www.owasp.org/index.php/Netherlands). I had an interesting discussion on security techniques within the development cycle with the panel and other invited people.
It was too bad the invitation came rather late and it was just scheduled after the holiday season: I think more people could have been interested in this chapter meeting.
Anyway, the reason for this post is: I helped Bert (NL chapter leader) in starting the chapter and if time permits I go to their chapter meetings as well. I think we have to support each other as much as possible in growing the chapters into active communities.
Of course the Netherlands are not far away from Belgium, but I encourage ‘senior’ chapter leaders to help the newcomers with advice and support. One of the tools you can use is the Chapter Leader Handbook. Other items can also be added to the chapter resources.
But the best way to help them start and sustain is to actively give ideas on topics that were discussed during your own chapter meetings and to post your material on the chapter page and let us know!
regards,
Seba
Posted in Chapter Posts | 1 Comment »
January 6th, 2007 by seba
Upon request by Diniz - good idea! - I have started the OWASP Chapter Leader Handbook. This wiki page should become the source of information for beginning and experienced Chapter Leaders.
Please share your good and bad experiences on this page with the other Chapter Leaders!
Have a good Year!
Posted in Chapter Posts | No Comments »
December 18th, 2006 by seba
Yes, there is some time left besides OWASP.
I’ve been to a Front242 concert last Friday in a re-opened club in Leuven.
This Belgian band is the (grand)father of a lot of electronic music. If you’re into electro check them out!
Now on the OWASP time: I try to organize 4 events per year.
Be prepared to invest up to 8 hours preparation and administration time per OWASP chapter meeting.
It starts with finding speakers / topics. Then you have to organize the place and sponsoring.
Besides posting the meeting on the OWASP web site (including the upcoming events list), I send an invitation mail to the BE chapter mailing list and a personal mail to a broader mailing list. The best timing is about 3 weeks before the chapter meeting, with a reminder one week before the chapter meeting.
After the meeting there is some administration: putting the CISSP attendance sheet and the meeting minutes online.
Regards,
Seba
Posted in Chapter Posts, social | No Comments »
December 15th, 2006 by seba
A member of the PHP security team has left in apparent disgust over the team’s security practices.
http://www.heise-security.co.uk/news/82500
What hope is left to make PHP safer if even PHP security team members are giving up?
An important point is discussed here: should PHP be made secure from the ‘inside’, or must the PHP users develop more securely?
I think the truth is somewhere in between, but it is a long road…
Rgds,
 Seba
Posted in Web Application Security Stories | No Comments »
December 15th, 2006 by seba
I just realized that the results were not presented during the New Year’s drink; we had better things to do than that.
Here are the uploaded results of last year.
regards,
 Seba
Posted in Chapter Posts | No Comments »
December 14th, 2006 by seba
About a year and a half ago I volunteered to start the Belgian OWASP chapter.
I have to say: it made interesting times.
With this blog I want to share the experience and encourage others to start your chapter or aid your current chapter in bringing the OWASP message home.
I just launched the second poll for the OWASP BE chapter with the following questions:
Q1: Do you consider yourself:
a) “New to beginner” on (Web)AppSec topics
b) “Having some knowledge-experience” on (Web)AppSec topics
c) “Advanced to expert” on (Web)AppSec topics
Q2: How many chapter meetings would you like to attend in 2007:
a) 1
b) 2
c) 3
d) 4
Q3: If given some time to prepare a topic, would you consider preparing a session for a chapter meeting:
a) yes
b) no
Q4: What is your opinion of the OWASP events this year?
a) A waste of time
b) Somewhat interesting, but I will not come anymore
c) I liked it, and will maybe come to some chapter meetings next year
d) Great! I would recommend it to everybody implicated or interested in (Web)AppSec
Q5: What would you recommend to make our chapter meetings more interesting for you?
Let’s hope we have lots of responses and good feedback.
The results of last year were published during the New Year’s drink of 2006 and can be found on the chapter page: http://www.owasp.org/index.php/Belgium
Until next time…
Seba
Posted in Chapter Posts | 2 Comments »