* Graph Analysis for WebApps: From Nodes to Edges - Simon Roses Femerling
* The OWASP Education Project - Martin Knobloch
* Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking - Matias Madou
* Threat Modeling for Application Designers & Architects - Shay Zalalichin
* Scanstud: Evaluating static analysis tools - Martin Johns
* Office 2.0: Software as a Service, Security on the Sidelines? - John Heasman
* How Data Privacy affects Applications and Databases - Dirk De Maeyer
* The OWASP Anti-Samy project - Jason Li
Wes Brown
Building and Using an Automated Malware Analysis Pipeline
Robert Zigweid
Threat Modeling: Learn to Optimize Your Security Budget
REGISTRATION
Pre-registration for the Conference, Seminars, and Workshops will be increasing in price soon, so register today! Here is our current pricing schedule for ToorCon 11:
change their browsers to these unsafe settings, in order to get their own
products to work.
Given that such a setting could affect ALL controls - not just the ones
from the original vendor who needed it - I think this needs to be factored
into any software developer's threat model.
It would be very informative for someone somewhere to do a study to see
how many browsers are running with such unsafe settings. I wouldn't be
surprised if it's 10% or more.
> PG> No, this is an entirely new level of attack,
> "New level of attack", what makes you believe that?
As I previously stated, unlike Peter I don't consider this a new level of
attack, I'm just a bit surprised that the threat model wasn't examined by
Microsoft a little more closely before they decided to include the gadget
API. Unlike other APIs that Microsoft have released, there was no legacy
requirement to include all of the new functionality highlighted in my paper.
Moreover, irrespective of the design decisions, how did at least 3 Microsoft
gadgets get through SDL without input validation being tested and the
========================================================================
Severity
Users who are serious about securing their data and communication
against a threat model that includes others gaining access to their
machines (either through hardware seizure or multiple user accounts)
should change their passphrases and scrub their disks.
=========================================================================
Affected Versions
fix the vulnerability (no reply received).
. 2008-04-16: Core requests again information concerning Microsoft's
schedule to produce a fix. The advisory publication is rescheduled for
May 12th, 2008.
. 2008-04-25: Vendor informs that they are wrapping up the investigation
and threat model analysis and that fixes will not be included in the
Word Security Bulletin of May. Vendor estimates that it will take a few
months to produce and test a fix for the vulnerability. Vendor promises
an update on May 23rd.
. 2008-04-25: Core sends additional information with low level details
of the vulnerability.
IBWAS and OWASP are currently soliciting training proposals for the OWASP Ibero-American Web Applications Security 2010 Conference (IBWAS'10), which will take place at ISCTE-IUL, Lisboa, Portugal, from November 24 through November 26, 2010.
There will be training courses on November 24, followed by plenary sessions on the 25th and 26th with multiple tracks per day.
We are seeking training proposals on the following topics (in no particular order):
- Application Threat Modeling
- Business Risks with Application Security
- Hands-on Source Code Review
- Metrics for Application Security
- OWASP Tools and Projects
- Privacy Concerns with Applications and Data Storage