ESP: Si estáis por Madrid durante los días 10 y 11 de Diciembre no os podéis perder IBWAS09, organizado por OWASP (Capítulos Irlanda, Portugal y España) con una selección de ponentes de lujo! Nosotros estaremos  ¿y tú?

US: If you are in Madrid on 10 and 11 December don’t miss IBWAS09, organized by OWASP (chapters Ireland, Portugal and Spain) with an awesome speaker list! We will be there  ¿and you?

On episode 54 of the OWASP podcast, OWASP chapter head for Germany, Georg Hess and CEO and co-founder of art of defence speaks with Matt Tesauro at the OWASP’s AppSecDC show on the top 10 release candidate 2010 and the impacts it will have on the industry.

Listen here for OWASP insight on the release candidate.

A first release candidate for the OWASP Top 10 2010 was released a while ago. In my view the best enhancement is the new design of document.

As I worked on some short executive summaries for my company, I always struggled how to get a lot of information in the shortest form possible. The new OWASP Top10 PDF design is kind of perfect for this matter.

Document (Download as PDF):

If you consider yourself a well-educated follower of all things info security related, then the Owasp O2 Platform project shouldn’t come as a surprise. If that’s not the case, here is a quick breakdown:

What: A series of Open Source modules that allow you, the tester, to better understand an applications security profile.

Why: It’s a known fact that black-box assessments won’t result in all the possible vulnerabilities being discovered. A hybrid approach is needed, when applicable source code and access is available.This is where O2 comes into the picture. A more detailed explanation can be found here.

Dinis, being the bundle of infosec energy we all know and love, has written a series of blog posts discussing the future of O2, namely:

• Part I – IBM Application Security related tools & “AppScan 2011″
• Part II – Why IBM will ‘solve the problem’
• Part III – Why I said NO to IBM … for now
• Part IV – O2 needs to be Commercially Supported

All good points, albeit it with some fundamental flaws. In Part 1, he talks about a fictional company called AppSEC, which is primarily an IBM shop. The problem here is that whilst IBM is a big company, anyone who’s worked with IBM tools in the past know they often don’t really do the job well. All I need to mutter are the fabled words of ‘Lotus Notes’ to know what a total abortion some of their tools are like. AppSEC, like many new consultancies who cannot afford more senior staff, rely on automated tools like AppScan.

AppScan is ok for catching low-hanging fruit, but it does not replace the experience and knowledge obtained from testing hundreds of applications. I’d query any companies approach to security that relies on any given tool to achieve a full-spread of testing. The rest of the post goes on to mention how the test would flow, including some pretty nifty ideas, albeit it rather impractical ones.

Maybe in 2011 security assessments will look like this, but in 10 years of doing this, i’ve yet to see one that does.

In Part II, he thinks that IBM will solve the problem, which again is something I find rather impossible. Having worked with IBM and some of their more talented employees, this is a distant dream and one I doubt will come true. IBM, like any other large company, has invested in Application Security by purchasing big name products and stamping the IBM badge on them. The basis of their approach is building ’smarter’ technologies. So if that’s the case, why have we been inundated with dump technologies to date?

SQL injection is still a major hassle to anyone on the Internet, as is Cross-Site Scripting. Are we saying that up to now, all developments have been dumb and now all of a sudden IBM have the ability to go smart? What changed?

The final post is about the commercial support of O2, one I do agree with. However, as with any tool that’s developed by a security professional, a massive amount of common sense is missing. The framework is hard to use, the documentation is lacking and the overall support just isn’t there. For any chance of having a company support O2, some drastic work has to be done to make it appealing to people in the industry, and right now it’s not.

Dinis is looking for a company or department which provides the following services:

• Support: 9 to 5 (or 24h), Level 1 and Level 2 support (via email, phone, tweet, online forums and mailing lists)
• Training: provide online and classroom based training to both new and advanced users
• QA: Test new releases of O2
• Documentation
• Security Review of O2 itself
• Build Certified versions of O2 (just like ReddHat)
• Manage source control and user-submitted content
• On Demand customization of O2 Modules
• Professional Services
• Integration Services: building new parsers / plug-ins for consuming & instrument other tools. Adding support to new languages and technologies (ABAP SmallTalk, SQL, COBOL, etc…)
• Bug Fixing of existing O2 Modules
• Development of new O2 Features

All good and great, but something that will require vast am0unts of investment from said company and right now the world’s economy is still reeling from a nasty meltdown and investment isn’t forthcoming.

The problem with this industry is that we love to make things complicated. It’s often like a special badge that shows we can do it, but just because we can doesn’t mean we should. The basic idea behind O2 is brilliant, the execution isn’t. It’s confusing and lacking in so many different areas that i’d hedge a bet and say it’s not attractive to any potential investor as they cannot see what they’d get out of it.

If you want to attract support, here is what I think would help:

1. Tidy up the house. Explain what the tool does in an easy to understand language. Show examples, with diagrams and make sure everyone who has a basic level of IT knowledge understands it.
2. Train a group of core people up who can be evangelists of the project. Having one or two people isn’t enough, it’s just another Open Source project that has a limited future
3. Ease of use. I cannot stress this enough, a tool that is hard to use ISN’T used!

I do see a future for O2 but not until some basic changes have been made to make it more attractive to investors.

Det här är en samling blandade inlägg som jag tyckt varit intressanta och som jag ska använda någon gång.

• Mastering CSS Coding: Getting Started

  En av dom bästa sakerna med internet är alla howtos, saker skrivna av människor som har stor koll vad dom håller på med för att hjälpa dig och mig som inte har en aning. Den här CSS-guiden har för första gången gett mig koll på vad som är vad, bra illustrerad!

• The Food Lab: Perfect Boiled Eggs

  Som en stor fantast av howtos och av kokta ägg måste jag dela med mig av den här utförliga vetenskapliga undersökningen av hur man kokar ägg!

• Doit.im Is a Cross-Platform GTD Task Management App

  Jag letar fortfarande efter en taskmanager som har allt jag önskar. När den här kommer till Android och jag har skaffat mig en android-tvåa ska jag helt klart prova den!

• Säkerhet och Unicode

  OWASP har alltid bra inlägg om säkerhet. Här frågar dom sig om du kan skilja på punkter i domännamn?

• Google Should Make Apple Beg For Maps Navigation

  Google släpper sina bästa applikationer till iPhone och till Android. Med navigation släpper dom för första gången nånting till Android först, ska Apple få tilllgång till det?

• Försvarsunderrättelsedomstolen tar form

  Inte mer än tre ledamöter åt gången varav en har underrättelsebakgrund. Det blir färre att pressa för att få igenom allt. Nu kommer det inte behövas så många beslut för att avlyssna hela svenska folket heller, bara hitta nån misstänkt per län typ. Vem delar du “trafikstråk” med?

• One million giraffes, GO!

  Hur ser din giraff ut?

• Corporate law firm targets whistle-blowers and anonymous commenters

  An advokatfirma som inriktar sig på att hitta dom som försöker vara anonyma på nätet. Sensmoralen är väl att du ska vara väldigt försiktig innan du säger nånting, överhuvudtaget. Med datalagringsdirektiv och FRA-kablar så finns det ju fler ställen som kan råka läcka som dom kommer rikta in sig på!

• Trolltyg, del 6: Trollmi!

  Rasmus skriver alltid så djävla bra. Det finns inte ord för hur mycket jag beundrar det som kommer från den mannens tangentbord. Nätkärlek!

• “Star Ship” Chandelier Boldly Lights Where No Lamp Has Lit Before

  Nånting att hänga ovanför vardagsrumsbordet kanske! Tyckte den var snygg och nördpoängen är hög.

• Inkörsporten

  Det räcker egentligen med att citera en mening ur det här inlägget för att man ska tänka efter: “Nej, anledningen till att illegala droger är en inkörsport är just att de är illegala.”

• ESAPI Python Edition

  Indatavalidering är sexigt. Python är sexigt. Sånt här gör mig upphetsad… typ.

• Inga utländska frimärken på e-posten…

  Kanske inte så konstigt att man inte tycker FRA är ett problem när man låter myndigheters mail gå genom främmande makts kablar. Okrypterat. Sånt här gör mig mörkrädd, har svenska myndigheter inga som helst säkerhetsansvariga. Dom borde få sparken om detta är sant.

• Nytt läge

  HAX skriver lite om sina tankar nere i Bryssel. Inte så mycket om någon enskild politisk fråga just här, men det är den här känslan han har som gör att jag vill bli riksdagskandidat för Piratpartiet. Jag vill känna att jag kan påverka!

• Microsoft pulls Windows 7 tool after GPL violation claims

  Microsoft har programmerare som också tycker att det finns bra saker i GPL-ad kod. Så bra att dom kopierade in det i Windows-verktyg. Aja baja, inte utan att GPLa verktyget!

• Den franska högern prioriterar

  Anais beskriver vilka besparingar som den franska högern vill göra. Mänskliga rättigheter, individers rättigheter och frihet verkar vara saker som ska kosta mindre framöver!

• Den skånska bynazismen

  Diskussionen kring Vellinge i media känns vid tillfällen onyanserad, men jag kommer ihåg när jag bodde i Skåne. Varje gång jag åkte buss, i princip, så höll jag på att bli rent ut sagt förbannd för det satt alltid nått rasistsvin bakom mig och diskuterade negrer och apor. Det finns ett reellt problem med främlingsfientlighet i Skåne och det är inte bara Vellinge som lider av problemet.

• EFF lawyers grin like holy fools, surrounded by a fan of formerly secret government documents

  Varje gång ett dokument som tidigare varit hemligstämplat blir släppt till allmänheten är det en vinst för demokratin. Nuff said.

• Komiker – hör upp!

  Youtube är inget problem, det är gratis marknadsföring. Jag kommer dock inte kolla ett Betnér-klipp på youtube fram tills den 18 Mars då jag ser han på nordanåteatern. Vill inte ha sett nått av det materialet innan.

• No shit sherlock….. Årets DOH! ….

  Om man tror att jorden inte kan vara mer än sex-sju-tusen år kan man kanske inte ha så stor tillit till vetenskap…

Around the Blogosphere…
This week we’ve been on the ground at the OWASP AppSecDC Conference, where the Top 10 Most Critical Web Application Security Risks have been made available as a release candidate.  The new top 10 is about risks, not just vulnerabilities.  Our friend, Jeremiah Grossman shared the OWASP document and posted comments live from the show.  It will be interesting to see how these new risks will impact the industry—such as PCI compliance and the Cloud Security Alliance.  Check out #OWASP for real time commentary.

Dark Reading…
New Security Certification On The Horizon For Cloud Services
Writer, Kelly Jackson Higgins speaks with Jim Reavis, co-founder and executive director of the Cloud Security Alliance about the need for security certification for cloud security service providers.  Some are currently using SAS 70 and ISO 27001, but experts say neither is sufficient for providing potential cloud customers with assurances that the provider has deployed proper security or that their data is sufficiently locked down.  According to Reavis we should expect the industry to move forward with this certificate around the first quarter of 2010.

SearchSecurity.com…
Web Application Vulnerability Assessment Shows Patching Progress
In this article, Robert Westervelt discusses how companies are making progress in Web application security. According to the latest research by WhiteHat Inc., they found a 61% vulnerability resolution rate, which is a slight increase. There is still much work that needs to be done since 64% of websites contain at least one serious vulnerability. WhiteHat is now focusing on figuring out what works for companies that are resolving the most serious vulnerabilities quickly.

Dark Reading…
Cost, Strength Of Security Drive Users Toward SaaS Offerings
Using an excerpt from Dark Reading’s report, “Security Software as a Service: Navigating The New MSSP Landscape”, Charlotte Dunlap investigates the pros and cons of security SaaS and provides tips on choosing the right provider.  She also cites an interesting study conducted by Infonetics Research— 81 percent of respondents said improving the strength of the enterprise’s security is the No. 1 reason for moving to the SaaS model.  Other top reasons cited: cost, time to deploy, and centralized management.   One key point: 82 percent of those surveyed plan to use SaaS offerings to augment, not replace, their existing security deployments.  This is a great overview of businesses’ perceptions of SaaS and their intent to move to the cloud.  For more information on this topic, download Dark Reading’s report here.

SC Magazine…
Vulnerability Assessment Integration with Web Application Firewalls
This article by Jeremiah Grossman discusses how even for proactive organizations, finding and fixing flaws in website code is a complex, time and resource intensive task. He provides a must-have checklist for organizations that includes production-safe scanning, accuracy, a precise reporting format, assessment repeatability, WAF/IDS SSL support and flexible and actionable rules. It would be ideal if a 100 percent secure code was developed, but until then Jeremiah says the integration of website vulnerability assessment and Web application firewalls allow IT security professionals to have control over website security. Having the right solution can noticeably improve how an organization handles and overcomes web vulnerability.

It’s been some time since I’ve written. I’m in the middle of some pretty large life changes. I’m in the middle of divorce proceedings. On top of that, I’m changing jobs.

My employer had been an independent software shop. It was bought by a big financial giant right before I was hired on. Recently, a lot of the old guard management left, leaving the big giant management to fill the void. There has been a large culture shift for our little agile company doing distributed systems work going into a mainframe, brick and mortar style world.

My last project as an employee for them is to produce an internal presentation on PCI compliance and the OWASP Top 10 vulnerabilities and how they apply to our application. There is a wealth of information on security vulnerabilities, that’s for certain! While researching the presentation, I was surprised to learn about the number and quality of the tools that exist for probing applications.

Monday, I’m dipping my toes into the consulting waters for the first time. I’ve taken a gig with a consulting firm I’ve worked with before. I’ll be filling a position at a large network bandwidth provider, writing software to integrate their systems. In theory, it’s a step up, though it can be hard to tell with the different styles of compensation. I’m looking forward to reporting about it in future posts.

What’s up in your world?

30 minutes every week on data security, privacy, and the law…..(plus or minus ten)

On this week’s program:

* Why are web drive-by downloads proliferating like cockroaches?

* Sixty Minutes just covered a data security story. We rate the coverage.

* Our take on this week’s news.

–> Stream This Week’s Show with our Built-In Flash Player:

–> Scroll down to see links and show notes for this week’s show

–> Stream, subscribe or download Episode 78 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

–> A simple way to listen to the show from with stricter firewalls: Listen from Odeo. This site works better if you are behind a more restrictive enterprise firewall.

Please visit our sponsors, and be sure to let them know you heard about them on The Data Security Podcast:

• Vipre Anti-Virus, the complete Antimalware solution by Sunbelt Software. If you TRY the enterprise version, you get the home version for FREE! Go to: http://www.testdrivevipre.com .

• GamaSec Web App Scans: Spots cyber-hazards on your web site, and has advanced zero-day protection. GET YOUR FREE BASIC WEB APP SCAN, plus a special offer just for listeners to The Data Security Podcast. Go here to sign up, and add the offer code: Podcast.

• SonicWall;  Get the super fast UTM firewall that’s rated Five Stars (the Best rating) by Secure Computing Magazine.  Data Clone Labs is the premier SonicWall Medallion Partner for all your security needs.

• DeviceLock; Software that controls, manages and helps encrypt USB drives and other removable media. Get a free trial on their site, and be sure to let them know you heard about them on The Data Security Podcast.

Show Notes for Episode 78 of the Data Security Podcast

* Conversation:  Ira talks with Georg Hess, CEO and Co-Founder, Art of Defence, about network scans versus web application scans. OWASP AppSec DC 2009 takes place this week,  November 10-13th, in Washington, DC. The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Their mission is to make application security visible,  so that people and organizations can make informed decisions about true application security risks.

* Tales From The Dark Web:  Our take on the 60 Minutes segment Sabotaging The System:  Could hackers get into the computer systems that run crucial elements of the world’s infrastructure, such as the power grids, water works or even a nation’s military arsenal? Be sure to watch this video segment with the highest level non-technical boss in your organization. Also, make sure you, and your non-technical boss watch the “Web Extras” from this segment.  One of the stunning parts of the segment was the claim that private companies are more vulnerable because the companies only care about profit. Unlike government networks, which are more secure (uh?).  If that was the case, how can that be squared against the portion of the segment that revealed that the Feds lost 12TB of data from the DOD, DOE, DOC and possible NASA, in 2007? Where was the profit motive that stopped good security in those organizations? Security expert Robert Graham explores this, and other issues, in this posting: Brazil outage NOT caused by hackers.

* From Our Take on The News:  New open-source voting technology – the developer is looking for jurisdictions to try it for free.  Read the Wired account.

* From Our Take on The News:  A technical overview of the newly discovered SSL vulnerabilities and possible mitigation. Ben Laurie has excellent, technical blog postings about the SSL protocol flaw.

* From Our Take on The News:  Voters hate traffic surveillance cameras — proven in three U. S. cities in last week’s elections. (As if we still need proof.) Great coverage of traffic surveillance and related matters in Maryland. (But the topic is universal).

* From The Wrap:  First iPhone worm found, details at F-Secure.  A how-to for changing the SSH default password in your jailbroken iPhone; one uses a computer connected to your iPhone to change the SSH settings.  Note: If you are not using a jailbroken iPhone, you don’t need to make changes to be protected from this particular attack.

Online Security Authority…
Building Security Into Your Organizations Web Applications to Begin With
This post discusses the importance of Web application protection being the chief component in the Web application development process and having it integrated from the ground up. It suggests the essential trick is a modification of attitude and awareness among the company software developers. Security imperfections should be viewed as only another category of application defect. During the entire process of software development, the focus must be on addressing the ever-changing potential for deficiencies, and the perception of new vulnerabilities and exploitation strategies.

CIO…
Six Steps to Pull App Security Back to the Future
Bill Brenner speaks with fellow OWASP member Matt Fisher about some of the key problems with app security today and together they drive in to six different ways to change these. Bill wrote this article in conjunction with the upcoming OWASP show, AppSecDC. This is a great read; provides helpful background information and links to other app security articles.

Dark Reading…
Tech Insight: Managing Vulnerability In The Cloud
Writer, Curt Franklin explores the common issue, how do you manage vulnerabilities in your IT infrastructures when it is in the cloud? Although this is in your provider’s hand, Curt provides readers with some best practices and tips for controlling it.

Perhaps the most commonly discussed web application security issue is Cross-Site Scripting, or XSS.  (While the ‘X’ makes it sound cool, it’s also there to prevent confusion over Cascading Style Sheets, the original CSS.)

The Security Ninja site is doing an overview of various aspects of the OWASP ESAPI toolkit, and the latest post is on output validation — the area of validation and encoding that pertains to preventing XSS attacks.

They take a simple, easy to follow walkthrough approach to common issues in application security while illuminating features of the ESAPI library.

Links:

Security Ninja Post: http://www.securityninja.co.uk/output-validation-using-the-owasp-esapi

OWASP Enterprise Security API (ESAPI): http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Para quem não conseguiu uma “cadeira” na AppSec 2009 e pensou que perderia a conferência se enganou, a conferência terá suas palestras transmitidas pela internet no dia do evento.

Acesse a url e confira: www.camara.gov.br/webcamara

Mais informações: http://www.owasp.org/index.php/AppSec_Brasil_2009_%28pt-br%29

fonte: cisspBR@yahoogroups.com
imagem: http://www.imagebank.com

It’s getting closer to OWASP’s AppSecDC show, Nov 10-13, and this year’s show will feature the announcement of an updated Top 10 web vulnerabilities list for the first time since 2007. This list impacts the entire WebAppSec industry and there are a number of interesting effects anticipated here.

How will these updates impact PCI-DSS which is currently in the process of redefining requirements for a virtualized market? The OWASP Top 10 forms an important part of PCI so any updates are sure to have an impact.

What impact will this have on the Cloud Security Alliance’s (CSA) guidelines for the industry? Again, they factored the Top 10 in predominantly. The CSA is preparing an update of these guidelines before the end of the year. Our Alex Meisel is contributing heavily this time around to the WAF section.

If you’re going and would like to meet up with Art of Defence’s Georg Hess, leave a comment and we’ll get you on his calendar.

Hope to see you in DC!

slide : http://give1get2.sourceforge.net/give1get2/support/docs/Give1Get2_Slides_EN.pdf

pdf : http://give1get2.sourceforge.net/give1get2/support/docs/Give1Get2_Guide_Dev_EN.pdf

The French version is the primary source for all translations.

Problems & Vision:

Creating a world without poverty to enable education, reducing disease and reducing mortality.

The paradigm shift

The existing paradigm solves some problems, so it was accepted in the past. However, at this moment, it does not meet the demand of everyone. So there was a challenge and a demand for change.

I studied the market for existing solutions. Not being satisfied (because if I was happy the issue was already resolved), so I decided to create this software. Because, in my opinion, we must phase out barriers to trade. (ref Treaty establishing the European Community, 1957)

The software “Give1Get2″ is designed to build an alternative trading market to existing financial markets. The software specialised in online fund raising. It facilitates free trade in the international economy. This software was created to meet the financing needs of economic agents in Europe and globally in order to finance, among other things, research, education and innovation.

Principles & Qualities:

– Freedom, Citizenship, Responsibility, Equality, Solidarity,
– Open, rule based, predictable, nondiscriminatory

Objective:

Make a pilot project (functional, no set-up fees, free to use, legal, available (7/7j, 24/24h) and based on a win-win strategy) for an international trading platform from a PSP payment API (Moneybookers) and the FreePay Trading System (FTS) to help raise account balance of participants. (+1 Euro each time)

Directed: The main objective has been achieved.

The software has been tested in real conditions with personal accounts for the 3 possible cases of purchase (less, equal and higher) and in each case, it worked perfectly.

Simple example: when 1 Euro was sent, are received 2 Euros (factor 2: 1 * 2 = 2). The motto “Give 1. Get 2.” was chosen in this way. The starting amount is chosen by the user and may use the system as often as he wants. Example: 1234 Euros sent -> 2468 Euros received.

Target:

Target User: This software is being implemented, primarily targeting users of the PSP used speaking French or English and have minimal skills in finance (Moneybookers saves 9 million customers, according to Moneybookers). The goal is not to limit it to this category but can reach the largest number of users.

Target Developer: Those targeted for downloading and installing the software are programmers (preferably web developer) and / or companies wishing to establish a trading platform.

The platform does not take a percentage of the funds it raises. In this sense, an organization that would use it could be a non-profitable organization.

Revenues

The link to the sponsorship program is here: http://www.moneybookers.com/app/referral.pl

There are over 9 million customers who use Moneybookers (Moneybookers depending). The target population is mainly covered that already included. The affiliate can not take commissions on those already listed. (he did not himself sponsored, implied)

For people who are not registered yet, they can apply directly to the url http://moneybookers.com/: in this case, the partner does not take commission.

Either option, register with the affiliate link (the URL provided in a footnote on the script) in this case, the affiliate will receive commissions on what wins the PSP (up to 30 % and limited to 100 Euros maximum) This is not an additional cost (30-70 division). It is therefore completely transparent to the user.

This incentive, I have put in place to increase the number of my partners on this project. I thought it was legitimate in order to pay the fixed costs (domain name) and variable operating costs (bandwidth, database) of each partner sites.

In addition, each user also has the ability to sponsor others in making requests for payments. I think it’s a fairness.

Interoperability: How do I know if the API electronic purse of a financial institution is compatible with FSX to FreePay?

Financial Institution:

1. It must be able to create an account.

2. Supply: The user can supply his account with different means of payment (check, credit card, bank transfer etc.) and remove.

3. It must have a minimum of funds in its account (balance at least 1 euro). (must also take into account the costs of financial institution)

Optional (but strongly recommended): Approval Financial: The financial institution must be approved by at least one regulator.

Separation of tests and the real: The customer transfers between normal and test client are prohibited.

On the FSX:

1. It must be able to pass an order on the FSX and get on the payment platform. (POST or GET)

2. B2B, B2C, C2B & C2C: Let the payment works in 2 directions (merchant-seller while being accessible client-customer, merchant-customer and customer-merchant), briefly allow P2P. The right of withdrawal depends on the status of persons making the transactions and all, it is defined on the site of PSP.

2a. (optional: but it’s better to do) should be able to enable process automation. (XML)

3. XML: It is necessary that the source site (merchant / FSX) to obtain a trace of the transaction from the payment platform. (xml sent and saved in the database tables in sql)

Existing: What is Moneybookers?

- Moneybookers is a payment service secure online that lets you send and receive money instantly from an e-mail. Opening an account is free, and loading and withdrawal of money is through a credit card (Visa, Mastercard, Diners, American Express, JCB, Delta / Visa Debit and Visa Electron) or by bank transfer.

- Moneybookers is translated into 12 different languages. (English, German, French, Spanish, Italian, Polish, Modern Greek, Romanian, Russian, Turkish, Chinese, Czech)

- Transaction costs are low and the deals can be found in the account history at any time.

- Moneybookers is an issuer of electronic money that allows the merchant (or merchant company) to accept online payments from customers worldwide with no installation fees or monthly fees. (in English: Payment Service Provider)

- Moneybookers Ltd. is a company registered in the Trade Registry of England and Wales under No. 4260907. Headquarters: Welken House, 10-11 Charterhouse Square, London, EC1M 6EH. It is licensed under the laws of the United Kingdom and the European Union and regulated by the Financial Services Authority (FSA), the Financial Services Authority in the United Kingdom.
Source:

• The Official Website of Moneybookers http://moneybookers.com/
• Electronic Commerce (EC Directive) Regulations’ – Legal Notice http://www.moneybookers.com/app/help.pl?s=ecrcpr
• Financial Services Authority of the United Kingdom (FSA) : http://www.fsa.gov.uk/
• Registration Number with Moneybookers FSA: 214225 http://www.fsa.gov.uk/register/firmSearchForm.do
• Financial Services and Markets Act 2000 : http://www.opsi.gov.uk/acts/acts2000/ukpga_20000008_en_1
• The Electronic Commerce (EC Directive) Regulations 2002 http://www.opsi.gov.uk/si/si2002/20022013.htm

Why a relationship with a PSP:

The division of roles: The software can be seen as a plugin that interacts with the main software (financial institution) to bring him a new feature. The software is an open system that sends information to the internal (history) and outside (order).
- The financial institution converts capital into e-money, make payments and make the conversion of checks.
- The software can place orders for payment, exchanging payment orders and can make claims.

Dependence: The software is towards simplicity as compared to the previous version (FreePay), he subtracted the processes needed to manage money. This software saves the cost of initial capital (1 million Euros) for the creation of a financial institution issuing electronic money (in: e-money issuer) within the European Union. (ref: Article 4 paragraph 1 of Directive 2000 46 EC).

Independence: Each organization that sets up the software Give1Get2 is autonomous from other organizations. It is dependent only financial institution which helps to make payments (1 to many relationship).

The trading system is based on a win-win. The trading platform is a place of confrontation in the supply of financial securities and the demand for money under the idea of laissez-faire economics. There are no goods exchanged on the system. It is a zero sum game in terms of the payment platform but not the trading system (1 euro securitized token issued for the initiation, exchange +1 +1 for each party to each transaction). It’s a virtuous circle. There is no entrance fee. It is a system of person to person (P2P) which further allows users to place trades on a payment platform. This was designed so that there is no risk of inverse proportionality. Since there is no order of sale, it may not be a stock market crash. All system users can get rich, but not at the same time. The user can then become, as it makes a trader. (en: Market Operator)

The gain is also adjustable (0 to 100% Sample: 25 euros become real to 100% -> 50 euros securitized). This allows the user to speculate whether or not to do so. This allows the user to transform its capital and more capital represented by shares. (And then convert its shares capital by the sale, eg 50 euros securitized -> 50 euro real). Finally: EUR 25 real -> 50 euro real. This was to be demonstrated.

Economic Explanation: The software is not intended to create inflation.

From what I know, there are two types of inflation:

– Inflation of prices: Higher prices for goods and services during a period of time. (source: Wikipedia) The income increases more slowly as rising commodity prices. → decrease in purchasing power. What is problematic. But what has Give1Get2 is to increase the income of players in the system, thereby increasing purchasing power. There are no services for sale on the platform and use is free. The “products” are selling financial claims payments. The purchase price is determined by the buyers themselves. If they decide to buy more expensive it is to earn more.

– Inflation of the money: When money suffers a global money creation. Money in circulation increases via interest rates. However, the software Give1Get2 not intended to increase the money supply or decrease it. There is no interest rate not in this system. For only the responsibility of banks.

The software allows the movement of money between players.

Financial Explanation:

Consider this example: Bob wants to send 10 cents to EUR Alice via Moneybookers.

Alice to a balance of EUR 10.82. Bob has a balance of EUR 78.19. Bob sending 10 cents to Alice. The balance of Bob becomes 78.09 EUR. The balance goes to Alice 10.92 EUR. This is without counting the cost variables (0.01) and fixed costs (0.29). Ultimately, the balance of Alice is EUR 10.62 at the end of the operation.

We note that the gain (10 cents) is less than the loss (30 cents). Bob was negatively charged (-0.10 EUR, which is normal). Alice was also negatively charged (total EUR -0.20). Thus a lose-lose situation.

For a win-lose, we can establish a minimum quota of money to be set in automatic settings for all purchases through the API. Test: Bob (balance: EUR 78.09), after mature reflection, wants to send Alice to 3 euros (balance: EUR 8.52) via Moneybookers. Bob now has a balance of EUR 75.09. Alice has a balance of approximately EUR 11.12 (8.52 +3.00 -0.10 -0.29).

What we are seeing? Bob was negatively charged (EUR -3.00), while Alice was positively charged (difference +2.60 EUR). This is a win-lose.

Download

The software is based on a policy of transparency and sustainable development. The chosen license is the GNU GPL. It is free software. Thus, it has been made freely available on SourceForge.net to be downloaded and installed on servers online.

* Download the complete solution directly (the most current):

http://give1get2.com/give1get2.zip
http://give1get2.com/give1get2.7z (requires software 7zip)

* Mirror full download (stable):

http://sourceforge.net/projects/give1get2/

* [Moneybookers] Demo in action:

http://www.moneybookers.com/app/help.pl?s=m_gateway_demo
https://www.moneybookers.com/app/test_payment.pl

* [Moneybookers] The documentation for free download:

http://www.moneybookers.com/merchant/en/moneybookers_gateway_manual.pdf
http://www.moneybookers.com/merchant/en/automated_payments_interface_manual.pdf (not needed)

Software Installation

1. Buy a domain name (mytradingplatformsample.com) at a Registrar.

2. Getting accommodation containing enough space (approx 50 MB) and sufficient bandwidth (several Giga) depending on the number of users expected. (and POP3, FTP, and MySQL included)

3. De-compress the files previously downloaded. (as above)

4. Edit the file ’scripts sql tables & champs.sql’: at line 85, replace the email (alice@give1get2.com) and the merchant id (6173206) with your email and your merchant id obtained from moneybookers at the opening of your account. Replace the email as per your email on line 108.

5. Create a database “mocha” (without the double quotes) in your administration panel (usually the URL http://mytradingplatformsample.com/phpmyadmin/)

Create a user and give access rights to the database for reading and writing. (if not already done automatically).

6. Click the SQL tab, paste the data file ’scripts sql tables & champs.sql’ in the textbox and click Run. No error message should appear.

7. Change the default values by those who have been provided by the host in the file ‘params.php’ (without the single quotes) line 31 (host), line 32 (user), line 33 (password), line 34 (database)

8. On the web server, copy and paste the modified source (with default settings) in 7z and zip. Also create a folder /give1get2/. Upload files via FTP (ex FireFTP, a Firefox extension) with the parameters of the host ( ‘params.php’) in the directory previously created.

9. Launch the browser http://mytradingplatformsample.com/give1get2/. The index page should be displayed without an error message. Sources (7z and zip) should be downloadable from a tab ‘literature’ or ‘download’.

10. Suggest your site on search engines (eg http://www.google.com/addurl/?continue=/addurl)

11. Generate an XML sitemap and put it in the root (eg http://www.xml-sitemaps.com/)

12. Optimize your website (eg with Google Webmaster Tools)

Prerequisite:

The only equipment needed is a PC, operating system, Internet connection and web browser.

Designed in XHTML, CSS, JavaScript, PHP and SQL (CRUD). Requires MySQL, phpMyAdmin, POP3 for mail, FTP and a web browser. Has been tested and works with Apache (> = 1.3.33), MySQL (> = 4.1.9), PHP (> = 4.3.10), PhpMyAdmin (> = 2.6.1).

It’s a multitier architecture (data, business logic and presentation). The architecture is based on the project FreePay: http://freepay.fr/freepay.zip To deepen FreePay documentation is available. http://freepay.fr/freepay/nav_telechargement.php?option=documentation

The diagram of treatment processes the merchant side of the financial institution has been copied in an picture in attachment. “moneybookers_payment_gateway_api_details_interaction_diagram.png”

This script is also based on the API documentation “Moneybookers Payment Gateway – Merchant Integration Manual” (in English) – Version: <6.5>. http://www.moneybookers.com/merchant/fr/moneybookers_gateway_manual.pdf (43 pages) A new version may be out on time or you read these lines, which could cause problems.

The script takes into account that the fields by way of simplification. Regarding the optional fields: refer to official documentation.

The ISIN code is used again in this software (ISO 6166). The codification created the ZZ is to make a clear distinction and there have no ambiguity with the countries or territories with securities, according to ISO 3166-1.

The status of a transaction (statements):

2 : Processed
1 : Test // status added, not in the documentation
0 : Pending
-1 : Cancelled
-2 : Failed
-3 : Chargeback

The Stages of development (How)

Vision: The payment module FreePay and all of the modules below are replaced by the external API Moneybookers (financial institution approved by the FSA).

Consequences: The support payment module is outsourced. The project name no longer matches. The meta tags do not correspond. Menus no longer match.

1. Copy FreePay. All necessary modules are not removed unless the FSX. (+ Check that it works)

2. API Implementation Moneybookers (+ check that it works)

3. Mashup of two (Mashup)
creation of specific interface
creation of specific process
creation of the specific database (+ check that it works through a simulator engine of payment)

4. Re-factoring: Optimization Mashup (+ check that it works)

5. Publication on Internet

Architecture

The source code is in French. The source code comments are in French too. Except for the financial standards that are in English. The project is oriented towards internationalization (I18N).

All images are in a specific folder (/images).
All CSS (Stylesheets cascading) are in a specific folder (/style).
All that was attractive to user support is in the /support.
The documentation is in the /support /docs.
Everything concerning the internationalization is in the folder named “services/i18n.

The programming style is procedural: the methods are called in a specific order.

The visible part is composed of the main page of the history and documentation.

Restricting access is done through the sessions for the hidden part (payment process).

As a web project, the human-machine interface is based on an architecture is client/server. And the server to a 3-tier architecture (database, processing, presentation).

The database

It is composed of 4 tables per financial institution: ( “scripts sql tables & champs.sql” at the root)

-2 for the securities (already existing in FSX):

– List of past transactions carried on securities.
– List of securities for sale in their current states.

– 2 orders of payments (the before and after):

– List of past orders in the securities of FSX.
– List of payment orders sent by the API.

It is composed of 2 insertions in the tables corresponding to a title and its history.

The stages of payment for a user in FSX

The user has created and supplied a Moneybookers account. (https://www.moneybookers.com/app/register.pl)

1. The link to the login page is on the first page top right. The connection is with the email and digital identifier (Customer ID) associated with Moneybookers account.
(Visible beneath the menu in the interface Moneybookers). (No password is managed by Moneybookers upon payment to avoid external recovery)

2. The user goes to the purchase page and a ISIN number (defined as the value and benefit if necessary).

The purchase order is saved and accessible via the menu of the same name. It summarizes the status of the transaction (Active / Standby, Fails / Canceled or Finished).

3. According to the parameters ( “params.php”) defined by the administrator, the user is redirected either:
– On the test server (mb_test_payment.php) and valid
– Or Moneybookers ( https://www.moneybookers.com/app/payment.pl)

The redirection is done through a GET (passing all the required parameters). The solution has been chosen is a javascript redirect. (<script type=’text/javascript’>Code</ script>)

4. If the person given the right parameters, it falls just a password. Otherwise, it creates the account.

5. The payment is reversed or validated by the user. Moneybookers transfer money between the parties. Moneybookers sends a return code “HTTP 200″ POST only the status_url previously sent ( “Payment/pay/status_report.php”) and redirects the user to the platform FSX defined above.

– The software uses a coupling data (parameter passing).

if (isset ($ _POST [ 'mb_transaction_id'])) ($mb_transaction_id = $ _POST['mb_transaction_id'];)

– The data are then filtered for security reasons. ( “status_report_filtre.php”) Verifies that all fields are filled, they have the right kind, good length and good data (technical filtering whitelist).

example: checking that the original data (IP) is really from the financial institution to avoid any fraudulent attempt to send play money. (attack type “man in the middle”)

The amount returned by moneybookers be less than the amount indicated in the reservation (due to the taking of commission (fixed and variable) of the payment platform or GET parameters that can be modified en route by the user). The transfer of ownership of securities is based on new figures sent by the API only to avoid these problems.

6. Then, if all criteria are validated then the data are stored in the table of the api. (+ Current date) and displays as required by the file ‘pay_liste.php’ the customer reflected in his eyes when he returns to Give1Get2.

7. continuing process of transferring ownership (the transaction on hold “pending” changes to “done”) with the transaction number recovered by Moneybookers previously sent)

Each sale of title, money is saved in the accounts of the financial institution. In a crisis (such as unavailability of the platform title), the money, it is always available.

8. The user can see his tracks and refresh the page (F5). It can also use the emailling to expedite the payment process, then:
– The seller receives an email notification informing the FSX the transfer of title and the reception of money. (Transmitter + Silver + currency)
– The buyer receives an email notification from the financial institution. (+ Silver + dollar + product code)

9. Disconnecting the trading platform (FSX)

Views:

The architecture views is common FreePay (header and footer together on every page).

Menu: (Home, History of titles, title Buy, Purchase Order (Confirmation is visible if the order was successful) Consult your titles, Contact Us, Documentation)

– The user can see the transaction history.
– The user can buy a ISIN number.
– The user can consult the list of purchase orders and click on the transaction number for details of the transaction (if it succeeded).
– The user can see his tracks.

Compliance with W3C standards: has been validated XHTML 1.0 Transitional and CSS 2.0 in Mozilla Firefox, Internet Explorer and Safari.

Controllers:

These are the same as those of FreePay. PHP and Javascript for the client and server respectively.

Transactions that fail after 1 day were classified as having failed. (status to -2).

Security

The application has been designed and tested CAL9000 (OWASP) to be protected against attacks like Cross Site Scripting (XSS). In the Top 10 vulnerabilities in 2007 by the Open Web Application Security Project (OWASP).

Test and Verify:

The test accounts are opened at the initiative of customers. Funding test are given free Moneybookers.

Pass the following test series: Requires minimum 2 users. (Alice and Bob) Preparation: Note the financial position of existing users: “Balance in Euro” and “Balance of ISIN” for each.

Make a purchase and for 3 cases (less than, equal, higher), check:
– The balance of the buyer (Alice) has he fallen?
– The value of the security of the buyer (Alice) has she grown?
– The balance of the receiver (Bob) has he grown?
– The titles of the receiver (Bob) have decreased?
– The receiver (Bob) as been notified by email?

Next development platform:

FaceBook + Paypal

Legal

I think my system is legal because I am doing research in this direction before putting it free. I believe it is in line with the principles of the European Union. (http://europa.eu/scadplus/european_convention/objectives_en.htm). I joined in the “Support”> “docs” reference documents concerning the legislative, legal and regulatory framework that could be pertinent.

The website of the European Commission is very instructive on this issue. (http://ec.europa.eu/internal_market/top_layer/index_24_en.htm) Category: European Commission> Internal Market> Single Market for Services> Financial Services. I am not completely agree on the choice of this category since the trading platform offers a free service (without compensation) and does not manage money (only confirmation that the money has been transferred).

Fund investments> Alternative investments: there is a Draft Directive on fund managers known as “alternative. The draft guideline can still be changed, and the final version will not necessarily apply to specific cases. http://ec.europa.eu/internal_market/investment/alternative_investments_en.htm

Payment services> E-Money: The trading platform does not change. So, this concerns only the PSP Moneybookers. http://ec.europa.eu/internal_market/payments/emoney/index_en.htm

Payment services> e-Invoicing: PSP is Moneybookers which manages billing (it may disable) Only one copy is kept for archive purposes by the trading platform (or nothing depending on the setting) http://ec.europa.eu/internal_market/payments/einvoicing/index_en.htm

Financial conglomerates: Depending on the size of the trading system Give1Get2 and structure, it can enter or not enter this category. It is the selection of the contractors as opportunities for merger / acquisitions. http://ec.europa.eu/internal_market/financial-conglomerates/index_en.htm

Electronic Business: It depends on what is done by customers in return for money sent. http://ec.europa.eu/internal_market/e-commerce/directive_en.htm

Copyright:

My copyright is protected by the GNU General Public License. http://www.gnu.org/licenses/gpl.html

My creations are protected at European level by Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs. (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31991L0250:EN:HTML)

My designs are protected internationally by the Berne Convention for the Protection of Literary and Artistic Works (currently managed by the World Intellectual Property Organization (WIPO), specialized agency within the UN). (source: http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html)

Disclaimer:

Using this application value of acceptance of the disclaimer as follows: The author assumes no responsibility for any consequences arising from the use of this application.

Script comes with no warranty.

If you have a problem of a financial nature relating to your moneybookers account, please contact Moneybookers customer service.

Bu sayıda bahsedilmiş konular;

• “Açılıma Ayak Uydurmak” yazısında yakın zamanda hayata geçirmeyi planladığımız İngilizce E-Dergi`den,
• “Web Güvenliğine Ses Getirin” yazısında 26 Eylül`de yaptığımız buluşmadan,
• “Django ve Güvenlik” yazısında, Django çatısının güvenlik alt yapısından,
• “X-Forwarded-For HTTP Başlığının Kötüye Kullanımı” yazısında, X-Forwarded-For HTTP başlığının kötüye kullanılmasından
• “Yazılım Güvenliğinde İnsiyatif Alın” yazısında, olgunluk modelleri ve yazılım güvenliğine uygulanmasından,
• “ModSecurity Core Rule Set” yazısında, ModSecurity`nin yeni kuralları ve getirdikleri ve götürdüklerinden,

bunlardır.

http://dergi.webguvenligi.org/

adresinden dergiye olaşabilirsiniz.

Only limited seats are available and the offer will open up on 6th October 2009 and will be valid only till 15th October 2009. Hope to see you gaining the benefits from this promo-campaign.

Detailed event agenda with pricing information and conditions attached to the offer is available at our wiki: http://www.owasp.org/index.php/SecurityByte_and_OWASP_Asia_AppSec_Conference_2009

Despite the goofy name, Security Ninja in the UK — the site’s subtitle is “Security News, Research & Guidance” — has some good resources for application security, and is a solid contribution to the discussion around application security that’s been growing over the last few years.  The primary contributor to the Security Ninja site is a security analyst working with an application called Realex Payments.

At the Security Ninja site they’ve developed 8 secure development principles which include:

1. Input Validation
2. Output Validation
3. Error Handling
4. Authentication and Authorization
5. Session Management
6. Secure Communications
7. Secure Resource Access
8. Secure Storage

While they dive into more detail for each of these topics, they also are posting a series of articles mapping each of these to features of the OWASP Enterprise Security API (ESAPI) project.

You can read the first posting regarding input validation using the OWASP ESAPI here: http://www.securityninja.co.uk/input-validation-using-the-owasp-esapi.

Libraries such as those OWASP provides are great resources; having real-life examples to work with makes them even more useful.  I hope the Security Ninja continues the series, adding to the ongoing development of the AppSec body of knowledge.

Links:

• Security Ninja website & on Twitter
• OWASP ESAPI
• Input validation with the OWASP ESAPI

OWASP Türkiye temsilciliğini de yapan Web Güvenlik Topluluğu‘nun 26 Eylül cumartesi günkü buluşması Beyoğlu’ndaki Turkcell Akademi binasında gerçekleşti. Toplantıda topluluğun genel durumu, bitmiş / devam eden  projeler ve yeni proje teklifleri konuşuldu. E-derginin daha geniş kullanıcı kitlesine ulaştırılması da öne çıkan konulardan biriydi.

SANS firmasının Türkiye’deki mentorlarından İbrahim Saruhan “Sosyal Ağlarda Güvenlik” temalı bir sunum yaptı. Sunumda Facebook ve Twitter gibi iki büyük ağda DDoS ataklarına olanak sağlayabilecek açıklar üzerinde duruldu.

Son olarak Halil Öztürkci ve İbrahim Saruhan, SANS kuruluşunun Türkiye’de ilk kez açacağı “Security 560: Network Penetration Testing and Ethical Hacking” eğitimi hakkında bilgi verdiler. İlgilenenler için detaylı bilgi >>

Sonuç olarak samimi bir havada geçen buluşmanın benim için faydalı geçtiğini düşünüyorum.

I recently read a very interesting article, Tech Insight: XSS Exposed, by Dark Reading’s John Sawyer. He discusses how a cross-site scripting (XSS) attack can steal a user’s credentials, exploit their Web browsers and take action on their behalf without their knowledge. I wanted to add some of my thoughts on this article and share ways users can prevent and protect themselves against these attacks.

As stated in the article, XSS is always caused by missing input validation, the place where hyperguard comes into play. It scans every request (and therefore every user input) for malicious code that wants to be stored or executed. When a user is tricked into clicking a link containing XSS, the request is denied by the distributed web application firewall (dWAF) and the script will not run. Also, the script will not get stored into a database if the dWAF prohibits the request with the data from entering the web application. The problem with persistent XSS is that it is typically done on a prepared site that has bait for the victim, resulting in running malicious code.

The mechanism behind the protection that hyperguard delivers is easy and contains blacklist rules. These patterns know what an XSS looks like and causes the dWAF to deny the request. The second and more secure approach is to whitelist all input in the application. This is more work, but it helps to create a very secure web application, where every user input is validated. XSS attacks can take on many forms so you should never trust input from users.

In John’s article, he mentions OWASP’s XSS Prevention Cheat Sheet, which provides detailed information on when and where encoding should be done. XSS attacks should be taken seriously because they do happen often and can be very costly for businesses. It is important to take the necessary steps to prevent them and learn how to protect yourself if they do occur.

Great article on the 16^th from SearchSOA.com by Rob Barry. He interviews a developer at Mozilla Labs – Joe Walker – about a few of the OWASP Top 10 and how to develop around them. Walker’s focus as a developer is on creating / patching / managing security threats to apps. What’s missing from Barry’s article, however, is the incredible pain this approach causes companies right now.

Refactoring code once it’s in use (particularly WebApps and cloud services) is incredibly expensive, time consuming and difficult. Source code scanners play a role in easing some of this pain, although web application firewalls (WAF’s) are a much more practical fix, AND, linking the scanner software directly with the WAF cuts down the need for application downtime.

If done right, the scanner detects software vulnerabilities and feeds any findings directly into the WAF. For our distributed WAF (dWAF) solution, hyperguard, all security lapses identified by a scanner are immediately presented to the administrator through dynamic ruleset suggestions. Conflicting dWAF rulesets, which may leave holes in web application shielding, are prevented. In plain English, this means that development, testing and deployment of new application security policies can happen in real-time without ever relaxing the established defenses or risking false positives. ‘Patches’ are applied through the dWAF until regular maintenance cycles can be scheduled to refactor the actual application code.

OWASP is combined with NULL Bangalore

19th September 2009

The following talks are scheduled

1. SSL Cipher Ennumeration by Gursev
This is what he will be covering
    # Aim: Enumerate all ciphers suites supported by the web server.
    # Application: Auditing of cipher suites supported by web server.
Testing ciphers supported by web servers is mandatory for various
activities like PCI tests, Penetration testing
       and possibly other compliance issues.
    # Discuss about SSL basics (very basics)
    # Then we dig down and write a quick script using OpenSSL and Ruby
to help achieve the same.

2. Demonstration of a tool – Amit Parekh
3. Demo of the GIFAR attack – Amit Gupta
4. Discussion on security incidents in the past – Led by Gursev //
This may or mayn’t happen depending on the time we have

The talk Practical Aspects of Taking your Application to the Cloud by
Simran Gambhir is postponed till after he recovers from a broken foot.
Get well soon dude!

VENUE DETAILS

    Praxeva India Services Pvt. Ltd, Atrium Business Center, 66/1 2nd
Floor, Coles Road, Frazer Town, Bangalore-560005

Praxeva India Office Location on Google Map -
http://www.praxeva.com/contact_us.html

* End of mosque road there is a CCD, from there, if you look
diagonally opposite (onto coles road), you will see a pizza hut
(approx 100 meters). The office is on the 3rd floor of the pizza
hut building.

I just wanted to make sure everyone remembers to register for this great conference in DC this year.  From their website:

Press Release August 20th 2009 — Speaker Agenda Released and Registration Open!

We are pleased to announce that the OWASP DC chapter will host the OWASP AppSec 2009 conference in Washington, DC. The AppSec DC OWASP Conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

AppSec DC 2009 will be held at the Walter E. Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001) on November 10th through 13th 2009.

Who Should Attend AppSec DC 2009:

• Application Developers
• Application Testers and Quality Assurance
• Application Project Management and Staff
• Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
• Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
• Security Managers and Staff
• Executives, Managers, and Staff Responsible for IT Security Governance
• IT Professionals Interesting in Improving IT Security

Source: http://null.co.in/2009/09/07/null-bangalore-meeting-on-5th-september-2009-an-update/

NEXT MEETING on 19th SEPTEMBER 2009 – 10 AM

The following talks are scheduled

1. Practical Aspects of Taking your Application to the Cloud – Simran Gambhir
2. Discussion on security incidents in the past – Led by Gursev
3. Demonstration of a tool – Amit Parekh

VENUE DETAILS

Venue : Praxeva India Services Pvt. Ltd, Atrium Business Center,
66/1 2nd Floor, Coles Road, Frazer Town, Bangalore-560005

Map Location : http://www.praxeva.com/contact_us.html

* End of mosque road there is a CCD, from there, if you look diagonally
opposite (onto coles road), you will see a pizza hut (approx 100 meters). The
office is on the 3rd floor of the pizza hut building.

I recently read Web security is about scalability, a very interesting post by Jeremiah Grossman of White Hat Security. He discusses the importance of scalability in overcoming today’s Web security challenges. I would like to add some of my thoughts.

It has taken the industry over 10 years to realize that when dealing with Web application vulnerabilities, they must also deal with the scalability issues these applications face. This needs to happen in parallel with normal security testing. As Jeremiah highlights the incredible scaling needed today:

“Consider that there are 240+ million websites, millions more added every month, an unknown number of Intranet Web applications, 17+ million developers, and over one billion people on the Web. Any solution capable of making a real difference must be valued by its potential worldwide impact.”

Testing a web application on a single system (how most are tested before being sent out into the world) without taking into account scalability is costly. Once that application hits it’s performance limit it usually means a redesign and rewrite of core elements to make it more scalable, changing how and what is important to test. Think of the OWASP top 10 on Jeremiah’s scale!

Cluster computing, or cloud computing, presents a remedy to developing, testing and scaling web applications in a much more practical sense.

Flip the coin to protecting the applications once they’re live and in action, and Jeremiah’s scalability point becomes painfully apparent. Web application firewall’s (WAF) are the industry standard for this purpose, however they are predominantly hardware. Hardware doesn’t scale – you have to buy another box. More boxes, more resource drain, less virtualized resources and on and on.

The article Jeremiah references in his post (check here for the white paper), outlines my view of what the market needs from a WAF.