Wednesday, October 3, 2007

SANS Network Security 2007 (Post Conference)

Well, I'm back from Vegas, and I've finally found a few minutes to post. The Securing Critical Web Applications and Web Services class was quite good. Interestingly enough, it wasn't actually a SANS class. Instead, it was taught by Jeff Williams, the founder and CEO of Aspect Security and the current chair of the Open Web Application Security Project (OWASP). Basically, we covered the security vulnerabilities in the OWASP Top Ten list plus some discussion specifically about AJAX and web services. We also used an intentionally very poorly written web application called WebGoat and a proxy tool called WebScarab for some hands-on experience. Both are available for free on the OWASP site. At the very least, I highly recommend that anybody doing web development thoroughly read and understand the vulnerabilities noted on the Top Ten list. It's a little frightening to see what a decent hacker can do and how sophisticated the readily available tools are. For anybody who uses the internet, here's my tip of the year:

Never use tabbed browsing to open any other website at the same time as one that contains any secure information or has the ability to perform transactions that involve anything important like money or your identity. Keep in mind that once you log in to the secure site, pages open in other tabs can send requests to the secure site, and because they are open in the same browser, those requests carry your logged-in session with them. For more information on how this is done, check out the OWASP page on cross-site request forgery. To be even safer, use the profiles feature of Firefox to run under a limited profile with scripts disabled when accessing a highly secure site.
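To show the server side of the cross-site request forgery risk the tip describes, here is an added example that is not from the post, from OWASP, or from WebGoat: a constructed money-transfer handler in its vulnerable form beside a hardened one that requires a session-bound token and checks the Origin header. The site origin, the demo key, the session store and the two requests are all made up for the illustration.

```python
import hashlib
import hmac

# Constructed demo values; a real app keeps the key in config and sessions in
# the framework's store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
SITE_ORIGIN = "https://bank.example"      # assumed origin of the secure site
SESSIONS = {"sess-123": "alice"}            # session cookie value -> user

class Request:
    """Minimal stand-in for an HTTP request."""
    def __init__(self, cookies, form, headers):
        self.cookies, self.form, self.headers = cookies, form, headers

def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session; the site embeds it in its own forms."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def transfer_vulnerable(req: Request):
    """Trusts the session cookie alone: any page that gets the browser to
    POST here while the user is logged in can move money."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, "not logged in"
    return 200, f"{user} sent {req.form['amount']} to {req.form['to']}"

def transfer_hardened(req: Request):
    """Same handler plus a session-bound token and an Origin check."""
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "not logged in"
    # Another site cannot read the token out of this site's pages (same-origin
    # policy), so a forged POST arrives without it. compare_digest is constant-time.
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(issue_csrf_token(sid).encode(), supplied):
        return 403, "missing or invalid CSRF token"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    return 200, f"{user} sent {req.form['amount']} to {req.form['to']}"

# Constructed requests: the browser attaches the session cookie to both, but only
# the genuine form carries the token and the site's own Origin.
FORGED = Request({"session": "sess-123"}, {"to": "mallory", "amount": "1000"},
                 {"Origin": "https://evil.example"})
GENUINE = Request({"session": "sess-123"},
                  {"to": "bob", "amount": "20", "csrf_token": issue_csrf_token("sess-123")},
                  {"Origin": SITE_ORIGIN})
```

Running both handlers on the two requests shows the difference: the vulnerable handler accepts the forged transfer because the cookie alone satisfies it, while the hardened one rejects it and still accepts the genuine form.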

Since we often reference OWASP where I work, it was very interesting to meet and converse with the chair of the project. He was excited to hear about somebody actually making use of their work. As he noted, there must be many people doing the same because the traffic on their site is high. However, he seldom gets the opportunity to meet most users. If anybody is interested in the field, he did mention that Aspect Security is hiring, and it seemed like it would be a good company to work for. Certainly, Jeff knows his stuff and would be a good person in the industry with whom to connect.

That's it for tonight. I'll post again soon and share some tips on things to do in Vegas if you're there for a couple days at a conference.
