On 9/3/2011 11:22 AM, Kevin W. Wall wrote:
On Fri, Sep 2, 2011 at 6:19 PM, Chris Schmidt chrisisb...@gmail.com wrote:
On Sep 2, 2011, at 10:44 AM, Goertzel, Karen [USA]
goertzel_ka...@bah.com wrote:
What we need is to start building software that can fight back. Then we
could become part
I agree on the terminology of whitehat vs. blackhat here Sergio, but in
almost every other regard I disagree completely.
To design and build proper software and hardware there are a lot of
conferences out there, as well as trainings and a huge amount of literature.
There are very good books
Friends, Romans, Countrymen - Lend me your ears!
It is my pleasure to announce the official release of ESAPI 2.0GA!
This release features some key enhancements over ESAPI 1.4.x including,
but not limited to:
* Upgrade baseline to use Java5
* Completely redesigned and rewrote
All -
In addition to last night's release of ESAPI 2.0GA, I would like to
direct your attention to a new section on the ESAPI page on Google Code.
ESAPI Contribs
http://code.google.com/p/owasp-esapi-java/wiki/esapi_contribs_home
Download page for Contribs is located
For example, there are HIPAA access control requirements that demand that you
only give doctors access to transmit patient data in a minimal way; only
transmitting data needed for a diagnosis. Good luck coding that. It's also
bad medicine.
Sounds like contextual access control to me -
I would assume just about any app with a shopping cart does. This is of course
compounded by libraries like struts and spring mvc that autobind your form
variables for you. Use a form with a double in it and you're boned.
Sent from my iPwn
On Feb 14, 2011, at 8:57 AM, Wall, Kevin
Jeff Williams did a talk about this at Blackhat last year as well for Java
Rootkits.
Paper here:
http://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf
On 12/17/10 8:56 AM, Chris Wysopal cwyso...@veracode.com wrote:
Here is a paper that
My gut feel here is that we gain a lot more by merging the work done here
into ESAPI. CSRFGuard is and has been a great project, but as it stands
unmaintained right now (although it is a very simple project, with a very
low level of maintenance) it seems to me that a lot of traction and momentum
, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
--
Chris Schmidt
OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API