Re: [SC-L] informIT: Building versus Breaking

2011-09-03 Thread Chris Schmidt
On 9/3/2011 11:22 AM, Kevin W. Wall wrote: On Fri, Sep 2, 2011 at 6:19 PM, Chris Schmidt chrisisb...@gmail.com wrote: On Sep 2, 2011, at 10:44 AM, Goertzel, Karen [USA] goertzel_ka...@bah.com wrote: What we need is to start building software that can fight back. Then we could become part

Re: [SC-L] informIT: Building versus Breaking

2011-09-01 Thread Chris Schmidt
I agree on the terminology of whitehat vs. blackhat here Sergio, but in almost every other regard I disagree completely. To design and build proper software and hardware there are a lot of conferences out there, as well as trainings and a huge amount of literature. There are very good books

[SC-L] ESAPI 2.0GA Released!

2011-05-11 Thread Chris Schmidt
Friends, Romans, Countrymen - Lend me your ears! It is my pleasure to announce the official release of ESAPI 2.0GA! This release features some key enhancements over ESAPI 1.4.x including, but not limited to: * Upgrade baseline to use Java5 * Completely redesigned and rewrote

[SC-L] ESAPI Contribs now Live!

2011-05-11 Thread Chris Schmidt
All - In addition to last night's release of ESAPI 2.0GA, I would like to direct your attention to a new section on the ESAPI page on Google Code. ESAPI Contribs http://code.google.com/p/owasp-esapi-java/wiki/esapi_contribs_home Download page for Contribs is located

Re: [SC-L] Question about HIPAA Compliance in application development

2011-04-26 Thread Chris Schmidt
For example, there are HIPAA access control requirements that demand that you only give doctors access to transmit patient data in a minimal way; only transmitting data needed for a diagnosis. Good luck coding that. It's also bad medicine. Sounds like contextual access control to me -

Re: [SC-L] Java DOS

2011-02-15 Thread Chris Schmidt
I would assume just about any app with a shopping cart does. This is of course compounded by libraries like Struts and Spring MVC that autobind your form variables for you. Use a form with a double in it and you're boned. Sent from my iPwn On Feb 14, 2011, at 8:57 AM, Wall, Kevin

Re: [SC-L] [WEB SECURITY] Re: Backdoors in custom software applications

2010-12-23 Thread Chris Schmidt
Jeff Williams did a talk about this at Blackhat last year as well for Java Rootkits. Paper here: http://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf On 12/17/10 8:56 AM, Chris Wysopal cwyso...@veracode.com wrote: Here is a paper that

Re: [SC-L] [Esapi-dev] OWASP CSRFGuard

2010-10-29 Thread Chris Schmidt
My gut feel here is that we gain a lot more by merging the work done here into ESAPI. CSRFGuard is and has been a great project, but as it stands, unmaintained right now (although it is a very simple project, with a very low level of maintenance), it seems to me that a lot of traction and momentum

Re: [SC-L] working on java security help from experts

2010-04-05 Thread Chris Schmidt
, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates -- Chris Schmidt OWASP ESAPI Developer http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API