In addition to running CGISecurity I also participate heavily in The Web Application Security Consortium and its projects. I sent the following email to The Web Security Mailing List seeking participants for v2 of the WASC Threat Classification document. "I'm sending this email to the list seeking people to contribute towards...
WASC Announcement: 2007 Web Application Security Statistics Published
The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks...
OWASP/WASC Party at Blackhat in Las Vegas
WASC and OWASP are throwing a party this year during Blackhat at the Shadow Bar, which is being sponsored by Breach. This will be the 3rd party at the Shadow Bar, and the 2nd joint WASC/OWASP conference. If you want to chat appsec, this is where everyone in appsec will be.
WASC Beerfest 2008 @ RSA April 9th
Announcement Link: http://jeremiahgrossman.blogspot.com/2008/03/wasc-rsa-meet-up-2008.html
Malware honeypots wait for '08
"An innovative malware honeypot project backed by a leading consortium of IT security experts is preparing to re-launch its global sensor network after Jan. 1 in an effort to dupe more cyber-criminals into handing over information about their latest attack methods. Project link: The Web Application Security Consortium's Distributed Open Proxy...
WASC Script Mapping Project released
Romain Gaucher writes "The Web Application Security Consortium is pleased to announce the first results of the Script Mapping project! At this stage in the project we were able to cover most of the test cases for Internet Explorer 7, Firefox 2 and Safari 3. The results can be found on...
Appsec 2007 Event pictures
The WASC/OWASP event went very well as over 250 showed up. Below are some pictures of the event by a few of the attendees, including Anurag, a WASC officer. I will add some more pictures as they become available, including news stories covering the event. Anurag Picture Link: http://myappsecurity.blogspot.com/2007/11/appsec-2007-pictures-of-breach-party.html Wayne Picture...
WASC meetup on Nov 8
WASC is having a meetup in Silicon Valley in Cupertino California. If you're interested in attending visit the meetup link below and RSVP. These meetings are a good way to find out what WASC (The Web Application Security Consortium) is all about, chat with fellow security people, and drink beer. Meetup...
OWASP & WASC AppSec 2007
"OWASP and WASC have joined forces for this year's AppSec 2007 conference being held at eBay in San Jose, CA on Nov 12-15. A huge concentration of industry leading experts will be in attendance presenting high quality web application security content. AppSec 2007 offers a unique opportunity for security professionals, software...
WASC Announcement: Web Application Security Scanner Evaluation Criteria Call for Participants
The Web Application Security Consortium is pleased to announce a new project "Web Application Security Scanner Evaluation Criteria (WASSEC)". Currently WASC is seeking volunteers from various sections of the community including penetration testers, scanner vendors, security researchers and also end users to contribute to the project. A brief description of...
My experience at blackhat/defcon
Vegas was interesting this year to say the least. For starters I finally got to attend NOT as a vendor which I gotta say was pretty nice. Here are the talks I attended: Intranet Invasion With Anti-DNS Pinning; It's All About The Timing; Tactical Exploitation (Part 1); Dangling Pointer; IsGameOver(), anyone?...
Leaving for blackhat
I'll be leaving for blackhat shortly and site updates will slow down a bit as well as moderation of the web security mailing list. If you're in Vegas and want to chat appsec, be sure to RSVP to the huge OWASP/WASC party, I'll be there with just about every other application...
Announcement: WASC and OWASP Joint Blackhat Vegas Party
This year OWASP and WASC have decided to have a joint party at Blackhat Vegas. I'll be there with many of the other appsec industry people. RSVP if you want to attend!
WASC Announcement: Distributed Open Proxy Honeypot Project Data Released
The Web Application Security Consortium (WASC) is pleased to announce the initial release of data collected by the Distributed Open Proxy Honeypot Project. This first release of information is for data gathered from January - April, 2007. During this timeframe, we had 7 internationally placed honeypot sensors deployed and sending their...
WASC Meetup at JavaOne (San Francisco 2007)
WASC is organizing a Meet-Up during the JavaOne Conference (May 8-11 @ San Francisco Moscone Center). As usual this will be an informal gathering. No agenda, slide-ware, or sponsors. We're expecting maybe 10-20 like minded webappsec people to share some food, drinks, and stimulating conversation. Everyone is welcome and it should...
WASC-Articles: 'The Importance of Application Classification in Secure Application Development'
The Web Application Security Consortium is proud to present 'The Importance of Application Classification in Secure Application Development' by Rohit Sethi. In this article Rohit describes the importance of Application Classification during the secure development process. Article Link: http://www.webappsec.org/projects/articles/041607.shtml
WASC Beerfest in Silicon Valley
Jeremiah Grossman sent this out to the web security mailing list today. "Normally we hold WASC Meet-Ups during large conferences (RSA/ BlackHat) where a lot of web application security people are at same place at the same time. Around the S.F. Bay Area there's enough webappsec people that we no...
WASC Threat Classification Project - Call for Participants
"I'm sending this email to the list seeking people to contribute towards The Threat Classification Version 2.0. Time has passed since the initial TC release, and it's important to keep this widely utilized document up to date. Project Homepage http://www.webappsec.org/projects/threat/ Interested participants can contact 'contact_@_webappsec.org'" Announcement Link: http://www.webappsec.org/lists/websecurity/archive/2007-03/msg00041.html
WASC RSA Meet-up
This year's RSA Conference is being held at the San Francisco Moscone Center [2] (February 5-9) and every year, for the past couple years, we've coordinated an informal WASC Meet-Up. Usually about 20 or so people in the web application security community show up to have some fun sharing...
WASC-Announcement: Capturing and Exploiting Hidden Mail Servers
The Web Application Security Consortium is proud to present 'MX Injection: Capturing and Exploiting Hidden Mail Servers' written by Vicente Aguilera Diaz of Internet Security Auditors. In this article Vicente discusses how an attacker can inject additional commands into an online web mail application communicating with an IMAP/SMTP server. Article Link:...
The Web Application Firewall Evaluation Criteria v1 Released
The Web Application Security Consortium is pleased to announce v1.0 of The Web Application Firewall Evaluation Criteria. WAFEC is a result of a collaboration between web application firewall vendors and independent security professionals to create a comprehensive, vendor-neutral, web application firewall evaluation criteria.


