LDC 2014


LDC 2014

Bil Corry-3
For those planning to attend LDC this year, I am giving a couple of talks
on security and wanted to see if there is anything in particular that would
be valuable.

It was suggested to me to make one talk about new/interesting/biggest
exploits for 2014.

Other possible topics:

   * OWASP Top 10 - either a repeat of last year, or I can focus on a
couple of them and go deep.

   * Security testing with Burp Proxy - using a browser proxy to test a
webapp for common vulns (XSS, SQLi, CSRF).

   * Clickjacking - go over the attack, the impact, and how to protect
against it.

   * Security Web Headers - discuss CSP, XFO, STS headers and why/when to
use them

   * Cookie security - discuss security issues of cookies, such as domain
scoping, HTTPOnly and SECURE flags, cookie eviction, cookie jar limits,
oversize cookies = DoS, etc.

   * <insert your topic here>


Also, I noticed the morning of October 1 is open, for those arriving a day
sooner.  If it's of interest, we can find a spot to sit and have an open
discussion about security topics or discuss your particular situation.  Or
I can demonstrate using a browser proxy to perform security testing and/or
I can show a rudimentary method to break CAPTCHAs and/or how to manually
de-obfuscate JavaScript.  Anyhow, just a thought to make that morning
interesting.

Replies on- or off-list welcomed.

Thanks,

- Bil
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
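As an added illustration of the "Security Web Headers", "Clickjacking" and "Cookie security" items in the list above (example code written for this page, not from Bil's talks and not Lasso code): a small Python audit of a single HTTP response that flags what a manual proxy review would look for. The one-year HSTS threshold and the finding codes are my assumptions; the two sample responses are constructed, not captured from any real site.

```python
"""Audit one HTTP response for the header and cookie protections named above.

Added example for this page; not code from the thread or from Lasso.
"""
import re

# RFC 6265 section 6.1 minimum storage limits a user agent should provide;
# cookies beyond them may be dropped or evicted, and very large cookies make
# every later request carry oversized headers (the "oversize cookies = DoS" case).
MAX_COOKIE_BYTES = 4096
MAX_COOKIES_PER_DOMAIN = 50
ONE_YEAR = 365 * 24 * 3600   # assumed threshold for a useful HSTS max-age

FRAMING_VALUES = ("DENY", "SAMEORIGIN")   # ALLOW-FROM is not honoured by every browser


def parse_set_cookie(raw):
    """Split one Set-Cookie value into (name, value, {attribute_lower: attribute_value})."""
    parts = [p.strip() for p in raw.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_response(headers, over_https=True):
    """Return a sorted list of finding codes for a list of (name, value) headers.

    Set-Cookie may repeat, so headers are kept as a list rather than a dict.
    """
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    csp = by_name.get("content-security-policy", [""])[0]
    xfo = by_name.get("x-frame-options", [""])[0].strip().upper()
    sts = by_name.get("strict-transport-security", [""])[0]

    # CSP: present, and the script policy not neutered by 'unsafe-inline'.
    if not csp:
        findings.append("no-csp")
    elif re.search(r"(?:script-src|default-src)[^;]*'unsafe-inline'", csp):
        findings.append("csp-unsafe-inline")

    # Clickjacking: need X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    if xfo not in FRAMING_VALUES and "frame-ancestors" not in csp:
        findings.append("no-framing-protection")
    if xfo and xfo not in FRAMING_VALUES:
        findings.append("xfo-bad-value")

    # HSTS: only honoured on an HTTPS response; over plain HTTP browsers ignore it.
    if over_https:
        match = re.search(r"max-age=(\d+)", sts, re.I)
        if not sts:
            findings.append("no-sts")
        elif not match or int(match.group(1)) < ONE_YEAR:
            findings.append("sts-short-max-age")
    elif sts:
        findings.append("sts-over-http")

    # Cookies: HttpOnly/Secure flags, domain scoping, and size/count limits.
    cookies = by_name.get("set-cookie", [])
    if len(cookies) > MAX_COOKIES_PER_DOMAIN:
        findings.append("too-many-cookies")
    for raw in cookies:
        name, _, attrs = parse_set_cookie(raw)
        if "httponly" not in attrs:
            findings.append(f"cookie-no-httponly:{name}")
        if over_https and "secure" not in attrs:
            findings.append(f"cookie-no-secure:{name}")
        if "domain" in attrs:   # a Domain attribute widens the cookie to every subdomain
            findings.append(f"cookie-domain-attr:{name}")
        if len(raw.encode("utf-8")) > MAX_COOKIE_BYTES:
            findings.append(f"cookie-oversize:{name}")
    return sorted(findings)


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/"),
    ("Set-Cookie", "pref=" + "x" * 5000 + "; Path=/; Domain=example.com"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response))
```

The over_https switch matters for two of the checks: Strict-Transport-Security sent on a plain-HTTP response is ignored by browsers, and a missing Secure flag is only a finding when the site is actually served over TLS.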

Re: LDC 2014

Rick Draper-2
Hi Bil

I hope that I can make it - maybe something on using JSONP securely to leverage data exchange between applications

Very best regards

Rick Draper

-------------------------------------
Sent from my iPhone. Please excuse typographical errors & brevity

On 6 Jun 2014, at 7:17 pm, Bil Corry <[hidden email]> wrote:

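An added example (mine, not Rick's and not Lasso code) of the server-side half of "using JSONP securely": the callback name is restricted to a JavaScript identifier path, the body is served as script with content sniffing disabled, and data that depends on the logged-in user is refused, because any page can load a JSONP URL in a <script> tag and read the result. The public flag, the 64-character callback limit and the error messages are assumptions.

```python
"""Serve a JSONP reply without turning the callback parameter into script injection.

Added example for this page; not Rick's code and not Lasso's.
"""
import json
import re

# A callback must be a plain JavaScript identifier path such as "app.onData".
# Anything else (quotes, parentheses, HTML) would let the caller inject script
# into a response that every origin can load with a <script> tag.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64   # assumed limit; real callback names are short


def jsonp_response(data, callback, public=True):
    """Return (status, headers, body) for a JSONP reply.

    public=False means the data depends on who the caller is. A JSONP endpoint
    is readable by any page the user visits, so such data must not be served
    this way on cookie authentication (use CORS, which lets the server decide
    per origin, instead).
    """
    if not public:
        return (403, {"Content-Type": "application/json"},
                json.dumps({"error": "private data is not available via JSONP"}))
    if not callback or len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "application/json"}, json.dumps({"error": "invalid callback"})

    # ensure_ascii escapes U+2028/U+2029 (JS line terminators) and all non-ASCII;
    # escaping "<" as well keeps the body inert if it is ever rendered as HTML.
    payload = json.dumps(data, ensure_ascii=True).replace("<", "\\u003c")
    # The leading comment keeps the first bytes of the body out of the caller's
    # control, so the response cannot be made to start with another file
    # format's magic bytes chosen through the callback name.
    body = "/**/" + callback + "(" + payload + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",   # never reinterpret this as HTML
        "Cache-Control": "no-store",
    }
    return 200, headers, body


if __name__ == "__main__":
    for cb in ("app.onData", "alert(1)//", "<script>"):
        status, _, body = jsonp_response({"ok": True}, cb)
        print(status, body)
```

Anything a JSONP endpoint returns should be treated as world-readable; the allowlist on the callback only stops the endpoint from becoming an XSS sink, it does nothing to restrict who can call it.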

Re: LDC 2014

Brad Lindsay
In reply to this post by Bil Corry-3
I'd love to get a tutorial on security testing - either as part of the
conference or as part of an informal group the morning of Oct. 1st

Brad

Re: LDC 2014

Jonathan Guthrie-3
In reply to this post by Bil Corry-3
Hi Bil, so glad you're coming again this year!

My 2 picks would be these:

On Jun 6, 2014, at 5:17 AM, Bil Corry <[hidden email]> wrote:

>   * Security testing with Burp Proxy - using a browser proxy to test a
> webapp for common vulns (XSS, SQLi, CSRF).
>
>   * Clickjacking - go over the attack, the impact, and how to protect
> against it.

Thanks!
Jono

----------------------------
Jonathan Guthrie
[hidden email]
@iamjono
LassoSoft Inc.
AIM Chatroom: lassochat
