Annual Conference IT Audit & Controls 2009

Conducting workshop and talk ...

W3 Conducting an Enterprise Application Audit DEMO
Date: Monday, 12 October 2009
Time: 9am - 5pm

The focus of this workshop is to analyze applications within an enterprise architecture to discover vulnerabilities. You will learn scanning, auditing and source code review methodologies – all critical tools to enable application analysis. The workshop features real-life cases, demonstrations, scanning tools and defense plans.
This workshop will cover:
• The most common vulnerabilities and proven methodologies for their detection
• Auditing for compliance and standards like PCI-DSS, OWASP Top 10 and CVE/CWE Top 25 errors
• Common programming errors and source-code scanning methodologies
• Conducting an architecture and design audit to ensure security
• Securing SDLC with best practices
• Effective scanning tools and approaches
• Mitigation strategies and frameworks

5 Auditing and Securing Web/Enterprise 2.0 Applications and Architectures
Date: Tuesday, 13 October 2009
Time: 10:30am - 12pm

• Web 2.0 threats, hacks and incidents
• Auditing and assessing the security of Web 2.0 architectures and design
• Web 2.0 vulnerabilities and mitigation
• Discovering JSON-based SQL injections, XML-driven XSS, CSRF 2.0, RSS feed injections, widget exploits, mashup hacks and more
• Auditing Web 2.0 source code and frameworks
• New tools, methodologies and audit strategies for Web 2.0

OWASP - Belgium chapter talk...

It was fun in presenting at OWASP Belgium chapter a week back before kicking the BruCON training on Web 2.0. Presented techniques on Web 2.0 assessments and some demos on scanning RIA and Flex apps.

PDF of presentation - here (http://www.owasp.org/index.php/File:Shreeraj_OWASP_Belgium.pdf)

Talk on - Application Source Code Audit - Why, What and How

Enterprise application source code, independent of languages and platforms, is a major source of vulnerabilities. This talk is designed to focus on enterprise architecture and application analytics to discover vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that in 64% of cases, a vulnerability crops up due to programming errors and in 36% of cases, due to configuration issues. We will be covering analysis and audit techniques, for assessment and review of enterprise application source code. Essentially all three important aspects of the audit will be addresses – Why it is needed, What to do and how to achieve.

Online meet - here (http://www.brighttalk.com/summit/itaudit2)

ScanEx - Scanning for iframe and script Injections and External References (Beta)

This is a simple utility which runs against target site and look for external references and cross domain malicious injections. There are several vulnerable sites which get manipulated with these types of injections and compromised. The site gets registered with stopbadware and other databases as well. This tool helps in doing initial scanning to look from obvious injections. At this point it is looking into iframe and script tags as defined in regex file.

Download

Paper from Blueinfy Labs - Cross Widget DOM Spying

Widgets, Gadgets or Modules are very common and powerful feature of Web 2.0 applications. It converts single loaded page in the browser to multi-threaded application. It allows end user to work on multiple little utilities and windows from one page. Widget framework is supported by various Ajax libraries and lot of code is getting created by developers to allow this feature. Once framework is in place various different users can leverage APIs and libraries to develop their own little widget and deploy on the application domain. Any user of the application can register that widget and start utilizing its feature. This scenario opens up possibility of Cross Widget DOM Spying. This paper is going to describe that scenario and its understanding.

Read here

Web 2.0 Hacking Training at BruCon...

Training Detail ...

Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lot of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies.

The course is designed by the author of "Web Hacking: Attacks and Defense", “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum to address new challenges. Application Hacking 2.0 is hands-on class. The class features real life cases, hands one exercises, new scanning tools and defense mechanisms. Participants would be methodically exposed to various different attack vectors and exploits. In the class instructor will explain new tools like wsScanner, scanweb2.0, AppMap, AppCodeScan etc. for better pen-testing and application audits.

For more details see Web 2.0 Hacking – Attacks and Defense