A Tale Of Two OWASPS

Dave G. | September 14th, 2007 | Filed Under: Gatherings

It was the best of times, it was the worst of times. I take that back. It was mostly the latter. I had to be out the door by 4:30AM to catch my plane to Chicago. Which would be bad enough under normal conditions, but I just moved to a new apartment, and those noisy kids are keeping me up past 11PM again. To boot, when I get downstairs I realize that the cab strike has begun. Still, capitalism prevailed and a cab pulled over and took me to JFK.

Chicago

I was flying to Chicago for both a meeting and to go to their OWASP meetup. The meeting was hosted at ABN AMRO by Cory Scott (ex-@stake). If I had to guess there were close to thirty people there. Everyone really seemed to know each other. There were two talks:

  1. “Automated Thrash Testing”, Andrew Gironda (“Dre” on our blog). While I am still not 100% clear on what Automated Thrash Testing is, Dre did map a lot of QA processes back to security. I think. I learned a lot about QA processes, but it would have been nice if it focused a little more on security testing. To be fair, my mind was slowly turning into mush thanks to a lack of sleep around the middle of his talk.

  2. “Defeating Information Leak Prevention”, Matasano’s own Eric Monti (this is Eric’s talk from Blackhat). I didn’t get to see all of Eric’s talk at Blackhat, so getting to see the parts that I missed was excellent. Unfortunately, I am biased so I will refrain from commenting on Eric’s talk.

This was followed by drinking. By the time drinking was underway I was only partially conscious. There was a lot of good conversation, ranging from application testing to how one could make their friends fight to the death if you win the lottery. Then I cab it back to the airport where I fall asleep and wake up to a security guard knocking on my door wondering how I overslept a wake-up call and room service. This knock was clearly outlined in the manual under “Is your guest deceased?”.

New York

I catch the next flight back to New York. After two hours of sitting next to the Chicago finalist for the World’s Sexiest bartender contest, I arrive back in New York City. Just in time for day 2 of the New York City Cab Strike. After the world’s longest taxi experience, I arrive at Matasano HQ on Wall St. This gives me just enough time to check email, relay events and head to OWASP New York.

Hosted at the American Stock Exchange, it’s a totally different vibe. Somewhere in the neighborhood of 75 people. Wooden room. Sandwiches. A podium. Sandwiches. A lot more people dressed formally. Sandwiches. Four speakers:

  1. “OWASP update”, Tom Brennan. For better or for worse, OWASP NY/NJ is a lot more connected to OWASP Central. In this case, it meant not listening to Jeff’s message to all of OWASP due to technical difficulties. There was definitely more mention of memberships. Which, as I said before, is a good thing. Tom also ran through some OWASP stats and some questions to engage the audience. The stats weren’t too surprising, but there was a funny moment when the stat on which part of the industry attendees came from was shown and there was zero law enforcement on the list. This is funny because of:

  2. “Hackers…BotNets oh My! Obtain a briefing on the current BotNet investigations etc.”, NYC FBI Cyber Crime Unit. This was a pretty good session. Not surprising is the fact that BotNet authors are getting smarter. Surprising is that international law enforcement co-operation appears to be getting better. Especially Romania <-> USA co-operation. Apparently, getting a wiretap in Romania is unusually fast. I thought I detected a little bit of envy that it was so easy. That look disappeared quickly as several in the audience basically volunteered to hack Romanian BotNet herders. The questions at this point were all about slicing and dicing what would be tolerated by the FBI. This part of the Q&A should have ended with him yelling in an Austrian accent “It’s not a tumoor!”, but he managed to not pull out his gun and rid the world of three heckling pen testers.

  3. “Why today’s vulnerability assessments are failing and a case for industry standardization”, Mark Clancy. This speaker pointed out that it is really difficult to look at the results of a vulnerability assessment and determine the competency of the testers, the severity of the results, the amount of coverage and more. This is a real problem for consumers of penetration testing results (think Enterprises). When you have an F10 organization, the number of vulnerability assessments that have to be reviewed is astonishing. They are often coming from vendors who hired their own penetration testing team. Then they are often edited down by the vendor. There was a great moment where he stopped talking and people started to solution, but then realized that there were no easy answers.

  4. “Stock fluctuation from an unrecognized influence”, Justine Bone-Aitel, Immunity Security. I’m not sure this was an accurate title for the talk, but it’s always good to see the Immunity folks. The best part of the talk was the statistics on Immunity’s zero day. I am so serious when I say they should do an entire talk around their statistics on tracking their zero day.

  5. “Financial Real-Time Threats: Impacting Trading Floor Operations/JBroFuzz: Effective Fuzzing for Network and Web Applications”, Dr. Yiannis Pavlosoglou, Information Risk Management. This session wasn’t as crisp as I would have liked. I think it was an anatomy of an attack combined with this is what a trading floor might look like. The anatomy of an attack part didn’t seem to be particularly convincing. Due to time constraints and technical difficulties, this talk got cut short.

They also went out drinking, but I was out of steam.

What did I learn from this whole lotta OWASP?

There is a lot of regionality to OWASP. The feel at both OWASPs was totally different and both totally appropriate for their locations. While both OWASPs had their differences, thematically they were on target. Most importantly, OWASP members like to go out drinking.

5 Comments so far

  • dre

    September 14th, 2007 2:27 pm

    somebody else do a fp, i don’t want to

    i’m guest blogging over at the website listed in my contact info. look for one soon explaining how i got fp here today (and no it has nothing to do with rss)

  • Scott

    September 14th, 2007 4:22 pm

    Any chance that someone could email me the ILP Presentation? It would even be better if the checklist that was described at blackhat could be sent as well.

    Pretty Please?

  • Cory Scott

    September 14th, 2007 4:37 pm

    You can download the presentation at:

    https://www.owasp.org/index.php/Chicago

    (look under presentation archives)

  • Tom Brennan

    September 19th, 2007 8:18 pm

    Thanks for the comments, it’s nice to have a review to point out the good and the bad ;) you really did miss a great time at the bar in NYC however…

    http://www.owasp.org/index.php/NYNJMetro

    As for Jeff’s video, yes… we had technical diff. with the audio; however, if you want to check it out see: http://www.owasp.org/downloads/OWASP_Day.wmv

    We hope you can continue to travel the world checking out OWASP meetings.. it would be a GOOD THING.

    Finally, if you got MOJO - submit a talk for NYC OWASP or come check out our next event at Verizon on 10/25 for the full day http://www.owasp.org/index.php/NYNJMetro

  • Joseph Concannon

    September 19th, 2007 9:12 pm

    Hi Owasp group,

    NY Metro InfraGard would like to talk. Let’s plan a joint event for 10/25/07.

    I’m reaching out here. So I’ll patiently wait for a reply.

    Got to know before the end of the week. Maybe we can get some traction on “Operation BOT ROAST”.

    How a BOT it? Sry….I couldn’t resist.

    All the best to Tom and crew :):):)

    Joe
