<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi Professor,</div><div class=""><br class=""></div><div class="">I joined the "Cyber Security Meet-up @ UBS" on April 15th. (<a href="http://www.meetup.com/OWASP-NYC/events/219884058/" class="">http://www.meetup.com/OWASP-NYC/events/219884058/</a>)</div><div class=""><br class=""></div><div class="">There are totally four sessions:</div><div class="">1. New York Metro Joint Cyber Security Conference</div><div class="">2. Exploiting SAP ASE via SQL injections in database core</div><div class="">2. Teaching the Teachers: Building NextGen Cyber Warriors & Defenders</div><div class="">4. Unifying Appsec Automation Across Dev and Ops with Deep Security Instrumentation</div><div class=""><br class=""></div><div class="">The first session is just an introduction of a organization named OWASP. It seems like a advertisement more or less.</div><div class=""><br class=""></div><div class="">The second session is about SQL injections, which I think is the most useful part. The speaker is Martin Rakhmanov. At first, he talked about what is SQL injection and how it happens. SQL injection is to insert malicious SQL statements into an entry field for execution. If the database system has an improper privilege management, it will be very dangerous. SQL statements, like CREATE and RESTORE, allow users to run in the highest privileges. Martin gave some examples to show how SQL injection worked under a high privilege. He showed us a real SQL injection by a common web application and got full access to the database. At the end, he gave us some suggestions: gave as low as possible privileges to an application, close the useless function and patch on time.</div><div class=""><br class=""></div><div class="">The third session is about a current situation that many teachers and students do not know much about the security. He thought security was a very important thing for the growing of cyber security field and the threats we are facing, and students should take cyber security class in school. What more, they pointed that the companies should help to improve the education of cyber security.</div><div class=""><br class=""></div><div class="">The last session, whose speaker was Jeff Williams, is my favorite part. Jeff gave a serious survey result, that only 10% of the applications had been tested and only 22.4% of them are secure. The speed of security tests is lower than development. And it is complicated because the developer and the security tester are not the same person. Then he introduced two tools, STAT and DAST to check the program security automatically. They are all eclipse plug-ins and very convenient to use. STAT is a static testing tool to find out the vulnerabilities in the source code. And DAST is a dynamic testing tool that check the context while the program is running. As Jeff said, these tools could save a lot of time for developers .</div><div class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br class="Apple-interchange-newline">Best Regards,</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br class=""></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Xiakun Lu</div>
</div>
<br class=""></body></html>