[cs615asa] OWASP NY/NJ Chapter Meeting (Meetup Summary)

Josh Dolisca jdolisca at stevens.edu
Mon May 1 18:15:26 EDT 2017


Hello All,

The meetup I decided to participate in was the April 2017 OWASP NY/NJ
Chapter Meeting in Rockaway, NJ.

OWASP (Open Web Application Security Project) is a not-for-profit
charitable organization whose focus is improving the security of software.
Their mission is to make security concerns and best practices available
to all individuals and organizations, whether big or small. They have
chapters all over the world and many active users who collaborate on
hundreds of different projects. Participation in these projects is open to
the public, and all their publications and projects are available to all under a
free and open software license. More information on the organization can be
found on their website, which is included under the sources section.

The chapter meeting discussion centered around 4 main topics: turbo talks
on new findings around vulnerabilities, bringing awareness of security and
hacking to non-profit organizations, a talk on credential disclosure
vulnerabilities and HTTP POST DoS webserver attacks, and the OWASP Top 10
RCL for 2017 which revolves around the top 10 most critical web application
security risks.

The turbo talk for this meeting was about a vulnerability in Netgear
switches that essentially allowed anyone with a specific URL to reset
the password of the switch. This opened the floor to two-factor
authentication.

The non-profit awareness talk was about a service that OWASP is trying to
kick off. They would like to essentially analyze where these small
organizations have vulnerabilities and make them aware of the risk they are
at. It is up to the organization to do what they want with this
information, but there are a suite of products that are offered that can
help cover a wide variety of risks. This led to a discussion of whether
people would be up for this, because in some instances ignorance is bliss. If
an issue comes up and they knew about it, it would be more detrimental than
if they were not aware.

The third topic of the meeting was a discussion of best
practices for authentication error messages. We talked about how you
can actually determine whether a user exists if the authentication error
message differs between failed usernames and failed passwords. Programs
were displayed that can take advantage of this, and using regex we can
brute force a password and log in. We then branched off to HTTP POST
attacks that cause denial of service (DoS). The discussion was about how to
prevent this from occurring.

The last talk was the OWASP Top 10 RCL. This was primarily brought up to
discuss whether some of the items on the list were actually vulnerabilities
or underrated standards. This Top 10 is reviewed throughout the year to
ensure the vulnerabilities listed are as little disputed as possible. The
link to the OWASP Top 10 page is listed below.

I chose this meetup primarily due to location and the broad scope that
security plays in the role of a sysadmin. This is a group whose mission is
to assist in making security vulnerabilities known to everyone. On top of
your own due diligence, it is nice to know that there are more sets of eyes
looking at the integrity of many viable applications. Their work can help
shape the standards of software infrastructure for any given company.
Certain applications, whether it’s web, network, or backup, can be chosen
based on the risks their vulnerabilities present which will shape how you
build and maintain your systems. Bringing your own knowledge to the table
to enlighten others on your own findings is also part of the ethical
responsibility of a sysadmin. It is also interesting to see how many
different industries the members come from. Adding the fact that anyone can
join any of the projects they have running, it makes a great community to
be a part of.

Thank you for taking the time to read my long-winded email.

Related links:

OWASP Home Page: https://www.owasp.org/index.php/Main_Page

Meetup Agenda: https://www.meetup.com/owaspnycnj/events/236948534/

Top 10 RCL:  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

National Vulnerability Database: https://nvd.nist.gov/

Charitable Hacking Analysis: https://penteston.com/


-- 
Regards

Josh-Erik Dolisca
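The username-enumeration problem from the third talk, as an added example in Python (not code from the meetup, from OWASP, or from the email above): a login handler with the two-message behaviour the talk warned about, the hardened one-message version beside it, the regex classifier an enumeration tool would carry for this application, and the password-guessing step that follows once a username is confirmed. The user store, salt, iteration count, error strings and regex are all constructed for this example and are not taken from any real product.

```python
import hashlib
import hmac
import re

# Constructed demo credential store (not real accounts): username -> PBKDF2 hash.
# A fixed salt and a lowered iteration count keep the example deterministic and
# fast; production code uses a random per-user salt and a much higher count.
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 20_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice": _hash("correct horse battery staple")}

# Hash of a dummy password: an unknown user costs the same PBKDF2 + compare as a
# known one, so response time does not leak what the message no longer does.
_DUMMY = _hash("dummy-password-never-valid")


def login_leaky(username: str, password: str) -> str:
    """The pattern discussed at the meetup: two distinct failure messages."""
    stored = USERS.get(username)
    if stored is None:
        return "Error: unknown user"
    if not hmac.compare_digest(stored, _hash(password)):
        return "Error: incorrect password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """One generic failure message and the same amount of work on both paths."""
    stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(stored, _hash(password))
    if match and username in USERS:  # guards the case where the guess equals the dummy
        return "OK"
    return "Error: invalid username or password"


# Attacker side. The regex is the classifier an enumeration tool would be
# configured with for this application; it is written for the strings above.
_UNKNOWN_USER = re.compile(r"unknown user|user(name)? (not found|does not exist)", re.I)


def probe(login, candidates):
    """Try every candidate username with a junk password and keep the error text."""
    return {name: login(name, "definitely-not-the-password") for name in candidates}


def leaks_existence(responses) -> bool:
    """True when failure messages differ, i.e. the login is a username oracle."""
    return len(set(responses.values())) > 1


def confirmed_users(responses):
    """Usernames whose error text does not say 'unknown user'. Only meaningful
    when leaks_existence() is True; otherwise every name lands here."""
    return [name for name, msg in responses.items() if not _UNKNOWN_USER.search(msg)]


def guess_password(login, username, wordlist):
    """Brute-force step once a username is confirmed; returns the password or None.
    The generic message only removes the oracle; rate limiting or lockout is what
    slows this step down."""
    for pw in wordlist:
        if login(username, pw) == "OK":
            return pw
    return None


if __name__ == "__main__":
    names = ["admin", "alice", "bob", "root"]
    words = ["password", "letmein", "correct horse battery staple"]
    for login in (login_leaky, login_hardened):
        r = probe(login, names)
        print(login.__name__, "leaks existence:", leaks_existence(r))
        if leaks_existence(r):
            for user in confirmed_users(r):
                print("  ", user, "->", guess_password(login, user, words))
```

Against `login_leaky` the probe confirms `alice` from four candidates and the wordlist then recovers her password; against `login_hardened` every failure reads the same, so the attacker has to spend the wordlist on all four names. Note what the generic message does not fix: the guessing step itself still succeeds for a real user with a weak password, which is why the fix is paired with throttling, lockout or MFA rather than relied on alone.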