OWASP Top Ten 2010: understanding the attacks

Antonio Fontes (09.Mar.2011 at 13:15)
Talk at ConFoo 2011 (English - US)

Rating: 0 of 5

The OWASP foundation recently published the 2010 version of its reference document describing the top 10 web application security risks.

During this talk, ten intrusion techniques will be demonstrated to the audience to give a better understanding of the risks described in the OWASP Top 10 2010 document.

Agenda:
- Basic theory on risks, threats and software vulnerabilities
- Presentation of the 10 intrusion techniques
- Best practices when working with the OWASP Top 10 2010
- Discussion, questions

Note: due to the limited time available, the talk will focus on explaining the intrusion techniques against web applications. Developers interested in the defensive coding aspects should also attend the secure development training.


Comments

Rating: 2 of 5

11.Mar.2011 at 17:34 by Anonymous

I really didn't get anything from this presentation that I couldn't have got by reading the OWASP Top Ten document. It could have been improved by real-life examples, by giving us insight beyond what was in the document, and by Antonio improving his speaking style, which was very boring. He didn't seem interested in his own subject!

Speaker comment:

12.Mar.2011 at 12:27 by Antonio Fontes (5 comments)

Hi Anonymous,

Explaining the top10 is quite challenging for one major reason: as you mentioned, a document is freely available and everyone attending a talk about the Top10 could alternatively just download it and read it.

Unfortunately, as the speaker, I had to choose whether I would introduce the existence of this document and its content to an audience who hadn't integrated these sorts of risks, or to an audience who seeks advanced insight on some of the entries. I asked the audience who was technical and almost half of it raised hands; this brought me into taking sides.

I'd typically say that you can either skim over the surface of each risk, or dedicate an entire hour to each item, in particular complex topics such as injection, XSS attacks or authentication/crypto issues. For example, back in Geneva next week, I will attend a 60-minute talk on the A2 "Cross-site scripting" by an expert in this topic, who will deliver insights on advanced XSS attacks and defense techniques. I guess that kind of talk would have been more into your focus, but for that, I guess you'd have to attend a conference with a stronger focus on information security.

I received both good and bad criticism on this talk, some saying it wasn't technical enough, others saying it was a very good awareness-raising talk. I honestly don't think I could satisfy both sides in less than 50 minutes :)

Regarding my speaking style for that session, I am 100% with you: this wasn't my best day and I found switching to English much harder than I had expected :) I hope you had the opportunity to attend the threat modeling session the next day; I chose a completely different presentation style and I would definitely appreciate having your feedback on that one, too.

Anyway, thank you for attending the talk and for giving me your feedback. I appreciate it and it will help me improve some aspects of the talk. Let's hope there is a better "next time"!

antonio

PS: as you can see, I am giving myself a rating of 3 :)

© Joind.in 2014