OWASP Top Ten 2010: understanding the attacks

Comments

Comments are closed.

Anonymous at 17:34 on 11 Mar 2011

I really didn't get anything from this presentation that I couldn't have got by reading the OWASP Top Ten document. It could have been improved by real-life examples, by giving us insight beyond what was in the document, and by Antonio improving his speaking style, which was very boring. He didn't seem interested in his own subject!

Hi Anonymous,

Explaining the top10 is quite challenging for one major reason: as you mentioned, a document is freely available and everyone attending a talk about the Top10 could alternatively just download it and read it.

Unfortunately, as the speaker, I had to chose whether I would introduce the existence of this document and its content to an audience who didn't integrate these sorts of risks, or to an audience who seeks advanced insight on some of the entries. I asked the audience who was technical and almost half of it raised hands, this brought me into taking sides.

I'd typically say that you can either jump over the surface of each risk, or dedicate an entire hour on each item, in particular complex topics such as injection, XSS attacks or authentication/crypto issues. For example back in Geneva next week, I will attend a 60 minutes talk on the A2 "Cross-site scripting" by an expert in this topic, he will deliver insights on advanced XSS attacks and defense techniques. I guess that kind of talk would have been more into your focus but for that, I guess you'd have to attend a conference with a stronger focus on information security.

I received both good and bad critics on this talk. Some saying it wasn't technical enough, others saying it was a very good awareness raising talk. I honestly don't think I could satisfy both sides in less than 50 minutes :)


Regarding my speaking style for that session, I am 100% with you, this wasn't my best day and I found switching to English much harder than I had expected :) I hope you had the opportunity to attend the threat modeling session the next day, I chose a completely different presentation style and I would definitely appreciate having your feedback on that one, too.

Anyway, thank you for attending the talk and for returning me your feedback. I appreciate it and it will help me improve some aspects of the talk. Let's hope there is a better "next time"!

antonio

PS: as you can see, I am giving myself a rate of 3 :)