Arian J. Evans and Daniel Thompson: Building Self-Defending Web Applications: Secrets of Session Hacking and Protecting Software Sessions

Published: June 4, 2006, 11:10 p.m.

Web applications are constantly under attack, and must defend themselves. Sadly, today, most cannot.

There are several key elements to building self-defending software, but only a few are focused on today, including input validation, output encoding, and error handling. Strong session handling and effective authorization mechanisms are almost completely ignored in web application software development. Many of the threats are well known, but the techniques for building applications that can defend themselves against the known threat landscape are still ignored due to lack of documentation, lack of sample code, and lack of awareness of the threats and attack methods.

This ignorance is dangerous: the landscape has changed. In April 2005 alone, zero-day scripted session attacks were discovered in the wild for eBay and other high-profile web applications that you use.

Session and authorization attacks are real, mature, and increasing in frequency of use in the wild. They are also misunderstood or ignored by most of the development and web application security community.

This presentation will:

 * Summarize and categorize what State, Session, and Authorization attacks are.
 * Provide you with a simple, effective taxonomy for understanding the threats.
 * Provide you with an entirely new understanding of Cross-Site Scripting (XSS).
 * Disclose new Session and Authorization attacks released in recent months.
 * Show you how to attack your intranet from the Internet using your browser without you knowing.
 * Unveil the Paraegis Project, which will provide free web app security code for .NET, J2EE, and Flash frameworks.
 * Paraegis will include functional code elements for DAT generation and stopping automated scanners/scripts.
 * Paraegis will show you how to reduce the attack surface of XSS from "all people all the time" to "one person one time", resulting in XSS vulnerabilities being virtually unexploitable.

The techniques presented are simple, innovative, realistically usable, and predominantly missing in today's webapp designs. The Paraegis Project will release code that will not only demonstrate this, but that you will be able to use in your applications for free.

Arian Evans has spent the last seven years pondering information security and disliking long bios. His focus has been on intrusion detection and application security.

He currently works for FishNet Security researching and developing new methodologies for evaluating the security posture of applications and databases, in addition to helping FishNet clients design, deploy, and defend their applications. Arian works with clients worldwide for FishNet Security, and has worked with the Center for Internet Security, FBI, and various client organizations on web application-related hacking incident response.

Arian contributes to the information security community in the form of vulnerability research and advisories, writing courseware and teaching classes on how to build secure web applications, and questioning everything. He frequently breaks things, and sometimes figures out how to put them back together again.

Daniel Thompson is the lead interface developer for Secure Passage, a software company specializing in network device change management. His interest in computer graphics and visual design started over fifteen years ago while searching for an efficient way to create fake documents. Currently Daniel works with Java, C# and ActionScript to create secure, dependable, distributed applications. He targets JSP, ASP.NET and the Macromedia Flash Player for delivery to the browser, and Eclipse SWT and Microsoft WindowsForms for delivery to the desktop. In his spare time he works on data visualization and generative graphics, as well as the occasional game.

Dan became interested in information security when Arian Evans started reading his email.