OWASP Top Ten Tools and Tactics
- Russ McRee, ISC Handler
If you've spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced the OWASP Top 10. Intended first as an awareness mechanism, the Top 10 covers the most critical web application security flaws via consensus reached by a global consortium of application security experts. The OWASP Top 10 promotes managing risk in addition to awareness training, application testing, and remediation. To manage such risk, application security practitioners and developers need an appropriate tool kit. This presentation will explore tooling, tactics, analysis, and mitigation for each of the Top 10. This discussion is a useful addition for attendees of Security 542: Web App Penetration Testing and Ethical Hacking.
Russ McRee is a senior security analyst, researcher, and founder of holisticinfosec.org, where he advocates a holistic approach to the practice of information assurance. As manager of Microsoft Online Service's Security Incident Management team, his focuses are incident response and web application security. He writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security, (IN)SECURE, and OWASP. Russ speaks regularly at conferences such as DEFCON, Black Hat, RSA, FIRST, RAID, and SecureWorld Expo, as well as ISSA events. IBM's ISS X-Force ranked him 6th among its Top Vulnerability Discoverers of 2009. Additionally, Russ volunteers as a handler for the SANS Internet Storm Center (ISC).
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
- Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
- Vendor: Events hosted by external vendor exhibitors.
| Session | Presenter | Type |
|---|---|---|
| GIAC Program Overview | Jeff Frisk, GIAC Director | Special Events |
| SANS Technology Institute Brief | President Stephen Northcutt | Special Events |
| Dude, Your Car is PWNed! | Rob VandenBrink, ISC Handler | SANS@Night |
| Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems | Manuel Humberto Santander Pelaez, ISC Handler | SANS@Night |
| OWASP Top Ten Tools and Tactics | Russ McRee, ISC Handler | SANS@Night |
| Updates on the Exploit Kits Front: You are the Target! | Pedro Bueno, ISC Handler | SANS@Night |
| Packet and Malware Collection for the Home Network, Research Starts at Home! | Richard Porter, ISC Handler | SANS@Night |
| Critical Infrastructure Control Systems Cybersecurity | Matt Luallen | SANS@Night |
| Everything's Hacked! What We Can Do To Help Secure Embedded Devices | Jay Radcliffe | SANS@Night |
| The SANS360: The Security Crystal Ball | Rob Lee, Moderator | SANS@Night |
| What's New in Windows 8 and Server 2012? | Jason Fossen | SANS@Night |
Monday, July 9
Tuesday, July 10
Thursday, July 12

| Session | Presenter | Time | Type |
|---|---|---|---|
| Test your Knowledge and Capture-the-Flag Skills in an Interactive Security Challenge! | Yori Kvitchko | Thursday, July 12th, 6:30pm - 9:30pm | Special Events |

Friday, July 13

| Session | Presenter | Time | Type |
|---|---|---|---|
| Test your Knowledge and Capture-the-Flag Skills in an Interactive Security Challenge! | Yori Kvitchko | Friday, July 13th, 6:30pm - 9:30pm | Special Events |