<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:media="http://search.yahoo.com/mrss/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Anurag Agarwals' Threat Modeling Blog</title><link>http://myappsecurity.blogspot.com/</link><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/AnuragAgarwal-ApplicationSecurityEvangelist" /><description></description><language>en</language><managingEditor>noreply@blogger.com (Anurag Agarwal)</managingEditor><lastBuildDate>Wed, 21 Dec 2011 02:42:01 PST</lastBuildDate><generator>Blogger http://www.blogger.com</generator><openSearch:totalResults xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">86</openSearch:totalResults><openSearch:startIndex xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">1</openSearch:startIndex><openSearch:itemsPerPage xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">25</openSearch:itemsPerPage><feedburner:info uri="anuragagarwal-applicationsecurityevangelist" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><itunes:owner><itunes:email>noreply@blogger.com</itunes:email></itunes:owner><itunes:explicit>no</itunes:explicit><itunes:subtitle></itunes:subtitle><item><title>OWASP Top 10 Quiz</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/O4h1tLobOeI/owasp-top-10-quiz.html</link><category>Quiz</category><category>Web Application Security</category><category>OWASP Projects</category><category>OWASP Top 10</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Sun, 31 Jul 2011 12:03:30 PDT</pubDate><guid 
isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-4249171217109573558</guid><description>We recently developed a quiz to help an organization test their developers' knowledge of the OWASP Top 10. I thought it would be a good idea to make it public and let other organizations use it for their development teams as well. This is a very basic quiz, but I do plan to add different levels and more questions to it and bring randomness into the questions as well. 

I would greatly appreciate any</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2011/07/owasp-top-10-quiz.html</feedburner:origLink></item><item><title>OWASP threat modeling project</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/klhpJSYIU6I/owasp-threat-modeling-project.html</link><category>Threat Modeling</category><category>Web Application Security</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Wed, 13 Apr 2011 07:57:14 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-2994774840853662377</guid><description>We are starting an OWASP threat modeling project to standardize a threat modeling approach that can be used by various companies. During the OWASP Portugal summit, I had a very meaningful and positive discussion on this topic and got support from a lot of people in the community. You can find the results of the discussion at the OWASP Threat Modeling project page.

If you would like to join </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2011/04/owasp-threat-modeling-project.html</feedburner:origLink></item><item><title>Intellipass - A behavior based password lockout mechanism</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/WqKLJZ3Pkw0/intellipass-behavior-based-password.html</link><category>captcha</category><category>password lockout</category><category>Intellipass</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Thu, 19 Aug 2010 15:03:37 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-1513990948143177158</guid><description>I am pleased to announce Intellipass (a behavior based password lockout mechanism). Most password lockout mechanisms today are static, which means they lock a user out after a certain number of incorrect password attempts. This feature is implemented to prevent brute-force attempts against the login functionality. 
Even though this feature does what it’s supposed to, it has its own </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">4</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2010/08/intellipass-behavior-based-password.html</feedburner:origLink></item><item><title>Free Hands on Workshop on Web Application Security in New York City</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/kA954yBi8dY/free-hands-on-workshop-on-web.html</link><category>SQL Injection</category><category>Web Hacking</category><category>CSRF</category><category>Web Application Security</category><category>XSS</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Thu, 06 May 2010 15:17:53 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-1691669473297227044</guid><description>Ever wondered how a hacker hacks all these credit cards? Do you think hacking a website is difficult? What are the skills required to hack a website? ISSA NY Metro chapter is organizing a 3 hour workshop on web application security. 
This session will show you how easy it is to steal credit card numbers, SSN, etc. by doing a SQL injection attack or how you can steal passwords, hijack a session</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2010/05/free-hands-on-workshop-on-web.html</feedburner:origLink></item><item><title>MyAppSecurity - Secure Your Applications</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/cg1OFGRj7yA/myappsecurity-secure-your-applications.html</link><category>Threat Modeling</category><category>Risk Management</category><category>SDL</category><category>Secure Coding</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Wed, 05 May 2010 18:47:32 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-523742447548978457</guid><description>As some of you know, I joined WhiteHat Security as Director of Education Services in Dec 2007 to build their training division from scratch. Though it has been a very demanding job, it has been very satisfying too. I enjoyed working with various companies, training their developers and QA professionals and resolving their web application security issues. 
Through training, I not only </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2010/05/myappsecurity-secure-your-applications.html</feedburner:origLink></item><item><title>WASSEC Project Leader Change Announcement</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/nxnkHMofRa4/wassec-project-leader-change.html</link><category>WASC</category><category>Web Application Security Scanner Evaluation Criteria</category><category>WASSEC</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Mon, 11 Aug 2008 14:05:31 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-6187038725237910545</guid><description>There is going to be a new project leader (Brian Shura: bshura73_at_gmail_dot_com) for WASSEC (Web Application Security Scanner Evaluation Criteria) as of today. The leadership change will help me free up some time to work on other projects. We've identified an excellent candidate who will take over WASSEC from where I left off. I have already given him an overview of the project, its status and the </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/08/wassec-project-leader-change.html</feedburner:origLink></item><item><title>OWASP AppSec India Conference 2008</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/M5oihPg4F-w/owasp-appsec-india-conference-2008.html</link><category>OWASP AppSec India Conference 2008</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Wed, 18 Jun 2008 23:50:36 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-651069847698832533</guid><description>OWASP Delhi Chapter is hosting a grand application security event in New Delhi, India. 
With a lot of executives and business folks also attending the event, it clearly shows the attention web application security is getting in India, and I am sure a lot of it could also be because India is one of the major offshore development hubs for US projects and most of these companies sending projects </description><media:thumbnail url="http://4.bp.blogspot.com/_p4tgkwtZjQ8/SFoA2UVqgPI/AAAAAAAAATY/JyvoC4fx3aQ/s72-c/OWASP-2008Appsec-banner.gif" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/06/owasp-appsec-india-conference-2008.html</feedburner:origLink></item><item><title>WASC OWASP Party @ Blackhat</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/BcNGc2SXljg/wasc-owasp-party-blackhat.html</link><category>WASC</category><category>Breach</category><category>OWASP</category><category>Black hat</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Wed, 18 Jun 2008 23:30:58 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-4500112153233839346</guid><description>WASC-OWASP Party at Blackhat. Blackhat Vegas is around the corner. Our WASC-OWASP party last year rocked with around 300 people showing up. There was a huge line outside the shadow bar and it was by far the best party at Blackhat last year. If you weren't able to make it last year, do not miss it this time. 
Get your wristband from Breach's booth at Blackhat. Join the leading minds in web application</description><media:thumbnail url="http://3.bp.blogspot.com/_p4tgkwtZjQ8/SFn8lFI7cMI/AAAAAAAAATI/ep6Y2T-geuM/s72-c/wasc_owasp_party.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/06/wasc-owasp-party-blackhat.html</feedburner:origLink></item><item><title>Web Application Security Summit</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/115-3k9GTlo/web-application-security-summit.html</link><category>WASC</category><category>SANS</category><category>Web application security Summit</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Tue, 15 Apr 2008 12:11:03 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-668046388754178055</guid><description>SANS and WASC have organized a Web Application Security Summit in Vegas. Web Application Security Summit: Jeremiah Grossman, Summit Chair, with Robert “RSnake” Hansen, Gary McGraw, and Caleb Sima. June 2-3, 2008 • Paris Hotel &amp;amp; Casino • Las Vegas, NV. On June 2-3, various application security folks working in enterprises will share the lessons learned in their application security initiatives. 
Case </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/04/web-application-security-summit.html</feedburner:origLink></item><item><title>RSA Conference Pictures</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/RnyG3dk9M1o/rsa-conference-pictures.html</link><category>RSA Conference Pictures</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Fri, 11 Apr 2008 17:18:41 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-1093343346475965591</guid><description>RSA Conference 2008 is almost over. As usual there were so many companies showcasing their products and services or in some cases just a little bit of fun like video games, rock climbing, etc. I personally think there were more companies talking about web application security than last year. We still need some more companies with secure SDLC solutions to come out there. In addition, there were </description><media:thumbnail url="http://4.bp.blogspot.com/_p4tgkwtZjQ8/R__93DCS1fI/AAAAAAAAARc/qEcJ95sDHWU/s72-c/DSCN0356.JPG" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/04/rsa-conference-pictures.html</feedburner:origLink></item><item><title>WASC meetup at RSA - pictures</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/53SsNFjt7ls/wasc-meetup-at-rsa-pictures.html</link><category>WASC meetup</category><category>RSA conference</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Sat, 12 Apr 2008 14:19:31 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-2692742491197773056</guid><description>WASC meetup at RSA was a huge success. More than 100 people showed up and it was a lot of fun sharing ideas and experiences with our peers. 
I am posting some of the pictures I took below. Caleb Sima (HP), Robert Auger (WASC). Neil Daswani (Google), Robi Papp (Accuvant). Pool was so much fun. Dawn Van Hoegaerdan (Whitehat Security), Jeremiah Grossman, Rachel Miller (Shift Communications). Dawn, James(</description><media:thumbnail url="http://3.bp.blogspot.com/_p4tgkwtZjQ8/R_-vazCS05I/AAAAAAAAAMs/HB5O0Pls-nM/s72-c/DSCN0326.JPG" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">7</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/04/wasc-meetup-at-rsa-pictures.html</feedburner:origLink></item><item><title>Malware installation attempt via phishing</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/2m7CVqqO4M0/malware-installation-attempt-via.html</link><category>phishing</category><category>malware</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Sat, 22 Mar 2008 19:19:38 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-3004664144641246610</guid><description>I got this email yesterday and it immediately caught my attention, maybe due to the recent news about malware being installed via legitimate websites. Or maybe because most of the previous phishing attempts were about stealing usernames/passwords. This one is about installing something on their machine (which I am sure is some sort of malware). 
This might be a shift in the approach and of course it makes a</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/03/malware-installation-attempt-via.html</feedburner:origLink></item><item><title>WASC meetup at RSA</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/RWm9Q5s5ndM/wasc-meetup-at-rsa.html</link><category>WASC meetup</category><category>Web Application Security meetup RSA conference</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Thu, 06 Mar 2008 18:28:34 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-4063950396494394839</guid><description>The RSA conference is around the corner and a lot of people from the webappsec field will be coming over to the conference. This is a perfect opportunity to meet with your peers. To facilitate that, WASC is organizing a meetup on April 9, 2008, 12pm to 2pm. Whitehat Security has graciously agreed to sponsor the event. 
Please click on the image to see a larger version of the invite. Last year WASC </description><media:thumbnail url="http://3.bp.blogspot.com/_p4tgkwtZjQ8/R9ClaHPUGII/AAAAAAAAAKs/UerPG3rgrcY/s72-c/WASC_RSAcoupon.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/03/wasc-meetup-at-rsa.html</feedburner:origLink></item><item><title>Certification for Web Application Security Professional</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/3lZi_yiINUg/certification-for-web-application.html</link><category>Certification for Web Application Security Professional</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Thu, 21 Feb 2008 11:24:54 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-5087162669555937401</guid><description>Web Application Security Consortium and SANS have partnered together to define, train, test and certify the individuals. WASC is a leading web application security organization and SANS is a leader in training and certification. 
Together they have the subject matter expertise and process expertise to make this a huge success. Why do we need this certification? As more and more software is moving to</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">15</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/02/certification-for-web-application.html</feedburner:origLink></item><item><title>New IRS Scam via SMS messages</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/28yvNbYPovw/new-irs-scam-via-sms-messages.html</link><category>New IRS Scam via SMS messages</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Tue, 29 Jan 2008 14:34:30 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-8881082366354434647</guid><description>I got a text message today which read something like: From: TAX@internalrefunding.com ------Message----- Subject: NOTICE You have .30 IRS UNITS pending for refunding, complete the form using www.internalrefunding.com ASAP. My first reaction was "What the f***" but then I started thinking "Could it be IRS?", if yes, then "Why send a SMS?" Then my paranoid mind started working and even though I haven't heard of a scam </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/01/new-irs-scam-via-sms-messages.html</feedburner:origLink></item><item><title>IETF starts working on security requirements for HTTP</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/Of6jk9r30zY/ietf-starts-working-on-security.html</link><category>Security Requirements for HTTP</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Thu, 24 Jan 2008 10:05:49 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-2038330424917623777</guid><description>Andre sent me a link on "Security Requirements for HTTP". 
It is exciting to see that the security issues of the HTTP protocol are at least being addressed by the IETF. This is a first draft and they are starting to identify the problems and will address them as a final part of this document. http://www.ietf.org/internet-drafts/draft-ietf-httpbis-security-properties-00.txt Recent IESG practice dictates that IETF </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/01/ietf-starts-working-on-security.html</feedburner:origLink></item><item><title>Do you have to fix XSS vulns to be PCI Compliant? ScanAlert Says No</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/8ML2I6dtYDY/do-you-have-to-fix-xss-vulns-to-be-pci.html</link><category>scanalert</category><category>hackersafe</category><category>PCI compliance</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Fri, 25 Jan 2008 14:52:49 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-5487331453509597497</guid><description>I was reading Jeremiah's blog about ScanAlert's response - "ScanAlert - XSS is not our problem". I had blogged earlier about "Should ScanAlert be revoked of their PCI Scanning abilities?" The interesting thing here is that if Hacker Safe is not detecting XSS attacks, I can bet they would not be detecting SQL injection attacks either. 
So, what part of web application attacks are they trying to detect</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">4</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/01/do-you-have-to-fix-xss-vulns-to-be-pci.html</feedburner:origLink></item><item><title>The Fortification Movie</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/dJ1omGGwQEY/fortification-movie.html</link><category>The new face of cybercrime</category><category>fortify</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Mon, 21 Jan 2008 11:25:00 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-1460014308952630706</guid><description>Last week I went to see the documentary by Fortify on "The new face of Cybercrime". I went there thinking that it would be something that shows what cybercrime is all about and how bad guys are breaking into websites to steal credit card numbers, SSNs, etc. and selling them on the black market to make money. Basically a visual representation of what we deal with, day in, day out. 
But it turned out </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/01/fortification-movie.html</feedburner:origLink></item><item><title>Calling all web hacks of 2007</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/6WsdP75IyiA/calling-all-web-hacks-of-2007.html</link><category>top 10 web hacks of 2007</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Tue, 08 Jan 2008 11:23:21 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-7402411088983226160</guid><description>Jeremiah Grossman is trying to gather all the neat research behind web hacks of 2007. "The hardest part is collecting a rather complete list of references to vote on, they’re all over the place, so that’s the reason for this post. Below is what I’ve gathered so far, and if you know of others, please comment them in with the title and link and I’ll add them. In the next few days the list will be </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/01/calling-all-web-hacks-of-2007.html</feedburner:origLink></item><item><title>Should ScanAlert be revoked of their PCI Scanning abilities?</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/elRMLS-LeBc/should-scanalert-be-revoked-of-their.html</link><category>scanalert</category><category>hackersafe</category><category>PCI compliance</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Mon, 07 Jan 2008 14:56:27 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-2296392251321621515</guid><description>I was passed this link today about "Hacker Safe Website gets hit by Hacker". For those who don't know, Hacker Safe is a service provided by ScanAlert (which is set to be acquired by McAfee). 
I am not going to go into the details of how safe the sites displaying the "Hacker Safe" logo are. I don't even want to go into the details of what level of scanning services are provided by ScanAlert </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">11</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2008/01/should-scanalert-be-revoked-of-their.html</feedburner:origLink></item><item><title>AppSec 2007 pictures of breach party</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/jmu5CZi0C6Q/appsec-2007-pictures-of-breach-party.html</link><category>OWASP WASP AppSec Conference 2007</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Mon, 19 Nov 2007 17:26:44 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-4669521920037734548</guid><description>The OWASP and WASC AppSec Conference is over and it was by far the best conference I have ever been to. I was able to meet up with so many fantastic people, some of whom I have exchanged emails with before, and it was good to see them in person. The conference topics and the presentations were really good. It was also my first time moderating a panel and it was a great experience. 
With such a sensitive </description><media:thumbnail url="http://3.bp.blogspot.com/_p4tgkwtZjQ8/R0I0w5RnWFI/AAAAAAAAAKk/tgUxRO5Wqms/s72-c/DSCN0358.JPG" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2007/11/appsec-2007-pictures-of-breach-party.html</feedburner:origLink></item><item><title>Who are the real culprits for PCI compliance?</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/2A41mlmnrbM/who-are-real-culprits-for-pci.html</link><category>PCI compliance</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Wed, 07 Nov 2007 11:57:46 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-4071785194687821668</guid><description>There was an article in SearchSecurity today on the TJX issue. "Don't blame PCI DSS for TJX troubles, IT pros say" http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1280854,00.html?track=sy160&amp;amp;asrc=RSS_RSS-10_160 Here is an excerpt from the article: The auditor said TJX passed a PCI DSS check-up, but that the auditor failed to notice some key problems. "They had no network monitoring and</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">8</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2007/11/who-are-real-culprits-for-pci.html</feedburner:origLink></item><item><title>Panel discussion on Website Vulnerability Disclosure during AppSec Conference on Nov 15</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/GjLMGq1BmUg/panel-discussion-on-website.html</link><category>Website vulnerability disclosure</category><category>WASC</category><category>OWASP</category><category>panel discussion</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Mon, 05 Nov 2007 16:34:47 PST</pubDate><guid 
isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-272228554470656362</guid><description>As most of you know, the OWASP-WASC AppSec Conference is being held at eBay from Nov 12 to Nov 15, including the training sessions. There are many exciting topics to look forward to in the conference, not to forget the vendor parties at the end of the day. One of the things I am excited about is the panel discussion on Website Vulnerability Disclosure (which I will be moderating). We have some </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2007/11/panel-discussion-on-website.html</feedburner:origLink></item><item><title>WASC meetup on Nov 8</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/5OhDHnmDh-k/wasc-meetup-on-nov-8.html</link><category>WASC meetup</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Thu, 01 Nov 2007 10:44:16 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-8379834977289967531</guid><description>It's time for another WASC Meet-Up. As usual this will be an informal gathering. No agenda, slide-ware, or sponsors. Just some like-minded people from the security industry getting together to share their stories over beer. 
Everyone is welcome and it should be a really fun time! Please RSVP by email ASAP, if you haven't done so already, so we can make the proper reservations: anurag dot agarwal at </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2007/11/wasc-meetup-on-nov-8.html</feedburner:origLink></item><item><title>OWASP &amp; WASC AppSec 2007</title><link>http://feedproxy.google.com/~r/AnuragAgarwal-ApplicationSecurityEvangelist/~3/DTrvmLxq2PQ/owasp-wasc-appsec-2007.html</link><category>WASC</category><category>OWASP</category><category>Appsec Conference</category><author>noreply@blogger.com (Anurag Agarwal)</author><pubDate>Tue, 04 Sep 2007 13:52:07 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-34422497.post-4679738315317673450</guid><description>The OWASP/WASC Black Hat cocktail party was so successful it only made sense to join forces again, this time for an upcoming conference. OWASP &amp;amp; WASC AppSec 2007 is scheduled for Nov 12 – 15 @ eBay campus in San Jose, California. This will be an entire conference dedicated to web application security and something not to be missed. In fact, we’re a little nervous because the venue might be able to fit</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://myappsecurity.blogspot.com/2007/09/owasp-wasc-appsec-2007.html</feedburner:origLink></item><media:rating>nonadult</media:rating></channel></rss>

