[TriLUG] Web Security and OWASP

Steve Pinkham steve.pinkham at gmail.com
Sat Mar 13 22:46:53 EST 2010

Thanks again to Michael for the talk. I think he did a great job 
covering complex issues in a short timespan.

If you want to dig in deeper to web security, I recommend highly 
Some of their most useful resources are listed in the blue box near the 
top of the page. The ASVS(software security lifecycle), ESAPI(security 
libraries), OWASP Top 10(list of common flaws, with simple explanations 
and links to more information) and their developer and code review 
guides are probably the most useful for the development side.  The 
amount of other resources they have is huge.

The XSS Prevention Cheat Sheet 
and SQL injection Cheat Sheet
are the absolute minimum you need to know to effectively block those 

Also, I mentioned the local OWASP-NC chapter


but forgot to mention the most important part... There is usually free 
beer for attendees provided by the chapter leader, though you're 
encouraged to bring your own to share, especially if you're picky.  ;-)

Hope to see some of you there, and hope you had fun clicking on all my 
email links. They're not malicious, I swear. ;-)

One more link: I run a project with web security testing tools, 
vulnerable targets and documentation preconfigured on a virtual machine 
called Web Security Dojo.  You can find it at 
http://dojo.mavensecurity.com if you're interested.  It includes some 
getting started information, though we're working on more.

My expertise is in the attack side of web security, so I'd be happy to 
field any further questions people have about that.
  | Steven Pinkham, Security Researcher    |
  | http://www.mavensecurity.com           |
  | GPG public key ID CD31CAFB             |

More information about the TriLUG mailing list