Conferência Ibérica sobre Segurança de Aplicações Web - IBWAS'09


O OWASP está a patrocinar a primeira conferência ibérica na área. A chamada de trabalhos está aberta:

First Iberic Conference on Web-Applications Security (IBWAS’09)
Escuela Universitaria de Ingeniería Técnica de Telecomunicacíon - Universidad Politécnica de Madrid
10th – 11th December 2009
Madrid, Spain
[organised by OWASP Spain and OWASP Portugal]

Announce and Call for Papers

Introduction
------------
There is a change in the information systems development paradigm. The emergence of Web 2.0 technologies led to the extensive deployment and use of web-based applications and web services as a way to developed new and flexible information systems. Such systems are easy to develop, deploy and maintain and demonstrate impressive features for users, resulting in their current wide use.

As a result of this paradigm shift, the security requirements have also changed. These web-based information systems have different security requirements, when compared to traditional systems. Important security issues have been found and privacy concerns have also been raised recently. In addition, the emerging Cloud Computing paradigm promises even greater flexibility; however corresponding security and privacy issues still need to be examined. The security environment should involve not only the surrounding environment but also the application core.

This conference aims to bring together application security experts, researchers, educators and practitioners from the industry, academia and international communities such as OWASP, in order to discuss open problems and new solutions in application security. In the context of this track academic researchers will be able to combine interesting results with the experience of practitioners and software engineers.

Conference proceedings will be published by Springer in the "Communications in Computer and Information Science" (CCIS) series.

Keynote Speakers
----------------
* Bruce Schneier, acclaimed security guru, author, BT CSTO (confirmed)
* Inspector Jorge Martín from the High Tech Crime Unit of the Spanish National Police (confirmed)


Conference Topics
-----------------
Suggested topics for papers submission include (but are not limited to):
• Secure application development
• Security of service oriented architectures
• Security of development frameworks
• Threat modelling of web applications
• Cloud computing security
• Web applications vulnerabilities and analysis (code review, pen-test, static analysis etc.)
• Metrics for application security
• Countermeasures for web application vulnerabilities
• Secure coding techniques
• Platform or language security features that help secure web applications
• Secure database usage in web applications
• Access control in web applications
• Web services security
• Browser security
• Privacy in web applications
• Standards, certifications and security evaluation criteria for web applications
• Application security awareness and education
• Security for the mobile web
• Attacks and Vulnerability Exploitation

More information: http://www.ibwas.com

novo estudo: principais vulnerabilidades

um novo estudo do SANS Institute: http://www.sans.org/top-cyber-security-risks/

principais conclusões:
  • Priority One: Client-side software that remains unpatched.
  • Priority Two: Internet-facing web sites that are vulnerable.
  • Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.
  • Rising numbers of zero-day vulnerabilitiesnumbers

perigos da virtualização


Enthusiasm for virtualisation creates security problems


um excerto:

"Organisations that rush into server virtualisation are storing up trouble for themselves, security experts have warned. They say that many implementations have been done with little or no consideration for the added virtualisation security risks.

"Most people don't realise the security issues, and those that do understand are quite happy to accept the platitudes from the suppliers that virtualisation is secure," said Ian Kilpatrick, chairman of Wick Hill Group Ltd., a distributor focusing on the security market.

Kilpatrick said that running multiple virtual machines (VMs) within a single server is inherently harder to control and requires higher levels of security. But in his experience, companies are relying on the same weak controls they used before the introduction of virtualisation.

"Communicating from one physical server to another can be easily controlled, but in a virtual environment, it is more complex. If I get in as a guest on a virtual machine, then it is much easier to get to others. If I can breach one VM, then I can breach many," he said.

Stronger authentication of users will limit that risk, but as Kilpatrick said, "90% of the world is not using any form of two-factor authentication. Anyone working in a virtual environment without two-factor authentication is a lunatic. If I can get on to the hypervisor and get administrator rights to the whole thing, I have the keys to the farm."

He added that security fears have been ignored because virtualisation is so attractive in most other respects. In a time of economic belt-tightening, the technology allows companies to make better use of resources, reduce the number of actual servers they run, cut infrastructure costs and also reduce their energy bills."


artigo completo
em SearchSecurity

Livros

Existem vários livros com histórias de polícias e ladrões verdadeiras envolvendo hackers e ataques informáticos. São uma leitura sempre divertida para quem gosta da área.

Acabo de reencontrar um clássico do género que li há muitos anos, tantos que já não me lembrava da sua existência:

The Hacker Crackdown, law and disorder on the electronic frontier
Bruce Sterling, 1994
disponível no projecto Gutenberg

Outro clássico:

The Cuckoo's Egg
Clifford Stoll, 1990

virus, vermes e hackers ao longo dos anos

Mantido pela Wikipedia:

Timeline of computer viruses and worms

List of convicted computer criminals

Interessante e útil como referência.

segurança aos quadradinhos

virtualização?!


os perigos da cripto de chave pública