Wednesday, 29 April 2009

OpenVAS Developer Conference #2 (July 9th - 12th) - WorkShop

A one-day workshop (July 8th 2009), prior to the
OpenVAS Developer Conference #2 (July 9th - 12th),
will be conducted for OpenVAS users.

The following topics will be covered:

1. OpenVAS architecture
2. Installation of OpenVAS on Linux systems
3. OpenVAS scanning
   - OpenVAS features
   - Creation of policies and running the scan
   - Credentialed and credential-less scanning
   - The OpenVAS knowledge base
   - Logs
   - Scanning different network devices: Windows, Unix
   - Reports
4. OpenVAS administration
5. Writing NASL plugins
6. OpenVAS integrated tools

Price: EURO 300,-

The money will be utilized to cover the travel costs for students and other
private OpenVAS developers to join the OpenVAS developer's conference.

The workshop is held in English by Chandrashekhar B of the
company SecPod (India). SecPod will not charge for this, so
100% of the money will help to physically gather a strong developer
team to prepare for OpenVAS 3.0.

If you are interested and willing to register, please send a mail to
openvas-devcon@intevation.de at the earliest confirming your attendance.

Details on the workshop will also be updated here:
http://www.openvas.org/openvas-devcon2.html

Tuesday, 28 April 2009

OWASP AppSec DC 2009 Conference Call for Papers

Hello,

OWASP is currently soliciting papers for the OWASP AppSec DC 2009
Conference that will take place at the Walter E. Washington Convention
Center in Washington, DC on November 10th through 13th of 2009. There
will be training courses on November 10th and 11th followed by plenary
sessions on the 12th and 13th with each day having at least three
tracks. AppSec DC may also have BoF, breakout, or speed talks in
addition to the standard schedule, depending on the submissions we receive.

We are seeking people and organizations that want to present on any of
the following topics (in no particular order):
- Business Risks with Application Security.
- Starting and Managing Secure Development Lifecycle Programs.
- Web Services, XML and Application Security.
- Metrics for Application Security.
- Application Threat Modeling.
- Hands-on Source Code Review.
- Web Application Security Testing.
- OWASP Tools and Projects.
- Secure Coding Practices (J2EE/.NET).
- Privacy Concerns with Applications and Data Storage
- Web Application Security countermeasures
- Technology specific presentations on security such as AJAX, XML, etc.
- Anything else relating to OWASP and Application Security.

To make a submission you must include:
- Presenter(s) name(s)
- Presenter(s) Email and/or Phone number(s)
- Presenter(s) bio(s)
- Title
- Abstract
- Any supporting research/tools (will not be released outside of CFP
committee)

Submission deadline is June 15th 2009 at 11:59 PM Eastern Standard
Time. Submit proposals to mark.bristow(at)owasp.org with the subject
line "APPSEC DC CFP SUBMISSION" (an automated filter is used).
Additional information can be found in the FAQ.

Conference Website: https://www.owasp.org/index.php/OWASP_AppSec_DC_2009
FAQ: https://www.owasp.org/index.php/OWASP_AppSec_DC_2009_-_FAQ
CFP w/ FAQ: http://www.owasp.org/images/6/65/AppSec_DC_2009_CFP.pdf

Please forward to all interested practitioners and colleagues.

Regards.

Sunday, 26 April 2009

The OpenSQLiNG project starts

I'm glad to announce the start of the next-generation open source SQL injection tool; see the project page for details at: http://opensqling.sourceforge.net/

  • Database Environment : Project is a database abstraction layer (API)
  • Intended Audience : Advanced End Users, Developers, System Administrators
  • License : GNU General Public License (GPL)
  • Operating System : OS Independent (Written in an interpreted language)
  • Programming Language : Java, Jython
  • Topic : Security
  • Translations : English
  • User Interface : Command-line, Web-based, Plugins

Summary

OpenSQLi-NG (pronounced Open SQLi N-G) is the next-generation open source SQL injection tool, built upon a powerful client/server plugin-based architecture. It silently tests and exploits (on demand) SQL injection conditions; its core features are DBMS fingerprinting, database enumeration and operating system command execution. It's coded in Python with Java class libraries, which makes it completely OS-independent. A web interface will also be available.
Note that this is only the engine of a bigger vulnerability scanner that I'm planning to implement.