vivek saxena | 14 Feb 07:53 2010

# How To Start

Hi All,

I am new to penetration testing and security testing. I know the theoretical side of penetration testing, but at the syntax level (injection) I need to improve.

Just wanted to know how to proceed with it.

There is one question I would like to ask: how do you find vulnerabilities in the DAO pattern?

And how do you test HTTPS- and SSL-based applications?

-Vivek

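The two questions in the post above, finding injection in DAO-style data-access code and testing an application that sits behind HTTPS, are illustrated by the following added example. It is not part of the original post or of any reply to it. It assumes a hypothetical `users` table and a `find_by_username` DAO method (names chosen for the example, not taken from any real project), seeds an in-memory SQLite database with constructed rows, and uses only the Python standard library so it runs offline.

```python
# Added example, not part of the original post: a minimal user DAO written
# two ways, so the injectable version can be compared with its parameterized
# fix. Runs against an in-memory SQLite database seeded with constructed rows.
import sqlite3


def make_db():
    """Constructed sample data (hypothetical accounts, not real ones)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


class VulnerableUserDao:
    """The smell to look for in a DAO: request data spliced into SQL text."""

    def __init__(self, conn):
        self.conn = conn

    def find_by_username(self, username):
        # The caller's string becomes part of the statement the engine parses.
        sql = "SELECT username, role FROM users WHERE username = '%s'" % username
        return self.conn.execute(sql).fetchall()


class SafeUserDao:
    """The fix: the value is bound as a parameter and never parsed as SQL."""

    def __init__(self, conn):
        self.conn = conn

    def find_by_username(self, username):
        sql = "SELECT username, role FROM users WHERE username = ?"
        return self.conn.execute(sql, (username,)).fetchall()


def probe(dao, username):
    """A black-box tester's view of one lookup: the row count, or 'error'
    when the input broke the statement (a stray quote is the first probe)."""
    try:
        return len(dao.find_by_username(username))
    except sqlite3.Error:
        return "error"


def compare(payload):
    """Run the same payload through both DAOs. A differing result is the
    signal that the query text depends on the input."""
    return (
        probe(VulnerableUserDao(make_db()), payload),
        probe(SafeUserDao(make_db()), payload),
    )


if __name__ == "__main__":
    # Benign lookup, bare quote, tautology, and a true/false conditional.
    for payload in ("alice", "'", "x' OR '1'='1", "alice' AND '1'='1"):
        print(repr(payload), "->", compare(payload))
```

The vulnerable DAO answers the bare quote with a syntax error, the tautology with every row, and the appended `AND '1'='1'` with the original row; the parameterized DAO returns no rows for all three, because the whole string is compared as a value. The pattern is the same whatever the persistence layer: find the DAO method that assembles SQL from a string and compare it with the bound-parameter form. HTTPS changes nothing in this test; TLS protects the transport, and the application is probed the same way, with the requests routed through an intercepting proxy so they can be modified before they reach the server.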
organiser@syscan.org | 13 Feb 06:30 2008

SyScan'08 Call for Paper/Training

CALL FOR PAPERS/TRAINING

SyScan'08 Hong Kong will be held on May 29th and 30th at Langham Place.
SyScan'08 Singapore will be held on July 3rd and 4th at Novotel Clarke Quay.

CFP COMMITTEE
The Call for Papers committee for SyScan’08 comprises the following 
personnel:

1. Thomas Lim – Organiser of SyScan and CEO of COSEINC
2. Dave Aitel – Founder and CTO of Immunitysec
3. Marc Maiffret – Ex-Founder and Chief Hacking Officer of eEye
4. Matthew “Shok” Conover – Symantec

The CFP committee will review all submissions and determine the final 
list of speakers for SyScan’08.

CONFERENCE TOPICS
The focus for SyScan’08 will include the following:

Operating Systems
• Vista
• Linux
Mobile Devices/Embedded systems
• SmartPhones
• PDAs
• Game Consoles
Web 2.0
• Web services
• PHP
• .Net
• Web applications
Networking/Telecommunication
• VoIP
• 3G/3.5G network
• IPv6
• WLAN/WiFi
• GPRS
Malware
BotNets
Virtualization

Additional topics for SyScan’08 Hong Kong:

Security Policy/Best Practices
Legislation
Industry Specifics –
• Finance
• Hotels

Any topics that will catch the attention of the CFP committee and/or the 
world.

TRAINING TOPICS
SyScan’08 training topics will focus on the following areas:

Web Applications
• .Net applications
• Java applications
Networks
• VoIP
• 3G/3.5G network
• IPv6
• WLAN/WiFi
• GPRS
Securing Windows/Linux Systems
Databases
Storage

PRIVILEGES
Speakers’ Privileges:
• Return economy class air-ticket for one person.
• 3 nights of accommodation.
• Breakfast, lunch and dinner during conference.
• After-conference party.
• A very healthy dose of alcohol and fun.
• S$500 cash for speakers with brand new presentations.

Trainers’ Privileges:
• 50% of net profit of class.
• 2 nights of accommodation (conference) (applicable for Singapore only).
• After-conference party.
• A very healthy dose of alcohol and fun.

Please note that the net profit for each class is determined by the 
difference between the total fee collected for each class and the total 
expenses incurred for each class. The expenses of each class would 
include the return economy air-ticket of the trainer, 3 nights of 
accommodation (training) and the rental of the training venue.

CFP SUBMISSION:
CFP submission must include the following information:

1) Brief biography including list of publications and papers published 
previously or training classes conducted previously.

2) Proposed presentation/training title, category, synopsis and description.

3) Contact Information (full name, alias, handler, e-mail, postal 
address, phone, fax, photo, country of origin, special dietary requirement).

4) Employment and/or affiliations information.

5) Any significant presentation and educational/training 
experience/background.

6) Why is your material different or innovative or significant or an 
important tutorial?

Please note that all speakers will be allocated 50 minutes of 
presentation time. Any speakers who require more time must inform the 
CFP committee during the CFP submission.

Training classes will be 2 full days. Please inform the CFP committee if 
your class is shorter or longer than 2 days during your CFP submission.

All submissions must be in English in either MS Office or PDF format. 
The more information you provide, the better the chance for selection. 
Please send submission to cfp <at> syscan.org.

IMPORTANT DATES
Hong Kong
Final CFP Submission – 29th February 2008
Notification of Acceptance – 30th March 2008.
Final Submission for Accepted Presentation Material (Speakers) – 15th 
April 2008

Singapore
Final CFP Submission – 30th April 2008
Notification of Acceptance – 30th May 2008.
Final Submission for Accepted Presentation Material (Speakers) – 15th 
June 2008

OTHER INFORMATION
Please feel free to visit SyScan website to get a feel what this 
conference is all about – SHARE AND HAVE FUN!

By agreeing to speak at the SyScan'07 you are granting SyScan Pte. Ltd. 
the rights to reproduce, distribute, advertise and show your 
presentation including but not limited to http://www.syscan.org, printed 
and/or electronic advertisements, and all other mediums.

--

-- 
Thank you
Thomas Lim
Organiser
SyScan'07
www.syscan.org

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

organiser@syscan.org | 18 Dec 08:12 2007

SyScan'08 Call For Paper/Training

*About SyScan'08*
The Symposium on Security for Asia Network aims to be a very different 
security conference from the rest of the security conferences that the 
information security community in Asia has come to be so familiar and 
frustrated with.
SyScan is a non-product, non-vendor biased security conference. It is 
the aspiration of SyScan to congregate in Asia the best security experts 
in their various fields, to share their research, discovery and 
experience with all security enthusiasts in Asia.

Speakers who have presented in previous SyScan conferences are among the 
best and brightest in the respective field.
Many of these previous presentations were outstanding and awesome, with 
the industry still in active discussion today.
This will continue to be the case as the highly regarded members of the Call 
for Paper (CFP) committee will ensure only the top speakers with the 
best content will speak at SyScan. Your participation in SyScan will 
help you to maintain your technological leadership and stay abreast of 
the latest developments in this rapidly moving technological field.

This two-day symposium would be held in a relaxed and informal 
atmosphere, allowing all participants to enjoy themselves whilst 
expanding their knowledge on information security. This is a 
single-track conference.

*SyScan’08 HONG KONG*
To address the increasing importance of information security in Hong 
Kong, SyScan will be going to Hong Kong in 2008.
SyScan’08 Hong Kong will provide an opportunity for foreign security 
specialists to be exposed to the Hong Kong security community and 
collaborate on practical solutions to computer security issues.

Date: May 29th – 30th, 2008.
Venue: To be determined.

*SyScan’08 SINGAPORE*
Date: July 3rd – 4th, 2008.
Venue: Novotel Clarke Quay Singapore.

*CFP COMMITTEE*
The Call for Paper committee for SyScan’08 comprises the following 
personnel:
1. Thomas Lim – Organiser of SyScan and CEO of COSEINC
2. Dave Aitel – Founder and CTO of Immunitysec
3. Marc Maiffret – Founder and Chief Hacking Officer of eEye
4. Matthew “Shok” Conover – Symantec

The CFP committee will review all submissions and determine the final 
list of speakers for SyScan’08.

*CONFERENCE TOPICS*
The focus for SyScan’08 will include the following:

*Operating Systems*
• Vista
• Linux
*Mobile Devices/Embedded systems*
• SmartPhones
• PDAs
• Game Consoles
*Web 2.0*
• Web services
• PHP
• .Net
• Web applications
*Networking/Telecommunication*
• VoIP
• 3G/3.5G network
• IPv6
• WLAN/WiFi
• GPRS
*Malware*
*BotNets*
*Virtualization*
*Additional topics for SyScan’08 Hong Kong:*
Security Policy/Best Practices
Legislation
Industry Specifics –
• Finance
• Hotels

Any topics that will catch the attention of the CFP committee and/or the 
world.

*TRAINING TOPICS*
SyScan’08 training topics will focus on the following areas:
*Web Applications*
• .Net applications
• Java applications
*Networks*
• VoIP
• 3G/3.5G network
• IPv6
• WLAN/WiFi
• GPRS
*Securing Windows/Linux Systems*
*Databases*
*Storage*

*PRIVILEGES*
*Speakers’ Privileges:*
• Return economy class air-ticket for one person.
• 3 nights of accommodation.
• Breakfast, lunch and dinner during conference.
• After-conference party.
• A very healthy dose of alcohol and fun.
• S$500 cash for speakers with brand new presentations.

*Trainers’ Privileges:*
• 50% of net profit of class.
• 2 nights of accommodation (conference) (applicable for Singapore only).
• After-conference party.
• A very healthy dose of alcohol and fun.

Please note that the net profit for each class is determined by the 
difference between the total fee collected for each class and the total 
expenses incurred for each class. The expenses of each class would 
include the return economy air-ticket of the trainer, 3 nights of 
accommodation (training) and the rental of the training venue.

*CFP SUBMISSION:*
CFP submission must include the following information:

1) Brief biography including list of publications and papers published 
previously or training classes conducted previously.
2) Proposed presentation/training title, category, synopsis and description.
3) Contact Information (full name, alias, handler, e-mail, postal 
address, phone, fax, photo, country of origin, special dietary requirement).
4) Employment and/or affiliations information.
5) Any significant presentation and educational/training 
experience/background.
6) Why is your material different or innovative or significant or an 
important tutorial?

Please note that all speakers will be allocated 50 minutes of 
presentation time. Any speakers who require more time must inform the 
CFP committee during the CFP submission.

Training classes will be 2 full days. Please inform the CFP committee if 
your class is shorter or longer than 2 days during your CFP submission.

All submissions must be in English in either MS Office or PDF format. The 
more information you provide, the better the chance for selection. 
Please send submission to *cfp <at> syscan.org*.

*IMPORTANT DATES*
*Hong Kong*
Final CFP Submission – 29th February 2008
Notification of Acceptance – 30th March 2008.
Final Submission for Accepted Presentation Material (Speakers) – 15th 
April 2008

*Singapore*
Final CFP Submission – 30th April 2008
Notification of Acceptance – 30th May 2008.
Final Submission for Accepted Presentation Material (Speakers) – 15th 
June 2008

*OTHER INFORMATION*
Please feel free to visit SyScan website to get a feel what this 
conference is all about – SHARE AND HAVE FUN!

By agreeing to speak at the SyScan'07 you are granting SyScan Pte. Ltd. 
the rights to reproduce, distribute, advertise and show your 
presentation including but not limited to http://www.syscan.org, printed 
and/or electronic advertisements, and all other mediums.

--

-- 
Thank you
Thomas Lim
Organiser
SyScan'07
www.syscan.org

Mark Curphey | 5 Dec 19:02 2006

Administrivia

A couple of small things

1. A few people pointed out that I approved a post about what appears to be
commercial software. Having moderated the webappsec list for a number of
years where this issue was somewhat emotive, I am well aware of the
potential for unscrupulous vendors to start product placement on seemingly
independent mailing lists and for a slippery slope to start. What we did on
webappsec was to instigate a rule where only OSI compliant software or that
with no license (totally free) was allowed through. This worked well for
webappsec, however I would argue that there is a lot less mature info sec
security management software and I suspect many readers actually want to
hear about experiences of tools like Archer, Xacta etc. Therefore I will
monitor it and if it starts to become an issue (I'll use some lexical
analysis software as an experiment) we'll instigate the OSI rule.  

For the record Fred was obviously not doing this and has done nothing wrong,
just evoked some passion among some.

2. I have moved back from the States to the South of France. This means two
things. The first is that I currently am waiting on DSL and so have
temperamental internet access to approve posts at present. The second is
time zones for approving messages are different. 

3. I have been working on a project with some talented folks from this list.
It will be called the ISM Community. While we have a lot of work to do
before we release our first project just after Christmas (as well as a good
community web site with blogs, forum, articles etc) we are looking for a
broad range of beta testers to implement a Practical Risk Assessment
Methodology in the real world and provide feedback. If anyone is interested
in applying a fast, practical quantitative methodology along with worksheets
and templates we would love to hear from you. We obviously don't want your
risk results but do want feedback, suggestions and your experience of using
it in the real world so if you have any RA's to do in the last two weeks of
December, can commit to providing some detailed feedback and critique then
please send me an email offline. 

Your time will be rewarded with an ISM-Community t-shirt!

mrsecmgr | 5 Dec 11:33 2006

Study Shows IT Security Holds The Key To Compliance

http://www.informationweek.com/news/showArticle.jhtml?articleID=196601378

Given Symantec were part of this group recommending not spending 
money on expensive consultants, I guess they are disbanding their 
own security consulting team?
By Larry Greenemeier
InformationWeek
Dec 4, 2006

Companies most likely to successfully navigate today's regulatory 
environment need to automate IT security functions rather than blow 
their budgets on pricey consultants or services, and they need to 
do more frequent auditing of the systems and data security. So says 
the IT Policy Compliance Group Monday in its latest report on the 
relationship between regulatory compliance and IT security 
spending.

The group, formed last year by the Computer Security Institute, the 
Institute of Internal Auditors, and Symantec and formerly known as 
the Security Compliance Counsel, began its study assuming that 
larger organizations had more resources to throw at any given 
compliance project. While this is true, they were surprised to 
learn that larger organizations don't necessarily perform better 
than their smaller counterparts when it comes to actually achieving 
compliance, says Jim Hurley, managing director of the IT Policy 
Compliance Group and a director of research for Symantec. "It's not 
a matter of resources, it's what you do with them," he adds.

Nothing has driven spending on IT security products and services 
over the past few years more than the need to comply with a flurry 
of new regulations flowing out of Washington, including the Health 
Information Portability and Accountability Act, Sarbanes-Oxley, and 
Gramm-Leach-Bliley. Last week saw the debut of the newly amended 
Federal Rules of Civil Procedure, which force companies to better 
manage electronically stored information that can be used as 
evidence in civil court cases. There have been 114,000 new 
regulations introduced in North America alone since 1981, Adam 
Losner, VP of finance for the Securities Industry Automation Corp., 
said at a September IT Policy Compliance Group meeting at the 
Interop show in New York. Next year, expect a federal data breach 
notification law to be added to the list.

The IT Policy Compliance Group's study, which surveyed the spending 
patterns of 876 organizations, found that those most successful in 
meeting compliance demands are spending $1 on IT security for every 
$30,000 in revenue, assets under management, or agency budget, 
depending upon the type of organization. Those lagging behind in 
terms of compliance are spending $1 on IT security for every 
$90,000.

Only about 11% of the organizations surveyed reported that they've 
suffered fewer than three compliance problems in the past year. 
Nearly 70% experience between three and 15 IT compliance problems 
annually, while the rest had to correct as many as hundreds of IT 
compliance deficiencies in a single year, a situation that can lead 
to fines as well as the siphoning of resources from other important 
IT projects.

Hurley says a good rule of thumb for compliance spending is to 
allocate more than 10% of the overall IT budget on security 
systems, including configuration change management systems, as well 
as auditing, monitoring, and reporting tools. Other helpful 
investments include software for managing IT security policies, 
standards, controls, and documentation. Another key to successful 
compliance, the group found, is regular auditing. Those that 
audited the security of their systems monthly were far more 
successful at achieving compliance than those who audited only once 
annually.

Hand in hand with this was the observation that organizations are 
better served spending their security dollars on hardware and 
software such as configuration and change management applications, 
antivirus, user-access control systems, and reporting tools, which 
facilitate more frequent audits, rather than spending the money to 
hire more contractors and outside services. Organizations with the 
fewest compliance problems are spending 9% more to automate audit 
functions and 11% less on contractors and outside services.

IT leadership also is an important ingredient in achieving and 
maintaining compliance. "At the board level, executives want to 
know their level of risk related to compliance, so [chief 
information security officers], chief privacy officers, and chief 
risk officers have to be able to connect spending on IT security 
with meeting the demands of various regulations," says Rocco 
Grillo, director of the security practice at risk-assessment firm 
Protiviti, which Monday officially joined the IT Policy Compliance 
Group.


Fred Cohen | 3 Dec 17:39 2006

Some new software I think might be of interest to group members

I recently released two new software products that are available for  
free download and testing. They are called Influence and Security  
Decisions. I thought group members might want to download and try them.

Influence is a software program that applies psychological research  
results to the practical challenges of influencing others. It takes  
information from you about your situations, analyzes them, and tells  
you the risks and rewards for different influence strategies you  
might try. It's kind of like an all seeing eye into the future...

Security Decisions 2007 puts sound information security practices  
into a usable form for decision makers in enterprises of all sizes.  
Make better and well documented security decisions more quickly and  
with a sound basis, starting right now...

Both can be accessed by going to http://all.net/ and pressing on the  
proper picture. This takes you to an information page with a download  
capability. I would love to get feedback from group members.

FC

-- This communication is confidential to the parties it is intended  
to serve --
Fred Cohen & Associates                 tel/fax: 925-454-0171
     http://all.net/              572 Leona Drive      Livermore, CA  
94550

Maarten Van Horenbeeck | 12 Jun 09:41 2006

Re: Convergence

Hi Tom,

> What do y'all think of the trend (according to CSO magazine
> anyways) of converging physical and information security under a
> single span of control?

Great thread, I look forward to reading other people's opinion on this.

This is a trend that I've observed in a number of vertical industries
now, and in my humble opinion it makes perfect sense. I don't see why
"physical" and "information" security should be regarded as two separate
domains. There is a great deal of overlap and a common goal.

All domains of security contribute to the end goal of protecting the
organization's ability to function. This includes protecting the
information systems, applications, employees and data used by the
organization. In order to protect each of these efficiently, actions are
required in the domains of physical security, network security,
communications security and many more.

In order to efficiently address any threats, work needs to be done on a
policy level. The advantages of performing this work under one
management team are obvious: by combining requirements of both domains
in a single corporate-wide policy one can make the resulting set of
policies smaller, better tuned to one another and easier to interpret.

One reason why these were essentially split responsibilities was the
easier match between physical security policy and law. In the past,
breaches of physical security were in fact more likely to lead to the
breach of a certain law. While it was still applicable, this made the
policy aspect matter less, having the teams focus more on deterrence and
enforcement. With the advent of information systems, this line has
become much less clear: a lot of policy work that is done today actually
reflects activities in the physical domain.

Other advantages are obvious in incident response: when a potential
policy breach requires an investigation, an INFOSEC professional often
needs support from the corporate security team. INFOSEC breaches very
easily echo into the domain of physical security and vice versa (think
dumpster diving, social engineering). Further synergies can be identified
in business continuity & disaster recovery and related fields.

Naturally it remains a clash of philosophies: Information Security
departments often consist of people coming from an IT background, often
with a more "experimental" view of risk and security than the same
people within corporate security. This is something that does require
capable and culturally sensitive management to address.

My small prediction is that in the future, as even more business
processes are brought online, parts of competitive intelligence as well
will start moving in the direction of operational security, and as such
corporate security. In a market where the application of information
assets is a requirement to remain competitive, various sorts of crime
will flock towards these assets and efficient intelligence gathering
will become a prerequisite for being able to address them.

Best regards,
Maarten

--

-- 
Maarten Van Horenbeeck, CISSP GCIA GCIH
maarten <at> daemon.be - http://www.daemon.be/maarten

Mark Curphey | 4 May 13:58 2006

PSRC Wiki Update

Hi

Just thought we would let you know we are starting to get some good content
on the PSRC Wiki. There is a long way to go before it's "really" useful, but it's
heading in the right direction. 

I added some content about US Breach Laws yesterday
(http://psrc.wikispaces.com/USABreachLaws)

Michael Smith and Vivek Chudgar have also added some great content about
security frameworks and policies. 

Got something to add? Something to contribute? 

http://psrc.wikispaces.com
