Anurag Agarwal - Application Security Evangelist

Anurag Agarwal's Threat Modeling Blog

Updated: 2018-01-17T16:21:31.260-05:00


Test your knowledge on Encryption with our latest quiz


After a summer of high profile attacks on encryption, including password, credit card and private user information exposure, new attacks on SSL and just plain lack of encryption altogether on important data, it seems like something as critical as implementing encryption throughout an organization is a difficult and expensive task requiring skilled experts. But with terabytes of information on

Application Security Quiz


After speaking with a lot of developers we realized they are looking for a fun, quick way to enhance their knowledge about the secure coding aspects of development. We have put together a series of interactive quizzes which test security professionals’ and software developers’ secure development awareness while teaching them how to build more secure software. Please find links to the first two

OWASP Top 10 Quiz


We had recently developed a quiz to help an organization test their developers' knowledge of the OWASP Top 10. I thought it would be a good idea to make it public and let other organizations use it for their development teams as well. This is a very basic quiz, but I do plan to add different levels and more questions to it and bring randomness into the questions as well. I would greatly appreciate any

OWASP threat modeling project


We are starting an OWASP threat modeling project to standardize a threat modeling approach which can be used by various companies. During the OWASP Portugal Summit I had a very meaningful and positive discussion on this topic and got support from a lot of people in the community. You can find the results of the discussion at the OWASP Threat Modeling project page. If you would like to join

Intellipass - A behavior based password lockout mechanism


I am pleased to announce Intellipass (a behavior based password lockout mechanism). Most of the password lockout mechanisms today are static, which means they lock a user out after a certain number of incorrect password attempts. This feature is implemented to prevent brute force attempts against the login functionality. Even though this feature does what it's supposed to, it has its own

Free Hands on Workshop on Web Application Security in New York City


Ever wondered how a hacker hacks all these credit cards? Do you think hacking a website is difficult? What are the skills required to hack a website? ISSA NY Metro chapter is organizing a 3 hour workshop on web application security. This session will show you how easy it is to steal credit card numbers, SSN, etc. by doing a SQL injection attack or how you can steal passwords, hijack a session

MyAppSecurity - Secure Your Applications


As some of you know, I joined WhiteHat Security as Director of Education Services in Dec 2007 to build their training division from scratch. Though it has been a very demanding job, it has been very satisfying too. I enjoyed working with various companies, training their developers and QA professionals and resolving their web application security issues. Through training, I not only

WASSEC Project Leader Change Announcement


There is going to be a new project leader (Brian Shura : bshura73_at_gmail_dot_com) for WASSEC (Web Application Security Scanner Evaluation Criteria) as of today. The leadership change will help me free up some time to work on other projects. We've identified an excellent candidate who will take over WASSEC from where I left off. I have already given him an overview of the project, its status and the

OWASP AppSec India Conference 2008


OWASP Delhi Chapter is hosting a grand application security event in New Delhi, India. With a lot of executives and business folks also attending the event, it clearly shows the attention web application security is getting in India, and I am sure a lot of it could also be because India is one of the major offshore development hubs for US projects and most of these companies sending projects

WASC OWASP Party @ Blackhat


WASC-OWASP Party at Blackhat. Blackhat Vegas is around the corner. Our WASC-OWASP party last year rocked, with around 300 people showing up. There was a huge line outside the Shadow Bar and it was by far the best party at Blackhat last year. If you weren't able to make it last year, do not miss it this time. Get your wristband from Breach's booth at Blackhat. Join the leading minds in web application

Web Application Security Summit


SANS and WASC have organized a Web Application Security Summit in Vegas.

Web Application Security Summit
Jeremiah Grossman, Summit Chair, with Robert "RSnake" Hansen, Gary McGraw, and Caleb Sima
June 2-3, 2008 • Paris Hotel & Casino • Las Vegas, NV

On June 2-3, various application security folks working in the enterprises will share the lessons learned in their application security initiatives. Case

RSA Conference Pictures


RSA Conference 2008 is almost over. As usual there were so many companies showcasing their products and services, or in some cases just a little bit of fun like video games, rock climbing, etc. I personally think there were more companies talking about web application security than last year. We still need some more companies with secure SDLC solutions to come out there. In addition, there were

WASC meetup at RSA - pictures


WASC meetup at RSA was a huge success. More than 100 people showed up and it was a lot of fun sharing ideas and experiences with our peers. I am posting some of the pictures I took below.

Caleb Sima (HP), Robert Auger (WASC)
Neil Daswani (Google), Robi Papp (Accuvant)
Pool was so much fun.
Dawn Van Hoegaerdan (WhiteHat Security), Jeremiah Grossman, Rachel Miller (Shift Communications)
Dawn, James(

Malware installation attempt via phishing


I got this email yesterday and it immediately caught my attention, maybe due to the recent news about malware being installed via legitimate websites. Or maybe because most of the previous phishing attempts were about stealing usernames/passwords. This one is about installing something on their machine (which I am sure is some sort of malware). This might be a shift in the approach and of course it makes a

WASC meetup at RSA


RSA conference is around the corner and a lot of people from the webappsec field will be coming over to the conference. This is a perfect opportunity to meet with your peers. To facilitate that, WASC is organizing a meetup on April 9, 2008, 12pm to 2pm. WhiteHat Security has graciously agreed to sponsor the event. Please click on the image to see a larger version of the invite. Last year WASC

Certification for Web Application Security Professional


Web Application Security Consortium and SANS have partnered together to define, train, test and certify individuals. WASC is a leading web application security organization and SANS is a leader in training and certification. Together they have the subject matter expertise and process expertise to make this a huge success.

Why do we need this certification? As more and more software is moving to

New IRS Scam via SMS messages


I got a text message today which said "NOTICE You have .30 IRS UNITS pending for refunding, complete the form ASAP". My first reaction was "What the f***" but then I started thinking "Could it be IRS?", and if yes, then "Why send an SMS?" Then my paranoid mind started working and even though I haven't heard of a scam

IETF starts working on security requirements for HTTP


Andre sent me a link on "Security Requirements for HTTP". It is exciting to see that at least the security issues of the HTTP protocol are being addressed by IETF. This is a first draft; they are starting by identifying the problems and will address them in the final part of this document. IESG practice dictates that IETF

Do you have to fix XSS vulns to be PCI Compliant? ScanAlert Says No


I was reading Jeremiah's blog about ScanAlert's response: "ScanAlert - XSS is not our problem". I had blogged earlier about "Should ScanAlert be revoked of their PCI Scanning abilities?" The interesting thing here is that if Hacker Safe is not detecting XSS attacks, I can bet they would not be detecting SQL injection attacks as well. So, what part of web application attacks are they trying to detect

The Fortification Movie


Last week I went to see the documentary by Fortify on "The New Face of Cybercrime". I went there thinking that it would be something that shows what cybercrime is all about and how bad guys are breaking into websites to steal credit card numbers, SSN, etc. and selling them on the black market to make money. Basically a visual representation of what we deal with, day in, day out. But it turned out

Calling all web hacks of 2007


Jeremiah Grossman is trying to gather all the neat research behind the web hacks of 2007. "The hardest part is collecting a rather complete list of references to vote on, they're all over the place, so that's the reason for this post. Below is what I've gathered so far, and if you know of others, please comment them in with the title and link and I'll add them. In the next few days the list will be

Should ScanAlert be revoked of their PCI Scanning abilities?


I was passed this link today about "Hacker Safe Website gets hit by Hacker". For those who don't know, Hacker Safe is a service provided by ScanAlert (which is set to be acquired by McAfee). I am not going to go into the details of how safe the sites displaying the "Hacker Safe" logo are. I don't even want to go into the details of what level of scanning services are provided by ScanAlert

AppSec 2007 pictures of breach party


OWASP and WASC AppSec Conference is over and it was by far the best conference I have ever been to. I was able to meet up with so many fantastic people, some of whom I have exchanged emails with before, and it was good to see them in person. The conference topics and the presentations were really good. It was also my first time moderating a panel and it was a great experience. With such a sensitive

Who are the real culprits for PCI compliance?


There was an article in SearchSecurity today on the TJX issue: "Don't blame PCI DSS for TJX troubles, IT pros say"
,289142,sid14_gci1280854,00.html?track=sy160&asrc=RSS_RSS-10_160

Here is an excerpt from the article: The auditor said TJX passed a PCI DSS check-up, but that the auditor failed to notice some key problems. "They had no network monitoring and

Panel discussion on Website Vulnerability Disclosure during AppSec Conference on Nov 15


As most of you know, the OWASP-WASC AppSec Conference is being held at eBay between Nov 12 and Nov 15, including the training sessions. There are many exciting topics to look forward to in the conference, not to forget the vendor parties at the end of the day. One of the things I am excited about is the panel discussion on Website Vulnerability Disclosure (which I will be moderating). We have some