
Entries in OWASP (9)


AppSec USA 2013 in NYC!

Next week the GDS and SendSafely teams will be at the 2013 OWASP AppSec USA conference, right here in New York City. If you are interested in attending and not already registered for the conference you can do so on the AppSec USA website at (use our discount code EXPO_GDS to receive a free Expo pass). The talks look great and we couldn’t be more excited about it being hosted in our very own hometown!

Several members from our team will be presenting at this year’s conference. Ron Gutierrez will be presenting the “Contain Yourself: Building Secure Containers for Mobile Devices” talk covering the use of Secure Containers and related techniques on mobile devices, their advantages, disadvantages, and limitations from a security perspective. Ron speaks on Thursday, November 21st at 9am. For more details on the talk visit

Brian Holyfield and Erik Larsson will be presenting a talk on lessons learned while implementing Content Security Policy for  Be sure to mark your schedule and attend “Pushing CSP to PROD: Case Study of a Real-World Content-Security Policy Implementation” on Wednesday, November 20th at 3pm. For more details on the talk visit

If you are planning to attend, please be sure to stop by our booth (#33) during the conference to say hello! 


Securing Development with PMD 

Back in April I presented my Securing Development with PMD (Teaching an Old Dog New Tricks) presentation at OWASP AppSec DC. The main idea was to demonstrate how security can be integrated into development without introducing new tools to existing developer toolsets. As an example, I discussed how PMD, a well-known open source static analysis tool that finds code quality issues in Java source code, can be extended with custom rules to find common application security bugs. With minimal change to existing PMD deployments and without having to learn to use another new tool, Java developers can identify and remediate both code quality and security bugs together. You can download my presentation here and the latest version of the GDS Secure Coding Ruleset for PMD can be found on our GitHub web page here. I encourage developers as well as pen-testers to use and improve the ruleset. Enjoy!
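To make the idea concrete, here is an added example of what a custom PMD security rule looks like. It is not taken from the GDS Secure Coding Ruleset or from the presentation; it assumes PMD 5's ruleset format, PMD 5's Java AST node names (PrimaryExpression, PrimaryPrefix, PrimarySuffix, Arguments, ArgumentList, AdditiveExpression) and XPath 2.0 support via the XPathRule "version" property. The rule flags JDBC Statement calls whose SQL argument is built with the "+" operator, the classic SQL injection pattern, and the rule and class names are illustrative.

```xml
<?xml version="1.0"?>
<!-- Added example ruleset; not part of the GDS Secure Coding Ruleset.
     Assumes PMD 5's Java AST node names and XPath 2.0 support (the
     "version" property). Rule and file names are illustrative. -->
<ruleset name="Example Security Rules"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd">

  <description>Example: flag JDBC statements built by string concatenation.</description>

  <!-- Matches stmt.executeQuery("..." + x) and getStatement().execute(sql + x).
       When the receiver is a plain variable the method name is part of the
       PrimaryPrefix/Name image ("stmt.executeQuery"); when the receiver is
       itself a call, the method name is a separate PrimarySuffix. -->
  <rule name="SqlBuiltByConcatenation"
        language="java"
        message="SQL statement built by string concatenation; use a PreparedStatement with bound parameters"
        class="net.sourceforge.pmd.lang.rule.XPathRule">
    <description>
      Flags calls to Statement.execute/executeQuery/executeUpdate whose first
      argument contains a '+' expression. Concatenating untrusted input into
      SQL text is the classic SQL injection pattern.
    </description>
    <priority>1</priority>
    <properties>
      <property name="version" value="2.0"/>
      <property name="xpath">
        <value><![CDATA[
//PrimaryExpression
  [ PrimaryPrefix/Name[ends-with(@Image, '.executeQuery') or
                       ends-with(@Image, '.executeUpdate') or
                       ends-with(@Image, '.execute')]
    or PrimarySuffix[@Image = 'executeQuery' or
                     @Image = 'executeUpdate' or
                     @Image = 'execute'] ]
  [ PrimarySuffix/Arguments/ArgumentList/Expression[1]//AdditiveExpression ]
]]></value>
      </property>
    </properties>
    <example><![CDATA[
public class UserDao {
    public ResultSet find(Statement stmt, String name) throws SQLException {
        // flagged: untrusted 'name' concatenated into the query text
        return stmt.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
    }
}
]]></example>
  </rule>
</ruleset>
```

Save it as a ruleset file and point an existing PMD run at it (for the PMD 5 command line, something like `pmd -d src/main/java -R example-rules.xml -f text`), so the security findings show up in the same report as the code quality ones. Note the limits of a purely syntactic rule: it has no type resolution, so an `execute(a + b)` call on a non-JDBC type is a false positive, and a query assembled in a separate variable before the call is a false negative. That trade-off is acceptable for a first triage rule, and is the same one the code quality rules in PMD already make.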


OWASP NYC Slides Posted

The deck from my recent OWASP session has been posted.

The discussion focused on identifying and exploiting Padding Oracles in custom web applications, and walked through specifics on how to use PadBuster in a variety of common scenarios. Hopefully those using PadBuster will find the second half of the deck a useful reference.


Slides & Code from OWASP Appsec DC Posted

The slides from the "Unlocking the Toolkit: Attacking Google Web Toolkit" talk I gave at OWASP Appsec DC last week are available for download on the OWASP Appsec DC Wiki Page. Additionally, the source code for the GWTFuzzer proof of concept tool that was demonstrated during the talk, as well as updated versions of the GWTEnum and GWTParse tools, can be downloaded on github.


OWASP NYNJMetro - Pentesting Adobe Flex Applications

I've uploaded my slides from the presentation I gave last week at the OWASP NYC Chapter on Pentesting Adobe Flex Applications.

In an upcoming post, I'll describe in detail working with custom objects and how to craft AMF messages containing them and other data types.