Welcome to the home page for Mozilla Web Application Security. This page provides security information related to Mozilla-hosted web applications and web services.
== Secure Development Guidance ==
[[WebAppSec/Web_App_Severity_Ratings|Web Application Security Severity Ratings]]
[[WebAppSec/Secure_Coding_Guidelines|Secure Coding Guidelines]]
[[WebAppSec/Security_Review_Request|Security Review Request]]
[[WebAppSec/Wordpress_Security_Review_Process|Wordpress Theme or Plugin - Security Install Process]]
== Filing a Web Security Bug ==
For instructions regarding the use of Bugzilla to file a web security bug, visit: [[WebAppSec/Filing_In_Bugzilla|Filing a Web Security Bug in Bugzilla]]
== Presentations ==
The Infrastructure Security team presents on various security topics on a regular basis. These sessions are free and open to anyone who would like to attend. Remote attendees can watch the presentations live on air.mozilla.org.
=== Schedule - 2012 ===
=== Schedule - 2011 Archive ===
==== '''April 23, 2011 - Stanford Open Source Bootcamp''' ====
* Topic: Securing Web Applications through Hands-On Security Hacking
* Slides: [http://people.mozilla.org/~mcoates/WebAppSec-Training.html Securing Web Applications]
==== '''[https://wiki.mozilla.org/WebAppSec/Presentations/2011-07-14-MobileHacking July 14, 2011 - Mobile Hacking]''' ====
* Topic: Blake Turrentine presents Mobile Hacking courseware for BlackHat 2011
* Time: 6pm-9:30pm Pacific
* Location: Mountain View (10 Forward) (Sorry, no streaming)
* Remote Participation: No, the lab element requires in-person attendance
* Limited Space - [https://wiki.mozilla.org/WebAppSec/Presentations/2011-07-14-MobileHacking#RSVP RSVP Required]
==== '''July 20, 2011 - Hands-On Hacking Brownbag - Cross Site Scripting''' ====
* Topic: Cross Site Scripting
* Time: 12pm-1pm Pacific
* Location: Mountain View (10 Forward)
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org]
* '''''Important''''' Lab Setup - Please set up your VM test instance prior to the session - [http://people.mozilla.org/~mcoates/WebSecurityLab.html#installation instructions]
* 10 minute online video - [http://www.youtube.com/watch?v=_Z9RQSnf8-g&feature=channel_video_title Cross Site Scripting]
* Archived [http://www.slideshare.net/michael_coates/cross-site-scripting-mozilla-security-learning-center Slides]
==== '''August 16, 2011 - Hands-On Hacking Brownbag - SQL Injection''' ====
* Topic: SQL Injection
* Time: 12pm-1pm Pacific
* Location: Mountain View (10 Forward)
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org]
* Lab Setup - Please set up your VM test instance prior to the session - [http://people.mozilla.org/~mcoates/WebSecurityLab.html instructions]
* 10 minute online video - [http://www.youtube.com/watch?v=pypTYPaU7mM&feature=channel_video_title Injection Attacks]
* Archived [http://www.slideshare.net/michael_coates/sql-injection-mozilla-security-learning-center Slides]
==== '''August 25, 2011 - OWASP Bay Area Chapter Meeting''' ====
* Topic: Application Security Topics
** 6:00 PM - 6:30 PM: Check-in, registration, networking
** 6:30 PM - 6:35 PM: Welcome Remarks/Agenda - Mandeep Khera
** 6:35 PM - 7:45 PM: Enabling Browser Security in Web Applications - Michael Coates, Mozilla
** 7:45 PM - 8:30 PM: Blackhat Spam SEO - Julien Sobrier, Zscaler
* Time: 6pm-9:30pm Pacific
* Location: Mountain View (10 Forward)
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org]
* RSVP Required (for in-person attendance) - [http://www.regonline.com/owaspsiliconvalleychaptermeeting RSVP Here]
==== '''September 21, 2011 - CEF Logging for Attack Aware Applications''' ====
* Topic: Implementing CEF (Common Event Format) logging to improve the security of web-based applications
* Time: 12pm-1pm Pacific
* Location: Mountain View (10 Forward)
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org]
* Archived Video, Slides - will be available after the session
==== '''December 5, 2011 - Cross-Site Request Forgery and other cross-domain technologies''' ====
* Topic: Dealing with CSRF; the talk will also cover Cross-Origin Resource Sharing (CORS) and the postMessage API
* Time: 12pm-1pm Pacific
* Location: Mountain View (10 Forward)
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org]
* Archived Video, Slides - will be available after the session
==== '''December 14, 2011 - What You See and What You Get - An Attacker's Perspective''' ====
* Topic: The talk covers how an attacker views a software system, how that differs from more common perspectives, and what that teaches us about how to build secure products
* Time: 5-6pm GMT
* Location: Adsetts Learning Center (room 6619), Sheffield Hallam University, UK
* Remote Participation: No
* Archived Video - to be made available soon
==== Future Topics ====
* Future topics: Content Security Policy, Strict Transport Security, Clickjacking & X-Frame-Options
* Hands-On Hacking classes planned for each month
* Submit an idea for a topic or brownbag to webappsec@mozilla.org
== Security Learning Materials ==
=== Online Videos ===
* [http://www.youtube.com/user/AppsecTutorialSeries 10 Minute Security Training Videos] (more to come)
** [http://www.youtube.com/watch?v=CDbWvEwBBxo Application Security Basics]
** [http://www.youtube.com/watch?v=pypTYPaU7mM&feature=related Injection Attacks]
** [http://www.youtube.com/watch?v=_Z9RQSnf8-g&feature=channel_video_title Cross Site Scripting]
** Additional videos under development
=== Security Presentations ===
* [http://www.slideshare.net/michael_coates/cross-site-scripting-mozilla-security-learning-center Cross Site Scripting Basics]
* [http://www.slideshare.net/michael_coates/sql-injection-mozilla-security-learning-center SQL Injection Basics]
=== Security Guides ===
* [https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet XSS Prevention Cheat Sheet]
* [https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet SQL Injection Prevention Cheat Sheet]
=== Good Reads ===
* [https://www.owasp.org/index.php/Top_10_2010 OWASP Top 10 Application Security Risks]
== Mozilla WebAppSec Mailing List ==
Interested in discussing web application security concerns and their impact on Mozilla web applications? Then this is the list for you. Please note that this is a public list and is not the appropriate channel for discussing open security vulnerabilities; please file a bug in Bugzilla instead.
webappsec@mozilla.org
https://mail.mozilla.org/listinfo/webappsec
Infrastructure Security Blog - http://blog.mozilla.com/webappsec/