Welcome to the home page for Mozilla Web Application Security. This page provides security information related to Mozilla-hosted web applications and web services.

== Secure Development Guidance ==

[[WebAppSec/Security_Review_Request|Security Review Request]]

[[WebAppSec/Wordpress_Security_Review_Process|Wordpress Theme or Plugin - Security Install Process]]

== Filing a Web Security Bug ==

For instructions regarding the use of Bugzilla to file a web security bug, visit: [[WebAppSec/Filing_In_Bugzilla|Filing a Web Security Bug in Bugzilla]]

== Presentations ==

Infrastructure Security presents on various security topics on a regular basis. These courses are free and open to anyone who would like to attend. For those who are remote, please join us on air.mozilla.org to watch the presentation.

=== Schedule-2012 ===

=== Schedule-2011-Archive ===

==== '''April 23, 2011 - Stanford Open Source Bootcamp''' ====
* Topic: Securing Web Applications through Hands On Security Hacking
* Slides: [http://people.mozilla.org/~mcoates/WebAppSec-Training.html Securing Web Applications]

==== '''[https://wiki.mozilla.org/WebAppSec/Presentations/2011-07-14-MobileHacking July 14, 2011 - Mobile Hacking]''' ====
* Topic: Blake Turrentine presents Mobile Hacking courseware for BlackHat 2011
* Time: 6pm-9:30pm Pacific
* Location: Mountain View (10 Forward) (Sorry, no streaming)
* Remote Participation: No, lab element requires in-person attendance
* Limited Space - [https://wiki.mozilla.org/WebAppSec/Presentations/2011-07-14-MobileHacking#RSVP RSVP Required]

==== '''July 20, 2011 - Hands-On Hacking Brownbag - Cross Site Scripting''' ====
* Topic: Cross Site Scripting
* Time: 12pm-1pm Pacific
* Location: Mountain View (10 Forward)
* Remote Participation: Yes, streaming via air.mozilla.org
* '''''Important''''' Lab Setup - Please set up your VM test instance prior to the session - [http://people.mozilla.org/~mcoates/WebSecurityLab.html#installation instructions]
* 10 minute online video - [http://www.youtube.com/watch?v=_Z9RQSnf8-g&feature=channel_video_title Cross Site Scripting]
* Archived [http://www.slideshare.net/michael_coates/cross-site-scripting-mozilla-security-learning-center Slides]

==== '''August 16, 2011 - Hands-On Hacking Brownbag - SQL Injection''' ====
* Topic: SQL Injection
* Time: 12pm-1pm Pacific
* Location: Mountain View (10 Forward)
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org]
* Lab Setup - Please set up your VM test instance prior to the session - [http://people.mozilla.org/~mcoates/WebSecurityLab.html instructions]
* 10 minute online video - [http://www.youtube.com/watch?v=pypTYPaU7mM&feature=channel_video_title Injection Attacks]
* Archived [http://www.slideshare.net/michael_coates/sql-injection-mozilla-security-learning-center Slides]

==== '''August 25, 2011 - OWASP Bay Area Chapter Meeting''' ====
* Topic: Application Security Topics
** 6:00 PM - 6:30 PM: Check-in, registration, networking
** 6:30 PM - 6:35 PM: Welcome Remarks/Agenda - Mandeep Khera
** 6:35 PM - 7:45 PM: Enabling Browser Security in Web Applications - Michael Coates, Mozilla
** 7:45 PM - 8:30 PM: Blackhat spam SEO - Julien Sobrier, Zscaler
* Time: 6pm-9:30pm Pacific
* Location: Mountain View (10 Forward)
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org]
* RSVP Required (for in person) - [http://www.regonline.com/owaspsiliconvalleychaptermeeting RSVP Here]

==== '''September 21, 2011 - CEF Logging for Attack Aware Applications''' ====
* Topic: Implementing CEF logging to improve the security of web-based applications
* Time: 12pm-1pm Pacific
* Location: Mountain View (10 Forward)
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org]
* Archived Video, Slides - Will be available after the session

==== '''December 5, 2011 - Cross-Site Request Forgery and other cross domain technologies''' ====
* Topic: Dealing with CSRF; the talk will also cover Cross-Origin Resource Sharing and the postMessage API
* Time: 12pm-1pm Pacific
* Location: Mountain View (10 Forward)
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org]
* Archived Video, Slides - Will be available after the session

==== '''December 14, 2011 - What You See and What You Get - An Attacker's Perspective''' ====
* Topic: The talk covers how an attacker views a software system, how that differs from more common perspectives, and what that teaches us about how to make secure products
* Time: 5-6pm GMT
* Location: Adsetts Learning Center (room 6619), Sheffield Hallam University, UK
* Remote Participation: No
* Archived Video - to be made available soon

==== Future Topics ====
* Future topics: Content Security Policy, Strict Transport Security, Clickjacking & X-Frame-Options
* Hands-On Hacking Classes Planned For Each Month
* Submit an idea for a topic or brownbag to webappsec@mozilla.org

== Security Learning Materials ==

=== Online Videos ===
* [http://www.youtube.com/user/AppsecTutorialSeries 10 Minute Security Training Videos] (More to come)
** [http://www.youtube.com/watch?v=CDbWvEwBBxo Application Security Basics]
** [http://www.youtube.com/watch?v=pypTYPaU7mM&feature=related Injection Attacks]
** [http://www.youtube.com/watch?v=_Z9RQSnf8-g&feature=channel_video_title Cross Site Scripting]
** Additional videos under development

=== Security Presentations ===
* [http://www.slideshare.net/michael_coates/cross-site-scripting-mozilla-security-learning-center Cross Site Scripting Basics]
* [http://www.slideshare.net/michael_coates/sql-injection-mozilla-security-learning-center SQL Injection Basics]

=== Security Guides ===
* [https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet XSS Prevention Cheat Sheet]
* [https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet SQL Injection Prevention Cheat Sheet]

=== Good Reads ===
* [https://www.owasp.org/index.php/Top_10_2010 OWASP Top 10 Application Security Risks]

== Mozilla WebAppSec Mailing List ==

Interested in discussing web application security concerns and their impact on Mozilla web applications? Then this is the list for you. Please note that this is a public list and is not the appropriate channel to discuss open security vulnerabilities (please file a bug in Bugzilla instead).

webappsec@mozilla.org

https://mail.mozilla.org/listinfo/webappsec

Infrastructure Security Blog - http://blog.mozilla.com/webappsec/