R&D » Uncategorized

Speaking @ 10th Annual SecureIT conference- “Practical Web Application Security and OWASP Top 10 implementation on Microsoft Platform”

Adnan Masood — Tue, 06 Mar 2012 03:23:30 +0000

On March 18th, I will be speaking at the 10th Annual SecureIT conference in a workshop titled “Practical Web Application Security and OWASP Top 10 implementation on Microsoft Platform”. This is a joint session with Tin Zaw, chapter leader and president of OWASP LA.

Here is the abstract.

Practical Web Application Security and OWASP Top 10 implementation on Microsoft Platform

Presenters: Adnan Masood, Tin Zaw

This session is a hands-on introduction to the web application security threats using the OWASP top 10 list of potential security flaws. The OWASP Top Ten provides a powerful awareness list for web application security and represents a broad consensus about what the most critical web application security flaws are.

Focusing on Microsoft platform with examples in ASP.NETand ASP.NETMVC, we will go over some of the common exploits and techniques for writing secure code in the light of OWASP top 10. In this code centric talk, we will discuss built in security features ofASP.NET and MVC such as cross site request forgery token and secure cookies and how to leverage them to write secure code. The OWASP Top 10 Web Application Security Risks for 2010 which will be covered in this presentation include Injection flaws, Cross-Site Scripting (XSS), Broken Authentication and Session Management, Insecure Direct Object References, Cross-Site Request Forgery (CSRF),Security Misconfiguration, Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection and Unvalidated Redirects and Forwards.

Thriving with Paradigm Shifts (or how not to become a dinosaur)

Adnan Masood — Thu, 16 Feb 2012 08:15:07 +0000

Like most production systems, life happens in real time; and there has been several major paradigm shifts happening lately. It’s easy to shrug AJAX off as revamped XMLHTTP from late 90′s but we all know this isn’t exactly the case. With the thought process, frameworks and development around emerging technologies, sands are shifting faster than ever before.

For an outside viewer, changes are huge. What follows is not absolute technology-counterpart-comparison but rather area under the drift. Traditional RDBMS to NoSQL, traditional Web Servers to Node and nginx, from typesafe languages to dynamic typing, tradional MVC (spring/asp.net) to full stack scaffoldings (RoR), HTTP/SOAP to REST/JSON, postbacks to async, scaling up to Hadoop, ACID to CAP, proprietary data centers to cloud and the list goes on. Again, this list is not necessarily an absolute comparison of technology counterparts but these analogies have definitely come a long way since Tim O’Reilly did his famous what is web 2.0 definition and table (see below) in 2005.

Web 1.0		Web 2.0
DoubleClick	–>	Google AdSense
Ofoto	–>	Flickr
Akamai	–>	BitTorrent
mp3.com	–>	Napster
Britannica Online	–>	Wikipedia
personal websites	–>	blogging
evite	–>	upcoming.org and EVDB
domain name speculation	–>	search engine optimization
page views	–>	cost per click
screen scraping	–>	web services
publishing	–>	participation
content management systems	–>	wikis
directories (taxonomy)	–>	tagging (“folksonomy”)
stickiness	–>	syndication

For computer scientists and software engineers with sound foundation in algorithms, operating systems, database systems (including distributed databases), computer networking and enterprise architecture, the situation isn’t quite hostile. There is no need to feel threatened by falling behind the learning curve due to lack of fundamental understanding and aptitude. However one should definitely be concerned if it’s due to, in Seth Godin’s terms, lizard brain laziness in learning and prototyping about these up and coming changes.

The fundamentals of distributed databases hasn’t changed much; however the ever-networked nature of world wide web has made it more plausible then ever to use them in practice. To draw an analogy from OSI model, majority of delta is happening in the application layer. This learning curve can only be overcome through training activities learning and persistent efforts. The same way we have avoided architectural astronauts and anti-patterns by writing code and optimizing it to solve real business and technology problems, it would be bridged by coding up mapreduce or improve technical vocabulary while idling through yet another View Model implementation. At least that’s how I envision it.

“Once a new technology rolls over you, if you’re not part of the steamroller, you’re part of the road.”

-Stewart Brand

Bayesian Inference, Prediction and Decision-Making II Short Course

Adnan Masood — Wed, 26 Oct 2011 23:35:15 +0000

The San Francisco Bay Area Chapter of the American Statistical Association Sponsored One Day Short Course

Bayesian Inference, Prediction and Decision-Making II

November 6, 2011

Lecturer
Professor David Draper
Department of Applied Mathematics and Statistics
Baskin School of Engineering
University of California, Santa Cruz

Lecture notes:(PDF format)

Lecture notes: part 1 (Bayesian model specification) (101 pages)

Lecture notes: part 2 (Bayesian hierarchical modeling) (79 pages)

SGV.NET User Group Meeting – Learning Silverlight 4 w/ Volkan Uzun – Wed 4/21/2010

Adnan Masood — Mon, 19 Apr 2010 13:58:08 +0000

Abstract: Silverlight 4 enhances the building of business applications, media applications, and applications that reach beyond the browser. New features include printing support, significant enhancements for using forms over data, full support in the Google Chrome web browser, WCF RIA services, modular development with MEF, full support in Visual Studio 2010, bi-directional text, web camera and microphone support, rich text editing, improved data binding features, HTML support, MVVM and commanding support, new capabilities for local desktop integration running in the new “Trusted Application” mode such as COM automation and local file access.

While Silverlight turns into a mainstream RIA technology for enterprise level applications; this presentation will focus on and demonstrate a selected group of Silverlight 4 features to highlight its potential. The content will include useful pointers for further study and experimentation.

About the Speaker: Volkan is currently working at California State University as an Information Technology Consultant. He has a passion for creating accessible and secure applications and loves to share his knowledge with the developer community. He was the instructor for the IEDOTNETUG ASP.NET Web Forms class in 2008 and this year he taught teaching ASP.NET MVC. Volkan is holding a MS degree in Computer Science from California State University.

He has been developing softtware since 1999; former companies he worked for include Wincor-Nixdorf and Denizbank; where he was involved in systems engineering and programming. He is certified as MCTS on SQL Server 2005 and MCTS on ASP.NET Web development.

Read Volkan’s blog at http://www.msnetprogrammer.net/blog.

for further details, please check out the San Gabriel Valley .net user group website

Startups For the Rest of Us – A Podcast by Rob Walling

Adnan Masood — Sun, 18 Apr 2010 20:08:07 +0000

I wanted to pass along a bit of info about Rob Walling, the co-founder of San Gabriel Valley .NET Developers group newest project. a podcast!.

The podcast is called Startups for the Rest of Us. Rob’sco-host is Mike Taber, the guy behind SingleFounder.com.

The focus of the podcast is bootstrapped startups and Micropreneurs. A new episode every Tuesday. The first episode is live at the podcast website and you can listen to it in your browser or download the MP3. It also provide full written transcripts of each episode in the show notes. Episodes will be concise and run 20-30 minutes so you can listen during a jog, a short commute or part of a lunch hour.

Check it out if you’re the podcasting type:

iTunes (this link opens iTunes)
RSS
Email

If you listen and like it, find it in iTunes using the link above, rate it and post a comment.

KDD 2010 Educational Data Mining Challenge

Adnan Masood — Sat, 17 Apr 2010 15:33:49 +0000

KDD data mining challenge has we have decided to push back the challenge start date to Monday, April 19 at 2pm EDT due to feedback on development datasets. They are trying to validate the challenge data sets and also have pushed back the competition end date to Tuesday, June 8 at 2pm EDT.

Following is the KDD Data Mining challenge details via the homepage https://pslcdatashop.web.cmu.edu/KDDCup/

This year’s challenge

How generally or narrowly do students learn? How quickly or slowly? Will the rate of improvement vary between students? What does it mean for one problem to be similar to another? It might depend on whether the knowledge required for one problem is the same as the knowledge required for another. But is it possible to infer the knowledge requirements of problems directly from student performance data, without human analysis of the tasks?

This year’s challenge asks you to predict student performance on mathematical problems from logs of student interaction with Intelligent Tutoring Systems. This task presents interesting technical challenges, has practical importance, and is scientifically interesting.

Task description

At the start of the competition, we will provide 5 data sets: 3 development data sets and 2 challenge data sets. Each of the data sets will be divided into a training portion and a test portion. Student performance labels will be withheld for the test portion of the challenge data sets but available for the development data sets. The competition task will be to develop a learning model based on the challenge and/or development data sets, use this algorithm to learn from the training portion of the challenge data sets, and then accurately predict student performance in the test sections. At the end of the competition, the actual winner will be determined based on their model’s performance on an unseen portion of the challenge test sets. We will only evaluate each team’s last submission of the challenge sets.

OWASP and ISSA-LA Meetings

Adnan Masood — Thu, 15 Apr 2010 07:09:06 +0000

Topic: The intersection of social and technical attacks in Web 2.0 applications
Speakers: Mike Bailey and Mike Murray
OWASP April meeting is at 7:30PM on April 21st, at Symantec in Culver City. There will be pizza.

More info: http://www.owasp.org/index.php/Los_Angeles
RSVP: http://owaspla.eventbrite.com/

ISSA-LA also has monthly lunch meeting on April 21st.
http://www.issa-la.org/Default.aspx?id=1086

ISSA-LA is planning “2nd Annual Information Security Summit:
Unleashing The Power of Collaboration”. It is a full day conference on June 16th at UCLA.
http://www.issa-la.org/Default.aspx?id=1086

Last but not least, OWASP AppSec USA 2010 is from September 7-10 at UC
Irvine. Early registration will be open soon. Volunteers are still needed.
http://www.appsecUSA.org

via Tin Zaw.

‘Eureka machine’ works out laws of nature | Science | guardian.co.uk

Adnan Masood — Sat, 10 Apr 2010 07:45:48 +0000

‘Eureka machine’ works out laws of nature | Science | guardian.co.uk.

We’ve reached a point in science where there’s a lot of data to deal with. It’s not Newton looking at an apple, or Galileo looking at heavenly bodies any more, it’s more complex than that,” said Hod Lipson, the computer engineer who led the project. …

Wed April 21st – Web Sites for Mobile Clients using .NET 4.0 w/ Woody Pewit – SGV.NET User Group Meeting

Adnan Masood — Sat, 03 Apr 2010 05:40:41 +0000

This meeting is now changed with Volkan Uzun’s talk on Silverlight 4.

Next User Group Meeting Wed April 21st

Web Sites for Mobile Clients using .NET 4.0 w/ Woody Pewit – SGV.NET User Group Meeting

Abstract: Many developers know how to make great web sites for desktop browsers but how can a developer take that same effort and make sites that look good to mobile browsers? In this talk we will review different mobile browsers and see what they support and how developers can make a website that can look good in a desktop browser and still look good on a mobile browser. We will see some new tools in Visual Studio 2010 that make creating sites like this more productive.

For more details, check out the San Gabriel Valley .NET user’s group website.

10 Immutable Laws of Security

Adnan Masood — Mon, 18 Jan 2010 16:22:31 +0000

Read the following “10 Immutable Laws of Security” on technet recently, thought they are definitely worth sharing; old but worthy gems.

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

Law #5: Weak passwords trump strong security

Law #6: A computer is only as secure as the administrator is trustworthy

Law #7: Encrypted data is only as secure as the decryption key

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

Law #10: Technology is not a panacea