Jan 24 2008

OWASP-SF Meeting

Published under Tech

Tonight was another good OWASP Bay Area meeting. Over 50 people attended the meeting, and I hope these numbers continue to rise.

The first talk was on Adobe Flash security. Here are my notes:

  • Cross-site flashing takes advantage of the HTML Flash parameter allowScriptAccess=always
  • Stefano Di Paola released SWFIntruder a few months ago to help analyze Flash applications at runtime
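
As an added example (not from the talk or this post), a small audit that flags Flash embeds in a page whose allowScriptAccess is set to always, as opposed to the sameDomain or never values. The sample markup and the cdn.example hostname are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample page (assumption for illustration, not from the original post).
SAMPLE_HTML = """
<object type="application/x-shockwave-flash" data="https://cdn.example/widget.swf">
  <param name="movie" value="https://cdn.example/widget.swf">
  <param name="AllowScriptAccess" value="always">
  <embed src="https://cdn.example/widget.swf" allowscriptaccess="Always">
</object>
<object data="/local/player.swf">
  <param name="allowScriptAccess" value="sameDomain">
</object>
<embed src="/local/banner.swf">
"""


class FlashScriptAccessAudit(HTMLParser):
    """Collects (line, tag) for every Flash embed that sets allowScriptAccess=always."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _flag_if_always(self, tag, value):
        # Compare case-insensitively: markup in the wild mixes cases.
        if value is not None and value.strip().lower() == "always":
            line, _ = self.getpos()
            self.findings.append((line, tag))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "param":
            # <object> form: <param name="allowScriptAccess" value="...">
            if (attrs.get("name") or "").strip().lower() == "allowscriptaccess":
                self._flag_if_always(tag, attrs.get("value"))
        elif tag == "embed":
            # <embed> form: the setting is an attribute on the tag itself
            self._flag_if_always(tag, attrs.get("allowscriptaccess"))


def audit(html):
    """Return a list of (line_number, tag) findings for the given HTML text."""
    parser = FlashScriptAccessAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, tag in audit(SAMPLE_HTML):
        print(f"line {line}: <{tag}> sets allowScriptAccess=always")
```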

The second talk was on PCI. I was surprised that the discussion around this topic was lively, as I thought it would be pretty boring. Anyway, here are my notes from this talk.

  • Criminals are getting better
    • Tiny wireless skimmers are point of sale devices
    • In-line wiretaps to record transactions
  • Current PCI spec doesn’t require end-to-end encryption
  • Visa’s PABP - Payment Application Best Practice
  • PA-DSS - PCI Council adapted version of Visa’s PABP
  • Section 6.6 is required by June 30, 2008
    • Requires either a code review or a web application firewall for front facing sites
    • But what defines a code review? Static vs dynamic
  • Section 11.3 talks about pentesting

The next Bay Area meeting will be in the East Bay, probably somewhere in Pleasanton. If you want to give a talk at the next meeting, please drop me a line.

I only took a few pictures at this event, but they can be found on Flickr.

Update: There is a great blog on PCI at pcianswers.com.


1 Comment »

Comment by Mike
2008-01-29 01:28:13

Thank you for the link to our blog. Since I live in SF, had I known about the OWASP meeting covering PCI I would have been there.
