Tonight was another good OWASP Bay Area meeting. Over 50 people attended the meeting, and I hope these numbers continue to rise.

The first talk was on Adobe Flash security. Here are my notes:

  • Cross-site flashing takes advantage of the HTML Flash parameter allowscriptaccess=always
  • Stefano Di Paola released SWFIntruder a few months ago to help analyze Flash applications at runtime
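As an added example, not part of the meeting notes or of SWFIntruder: a small Node.js scanner that lists the Flash embeds in a page's markup and flags those set to allowScriptAccess=always, the setting the talk tied to cross-site flashing. The HTML it scans is constructed sample input.

```javascript
// Added example: find Flash <embed>/<object> tags whose allowScriptAccess is
// "always". Only "always" lets a SWF served from another domain script the
// hosting page; "sameDomain" and "never" do not. SAMPLE_HTML is constructed.
const SAMPLE_HTML = `
<embed src="/player.swf" allowScriptAccess="always" width="300" height="200">
<object data="/banner.swf" type="application/x-shockwave-flash">
  <param name="movie" value="/banner.swf">
  <param name="allowScriptAccess" value="sameDomain">
</object>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
  <param name="movie" value="/legacy.swf">
  <param name="AllowScriptAccess" value="always">
</object>
<embed src="/video.swf" allowScriptAccess="never">
<embed src="/untagged.swf">
`;

// Parse one tag's attribute list into a map keyed by lowercased name.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// One record per Flash embed: { src, allowScriptAccess }. A missing setting is
// reported as "(unset)" rather than assuming a player default.
function findFlashEmbeds(html) {
  const found = [];
  for (const m of html.matchAll(/<embed\b([^>]*)>/gi)) {
    const a = parseAttrs(m[1]);
    found.push({ src: a.src || '(none)', allowScriptAccess: (a.allowscriptaccess || '(unset)').toLowerCase() });
  }
  for (const m of html.matchAll(/<object\b([^>]*)>([\s\S]*?)<\/object>/gi)) {
    const params = {};
    for (const p of m[2].matchAll(/<param\b([^>]*)>/gi)) {
      const a = parseAttrs(p[1]);
      if (a.name) params[a.name.toLowerCase()] = a.value;
    }
    const src = params.movie || parseAttrs(m[1]).data || '(none)';
    found.push({ src, allowScriptAccess: (params.allowscriptaccess || '(unset)').toLowerCase() });
  }
  return found;
}

// Return the src of every embed that grants full script access to the page.
function flagAlways(html) {
  return findFlashEmbeds(html).filter(e => e.allowScriptAccess === 'always').map(e => e.src);
}

console.log(flagAlways(SAMPLE_HTML)); // ['/player.swf', '/legacy.swf']
```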

The second talk was on PCI. I was surprised that the discussion around this topic was lively, as I thought it would be pretty boring. Anyway, here are my notes from this talk.

  • Criminals are getting better
    • Tiny wireless skimmers are point-of-sale devices
    • In-line wiretaps to record transactions
  • Current PCI spec doesn’t require end-to-end encryption
  • Visa’s PABP – Payment Application Best Practice
  • PA-DSS – PCI Council adapted version of Visa’s PABP
  • Section 6.6 is required by June 30, 2008
    • Requires either a code review or a web application firewall for front-facing sites
    • But what defines a code review? Static vs dynamic
  • Section 11.3 talks about pentesting

The next Bay Area meeting will be in the East Bay, probably somewhere in Pleasanton. If you want to give a talk at the next meeting, please drop me a line.

I only took a few pictures at this event, but they can be found on Flickr.

Update: There is a great blog on PCI at