We are pleased to announce our November meeting. It will be held on November 7, 2013 in Reston. Food and drinks will be provided as always. Our presenter this month is local to Northern Virginia and has been a regular attendee and contributor for a long time.
Fire talks are always welcome, as well. If you have something you want to share with the group (tools, techniques, current events, etc.) bring it with you and don't worry about slides.
Abstract: CSRF: Not All Defenses Are Created Equal
CSRF is an often misunderstood vulnerability. In this talk I will introduce CSRF and the basic defenses against it. Then I will go through all of the various major solutions and describe how they implement the general solution and the positives and negatives of each implementation.
The general solution is to implement the synchronizer token pattern. This is usually done in the framework and not by the individual developer. For example, .NET applications can use AntiForgeryToken (for MVC applications) or ViewStateUserKey. The Tomcat web server and F5 load balancers also now include CSRF prevention filters. OWASP, of course, has CSRFGuard. All of these solutions, though, are slightly different and can lead to different side effects, some of which are little understood and poorly documented. Some side effects can impact usability, or cause worse security problems while trying to defend against CSRF.
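For readers who have not seen the synchronizer token pattern spelled out, here is a small framework-free sketch of it. It is an added illustration for this announcement, not code from the talk or from any of the products named above. A plain dict stands in for the server-side session store, and the helper names (issue_token, render_form, verify_request and the scenario functions) are hypothetical. The last scenario shows one of the usability side effects the abstract alludes to: rotating the token on every request breaks a form the user already has open in a second tab.

```python
"""Synchronizer token pattern, framework-free (added example, hypothetical names).

The session is modelled as a plain dict; a real app would keep it server-side
keyed by the session cookie.
"""
import hmac
import secrets

TOKEN_FIELD = "csrf_token"


class CsrfError(Exception):
    """Raised when a state-changing request fails the token check."""


def issue_token(session, rotate=False):
    """Return the session's synchronizer token, minting one on first use.

    rotate=True mints a fresh token on every call (per-request tokens):
    stricter, but it invalidates any form already rendered in another tab.
    """
    if rotate or TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_form(session, action, rotate=False):
    """Template step: embed the session's token as a hidden form field."""
    token = issue_token(session, rotate)
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
            f'<input type="submit"></form>')


def verify_request(session, method, form):
    """Filter step: a state-changing request must echo the session's token.

    A cross-site page can make the victim's browser send the session cookie,
    but it cannot read the victim's page, so it cannot learn the token.
    """
    if method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True  # safe methods carry no token; they must not change state
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if expected is None or submitted is None:
        raise CsrfError("missing CSRF token")
    # constant-time comparison so the check cannot be timed byte by byte
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        raise CsrfError("CSRF token mismatch")
    return True


def outcome(session, method, form):
    """Run the check and report the result as a string."""
    try:
        verify_request(session, method, form)
        return "accepted"
    except CsrfError as err:
        return f"rejected: {err}"


def forged_post_is_rejected():
    """Attacker's page auto-submits a POST: the cookie rides along, the token does not."""
    session = {}
    render_form(session, "/transfer")
    return outcome(session, "POST", {"amount": "1000", "to": "attacker"})


def legitimate_post_is_accepted():
    """The real form echoes the hidden field the server rendered for this session."""
    session = {}
    render_form(session, "/transfer")
    return outcome(session, "POST", {TOKEN_FIELD: session[TOKEN_FIELD], "amount": "10"})


def per_request_tokens_break_second_tab():
    """Side effect of per-request rotation: open the form in two tabs, submit the first."""
    session = {}
    render_form(session, "/transfer", rotate=True)
    tab1_token = session[TOKEN_FIELD]
    render_form(session, "/transfer", rotate=True)  # second tab rotates the token
    return outcome(session, "POST", {TOKEN_FIELD: tab1_token, "amount": "10"})


if __name__ == "__main__":
    print("forged POST:      ", forged_post_is_rejected())
    print("legitimate POST:  ", legitimate_post_is_accepted())
    print("stale tab, rotate:", per_request_tokens_break_second_tab())
```

The per-session variant (rotate=False) is what most of the frameworks named above default to; the per-request variant is the one that produces the "back button and multiple tabs stop working" complaints, which is exactly the kind of trade-off the talk is about.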
Ari has been in infosec for about 10 years. A former penetration tester, he has since migrated over to the defensive side, and spends most of his time working with developers trying to address application security concerns, and trying to bridge the gap between development and security. He can be found at www.defensium.com.