Network security has made some major advances in the past couple of decades, so much so that it has become incredibly difficult to attack a well-secured network perimeter as a means of accessing the data and systems contained therein. So it’s no wonder that malicious users have begun pursuing other avenues and skirting the perimeter defenses altogether. From the attacker’s standpoint, breaching a network is all about economics and ROI. It just doesn’t make sense to mount an attack that will cost substantially more time and resources when an easier path presents itself. How has this become possible? It’s simple: network defenses generally work in a very binary fashion; either a user is allowed access, or they are not. So when an administrator makes the decision to allow anonymous traffic into the network on port 80, they are inadvertently creating a tunnel through the perimeter defenses. This alone would not be an issue, but unfortunately, layer 7 has not received the same level of attention from the security industry as its layer 3 counterparts. With the majority of traffic on port 80 going unchecked, it makes far more sense to target the web servers behind the perimeter as a primary entry point. Once a successful breach has occurred, the attacker can then utilize the compromised web server as a jumping-off point to the other systems within the network, completely bypassing perimeter defenses.
This group is intended to bring security-conscious IT professionals together to both learn and discuss various topics as they relate to layer 7 security, and specifically web security. Events in this group will range from educational sessions, penetration testing tutorials, hacking demonstrations, hacking competitions and challenges, and discussion panels to hands-on workshops. The content of the events will also range from beginner to advanced; the designation of each will be posted in the event description.
The primary audience for this group is web developers, but the information presented should be useful to a wide range of professionals. Advanced sessions are more likely to be code-heavy and technical in nature, while beginner sessions will be higher level and focus more on concepts than on examples and techniques.