The future (and past) of web application security: how to detect and protect against value attacks (presented at AusCERT 2009)

by Andrew Stock

Summary: 2008 was a bumper year for value attacks. Criminals are finally getting over the sophomoric desire to own large numbers of hosts and are turning their attention to getting a lot of money instead. This is bad if you have stuff the criminals want.
Unfortunately, web application scanners (source and dynamic) cannot easily (if at all) detect or scan for this entire class of attack, because the weakness lives in the business process rather than in a single input field; you need to do the hard work yourself.
In this presentation, you'll learn how to:
* Figure out where the value in your application is
* Identify weaknesses in your processes by identifying all the paths to your assets
* Protect your application against value and process attacks by careful and minor changes to your design
* Identify whether folks are trying to do 'interesting' things using ESAPI's intrusion detector classes
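As an added illustration of the last two points (this is example code written for this page, not the presenter's material and not ESAPI's own implementation), the Python sketch below mirrors the idea behind ESAPI's intrusion detector: the application reports named security events, and a per-user threshold (a count within a sliding time window) decides when to act. The value check itself re-derives price from a server-side catalogue and rejects non-positive quantities, so a tampered client-supplied price never reaches the total. The event names, thresholds, catalogue prices and the request log are all constructed sample data.

```python
"""
Simplified, ESAPI-style intrusion detection applied to value attacks.

Added example: it follows the shape of ESAPI's IntrusionDetector (report a
named event; a threshold of N events within T seconds triggers actions) but
is not ESAPI code. Catalogue, thresholds and request log are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Threshold:
    count: int        # events needed within the interval to trigger
    interval: float   # sliding window length in seconds
    actions: tuple    # what to do when tripped, e.g. ("log", "logout")


class IntrusionDetector:
    """Counts named events per user in a sliding window and fires actions."""

    def __init__(self, thresholds):
        self.thresholds = thresholds
        self.history = defaultdict(deque)   # (user, event) -> timestamps
        self.alerts = []                    # (user, event, ts, actions)

    def add_event(self, user, event, ts):
        th = self.thresholds.get(event)
        if th is None:                      # unconfigured event: count nothing
            return None
        window = self.history[(user, event)]
        window.append(ts)
        while window and ts - window[0] > th.interval:   # drop stale entries
            window.popleft()
        if len(window) >= th.count:
            window.clear()                  # reset so the alert fires once per burst
            self.alerts.append((user, event, ts, th.actions))
            return th.actions
        return None


# Server-side source of truth for value; the client never sets these.
CATALOGUE = {"widget": 1999, "gadget": 4999}   # prices in cents (constructed)

THRESHOLDS = {   # constructed policy: repeated tampering costs the session/account
    "PriceTamper":      Threshold(count=3, interval=60.0,  actions=("log", "logout")),
    "NegativeQuantity": Threshold(count=2, interval=300.0, actions=("log", "disable")),
}


def check_order(order, detector):
    """Validate the value-bearing fields of an order against server data.

    Returns the order total in cents when valid; otherwise records a
    security event for the user and returns None.
    """
    sku, qty, price = order["sku"], order["qty"], order["price"]
    user, ts = order["user"], order["ts"]
    if sku not in CATALOGUE:
        detector.add_event(user, "UnknownSku", ts)
        return None
    if qty <= 0:
        detector.add_event(user, "NegativeQuantity", ts)
        return None
    if price != CATALOGUE[sku]:          # client price must match the catalogue
        detector.add_event(user, "PriceTamper", ts)
        return None
    return qty * CATALOGUE[sku]          # total computed from server-side price only


# Constructed request log: user, sku, quantity, client-supplied price, seconds.
SAMPLE_ORDERS = [
    {"user": "alice",   "sku": "widget", "qty": 2,  "price": 1999, "ts": 0.0},
    {"user": "mallory", "sku": "gadget", "qty": 1,  "price": 1,    "ts": 1.0},
    {"user": "mallory", "sku": "gadget", "qty": 1,  "price": 0,    "ts": 2.0},
    {"user": "mallory", "sku": "widget", "qty": -5, "price": 1999, "ts": 3.0},
    {"user": "mallory", "sku": "gadget", "qty": 1,  "price": 499,  "ts": 4.0},
    {"user": "mallory", "sku": "widget", "qty": -1, "price": 1999, "ts": 5.0},
    {"user": "alice",   "sku": "gadget", "qty": 1,  "price": 4999, "ts": 6.0},
]


def process_orders(orders):
    """Run the value checks over a request log; return accepted totals and alerts."""
    detector = IntrusionDetector(THRESHOLDS)
    accepted = []
    for order in orders:
        total = check_order(order, detector)
        if total is not None:
            accepted.append((order["user"], total))
    return accepted, detector.alerts


if __name__ == "__main__":
    accepted, alerts = process_orders(SAMPLE_ORDERS)
    for entry in accepted:
        print("accepted", entry)
    for alert in alerts:
        print("alert", alert)
```

The design choice worth noting is that the check is silent about what it compared: a rejected order gets no hint of the catalogue price, and the threshold fires on a burst per user and then resets, so one alert per burst reaches the log rather than one per request.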