
I arrived in Krakow, Poland yesterday for the annual European OWASP conference, where I will be presenting Imperva's take on Business Logic Attacks. The first day started with an insightful presentation by Ross Anderson from Cambridge University. Ross spoke about the economics of security, describing the financial mechanisms at the core of business that determine the level of security a business will seek to implement. Ross also explained some social factors that influence application security. As an example, he described a study conducted by one of his students that measured how much private information people are willing to disclose in different scenarios. The results were surprising: people were willing to disclose more information on an unknown web site with no assurance of their privacy than in a formal research poll that explicitly stated the measures taken to ensure privacy. Ross explained that people tend to consider privacy only when they are made aware of it, and that this drives many businesses to "hide" privacy issues from their users even when privacy is clearly an issue, as in social networking applications.
Another interesting speaker was Esteban Ribicic, who talked about web application harvesting (or scraping). I will actually be talking about this type of attack in my presentation tomorrow, in a slightly wider context.
Stay tuned for more updates from this event...