OWASP - User contributions [en]

Top User Recommendations

2012-02-09T15:43:19Z

Adish: Top 7 user recommendations for safely browsing the net

= Top Consumer Guidelines =

We keep seeing users suffer from leakage of personal information, identity theft and even actual money transactions made under their behalf.
The following list of key practical guidelines would lower the impact of most of these attacks (Page maintained by Adi Sharabani (Adi dot Sharabani at owasp dot org)

== 1. Keep your device up to date / i.e. keep your body in shape ==
Whether you are using an iPhone, Android Phone, PC or Mac, the software of those devices should always be up to date. Each new update could contain a security fix for a vulnerability that was discovered in those products. When the updates are released, hackers around the world analyze it, deduct what is the vulnerability that was fixed, and create a new exploit that would work on unpatched computers.
If your computer or device is not up-to-date you are very much likely to be hacked.

== 2. Don’t connect to untrusted networks / i.e. don’t go into dangerous parking lot ==
Hackers can easily hack into users from the same local network. They can obtain different levels of control on any device in the network, monitor everything it is doing on the internet, including everything the victims type or do in their web browser and even manipulate the information the victims see. This can be simply done either by a malicious user of the same network, or by an infected computer that connects to that network.
As a rule of thumb, users should try to avoid using untrusted networks - i.e. networks that has users which you do not know. If you have a cellular data plan, try to use it as it is much harder for hackers to hack into it. If you have a home wireless network, put a password on it, so others would not be able to join in, and hack into your devices.

== 3. Use passwords wisely / i.e. don’t use the same lock for you home and gym locker ==
In mid 2010, Turkish hackers hacked into several small Israeli web sites. They managed to retrieved the names and passwords of users of those sites. The impact should have been relatively minor. However, many users of those sites used the same passwords for their gmail, Facebook, and other more sensitive applications. The Turkish hackers could thus take those passwords and log into their victim’s more sensitive systems, reading their email or logging into their social networks.
As a user you are not responsible for the security of the websites you browse to. However, having the same password for different web sites, will allow hackers who broke into one site to enter your credentials in the other site.
In addition, it is clearly not wise to use simple passwords like “qwertyui” - these are easily guessed by automated tools that try to enumerate passwords to hopefully guess the right one.

== 4. Supply sensitive information through an encrypted channel / i.e don’t shout your pin number in the middle of the mall ==
Companies should transfer you to an encrypted channel before asking or sending sensitive information. Using an encrypted channel, blocks others from seeing or changing the communication between yourself and the website you browse to. Before filling in any sensitive information such as credit cards or passwords make sure that you are on an encrypted channel to the website you planned to send the information to.
Each browser reflects the fact it is currently under an encrypted channel in a different way. Know how your device reflects this information and verify that before filling in the sensitive information. This is usually marked by an “https” prefix before the address and an icon of a lock in a location the website could not control (such as the toolbar of your browser). For example:
IPhone:
SHAPE \* MERGEFORMAT

Android:
SHAPE \* MERGEFORMAT

Chrome:
SHAPE \* MERGEFORMAT

Internet Explorer:
<Need to add screenshot>

Firefox:
SHAPE \* MERGEFORMAT

Safari:
SHAPE \* MERGEFORMAT

== 5. Trust your instincts / i.e. Don’t eat in smelly restaurants ==
While you cannot control the security of the sites you browse to, it is in your power to decide which sites to use, and when to provide your personal information. If the site doesn’t have a budget for investing in clean and nice interface, it probably doesn’t have the budget to secure its database. If something looks fishy to you, the site might not be legitimate at all.

== 6. Don’t trust incoming data / i.e. don’t let the con artist full you ==
Many of the phishing attacks in which hackers pretend to be someone else, starts by hackers approaching you. If you got an email saying that “you just won 1 million dollars” - don’t trust it. Moreover, hackers could easily forge the origin of the mail making you believe it was sent from someone else. In general, it is always better not to follow anything that was handed to you and you didn’t ask for - this is the same for the physical world as well. While it is sometimes inconvenient, it is wiser not to trust links you get in email. If an email was send to you from someone you don’t know, consider ignoring it. If you get an email from Facebook with a friendship request, it is better to simply go to Facebook and see that request rather than clicking on a link a hacker could have sent you.

== 7. Track your accounts / i.e. Verify your body parts are in-tacked ==
Even if you follow every single security recommendation, you are always at some level of risk. For example, hackers might not be able to hack into your phone or computer, but hacking into a site that keeps your credit card will allow them to use it. Regularly checking your account balance, and recent transactions will allow you to verify that this did not happen.

OWASP AU Conference 2009 Presentations

2009-02-27T17:23:38Z

Adish:

{|
! width="350" align="left"|
! width="250" align="center" |
! width="300" align="center" |
|-
| align="center"|[[Image:Owasp_au2009_conf_logo.jpg]]
|}

== Presentations ==

The following presentation abstracts are provided to understand the details of the presentations. This year OWASP will be video recording the event again and all videos will be kept online and available through the OWASP wiki.

== Christian Heinrich ==
'''TCP Input Text & Download Indexed Cache'''

Two Proof of Concept (PoC) will be demonstrated that implement the Google SOAP Search API to support the "reconnaissance" phase of a Penetration Test:

1. "Download Indexed Cache", which retrieves content indexed within the Google Cache to support the testing specified in the "Search Engine Reconnaissance" section of the recently released OWASP Testing Guide v3, which is a superior methodology to the Google Hacking Database (GHDB).

2. "TCP Input Text", which extracts TCP Ports and hostnames from Google Search Results into a .csv file and executes nmap and/or nc aka netcat for assurance of a listening TCP service.

Mitigating controls, such as <META> Tags and robots.txt, based on the recommendations within the "Spiders/Robots/Crawlers" section of the recently released OWASP Testing Guide v3, will be presented.

== Andrew Vanderstock ==
'''The future (and past) of web application security: how to detect and protect against value attacks.'''

2008 was a bumper year for value attacks. Criminals are finally getting over the sophomoric desire to 0wn large numbers of hosts, turning their attention to getting a lot of money instead. This is bad if you have stuff the criminals want.

Unfortunately, web application scanners (source and dynamic) cannot easily (if at all) detect or scan for this entire class of attack - you need to do the hard work.

In this presentation, you'll learn how to:

* Figure out where the value in your application is
* Identify weaknesses in your processes by identifying all the paths to your assets
* Protect your application against value and process attacks by careful and minor changes to your design
* Identify if folks are trying to do "interesting" things using ESAPI's intrusion detector classes

With some luck, there might even be a demo!

Andrew van der Stock is a leading web application researcher active in the builder web application community. Andrew has recently returned from a two year stint working in the USA.

Andrew is the project lead and lead author for the following OWASP projects:

* OWASP Developer Guide 3.0
* OWASP Top 10 2009
* ESAPI for PHP port

He is looking for contributors to all of the above projects. He helped start the Melbourne and Sydney OWASP chapters. Previously, Andrew was Executive Director of OWASP from 2005 to 2007.

He is the moderator of webappsec@securityfocus.com, and has contributed the web application section of the SANS Top 20 since 2005.
He helped set the SANS GSSP Secure Programmer (Java) certification, and thus is deemed to hold this certification as he literally knows all the answers (he peeked).

In previous lives, he has assisted with the following open source projects:

* UltimaBB, forum software - fork of XMB
* XMB, forum software
* SAGE-AU President of SAGE AU in 2000-2001, General Committee member 1999-2000, and a long time member.
* pnm2ppa HP print drivers for Unix and work-alike systems
* XFree86 Device drivers for Matrox Millennium I/II/Mystique (mid 90's vintage stuff)

In his now copious spare time, Andrew continues to run AussieVeeDubbers, one of Australia's largest car forums, and one of the world's largest VW car forums.

== Ranjita Shankar Iyer ==
'''A Prescriptive approach to Secure SDLC'''

The old adage goes “Prevention is better than cure”. Similarly, many security vulnerabilities can be easily prevented if security was taken into consideration at the beginning of the development process. As application security professionals, we’ve seen that uncovering serious vulnerabilities and subsequent attempts to repair with production-ready applications significantly increase costs to the enterprise and delay project timelines. Moreover, despite the immense amount of literature on application vulnerabilities we find that developers are still unaware or only have very limited knowledge of common threats and secure coding practices. This often leads to the commonly sighted flaws such as the following:
- Implementation of client-side controls only that are easily bypassed
- Incorrect implementation of regular expressions to block XSS and SQL injection attacks
- Including too much sensitive business logic in applications that utilize FLEX and other RIA technologies
- Insecure use of API's and frameworks such as struts and spring
There are a number of commercial secure coding tools that facilitate developers to incorporate security controls upfront during the development and build process, but commercial products tend to be expensive, and not practical to provide to every developer. Commercial products are also a black-box to developers and enterprise security teams, where it’s unclear on how vulnerabilities were identified.

Leveraging our expertise in the field, we have developed an extensive data grid that maps standard security requirements (grouped into categories such as User Authentication, Input Validation, Session Management etc ) to sample implementation snippets in popular frameworks such as .Net, Java Struts and FLEX. This data grid draws on work already complied by open source communities such as OWASP that has a variety of tools and resources to help developers in understanding and resolving security issues. Furthermore the major frameworks mentioned above also often provide a large set of security APIs at the developer’s disposal. Leveraging these existing APIs lessens the burden of implementing security correctly and our data grid references these API's where appropriate.

However, experience has shown us that such resources alone are not effective in preventing security code flaws. Therefore we are launching an open-source, extensible, secure coding analysis tool that delivers information from the data grid to the developer as they are writing code in their favorite IDE's. The plug-in tool takes a prescriptive approach and prompts the developer with useful information and repair techniques using existing security APIs within major frameworks and open-source resources, such as ESAPI. The tool has an innovative extensible design, whereby modules can be easily extended to incorporate any framework and any vulnerability. Deliberate design decisions have been made to accommodate future frameworks and the customizable vulnerability identification engine can also be tailored to accommodate specific business risks and regulatory policy requirements.

Speaker Bio's

1) Ranjita Shankar Iyer CISSP, GSEC
Application Security Architect - Morgan Stanley
Ranjita is an application security specialist with over 8 years of experience developing and securing business critical applications. She is currently a Security Architect at Morgan Stanley and assesses complex applications across the firm to ensure that they are employing appropriate security controls to protect highly confidential client and employee data. Prior to this, she was at EY at the Advanced Security Center performing attack and penetration tests for fortune 100 financial services clients. She is well versed in the many challenges that organizations face with regards to introducing security into the software development lifecycle.

2) Kai Huang CISSP, GSEC
Application Security Specialist - Ernst & Young
Kai is part of E&Y Global Information Security group, and is responsible for reviewing and advising security matters for a wide range of applications and information systems consumed by E&Y. Prior to GIS, Kai was a member of the E&Y Advanced Security Center, performing web application, internet, intranet tests for EY's Fortune 500 clients. Kai's primary areas of interest are web application security and VOIP research and tool development. Prior to E&Y, Kai worked at CIGNA as a CIRT member.

== Sumit Siddharth ==
''' Recent Advancements in SQL Injection Exploitation Techniques '''

This talk will cover different variants of SQL Injections and will demonstrate a variety of exploitation techniques. Starting with the very basics, the talk will progress to more complex scenarios and will discuss exploiting SQL injections which seem to be un-exploitable. The talk will have a number of demonstrations including the scenarios where this vulnerability goes undetected even by the most popular commercial scanners costing $$. Along the way, a number of freely available tools for exploiting SQL Injections will be discussed along with their pros and cons.

'''About the Speaker:'''

Sumit Siddharth (sid) works as a senior IT security consultant for Portcullis Computer Security Ltd in U.K. Sid has authored a number of articles, advisories, white papers over the years and has been a speaker at a number of IT security conferences. He also owns the popular IT security blog www.notsosecure.com.

== Peter Freiberg ==
'''Determining attack surface and creating security test cases through observing business testing'''

Application security testing is often a last minute black box activity where security testers rely on gut feel and intuition to determine how a system should work in order to compromise it. Even when coupled with source code analysis, a manual review or specialist software will not see all the data flows and context which pass through a system.

By introducing web proxies that passively capture data flows from User Acceptance Testing we can observe the context of how the application should work. Using a newly created proxy log analysis tool, SPLAT, the following benefits can be obtained:
• Automatically determine the attack surface of an application
o What URLs are seen by users?
o Are these shared between roles?
o What pieces of data or parameters are passed and where?
• Automatically create test cases for some OWASP Top 10 Vulnerabilities
• Determine the data flows within your application
• Potentially find disclosure of sensitive information such as credit cards and tax file numbers
• Generate comparable metrics from testing phases

== Siddharth Anbalahan ==
''' Advanced Techniques in Code Reviews '''

Learn how experts blend manual and automated techniques to accelerate code reviews. When you review large apps, you’ll love these nifty tricks to find famous, and some not-so-famous flaws. Using demos & code snippets we show how the blended technique is better than simple scanning or manual checks. You learn to write custom scripts that slash review time to 1/5th and get a ready-to-use checklist.
Session Learning Objectives
The 3 learning objectives of the session are:
- Learn how to code review large applications efficiently
- Learn a structured approach to code reviews
- Develop a checklist to use in future code reviews
Participants will be able to do code reviews as mandated by PCI for all applications that handle credit card information.

== Brett Moore ==
'''Vulnerabilities In Action'''

Common application vulnerabilities have been known for years now, and developers have been told about the threats and how to prevent these flaws. Even so, web applications are still been developed that are vulnerable to some of the oldest and most well known security flaws. The aim of this presentation is to show the attendees how vulnerabilities are discovered and exploited in real world situations, and the devastating effect that a flaw can have on the security of an application. The presentation will demonstrate multiple different application vulnerabilities across various development languages and operating systems. All of the commonly seen vulnerabilities will be demonstrated, aligned with the OWASP top 10 rating system. Attendees will be able to learn about the real dangers that application vulnerabilities pose, by seeing them been exploited as they would in a real compromise situation. The demonstration will be done again a ‘virtual’ network of vulnerable systems that will contain both server and application level flaws, giving a real world insight to an application compromise.

== Karmendra Kohli ==
'''Wooden Swords and Plastic Guns - Insecure Security Defenses'''

"Securing applications insecurely gives a false sense of security. This session shows how popular security defenses are implemented wrongly, how apps are fitted with wooden swords and plastic guns. Based on our experience of testing 300+ applications, we show the most common errors in security defenses like CAPTCHAs, Encryption, Cache Control, etc.
Using code snippets and demos, we present actual encounters with insecurely secured applications. The audience will see how insecure implementations of CAPTCHAs allow bots to comfortably bypass defenses and perform automated registrations, post feedback, flood surveys and much more. We take you on a walk-through of how various insecure implementations of hashing defeats its very purpose. The audience learns how wrong use of cache control tags leads to authentication bypass, and disclosure of information among other weaknesses. We show how these wooden swords are a cause for concern. We explain what developers need to keep in mind so they implement security techniques "securely" - learn how to avoid subtle errors, and do things right the first time. With each topic we conclude with implementation best practices so developers / project managers / application owners can practice it from their next day at work."

== Tom Brennan ==
'''OWASP 3.0 - Where we came from, where we are, where we are going.'''

== Rajkumar Pandian Sakthivel ==
'''Web Application Security – A Reality Check'''

Web Applications, harnessing the power of Internet has become a dominant factor in the web centric business .The power of Web applications have enabled businesses “flourish”, contributing to economic growth. To obey the Law of Polarities, the vulnerabilities present in the Web applications have caused an “impediment” to the growth of businesses resulting in huge losses. When the maturity of “containing” and combating Network Security Attacks (comprising of OS and Network Protocol vulnerabilities) has improved a lot with the help of Firewalls, Intrusion Prevention Systems and VPN, the overall scenario of Web application security looks grim. Security evangelists and enthusiasts have taken up the task of spreading the awareness of Web Application security. This paper discusses the current trends in the state of web application security and does a Reality Check. Different approaches of the software development community like Panic and patch approach (Web application attacked-Panic-Provide patch), Ritualistic approach (We have a policy in our company to check vulnerabilities in web apps, so we do something) and oblivious approach (Should it be done? I never knew it) is discussed.

The second part of the paper calls for a collaborative effort from the Developers, Testers, Marketing people and users. The paper also suggests that Web application Security should be an intrinsic factor of the Design, Development & Testing phases. The importance of Decision makers to understand, support and promote the web application security is discussed. The theme of “Securing Web applications – Passion, Art and Character” is advocated.

== Drew Ames ==
'''Improving Application Security using pre-processing input filters – a case study'''

Recently, CQR Consulting were engaged to assist one of our customers who was having significant difficulties due to compromise through their published web applications. A review of their code and development practices showed that the quickest and most efficient way to prevent multiple attacks was through the implementation of a pre-processing validation filter.

This presentation will discuss the issues, approach and results of the development effort in creating a pre-processing validation filter. It will present the risks which can be mitigated in such a way and others which need further controls to successfully manage.

The information provided will assist attendees in the decision between roll-your-own, WAF appliance or full scale code re-write.

== Mark Goudie ==
'''An Insight into the World of Computer Forensics'''

Security breaches and the compromise of sensitive information are a very real concern for
organisations worldwide. When such incidents occur, rapid response is critical. The damage
must be contained quickly, customer data protected, the root cause found and remedied, and an
accurate record of events and losses produced for authorities.
Furthermore, the investigation process must collect this evidence without adversely affecting the
integrity of the information assets involved in the crime.
The Data Breach Investigations Report – a study that integrates a vast amount of factual
evidence from forensic investigations over the last four years – provides a unique insight into
the world of computer forensics.
The Report is unique in that it offers an objective, first-hand view of data breaches directly from
casebooks, which represent a large proportion of total known compromised records during 2006
and 2007, including three of the five largest data breaches ever reported. Industry sectors
covered include Financial Services; Food and Beverage; Retail; and Technology.
The expansive statistical data set generated through activities including litigation support, ediscovery,
expert witness testimony, chain-of-custody, mock-incident training, and incident
response program development offers an interesting glimpse into the trends surrounding
computer crime and data compromise.
In a finding that may surprise some, the study found that most data breaches were caused by
external sources (73%). Breaches attributed to insiders (18%), though fewer in number, were
much larger than those caused by outsiders when they did occur.
Notably, at the commencement of the study, the main avenue of attack was the network or
operating system. However over time, the typical attack vector has moved up the stack to the
application layer.
And Asia Pacific is becoming a “hot” region for both the source and victim for the data breach,
with the vast majority of these cases involving software failure at some level.
Key points to be covered in the presentation include demographics, data breach sources, types
of threats, targeted and opportunistic attacks, pathways, data compromises, discover methods,
anti-forensics, and unknown unknowns.

== Malathi Carthigaser ==
'''STRAW - A security Threat & Risk Assessment Methodology for Web Applications'''

Myriad threat and risk assessment methodologies exist, but few that are considered suitable for adequately communicating the risks associated with web applications. In this presentation, a new methodology, the STRAW model will be outlined, that is consistent with current models (such as OWASP Risk Rating Methodology, AS 4360, STRIDE/DREAD etc.), but which extends upon them to provide the following benefits:

• Comprehensive matrix structure to capture all risk components and ratings.

• Enumerates a wide range of factors contributing to impact and likelihood ratings.

• Threat analysis is incorporated within the matrix.

• Related threat events/vulnerabilities are clearly cross-referenced to allow consideration of the combined effects of multiple related vulnerabilities.

• Easily understandable, and a common communication tool for both technical and business parties.

The STRAW model is intended to be used after a security review has been completed, as a way of rating the severity of vulnerabilities/weaknesses identified, and subsequently, to aid in prioritising the security issues, and determining mitigation options and effort estimates.

It is a proven model that has been successfully employed in many projects to date.

== Benjamin Mossé ==
'''Browser Rider: what you never expected your browser could do to you'''

Browser exploitation is in fashion but it doesn't seem that there's a popular tool to build and run attacks. Browser Rider will try to fill the gap by providing a framework to build, deploy and manage payloads that exploit the browser. This project aims on the long term to provide a powerful, simple and flexible interface to any client side attack for hackers.

Proposal

Browser security has become one of the most discussed subjects. This is mainly due to two things: First, nowadays malwares are not spread over emails any longer but through web application often using JavaScript obfuscation to avoid anti-virus detection. Second as the web is growing new technologies are constantly appearing to enhance the user experience but also offering many new attack vectors. In both cases it is important to understand that the browser offers an easy mechanism for bypassing firewalls and other perimeter security to gain unauthorised access or commit other security breach.

From a security consultant point of view it can be hard to justify the risk of vulnerabilities that affect the browser such as cross-site scripting, cross-site request forgery and unauthorized redirection vulnerabilities as they do not impact directly the server or the database.

Browser rider is a security tool to exploit browser vulnerabilities. It offers several existing payloads but also provides a complete programming framework to develop exploits. It also acts as a management system to deploy your attacks and control the infected browsers.

The first part of this presentation will introduce the audience to the tool and demonstrate many attacks that can be ported to the browser using the Browser Rider. The second part will technically explain how the tool works (i.e. obfuscation, signature detection avoidance, polymorphism, program architecture, framework), how to write your own exploits with it and deploy them.

On the long term Browser Rider aims at becoming a complete solution to execute, develop and test browser based attacks for security consultants.

== Paul Theriault ==
'''Plug-in Purgatory'''

Browser plug-ins allow web developers to embed content in web pages which is otherwise unsupported by the browser. This additional content requires additional system resources and sometimes extended system privileges in order to run. Most plug-ins are expected to release these resources once a page has been unloaded, but as will be discussed in this presentation, bugs and unexpected side-effects in the implementation of these plug-ins may allow an attacker to develop content which does not get unloaded as intended. As a result, an attacker is able to execute attacks ranging from simple abuse of system resources, to persistent bi-directional command and control channels.
This talk will discuss several approaches to this attack, and also examine the susceptibility to these attacks in common browser plug-ins.

Bio

Paul Theriault is a Senior Consultant with SIFT, and has extensive experience in both technical and policy areas of IT security ranging from application code review and testing, to business-wide risk assessment and management. With a background in web development, Paul's security research interests are centered on all things web - browsers, bytecode and everything in between.

== Alex Kouzemtchenko ==
'''Examining and Bypassing the IE8 XSS Filter'''

Even with continued focus on XSS vulnerabilities, they are clearly not going away, and the issues are not being properly solved by even the safest frameworks, such as .NET. As such Microsoft has implemented defence-in-depth client-side protections inside Internet Explorer 8 in the form of the XSS Filter to make exploitation of these vulnerabilities either harder or impossible.

This talk will examine the specific situations that the XSS Filter tries to protect users in, the scenarios where it does not prevent attacks, several bypass techniques for these filters and ways in which the XSS Filter's functionality can be abused to help perform attacks, such as Clickjacking or even XSS.

Bio:

Alex Kouzemtchenko has been an active member of the web application security research community for the past several years, publishing several papers and has presented his findings at several conferences such as Bluehat, the Chaos Communications Congress, RUXCON, Power of Community and XCon. Alex is the R&D Team Lead at SIFT where he gets paid to find new ways to break things and apply that work to consulting engagements.

== Adi Sharabani ==
'''Active Man in the Middle Attacks'''

We've all known for a long time that using a public wireless network is risky. We all think twice before logging into our bank account or accessing any kind of sensitive information. But what about simply reading the news on our favorite news site?
In this presentation, we will show how using a public network can expose you to practically any web-related client-side security issue on any domain, no matter how careful you think you're being. These issues range from XSS on any domain, through XSRF, to leaking of browser data and more.

We will show how the currently known best practices, which are supposed to keep you from harm when reading a blog in the neighborhood coffee shop, may be overcome. We'll demonstrate how such best practices are only useful against what we call "Passive" attacks, which are passively gathering data from the network. We will introduce a new type of attack coined "Active attacks", and see how they easily work around a careful user's attempt to browse responsibly in a public network. We will demonstrate how these attacks can steal information from past browsing activities. and how they can monitor your future browsing, inside the safetey of your home and your organization's networks.

* More information on these attacks can be found on the [http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html Watchfire's blog]

Bio:

Adi Sharabani manages the IBM Rational Application Security Research Group, responsible for product and industry research activities that pertain to Web application security. Adi joined IBM through the acquisition of Watchfire, a market leader in web application security testing. Prior to security research, Adi was a senior software developer on the AppScan team responsible for the invention and development of many of its key features.

OWASP AU Conference 2009 Agenda

2009-02-27T17:13:51Z

Adish: /* OWASP Australia 2009 Conference Schedule - February 26th & 27th 2009 */

The following Agenda is provided currently with approved and accepted Speaking spots. As more information is provided details will be posted online.

== OWASP Australia 2009 Conference Schedule - February 26th & 27th 2009 ==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Wednesday Feb 25, 2009
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" |
| style="width:40%; background:#BCA57A" |
|-
| style="width:10%; background:#7B8ABD" | 17:30 - 19:00 || colspan="2" style="width:80%; background:#669966" align="left" | '''Conference Welcome Cocktail Party''' - ''Sponsored by Fortify Inc.'' Presentation on the Fortify Software Assurance Maturity Model.

This is a great opportunity to settle in, meet people at the conference and meet up with industry peers.

Location: Conference Facility Foyer @ Gold Coast Convention Center (Level 1 FOYER)
|-
|}

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 1 - Thursday Feb 26, 2009
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | '''Track 1 (Rooms 5 & 6)'''
| style="width:40%; background:#BCA57A" | '''Track 2 (Rooms 7 & 8)'''
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Coffee - ''Espresso Coffee (Sponsored by IBM) provided.''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:15 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Welcome to OWASP AU 2009''' - Justin Derry (OWASP Conference Chair AU2009 & Fortify Practice Director Asia Pacific)
|-
| style="width:10%; background:#7B8ABD" | 09:15-10:45 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Keynote:''' Roger Thorton, CTO Fortify Inc
|-
| style="width:10%; background:#7B8ABD" | 10:45-11:15 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | ''Morning Tea/Coffee, Vendor Technology Expo'' - ''Espresso Coffee (Sponsored by IBM) provided.''
|-
| style="width:10%; background:#7B8ABD" | 11:15-12:15 || style="width:40%; background:#BC857A" align="left" | Christian Heinrich & Darren Skidmore - ''PCI-DSS Application Security''
| style="width:40%; background:#BCA57A" align="left" | Ranjita Shankar Iyer - ''A Prescriptive approach to Secure SDLC''
|-
| style="width:10%; background:#7B8ABD" | 12:15-13:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | ''Lunch, Vendor Technology Expo''
|-
| style="width:10%; background:#7B8ABD" | 13:30-14:30 || style="width:40%; background:#BC857A" align="left" | Andrew Vanderstock - ''The future (and past) of web application security how to detect and protect against value attacks''
| style="width:40%; background:#BCA57A" align="left" | Siddharth Anbalahan - ''Advanced Techniques in Code Reviews''
|-
| style="width:10%; background:#7B8ABD" | 14:45-15:45 || style="width:40%; background:#BC857A" align="left" | Peter Freiberg - ''Determining attack surface and creating security test cases through observing business testing''
| style="width:40%; background:#BCA57A" align="left" | Brett Moore - ''Vulnerabilities In Action''
|-
| style="width:10%; background:#7B8ABD" | 15:45-16:15 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | ''Afternoon Tea/Coffee, Vendor Technology Expo'' - ''Espresso Coffee (Sponsored by IBM) provided.''
|-
| style="width:10%; background:#7B8ABD" | 16:15-17:15 || style="width:40%; background:#BC857A" align="left" | Sumit Siddharth - ''Recent Advancements in SQL Injection Exploitation Techniques''
| style="width:40%; background:#BCA57A" align="left" | Karmendra Kohli - ''Wooden Swords and Plastic Guns - Insecure Security Defenses''
|-
| style="width:10%; background:#7B8ABD" | 17:15-18:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel - Industry Experts, Talking about real Application Security Threats. ''(You ask the questions, in this informative 45 minutes of panel discussion on relevant industry issues.)''
|-
| style="width:10%; background:#7B8ABD" | 18:30-19:00 || colspan="2" style="width:80%; background:#669966" align="left" | '''OWASP Social Gathering:''' Pre-Dinner Drinks & Cocktails

Location: Conference Facility Foyer @ Gold Coast Convention Center (Level 1 FOYER)
|-
| style="width:10%; background:#7B8ABD" | 19:00-22:00 || colspan="2" style="width:80%; background:#669966" align="left" | '''OWASP Social Gathering:''' Gala Dinner, Entertainment and Networking Opportunity. ''This is Free to all attendees and will be a great night.''

Location: Conference Facility Foyer @ Gold Coast Convention Center (Level 1 FOYER)
|-
|}

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 2 - Friday Feb 27, 2009
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | '''Track 1 (Rooms 5 & 6)'''
| style="width:40%; background:#BCA57A" | '''Track 2 (Rooms 7 & 8)'''
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Coffee - ''Espresso Coffee (Sponsored by IBM) provided.''
|-
| style="width:10%; background:#7B8ABD" | 09:00-9:15 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Conference Day 2 Open''' - Justin Derry (OWASP Conference Chair AU2009 & Fortify Practice Director Asia Pacific)
|-
| style="width:10%; background:#7B8ABD" | 09:15-10:45 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Keynote:''' Adi Sharabani (IBM Rational Application Security Research) ''[http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html Web-Based Man-in-the-Middle Attacks]''
|-
| style="width:10%; background:#7B8ABD" | 10:45-11:15 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | ''Morning Tea/Coffee, Vendor Technology Expo'' - ''Espresso Coffee (Sponsored by IBM) provided.''
|-
| style="width:10%; background:#7B8ABD" | 11:15 -12:15 || style="width:40%; background:#BC857A" align="left" | Alex Kouzemtchenko - ''Examining and Bypassing the IE8 XSS Filter''
| style="width:40%; background:#BCA57A" align="left" | Paul Theriault - ''Plug-in Purgatory''
|-
| style="width:10%; background:#7B8ABD" | 12:15-13:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | ''Lunch, Vendor Technology Expo''
|-
| style="width:10%; background:#7B8ABD" | 13:30-14:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | Panel Discussion - OWASP Australia Discussion. ''(Help us to plan for OWASP chapter sessions, presentations and the 2010 conference in this session.)''
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:40%; background:#BC857A" align="left" | Mark Goudie - ''An Insight into the World of Computer Forensics''
| style="width:40%; background:#BCA57A" align="left" | Malathi Carthigaser - STRAW ''- A security Threat & Risk Assessment Methodology for Web Applications''
|-
| style="width:10%; background:#7B8ABD" | 14:45-15:45 || style="width:40%; background:#BC857A" align="left" | Drew Ames - ''Improving Application Security using pre-processing input filters – a case study''
| style="width:40%; background:#BCA57A" align="left" | Pravir Chandra (OWASP CLASP Project) - ''The Software Assurance Maturity Model (SAMM), a new OWASP Project''
|-
| style="width:10%; background:#7B8ABD" | 15:45-16:15 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | ''Afternoon Tea/Coffee, Vendor Technology Expo'' - ''Espresso Coffee (Sponsored by IBM) provided.''
|-
| style="width:10%; background:#7B8ABD" | 16:15-17:15 || style="width:40%; background:#BC857A" align="left" | Christian Heinrich - ''Googleless''
| style="width:40%; background:#BCA57A" align="left" | Benjamin Mosse - ''Browser Rider: what you never expected your browser could do to you.''
|-
| style="width:10%; background:#7B8ABD" | 17:15-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | '''Conference Close''', Justin Derry (OWASP Conference Chair AU2009 & Fortify Practice Director Asia Pacific)
|-
| style="width:10%; background:#7B8ABD" | 17:30-19:00 || colspan="2" style="width:80%; background:#669966" align="left" | '''Happy Hour & Half''' - Drinks and Cocktails in Vendor Technology Expo
A Great opportunity to talk about relevant topics presented on and meet/discuss topics with presenters from the day.
|-
|}

== OWASP Australia 2009 Conference Facilities Map ==
To assist delegates the following map of the Conference Facilities is provided. The Gold Coast Convention Center has provided OWASP with the entire top floor of the Conference Facility for all services including presentations, meals and the vendor technology expo.

[http://www.owasp.org/index.php/OWASP_AU_Conference_2009 http://www.owasp.org/images/1/16/OWASP-AUS_CONFERENCE_LAYOUT_FIRSTFLOOR.png]

OWASP NYC AppSec 2008 Conference

2009-01-29T17:39:20Z

Adish:

__NOTOC__
== Introduction ==
This event was a great success, drawing together professionals from all around the world. Please see the agenda below for copies of the presentations and videos of all the talks!!

Conference Description: This vendor agnostic conference has tracks for management, security, audit and development professionals interested in the state of the appsec industry and its trends. Presented by some of the brightest people in the industry, this event is a must attend for anyone looking to improve their information security posture and threat awareness. With assistance from: [http://www.webappsec.org WASC], [http://www.nym-infragard.us NYM InfraGard], [http://aitglobal.com AITGlobal], [http://nyphp.org/index.php NYC PHP], [http://www.nycbug.org NYCBUG], [http://www.isacany.net NYC ISACA], [http://www.nymissa.org NYC ISSA] and our event co-sponsors you are invited to (2) days of hardcore hands-on training and (2) full days of Seminars and Technology Pavilion from the world's best application security technology minds, all held in the New York City, Midtown.
 
<h2>SEE BELOW FOR VIDEO AND SLIDES - [http://picasaweb.google.com/jinxpuppy CLICK HERE FOR PHOTOS]</h2>
<center> [http://www.linkedin.com/e/gis/36874 Join the OWASP Linked'In Group]
- - -
[https://www.owasp.org/index.php/Category:OWASP_Video For Previous OWASP Conference Video CLICK HERE]</center>
<hr>

== 2008 OWASP USA, NYC Conference Schedule – FULL VIDEO 50+ Speakers see below ==
{| style="width:80%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white" |

<h2>Day 1 – Sept 24th, 2008 </h2>
|-
| style="width:10%; background:#7B8ABD" | || style="width:30%; background:#BC857A" | Track 1: BALLROOM
| style="width:30%; background:#BCA57A" | Track 2: SKYLINE
| style="width:30%; background:#99FF99" | Track 3: TIMESQUARE
|-
| style="width:10%; background:#7B8ABD" | 07:30-08:50 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | Doors Open for Attendee/Speaker Registration
''avoid lines come early get your caffeine fix and use free wifi''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | '''OWASP Version 3.0 who we are, how we got here and where we are going?''' 
''OWASP Foundation: [[Contact | Jeff Williams]], [[Contact | Dinis Cruz]], [[Contact | Dave Wichers]], [[Contact | Tom Brennan]], [[Contact | Sebastien Deleersnyder]]'' 
<center>{{#ev:googlevideo|-228977859802026041}}</center> 
[http://www.owasp.org/images/b/b7/AppSecNYC08-Delivering_AppSec_Info.ppt Dave Wicher's Slides] / Jeff William's Slides / Dinis Cruz's Slides
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="center" | '''[[AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008 | Analysis of the Web Hacking Incidents Database (WHID)]]''' 
''[http://blog.shezaf.com Ofer Shezaf]'' 
[http://video.google.com/videoplay?docid=1130960689238372157&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[http://www.webappsecroadmap.com Web Application Security Road Map]''' 
''[http://joesecurity.blogspot.com Joe White]'' 
[http://video.google.com/videoplay?docid=-237406228011458703&hl=en VIDEO] / [https://sites.google.com/a/webappsecroadmap.com/main/announcements/owasp-appsec-2008-presentation-has-been-uploaded SLIDES]
| style="width:30%; background:#99FF99" align="center" |
'''[https://buildsecurityin.us-cert.gov/swa/acqwg.html DHS Software Assurance Initiatives]''' 
''[http://www.linkedin.com/pub/0/ab/3b7 Stan Wisseman] & [http://www.linkedin.com/pub/1/439/923 Joe Jarzombek]'' 
[http://video.google.com/videoplay?docid=-6505795148329572484&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="center" |
'''Http Bot Research''' 
''[http://www.shadowserver.org/wiki/pmwiki.php?n=Shadowserver.Mission Andre M. DiMino - ShadowServer Foundation]'' 
[http://video.google.com/videoplay?docid=1400503643786264015&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''OWASP "Google Hacking" Project''' 
''[http://www.linkedin.com/in/ChristianHeinrich Christian Heinrich]'' 
[http://video.google.com/videoplay?docid=5419982525671711780&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''MalSpam Research''' 
'' [http://www.knujon.com/bios.html Garth Bruen]'' 
[http://video.google.com/videoplay?docid=-8813268235790993111&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [[OWASP_NYC_AppSec_2008_Conference/ctf | Capture the Flag]] Sign-Up
''LUNCH - Provided by event sponsors @ TechExpo''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:45 || style="width:30%; background:#BC857A" align="center" |
'''Get Rich or Die Trying - Making Money on The Web, The Black Hat Way''' 
''[http://www.linkedin.com/in/treyford Trey Ford], [http://www.linkedin.com/in/tombrennan Tom Brennan], [http://www.linkedin.com/pub/0/205/77a Jeremiah Grossman]'' 
[http://video.google.com/videoplay?docid=-7209323310151363553&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Framework-level Threat Analysis: Adding Science to the Art of Source-code review''' 
''[[OWASP_NYC_AppSec_2008_Conference-rohit-sethi | Rohit Sethi]] & [[OWASP_NYC_AppSec_2008_Conference-sahba-kazerooni | Sahba Kazerooni]]'' 
[http://video.google.com/videoplay?docid=8935251380629216945&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''Automated Web-based Malware Behavioral Analysis''' 
''[http://www.linkedin.com/pub/3/359/b1a Tyler Hudak]'' 
[http://video.google.com/videoplay?docid=4204600308807371535&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="center" |
'''[http://blogs.adobe.com/psirt/2008/09/thanks_to_jeremiah_grossman_an.html New 0-Day Browser Exploits: Clickjacking - yea, this is bad...]''' 
''[http://jeremiahgrossman.blogspot.com Jeremiah Grossman] & [http://ha.ckers.org/blog/about Robert "RSnake" Hansen]'' 
[http://video.google.com/videoplay?docid=-5747622209791380934&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Web Intrusion Detection with ModSecurity''' 
''[http://www.breach.com/company/executive-team/ Ivan Ristic]'' 
[http://video.google.com/videoplay?docid=-7391448618249578180&hl=en VIDEO] / [[Media:OWASP_NYC_2008-Web_Intrusion_Detection_with_ModSecurity.pdf|SLIDES]]
| style="width:30%; background:#99FF99" align="center" |
'''Using Layer 8 and OWASP to Secure Web Applications''' 
''[http://www.linkedin.com/in/davidstern2000 David Stern] & [http://www.linkedin.com/in/romangarber Roman Garber]'' 
[http://video.google.com/videoplay?docid=-3883297889781954509&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="center" | '''Application Security Industry Outlook Panel:''' 
''[http://www.linkedin.com/pub/0/497/86a Jim Routh] CISO DTCC, 
[http://www.linkedin.com/pub/0/bb1/68a Sunil Seshadri] CISO NYSE-Euronet, 
[http://www.linkedin.com/in/bernik Joe Bernik] SVP, RBS Americas, 
[http://www.linkedin.com/pub/8/878/240 Jennifer Bayuk] Infosec Consultant, 
[http://www.linkedin.com/in/philvenables Philip Venables] CISO, Goldman Sachs, 
[http://www.linkedin.com/in/crecalde Carlos Recalde] SVP, Lehman Brothers, 
Moderator: [http://www.linkedin.com/in/mahidontamsetti Mahi Dontamsetti]'' 
[http://video.google.com/videoplay?docid=-7051719323294878516&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[http://www.owasp.org/index.php/Security_Assessing_Java_RMI Security Assessing Java RMI] ''' 
''[http://www.linkedin.com/in/adamboulton Adam Boulton]'' 
[http://video.google.com/videoplay?docid=1673714450539106400&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''JBroFuzz 0.1 - 1.1: Building a Java Fuzzer for the Web''' 
''[[OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou | Yiannis Pavlosoglou]]'' 
[http://video.google.com/videoplay?docid=-1551704659206071145&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="center" |
'''OWASP Testing Guide - Offensive Assessing Financial Applications''' 
'' [[OWASP_NYC_AppSec_2008_Conference-daniel-cuthbert | Daniel Cuthbert]]'' 
[http://video.google.com/videoplay?docid=-3228312539505217121&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Flash Parameter Injection (FPI)''' 
''Ayal Yogev & Adi Sharabani'' 
[http://video.google.com/videoplay?docid=7818654218575619118&hl=en VIDEO] / [http://blog.watchfire.com/FPI.ppt SLIDES] / [http://blog.watchfire.com/FPI.pdf PAPER]
| style="width:30%; background:#99FF99" align="center" |
'''[[OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho | w3af - A Framework to own the web]]''' 
''Andres Riancho'' 
[http://video.google.com/videoplay?docid=4354579888802327250&hl=en VIDEO] / VIDEO
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="center" |
'''OWASP Enterprise Security API [[ESAPI | (ESAPI) Project]]''' 
'' [http://www.aspectsecurity.com/management.htm Jeff Williams]'' 
[http://video.google.com/videoplay?docid=-2912157383449643073&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Cross-Site Scripting Filter Evasion''' 
''Alexios Fakos'' 
[http://video.google.com/videoplay?docid=-6974576754943514571&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''[[OWASP_NYC_AppSec_2008_Conference-SPEAKER-GunterOllmann | Multidisciplinary Bank Attacks]]''' 
''Gunter Ollmann'' 
[http://video.google.com/videoplay?docid=3041861094296331549&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || style="width:30%; background:#BC857A" align="center" |
'''Open Discussion On Application Security''' 
''Joe Bernik & Steve Antoniewicz'' 
[http://video.google.com/videoplay?docid=6718671647859572098&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Mastering PCI Section 6.6''' 
''[http://www.linkedin.com/pub/1/228/6a5 Taylor McKinley] and [http://www.linkedin.com/in/jacobwest Jacob West]'' 
[http://video.google.com/videoplay?docid=-2544477786674220116&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''Case Studies: Exploiting application testing tool deficiencies via "out of band" injection''' 
''[http://www.linkedin.com/pub/0/a91/aa2 Vijay Akasapu] & [http://www.linkedin.com/pub/9/279/381 Marshall Heilman]'' 
[http://video.google.com/videoplay?docid=7623989457736720764&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 18:00-18:45 || style="width:30%; background:#BC857A" align="center" |
'''[http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project Spearfishing and the OWASP Live CD]''' 
''[http://www.linkedin.com/in/packetfocus Joshua Perrymon]'' 
[http://video.google.com/videoplay?docid=-4419524791864555496&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Phundamental Security - Coding Secure w/PHP''' 
''[http://www.linkedin.com/in/zaunere Hans Zaunere]'' 
[http://video.google.com/videoplay?docid=3477751371038020741&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''[[Payment_Card_Data_Security_and_the_new_Enterprise_Java | Payment Card Data Security and the new Enterprise Java]]''' 
''[[OWASP_NYC_AppSec_2008_Conference-SPEAKER-Dr._B._V._Kumar | Dr. B. V. Kumar]] & [[OWASP_NYC_AppSec_2008_Conference-SPEAKER-Abhay_Bhargav | Mr. Abhay Bhargav]]'' 
[http://video.google.com/videoplay?docid=4488848043144792234&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 19:00-20:00 || style="width:30%; background:#BC857A" align="center" |
'''OWASP Chapter Leader / Project Leader working session''' 
''OWSAP Board/Chapter Leaders''
| style="width:30%; background:#BCA57A" align="center" |
'''(ISC)2 Cocktail Hour''' 
All welcome to attend for a special announcement presented by: 
[https://www.isc2.org/cgi-bin/content.cgi?page=351 W. Hord Tipton, Executive Director of (ISC)2]
| style="width:30%; background:#99FF99" align="center" |
'''Technology Movie Night''' 
''[http://www.youtube.com/watch?v=LlKDkTbUFhU&feature=related Sneakers], [http://www.youtube.com/watch?v=tAcEzhQ7oqA WarGames], [http://hackersarepeopletoo.com HackersArePeopleToo], [http://www.youtube.com/watch?v=4Be-ZzcXVLw TigerTeam]'' 
from 19:00 - 23:00

|-
| style="width:10%; background:#7B8ABD" | 20:00-23:00+ || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Event Party/Reception Event badge required for admission [[OWASP_NYC_AppSec_2008_Conference/ctf | Food, Drinks w/ New & Old Friends - break out the laptop and play capture the flag for fun and prizes.]] ''Location: HOTEL BALLROOM''
 
|-
! colspan="10" align="center" style="background:#4058A0; color:white" |

<h2>Day 2 – Sept 25th, 2008 </h2>
|-
| style="width:10%; background:#99FF99" | 08:00-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | BREAKFAST - Provided by event sponsors @ TechExpo

|-
| style="width:10%; background:#7B8ABD" | 08:00-08:45 || style="width:30%; background:#BC857A" align="center" |
'''Software Development and Management: The Last Security Frontier''' 
''[http://blog.isc2.org/isc2_blog/tipton/index.html W. Hord Tipton], CISSP-ISSEP, CAP, CISA, CNSS and former Chief Information Officer for the U.S. Department of the Interior Executive Director and member of the Board of Directors, (ISC)²'' 
[http://video.google.com/videoplay?docid=-4023599059084294937&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[[AppSecEU08_Best_Practices_Guide_Web_Application_Firewalls | Best Practices Guide for Web Application Firewalls]]''' 
''Alexander Meisel'' 
[http://video.google.com/videoplay?docid=-2977259539412442033&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''The Good The Bad and The Ugly - Pen Testing VS. Source Code Analysis
''' 
''[http://www.linkedin.com/in/tommyryan Thomas Ryan]'' 
[http://video.google.com/videoplay?docid=-442445248884665643&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || style="width:30%; background:#BC857A" align="center" |
'''OWASP Web Services Top Ten''' 
''[http://1raindrop.typepad.com Gunnar Peterson]'' 
[http://video.google.com/videoplay?docid=5680040858618100893&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[http://www.trutv.com/video/tiger-team/tiger-team-101-1-of-4.html Red And Tiger Team Application Security Projects]''' 
''[http://www.linkedin.com/pub/1/373/994 Chris Nickerson]'' 
[http://video.google.com/videoplay?docid=-1638710543904774703&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''OpenSource Tools''' 
''Prof. Li-Chiou Chen & Chienitng Lin, [http://www.pace.edu/page.cfm?doc_id=16399 Pace Univ]'' 
[http://video.google.com/videoplay?docid=6174945058170583976&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="center" |
'''Building a tool for Security consultants: A story of a customized source code scanner''' 
''Dinis Cruz'' 
[http://video.google.com/videoplay?docid=5269154656993046978&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''"Help Wanted" [http://www.infosecleaders.com/survey 7 Things You Need to Know APPSEC/INFOSEC Employment]''' 
''[http://www.linkedin.com/pub/0/29/685 Lee Kushner]'' 
[http://video.google.com/videoplay?docid=5330096815878108179&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''Industry Analysis with Forrester Research''' 
''[http://www.forrester.com/rb/analyst/chenxi_wang Chenxi Wang]'' 
[http://video.google.com/videoplay?docid=1391450504589087806&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="center" |
'''Software Assurance Maturity Model (SAMM)''' 
''Pravir Chandra'' 
[http://video.google.com/videoplay?docid=-7453282550277559385&hl=en VIDEO] / [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt SLIDES]
| style="width:30%; background:#BCA57A" align="CENTER" |
'''Security in Agile Development''' 
''[[User:Wichers | Dave Wichers]]'' 
[http://video.google.com/videoplay?docid=-8287209466278543377&hl=en VIDEO] / [http://www.owasp.org/images/a/a3/AppSecNYC08-Agile_and_Secure.ppt SLIDES]
| style="width:30%; background:#99FF99" align="center" |
'''Secure Software Impact''' 
''[http://ouncelabs.com/company/team.asp Jack Danahy]'' 
[http://video.google.com/videoplay?docid=-3851913297265683210&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:45 || style="width:30%; background:#BC857A" align="center" |
'''Next Generation Cross Site Scripting Worms ''' 
''[http://i8jesus.com/?page_id=5 Arshan Dabirsiaghi]'' 
[http://video.google.com/videoplay?docid=-2782535918275323123&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Security of Software-as-a-Service (SaaS)''' 
''[http://www.linkedin.com/pub/6/372/45a James Landis]'' 
[http://video.google.com/videoplay?docid=-513622114181563795&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''[http://reversebenchmarking.com/About.html Open Reverse Benchmarking Project]''' 
''Marce Luck & [http://www.linkedin.com/pub/1/507/616 Tom Stracener]'' 
[http://video.google.com/videoplay?docid=4352770935920515328&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [[OWASP_NYC_AppSec_2008_Conference/ctf | Capture the Flag]] Status
''LUNCH - Provided @ TechExpo''
|-
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="center" |
'''[[NIST SAMATE Static Analysis Tool Exposition (SATE) | NIST and SAMATE Static Analysis Tool Exposition (SATE)]]''' 
''[[OWASP_NYC_AppSec_2008_Conference-vadim-okun | Vadim Okun]]'' 
[http://video.google.com/videoplay?docid=-7567012344169452280&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[[User_talk:Jian | Lotus Notes/Domino Web Application Security]]''' 
''[[User_talk:Jian | Jian Hui Wang]]'' 
[http://video.google.com/videoplay?docid=8645149711234878540&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''Shootout @ Blackbox Corral''' 
''Larry Suto'' 
[http://video.google.com/videoplay?docid=-1565567642122481539&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="center" |
'''Practical Advanced Threat Modeling''' 
''John Steven'' 
[http://video.google.com/videoplay?docid=-734106766899160289&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[http://www.owasp.org/index.php/Category:OWASP_Orizon_Project The OWASP Orizon Project: towards version 1.0]''' 
''[[User:Thesp0nge | Paolo Perego]]'' 
[http://video.google.com/videoplay?docid=-9104434795648450379&hl=en VIDEO] / [http://www.owasp.org/index.php/Image:The_Owasp_Orizon_Project_Towards_version_1.0_v1.0.ppt#file SLIDES]
| style="width:30%; background:#99FF99" align="center" |
'''[[Building_Usable_Security | Building Usable Security]]''' 
''[[Zed_Abbadi | Zed Abbadi]]'' 
[http://video.google.com/videoplay?docid=8782541141810029760&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="center" |
'''Off-shoring Application Development? Security is Still Your Problem''' 
''Rohyt Belani'' 
[http://video.google.com/videoplay?docid=1042293104444687505&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[[OWASP_EU_Summit_2008 | OWASP EU Summit Portugal]]''' 
''Dinis Cruz'' 
[http://video.google.com/videoplay?docid=-7044581008789784268&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''A Security Architecture Case Study''' 
''[http://johanpeeters.com Johan Peeters]'' 
[http://video.google.com/videoplay?docid=-4553372140069628300&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="center" |
'''Vulnerabilities in application interpreters and runtimes''' 
''Erik Cabetas'' 
[http://video.google.com/videoplay?docid=7859413573034669384&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Cryptography For Penetration Testers''' 
''Chris Eng'' 
[http://video.google.com/videoplay?docid=-5187022592682372937&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''Memory Corruption and Buffer Overflows''' 
''[http://www.immunitysec.com Dave Aitel]'' 
[http://video.google.com/videoplay?docid=-1012125050474412771&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Event Wrap-Up / Speaker & CTF Awards and Sponsor Raffles'''

<center>{{#ev:googlevideo|8211027328063203438}}</center> 
[http://video.google.com/videoplay?docid=8211027328063203438&hl=en VIDEO]
|-
| style="width:10%; background:#7B8ABD" | 18:30-19:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Foundation, Chapter Leader Meeting - to collect ideas to make OWASP better!
|}

 
<center> So did you like the content? Lets us know.. [http://www.owasp.org/index.php/Contact Contact Us] </center>
 

== EVENT SPONSORS ==

<hr>
<center>[https://www.owasp.org/images/b/bc/APPSEC2008Sponsor.pdf Diamond Sponsor] - [http://www.imperva.com http://www.owasp.org/images/d/de/Imperva_2color_RGB.jpg] 
 [https://www.owasp.org/images/b/bc/APPSEC2008Sponsor.pdf Platinum Sponsor] - [http://www.cenzic.com https://www.owasp.org/images/b/bf/CenzicLogo_RGB.gif] - [http://www.whitehatsec.com http://www.owasp.org/images/archive/4/4d/20080703021901%21Whitehat.gif] - [http://www-935.ibm.com/services/us/gbs/app/html/gbs_applicationservices.html?cm_re=masthead-_-business-_-apps-allappserv https://www.owasp.org/images/4/47/Ibm.jpg] </center> 
[https://www.owasp.org/images/b/bc/APPSEC2008Sponsor.pdf Gold, Silver, Expo & Other Sponsors] - [http://www.isc2.org http://www.owasp.org/images/4/45/Isc2logo.gif] - [http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg] - [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif] - [http://www.qualys.com https://www.owasp.org/images/a/ae/Qualys.gif] - [http://www.ouncelabs.com https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg] - [http://www.fortify.com https://www.owasp.org/images/a/ac/Fortify.jpg] - [http://www.cigital.com/ https://www.owasp.org/images/b/be/Cigital_OWASP.GIF] - [http://www.acunetix.com https://www.owasp.org/images/e/eb/Acuneti.gif] - [http://www.denimgroup.com http://www.owasp.org/images/5/56/Denimgroup.jpg] - [http://www.accessitgroup.com https://www.owasp.org/images/6/6d/Accessit.JPG] -
[http://www.fishnetsecurity.com https://www.owasp.org/images/4/4a/Fishnet_security.png] - [http://www.airtightnetworks.net https://www.owasp.org/images/8/8b/Airtight.gif] -
[http://www.artofdefence.com https://www.owasp.org/images/d/dc/AOD_Logo.gif] -
[http://www.securityuniversity.net https://www.owasp.org/images/0/0d/Security_university.jpg] -
[http://www.breach.com https://www.owasp.org/images/9/9c/Breach_logo.gif] - [http://www.armorize.com https://www.owasp.org/images/c/ce/Armorize_Logo.png] -[http://www.barracudanetworks.com/ https://www.owasp.org/images/a/a2/Barracuda_Color_Logo.jpg] - [http://www.symantec.com https://www.owasp.org/images/2/26/New_Symantec_Logo.jpg] - [http://www.prevalent.net https://www.owasp.org/images/4/47/Prev_Logo_with_Tag_Line.jpg] - [http://www.mclabs.com https://www.owasp.org/images/9/91/MicroTek.jpg] - [http://www.protiviti.com https://www.owasp.org/images/c/cf/Protiviti.jpg]
 
<center>[https://www.owasp.org/images/b/bc/APPSEC2008Sponsor.pdf Sponsorship Opportunities]</center>
<hr>

== CPE Credits ==

Much of the content is eligible for CPE credits. Please check with your institution regarding specific requirements.

'''The CISM cpe policy (www.isaca.org/cismcpepolicy) states''':

One continuing professional education hour is earned for each fifty minutes of active participation (excluding lunches and breaks) in a professional educational activity. Continuing professional education hours are only earned in full-hour increments and rounding must be down. For example, a CISA who attends an eight-hour presentation (480 minutes) with 90 minutes of breaks will earn seven (7) continuing professional education hours.

Activities that qualify for CPE must be directly applicable to the management, design or assessment of an enterprise's information security as per the CISM job practice"

'''Earn (ISC)2 CPE Credits at 2008 OWASP USA, NYC'''

Attendance at the 2008 OWASP NYC Training Courses or Conferences will earn you Continuing Professional Education (CPE) credits as follows:
Training Courses: September 22-23, 2008
• 16 CPE units for 2 days of training (Monday - Tuesday)
• 8 CPE units for 1 day of training (Monday or Tuesday Only)
Conferences: September 24-25, 2008
Earn 1 CPE per hour of conference attendance

== [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008 ] ==

All classes begin at 9AM and end at 5:30PM

{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T1. Defensive Programming - 2-Days - $1350
|-
| style="background:#F2F2F2" | This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. [[:Category:OWASP_AppSec_Conference_Training#T1._Defensive_Programming_-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Jason Rouse, Technical Manager, [http://www.cigital.com/training/series http://www.owasp.org/images/b/be/Cigital_OWASP.GIF]'''
|-
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE - 2-Days - $1350
|-
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:
# Java EE security overview,
# All coding examples and recommendations are specifically focused on Java and Java servers, and
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.

[[:Category:OWASP_AppSec_Conference_Training#T2._Secure_Coding_for_Java_EE-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Dave Wichers: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
'''
|-
! align="center" style="background:#4058A0; color:white" | T3. Web Services and XML Security - 2-Days - $1350
|-
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. [[:Category:OWASP_AppSec_Conference_Training#T3._Web_Services_and_XML_Security_-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]
|-
! align="center" style="background:#4058A0; color:white" | T4. Advanced Web Application Security Testing - 2-Days - $1350
|-
| style="background:#F2F2F2" | Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. [[:Category:OWASP_AppSec_Conference_Training#T4._Advanced_Web_Application_Security_Testing_-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Eric Sheridan: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
! align="center" style="background:#4058A0; color:white" | T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675
|-
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. [[:Category:OWASP_AppSec_Conference_Training#T5._Leading_the_Development_of_Secure_Applications_-_1-Day_Course_-_Sep_22.2C_2008 | Learn More Here]]
Instructor: John Pavone: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
{| style="width:80%" border="0" align="center"
|-
! align="center" style="background:#4058A0; color:white" | T6. Building Secure Rich Internet Applications 1-Day - Sept 23rd- $675
|-
| style="background:#F2F2F2" | Rich Internet applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. This one day training addresses the special issues that arise in this type of application development. [[:Category:OWASP_AppSec_Conference_Training#T6._Building_Secure_Rich_Internet_Applications_-_1-Day_Course_-_Sep_23.2C_2008 | Learn More Here]]
Instructor: Arshan Dabirsiaghi: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
{| style="width:80%" border="0" align="center"

! align="center" style="background:#4058A0; color:white" | T8. Secure Coding for .NET - 2-Days - $1350
|-
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of .NET focused content, including:
# .NET security overview,
# All coding examples and recommendations are specifically focused on C#.NET and/or VB.NET and IIS servers, and
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a .NET application developed for the class. Both C# and VB.NET versions of the hands on coding labs are available.

[[:Category:OWASP_AppSec_Conference_Training#T8._Writing_Secure_Code_ASP.NET_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Jerry Hoff: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
|}

<h2> HOTELS / TRAVEL </h2>
[http://www.parkcentralny.com Park Central Hotel]

[http://maps.google.com/maps?near=7th+Ave+%26+W+56th+St,+New+York,+NY&geocode=&q=hotels&f=l&sll=40.766339,-73.980539&sspn=0.007654,0.02223&ie=UTF8&ll=40.764681,-73.980668&spn=0.007655,0.02223&z=16 Hotels close to the venue]

What is around APPSEC2008 - [http://www.parkcentralny.com/attractions/attractions.cfm Area Attractions]

New York City MTA: http://www.mta.nyc.ny.us/nyct/index.html

New York City Subway & walking directions: http://www.hopstop.com/?city=newyork

New York Sights & Sounds - SightsSounds

New York City Travel Guide - http://www.nytoday.com/

New York City Attractions - http://www.nycvisit.com

New York TV Show Tickets - Get free tickets to TV shows! - http://www.nytix.com/

New York City local news: http://www.ny1news.com

OWASP NYC AppSec 2008 Conference

2009-01-29T17:38:13Z

Adish:

__NOTOC__
== Introduction ==
This event was a great success, drawing together professionals from all around the world. Please see the agenda below for copies of the presentations and videos of all the talks!!

Conference Description: This vendor agnostic conference has tracks for management, security, audit and development professionals interested in the state of the appsec industry and its trends. Presented by some of the brightest people in the industry, this event is a must attend for anyone looking to improve their information security posture and threat awareness. With assistance from: [http://www.webappsec.org WASC], [http://www.nym-infragard.us NYM InfraGard], [http://aitglobal.com AITGlobal], [http://nyphp.org/index.php NYC PHP], [http://www.nycbug.org NYCBUG], [http://www.isacany.net NYC ISACA], [http://www.nymissa.org NYC ISSA] and our event co-sponsors you are invited to (2) days of hardcore hands-on training and (2) full days of Seminars and Technology Pavilion from the world's best application security technology minds, all held in the New York City, Midtown.
 
<h2>SEE BELOW FOR VIDEO AND SLIDES - [http://picasaweb.google.com/jinxpuppy CLICK HERE FOR PHOTOS]</h2>
<center> [http://www.linkedin.com/e/gis/36874 Join the OWASP Linked'In Group]
- - -
[https://www.owasp.org/index.php/Category:OWASP_Video For Previous OWASP Conference Video CLICK HERE]</center>
<hr>

== 2008 OWASP USA, NYC Conference Schedule – FULL VIDEO 50+ Speakers see below ==
{| style="width:80%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white" |

<h2>Day 1 – Sept 24th, 2008 </h2>
|-
| style="width:10%; background:#7B8ABD" | || style="width:30%; background:#BC857A" | Track 1: BALLROOM
| style="width:30%; background:#BCA57A" | Track 2: SKYLINE
| style="width:30%; background:#99FF99" | Track 3: TIMESQUARE
|-
| style="width:10%; background:#7B8ABD" | 07:30-08:50 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | Doors Open for Attendee/Speaker Registration
''avoid lines come early get your caffeine fix and use free wifi''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | '''OWASP Version 3.0 who we are, how we got here and where we are going?''' 
''OWASP Foundation: [[Contact | Jeff Williams]], [[Contact | Dinis Cruz]], [[Contact | Dave Wichers]], [[Contact | Tom Brennan]], [[Contact | Sebastien Deleersnyder]]'' 
<center>{{#ev:googlevideo|-228977859802026041}}</center> 
[http://www.owasp.org/images/b/b7/AppSecNYC08-Delivering_AppSec_Info.ppt Dave Wicher's Slides] / Jeff William's Slides / Dinis Cruz's Slides
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="center" | '''[[AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008 | Analysis of the Web Hacking Incidents Database (WHID)]]''' 
''[http://blog.shezaf.com Ofer Shezaf]'' 
[http://video.google.com/videoplay?docid=1130960689238372157&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[http://www.webappsecroadmap.com Web Application Security Road Map]''' 
''[http://joesecurity.blogspot.com Joe White]'' 
[http://video.google.com/videoplay?docid=-237406228011458703&hl=en VIDEO] / [https://sites.google.com/a/webappsecroadmap.com/main/announcements/owasp-appsec-2008-presentation-has-been-uploaded SLIDES]
| style="width:30%; background:#99FF99" align="center" |
'''[https://buildsecurityin.us-cert.gov/swa/acqwg.html DHS Software Assurance Initiatives]''' 
''[http://www.linkedin.com/pub/0/ab/3b7 Stan Wisseman] & [http://www.linkedin.com/pub/1/439/923 Joe Jarzombek]'' 
[http://video.google.com/videoplay?docid=-6505795148329572484&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="center" |
'''Http Bot Research''' 
''[http://www.shadowserver.org/wiki/pmwiki.php?n=Shadowserver.Mission Andre M. DiMino - ShadowServer Foundation]'' 
[http://video.google.com/videoplay?docid=1400503643786264015&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''OWASP "Google Hacking" Project''' 
''[http://www.linkedin.com/in/ChristianHeinrich Christian Heinrich]'' 
[http://video.google.com/videoplay?docid=5419982525671711780&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''MalSpam Research''' 
'' [http://www.knujon.com/bios.html Garth Bruen]'' 
[http://video.google.com/videoplay?docid=-8813268235790993111&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [[OWASP_NYC_AppSec_2008_Conference/ctf | Capture the Flag]] Sign-Up
''LUNCH - Provided by event sponsors @ TechExpo''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:45 || style="width:30%; background:#BC857A" align="center" |
'''Get Rich or Die Trying - Making Money on The Web, The Black Hat Way''' 
''[http://www.linkedin.com/in/treyford Trey Ford], [http://www.linkedin.com/in/tombrennan Tom Brennan], [http://www.linkedin.com/pub/0/205/77a Jeremiah Grossman]'' 
[http://video.google.com/videoplay?docid=-7209323310151363553&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Framework-level Threat Analysis: Adding Science to the Art of Source-code review''' 
''[[OWASP_NYC_AppSec_2008_Conference-rohit-sethi | Rohit Sethi]] & [[OWASP_NYC_AppSec_2008_Conference-sahba-kazerooni | Sahba Kazerooni]]'' 
[http://video.google.com/videoplay?docid=8935251380629216945&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''Automated Web-based Malware Behavioral Analysis''' 
''[http://www.linkedin.com/pub/3/359/b1a Tyler Hudak]'' 
[http://video.google.com/videoplay?docid=4204600308807371535&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="center" |
'''[http://blogs.adobe.com/psirt/2008/09/thanks_to_jeremiah_grossman_an.html New 0-Day Browser Exploits: Clickjacking - yea, this is bad...]''' 
''[http://jeremiahgrossman.blogspot.com Jeremiah Grossman] & [http://ha.ckers.org/blog/about Robert "RSnake" Hansen]'' 
[http://video.google.com/videoplay?docid=-5747622209791380934&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Web Intrusion Detection with ModSecurity''' 
''[http://www.breach.com/company/executive-team/ Ivan Ristic]'' 
[http://video.google.com/videoplay?docid=-7391448618249578180&hl=en VIDEO] / [[Media:OWASP_NYC_2008-Web_Intrusion_Detection_with_ModSecurity.pdf|SLIDES]]
| style="width:30%; background:#99FF99" align="center" |
'''Using Layer 8 and OWASP to Secure Web Applications''' 
''[http://www.linkedin.com/in/davidstern2000 David Stern] & [http://www.linkedin.com/in/romangarber Roman Garber]'' 
[http://video.google.com/videoplay?docid=-3883297889781954509&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="center" | '''Application Security Industry Outlook Panel:''' 
''[http://www.linkedin.com/pub/0/497/86a Jim Routh] CISO DTCC, 
[http://www.linkedin.com/pub/0/bb1/68a Sunil Seshadri] CISO NYSE-Euronet, 
[http://www.linkedin.com/in/bernik Joe Bernik] SVP, RBS Americas, 
[http://www.linkedin.com/pub/8/878/240 Jennifer Bayuk] Infosec Consultant, 
[http://www.linkedin.com/in/philvenables Philip Venables] CISO, Goldman Sachs, 
[http://www.linkedin.com/in/crecalde Carlos Recalde] SVP, Lehman Brothers, 
Moderator: [http://www.linkedin.com/in/mahidontamsetti Mahi Dontamsetti]'' 
[http://video.google.com/videoplay?docid=-7051719323294878516&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[http://www.owasp.org/index.php/Security_Assessing_Java_RMI Security Assessing Java RMI] ''' 
''[http://www.linkedin.com/in/adamboulton Adam Boulton]'' 
[http://video.google.com/videoplay?docid=1673714450539106400&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''JBroFuzz 0.1 - 1.1: Building a Java Fuzzer for the Web''' 
''[[OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou | Yiannis Pavlosoglou]]'' 
[http://video.google.com/videoplay?docid=-1551704659206071145&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="center" |
'''OWASP Testing Guide - Offensive Assessing Financial Applications''' 
'' [[OWASP_NYC_AppSec_2008_Conference-daniel-cuthbert | Daniel Cuthbert]]'' 
[http://video.google.com/videoplay?docid=-3228312539505217121&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Flash Parameter Injection (FPI)''' 
''Ayal Yogev & Adi Sharabani'' 
[http://video.google.com/videoplay?docid=7818654218575619118&hl=en VIDEO] / [http://blog.watchfire.com/FPI.ppt SLIDES] / [http://blog.watchfire.com/FPI.pdf Paper]
| style="width:30%; background:#99FF99" align="center" |
'''[[OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho | w3af - A Framework to own the web]]''' 
''Andres Riancho'' 
[http://video.google.com/videoplay?docid=4354579888802327250&hl=en VIDEO] / VIDEO
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="center" |
'''OWASP Enterprise Security API [[ESAPI | (ESAPI) Project]]''' 
'' [http://www.aspectsecurity.com/management.htm Jeff Williams]'' 
[http://video.google.com/videoplay?docid=-2912157383449643073&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Cross-Site Scripting Filter Evasion''' 
''Alexios Fakos'' 
[http://video.google.com/videoplay?docid=-6974576754943514571&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''[[OWASP_NYC_AppSec_2008_Conference-SPEAKER-GunterOllmann | Multidisciplinary Bank Attacks]]''' 
''Gunter Ollmann'' 
[http://video.google.com/videoplay?docid=3041861094296331549&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || style="width:30%; background:#BC857A" align="center" |
'''Open Discussion On Application Security''' 
''Joe Bernik & Steve Antoniewicz'' 
[http://video.google.com/videoplay?docid=6718671647859572098&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Mastering PCI Section 6.6''' 
''[http://www.linkedin.com/pub/1/228/6a5 Taylor McKinley] and [http://www.linkedin.com/in/jacobwest Jacob West]'' 
[http://video.google.com/videoplay?docid=-2544477786674220116&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''Case Studies: Exploiting application testing tool deficiencies via "out of band" injection''' 
''[http://www.linkedin.com/pub/0/a91/aa2 Vijay Akasapu] & [http://www.linkedin.com/pub/9/279/381 Marshall Heilman]'' 
[http://video.google.com/videoplay?docid=7623989457736720764&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 18:00-18:45 || style="width:30%; background:#BC857A" align="center" |
'''[http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project Spearfishing and the OWASP Live CD]''' 
''[http://www.linkedin.com/in/packetfocus Joshua Perrymon]'' 
[http://video.google.com/videoplay?docid=-4419524791864555496&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Phundamental Security - Coding Secure w/PHP''' 
''[http://www.linkedin.com/in/zaunere Hans Zaunere]'' 
[http://video.google.com/videoplay?docid=3477751371038020741&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''[[Payment_Card_Data_Security_and_the_new_Enterprise_Java | Payment Card Data Security and the new Enterprise Java]]''' 
''[[OWASP_NYC_AppSec_2008_Conference-SPEAKER-Dr._B._V._Kumar | Dr. B. V. Kumar]] & [[OWASP_NYC_AppSec_2008_Conference-SPEAKER-Abhay_Bhargav | Mr. Abhay Bhargav]]'' 
[http://video.google.com/videoplay?docid=4488848043144792234&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 19:00-20:00 || style="width:30%; background:#BC857A" align="center" |
'''OWASP Chapter Leader / Project Leader working session''' 
''OWSAP Board/Chapter Leaders''
| style="width:30%; background:#BCA57A" align="center" |
'''(ISC)2 Cocktail Hour''' 
All welcome to attend for a special announcement presented by: 
[https://www.isc2.org/cgi-bin/content.cgi?page=351 W. Hord Tipton, Executive Director of (ISC)2]
| style="width:30%; background:#99FF99" align="center" |
'''Technology Movie Night''' 
''[http://www.youtube.com/watch?v=LlKDkTbUFhU&feature=related Sneakers], [http://www.youtube.com/watch?v=tAcEzhQ7oqA WarGames], [http://hackersarepeopletoo.com HackersArePeopleToo], [http://www.youtube.com/watch?v=4Be-ZzcXVLw TigerTeam]'' 
from 19:00 - 23:00

|-
| style="width:10%; background:#7B8ABD" | 20:00-23:00+ || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Event Party/Reception Event badge required for admission [[OWASP_NYC_AppSec_2008_Conference/ctf | Food, Drinks w/ New & Old Friends - break out the laptop and play capture the flag for fun and prizes.]] ''Location: HOTEL BALLROOM''
 
|-
! colspan="10" align="center" style="background:#4058A0; color:white" |

<h2>Day 2 – Sept 25th, 2008 </h2>
|-
| style="width:10%; background:#99FF99" | 08:00-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | BREAKFAST - Provided by event sponsors @ TechExpo

|-
| style="width:10%; background:#7B8ABD" | 08:00-08:45 || style="width:30%; background:#BC857A" align="center" |
'''Software Development and Management: The Last Security Frontier''' 
''[http://blog.isc2.org/isc2_blog/tipton/index.html W. Hord Tipton], CISSP-ISSEP, CAP, CISA, CNSS and former Chief Information Officer for the U.S. Department of the Interior Executive Director and member of the Board of Directors, (ISC)²'' 
[http://video.google.com/videoplay?docid=-4023599059084294937&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[[AppSecEU08_Best_Practices_Guide_Web_Application_Firewalls | Best Practices Guide for Web Application Firewalls]]''' 
''Alexander Meisel'' 
[http://video.google.com/videoplay?docid=-2977259539412442033&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''The Good The Bad and The Ugly - Pen Testing VS. Source Code Analysis
''' 
''[http://www.linkedin.com/in/tommyryan Thomas Ryan]'' 
[http://video.google.com/videoplay?docid=-442445248884665643&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || style="width:30%; background:#BC857A" align="center" |
'''OWASP Web Services Top Ten''' 
''[http://1raindrop.typepad.com Gunnar Peterson]'' 
[http://video.google.com/videoplay?docid=5680040858618100893&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[http://www.trutv.com/video/tiger-team/tiger-team-101-1-of-4.html Red And Tiger Team Application Security Projects]''' 
''[http://www.linkedin.com/pub/1/373/994 Chris Nickerson]'' 
[http://video.google.com/videoplay?docid=-1638710543904774703&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''OpenSource Tools''' 
''Prof. Li-Chiou Chen & Chienitng Lin, [http://www.pace.edu/page.cfm?doc_id=16399 Pace Univ]'' 
[http://video.google.com/videoplay?docid=6174945058170583976&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="center" |
'''Building a tool for Security consultants: A story of a customized source code scanner''' 
''Dinis Cruz'' 
[http://video.google.com/videoplay?docid=5269154656993046978&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''"Help Wanted" [http://www.infosecleaders.com/survey 7 Things You Need to Know APPSEC/INFOSEC Employment]''' 
''[http://www.linkedin.com/pub/0/29/685 Lee Kushner]'' 
[http://video.google.com/videoplay?docid=5330096815878108179&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''Industry Analysis with Forrester Research''' 
''[http://www.forrester.com/rb/analyst/chenxi_wang Chenxi Wang]'' 
[http://video.google.com/videoplay?docid=1391450504589087806&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="center" |
'''Software Assurance Maturity Model (SAMM)''' 
''Pravir Chandra'' 
[http://video.google.com/videoplay?docid=-7453282550277559385&hl=en VIDEO] / [https://www.owasp.org/images/2/2e/OWASP_CLASP_SAMM.ppt SLIDES]
| style="width:30%; background:#BCA57A" align="CENTER" |
'''Security in Agile Development''' 
''[[User:Wichers | Dave Wichers]]'' 
[http://video.google.com/videoplay?docid=-8287209466278543377&hl=en VIDEO] / [http://www.owasp.org/images/a/a3/AppSecNYC08-Agile_and_Secure.ppt SLIDES]
| style="width:30%; background:#99FF99" align="center" |
'''Secure Software Impact''' 
''[http://ouncelabs.com/company/team.asp Jack Danahy]'' 
[http://video.google.com/videoplay?docid=-3851913297265683210&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:45 || style="width:30%; background:#BC857A" align="center" |
'''Next Generation Cross Site Scripting Worms ''' 
''[http://i8jesus.com/?page_id=5 Arshan Dabirsiaghi]'' 
[http://video.google.com/videoplay?docid=-2782535918275323123&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Security of Software-as-a-Service (SaaS)''' 
''[http://www.linkedin.com/pub/6/372/45a James Landis]'' 
[http://video.google.com/videoplay?docid=-513622114181563795&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''[http://reversebenchmarking.com/About.html Open Reverse Benchmarking Project]''' 
''Marce Luck & [http://www.linkedin.com/pub/1/507/616 Tom Stracener]'' 
[http://video.google.com/videoplay?docid=4352770935920515328&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [[OWASP_NYC_AppSec_2008_Conference/ctf | Capture the Flag]] Status
''LUNCH - Provided @ TechExpo''
|-
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="center" |
'''[[NIST SAMATE Static Analysis Tool Exposition (SATE) | NIST and SAMATE Static Analysis Tool Exposition (SATE)]]''' 
''[[OWASP_NYC_AppSec_2008_Conference-vadim-okun | Vadim Okun]]'' 
[http://video.google.com/videoplay?docid=-7567012344169452280&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[[User_talk:Jian | Lotus Notes/Domino Web Application Security]]''' 
''[[User_talk:Jian | Jian Hui Wang]]'' 
[http://video.google.com/videoplay?docid=8645149711234878540&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''Shootout @ Blackbox Corral''' 
''Larry Suto'' 
[http://video.google.com/videoplay?docid=-1565567642122481539&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="center" |
'''Practical Advanced Threat Modeling''' 
''John Steven'' 
[http://video.google.com/videoplay?docid=-734106766899160289&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[http://www.owasp.org/index.php/Category:OWASP_Orizon_Project The OWASP Orizon Project: towards version 1.0]''' 
''[[User:Thesp0nge | Paolo Perego]]'' 
[http://video.google.com/videoplay?docid=-9104434795648450379&hl=en VIDEO] / [http://www.owasp.org/index.php/Image:The_Owasp_Orizon_Project_Towards_version_1.0_v1.0.ppt#file SLIDES]
| style="width:30%; background:#99FF99" align="center" |
'''[[Building_Usable_Security | Building Usable Security]]''' 
''[[Zed_Abbadi | Zed Abbadi]]'' 
[http://video.google.com/videoplay?docid=8782541141810029760&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="center" |
'''Off-shoring Application Development? Security is Still Your Problem''' 
''Rohyt Belani'' 
[http://video.google.com/videoplay?docid=1042293104444687505&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''[[OWASP_EU_Summit_2008 | OWASP EU Summit Portugal]]''' 
''Dinis Cruz'' 
[http://video.google.com/videoplay?docid=-7044581008789784268&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''A Security Architecture Case Study''' 
''[http://johanpeeters.com Johan Peeters]'' 
[http://video.google.com/videoplay?docid=-4553372140069628300&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="center" |
'''Vulnerabilities in application interpreters and runtimes''' 
''Erik Cabetas'' 
[http://video.google.com/videoplay?docid=7859413573034669384&hl=en VIDEO] / SLIDES
| style="width:30%; background:#BCA57A" align="center" |
'''Cryptography For Penetration Testers''' 
''Chris Eng'' 
[http://video.google.com/videoplay?docid=-5187022592682372937&hl=en VIDEO] / SLIDES
| style="width:30%; background:#99FF99" align="center" |
'''Memory Corruption and Buffer Overflows''' 
''[http://www.immunitysec.com Dave Aitel]'' 
[http://video.google.com/videoplay?docid=-1012125050474412771&hl=en VIDEO] / SLIDES
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Event Wrap-Up / Speaker & CTF Awards and Sponsor Raffles'''

<center>{{#ev:googlevideo|8211027328063203438}}</center> 
[http://video.google.com/videoplay?docid=8211027328063203438&hl=en VIDEO]
|-
| style="width:10%; background:#7B8ABD" | 18:30-19:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Foundation, Chapter Leader Meeting - to collect ideas to make OWASP better!
|}

 
<center> So did you like the content? Lets us know.. [http://www.owasp.org/index.php/Contact Contact Us] </center>
 

== EVENT SPONSORS ==

<hr>
<center>[https://www.owasp.org/images/b/bc/APPSEC2008Sponsor.pdf Diamond Sponsor] - [http://www.imperva.com http://www.owasp.org/images/d/de/Imperva_2color_RGB.jpg] 
 [https://www.owasp.org/images/b/bc/APPSEC2008Sponsor.pdf Platinum Sponsor] - [http://www.cenzic.com https://www.owasp.org/images/b/bf/CenzicLogo_RGB.gif] - [http://www.whitehatsec.com http://www.owasp.org/images/archive/4/4d/20080703021901%21Whitehat.gif] - [http://www-935.ibm.com/services/us/gbs/app/html/gbs_applicationservices.html?cm_re=masthead-_-business-_-apps-allappserv https://www.owasp.org/images/4/47/Ibm.jpg] </center> 
[https://www.owasp.org/images/b/bc/APPSEC2008Sponsor.pdf Gold, Silver, Expo & Other Sponsors] - [http://www.isc2.org http://www.owasp.org/images/4/45/Isc2logo.gif] - [http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg] - [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif] - [http://www.qualys.com https://www.owasp.org/images/a/ae/Qualys.gif] - [http://www.ouncelabs.com https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg] - [http://www.fortify.com https://www.owasp.org/images/a/ac/Fortify.jpg] - [http://www.cigital.com/ https://www.owasp.org/images/b/be/Cigital_OWASP.GIF] - [http://www.acunetix.com https://www.owasp.org/images/e/eb/Acuneti.gif] - [http://www.denimgroup.com http://www.owasp.org/images/5/56/Denimgroup.jpg] - [http://www.accessitgroup.com https://www.owasp.org/images/6/6d/Accessit.JPG] -
[http://www.fishnetsecurity.com https://www.owasp.org/images/4/4a/Fishnet_security.png] - [http://www.airtightnetworks.net https://www.owasp.org/images/8/8b/Airtight.gif] -
[http://www.artofdefence.com https://www.owasp.org/images/d/dc/AOD_Logo.gif] -
[http://www.securityuniversity.net https://www.owasp.org/images/0/0d/Security_university.jpg] -
[http://www.breach.com https://www.owasp.org/images/9/9c/Breach_logo.gif] - [http://www.armorize.com https://www.owasp.org/images/c/ce/Armorize_Logo.png] -[http://www.barracudanetworks.com/ https://www.owasp.org/images/a/a2/Barracuda_Color_Logo.jpg] - [http://www.symantec.com https://www.owasp.org/images/2/26/New_Symantec_Logo.jpg] - [http://www.prevalent.net https://www.owasp.org/images/4/47/Prev_Logo_with_Tag_Line.jpg] - [http://www.mclabs.com https://www.owasp.org/images/9/91/MicroTek.jpg] - [http://www.protiviti.com https://www.owasp.org/images/c/cf/Protiviti.jpg]
 
<center>[https://www.owasp.org/images/b/bc/APPSEC2008Sponsor.pdf Sponsorship Opportunities]</center>
<hr>

== CPE Credits ==

Much of the content is eligible for CPE credits. Please check with your institution regarding specific requirements.

'''The CISM cpe policy (www.isaca.org/cismcpepolicy) states''':

One continuing professional education hour is earned for each fifty minutes of active participation (excluding lunches and breaks) in a professional educational activity. Continuing professional education hours are only earned in full-hour increments and rounding must be down. For example, a CISA who attends an eight-hour presentation (480 minutes) with 90 minutes of breaks will earn seven (7) continuing professional education hours.

Activities that qualify for CPE must be directly applicable to the management, design or assessment of an enterprise's information security as per the CISM job practice"

'''Earn (ISC)2 CPE Credits at 2008 OWASP USA, NYC'''

Attendance at the 2008 OWASP NYC Training Courses or Conferences will earn you Continuing Professional Education (CPE) credits as follows:
Training Courses: September 22-23, 2008
• 16 CPE units for 2 days of training (Monday - Tuesday)
• 8 CPE units for 1 day of training (Monday or Tuesday Only)
Conferences: September 24-25, 2008
Earn 1 CPE per hour of conference attendance

== [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008 ] ==

All classes begin at 9AM and end at 5:30PM

{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T1. Defensive Programming - 2-Days - $1350
|-
| style="background:#F2F2F2" | This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. [[:Category:OWASP_AppSec_Conference_Training#T1._Defensive_Programming_-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Jason Rouse, Technical Manager, [http://www.cigital.com/training/series http://www.owasp.org/images/b/be/Cigital_OWASP.GIF]'''
|-
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE - 2-Days - $1350
|-
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:
# Java EE security overview,
# All coding examples and recommendations are specifically focused on Java and Java servers, and
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.

[[:Category:OWASP_AppSec_Conference_Training#T2._Secure_Coding_for_Java_EE-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Dave Wichers: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
'''
|-
! align="center" style="background:#4058A0; color:white" | T3. Web Services and XML Security - 2-Days - $1350
|-
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. [[:Category:OWASP_AppSec_Conference_Training#T3._Web_Services_and_XML_Security_-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]
|-
! align="center" style="background:#4058A0; color:white" | T4. Advanced Web Application Security Testing - 2-Days - $1350
|-
| style="background:#F2F2F2" | Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. [[:Category:OWASP_AppSec_Conference_Training#T4._Advanced_Web_Application_Security_Testing_-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Eric Sheridan: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
! align="center" style="background:#4058A0; color:white" | T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675
|-
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. [[:Category:OWASP_AppSec_Conference_Training#T5._Leading_the_Development_of_Secure_Applications_-_1-Day_Course_-_Sep_22.2C_2008 | Learn More Here]]
Instructor: John Pavone: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
{| style="width:80%" border="0" align="center"
|-
! align="center" style="background:#4058A0; color:white" | T6. Building Secure Rich Internet Applications 1-Day - Sept 23rd- $675
|-
| style="background:#F2F2F2" | Rich Internet applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. This one day training addresses the special issues that arise in this type of application development. [[:Category:OWASP_AppSec_Conference_Training#T6._Building_Secure_Rich_Internet_Applications_-_1-Day_Course_-_Sep_23.2C_2008 | Learn More Here]]
Instructor: Arshan Dabirsiaghi: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
{| style="width:80%" border="0" align="center"

! align="center" style="background:#4058A0; color:white" | T8. Secure Coding for .NET - 2-Days - $1350
|-
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of .NET focused content, including:
# .NET security overview,
# All coding examples and recommendations are specifically focused on C#.NET and/or VB.NET and IIS servers, and
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a .NET application developed for the class. Both C# and VB.NET versions of the hands on coding labs are available.

[[:Category:OWASP_AppSec_Conference_Training#T8._Writing_Secure_Code_ASP.NET_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Jerry Hoff: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
|}

<h2> HOTELS / TRAVEL </h2>
[http://www.parkcentralny.com Park Central Hotel]

[http://maps.google.com/maps?near=7th+Ave+%26+W+56th+St,+New+York,+NY&geocode=&q=hotels&f=l&sll=40.766339,-73.980539&sspn=0.007654,0.02223&ie=UTF8&ll=40.764681,-73.980668&spn=0.007655,0.02223&z=16 Hotels close to the venue]

What is around APPSEC2008 - [http://www.parkcentralny.com/attractions/attractions.cfm Area Attractions]

New York City MTA: http://www.mta.nyc.ny.us/nyct/index.html

New York City Subway & walking directions: http://www.hopstop.com/?city=newyork

New York Sights & Sounds - SightsSounds

New York City Travel Guide - http://www.nytoday.com/

New York City Attractions - http://www.nycvisit.com

New York TV Show Tickets - Get free tickets to TV shows! - http://www.nytix.com/

New York City local news: http://www.ny1news.com

OWASP Israel 2008 Conference at the Interdisciplinary Center Herzliya (IDC)

2008-09-04T12:31:56Z

Adish:

{{Template:OWASP_IL_2008_Sponsors}}

== Time and Location ==

The OWASP Israel 2008 conference will be held on September 14th at the Interdisciplinary Center Herzliya from 8:30 to 17:00. This time we are raising the bar and will be holding a full day '''two tracks''' event. The tracks would be split according by level: a beginners track and an experts track.

You can find the IDC on
[http://local.google.com/maps?f=q&hl=en&q=%D7%94%D7%9E%D7%A8%D7%9B%D7%96+%D7%94%D7%91%D7%99%D7%9F+%D7%AA%D7%97%D7%95%D7%9E%D7%99+%D7%94%D7%A8%D7%A6%D7%9C%D7%99%D7%94,+%D7%94%D7%A8%D7%A6%D7%9C%D7%99%D7%94,+Israel&sll=32.166567,34.812605&sspn=0.007974,0.019312&ie=UTF8&cd=1&geocode=FbD26gEdeo0TAg&ll=32.177047,34.835844&spn=0.007973,0.019312&z=16&iwloc=addr Google map] or use the [http://portal.idc.ac.il/he/Main/about_idc/campus_tour/Pages/MapsDirections.aspx instructions] on the IDC web site. Signs at the Campus will lead you the conference halls.

== Registration ==

The conference is '''free and open to all''', but please register by sending an e-mail to me at ofer@shezaf.com. We need to know how many people will arrive in order to be prepared.

== Agenda ==

(Not final, minor changes and additions possible)

{| class="wikitable" <hiddentext>generated with [[:de:Wikipedia:Helferlein/VBA-Macro for EXCEL tableconversion]] V1.7<\hiddentext>

|- style="background-color:#000000;font-size:11pt;font-weight:bold;color:#FFFFFF" valign="top"

| width="315" height="16" | Title

| width="156" | Presentation

| width="91" | Copmany
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"

| height="15" | [[OWASP_Israel_2008_Conference_Erez_Metula|.NET Framework rootkits - backdoors inside your Framework]]

| Erez Metula

| 2Bsecure
|- style="font-size:11pt" valign="top"

| height="30" | [[OWASP_Israel_2008_Conference_Ivan_Ristic|No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling]]

| Ivan Ristic

| Breach
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"

| height="15" | [http://www.owasp.org/index.php/AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008 Trends in Web Hacking: What's hot in 2008]

| Ofer Shezaf

| Breach
|- style="font-size:11pt" valign="top"

| height="30" | [[OWASP_Israel_2008_Conference_Amichai_Shulman|Web Application Security and Search Engines – Beyond Google Hacking]]

| Amichai Shulman

| Imperva
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"

| height="15" | [[OWASP_Israel_2008_Conference_Yuli_Stremovsky|GreenSQL - an open source database security gateway]]

| Yuli Stremovsky

|  
|- style="font-size:11pt" valign="top"

| height="15" | [[OWASP_Israel_2008_Conference_Alon_Roser|eVoting]]

| Dr. Alon Roser

| IDC
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"

| height="15" | [[OWASP_Israel_2008_Conference_Adi_Sharabani|Black Box vs. White Box - pros and cons]]

| Adi Sharabani & Yinnon Haviv

| IBM/Watchfire
|- style="font-size:11pt" valign="top"

| height="15" | [[OWASP_Israel_2008_Conference_Ofer_Maor|Testing the Tester – Measuring Quality of Security Testing]]

| Ofer Maor

| Hacktics
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"

| height="15" | [[OWASP_Israel_2008_Conference_Shai_Chen|Achilles’ heel – Hacking Through Java Protocols]]

| Shai Chen

| Hacktics
|- style="font-size:11pt" valign="top"

| height="15" | [[OWASP_Israel_2008_Conference_Amir_Herzberg|Defending against Phishing without Client-side Code]]

| Prof. Amir Herzberg

| Bar Ilan Univeristy
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"

| height="30" | [[OWASP_Israel_2008_Conference_Ronen_Bachar|Automated Crawling & Security Analysis of Flash/Flex based Web Applications]]

| Ronen Bachar

| IBM/Watchfire
|- style="font-size:11pt" valign="top"

| height="15" | [[OWASP_Israel_2008_Conference_Maty_Siman|Application Security - The code analysis way]]

| Maty Siman

| Checkmarx
|- style="background-color:#D8D8D8;font-size:11pt" valign="top"

| height="15" | [[OWASP_Israel_2008_Conference_David_Movshovitz|AJAX - new technologies new threats]]

| Dr. David Movshovitz

| IDC
|- style="font-size:11pt" valign="top"

| height="16" | [[OWASP_Israel_2008_Conference_Ohad_Ben_Cohen|Korset: Code-based Intrusion Detection System for Linux]]

| Ohad Ben-Cohen

|  
|}

Note that the [[OWASP_Israel_2008_Conference_Turbo_Talks|Turbo Talk (Rump) Session]] is still open for submissions.

== Call for participation ==

Being a community event, we are staring a call for involvement, which means it is the time to speak up if you want to:

* [[OWASP_Israel_2008_Conference_Turbo_Talks|Turbo Talk (Rump) Session]] - a new feature in this conference, consisting of a series of 5-minute talks.
: The deadline for submissions for the rump session is '''Monday, September 8, 2008'''.
* [[OWASP IL Sponsorship|Call for sponsors]]
* Help in organizing
* Otherwise participate (plenty of time for that, but if you know you will come, speak up)

'''This is also a good time to raise other ideas you have regarding the conference'''. Many of you have been to previous conferences and have great ideas, so don't be shy and speak up.

== Agenda ==

The [[OWASP_IL_CFP|CFP]] is underway and the program would be published by mid August.

== The people behind the conference ==

OWASP Israel is made by the people who contribute their time and brain to its success. The following people are working to ensure that OWASP Israel 2008 is a success.

If you feel that you also can contribute or have interesting ideas regarding the conference, don't hesitate to contact me.

=== Steering Committee ===

The steering committee includes prominent individuals in the field of information security and help set the program for the conference:

* Adi Sharabani (IBM)
* Dr. David Movshovitz (Interdisciplinary Center Herzliya)
* Ofer Maor (Hacktics)
* Ofer Shezaf (Breach Security)
* Ory Segal (IBM)
* Shay Zalalichin (ComSec)
* Yossi Oren (Proxy Software Systems)

=== Organization Committee ===

The organization committee is in charge of making this all happen:

* Dr. Anat Bremler-Barr (Interdisciplinary Center Herzliya)
* Daniel Kallner
* Ofer Shezaf (Breach Security)
* Shay Shuker

~ [[User:Oshezaf|Ofer Shezaf]],Conference Chair 
[mailto:ofer@shezaf.com ofer@shezaf.com]

[[Category:OWASP Israel 2008]]

OWASP NYC AppSec 2008 Conference

2008-07-09T17:00:19Z

Adish: /* 2008 OWASP USA, NYC Conference Schedule – Sept 24th - Sept 25th */

= 2008 OWASP USA, NYC =
Last Update: {{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}

<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/6/61/Banner2_irfan.jpg]</center>
 
<hr>
<center>[http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Diamond Sponsor] 1/1 - [http://www.imperva.com http://www.owasp.org/images/d/de/Imperva_2color_RGB.jpg] 
 [https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Platinum Sponsor] 2/3 - [http://www.whitehatsec.com http://www.owasp.org/images/archive/4/4d/20080703021901%21Whitehat.gif] - [http://www.cenzic.com/ https://www.owasp.org/images/b/bf/CenzicLogo_RGB.gif] - [http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf http://www.owasp.org/images/f/f8/Sponsorsm.gif] </center> 
[http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Gold, Silver & Other Sponsors] - [http://www.isc2.org http://www.owasp.org/images/4/45/Isc2logo.gif] - [http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg] - [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif] - [http://www.foundstone.com/us/education-overview.asp http://www.owasp.org/images/2/26/Foundstone.jpg] - [http://www.proactiverisk.com https://www.owasp.org/images/9/97/Proactiverisk_logo.jpg] - [http://www.ouncelabs.com https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg] - [http://www.fortify.com https://www.owasp.org/images/a/ac/Fortify.jpg] - [http://www.cigital.com/ https://www.owasp.org/images/b/be/Cigital_OWASP.GIF] - [http://www.accessitgroup.com https://www.owasp.org/images/6/6d/Accessit.JPG] - [http://evangelyze.net/marketing.asp https://www.owasp.org/images/1/10/Evlogo.jpg] - [http://www.arctecgroup.net http://www.owasp.org/images/b/bf/Arctec.jpg] - [http://www.airtightnetworks.net https://www.owasp.org/images/8/8b/Airtight.gif] - [http://www.securityuniversity.net/ https://www.owasp.org/images/0/0d/Security_university.jpg] - [http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf http://www.owasp.org/images/f/f8/Sponsorsm.gif]
 
<center>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Sponsorship Opportunities] -- [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-PRESS Press Registration] -- [http://www.owasp.org/index.php/Member_Offers Other OWASP Member Offers] </center>
<hr>
In association with: [http://www.webappsec.org WASC], [http://www.nym-infragard.us NYM InfraGard], [http://aitglobal.com AITGlobal], [http://nyphp.org/index.php NYC PHP], [http://www.nycbug.org NYCBUG], [http://www.isacany.net ISACA], [http://www.issa.org ISSA] and [http://www.pace.edu Pace University] you're invited to (2) days of Seminars and Technology Pavilion from the world's best application security technology minds, (2) days of hardcore hands-on training, all held at [http://www.pace.edu/page.cfm?doc_id=16157 Pace University], located in downtown New York City at One Pace Plaza New York, NY 10038. Event Fees: $350 Members / $400 Non-Members / $200 for Students for [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference#OWASP_NYC_AppSec_2008_Training_Courses_-_September_22nd_and_23rd.2C_2008 2 days of hands on training classes] are also available.
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]
To Get more involved and discuss this upcoming event [http://owaspfoundation.ning.com click here for forums] or visit other OWASP [http://www.owasp.org/index.php/Member_Offers member offers]
</center>

== 2008 OWASP USA, NYC Conference Schedule – Sept 24th - Sept 25th ==
<center>[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/speakeragreement OWASP Speaker Agreement]</center>
{| style="width:80%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white" | Day 1 – Sept 24th, 2008
|-
| style="width:10%; background:#7B8ABD" | || style="width:30%; background:#BC857A" | Track 1:
| style="width:30%; background:#BCA57A" | Track 2:
| style="width:30%; background:#99FF99" | Track 3:
|-
| style="width:10%; background:#7B8ABD" | 07:30-10:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Doors Open for Attendee/Speaker Registration & [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference#Technology_Pavilion_-_September_24th_and_25th Exhibit/Sponsor Area]'''

|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP Version 3.0 who we are, where we are.. where we are going
''[http://www.owasp.org/index.php/Contact OWASP Foundation]: Jeff Williams, Dinis Cruz, Dave Wichers, Tom Brennan, Sebastien Deleersnyder, Paolo Perego, Kate Hartmann & Alison Shrader
''
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008 Analysis of the Web Hacking Incidents Database (WHID)]
''[http://blog.shezaf.com Ofer Shezaf]''
| style="width:30%; background:#BCA57A" align="left" | [http://www.webappsecroadmap.com Web Application Security Road Map] 
''[http://joesecurity.blogspot.com Joe White]''
| style="width:30%; background:#99FF99" align="left" |[https://buildsecurityin.us-cert.gov/swa/acqwg.html Enhancing the software acquisition process to address software assurance issues.]
''Stan Wisseman''
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="left" | Web Security Education using Open Source Tools
''Prof. Li-Chiou Chen & Chienitng Lin, [http://www.pace.edu/page.cfm?doc_id=16399 Pace Univ]''
| style="width:30%; background:#BCA57A" align="left" | Http Bot Research
''[http://www.shadowserver.org/wiki/pmwiki.php?n=Shadowserver.Mission Andre M. DiMino - ShadowServer Foundation]''
| style="width:30%; background:#99FF99" align="left" | MalSpam Research
'' [http://www.knujon.com/bios.html Garth Bruen]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Capture the Flag] Sign-Up
''LUNCH - Provided by event sponsors @ TechExpo''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:30 || style="width:30%; background:#BC857A" align="left" | e-Gateway
''[http://www.linkedin.com/in/tommyryan Tom Ryan]''
| style="width:30%; background:#BCA57A" align="left" | Framework-level Threat Analysis: Adding Science to the Art of Source-code review
''Nishchal Bhalla''
| style="width:30%; background:#99FF99" align="left" | Automated Web-based Malware Behavioral Analysis
'' Tyler Hudak''
|-
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="left" | Offensive Assessing Financial Applications
'' [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-daniel-cuthbert Daniel Cuthbert]''
| style="width:30%; background:#BCA57A" align="left" | WAF ModSecurity
''[http://www.thinkingstone.com/about/ivan-ristic.html Ivan Ristic]''
| style="width:30%; background:#99FF99" align="left" | OWASP & NYC
''[http://www.linkedin.com/in/davidstern2000 David Stern]''
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="left" | Logic Attacks and Inefficiencies of Robotic Detection
''[http://ha.ckers.org/blog/about Robert "RSnake" Hansen], CEO SecTheory''
| style="width:30%; background:#BCA57A" align="left" | Reverse Engineering .NET
''Adam Boulton''
| style="width:30%; background:#99FF99" align="left" | JBroFuzz 0.1 - 1.1: Building a Java Fuzzer for the Web
''[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Yiannis Pavlosoglou]''
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="left" |Industry Panel w/ Jennifer Bayuk CISO Bear Stearns, Mark Clancy EVP CitiGroup, Jim Routh CISO DTCC, Sunil Seshadri CISO NYSE-Euronet, Warren Axelrod SVP Bank of America, Joe Bernik Royal Bank of Scotland & Philip Venables CIRO, Goldman, Sachs
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Wild_Wild_Web_on_Security_Planet Wild Wild Web on Security Planet]
''[http://www.expresscertifications.com/company/execmgt.aspx Mano Paul] CEO Express Certifications''
| style="width:30%; background:#99FF99" align="left" |[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-GunterOllmann Multidisciplinary Bank Attacks]
''Gunter Ollmann''
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="left" | OWASP Enterprise Security API [http://www.owasp.org/index.php/ESAPI (ESAPI) Project]
'' [http://www.aspectsecurity.com/management.htm Jeff Williams] & Jim Manico''
| style="width:30%; background:#BCA57A" align="left" | Shootout @ Blackbox Corral
''Larry Suto ''
| style="width:30%; background:#99FF99" align="left" | 80% 10% 10%
'' [http://www.blogger.com/profile/07177656204885181542 Andy Steingruebl], Security @ PayPal''
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || style="width:30%; background:#BC857A" align="left" | Threading the Needle:

Bypassing web application/service security controls using Encoding, Transcoding, Filter Evasion, and other Canonicalization Attacks
'' [http://www.linkedin.com/in/arianevans Arian Evans]''
| style="width:30%; background:#BCA57A" align="left" |Shhhh Don’t Tell Anybody
''[http://www.linkedin.com/in/ppetkov Petko D. Petkov]''
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho W3AF Open Source App Scanner]
''Andres Riancho''
|-
| style="width:10%; background:#7B8ABD" | 18:00-18:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD]
'' [http://www.linkedin.com/in/packetfocus Joshua Perrymon]''
| style="width:30%; background:#BCA57A" align="left" | Coding Secure w/PHP
''[http://www.linkedin.com/in/zaunere Hans Zaunere]''
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/Payment_Card_Data_Security_and_the_new_Enterprise_Java Payment Card Data Security and the new Enterprise Java]
''Dr. B. V. Kumar & Mr. Abhay Bhargav''
|-
| style="width:10%; background:#7B8ABD" | 20:00-23:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP NYC AppSec 2008 VIP Party
''Location: TBD''
|-
! colspan="10" align="center" style="background:#4058A0; color:white" | Day 2 – Sept 25th, 2008
|-
| style="width:10%; background:#99FF99" | 08:00-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | BREAKFAST - Provided by event sponsors @ TechExpo

|-
| style="width:10%; background:#7B8ABD" | 08:00-08:45 || style="width:30%; background:#BC857A" align="left" | State of the Union
''[http://www.aeispeakers.com/speakerbio.php?SpeakerID=1192 Prof. Howard A. Schmidt, CISSP, CISM (Hon.)] Current (ISC)² Security Strategist and Former White House Cyber Security Advisor''
| style="width:30%; background:#BCA57A" align="left" | Best Practices Guide: Web Application Firewalls
''Dr. Georg Hess''
| style="width:30%; background:#99FF99" align="left" | TOPIC
''SPEAKER''

|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || style="width:30%; background:#BC857A" align="left" | Good vs. Evil JavaScript
''[http://jeremiahgrossman.blogspot.com Jeremiah Grossman]''
| style="width:30%; background:#BCA57A" align="left" | OWASP V2 Testing Guide 4.2.3 Spidering and Googling in depth
''[http://www.linkedin.com/in/ChristianHeinrich Christian Heinrich]''
| style="width:30%; background:#99FF99" align="left" | OWASP Web Services Top Ten
''[http://1raindrop.typepad.com Gunnar Peterson]''
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="left" | OWASP Update
''Dinis Cruz/Jeff Williams + Surprise Guest''
| style="width:30%; background:#BCA57A" align="left" | Help Wanted 7 Things You Need to Know APPSEC/INFOSEC Employment
''[http://www.linkedin.com/pub/0/29/685 Lee Kushner]''
| style="width:30%; background:#99FF99" align="left" | APPSEC Industry Analysts
''Speaker TBD''
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_CLASP_Project CLASP (Comprehensive, Lightweight Application Security Process)]
''Pravir Chandra''
| style="width:30%; background:#BCA57A" align="left" | Next Generation Cross Site Scripting Worms
''[http://i8jesus.com/?page_id=5 Arshan Dabirsiaghi]''
| style="width:30%; background:#99FF99" align="left" | Secure Software Impact
''[http://ouncelabs.com/company/team.asp Jack Danahy]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:45 || style="width:30%; background:#BC857A" align="left" | Security in Agile Development
''[http://www.owasp.org/index.php/User:Wichers Dave Wichers]''
| style="width:30%; background:#BCA57A" align="left" | Security of Software-as-a-Service (SaaS)
''[http://www.linkedin.com/pub/6/372/45a James Landis]''
| style="width:30%; background:#99FF99" align="left" | [http://reversebenchmarking.com/About.html Open Reverse Benchmarking Project]
''Marce Luck & [http://www.linkedin.com/pub/1/507/616 Tom Stracener]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Capture the Flag] Status
''LUNCH - Provided @ TechExpo''
|-
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="left" | Security Research Report
''[http://www.linkedin.com/pub/5/742/233 Dinis Cruz]''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project Pantera Advances]
''[http://www.linkedin.com/pub/1/598/855 Simon Roses Femerling]''
| style="width:30%; background:#99FF99" align="left" | Lotus Notes Insecurity
''Jian Hui Wang''
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="left" | Practical Advanced Threat Modeling
''John Steven''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Owasp Orizon]
''Paolo Perego''
| style="width:30%; background:#99FF99" align="left" | Building Usable Security
''Zed Abbadi''
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Input_validation:_the_Good%2C_the_Bad_and_the_Ugly Input validation: the Good, the Bad and the Ugly]
''Johan Peeters''
| style="width:30%; background:#BCA57A" align="left" | Off-shoring Application Development? Security is Still Your Problem
''Rohyt Belani''
| style="width:30%; background:#99FF99" align="left" | NIST SAMATE Static Analysis Tool Exposition (SATE)
''Vadim Okun''
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="left" | Vulnerabilities in application interpreters and runtimes
''Erik Cabetas''
| style="width:30%; background:#BCA57A" align="left" | Flash Parameter Injection (FPI)
''Ayal Yogev & Adi Sharabani''
| style="width:30%; background:#99FF99" align="left" | Cross-Site Scripting Filter Evasion
''Alexios Fakos''
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Wizdom of Crowds / CTF Awards & Raffles'''
|-
| style="width:10%; background:#7B8ABD" | 18:30-19:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Foundation, Chapter Leader Meeting
|}

<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]</center>

== Technology Pavilion - September 24th and 25th ==

Want to see the latest offerings from technology product and service firms, visit the Technology Pavilion. On September 24th and 25th. 2 full days of exhibits by service providers and manufacturers from around the world.

Do you want to preview the event space [http://www.flickr.com/photos/21550725@N04/sets/72157604662279903/detail Click Here]

<hr>

== [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008] ==
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T1. Defensive Programming - 2-Days - $1350
|-
| style="background:#F2F2F2" | This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. The instructor Pravir Chandra is well known security expert, project lead for OWASP CLASP project and former co-founder & CTO of secure software [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Jason Rouse, Sr. Consultant, [http://www.cigital.com/training/series http://www.owasp.org/images/b/be/Cigital_OWASP.GIF]'''
|-
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE - 2-Days - $1350
|-
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:
# Java EE security overview,
# All coding examples and recommendations are specifically focused on Java and Java servers, and
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.

[[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
'''
|-
! align="center" style="background:#4058A0; color:white" | T3. Web Services and XML Security - 2-Days - $1350
|-
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]
|-
! align="center" style="background:#4058A0; color:white" | T4. Advanced Web Application Security Testing - 2-Days - $1350
|-
| style="background:#F2F2F2" | Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
! align="center" style="background:#4058A0; color:white" | T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675
|-
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
! align="center" style="background:#4058A0; color:white" | T7. Encryption Programming Using SKSML - 2-Days - $1350
|-
| style="background:#F2F2F2" | Application developers are increasingly required to protect sensitive data through encryption. While there are many libraries that can assist with cryptography, there are few to none that focus on encryption key management.

This class will introduce you to an OASIS standards protocol - Symmetric Key Services Markup Language (SKSML) - and show you how it can be used to securely encrypt sensitive data and manage encryption keys across the enterprise. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Arshad Noor, CTO, StrongAuth Inc.''' [http://www.strongauth.com https://www.owasp.org/images/8/86/StrongAuth.jpg]
|-
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T8. Writing Secure Code ASP.NET - 2-Days - $1350
|-
| style="background:#F2F2F2" | Understand the key security features of the .NET platform, the common web security pitfalls developers make, and how to build secure and reliable web applications using ASP.NET. Students are lead through hands on code examples that highlight issues and prescribe solutions. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

The instructors are Foundstone's Technical Director, Rudolph Araujo and Foundstone's Professional Services Conlultant, Alex Smolen. [http://www.foundstone.com/us/education-overview.asp https://www.owasp.org/images/2/26/Foundstone.jpg]
|}
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center>

<h2> HOTELS / TRAVEL </h2>
[http://maps.google.com/maps?near=Pace+Plz,+New+York,+NY+10038+(Pace+University+New+York+Cmps)&geocode=15467452012610799558,40.711640,-74.005820&q=hotel&f=l&dq=Pace+University-New+York&ie=UTF8&z=15&om=0 Hotels in the area of the event]

New York City MTA: http://www.mta.nyc.ny.us/nyct/index.html

New York City Subway & walking directions: http://www.hopstop.com/?city=newyork

New York Sights & Sounds - SightsSounds

New York City Travel Guide - http://www.nytoday.com/

New York City Attractions - http://www.nycvisit.com

New York TV Show Tickets - Get free tickets to TV shows! - http://www.nytix.com/

New York City local news: http://www.ny1news.com

<h2>EVENT SPONSORSHIP </h2>The OWASP Conferences & Training security technologists including CSOs,admins, application admins, MIS directors, homeland defense chiefs. These important influencers drive buying decisions exclusive access to its audiences. OWASP has established strategic relationships with security—print publications, newsletters, portals, consultants,message—and leadership positioning OWASP events. OWASP’s mission is supported by organizations who share our application, and software security communities. This approach should be part of your mix.

[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Sponsorship Opportunities]- Register online: [http://guest.cvent.com/i.aspx?4W,M3,09e3b490-ba93-4474-851e-be803b1a01c2 click here]

OWASP NYC AppSec 2008 Conference

2008-05-21T08:22:56Z

Adish:

<center>[[Image:NYC08_468x60_72_newdates.gif]]</center>

= OWASP NYC AppSec 2008 - September 22th-25th 2008 =
Last Update: {{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}
In association with: [http://www.webappsec.org WASC], [http://www.nym-infragard.us NYM InfraGard], [http://aitglobal.com AITGlobal], [http://nyphp.org/index.php NYC PHP], [http://www.nycbug.org NYCBUG], [http://www.isacany.net ISACA], [http://www.issa.org ISSA] and [http://www.pace.edu Pace University] you're invited to (2) days of Seminars and Technology Pavilion from the world's best application security technology minds, (2) days of hardcore hands-on training, all held at [http://www.pace.edu/page.cfm?doc_id=16157 Pace University], located in downtown New York City at One Pace Plaza New York, NY 10038. Event Fees: $350 for 2 days of seminars, $675 for 1-day training classes and $1,350 for 2-day courses. [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif] - do you want to preview the event space [http://www.flickr.com/photos/21550725@N04/sets/72157604662279903/detail Click Here]
<hr>
[https://www.owasp.org/images/6/60/NY_Sponsorship.pdf Diamond Sponsor] - [http://www.imperva.com https://www.owasp.org/images/d/de/Imperva_2color_RGB.jpg] 
 
[https://www.owasp.org/images/6/60/NY_Sponsorship.pdf Platinum Sponsor] - [http://www.cenzic.com/ https://www.owasp.org/images/b/bf/CenzicLogo_RGB.gif] 
 
[https://www.owasp.org/images/6/60/NY_Sponsorship.pdf Gold & Silver Sponsors] -[http://www.accessitgroup.com/products/inspectit.php https://www.owasp.org/images/6/6d/Accessit.JPG] - [http://www.fortify.com https://www.owasp.org/images/a/ac/Fortify.jpg] - [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif] - [http://www.cigital.com/ https://www.owasp.org/images/b/be/Cigital_OWASP.GIF] - [http://www.ouncelabs.com/ https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg]
[http://www.proactiverisk.com https://www.owasp.org/images/9/97/Proactiverisk_logo.jpg]

 
<center>[https://www.owasp.org/images/9/98/NY_Sponsorship_Form.pdf Sponsorship Opportunities] -- [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-PRESS Press Registration] -- [http://www.owasp.org/index.php/Member_Offers Other OWASP Member Offers] </center>
<hr>

== OWASP NYC AppSec 2008 Conference Schedule – Sept 24th - Sept 25th ==
{| style="width:80%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white" | Day 1 – Sept 24th, 2008
|-
| style="width:10%; background:#7B8ABD" | || style="width:30%; background:#BC857A" | Track 1:
| style="width:30%; background:#BCA57A" | Track 2:
| style="width:30%; background:#7B8ABD" | Track 3:
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Registration Opens and Tech Expo'''
|-
| style="width:10%; background:#7B8ABD" | 09:15-10:15 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Introduction, OWASP Version 3.0 where we are.. where we are going
''OWASP Foundation Board Jeff Williams, Tom Brennan, Dinis Cruz, Sebastien Deleersnyder & Dave Wichers''
|-
| style="width:10%; background:#7B8ABD" | 10:30-11:30 || style="width:30%; background:#BC857A" align="left" | Logic Attacks and Inefficiencies of Robotic Detection
''Robert "RSnake" Hansen CEO [http://www.sectheory.com SecTheory]''
| style="width:30%; background:#BCA57A" align="left" | Offensive Assessing Financial Apps
''Daniel Cuthbert''
| style="width:30%; background:#7B8ABD" align="left" | Web Intrusion Detection with ModSecurity
''Ivan Ristic''
|-
| style="width:10%; background:#7B8ABD" | 11:30-12:30 || style="width:30%; background:#BC857A" align="left" | Reverse Engineering .NET
''Adam Boulton''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz] 0.1 - 1.1: [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Building a Java Fuzzer for the Web]
''[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Yiannis Pavlosoglou] - Senior Director - [http://www.ouncelabs.com Ounce Labs] ''
| style="width:30%; background:#7B8ABD" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP LIVE CD]
''Joshua Perrymon - CEO [http://www.packetfocus.com Packetfocus]''
|-
| style="width:10%; background:#7B8ABD" | 12:30-13:30 || style="width:30%; background:#BC857A" align="left" | Multidisciplinary Bank Attacks
''Gunter Ollmann, Director Security Strategy, [http://www.iss.net IBM Internet Security Systems]''
| style="width:30%; background:#BCA57A" align="left" | OWASP CLASP
''Pravir Chandra''
| style="width:30%; background:#7B8ABD" align="left" | Shootout at the Blackbox Corral
''Dinis Cruz & Larry Suto''
|-
| style="width:10%; background:#7B8ABD" | 13:30-14:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | Collective Intelligence - Jennifer Bayuk-CISO Bear Stearns, Mark Clancy EVP CitiGroup, Jim Routh CISO DTCC, Sunil Seshadri CISO NYSE-Euronet, Warren Axelrod SVP Bank of America, Joe Bernik Royal Bank of Scotland & Philip Venables CIRO, Goldman, Sachs
Moderator: Mahi Dontamsetti
|-
| style="width:10%; background:#7B8ABD" | 14:30-15:30 || style="width:30%; background:#BC857A" align="left" | [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho w3af, a framework to own the web] -
[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho ''Andres Riancho''], [http://www.cybsec.com/ Cybsec]

| style="width:30%; background:#BCA57A" align="left" | [[AppSecEU08_Trends_in_Web_Hacking_Incidents:_What's_hot_for_2008 | Trends in Web Hacking: What's hot in 2008 Analysis of the Web Hacking Incidents Database (WHID)]]
''[http://blog.shezaf.com Ofer Shezaf], Breach''
| style="width:30%; background:#7B8ABD" align="left" | Security in Agile Development
''Dave Wichers, COO [http://www.aspectsecurity.com Aspect Security]''
|-
| style="width:10%; background:#7B8ABD" | 15:30-16:30 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/ESAPI OWASP Enterprise Security API (ESAPI) Project]
''Jeff Williams, CEO [http://www.aspectsecurity.com Aspect Security]''
| style="width:30%; background:#BCA57A" align="left" | Next Generation Cross Site Scripting Worms
''Arshan Dabirsiaghi, Director of Research [http://www.aspectsecurity.com Aspect Security]''
| style="width:30%; background:#7B8ABD" align="left" | "Threading the Needle:
Bypassing web application/service security controls using Encoding, Transcoding, Filter Evasion, and other Canonicalization Attacks."
''Arian Evans, Director of Operations [http://www.whitehatsec.com WhiteHat Security]''
|-
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || style="width:30%; background:#BC857A" align="left" | Shhhh Don’t Tell Anybody
''Petko D. Petkov, a.k.a. pdp''
| style="width:30%; background:#BCA57A" align="left" | Secure PHP
''Hans Zaunere, CEO [http://www.nyphp.com NYCPHP]''
| style="width:30%; background:#7B8ABD" align="left" | Payment Card Data Security and the new Enterprise Java
''Dr. B. V. Kumar & Mr. Abhay ''
|-
| style="width:10%; background:#7B8ABD" | 17:30-18:30 || style="width:30%; background:#BC857A" align="left" | Notes Security
''Jian Hui Wang''
| style="width:30%; background:#BCA57A" align="left" | Mastering PCI Section 6.6
''Taylor McKinley and Jacob West''
| style="width:30%; background:#7B8ABD" align="left" | AppSec Techniques
''JD Glaser, CEO [http://www.ntobjectives.com/company/management.php NTO Objectives]''
|-
| style="width:10%; background:#7B8ABD" | 18:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Web Application Capture the Flag - [http://isis.poly.edu/projects Polytechnic University]'''
|-
| style="width:10%; background:#7B8ABD" | 20:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | ''' Speaker/Attendee Reception'''
|-
! colspan="4" align="center" style="background:#4058A0; color:white" | Day 2 – Sept 25th, 2008
|-
| style="width:10%; background:#7B8ABD" | 8:00-10:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | Breakfast @ Tech-Expo
|-
| style="width:10%; background:#7B8ABD" | 0900-10:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''"We have all the tools, policies, frameworks, documents, community support available what works... what does not?" ' Industry Panel: <TBD>, <TBD>, <TBD>, <TBD>, <TBD> Moderator: Daniel Cuthbert''
|-
| style="width:10%; background:#7B8ABD" | 10:00-11:00 || style="width:30%; background:#BC857A" align="left" | Practical Advanced Threat Modeling
''John Steven''
| style="width:30%; background:#BCA57A" align="left" | [http://reversebenchmarking.com Open Reverse Benchmarking Project]
''Marce Luck & Tom Stracener''
| style="width:30%; background:#7B8ABD" align="left" | Building Usable Security
''Zed Abbadi''
|-
| style="width:10%; background:#7B8ABD" | 11:00-12:00 || style="width:30%; background:#BC857A" align="left" | Offshoring Application Development? Security is Still Your Problem
''Rohyt Belani''
| style="width:30%; background:#BCA57A" align="left" | OWASP Orizon Project
''Paolo Perego''
| style="width:30%; background:#7B8ABD" align="left" | NIST SAMATE Static Analysis Tool Exposition (SATE)
''Vadim Okun''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || style="width:30%; background:#BC857A" align="left" | The Art and Nature of Web Application Security
''Mano Paul CEO [http://www.expresscertifications.com Express Certifications]''
| style="width:30%; background:#BCA57A" align="left" | Software Liability
''Jack Danahy''
| style="width:30%; background:#7B8ABD" align="left" | Cross-Site Scripting Filter Evasion
''Alexios Fakos''
|-
| style="width:10%; background:#7B8ABD" | 13:00-14:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Projects "Dinis Cruz & OWASP Project Leaders"
|-
| style="width:10%; background:#7B8ABD" | 14:00-15:00 || style="width:30%; background:#BC857A" align="left" | Projects with OWASP
''Steve Malson''
| style="width:30%; background:#BCA57A" align="left" | OWASP Pantera Advances
''Simon Roses Femerling''
| style="width:30%; background:#7B8ABD" align="left" | Software-as-a-Service (SaaS)
''James Landis''
|-
| style="width:10%; background:#7B8ABD" | 15:00-16:00 || style="width:30%; background:#BC857A" align="left" | "Out of Band" Injection
''Vijay Akasapu & Marshall Heilman''
| style="width:30%; background:#BCA57A" align="left" | OWASP V2 Testing Guide 4.2.3 Spidering and Googling in depth
''Christian Heinrich''
| style="width:30%; background:#7B8ABD" align="left" | Caution, Java ahead
''Jeremiah Grossman CTO [http://www.whitehatsec.com WhiteHat Security]''
|-
| style="width:10%; background:#7B8ABD" | 16:00-17:00 || style="width:30%; background:#BC857A" align="left" | [[Input validation: the Good, the Bad and the Ugly]]
''[[Johan Peeters]]''
| style="width:30%; background:#BCA57A" align="left" | Flash Parameter Injection (FPI)
''Ayal Yogev & Yuval Baror''
| style="width:30%; background:#7B8ABD" align="left" | Learning the .Net Debugging API
''Kevin Spett''
|-
| style="width:10%; background:#7B8ABD" | 17:00-18:00 || style="width:30%; background:#BC857A" align="left" | Secure System Development Life Cycle (SSDLC) Methodology for SOA
''Ken Huang''
| style="width:30%; background:#BCA57A" align="left" | Web Security Education using Open Source Tools
''Prof. Li-Chiou Chen & Chienitng Lin''
| style="width:30%; background:#7B8ABD" align="left" | Friend or Foe: Penetration Testing VS Source Code Analysis
''Tom Ryan''
|-
| style="width:10%; background:#7B8ABD" | 18:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Closing Remarks / CTF Awards / Raffles'''
|-
| style="width:10%; background:#7B8ABD" | 21:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Farewell dinner.. Go secure the world'''
|}

<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center>

== Technology Pavilion - September 24th and 25th ==

Want to see the latest offerings from technology product and service firms, visit the Technology Pavilion. On September 24th and 25th there will be 2 full days of exhibits by service providers and manufacturers from around the world.

<hr>

== [https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008] ==
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T1. Defensive Programming - 2-Days - $1350
|-
| style="background:#F2F2F2" | This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. The instructor Pravir Chandra is well known security expert, project lead for OWASP CLASP project and former co-founder & CTO of secure software [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Pravir Chandra, Project Lead OWASP [[:Category:OWASP_CLASP_Project | CLASP]] Project, Principal Consultant, [http://www.cigital.com https://www.owasp.org/images/b/be/Cigital_OWASP.GIF]'''
|-
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE - 2-Days - $1350
|-
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:
# Java EE security overview,
# All coding examples and recommendations are specifically focused on Java and Java servers, and
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.

[[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
'''
|-
! align="center" style="background:#4058A0; color:white" | T3. Web Services and XML Security - 2-Days - $1350
|-
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]
|-
! align="center" style="background:#4058A0; color:white" | T4. Advanced Web Application Security Testing - 2-Days - $1350
|-
| style="background:#F2F2F2" | Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
! align="center" style="background:#4058A0; color:white" | T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675
|-
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
! align="center" style="background:#4058A0; color:white" | T6. Application Security Forensics - 1-Day - Sep 23rd - $675
|-
| style="background:#F2F2F2" | Web application forensics and incident response, requires a solid understanding of web application, security issues – this 1 day class will provide you with a crashcourse on chain of custody and issues related to dealing with a breach
|-
! align="center" style="background:#4058A0; color:white" | T7. Encryption Programming Using SKSML - 2-Days - $1350
|-
| style="background:#F2F2F2" | Application developers are increasingly required to protect sensitive data through encryption. While there are many libraries that can assist with cryptography, there are few to none that focus on encryption key management.

This class will introduce you to an OASIS standards protocol - Symmetric Key Services Markup Language (SKSML) - and show you how it can be used to securely encrypt sensitive data and manage encryption keys across the enterprise. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Arshad Noor, CTO, StrongAuth Inc.''' [http://www.strongauth.com https://www.owasp.org/images/8/86/StrongAuth.jpg]
|}
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center>

<h2> HOTELS / TRAVEL </h2>
[http://maps.google.com/maps?near=Pace+Plz,+New+York,+NY+10038+(Pace+University+New+York+Cmps)&geocode=15467452012610799558,40.711640,-74.005820&q=hotel&f=l&dq=Pace+University-New+York&ie=UTF8&z=15&om=0 Hotel's in the area of the event]

New York City MTA: http://www.mta.nyc.ny.us/nyct/index.html

New York City Subway & walking directions: http://www.hopstop.com/?city=newyork

New York Sights & Sounds - SightsSounds

New York City Travel Guide - http://www.nytoday.com/

New York City Attractions - http://www.nycvisit.com

New York TV Show Tickets - Get free tickets to TV shows! - http://www.nytix.com/

New York City local news: http://www.ny1news.com

<h2>EVENT SPONSORSHIP </h2>The OWASP Conferences & Training security technologists including CSOs,admins, application admins, MIS directors, homeland defense chiefs. These important influencers drive buying decisions exclusive access to its audiences. OWASP has established strategic relationships with security—print publications, newsletters, portals, consultants,message—and leadership positioning OWASP events. OWASP’s mission is supported by organizations who share our application, and software security communities. This approach should be part of your mix.

[https://www.owasp.org/images/9/98/NY_Sponsorship_Form.pdf Sponsorship Opportunities]- Register online: [http://guest.cvent.com/i.aspx?4W,M3,09e3b490-ba93-4474-851e-be803b1a01c2 click here]

Israel

2007-05-08T11:47:46Z

Adish:

{{Chapter Template|chaptername=Israel|extra=The chapter leader is [mailto:ofers@breach.com Ofer Shezaf]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-israel|emailarchives=http://lists.owasp.org/pipermail/owasp-israel}}

== 2nd OWASP IL mini conference at IDC, May 21th 2007 ==

Following the big success of the 1st one, we are glad to announce the 2nd OWASP IL mini conference at Interdisciplinary Center Herzliya (IDC). The mini conference is a non-commercial event focusing on web application security. As you can see in the program below, we have carefully selected the presentations and we hope they are all relevant, informative and most importantly, none commercial. Never the less, we are happy to say that we were able to get very distinguish companies to sponsor the event and make sure that the refreshments would be great.

The meeting will be held on Monday, May 21st, Starting at 13:30 at IDC Herzliya campus. Participation is free and open to all, but please inform us (e-mail to ofers@breach.com) that you are coming as space is limited. Feel free to spread the word about this meeting to anyone you feel would be interested. You can also register to get the [http://lists.owasp.org/mailman/listinfo/owasp-israel OWASP Israel mailing list] and receive updates regarding chapter's meetings. For further details please contact us.

Dr. Anat Bremler-Barr 
Program Academic Director, Information Security Program 
Efi Arazi School of Computer Science, IDC Herzliya

Ofer Shezaf 
CTO, Breach Security 
Chapter Leader, OWASP Israel

The meeting is sponsored by Breach Security, Checkpoint, Hacktics, Applicure Technologies, Microsoft, Zend and the Interdisciplinary Center Herzliya (IDC).

[[Image:Breach_logo.gif]]    [[Image:Applicure_logo.JPG|160px]]   [[Image:OWASP_IL_Sponsor_Hacktics.jpg|160px]][[Image:OWASP_IL_Sponsor_Zend.jpg|110px]][[Image:OWASP_IL_Sponsor_Checkpoint.gif]][[Image:OWASP_IL_Sponsor_Microsoft.gif]]

The agenda of the meeting is:

'''Gathering and Refreshments''' 
13:30 - 14:00

<big>'''Updates from OWASP Europe, Milan'''</big> 
'''Ofer Shezaf, OWASP IL chapter leader, CTO, [http://www.breach.com/ Breach Security]''' 
14:00 - 14:15

Since the conference is just a few days after OWASP Europe 2007 in Milan, and since most of you would not have a chance to be there, I will try to convey the content and spirit of this unique conference to you.

In addition you will hear Yair Amit, who will repeat the presentation he is going to make in OWASP Europe, and Erez Metula will build his lecture on OWASP chief evangelist's presentation about .NET. For my presentation in OWASP Europe, you had to come to the previous OWASP IL Mini Conference.

<big>'''Pen-Testing at Microsoft: FuzzGuru fuzzing framework'''</big> 
'''John Neystadt, Lead Program Manager, Microsoft Forefront Edge, Microsoft''' 
14:15 - 15:00

Fuzzing is the main systematic methodology used these days by hackers to find vulnerabilities in web and other applications. Fuzzing can find buffer overrun, denial-of-service and information disclosure vulnerabilities. It should be done for C++, C#/Java, ASP/JP code.

FuzzGuru is a generic network fuzzing development framework developed in Microsoft Israel Development Center and is formally recommended best practice for all products developed in Microsoft.

In this talk John will present some fuzzing testing theory, demonstrate the tools and discuss Microsoft fuzzing practices.

<big>'''Unregister Attacks in SIP'''</big> 
'''Ronit Halachmi-Bekel, IDC''' 
15:00 - 15:40

The presentation discusses a research work done at the IDS about the "unregister attack", a new kind of a denial of service attack on SIP servers. In this attack, the attacker sends a spoofed "unregister" message to a SIP server and cancels the registration of the victim at that server. This prevents the victim user from receiving any calls.

The research also offers a solution: the SIP One-Way Hash Function Algorithm (SOHA), motivated by the one-time password mechanism. SOHA prevents the unregister attack in all situations. The algorithm is easy to deploy since it requires only a minor modification and is fully backwards compatible and requires no additional configuration from the user or the server.

The paper is a joint work with Dr. Anat Bremler-Barr and Jussi Kangasharju. The paper was presented at the 14th IEEE International Conference on Network Protocols (ICNP).

'''Break''' 
15:40 - 16:00

<big>'''Application Denial of Service; is it Really That Easy?'''</big> 
'''Shay Chen, Hacktics''' 
16:00 - 16:40

Denial of service attacks, which are quite a nuisance on the network layer, are a nightmare when done on the application layer, but are equally underrated.

On our last conference, Dr. Anat Bremler-Bar discussed some of the theoretical aspects of application layer denial of service attacks. Shay Chen will expand and explore the practicalities of application layer denial of service. He will show real world techniques, real life stories and personal experiences conducting DOS attacks during penetration testing on major Israeli sites.

<big>'''Behavioral Analysis for Generating A Positive Security Model For Applications'''</big> 
'''Ofer Shezaf, OWASP IL chapter leader, CTO, Breach Security''' 
16:40 - 17:10

In the last OWASP IL conference, as well as in OWASP Europe in Milan, I explored the potential of a negative security model for securing applications. While a negative security model can provide some level of security, most agree that a positive security model is preferable for protection application.

However, building a rule set to provide positive security is a difficult and never ending project. Modern tools employ behavioral analysis to build automatically those rules. The presentation will discuss the algorithms and methods used to build automatically an application layer positive security rule set as well as the problems and limitation of such as approach.

<big>'''Overtaking Google Desktop - Leveraging XSS to Raise Havoc'''</big> 
'''Yair Amit, Senior Security Researcher, Watchfire''' 
17:10 - 17:50

Yair will present a ground breaking research paper by Watchfire application security team. The paper describes an innovative attack methodology against Google Desktop which enables a malicious individual to achieve a remote, persistent access to sensitive data, and potentially a full system control.

This represents a significant real world example of a new generation of computer attacks which take advantage of Web application vulnerabilities utilizing the increasing power of the Web browser. Their purpose is to remotely access private information.

This presentation would be presented by Yair the week before at OWASP Europe in Milan.

'''Break''' 
17:50 - 18:00

<big>'''Application Security is Not Just About Development'''</big> 
'''David Lewis, CISM, CISA, CISSP, Rosenblum Holtzman''' 
18:00 - 18:20

What many developers forget about is that the application even though it is a very important part of securing the "Gold", data, there are other risks that require their attention. These risks require their understanding and preventative measures need to be implemented, managed and validated to limit the exposure to themselves and their organizations. E.g. Developers do not see the need for securing their code.

One of the things I will provide you during my presentation is why you should secure your code. It is one of the ways you will keep your job.

<big>'''.NET reverse engineering'''</big> 
'''Erez Metula, Application Security Department Manager, 2Bsecure''' 
18:20 - 19:20

The presentation will introduce MSIL (Microsoft Intermediate Language) and debugging MSIL. Based on this foundation the presentation will explore and demonstrate tools and techniques for changing the behavior of .NET assemblies and the CLR using reversing engineering techniques.

== 6th OWASP IL meeting, January 24th 2007 ==

The 6th OWASP IL meeting was held on January 24th 2007, at 17:15, at Breach Security offices in Herzelya and was sponsored by [[www.breach.com|Breach Security]]. The meeting was very successful, with nearly 50 people attending the meeting.

The agenda of the meeting was:

<big>'''[[media:OWASP_IL_Source_Code_Analysis_and_Application_Security.pdf|Source Code Analysis and Application Security - Cheating the Maze]]'''</big>

'''Maty Siman, Founder & CTO, [http://www.checkmarx.com/ Checkmarx]'''

During the last few years automatically analyzing source code in order to find security vulnerabilities became a popular method in the field of Application Security. The presentation will discuss the theory and research of static code analysis, the application of static code analysis for security, comparing this method to other application security defense technologies and will demonstrate the use of static code analysis for application security.

<big>'''[[media:OWASP_IL_WCF_Security.pdf|Security Implications of .Net 3.0 and the Windows Communication Foundation (WCF)]]'''</big>

'''Emmanuel Cohen-Yashar (Manu), Senior .NET technology consultant, [http://www.sela.co.il Sela Group]'''

Windows Communication Foundation (WCF) is the new Microsoft communication framework bundled as part of of .NET Framework 3.0, the new .NET Windows API succeeding Win32 with the release of Windows Vista. WCF programming model unifies Web Services, .NET Remoting, Distributed Transactions, and Message Queues into a single Service-oriented programming model for distributed computing. The presentation will describe the tenets of SOA – Service Oriented Architecture, introduce WCF and discuss the security implications of this broad new communication paradigm.

<big>'''[[media:OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf|Analysis of the Universal XSS PDF vulnerability - Cause, Solutions and Fun Stuff]]'''</big>

'''Ofer Shezaf, CTO, [http://www.breach.com Breach Security], Leader of [http://www.modsecurity.org/projects/rules/index.html ModSecurity Core Rule Set] open source project '''

Recently a new vulnerability was discovered in commonly used versions of Adobe Acrobat software. Unlike common XSS attacks that require a specific vulnerability in the attacked web site, in this case the vulnerability in Acrobat is sufficient and no fault is required in the attacked web site, and any site that serves PDF files is vulnerable. Therefore it is called "universal XSS" vulnerability.

The presentation will describe the vulnerability, the theoretical and practical solutions for the vulnerability as well as some very funny stories about the dynamics of such a high profile vulnerability, or in other words, what happens when you try to get a car mechanic to fix an application security vulnerability.

== OWASP IL mini conference at IDC, November 13th 2006 ==

OWASP IL and the Interdisciplinary Center Herzliya (IDC) held a half day conference on application security on Nov 13th 2006. The event marked the establishment of a new academic program on information security in the net era at IDC's Efi Arazi School of Computer Science. More than 90! people attended the conference, enjoyed professional catering and heard no less than 7 presentations.

The meeting was sponsored by [[www.breach.com|Breach Security]] and [[www.applicure.com|Applicure Technologies]].

[[Image:Breach_logo.gif]]   [[Image:Applicure_logo.JPG|180px]]

Use the links in the event program to access the presentations themselves:

'''14:30 – 15:00 Gathering and refreshments (hopefully more elaborate than Pizza this time!)''' [[Image:OWASP_IL_IDC.jpg|right]]

'''15:00 – 15:10 Introducing the new information security program at the net era at the Efi Arazi School of Computer Science, IDC Herzliya'''

Dr. Anat Bremler-Barr, Program Academic Director.

<big>'''15:10 – 15:40 Sophisticated Denial of Service attacks'''</big>

Dr. Anat Bremler-Barr, Efi Arazi School of Computer Science, IDC Herzliya

In Denial of Service attack, the attackers consume the resources of the victim, a server or a network, causing degradation in performance or even total failure of the victim. The basic DDoS attack is a simple brute force flooding, where the attacker sends as much traffic as he can to consume the network resources. In contrast, the sophisticated DDoS attack aims to hurt the weakest point in the victim's applications by sending specific traffic type that burdens the application the most. In this talk we will cover recent works that show that several common mechanisms are vulnerable to sophisticated DDoS attacks. For example, Crosby and Wallach showed that using bandwidth of less than a typical dialup modem can bring a dedicated Bro server to its knees. We will discuss some basic guidelines of how to design applications to be resilient to sophisticated attacks.

<big>'''15:40 – 16:00 [[Media:Enterprise_portals_security.pdf|Malicious content in enterprise portals]]'''</big>

Shalom Carmel, A security icon, the world's authority on hacking AS/400 and a BlackHat 2006 speaker

In 2005, enterprise portals rank in the top 10 of CIO technology focus areas in many surveys. The main drivers of the portal business growth are the horizontal portal suites, which provide content management capabilities, application integration tools, and specific solutions for collaboration and knowledge management. This lecture will address the security problems an enterprise may have due to the various content management abilities in a typical Portal implementation, and will focus on cross site scripting attacks.

<big>'''16:00 – 16:30 Information Warfare against commercial companies – lessons from dealing with hostile internet entities'''</big>

Ariel Pisetsky, CISO and Infrastructure Manager, NetVision

During the recent war in the north, many information security events where detected in private and government organization. These events, usually no more than web site defacement, provide an opportunity to examine a large scale hostile activity against web sites affiliated with Israel. Commercial companies with no direct relation to the war found themselves under a direct attack or indirectly affected due to attacks on ISPs and the Internet Infrastructure in Israel.

In the presentation we will discuss what happened during this summer of war, whether it can be classified as information warfare and what are the lessons that can be learnt going forward

'''16:30 – 16:45 Break, coffee, tea & fruits'''

<big>'''16:45 – 17:15 [[Media:Secure_coding.pdf|Real vs. Virtual Patching]]'''</big>

Ravid Lazinski, Technical Manager, Applicure Technologies

The penetration team has found a bug. What's next? In order to prevent exploitation, the application has to be patched.

The presentation will discuss the advantage and disadvantages of the two available solutions: patching the application or using an external patching solution in a process called "virtual patching".

<big>'''17:15 – 17:45 [[Media:The_Core_Rule_Set.pdf|"The Core Rule Set": Generic detection of application layer attacks]]'''</big>

Ofer Shezaf, CTO, Breach Security, OWASP IL chapter Leader, Director, the Web Application Security Consortium

Web Applications are unique, each one having its own vulnerabilities and therefore a positive security model is usually considered the optimal way to protect them. The [http://www.modsecurity.org ModSecurity] open source project has recently released a "core rule set", essentially a set of super signatures that try to provide significant security to custom application without the effort of defining a positive security model.

The lecture will discuss generic application security signatures and rules, how they differ from network centric signatures and their strengths and limitations when dealing with the OWASP top 10 attacks.

'''17:50 – 18:00 Break'''

<big>'''18:00 – 18:30 [[Media:OWASP_10_Most_Common_Backdoors.pdf|The OWASP Top Ten Backdoors]]'''</big>

Yaniv Simsolo, Application Security Consultant, Comsec Consulting

Just as the OWASP Top Ten outlines the top ten mistakes that developers make in applications, the top ten backdoors discuss the features developed on purpose, that do just the same: leave the application vulnerable. Backdoors are more common than developers and system professionals think. Hackers and malicious users can exploit backdoors easily, without leaving any special traces in the system. An SQL interface to an application, providing a lot of flexibility but little security is a good example of such a backdoor.

The presentation will discuss common backdoors found in web applications and how they relate to the OWASP top 10.

<big>'''18:30 – 19:15 [[Media:Hacking_The_FrameWork.ppt|Hacking The Framework]]'''</big>

Nimrod Luria, Head Of Consulting Services, 2Bsecure

Modern development environment such as .Net and J2EE promise enhanced security by relying on the framework services rather than good coding. The presentation will demonstrate using real hacking demos the weak points in such frameworks using .Net as an example.

== 4th OWASP IL meeting, July 26th 2006 ==

The 4th OWASP IL meeting was held on July 26th 2006 at [http://www.breach.com Breach Security] offices with the following presentations:

<big>'''[[Media:OWASP_IL_0706_Comsec_ShayZ_Crypto_1_0_2.pdf|Exposing cryptography for software developers]]'''</big>

'''Shai Zalalichin, Head of AppSec group, [http://www.comsec.co.il Comsec]'''

Encryption is a very important tool in the application security tool chest, but is also a very complex technology. The presentation will explore common pitfalls & countermeasures that every developer should follow when writing crypto-aware applications.

The presentation was originally given at OWASP Europe conference in May.

<big>'''[[Media:OWASP_IL_Preventing_spoofing_phishing_and_spam.pdf|Preventing Spoofing, Phishing and Spamming by Secure Usability and Cryptography]]'''</big>

'''[http://www.cs.biu.ac.il/~herzbea/ Prof. Amir Herzberg], dept. of computer science, Bar-Ilan University, Israel'''

Spoofing, Phishing and spamming are of the worst security problems in the Internet. Amir will present vulnerabilities in the current email and web systems, causing the proliferation of such attacks. Amir will then discuss some recent proposals made by him as well as others to improve security against these threats. Some solutions involve secure usability,
some use (simple) cryptographic protocols, while others involve both areas.