OWASP - User contributions [en]

Minneapolis St Paul

2009-08-04T15:21:18Z

Afongen: /* Minneapolis - Saint Paul OWASP Board Members */

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== Platinum Sponsors ==

[http://www.bestbuy.com http://www.owasp.org/images/6/67/Best_Buy_logo.jpg]

The OWASP MSP chapter is very thankful for generous support from platinum sponsor '''[http://www.bestbuy.com/ Best Buy]'''.

== OWASP Minneapolis-St. Paul 2009 Half Day Conference - August 24, 2009 ==

The OWASP Minneapolis-St. Paul (MSP) chapter is pleased to announce '''[[OWASP Minneapolis St Paul 2009_Conference | an afternoon of information security presentations on August 24, 2009]]''' at the [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center] [http://www.spsc.umn.edu/about/directory/lower.php Auditorium/Theater] on the [http://www1.umn.edu/twincities/index.php University of Minnesota - Twin Cities] campus.

'''[[OWASP Minneapolis St Paul 2009_Conference | Go the the event page to learn more and register today!]]'''

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
Thanks to all who joined us on October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. Our first conference was a great success, with around 150 people attending! We look forward to the next one.

== Upcoming Meetings ==

=== OWASP Minneapolis-St. Paul 2009 Half Day Conference ===

'''The OWASP Minneapolis-St.Paul 2009 half day conference is scheduled for August 24, 2009. See above for more details.'''

=== Thank You ===
A big thanks goes to [http://strategicit.org/center/ Center for Strategic Information Technology and Security] for sponsoring our regular monthly meeting location.

We are currently looking for a meeting sponsor for refreshments and book give-aways for the monthly meetings.

== Upcoming Events ==

=== OWASP Minneapolis-St. Paul 2009 Half Day Conference ===

'''The OWASP Minneapolis-St.Paul 2009 half day conference is scheduled for August 24, 2009. See above for more details.'''

=== Secure360 ===
[http://www.secure360.org/ Secure360] is an annual
conference providing high quality educational sessions and networking
opportunities while working to identify developing trends in risk
management, physical security, governance, audit, information security,
contingency planning and human capital.

=== DC612 meetings ===
DC612 meets the 2nd Thursday of the month 
http://www.dc612.org/

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

=== Most recent videos: ===

Cassio Goldschmidt - Tracking the Progress of an SDL Program: Lessons from the Gym - OWASP (MSP) - 29 June 2009 (55 minutes) [http://www.slideshare.net/webappsecguy/tracking-the-progress-of-an-sdl-program-lessons-from-the-gym-1684512 Slidecast] | [http://www.comotheory.com/owasp/20090629-Cassio_Goldschmidt-Tracking_the_Progress_of_an_SDL_Program_-_Lessons_from_the_Gym.mp3 MP3] | [http://www.owasp.org/images/0/0e/20090629-Cassio_Goldschmidt-Tracking_the_Progress_of_an_SDL_Program_-_Lessons_from_the_Gym.pptx PPTX] | [http://www.comotheory.com/owasp/20090629-Cassio_Goldschmidt-Tracking_the_Progress_of_an_SDL_Program_-_Lessons_from_the_Gym.mp4 MP4...please right click and save]

Gunnar Peterson - OWASP Top Ten Web Services - OWASP (MSP) - 27 April 2009 (1 hour, 27 minutes) [http://www.comotheory.com/owasp/20090427-Gunnar_Peterson_-_OWASP_Top_Ten_Web_Services.mp4 MP4...please right click and save] | Slides Forthcoming

Dan Cornell - Vulnerability Management in an Application Security World - OWASP (MSP) - 16 March 2009 (1 hour, 52 minutes) [http://video.google.com/videoplay?docid=3200887090385342211&hl=en Google Video] | [http://www.owasp.org/images/1/16/VulnerabilityManagementInAnApplicaitonSecurityWorld_OWASPMSP_20090316.pdf PDF]

Rick Ensenbach - Proactive Lifecycle Security Management - OWASP (MSP) - 16 February 2009 (69 minutes) [http://video.google.com/videoplay?docid=2838721966098123222&hl=en Part 1 Google Video] | [http://video.google.com/videoplay?docid=1766766374336659744&hl=en Part 2 Google Video] | [https://www.owasp.org/images/f/f8/Proactive_Lifecycle_Security_Management_Presentation_for_OWASP_Mpls-Stp_Chapter_Meeting_-_2-16-09.ppt PPT] | [https://www.owasp.org/images/9/9c/Generic_System_Security_Plan.doc Handout: Service/System Security Plan template (DOC)]

== Minneapolis - Saint Paul OWASP Board Members ==
President: [mailto:kuai.hinojosa(at)gmail.com Kuai Hinojosa] 
Vice President: [mailto:lorna.alamri(at)owasp.org Lorna Alamri]

[[Category:Minnesota]]

Minneapolis St Paul

2009-06-04T20:44:35Z

Afongen: /* Bruce Schneier - Special OWASP Chapter Meeting August 24th */

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

=== Upcoming Meetings ===
<h3>June 29th OWASP Meeting – Cassio Goldschmidt 
Tracking the progress of an SDL program: lessons from the gym</h3>

Monday, June 29th, 2009, 6:00 p.m.

Forcing muscle growth is a long process which requires high intensity weight training and high mental concentration. While the ultimate goal is often clear, one of the greatest mistakes bodybuilders consistently make is to overlook the importance of tracking their weight lifting progress.

Like a successful bodybuilding workout, a security development lifecycle program must consistently log simple to obtain, yet meaningful metrics throughout the entire process. Good metrics must lack subjectivity and clearly aid decision makers to determine areas that need improvement. In this presentation we’ll discuss metrics used to classify and appropriately compare security vulnerabilities found in different phases of the SDL by different teams working in different locations and in different products. We’ll also discuss how to easily provide decision makers different views of the same data and verify whether the process is indeed catching critical vulnerabilities internally.

=== Speaker Bio ===
Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling and penetration testing. Cassio’s background includes over 12 years of technical and managerial experience in the software industry. During the six years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests.

Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a masters degree in software engineering from Santa Clara University, and a masters of business administration from the University of Southern California.

=== Where/When ===
Date: Monday, June 29th, 2009 
Time: 6:00 p.m. 

UAW-Ford-MnSCU Training Center 
966 South Mississippi River Boulevard 
Saint Paul, Minnesota 55116

=== Agenda ===
5:30 pm – Room opens for Networking 
6:00pm - Welcome: OWASP chapter updates, Conference Announcement! 
6:30pm – Cassio Goldschmidt – Tracking the progress of an SDL program: lessons from the gym 
8:00 pm - Upcoming Events reminder and meeting wrap-up

Email lalamri@go-integral.com if you plan to attend so we can order enough refreshments.

===Thank You===
[http://strategicit.org/center/ Center for Strategic Information Technology and Security] for sponsoring our meeting location.

We currently are looking for a meeting sponsor for refreshments for the meeting and for the book give-away.

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
Thanks to all who joined us on October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. Our first conference was a great success, with around 150 people attending! We look forward to the next one.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

=== Most recent videos: ===

[http://www.comotheory.com/owasp/20090427-Gunnar_Peterson_-_OWASP_Top_Ten_Web_Services.mp4 Gunnar Peterson - OWASP Top Ten Web Services - OWASP (MSP) - 27 April 2009 (1 hour, 27 minutes) (MP4, 220 MB...please right click and save)] | Slides Forthcoming

[http://video.google.com/videoplay?docid=3200887090385342211&hl=en Dan Cornell - Vulnerability Management in an Application Security World - OWASP (MSP) - 16 March 2009 (1 hour, 52 minutes)] | [http://www.owasp.org/images/1/16/VulnerabilityManagementInAnApplicaitonSecurityWorld_OWASPMSP_20090316.pdf Slides (PDF)]

Rick Ensenbach - Proactive Lifecycle Security Management - OWASP (MSP) - 16 February 2009 ([http://video.google.com/videoplay?docid=2838721966098123222&hl=en Part 1] of 2 - 35 minutes) ([http://video.google.com/videoplay?docid=1766766374336659744&hl=en Part 2] of 2 - 34 minutes) | [https://www.owasp.org/images/f/f8/Proactive_Lifecycle_Security_Management_Presentation_for_OWASP_Mpls-Stp_Chapter_Meeting_-_2-16-09.ppt Slides (PPT)] | [https://www.owasp.org/images/9/9c/Generic_System_Security_Plan.doc Handout: Service/System Security Plan template (DOC)]

== Upcoming Events ==
=== Bruce Schneier - Special OWASP Chapter Meeting August 24th ===
Please join us to Welcome Bruce Schneier at the University of Minnesota's Bell Museum Auditorium August 24th

=== Secure360 ===
[http://www.secure360.org/ Secure360] is an annual
conference providing high quality educational sessions and networking
opportunities while working to identify developing trends in risk
management, physical security, governance, audit, information security,
contingency planning and human capital.

=== DC612 meetings ===
DC612 meets the 2nd Thursday of the month 
http://www.dc612.org/

== Minneapolis - Saint Paul OWASP Board Members ==
President: [mailto:kuai.hinojosa(at)gmail.com Kuai Hinojosa] 
Vice President: [mailto:lorna.alamri(at)owasp.org Lorna Alamri] 
Secretary: [mailto:sam.buchanan@gmail.com Sam Buchanan]

[[Category:Minnesota]]

Minneapolis St Paul

2009-06-04T20:26:20Z

Afongen: /* Where/When */

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

=== Upcoming Meetings ===
<h3>June 29th OWASP Meeting – Cassio Goldschmidt 
Tracking the progress of an SDL program: lessons from the gym</h3>

Monday, June 29th, 2009, 6:00 p.m.

Forcing muscle growth is a long process which requires high intensity weight training and high mental concentration. While the ultimate goal is often clear, one of the greatest mistakes bodybuilders consistently make is to overlook the importance of tracking their weight lifting progress.

Like a successful bodybuilding workout, a security development lifecycle program must consistently log simple to obtain, yet meaningful metrics throughout the entire process. Good metrics must lack subjectivity and clearly aid decision makers to determine areas that need improvement. In this presentation we’ll discuss metrics used to classify and appropriately compare security vulnerabilities found in different phases of the SDL by different teams working in different locations and in different products. We’ll also discuss how to easily provide decision makers different views of the same data and verify whether the process is indeed catching critical vulnerabilities internally.

=== Speaker Bio ===
Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling and penetration testing. Cassio’s background includes over 12 years of technical and managerial experience in the software industry. During the six years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests.

Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a masters degree in software engineering from Santa Clara University, and a masters of business administration from the University of Southern California.

=== Where/When ===
Date: Monday, June 29th, 2009 
Time: 6:00 p.m. 

UAW-Ford-MnSCU Training Center 
966 South Mississippi River Boulevard 
Saint Paul, Minnesota 55116

=== Agenda ===
5:30 pm – Room opens for Networking 
6:00pm - Welcome: OWASP chapter updates, Conference Announcement! 
6:30pm – Cassio Goldschmidt – Tracking the progress of an SDL program: lessons from the gym 
8:00 pm - Upcoming Events reminder and meeting wrap-up

Email lalamri@go-integral.com if you plan to attend so we can order enough refreshments.

===Thank You===
[http://strategicit.org/center/ Center for Strategic Information Technology and Security] for sponsoring our meeting location.

We currently are looking for a meeting sponsor for refreshments for the meeting and for the book give-away.

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
Thanks to all who joined us on October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. Our first conference was a great success, with around 150 people attending! We look forward to the next one.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

=== Most recent videos: ===

[http://www.comotheory.com/owasp/20090427-Gunnar_Peterson_-_OWASP_Top_Ten_Web_Services.mp4 Gunnar Peterson - OWASP Top Ten Web Services - OWASP (MSP) - 27 April 2009 (1 hour, 27 minutes) (MP4, 220 MB...please right click and save)] | Slides Forthcoming

[http://video.google.com/videoplay?docid=3200887090385342211&hl=en Dan Cornell - Vulnerability Management in an Application Security World - OWASP (MSP) - 16 March 2009 (1 hour, 52 minutes)] | [http://www.owasp.org/images/1/16/VulnerabilityManagementInAnApplicaitonSecurityWorld_OWASPMSP_20090316.pdf Slides (PDF)]

Rick Ensenbach - Proactive Lifecycle Security Management - OWASP (MSP) - 16 February 2009 ([http://video.google.com/videoplay?docid=2838721966098123222&hl=en Part 1] of 2 - 35 minutes) ([http://video.google.com/videoplay?docid=1766766374336659744&hl=en Part 2] of 2 - 34 minutes) | [https://www.owasp.org/images/f/f8/Proactive_Lifecycle_Security_Management_Presentation_for_OWASP_Mpls-Stp_Chapter_Meeting_-_2-16-09.ppt Slides (PPT)] | [https://www.owasp.org/images/9/9c/Generic_System_Security_Plan.doc Handout: Service/System Security Plan template (DOC)]

== Upcoming Events ==
=== Bruce Schneier - Special OWASP Chapter Meeting August 24th ===
Please join us to Welcome Bruce Schneier at the University Of Minnesota's Bell Museum Auditorium August 24th

=== Secure360 ===
[http://www.secure360.org/ Secure360] is an annual
conference providing high quality educational sessions and networking
opportunities while working to identify developing trends in risk
management, physical security, governance, audit, information security,
contingency planning and human capital.

=== DC612 meetings ===
DC612 meets the 2nd Thursday of the month 
http://www.dc612.org/

== Minneapolis - Saint Paul OWASP Board Members ==
President: [mailto:kuai.hinojosa(at)gmail.com Kuai Hinojosa] 
Vice President: [mailto:lorna.alamri(at)owasp.org Lorna Alamri] 
Secretary: [mailto:sam.buchanan@gmail.com Sam Buchanan]

[[Category:Minnesota]]

Minneapolis St Paul

2009-04-18T20:49:12Z

Afongen: /* Upcoming Meetings */

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== Upcoming Meetings ==
<h3>April OWASP Meeting – Gunnar Peterson 
OWASP Top Ten Web Services</h3>

Monday, April 27, 2009, 6:00 p.m.

What do Web apps, Web 2.0, Cloud Computing, SOA, and Rest all have in common? They all use Web services for functionality, data access and integration. Unfortunately, by default Web services also lack a security model. The OWASP Top Ten Web Services goes into the technical details of the vulnerabilities, remediations, and examples of common

Web services security issues like authentication and authorization flaws, how sensitive data is disclosed, and why security standards like WS-Security and SAML can be your best friend or your worst nightmare.

=== Speaker Bio ===
Gunnar Peterson Managing Principal Arctec Group, a Twin Cities based consulting and training firm. He is also Visiting Scientist at Carnegie Mellon University Software Engineering Institute, editor for IEEE Security & Privacy Journal "Build Security In," and lead on OWASP Top Ten Web Services. He maintains a popular information security blog at http://1raindrop.typepad.com

=== Where/When ===
Date: Monday, April 27, 2009 
Time: 6:00 p.m. 

Location: L3000 - third Floor of the Library Building, Wheelock Whitney Hall, Minneapolis Community and Technical College (Room and building change from last meeting.)

Address: 1501 Hennepin Avenue, Minneapolis, MN 55403 

Directions: http://www.minneapolis.edu/campusmaps/index.cfm or http://www.minneapolis.edu/directions.cfm

=== Agenda ===
5:30 pm – Room opens for Networking 
6:00pm - Welcome: OWASP chapter updates, Conference Announcement! 
6:30pm – Gunnar Peterson – OWASP Top Ten Web Services 
8:00 pm - Upcoming Events reminder and meeting wrap-up

Email lalamri@go-integral.com if you plan to attend so we can order enough refreshments.

===Thank You===
[http://strategicit.org/center/ Center for Strategic Information Technology and Security] for sponsoring our meeting location.

We currently are looking for a meeting sponsor for refreshments for the meeting and for the book give-away.

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
Thanks to all who joined us on October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. Our first conference was a great success, with around 150 people attending! We look forward to the next one.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

=== Most recent videos: ===

[http://video.google.com/videoplay?docid=3200887090385342211&hl=en Dan Cornell - Vulnerability Management in an Application Security World - OWASP (MSP) - 16 March 2009 (1 hour, 52 minutes)] | [http://www.owasp.org/images/1/16/VulnerabilityManagementInAnApplicaitonSecurityWorld_OWASPMSP_20090316.pdf Slides (PDF)]

Rick Ensenbach - Proactive Lifecycle Security Management - OWASP (MSP) - 16 February 2009 ([http://video.google.com/videoplay?docid=2838721966098123222&hl=en Part 1] of 2 - 35 minutes) ([http://video.google.com/videoplay?docid=1766766374336659744&hl=en Part 2] of 2 - 34 minutes) | [https://www.owasp.org/images/f/f8/Proactive_Lifecycle_Security_Management_Presentation_for_OWASP_Mpls-Stp_Chapter_Meeting_-_2-16-09.ppt Slides (PPT)] | [https://www.owasp.org/images/9/9c/Generic_System_Security_Plan.doc Handout: Service/System Security Plan template (DOC)]

[http://video.google.com/videoplay?docid=1665928867290955158 Kuai Hinojosa - OWASP MN Mini Conference Introduction - 21 October 2008 (3 minutes)]

== Upcoming Events ==
=== Secure360 ===
[http://www.secure360.org/ Secure360] is an annual
conference providing high quality educational sessions and networking
opportunities while working to identify developing trends in risk
management, physical security, governance, audit, information security,
contingency planning and human capital.

=== DC612 meetings ===
DC612 meets the 2nd Thursday of the month 
http://www.dc612.org/

== Minneapolis - Saint Paul OWASP Board Members ==
President: [mailto:kuai.hinojosa(at)gmail.com Kuai Hinojosa] 
Vice President: [mailto:lorna.alamri(at)owasp.org Lorna Alamri] 
Secretary: [mailto:sam.buchanan@gmail.com Sam Buchanan]

[[Category:Minnesota]]

Minneapolis St Paul

2009-02-27T04:17:33Z

Afongen: March meeting info

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== Upcoming Meetings ==
<h3>March OWASP Meeting – Dan Cornell 
Vulnerability Management in an Application Security World</h3>

Monday March 16, 2009, 5:30 p.m.

Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.

This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.

=== Speaker Bio ===
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization's technology team overseeing methodology development and project execution for Denim Group's customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications.

=== Where/When ===
Date: Monday March 16, 2009 
Time: 5:30 p.m. 

Location: MEC M.1600, (1st Floor of the Management Education Center)
 Minneapolis Community and Technical College / Metro State University http://www.minneapolis.edu/campusmaps/

Address: 1501 Hennepin Avenue, Minneapolis, MN 55403 

Directions: http://www.minneapolis.edu/directions.cfm - The building entrance is at the corner of 13th St and Harmon Pl.

=== Agenda ===
5:30 pm – Networking and optional sign-in for CISSP credits 
6:00 pm - Introduction and Welcome: OWASP chapter updates 
6:15 pm – Dan Cornell 
8:00 pm - Upcoming Events reminder and meeting wrap-up

====Thank you ===

Center for Strategic Information Technology and Security for sponsoring our meeting location.

We currently are looking for a meeting sponsor for refreshments for the meeting and for the book give-away.

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
Thanks to all who joined us on October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. Our first conference was a great success, with around 150 people attending! We look forward to the next one.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

=== Most recent videos: ===

Rick Ensenbach - Proactive Lifecycle Security Management - OWASP (MSP) - 16 February 2008 ([http://video.google.com/videoplay?docid=2838721966098123222&hl=en Part 1] of 2 - 35 minutes) ([http://video.google.com/videoplay?docid=1766766374336659744&hl=en Part 2] of 2 - 34 minutes) | [https://www.owasp.org/images/f/f8/Proactive_Lifecycle_Security_Management_Presentation_for_OWASP_Mpls-Stp_Chapter_Meeting_-_2-16-09.ppt Slides (PPT)] | [https://www.owasp.org/images/9/9c/Generic_System_Security_Plan.doc Handout: Service/System Security Plan template (DOC)]

[http://video.google.com/videoplay?docid=1665928867290955158 Kuai Hinojosa - OWASP MN Mini Conference Introduction - 21 October 2008 (3 minutes)]

[http://video.google.com/videoplay?docid=-2772176093312625908&hl=en Video: Jeremiah Grossman - Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - OWASP (MSP) - 9 September 2008 (Partial Video - 38 Minutes)] | [https://www.owasp.org/images/5/5d/OWASP_Minneapolis_20080908_Jeremiah_Grossman.pdf Slides (PDF)]

== Upcoming Events ==
=== Secure360 ===
[http://www.secure360.org/ Secure360] is an annual
conference providing high quality educational sessions and networking
opportunities while working to identify developing trends in risk
management, physical security, governance, audit, information security,
contingency planning and human capital.

=== DC612 meetings ===
DC612 meets the 2nd Thursday of the month 
http://www.dc612.org/

== Minneapolis - Saint Paul OWASP Board Members ==
President: [mailto:kuai.hinojosa(at)gmail.com Kuai Hinojosa] 
Vice President: [mailto:lorna.alamri(at)owasp.org Lorna Alamri] 
Secretary: [mailto:sam.buchanan@gmail.com Sam Buchanan]

[[Category:Minnesota]]

Minneapolis St Paul

2009-02-17T05:18:11Z

Afongen: added link to Secure360

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== Upcoming Meetings ==
=== February 16, 2008, 6:00 pm: Rick Eisenbach (UPDATE! NEW LOCATION: T-1000) ===
'''UPDATE! LOCATION FOR THIS MEETNG CHANGED TO:''' Minneapolis Community and Technical College '''T-1000'''. This is the gourmet dining room that we have used in the past on the main floor, by the large common eating area.

''OLD LOCATION: Minneapolis Community and Technical College, room L3100''

==== Proactive Lifecycle Security Management ====
Security Authorization Process Overview

Security professionals are often faced with the daunting task of having to retrofit security controls into systems after it has already been put into production. The bad news is that this commonly occurs after sensitive or confidential information has been exposed as a result of a preventable system vulnerability, which often leads to public embarrassment, unnecessary litigation, regulatory fines, loss of customer confidence and numerous man-hours spent performing incident response and breach notification activities.

Attend this session and learn how to ensure that security is addressed early in the system development/acquisition process by implementing a simple, scalable process that Federal agencies and the Department of Defense have practiced for years. You will also learn how this process can help with other regulatory and industry compliance requirements such as Payment Card Industry, Health Insurance Portability and Accountability Act, Sarbanes-Oxley and Gramm-Leach-Bliley.

Mr. Ensenbach will also discuss available resources you can use and provide and example of a "System Security Plan" that you can immediately start using in your own organization and get you started on implementing your own security authorization process.

This is a "must" attend session for all organizations that are required to comply with Federal Information Security Management Act (FISMA).

==== Speaker Bio ====
Mr. Ensenbach is an information security professional with over 25 years of experience in the field of information security. Mr. Ensenbach has worked for a diverse range of organizations. He has been responsible for creating the information security programs for the Air Force, 934th Airlift Wing - Air Force Reserve, Children's Hospitals and Clinics of Minnesota and Conseco Finance. He has also consulted independently and for several security consulting companies. He currently works in the State of Minnesota's Enterprise Security Office.

Mr. Ensenbach's background includes information security risk management, security auditing and regulatory compliance assessments, policy/standards development, program development and strategic planning. He has an extensive knowledge of regulatory requirements (e.g. HIPAA, GLBA, FFIEC) and internationally accepted standards such as NIST, ISO17799/27001 and COBIT.

==== Agenda ====

Date: February 16, 2009 
Time: 6:00 p.m. 
Location: '''UPDATE! LOCATION FOR THIS MEETNG CHANGED TO:''' Minneapolis Community and Technical College '''T-1000'''. This is the gourmet dining room that we have used in the past on the main floor, by the large common eating area. See '''building T''' on the campus map at http://www.minneapolis.edu/campusmaps/ 
Address: 1501 Hennepin Avenue, Minneapolis, MN 55403 

''Old Location: L3100 (Third Floor of the Library Building, Wheelock Whitney Hall) Minneapolis Community and Technical College.''

Directions: http://www.minneapolis.edu/directions.cfm

5:30 pm - Networking 
6:00pm - Introduction and optional sign-in for CISSP credits 
6:10pm - Welcome: OWASP chapter updates, Conference Announcement! 
6:30pm – Rick Ensenbach 
8:80 pm - Upcoming Events reminder and meeting wrap-up 

==== Thank you ====
Center for Strategic Information Technology and Security for sponsor our location

We currently are looking for a meeting sponsor for refreshments for the meeting and for the book give-away.

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
Thanks to all who joined us on October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. Our first conference was a great success, with around 150 people attending! We look forward to the next one.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

=== Most recent videos: ===

[http://video.google.com/videoplay?docid=1665928867290955158 Kuai Hinojosa - OWASP MN Mini Conference Introduction - 21 October 2008 (3 minutes)

[http://video.google.com/videoplay?docid=-2772176093312625908&hl=en Video: Jeremiah Grossman - Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - OWASP (MSP) - 9 September 2008 (Partial Video - 38 Minutes)] | [https://www.owasp.org/images/5/5d/OWASP_Minneapolis_20080908_Jeremiah_Grossman.pdf Slides (PDF)]

Gunnar Peterson - Breaking Web Services - OWASP (MSP) - 7 July 2008 ([http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Part 1] of 2 - original aspect ratio) ([http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Part 2] of 2 - distorted aspect ratio)
[https://www.owasp.org/images/b/b9/OWASP-MSP-GunnarPetersonHandout20080707.pdf Handout for the presentation (5.4 MB PDF)]

== Upcoming Events ==
=== Secure360 ===
[http://www.secure360.org/ Secure360] is an annual
conference providing high quality educational sessions and networking
opportunities while working to identify developing trends in risk
management, physical security, governance, audit, information security,
contingency planning and human capital.

=== DC612 meetings ===
DC612 meets the 2nd Thursday of the month 
http://www.dc612.org/

== Minneapolis - Saint Paul OWASP Board Members ==
President: [mailto:kuai.hinojosa(at)gmail.com Kuai Hinojosa] 
Vice President: [mailto:lorna.alamri(at)owasp.org Lorna Alamri] 
Secretary: [mailto:sam.buchanan@gmail.com Sam Buchanan]

[[Category:Minnesota]]

Minneapolis St Paul

2009-02-12T17:03:52Z

Afongen: /* Upcoming Meetings */

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== Upcoming Meetings ==
=== February 16, 2008, 6:00 pm: Rick Eisenbach ===
Minneapolis Community and Technical College, room L3100

==== Proactive Lifecycle Security Management ====
Security Authorization Process Overview

Security professionals are often faced with the daunting task of having to retrofit security controls into systems after it has already been put into production. The bad news is that this commonly occurs after sensitive or confidential information has been exposed as a result of a preventable system vulnerability, which often leads to public embarrassment, unnecessary litigation, regulatory fines, loss of customer confidence and numerous man-hours spent performing incident response and breach notification activities.

Attend this session and learn how to ensure that security is addressed early in the system development/acquisition process by implementing a simple, scalable process that Federal agencies and the Department of Defense have practiced for years. You will also learn how this process can help with other regulatory and industry compliance requirements such as Payment Card Industry, Health Insurance Portability and Accountability Act, Sarbanes-Oxley and Gramm-Leach-Bliley.

Mr. Ensenbach will also discuss available resources you can use and provide and example of a "System Security Plan" that you can immediately start using in your own organization and get you started on implementing your own security authorization process.

This is a "must" attend session for all organizations that are required to comply with Federal Information Security Management Act (FISMA).

==== Speaker Bio ====
Mr. Ensenbach is an information security professional with over 25 years of experience in the field of information security. Mr. Ensenbach has worked for a diverse range of organizations. He has been responsible for creating the information security programs for the Air Force, 934th Airlift Wing - Air Force Reserve, Children's Hospitals and Clinics of Minnesota and Conseco Finance. He has also consulted independently and for several security consulting companies. He currently works in the State of Minnesota's Enterprise Security Office.

Mr. Ensenbach's background includes information security risk management, security auditing and regulatory compliance assessments, policy/standards development, program development and strategic planning. He has an extensive knowledge of regulatory requirements (e.g. HIPAA, GLBA, FFIEC) and internationally accepted standards such as NIST, ISO17799/27001 and COBIT.

==== Agenda ====

Date: February , 2009 
Time: 6:00 p.m. 
Location: L3100 (Third Floor of the Library Building, Wheelock Whitney Hall) Minneapolis Community and Technical College. See building L on the campus map http://www.minneapolis.edu/campusmaps/ 
Address: 1501 Hennepin Avenue, Minneapolis, MN 55403 
Directions: http://www.minneapolis.edu/directions.cfm

5:30 pm - Networking 
6:00pm - Introduction and optional sign-in for CISSP credits 
6:10pm - Welcome: OWASP chapter updates, Conference Announcement! 
6:30pm – Rick Ensenbach 
8:80 pm - Upcoming Events reminder and meeting wrap-up 

==== Thank you ====
Center for Strategic Information Technology and Security for sponsor our location

We currently are looking for a meeting sponsor for refreshments for the meeting and for the book give-away.

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
Thanks to all who joined us on October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. Our first conference was a great success, with around 150 people attending! We look forward to the next one.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

=== Most recent videos: ===

[http://video.google.com/videoplay?docid=1665928867290955158 Kuai Hinojosa - OWASP MN Mini Conference Introduction - 21 October 2008 (3 minutes)

[http://video.google.com/videoplay?docid=-2772176093312625908&hl=en Video: Jeremiah Grossman - Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - OWASP (MSP) - 9 September 2008 (Partial Video - 38 Minutes)] | [https://www.owasp.org/images/5/5d/OWASP_Minneapolis_20080908_Jeremiah_Grossman.pdf Slides (PDF)]

Gunnar Peterson - Breaking Web Services - OWASP (MSP) - 7 July 2008 ([http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Part 1] of 2 - original aspect ratio) ([http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Part 2] of 2 - distorted aspect ratio)
[https://www.owasp.org/images/b/b9/OWASP-MSP-GunnarPetersonHandout20080707.pdf Handout for the presentation (5.4 MB PDF)]

<h2>Upcoming Events:</h2>
February 16 meeting, information above.

We are looking for sponsors! Contact Kuai or Lorna if you are interested - any contributions to the local chapter would be highly appreciated.

'''DC612''' meetings 
2nd Thursday of the month 
http://www.dc612.org/

== Minneapolis - Saint Paul OWASP Board Members ==
President: [mailto:kuai.hinojosa(at)gmail.com Kuai Hinojosa] 
Vice President: [mailto:lorna.alamri(at)owasp.org Lorna Alamri] 
Secretary: [mailto:sam.buchanan@gmail.com Sam Buchanan]

[[Category:Minnesota]]

Minneapolis St Paul

2009-02-12T16:54:02Z

Afongen:

Minneapolis St Paul

2009-01-22T03:02:30Z

Afongen: /* OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 */

OWASP Minneapolis St Paul 2008 Conference

2008-10-30T02:44:05Z

Afongen: embedded video in page

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] were very pleased to bring together a line-up of internationally known speakers for a day of application security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center].

Video of the presentations is slowly making its way to this page. Check the agenda below for links.

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ https://www.owasp.org/images/8/81/MN-center-strategic-it-security.gif] 
[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.net/ http://www.go-integral.net/files/integral_logo.png] 
[http://www.go-integral.com/ Integral Business Solutions]

[http://www.symantec.com/ https://www.owasp.org/images/2/26/New_Symantec_Logo.jpg] 
[http://www.symantec.com/ Symantec]

Conference space provided courtesy of the [http://www.umn.edu/oit/ University of Minnesota Office of Information Technology]

== Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#AEB7D5; padding: 1px;">8:00-9:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:00-9:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Kuai Hinojosa''' [http://video.google.com/videoplay?docid=1665928867290955158 Video] OWASP MN President Conference Introduction 

{{#ev:googlevideo|1665928867290955158}}
</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:30-10:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">
'''Jeff Williams''' CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you're tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, is establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 1px;">10:30-11:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Arshan Dabirsiaghi''' Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with useable security protections.

Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?

'''Bio''': Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven of years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.
</td>
</tr>

<tr>
<td style="background-color: #AEB7D5; padding: 5px;">11:00-12:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">12:30-13:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Anil Kumar Revuru'''
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">1:30-2:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">'''Brian Chess''' [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">2:30-3:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">3:00-4:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Elliot Glazer''' [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">4:00-5:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Corey Benninger''' [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Richard Stallman'''

Richard Matthew Stallman is a software developer and software freedom activist. In 1983 he announced the project to develop the GNU operating system, a Unix-like operating system meant to be entirely free software, and has been the project's leader ever since. With that announcement Stallman also launched the Free Software Movement. In October 1985 he started the Free Software Foundation.

The GNU/Linux system, which is a variant of GNU that also uses the kernel Linux developed by Linus Torvalds, are used in tens or hundreds of millions of computers, and are now preinstalled in computers available in retail stores. However, the distributors of these systems often disregard the ideas of freedom which make free software important.

That is why, since the mid-1990s, Stallman has spent most of his time in political advocacy for free software, and spreading the ethical ideas of the movement, as well as campaigning against both software patents and dangerous extension of copyright laws. Before that, Stallman developed a number of widely used software components of the GNU system, including the original Emacs, the GNU Compiler Collection, the GNU symbolic debugger (gdb), GNU Emacs, and various other programs for the GNU operating system.

Stallman pioneered the concept of copyleft, and is the main author of the GNU General Public License, the most widely used free software license.

Stallman gives speeches frequently about free software and related topics. Common speech titles include "The GNU Operating System and the Free Software movement", "The Dangers of Software Patents", and "Copyright and Community in the Age of the Computer Networks". A fourth common topic consists of explaining the changes in version 3 of the GNU General Public License, which was released in June 2007. </td>
</tr>

</table>

Minneapolis St Paul

2008-10-24T01:44:31Z

Afongen: added link to Kuai's introduction

Minneapolis St Paul

2008-10-24T01:42:35Z

Afongen: added email address for Sam

OWASP Minneapolis St Paul 2008 Conference

2008-10-24T01:30:16Z

Afongen: removed parking info

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] were very pleased to bring together a line-up of internationally known speakers for a day of application security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center].

Video of the presentations is slowly making its way to this page. Check the agenda below for links.

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ https://www.owasp.org/images/8/81/MN-center-strategic-it-security.gif] 
[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.net/ http://www.go-integral.net/files/integral_logo.png] 
[http://www.go-integral.com/ Integral Business Solutions]

[http://www.symantec.com/ https://www.owasp.org/images/2/26/New_Symantec_Logo.jpg] 
[http://www.symantec.com/ Symantec]

Conference space provided courtesy of the [http://www.umn.edu/oit/ University of Minnesota Office of Information Technology]

== Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#AEB7D5; padding: 1px;">8:00-9:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:00-9:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Kuai Hinojosa''' [http://video.google.com/videoplay?docid=1665928867290955158 Video] OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:30-10:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">
'''Jeff Williams''' CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you're tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, is establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 1px;">10:30-11:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Arshan Dabirsiaghi''' Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with useable security protections.

Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?

'''Bio''': Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven of years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.
</td>
</tr>

<tr>
<td style="background-color: #AEB7D5; padding: 5px;">11:00-12:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">12:30-13:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Anil Kumar Revuru'''
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">1:30-2:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">'''Brian Chess''' [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">2:30-3:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">3:00-4:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Elliot Glazer''' [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">4:00-5:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Corey Benninger''' [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Richard Stallman'''

Richard Matthew Stallman is a software developer and software freedom activist. In 1983 he announced the project to develop the GNU operating system, a Unix-like operating system meant to be entirely free software, and has been the project's leader ever since. With that announcement Stallman also launched the Free Software Movement. In October 1985 he started the Free Software Foundation.

The GNU/Linux system, which is a variant of GNU that also uses the kernel Linux developed by Linus Torvalds, are used in tens or hundreds of millions of computers, and are now preinstalled in computers available in retail stores. However, the distributors of these systems often disregard the ideas of freedom which make free software important.

That is why, since the mid-1990s, Stallman has spent most of his time in political advocacy for free software, and spreading the ethical ideas of the movement, as well as campaigning against both software patents and dangerous extension of copyright laws. Before that, Stallman developed a number of widely used software components of the GNU system, including the original Emacs, the GNU Compiler Collection, the GNU symbolic debugger (gdb), GNU Emacs, and various other programs for the GNU operating system.

Stallman pioneered the concept of copyleft, and is the main author of the GNU General Public License, the most widely used free software license.

Stallman gives speeches frequently about free software and related topics. Common speech titles include "The GNU Operating System and the Free Software movement", "The Dangers of Software Patents", and "Copyright and Community in the Age of the Computer Networks". A fourth common topic consists of explaining the changes in version 3 of the GNU General Public License, which was released in June 2007. </td>
</tr>

</table>

OWASP Minneapolis St Paul 2008 Conference

2008-10-24T01:28:32Z

Afongen: Removed "Tentative" from "Tentative Agenda"

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] were very pleased to bring together a line-up of internationally known speakers for a day of application security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center].

Video of the presentations is slowly making its way to this page. Check the agenda below for links.

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ https://www.owasp.org/images/8/81/MN-center-strategic-it-security.gif] 
[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.net/ http://www.go-integral.net/files/integral_logo.png] 
[http://www.go-integral.com/ Integral Business Solutions]

[http://www.symantec.com/ https://www.owasp.org/images/2/26/New_Symantec_Logo.jpg] 
[http://www.symantec.com/ Symantec]

Conference space provided courtesy of the [http://www.umn.edu/oit/ University of Minnesota Office of Information Technology]

== Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#AEB7D5; padding: 1px;">8:00-9:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:00-9:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Kuai Hinojosa''' [http://video.google.com/videoplay?docid=1665928867290955158 Video] OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:30-10:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">
'''Jeff Williams''' CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you're tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, is establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 1px;">10:30-11:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Arshan Dabirsiaghi''' Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with useable security protections.

Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?

'''Bio''': Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven of years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.
</td>
</tr>

<tr>
<td style="background-color: #AEB7D5; padding: 5px;">11:00-12:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">12:30-13:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Anil Kumar Revuru'''
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">1:30-2:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">'''Brian Chess''' [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">2:30-3:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">3:00-4:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Elliot Glazer''' [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">4:00-5:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Corey Benninger''' [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Richard Stallman'''

Richard Matthew Stallman is a software developer and software freedom activist. In 1983 he announced the project to develop the GNU operating system, a Unix-like operating system meant to be entirely free software, and has been the project's leader ever since. With that announcement Stallman also launched the Free Software Movement. In October 1985 he started the Free Software Foundation.

The GNU/Linux system, which is a variant of GNU that also uses the kernel Linux developed by Linus Torvalds, are used in tens or hundreds of millions of computers, and are now preinstalled in computers available in retail stores. However, the distributors of these systems often disregard the ideas of freedom which make free software important.

That is why, since the mid-1990s, Stallman has spent most of his time in political advocacy for free software, and spreading the ethical ideas of the movement, as well as campaigning against both software patents and dangerous extension of copyright laws. Before that, Stallman developed a number of widely used software components of the GNU system, including the original Emacs, the GNU Compiler Collection, the GNU symbolic debugger (gdb), GNU Emacs, and various other programs for the GNU operating system.

Stallman pioneered the concept of copyleft, and is the main author of the GNU General Public License, the most widely used free software license.

Stallman gives speeches frequently about free software and related topics. Common speech titles include "The GNU Operating System and the Free Software movement", "The Dangers of Software Patents", and "Copyright and Community in the Age of the Computer Networks". A fourth common topic consists of explaining the changes in version 3 of the GNU General Public License, which was released in June 2007. </td>
</tr>

</table>

== Parking and Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm

OWASP Minneapolis St Paul 2008 Conference

2008-10-24T01:27:50Z

Afongen: Made the intro more past-tense, mentioned videos (thanks, Adam!)

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] were very pleased to bring together a line-up of internationally known speakers for a day of application security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center].

Video of the presentations is slowly making its way to this page. Check the agenda below for links.

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ https://www.owasp.org/images/8/81/MN-center-strategic-it-security.gif] 
[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.net/ http://www.go-integral.net/files/integral_logo.png] 
[http://www.go-integral.com/ Integral Business Solutions]

[http://www.symantec.com/ https://www.owasp.org/images/2/26/New_Symantec_Logo.jpg] 
[http://www.symantec.com/ Symantec]

Conference space provided courtesy of the [http://www.umn.edu/oit/ University of Minnesota Office of Information Technology]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#AEB7D5; padding: 1px;">8:00-9:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:00-9:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Kuai Hinojosa''' [http://video.google.com/videoplay?docid=1665928867290955158 Video] OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:30-10:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">
'''Jeff Williams''' CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you're tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, is establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 1px;">10:30-11:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Arshan Dabirsiaghi''' Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with useable security protections.

Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?

'''Bio''': Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven of years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.
</td>
</tr>

<tr>
<td style="background-color: #AEB7D5; padding: 5px;">11:00-12:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">12:30-13:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Anil Kumar Revuru'''
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">1:30-2:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">'''Brian Chess''' [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">2:30-3:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">3:00-4:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Elliot Glazer''' [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">4:00-5:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Corey Benninger''' [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Richard Stallman'''

Richard Matthew Stallman is a software developer and software freedom activist. In 1983 he announced the project to develop the GNU operating system, a Unix-like operating system meant to be entirely free software, and has been the project's leader ever since. With that announcement Stallman also launched the Free Software Movement. In October 1985 he started the Free Software Foundation.

The GNU/Linux system, which is a variant of GNU that also uses the kernel Linux developed by Linus Torvalds, are used in tens or hundreds of millions of computers, and are now preinstalled in computers available in retail stores. However, the distributors of these systems often disregard the ideas of freedom which make free software important.

That is why, since the mid-1990s, Stallman has spent most of his time in political advocacy for free software, and spreading the ethical ideas of the movement, as well as campaigning against both software patents and dangerous extension of copyright laws. Before that, Stallman developed a number of widely used software components of the GNU system, including the original Emacs, the GNU Compiler Collection, the GNU symbolic debugger (gdb), GNU Emacs, and various other programs for the GNU operating system.

Stallman pioneered the concept of copyleft, and is the main author of the GNU General Public License, the most widely used free software license.

Stallman gives speeches frequently about free software and related topics. Common speech titles include "The GNU Operating System and the Free Software movement", "The Dangers of Software Patents", and "Copyright and Community in the Age of the Computer Networks". A fourth common topic consists of explaining the changes in version 3 of the GNU General Public License, which was released in June 2007. </td>
</tr>

</table>

== Parking and Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm

Minneapolis St Paul

2008-10-23T21:51:48Z

Afongen: Removed conference notice.

Minneapolis St Paul

2008-10-23T21:23:23Z

Afongen: Changed conference blurb from an announcement to a thank you.

OWASP Minneapolis St Paul 2008 Conference

2008-10-22T02:23:39Z

Afongen: removed registration link, since, well, the conference is over.

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] invites you to attend the first ever Minnesota OWASP Conference on October 21st.

We're very excited out the line up of internationally known speakers we were able to bring together for this one day of Application Security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center] ([[#Parking and Transportation|parking and transportation]] information below). There is a nominal fee of $25.00 per person, which includes lunch. Seating is limited and we expect this event to sell out. '''On site registration is not expected''' to be available the day of the event -- and we need to have a reasonably accurate lunch count -- so please [http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 register] prior to the event to guarantee your seat (and lunch!).

<paypal>Minneapolis conference</paypal>

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ https://www.owasp.org/images/8/81/MN-center-strategic-it-security.gif] 
[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.net/ http://www.go-integral.net/files/integral_logo.png] 
[http://www.go-integral.com/ Integral Business Solutions]

[http://www.symantec.com/ https://www.owasp.org/images/2/26/New_Symantec_Logo.jpg] 
[http://www.go-integral.com/ Symantec]

Conference space provided courtesy of the [http://www.umn.edu/oit/ University of Minnesota Office of Information Technology]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#AEB7D5; padding: 1px;">8:00-9:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:00-9:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Kuai Hinojosa''' OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:30-10:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">
'''Jeff Williams''' CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you're tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, is establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 1px;">10:30-11:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Arshan Dabirsiaghi''' Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with useable security protections.

Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?

'''Bio''': Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven of years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.
</td>
</tr>

<tr>
<td style="background-color: #AEB7D5; padding: 5px;">11:00-12:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">12:30-13:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Anil Kumar Revuru'''
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">1:30-2:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">'''Brian Chess''' [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">2:30-3:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">3:00-4:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Elliot Glazer''' [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">4:00-5:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Corey Benninger''' [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Richard Stallman'''

Richard Matthew Stallman is a software developer and software freedom activist. In 1983 he announced the project to develop the GNU operating system, a Unix-like operating system meant to be entirely free software, and has been the project's leader ever since. With that announcement Stallman also launched the Free Software Movement. In October 1985 he started the Free Software Foundation.

The GNU/Linux system, which is a variant of GNU that also uses the kernel Linux developed by Linus Torvalds, are used in tens or hundreds of millions of computers, and are now preinstalled in computers available in retail stores. However, the distributors of these systems often disregard the ideas of freedom which make free software important.

That is why, since the mid-1990s, Stallman has spent most of his time in political advocacy for free software, and spreading the ethical ideas of the movement, as well as campaigning against both software patents and dangerous extension of copyright laws. Before that, Stallman developed a number of widely used software components of the GNU system, including the original Emacs, the GNU Compiler Collection, the GNU symbolic debugger (gdb), GNU Emacs, and various other programs for the GNU operating system.

Stallman pioneered the concept of copyleft, and is the main author of the GNU General Public License, the most widely used free software license.

Stallman gives speeches frequently about free software and related topics. Common speech titles include "The GNU Operating System and the Free Software movement", "The Dangers of Software Patents", and "Copyright and Community in the Age of the Computer Networks". A fourth common topic consists of explaining the changes in version 3 of the GNU General Public License, which was released in June 2007. </td>
</tr>

</table>

== Parking and Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm

OWASP Minneapolis St Paul 2008 Conference

2008-10-15T03:43:03Z

Afongen: added note about lunch.

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] invites you to attend the first ever Minnesota OWASP Conference on October 21st.

We're very excited out the line up of internationally known speakers we were able to bring together for this one day of Application Security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center] ([[#Parking and Transportation|parking and transportation]] information below). There is a nominal fee of $25.00 per person, which includes lunch. Seating is limited and we expect this event to sell out. '''On site registration is not expected''' to be available the day of the event -- and we need to have a reasonably accurate lunch count -- so please [http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 register] prior to the event to guarantee your seat (and lunch!).

[http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 http://www.owasp.org/images/7/7f/Register.gif]

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ https://www.owasp.org/images/8/81/MN-center-strategic-it-security.gif] 
[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.net/ http://www.go-integral.net/files/integral_logo.png] 
[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the [http://www.umn.edu/oit/ University of Minnesota Office of Information Technology]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#AEB7D5; padding: 1px;">8:00-9:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:00-9:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Kuai Hinojosa''' OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:30-10:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">
'''Jeff Williams''' CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you're tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, is establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 1px;">10:30-11:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Arshan Dabirsiaghi''' Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with useable security protections.

Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?

'''Bio''': Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven of years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.
</td>
</tr>

<tr>
<td style="background-color: #AEB7D5; padding: 5px;">11:00-12:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">12:30-13:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Anil Kumar Revuru'''
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">1:30-2:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">'''Brian Chess''' [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">2:30-3:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">3:00-4:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Elliot Glazer''' [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">4:00-5:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Corey Benninger''' [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Richard Stallman'''

Richard Matthew Stallman is a software developer and software freedom activist. In 1983 he announced the project to develop the GNU operating system, a Unix-like operating system meant to be entirely free software, and has been the project's leader ever since. With that announcement Stallman also launched the Free Software Movement. In October 1985 he started the Free Software Foundation.

The GNU/Linux system, which is a variant of GNU that also uses the kernel Linux developed by Linus Torvalds, are used in tens or hundreds of millions of computers, and are now preinstalled in computers available in retail stores. However, the distributors of these systems often disregard the ideas of freedom which make free software important.

That is why, since the mid-1990s, Stallman has spent most of his time in political advocacy for free software, and spreading the ethical ideas of the movement, as well as campaigning against both software patents and dangerous extension of copyright laws. Before that, Stallman developed a number of widely used software components of the GNU system, including the original Emacs, the GNU Compiler Collection, the GNU symbolic debugger (gdb), GNU Emacs, and various other programs for the GNU operating system.

Stallman pioneered the concept of copyleft, and is the main author of the GNU General Public License, the most widely used free software license.

Stallman gives speeches frequently about free software and related topics. Common speech titles include "The GNU Operating System and the Free Software movement", "The Dangers of Software Patents", and "Copyright and Community in the Age of the Computer Networks". A fourth common topic consists of explaining the changes in version 3 of the GNU General Public License, which was released in June 2007. </td>
</tr>

</table>

== Parking and Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm

Minneapolis St Paul

2008-10-10T21:39:42Z

Afongen: added board members list

OWASP Minneapolis St Paul 2008 Conference

2008-10-09T02:48:04Z

Afongen: moved thank you section, added logos

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] invites you to attend the first ever Minnesota OWASP Conference on October 21st.

We're very excited out the line up of internationally known speakers we were able to bring together for this one day of Application Security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center] ([[#Parking and Transportation|parking and transportation]] information below). There is a nominal fee of $25.00 per person, which includes lunch. Seating is limited and we expect this event to sell out. '''On site registration is not expected''' to be available the day of the event, so please [http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 register] prior to the event to guarantee your seat.

[http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 http://www.owasp.org/images/7/7f/Register.gif]

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ https://www.owasp.org/images/8/81/MN-center-strategic-it-security.gif] 
[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.net/ http://www.go-integral.net/files/integral_logo.png] 
[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the [http://www.umn.edu/oit/ University of Minnesota Office of Information Technology]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#AEB7D5; padding: 1px;">8:00-9:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:00-9:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Kuai Hinojosa''' OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:30-10:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">
'''Jeff Williams''' CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you're tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, is establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 1px;">10:30-11:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Arshan Dabirsiaghi''' Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with useable security protections.

Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?

'''Bio''': Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven of years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.
</td>
</tr>

<tr>
<td style="background-color: #AEB7D5; padding: 5px;">11:00-12:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">12:30-13:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Anil Kumar Revuru'''
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">1:30-2:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">'''Brian Chess''' [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">2:30-3:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">3:00-4:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Elliot Glazer''' [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">4:00-5:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Corey Benninger''' [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Richard Stallman'''

Richard Stallman is the founder of the GNU Project, launched in 1984 to develop the free operating system, GNU.

Richard Stallman is the principal author of the GNU C Compiler, the GNU symbolic debugger (GDB), GNU Emacs, and various other GNU programs. Stallman currently serves as president of the Free Software Foundation.
</td>
</tr>

</table>

== Parking and Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm

OWASP Minneapolis St Paul 2008 Conference

2008-10-08T02:22:56Z

Afongen: /* Tentative Agenda */

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] invites you to attend the first ever Minnesota OWASP Conference on October 21st.

We're very excited out the line up of internationally known speakers we were able to bring together for this one day of Application Security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center] ([[#Parking and Transportation|parking and transportation]] information below). There is a nominal fee of $25.00 per person, which includes lunch. Seating is limited and we expect this event to sell out. '''On site registration is not expected''' to be available the day of the event, so please [http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 register] prior to the event to guarantee your seat.

[http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 http://www.owasp.org/images/7/7f/Register.gif]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#AEB7D5; padding: 1px;">8:00-9:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:00-9:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Kuai Hinojosa''' OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:30-10:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">
'''Jeff Williams''' CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you're tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, is establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 1px;">10:30-11:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Arshan Dabirsiaghi''' Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with useable security protections.

Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?

'''Bio''': Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven of years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.
</td>
</tr>

<tr>
<td style="background-color: #AEB7D5; padding: 5px;">11:00-12:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">12:30-13:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Anil Kumar Revuru'''
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">1:30-2:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">'''Brian Chess''' [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">2:30-3:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">3:00-4:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Elliot Glazer''' [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">4:00-5:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Corey Benninger''' [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Richard Stallman'''

Richard Stallman is the founder of the GNU Project, launched in 1984 to develop the free operating system, GNU.

Richard Stallman is the principal author of the GNU C Compiler, the GNU symbolic debugger (GDB), GNU Emacs, and various other GNU programs. Stallman currently serves as president of the Free Software Foundation.
</td>
</tr>

</table>

== Parking and Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm 

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]

Minneapolis St Paul

2008-10-08T02:10:37Z

Afongen: fixed a name. oops!

OWASP Minneapolis St Paul 2008 Conference

2008-10-08T01:54:53Z

Afongen: Stallman bio

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] invites you to attend the first ever Minnesota OWASP Conference on October 21st.

We're very excited out the line up of internationally known speakers we were able to bring together for this one day of Application Security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center] ([[#Parking and Transportation|parking and transportation]] information below). There is a nominal fee of $25.00 per person, which includes lunch. Seating is limited and we expect this event to sell out. '''On site registration is not expected''' to be available the day of the event, so please [http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 register] prior to the event to guarantee your seat.

[http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 http://www.owasp.org/images/7/7f/Register.gif]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#AEB7D5; padding: 1px;">8:00-9:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:00-9:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Kuai Hinojosa''' OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:30-10:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">
'''Jeff Williams''' CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you?re tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 1px;">10:30-11:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">'''Arshan Dabirsiaghi''' Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with useable security protections.

Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?

'''Bio''': Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven of years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.
</td>
</tr>

<tr>
<td style="background-color: #AEB7D5; padding: 5px;">11:00-12:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">12:30-13:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Anil Kumar Revuru'''
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">1:30-2:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">'''Brian Chess''' [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">2:30-3:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">3:00-4:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Elliot Glazer''' [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">4:00-5:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Corey Benninger''' [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #D5B4AE; padding: 5px;">
'''Richard Stallman'''

Richard Stallman is the founder of the GNU Project, launched in 1984 to develop the free operating system, GNU.

Richard Stallman is the principal author of the GNU C Compiler, the GNU symbolic debugger (GDB), GNU Emacs, and various other GNU programs. Stallman currently serves as president of the Free Software Foundation.
</td>
</tr>

</table>

== Parking and Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm 

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]

Minneapolis St Paul

2008-10-08T01:49:06Z

Afongen: new paragraph about the conference

OWASP Minneapolis St Paul 2008 Conference

2008-10-08T01:42:03Z

Afongen: lightened table background colors

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] invites you to attend the first ever Minnesota OWASP Conference on October 21st.

We're very excited out the line up of internationally known speakers we were able to bring together for this one day of Application Security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center] ([[#Parking and Transportation|parking and transportation]] information below). There is a nominal fee of $25.00 per person, which includes lunch. Seating is limited and we expect this event to sell out. '''On site registration is not expected''' to be available the day of the event, so please [http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 register] prior to the event to guarantee your seat.

[http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 http://www.owasp.org/images/7/7f/Register.gif]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#AEB7D5; padding: 1px;">8:00-9:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:00-9:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">Kuai Hinojosa OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#AEB7D5; padding: 5px;">9:30-10:30</td>
<td style="background-color:#D5B4AE; padding: 5px;">
Jeff Williams CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you?re tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#AEB7D5; padding: 1px;">10:30-11:00</td>
<td style="background-color:#D5B4AE; padding: 5px;">Arshan Dabirsiaghi Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with useable security protections.

Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?

'''Bio''': Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven of years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.
</td>
</tr>

<tr>
<td style="background-color: #AEB7D5; padding: 5px;">11:00-12:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">12:30-13:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Anil Kumar Revuru
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">1:30-2:30</td>
<td style="background-color: #D5B4AE; padding: 5px;">Brian Chess [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">2:30-3:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">3:00-4:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Elliot Glazer [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 5px;">4:00-5:00</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Corey Benninger [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #AEB7D5; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #D5B4AE; padding: 5px;">
Richard Stallman
</td>
</tr>

</table>

== Parking and Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm 

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]

OWASP Minneapolis St Paul 2008 Conference

2008-10-08T01:37:20Z

Afongen: Bio for Arshan Dabirsiaghi and expanded session description

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] invites you to attend the first ever Minnesota OWASP Conference on October 21st.

We're very excited out the line up of internationally known speakers we were able to bring together for this one day of Application Security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center] ([[#Parking and Transportation|parking and transportation]] information below). There is a nominal fee of $25.00 per person, which includes lunch. Seating is limited and we expect this event to sell out. '''On site registration is not expected''' to be available the day of the event, so please [http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 register] prior to the event to guarantee your seat.

[http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 http://www.owasp.org/images/7/7f/Register.gif]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#7B8ABD; padding: 1px;">8:00-9:00</td>
<td style="background-color:#BC857A; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">9:00-9:30</td>
<td style="background-color:#BC857A; padding: 5px;">Kuai Hinojosa OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">9:30-10:30</td>
<td style="background-color:#BC857A; padding: 5px;">
Jeff Williams CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you?re tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#7B8ABD; padding: 1px;">10:30-11:00</td>
<td style="background-color:#BC857A; padding: 5px;">Arshan Dabirsiaghi Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with useable security protections.

Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?

'''Bio''': Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven of years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.
</td>
</tr>

<tr>
<td style="background-color: #7B8ABD; padding: 5px;">11:00-12:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">12:30-13:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Anil Kumar Revuru
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">1:30-2:30</td>
<td style="background-color: #BC857A; padding: 5px;">Brian Chess [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">2:30-3:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">3:00-4:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Elliot Glazer [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">4:00-5:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Corey Benninger [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #BC857A; padding: 5px;">
Richard Stallman
</td>
</tr>

</table>

== Parking and Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm 

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]

OWASP Minneapolis St Paul 2008 Conference

2008-10-07T18:37:03Z

Afongen: /* OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 */

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] invites you to attend the first ever Minnesota OWASP Conference on October 21st.

We're very excited out the line up of internationally known speakers we were able to bring together for this one day of Application Security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center] ([[#Parking and Transportation|parking and transportation]] information below). There is a nominal fee of $25.00 per person, which includes lunch. Seating is limited and we expect this event to sell out. '''On site registration is not expected''' to be available the day of the event, so please [http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 register] prior to the event to guarantee your seat.

[http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 http://www.owasp.org/images/7/7f/Register.gif]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#7B8ABD; padding: 1px;">8:00-9:00</td>
<td style="background-color:#BC857A; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">9:00-9:30</td>
<td style="background-color:#BC857A; padding: 5px;">Kuai Hinojosa OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">9:30-10:30</td>
<td style="background-color:#BC857A; padding: 5px;">
Jeff Williams CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you?re tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#7B8ABD; padding: 1px;">10:30-11:00</td>
<td style="background-color:#BC857A; padding: 5px;">Arshan Dabirsiaghi Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest.
</td>
</tr>

<tr>
<td style="background-color: #7B8ABD; padding: 5px;">11:00-12:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">12:30-13:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Anil Kumar Revuru
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">1:30-2:30</td>
<td style="background-color: #BC857A; padding: 5px;">Brian Chess [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">2:30-3:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">3:00-4:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Elliot Glazer [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">4:00-5:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Corey Benninger [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #BC857A; padding: 5px;">
Richard Stallman
</td>
</tr>

</table>

== Parking and Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm 

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]

OWASP Minneapolis St Paul 2008 Conference

2008-10-07T18:36:06Z

Afongen: /* OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 */

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] invites you to attend the first ever Minnesota OWASP Conference on October 21st.

We're very excited out the line up of internationally known speakers we were able to bring together for this one day of Application Security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center] ([[#Parking and Transportation]] information below). There is a nominal fee of $25.00 per person, which includes lunch. Seating is limited and we expect this event to sell out. '''On site registration is not expected''' to be available the day of the event, so please [http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 register] prior to the event to guarantee your seat.

[http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 http://www.owasp.org/images/7/7f/Register.gif]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#7B8ABD; padding: 1px;">8:00-9:00</td>
<td style="background-color:#BC857A; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">9:00-9:30</td>
<td style="background-color:#BC857A; padding: 5px;">Kuai Hinojosa OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">9:30-10:30</td>
<td style="background-color:#BC857A; padding: 5px;">
Jeff Williams CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you?re tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#7B8ABD; padding: 1px;">10:30-11:00</td>
<td style="background-color:#BC857A; padding: 5px;">Arshan Dabirsiaghi Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest.
</td>
</tr>

<tr>
<td style="background-color: #7B8ABD; padding: 5px;">11:00-12:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">12:30-13:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Anil Kumar Revuru
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">1:30-2:30</td>
<td style="background-color: #BC857A; padding: 5px;">Brian Chess [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">2:30-3:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">3:00-4:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Elliot Glazer [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">4:00-5:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Corey Benninger [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #BC857A; padding: 5px;">
Richard Stallman
</td>
</tr>

</table>

== Parking and Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm 

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]

OWASP Minneapolis St Paul 2008 Conference

2008-10-07T18:35:06Z

Afongen: change ampersand to "and"

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] invites you to attend the first ever Minnesota OWASP Conference on October 21st.

We're very excited out the line up of internationally known speakers we were able to bring together for this one day of Application Security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center]. There is a nominal fee of $25.00 per person, which includes lunch. Seating is limited and we expect this event to sell out. '''On site registration is not expected''' to be available the day of the event, so please [http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 register] prior to the event to guarantee your seat.

[http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 http://www.owasp.org/images/7/7f/Register.gif]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#7B8ABD; padding: 1px;">8:00-9:00</td>
<td style="background-color:#BC857A; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">9:00-9:30</td>
<td style="background-color:#BC857A; padding: 5px;">Kuai Hinojosa OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">9:30-10:30</td>
<td style="background-color:#BC857A; padding: 5px;">
Jeff Williams CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you?re tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#7B8ABD; padding: 1px;">10:30-11:00</td>
<td style="background-color:#BC857A; padding: 5px;">Arshan Dabirsiaghi Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest.
</td>
</tr>

<tr>
<td style="background-color: #7B8ABD; padding: 5px;">11:00-12:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">12:30-13:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Anil Kumar Revuru
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">1:30-2:30</td>
<td style="background-color: #BC857A; padding: 5px;">Brian Chess [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">2:30-3:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">3:00-4:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Elliot Glazer [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">4:00-5:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Corey Benninger [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #BC857A; padding: 5px;">
Richard Stallman
</td>
</tr>

</table>

== Parking and Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm 

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]

OWASP Minneapolis St Paul 2008 Conference

2008-10-07T18:32:07Z

Afongen: updated agenda with new times and a small reorg of content

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] invites you to attend the first ever Minnesota OWASP Conference on October 21st.

We're very excited out the line up of internationally known speakers we were able to bring together for this one day of Application Security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center]. There is a nominal fee of $25.00 per person, which includes lunch. Seating is limited and we expect this event to sell out. '''On site registration is not expected''' to be available the day of the event, so please [http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 register] prior to the event to guarantee your seat.

[http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 http://www.owasp.org/images/7/7f/Register.gif]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#7B8ABD; padding: 1px;">8:00-9:00</td>
<td style="background-color:#BC857A; padding: 5px;">Registration / Check-In</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">9:00-9:30</td>
<td style="background-color:#BC857A; padding: 5px;">Kuai Hinojosa OWASP MN President Conference Introduction</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">9:30-10:30</td>
<td style="background-color:#BC857A; padding: 5px;">
Jeff Williams CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you?re tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization's ESAPI is one of the best things you can do?

'''Bio''':
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
</td>
</tr>

<tr>
<td style="background-color:#7B8ABD; padding: 1px;">10:30-11:00</td>
<td style="background-color:#BC857A; padding: 5px;">Arshan Dabirsiaghi Director of Research, [http://www.aspectsecurity.com/ Aspect Security]

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest.
</td>
</tr>

<tr>
<td style="background-color: #7B8ABD; padding: 5px;">11:00-12:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Lunch
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">12:30-13:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Anil Kumar Revuru
 [http://www.miscrosoft.com/ Microsoft] 

Microsoft Connected Information Security Framework (CISF) and Tools: 
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

'''Bio''':
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">1:30-2:30</td>
<td style="background-color: #BC857A; padding: 5px;">Brian Chess [http://www.fortify.com/ Fortify Software]

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include: 
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">2:30-3:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">3:00-4:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Elliot Glazer [http://www.dtcc.com/ DTCC]

Information Security Architecture Layers and Key Processes:

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">4:00-5:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Corey Benninger [http://intrepidusgroup.com/ Intrepidus Group] 

Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.

'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 1px;">
5:00-5:15
</td>
<td style="background-color: #BC857A; padding: 5px;">
Richard Stallman
</td>
</tr>

</table>

== Parking & Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm 

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]

OWASP Minneapolis St Paul 2008 Conference

2008-10-07T18:14:49Z

Afongen: improved intro paragraph

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] invites you to attend the first ever Minnesota OWASP Conference on October 21st.

We're very excited out the line up of internationally known speakers we were able to bring together for this one day of Application Security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center]. There is a nominal fee of $25.00 per person, which includes lunch. Seating is limited and we expect this event to sell out. '''On site registration is not expected''' to be available the day of the event, so please [http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 register] prior to the event to guarantee your seat.

[http://guest.cvent.com/i.aspx?4W,M3,c2618ba0-022d-434e-a053-39fcc4120313 http://www.owasp.org/images/7/7f/Register.gif]

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#7B8ABD; padding: 1px;">08:00-09:00</td>
<td style="background-color:#BC857A; padding: 5px;">Registration Opens and Tech Expo</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">09:00-10:00</td>
<td style="background-color:#BC857A; padding: 5px;">Introduction, OWASP conference</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">10:00-11:00</td>
<td style="background-color:#BC857A; padding: 5px;">
Jeff Williams CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 
Bio: 
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.

Topic: 
Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you?re tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization?s ESAPI is one of the best things you can do.?
</td>

</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">11:00-12:30</td>
<td style="background-color: #BC857A; padding: 5px;">
lunch break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">12:30-13:30</td>
<td style="background-color: #BC857A; padding: 5px;">

Anil Kumar Revuru
 [http://www.miscrosoft.com/ Microsfot] 
Bio 

Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling

Topic:
Microsoft Connected Information Security Framework (CISF) and Tools
Description:
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">13:30-14:30</td>
<td style="background-color: #BC857A; padding: 5px;">Brian Chess [http://www.fortify.com/ Fortify Software]
Bio: 
Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge

Topic: 
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include:
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:30-15:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:00-15:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Elliot Glazer [http://www.dtcc.com/ DTCC]

Bio:
Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.

Topic:

Information Security Architecture Layers and Key Processes

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:30-16:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Corey Benninger [http://intrepidusgroup.com/ Intrepidus Group] 

Bio:
Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).

Topic:
Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 1px;">

</td>
<td style="background-color: #BC857A; padding: 5px;">
Richard Stallman
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:00 - ?
</td>
<td style="background-color: #BC857A; padding: 5px;">
Happy hour and networking opps
</td>
</tr>
</table>

== Parking & Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm 

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]

Minneapolis St Paul

2008-10-07T18:09:19Z

Afongen: deleted

OWASP Minneapolis St Paul 2008 Conference

2008-10-01T01:54:27Z

Afongen: added parking and transportation

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The Minneapolis - Saint Paul Chapter invites you to a one-day mini-conference at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center].

Online registration will be available soon. The cost of the conference is $25, which includes lunch.

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#7B8ABD; padding: 1px;">08:00-09:00</td>
<td style="background-color:#BC857A; padding: 5px;">Registration Opens and Tech Expo</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">09:00-10:00</td>
<td style="background-color:#BC857A; padding: 5px;">Introduction, OWASP conference</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">10:00-11:00</td>
<td style="background-color:#BC857A; padding: 5px;">
Jeff Williams CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 
Bio: 
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.

Topic: 
Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you?re tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization?s ESAPI is one of the best things you can do.?
</td>

</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">11:00-12:30</td>
<td style="background-color: #BC857A; padding: 5px;">
lunch break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">12:30-13:30</td>
<td style="background-color: #BC857A; padding: 5px;">

Anil Kumar Revuru
 [http://www.miscrosoft.com/ Microsfot] 
Bio 

Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling

Topic:
Microsoft Connected Information Security Framework (CISF) and Tools
Description:
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">13:30-14:30</td>
<td style="background-color: #BC857A; padding: 5px;">Brian Chess [http://www.fortify.com/ Fortify Software]
Bio: 
Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge

Topic: 
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include:
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:30-15:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:00-15:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Elliot Glazer [http://www.dtcc.com/ DTCC]

Bio:
Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.

Topic:

Information Security Architecture Layers and Key Processes

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:30-16:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Corey Benninger [http://intrepidusgroup.com/ Intrepidus Group] 

Bio:
Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).

Topic:
Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 1px;">

</td>
<td style="background-color: #BC857A; padding: 5px;">
Richard Stallman
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:00 - ?
</td>
<td style="background-color: #BC857A; padding: 5px;">
Happy hour and networking opps
</td>
</tr>
</table>

== Parking & Transportation ==
Public Parking: http://www1.umn.edu/pts/publicparking.htm 
Map of St. Paul Campus Parking (PDF): http://www1.umn.edu/pts/maps/spcont.pdf 
Campus Connector Shuttle: http://www1.umn.edu/pts/shuttle.htm 
Metro Bus information: http://www1.umn.edu/pts/metrobuses.htm 

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]

OWASP Minneapolis St Paul 2008 Conference

2008-09-30T18:32:34Z

Afongen: link to student center. registration info.

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The Minneapolis - Saint Paul Chapter invites you to a one-day mini-conference at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center].

Online registration will be available soon. The cost of the conference is $25, which includes lunch.

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#7B8ABD; padding: 1px;">08:00-09:00</td>
<td style="background-color:#BC857A; padding: 5px;">Registration Opens and Tech Expo</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">09:00-10:00</td>
<td style="background-color:#BC857A; padding: 5px;">Introduction, OWASP conference</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">10:00-11:00</td>
<td style="background-color:#BC857A; padding: 5px;">
Jeff Williams CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 
Bio: 
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.

Topic: 
Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you?re tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization?s ESAPI is one of the best things you can do.?
</td>

</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">11:00-12:30</td>
<td style="background-color: #BC857A; padding: 5px;">
lunch break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">12:30-13:30</td>
<td style="background-color: #BC857A; padding: 5px;">

Anil Kumar Revuru
 [http://www.miscrosoft.com/ Microsfot] 
Bio 

Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling

Topic:
Microsoft Connected Information Security Framework (CISF) and Tools
Description:
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">13:30-14:30</td>
<td style="background-color: #BC857A; padding: 5px;">Brian Chess [http://www.fortify.com/ Fortify Software]
Bio: 
Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge

Topic: 
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include:
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:30-15:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:00-15:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Elliot Glazer [http://www.dtcc.com/ DTCC]

Bio:
Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.

Topic:

Information Security Architecture Layers and Key Processes

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:30-16:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Corey Benninger [http://intrepidusgroup.com/ Intrepidus Group] 

Bio:
Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).

Topic:
Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 1px;">

</td>
<td style="background-color: #BC857A; padding: 5px;">
Richard Stallman
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:00 - ?
</td>
<td style="background-color: #BC857A; padding: 5px;">
Happy hour and networking opps
</td>
</tr>
</table>

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]

OWASP Minneapolis St Paul 2008 Conference

2008-09-29T18:12:06Z

Afongen: fixed formatting in agenda

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The Minneapolis - Saint Paul Chapter invites you to a one-day mini-conference at the University of Minnesota's Saint Paul campus. Thanks to the generous support of our sponsors and OWASP, we are able to offer this event at '''no charge to attendees'''!

The agenda is still being finalized, so watch this space for more information.

== Tentative Agenda ==
<table width="80%" border="0">
<tr>
<td style="background-color:#7B8ABD; padding: 1px;">08:00-09:00</td>
<td style="background-color:#BC857A; padding: 5px;">Registration Opens and Tech Expo</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">09:00-10:00</td>
<td style="background-color:#BC857A; padding: 5px;">Introduction, OWASP conference</td>
</tr>
<tr>
<td style="background-color:#7B8ABD; padding: 5px;">10:00-11:00</td>
<td style="background-color:#BC857A; padding: 5px;">
Jeff Williams CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation 
Bio: 
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.

Topic: 
Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you?re tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization?s ESAPI is one of the best things you can do.?
</td>

</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">11:00-12:30</td>
<td style="background-color: #BC857A; padding: 5px;">
lunch break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">12:30-13:30</td>
<td style="background-color: #BC857A; padding: 5px;">

Anil Kumar Revuru
 [http://www.miscrosoft.com/ Microsfot] 
Bio 

Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development, He also made significant contribution to the security development of products at V-Empower Inc. After joining in Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as Microsoft Threat Analysis and Modeling Tool used for application threat modeling

Topic:
Microsoft Connected Information Security Framework (CISF) and Tools
Description:
The Connected Information Security Group, part of Microsoft internal Information Security organization are working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">13:30-14:30</td>
<td style="background-color: #BC857A; padding: 5px;">Brian Chess [http://www.fortify.com/ Fortify Software]
Bio: 
Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge

Topic: 
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include:
* The most common security short-cuts and why they lead to security failures
* Why programmers are in the best position to get security right
* Where to look for security problems
* How static analysis helps
* The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:30-15:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:00-15:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Elliot Glazer [http://www.dtcc.com/ DTCC]

Bio:
Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distrbitured operations among others.

Topic:

Information Security Architecture Layers and Key Processes

* Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical the architecture support the Business Strategy:
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
** Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment. Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:30-16:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Corey Benninger [http://intrepidusgroup.com/ Intrepidus Group] 

Bio:
Corey is a Principal Consultant with the Intrepidus Group, specializing in
web and mobile application security. He has performed code reviews and
conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served
as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading
conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development
World and Infragard. In addition, his expert opinion has been published in
industry publications like eWeek. He has also published several whitepapers
on cutting edge security issues, like vulnerabilities in AJAX, and the
security implications of web browser data caching. He is the co-founder and
leader of the OWASP Mobile Security Project, a consortium of mobile security
developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified
Information Systems Security Professional (CISSP).

Topic:
Exploring the how poor application security mixed with a phishing is leading to a costly cocktail of disaster. This talk will go over real world examples of phishing attacks that have taken advantage of cross site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and others web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 1px;">

</td>
<td style="background-color: #BC857A; padding: 5px;">
Richard Stallman
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:00 - ?
</td>
<td style="background-color: #BC857A; padding: 5px;">
Happy hour and networking opps
</td>
</tr>
</table>

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]

Minneapolis St Paul

2008-09-29T03:57:44Z

Afongen: /* Time and Location */

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== October meeting: Wednesday, October 1, 6:00 p.m. ==
=== Andrew van der Stock: OWASP Developer Guide 3.0 ===
We are delighted to be able to welcome Andrew van der Stock to the Twin Cities to speak about the OWASP Developer Guide 3.0.

The '''OWASP Developer Guide 3.0''' is coming. Learn what's new, how to build secure software, and how you can help to make the Developer Guide the best ever release of OWASP's first guide!

'''Please [http://www.go-integral.net/node/233 register]''' so we have some idea how many are coming. The room we are scheduled for is smaller than our usual room, so we'll need to communicate with you if the location changes.

==== Time and Location ====
Time: 6 p.m. 
Location: Management Education Center, Room M2300 
Address: 1501 Hennepin Avenue, Minneapolis, MN 55403 (Hennepin and Spruce, Entrance on Harmon Place) 
Directions: http://www.metrostate.edu/bldgservices/location.html#mpls 
Google Maps street view: http://preview.tinyurl.com/5292ad

==== Agenda ====
6:00 pm - Introduction and optional sign-in for CISSP credits 
6:10 pm - Welcome: OWASP chapter updates, Conference Announcement! 
6:30 pm - Andrew van der Stock 
8:15 pm - Upcoming Events reminder and meeting wrap-up 

==== Speaker Bio ====
Andrew van der Stock is a leading web application researcher active in the web application security community. Andrew is a Senior Application Security Engineer at Aspect Security, specializing in enterprise security architecture, J2EE and PHP web application and web services security. Andrew has 18 years experience in the IT industry, specializing for the last 10 years in web application security, risk management, and architecture for large financial services, logistics and telecommunications clients.

Andrew has a long history with the open source world as a developer
and researcher. He has contributed to the following projects:

* OWASP Guide Project Lead / Primary Author (2005-)
* OWASP Top 10 2007 Project Lead / Primary Author (2007-)
* OWASP PHP Top 5 (2006)
* SANS Top 20 Web Application Security Section Author (2005-)
* SANS GSSP J2EE Secure Programmer Certification, Contributor (2007)
* UltimaBB PHP forum software, Lead Developer (2005-2008)
* XMB PHP forum software, Developer (2002-2004), Security Manager (2004-2005, 2008)

Andrew is the moderator of webappsec, one of the primary web app sec mail lists. Previously, Andrew helped create open source low level device drivers for XFree86, a graphical sub-system and Hewlett Packard printers for Linux, NetBSD, and other Unix-like systems.

==== Thank You ====
[http://www.strategicit.org/ Center for Strategic Information Technology and Security] for sponsoring our location. 
[[Image:MN-center-strategic-it-security.gif]]

== October Conference ==
Please join us October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. We will have the participation of speakers such as '''Richard Stallman''' founder of the Free Software Foundation; '''Jeff Williams''', Chair of the OWASP Foundation and CEO of Aspect Security; and '''Rohyt Belani''' from the Intrepidus Group, to mention a few. We will post all the details soon once we have all the details finalized.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

'''Most recent videos:'''

[http://video.google.com/videoplay?docid=-2772176093312625908&hl=en Video: Jeremiah Grossman - Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - OWASP (MSP) - 9 September 2008 (Partial Video - 38 Minutes)] | [https://www.owasp.org/images/5/5d/OWASP_Minneapolis_20080908_Jeremiah_Grossman.pdf Slides (PDF)]

Gunnar Peterson - Breaking Web Services - OWASP (MSP) - 7 July 2008 ([http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Part 1] of 2 - original aspect ratio) ([http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Part 2] of 2 - distorted aspect ratio)
[https://www.owasp.org/images/b/b9/OWASP-MSP-GunnarPetersonHandout20080707.pdf Handout for the presentation (5.4 MB PDF)]

<h2>Upcoming Events:</h2>
[[OWASP Minneapolis St Paul 2008 Conference]] on October 21 with lots of great speakers and opportunities to participate. Looking forward to seeing you there!

We are looking for sponsors! Contact Kuai or Lorna if you are interested - any contributions to the local chapter would be highly appreciated.

There is also planning for a two day web penetration testing course offered by the MN-ISSA and Rohyt Belani from the Intrepidus Group. Stay turned for more info!

'''DC612''' meetings 
2nd Thursday of the month 
http://www.dc612.org/


'''MN ISSA-''' Meets on Tuesday, September 16, 2008, at the Four Points Sheraton, 1330 Industrial Blvd. Mpls, MN. For more information on speakers and topics.
http://www.mn-issa.org/html/chaptermeetings.html


[[Category:Minnesota]]

Minneapolis St Paul

2008-09-29T03:54:27Z

Afongen: better building name and URL

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== October meeting: Wednesday, October 1, 6:00 p.m. ==
=== Andrew van der Stock: OWASP Developer Guide 3.0 ===
We are delighted to be able to welcome Andrew van der Stock to the Twin Cities to speak about the OWASP Developer Guide 3.0.

The '''OWASP Developer Guide 3.0''' is coming. Learn what's new, how to build secure software, and how you can help to make the Developer Guide the best ever release of OWASP's first guide!

'''Please [http://www.go-integral.net/node/233 register]''' so we have some idea how many are coming. The room we are scheduled for is smaller than our usual room, so we'll need to communicate with you if the location changes.

==== Time and Location ====
Time: 6 p.m. 
Location: Management Education Center, Room M2300 
Address: 1501 Hennepin Avenue, Minneapolis, MN 55403 (Hennepin and Spruce, Entrance on Harmon Place) 
Directions: http://www.metrostate.edu/bldgservices/location.html#mpls

==== Agenda ====
6:00 pm - Introduction and optional sign-in for CISSP credits 
6:10 pm - Welcome: OWASP chapter updates, Conference Announcement! 
6:30 pm - Andrew van der Stock 
8:15 pm - Upcoming Events reminder and meeting wrap-up 

==== Speaker Bio ====
Andrew van der Stock is a leading web application researcher active in the web application security community. Andrew is a Senior Application Security Engineer at Aspect Security, specializing in enterprise security architecture, J2EE and PHP web application and web services security. Andrew has 18 years experience in the IT industry, specializing for the last 10 years in web application security, risk management, and architecture for large financial services, logistics and telecommunications clients.

Andrew has a long history with the open source world as a developer
and researcher. He has contributed to the following projects:

* OWASP Guide Project Lead / Primary Author (2005-)
* OWASP Top 10 2007 Project Lead / Primary Author (2007-)
* OWASP PHP Top 5 (2006)
* SANS Top 20 Web Application Security Section Author (2005-)
* SANS GSSP J2EE Secure Programmer Certification, Contributor (2007)
* UltimaBB PHP forum software, Lead Developer (2005-2008)
* XMB PHP forum software, Developer (2002-2004), Security Manager (2004-2005, 2008)

Andrew is the moderator of webappsec, one of the primary web app sec mail lists. Previously, Andrew helped create open source low level device drivers for XFree86, a graphical sub-system and Hewlett Packard printers for Linux, NetBSD, and other Unix-like systems.

==== Thank You ====
[http://www.strategicit.org/ Center for Strategic Information Technology and Security] for sponsoring our location. 
[[Image:MN-center-strategic-it-security.gif]]

== October Conference ==
Please join us October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. We will have the participation of speakers such as '''Richard Stallman''' founder of the Free Software Foundation; '''Jeff Williams''', Chair of the OWASP Foundation and CEO of Aspect Security; and '''Rohyt Belani''' from the Intrepidus Group, to mention a few. We will post all the details soon once we have all the details finalized.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

'''Most recent videos:'''

[http://video.google.com/videoplay?docid=-2772176093312625908&hl=en Video: Jeremiah Grossman - Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - OWASP (MSP) - 9 September 2008 (Partial Video - 38 Minutes)] | [https://www.owasp.org/images/5/5d/OWASP_Minneapolis_20080908_Jeremiah_Grossman.pdf Slides (PDF)]

Gunnar Peterson - Breaking Web Services - OWASP (MSP) - 7 July 2008 ([http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Part 1] of 2 - original aspect ratio) ([http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Part 2] of 2 - distorted aspect ratio)
[https://www.owasp.org/images/b/b9/OWASP-MSP-GunnarPetersonHandout20080707.pdf Handout for the presentation (5.4 MB PDF)]

<h2>Upcoming Events:</h2>
[[OWASP Minneapolis St Paul 2008 Conference]] on October 21 with lots of great speakers and opportunities to participate. Looking forward to seeing you there!

We are looking for sponsors! Contact Kuai or Lorna if you are interested - any contributions to the local chapter would be highly appreciated.

There is also planning for a two day web penetration testing course offered by the MN-ISSA and Rohyt Belani from the Intrepidus Group. Stay turned for more info!

'''DC612''' meetings 
2nd Thursday of the month 
http://www.dc612.org/


'''MN ISSA-''' Meets on Tuesday, September 16, 2008, at the Four Points Sheraton, 1330 Industrial Blvd. Mpls, MN. For more information on speakers and topics.
http://www.mn-issa.org/html/chaptermeetings.html


[[Category:Minnesota]]

Minneapolis St Paul

2008-09-27T01:50:03Z

Afongen: updated notice about registering

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== October meeting: Wednesday, October 1, 6:00 p.m. ==
=== Andrew van der Stock: OWASP Developer Guide 3.0 ===
We are delighted to be able to welcome Andrew van der Stock to the Twin Cities to speak about the OWASP Developer Guide 3.0.

The '''OWASP Developer Guide 3.0''' is coming. Learn what's new, how to build secure software, and how you can help to make the Developer Guide the best ever release of OWASP's first guide!

'''Please [http://www.go-integral.net/node/233 register]''' so we have some idea how many are coming. The room we are scheduled for is smaller than our usual room, so we'll need to communicate with you if the location changes.

==== Time and Location ====
Time: 6 p.m. 
Location: MEC building Room M 2300 
Address: 1501 Hennepin Avenue, Minneapolis, MN 55403 (Hennepin and Spruce, Entrance on Harmon Place) 
Directions: http://www.metrostate.edu/bldgservices/location.html

==== Agenda ====
6:00 pm - Introduction and optional sign-in for CISSP credits 
6:10 pm - Welcome: OWASP chapter updates, Conference Announcement! 
6:30 pm - Andrew van der Stock 
8:15 pm - Upcoming Events reminder and meeting wrap-up 

==== Speaker Bio ====
Andrew van der Stock is a leading web application researcher active in the web application security community. Andrew is a Senior Application Security Engineer at Aspect Security, specializing in enterprise security architecture, J2EE and PHP web application and web services security. Andrew has 18 years experience in the IT industry, specializing for the last 10 years in web application security, risk management, and architecture for large financial services, logistics and telecommunications clients.

Andrew has a long history with the open source world as a developer
and researcher. He has contributed to the following projects:

* OWASP Guide Project Lead / Primary Author (2005-)
* OWASP Top 10 2007 Project Lead / Primary Author (2007-)
* OWASP PHP Top 5 (2006)
* SANS Top 20 Web Application Security Section Author (2005-)
* SANS GSSP J2EE Secure Programmer Certification, Contributor (2007)
* UltimaBB PHP forum software, Lead Developer (2005-2008)
* XMB PHP forum software, Developer (2002-2004), Security Manager (2004-2005, 2008)

Andrew is the moderator of webappsec, one of the primary web app sec mail lists. Previously, Andrew helped create open source low level device drivers for XFree86, a graphical sub-system and Hewlett Packard printers for Linux, NetBSD, and other Unix-like systems.

==== Thank You ====
[http://www.strategicit.org/ Center for Strategic Information Technology and Security] for sponsoring our location. 
[[Image:MN-center-strategic-it-security.gif]]

== October Conference ==
Please join us October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. We will have the participation of speakers such as '''Richard Stallman''' founder of the Free Software Foundation; '''Jeff Williams''', Chair of the OWASP Foundation and CEO of Aspect Security; and '''Rohyt Belani''' from the Intrepidus Group, to mention a few. We will post all the details soon once we have all the details finalized.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

'''Most recent videos:'''

[http://video.google.com/videoplay?docid=-2772176093312625908&hl=en Video: Jeremiah Grossman - Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - OWASP (MSP) - 9 September 2008 (Partial Video - 38 Minutes)] | [https://www.owasp.org/images/5/5d/OWASP_Minneapolis_20080908_Jeremiah_Grossman.pdf Slides (PDF)]

Gunnar Peterson - Breaking Web Services - OWASP (MSP) - 7 July 2008 ([http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Part 1] of 2 - original aspect ratio) ([http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Part 2] of 2 - distorted aspect ratio)
[https://www.owasp.org/images/b/b9/OWASP-MSP-GunnarPetersonHandout20080707.pdf Handout for the presentation (5.4 MB PDF)]

<h2>Upcoming Events:</h2>
[[OWASP Minneapolis St Paul 2008 Conference]] on October 21 with lots of great speakers and opportunities to participate. Looking forward to seeing you there!

We are looking for sponsors! Contact Kuai or Lorna if you are interested - any contributions to the local chapter would be highly appreciated.

There is also planning for a two day web penetration testing course offered by the MN-ISSA and Rohyt Belani from the Intrepidus Group. Stay turned for more info!

'''DC612''' meetings 
2nd Thursday of the month 
http://www.dc612.org/


'''MN ISSA-''' Meets on Tuesday, September 16, 2008, at the Four Points Sheraton, 1330 Industrial Blvd. Mpls, MN. For more information on speakers and topics.
http://www.mn-issa.org/html/chaptermeetings.html


[[Category:Minnesota]]

Minneapolis St Paul

2008-09-26T16:05:40Z

Afongen: /* Andrew van der Stock: OWASP Developer Guide 3.0 */

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== October meeting: Wednesday, October 1, 6:00 p.m. ==
=== Andrew van der Stock: OWASP Developer Guide 3.0 ===
We are delighted to be able to welcome Andrew van der Stock to the Twin Cities to speak about the OWASP Developer Guide 3.0.

The '''OWASP Developer Guide 3.0''' is coming. Learn what's new, how to build secure software, and how you can help to make the Developer Guide the best ever release of OWASP's first guide!

Please [http://www.go-integral.net/node/233 register] so we have some idea how many are coming.

==== Time and Location ====
Time: 6 p.m. 
Location: MEC building Room M 2300 
Address: 1501 Hennepin Avenue, Minneapolis, MN 55403 (Hennepin and Spruce, Entrance on Harmon Place) 
Directions: http://www.metrostate.edu/bldgservices/location.html

==== Agenda ====
6:00 pm - Introduction and optional sign-in for CISSP credits 
6:10 pm - Welcome: OWASP chapter updates, Conference Announcement! 
6:30 pm - Andrew van der Stock 
8:15 pm - Upcoming Events reminder and meeting wrap-up 

==== Speaker Bio ====
Andrew van der Stock is a leading web application researcher active in the web application security community. Andrew is a Senior Application Security Engineer at Aspect Security, specializing in enterprise security architecture, J2EE and PHP web application and web services security. Andrew has 18 years experience in the IT industry, specializing for the last 10 years in web application security, risk management, and architecture for large financial services, logistics and telecommunications clients.

Andrew has a long history with the open source world as a developer
and researcher. He has contributed to the following projects:

* OWASP Guide Project Lead / Primary Author (2005-)
* OWASP Top 10 2007 Project Lead / Primary Author (2007-)
* OWASP PHP Top 5 (2006)
* SANS Top 20 Web Application Security Section Author (2005-)
* SANS GSSP J2EE Secure Programmer Certification, Contributor (2007)
* UltimaBB PHP forum software, Lead Developer (2005-2008)
* XMB PHP forum software, Developer (2002-2004), Security Manager (2004-2005, 2008)

Andrew is the moderator of webappsec, one of the primary web app sec mail lists. Previously, Andrew helped create open source low level device drivers for XFree86, a graphical sub-system and Hewlett Packard printers for Linux, NetBSD, and other Unix-like systems.

==== Thank You ====
[http://www.strategicit.org/ Center for Strategic Information Technology and Security] for sponsoring our location. 
[[Image:MN-center-strategic-it-security.gif]]

== October Conference ==
Please join us October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. We will have the participation of speakers such as '''Richard Stallman''' founder of the Free Software Foundation; '''Jeff Williams''', Chair of the OWASP Foundation and CEO of Aspect Security; and '''Rohyt Belani''' from the Intrepidus Group, to mention a few. We will post all the details soon once we have all the details finalized.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

'''Most recent videos:'''

[http://video.google.com/videoplay?docid=-2772176093312625908&hl=en Video: Jeremiah Grossman - Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - OWASP (MSP) - 9 September 2008 (Partial Video - 38 Minutes)] | [https://www.owasp.org/images/5/5d/OWASP_Minneapolis_20080908_Jeremiah_Grossman.pdf Slides (PDF)]

Gunnar Peterson - Breaking Web Services - OWASP (MSP) - 7 July 2008 ([http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Part 1] of 2 - original aspect ratio) ([http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Part 2] of 2 - distorted aspect ratio)
[https://www.owasp.org/images/b/b9/OWASP-MSP-GunnarPetersonHandout20080707.pdf Handout for the presentation (5.4 MB PDF)]

<h2>Upcoming Events:</h2>
[[OWASP Minneapolis St Paul 2008 Conference]] on October 21 with lots of great speakers and opportunities to participate. Looking forward to seeing you there!

We are looking for sponsors! Contact Kuai or Lorna if you are interested - any contributions to the local chapter would be highly appreciated.

There is also planning for a two day web penetration testing course offered by the MN-ISSA and Rohyt Belani from the Intrepidus Group. Stay turned for more info!

'''DC612''' meetings 
2nd Thursday of the month 
http://www.dc612.org/


'''MN ISSA-''' Meets on Tuesday, September 16, 2008, at the Four Points Sheraton, 1330 Industrial Blvd. Mpls, MN. For more information on speakers and topics.
http://www.mn-issa.org/html/chaptermeetings.html


[[Category:Minnesota]]

Minneapolis St Paul

2008-09-26T16:03:58Z

Afongen: /* October meeting: Wednesday, October 1 */

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== October meeting: Wednesday, October 1, 6:00 p.m. ==
=== Andrew van der Stock: OWASP Developer Guide 3.0 ===
We are delighted to be able to welcome Andrew van der Stock to the Twin Cities to speak about the OWASP Developer Guide 3.0.

The '''OWASP Developer Guide 3.0''' is coming. Learn what's new, how to build secure software, and how you can help to make the Developer Guide the best ever release of OWASP's first guide!

==== Time and Location ====
Time: 6 p.m. 
Location: MEC building Room M 2300 
Address: 1501 Hennepin Avenue, Minneapolis, MN 55403 (Hennepin and Spruce, Entrance on Harmon Place) 
Directions: http://www.metrostate.edu/bldgservices/location.html

==== Agenda ====
6:00 pm - Introduction and optional sign-in for CISSP credits 
6:10 pm - Welcome: OWASP chapter updates, Conference Announcement! 
6:30 pm - Andrew van der Stock 
8:15 pm - Upcoming Events reminder and meeting wrap-up 

==== Speaker Bio ====
Andrew van der Stock is a leading web application researcher active in the web application security community. Andrew is a Senior Application Security Engineer at Aspect Security, specializing in enterprise security architecture, J2EE and PHP web application and web services security. Andrew has 18 years experience in the IT industry, specializing for the last 10 years in web application security, risk management, and architecture for large financial services, logistics and telecommunications clients.

Andrew has a long history with the open source world as a developer
and researcher. He has contributed to the following projects:

* OWASP Guide Project Lead / Primary Author (2005-)
* OWASP Top 10 2007 Project Lead / Primary Author (2007-)
* OWASP PHP Top 5 (2006)
* SANS Top 20 Web Application Security Section Author (2005-)
* SANS GSSP J2EE Secure Programmer Certification, Contributor (2007)
* UltimaBB PHP forum software, Lead Developer (2005-2008)
* XMB PHP forum software, Developer (2002-2004), Security Manager (2004-2005, 2008)

Andrew is the moderator of webappsec, one of the primary web app sec mail lists. Previously, Andrew helped create open source low level device drivers for XFree86, a graphical sub-system and Hewlett Packard printers for Linux, NetBSD, and other Unix-like systems.

==== Thank You ====
[http://www.strategicit.org/ Center for Strategic Information Technology and Security] for sponsoring our location. 
[[Image:MN-center-strategic-it-security.gif]]

== October Conference ==
Please join us October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. We will have the participation of speakers such as '''Richard Stallman''' founder of the Free Software Foundation; '''Jeff Williams''', Chair of the OWASP Foundation and CEO of Aspect Security; and '''Rohyt Belani''' from the Intrepidus Group, to mention a few. We will post all the details soon once we have all the details finalized.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

'''Most recent videos:'''

[http://video.google.com/videoplay?docid=-2772176093312625908&hl=en Video: Jeremiah Grossman - Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - OWASP (MSP) - 9 September 2008 (Partial Video - 38 Minutes)] | [https://www.owasp.org/images/5/5d/OWASP_Minneapolis_20080908_Jeremiah_Grossman.pdf Slides (PDF)]

Gunnar Peterson - Breaking Web Services - OWASP (MSP) - 7 July 2008 ([http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Part 1] of 2 - original aspect ratio) ([http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Part 2] of 2 - distorted aspect ratio)
[https://www.owasp.org/images/b/b9/OWASP-MSP-GunnarPetersonHandout20080707.pdf Handout for the presentation (5.4 MB PDF)]

<h2>Upcoming Events:</h2>
[[OWASP Minneapolis St Paul 2008 Conference]] on October 21 with lots of great speakers and opportunities to participate. Looking forward to seeing you there!

We are looking for sponsors! Contact Kuai or Lorna if you are interested - any contributions to the local chapter would be highly appreciated.

There is also planning for a two day web penetration testing course offered by the MN-ISSA and Rohyt Belani from the Intrepidus Group. Stay turned for more info!

'''DC612''' meetings 
2nd Thursday of the month 
http://www.dc612.org/


'''MN ISSA-''' Meets on Tuesday, September 16, 2008, at the Four Points Sheraton, 1330 Industrial Blvd. Mpls, MN. For more information on speakers and topics.
http://www.mn-issa.org/html/chaptermeetings.html


[[Category:Minnesota]]

Minneapolis St Paul

2008-09-26T16:03:22Z

Afongen: /* Andrew van der Stock */

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== October meeting: Wednesday, October 1 ==
=== Andrew van der Stock ===
We are delighted to be able to welcome Andrew van der Stock to the Twin Cities to speak about the OWASP Developer Guide 3.0.

The '''OWASP Developer Guide 3.0''' is coming. Learn what's new, how to build secure software, and how you can help to make the Developer Guide the best ever release of OWASP's first guide!

==== Time and Location ====
Time: 6 p.m. 
Location: MEC building Room M 2300 
Address: 1501 Hennepin Avenue, Minneapolis, MN 55403 (Hennepin and Spruce, Entrance on Harmon Place) 
Directions: http://www.metrostate.edu/bldgservices/location.html

==== Agenda ====
6:00 pm - Introduction and optional sign-in for CISSP credits 
6:10 pm - Welcome: OWASP chapter updates, Conference Announcement! 
6:30 pm - Andrew van der Stock 
8:15 pm - Upcoming Events reminder and meeting wrap-up 

==== Speaker Bio ====
Andrew van der Stock is a leading web application researcher active in the web application security community. Andrew is a Senior Application Security Engineer at Aspect Security, specializing in enterprise security architecture, J2EE and PHP web application and web services security. Andrew has 18 years experience in the IT industry, specializing for the last 10 years in web application security, risk management, and architecture for large financial services, logistics and telecommunications clients.

Andrew has a long history with the open source world as a developer
and researcher. He has contributed to the following projects:

* OWASP Guide Project Lead / Primary Author (2005-)
* OWASP Top 10 2007 Project Lead / Primary Author (2007-)
* OWASP PHP Top 5 (2006)
* SANS Top 20 Web Application Security Section Author (2005-)
* SANS GSSP J2EE Secure Programmer Certification, Contributor (2007)
* UltimaBB PHP forum software, Lead Developer (2005-2008)
* XMB PHP forum software, Developer (2002-2004), Security Manager (2004-2005, 2008)

Andrew is the moderator of webappsec, one of the primary web app sec mail lists. Previously, Andrew helped create open source low level device drivers for XFree86, a graphical sub-system and Hewlett Packard printers for Linux, NetBSD, and other Unix-like systems.

==== Thank You ====
[http://www.strategicit.org/ Center for Strategic Information Technology and Security] for sponsoring our location. 
[[Image:MN-center-strategic-it-security.gif]]

== October Conference ==
Please join us October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. We will have the participation of speakers such as '''Richard Stallman''' founder of the Free Software Foundation; '''Jeff Williams''', Chair of the OWASP Foundation and CEO of Aspect Security; and '''Rohyt Belani''' from the Intrepidus Group, to mention a few. We will post all the details soon once we have all the details finalized.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

'''Most recent videos:'''

[http://video.google.com/videoplay?docid=-2772176093312625908&hl=en Video: Jeremiah Grossman - Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - OWASP (MSP) - 9 September 2008 (Partial Video - 38 Minutes)] | [https://www.owasp.org/images/5/5d/OWASP_Minneapolis_20080908_Jeremiah_Grossman.pdf Slides (PDF)]

Gunnar Peterson - Breaking Web Services - OWASP (MSP) - 7 July 2008 ([http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Part 1] of 2 - original aspect ratio) ([http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Part 2] of 2 - distorted aspect ratio)
[https://www.owasp.org/images/b/b9/OWASP-MSP-GunnarPetersonHandout20080707.pdf Handout for the presentation (5.4 MB PDF)]

<h2>Upcoming Events:</h2>
[[OWASP Minneapolis St Paul 2008 Conference]] on October 21 with lots of great speakers and opportunities to participate. Looking forward to seeing you there!

We are looking for sponsors! Contact Kuai or Lorna if you are interested - any contributions to the local chapter would be highly appreciated.

There is also planning for a two day web penetration testing course offered by the MN-ISSA and Rohyt Belani from the Intrepidus Group. Stay turned for more info!

'''DC612''' meetings 
2nd Thursday of the month 
http://www.dc612.org/


'''MN ISSA-''' Meets on Tuesday, September 16, 2008, at the Four Points Sheraton, 1330 Industrial Blvd. Mpls, MN. For more information on speakers and topics.
http://www.mn-issa.org/html/chaptermeetings.html


[[Category:Minnesota]]

Minneapolis St Paul

2008-09-26T16:02:49Z

Afongen: added location and agenda

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== October meeting: Wednesday, October 1 ==
=== Andrew van der Stock ===
We are delighted to be able to welcome Andrew van der Stock to the Twin Cities to speak about the OWASP Developer Guide 3.0.

The OWASP Developer Guide 3.0 is coming. Learn what's new, how to build secure software, and how you can help to make the Developer Guide the best ever release of OWASP's first guide!

==== Time and Location ====
Time: 6 p.m. 
Location: MEC building Room M 2300 
Address: 1501 Hennepin Avenue, Minneapolis, MN 55403 (Hennepin and Spruce, Entrance on Harmon Place) 
Directions: http://www.metrostate.edu/bldgservices/location.html

==== Agenda ====
6:00 pm - Introduction and optional sign-in for CISSP credits 
6:10 pm - Welcome: OWASP chapter updates, Conference Announcement! 
6:30 pm - Andrew van der Stock 
8:15 pm - Upcoming Events reminder and meeting wrap-up 

==== Speaker Bio ====
Andrew van der Stock is a leading web application researcher active in the web application security community. Andrew is a Senior Application Security Engineer at Aspect Security, specializing in enterprise security architecture, J2EE and PHP web application and web services security. Andrew has 18 years experience in the IT industry, specializing for the last 10 years in web application security, risk management, and architecture for large financial services, logistics and telecommunications clients.

Andrew has a long history with the open source world as a developer
and researcher. He has contributed to the following projects:

* OWASP Guide Project Lead / Primary Author (2005-)
* OWASP Top 10 2007 Project Lead / Primary Author (2007-)
* OWASP PHP Top 5 (2006)
* SANS Top 20 Web Application Security Section Author (2005-)
* SANS GSSP J2EE Secure Programmer Certification, Contributor (2007)
* UltimaBB PHP forum software, Lead Developer (2005-2008)
* XMB PHP forum software, Developer (2002-2004), Security Manager (2004-2005, 2008)

Andrew is the moderator of webappsec, one of the primary web app sec mail lists. Previously, Andrew helped create open source low level device drivers for XFree86, a graphical sub-system and Hewlett Packard printers for Linux, NetBSD, and other Unix-like systems.

==== Thank You ====
[http://www.strategicit.org/ Center for Strategic Information Technology and Security] for sponsoring our location. 
[[Image:MN-center-strategic-it-security.gif]]

== October Conference ==
Please join us October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. We will have the participation of speakers such as '''Richard Stallman''' founder of the Free Software Foundation; '''Jeff Williams''', Chair of the OWASP Foundation and CEO of Aspect Security; and '''Rohyt Belani''' from the Intrepidus Group, to mention a few. We will post all the details soon once we have all the details finalized.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

'''Most recent videos:'''

[http://video.google.com/videoplay?docid=-2772176093312625908&hl=en Video: Jeremiah Grossman - Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - OWASP (MSP) - 9 September 2008 (Partial Video - 38 Minutes)] | [https://www.owasp.org/images/5/5d/OWASP_Minneapolis_20080908_Jeremiah_Grossman.pdf Slides (PDF)]

Gunnar Peterson - Breaking Web Services - OWASP (MSP) - 7 July 2008 ([http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Part 1] of 2 - original aspect ratio) ([http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Part 2] of 2 - distorted aspect ratio)
[https://www.owasp.org/images/b/b9/OWASP-MSP-GunnarPetersonHandout20080707.pdf Handout for the presentation (5.4 MB PDF)]

<h2>Upcoming Events:</h2>
[[OWASP Minneapolis St Paul 2008 Conference]] on October 21 with lots of great speakers and opportunities to participate. Looking forward to seeing you there!

We are looking for sponsors! Contact Kuai or Lorna if you are interested - any contributions to the local chapter would be highly appreciated.

There is also planning for a two day web penetration testing course offered by the MN-ISSA and Rohyt Belani from the Intrepidus Group. Stay turned for more info!

'''DC612''' meetings 
2nd Thursday of the month 
http://www.dc612.org/


'''MN ISSA-''' Meets on Tuesday, September 16, 2008, at the Four Points Sheraton, 1330 Industrial Blvd. Mpls, MN. For more information on speakers and topics.
http://www.mn-issa.org/html/chaptermeetings.html


[[Category:Minnesota]]

Minneapolis St Paul

2008-09-24T04:30:09Z

Afongen: removed link to AppSec NYC. It's tomorrow.

Minneapolis St Paul

2008-09-24T04:29:10Z

Afongen: Added info about October speaker: Andrew van der Stock.

Minneapolis St Paul

2008-08-26T02:17:39Z

Afongen: fixed link

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== September meeting: Tuesday, September 9 at 6:00 pm ==

=== Jeremiah Grossman: Get Rich or Die Trying - Making Money on The Web, The Black Hat Way ===
Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don't need them. You also don't need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills -- all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trade stock using corporation information passively gleaned, inhibit the online purchase of sought after items creating artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service.

You may have heard these referred to as business logic flaws, but that name really doesn't do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol' Web hacker attack techniques everyone is familiar with, but the one staring you in the face and missed because gaming a system and making money this way couldn't be that simple. Plus IDS can't detect them and Web application firewalls can't black them. If fact, these types of attacks are so hard to detect (if anyone is actually trying) we aren't even sure how widespread their use actually is. Time to pull back the cover and expose what's possible.

==== Speaker Bio ====
Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, RSA, ISACA, CSI, HiTB, OWASP, Vanguard, ISSA, Defcon, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, CNet, SC Magazine, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!

==== Agenda: ====

6:00 pm - Introduction and Optional sign-in for CISSP credits
6:10 pm - Welcome: OWASP chapter updates, conference announcement
6:30 pm – Break
6:45 pm – Jeremiah Grossman
8:15 pm - Upcoming Events reminder and meeting wrap-up

==== Register ====

Please help us anticipate attendance: '''[http://www.go-integral.net/node/231 register online]'''.

==== Location ====

[http://www.minneapolis.edu/ Minneapolis Community and Technical College] 
1501 Hennepin Ave, Minneapolis 
Whitney Center, Room L3100 (3rd Floor)

'''Map''': http://www.minneapolis.edu/campusmaps/

Park in the ramp (R) - move through the T building (T) and go to Whitney Hall (L).

==== Thank You ====
[http://www.strategicit.org/ Center for Strategic Information Technology and Security] for sponsoring our location. 
[[Image:MN-center-strategic-it-security.gif]]

We are still looking for a book give-away sponsor and for sponsors for upcoming meetings.
Call Lorna at 651-338-0243 if you need directions or have questions.

== October Conference ==
Please join us October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. We will have the participation of speakers such as '''Richard Stallman''' founder of the Free Software Foundation; '''Jeff Williams''', Chair of the OWASP Foundation and CEO of Aspect Security; and '''Rohyt Belani''' from the Intrepidus Group, to mention a few. We will post all the details soon once we have all the details finalized.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

'''Most recent videos:'''

Gunnar Peterson - Breaking Web Services - OWASP (MSP) - 7 July 2008 ([http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Part 1] of 2 - original aspect ratio) ([http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Part 2] of 2 - distorted aspect ratio)
[https://www.owasp.org/images/b/b9/OWASP-MSP-GunnarPetersonHandout20080707.pdf Handout for the presentation (PDF)]

[http://video.google.com/videoplay?docid=7535038243903138173&hl=en Tony Stieber - How NOT to Implement Encryption for the OWASP Top 10 - OWASP (MSP) - 16 June 2008]

<h2>Upcoming Events:</h2>
[[OWASP Minneapolis St Paul 2008 Conference]] on October 21 with lots of great speakers and opportunities to participate. Looking forward to seeing you there!

We are looking for sponsors! Contact Kuai or Lorna if you are interested - any contributions to the local chapter would be highly appreciated.

There is also planning for a two day web penetration testing course offered by the MN-ISSA and Rohyt Belani from the Intrepidus Group. Stay turned for more info!

'''DC612''' meetings 
2nd Thursday of the month 
http://www.dc612.org/


'''MN ISSA-''' Meets on Tuesday, September 16, 2008, at the Four Points Sheraton, 1330 Industrial Blvd. Mpls, MN. For more information on speakers and topics.
http://www.mn-issa.org/html/chaptermeetings.html


'''OWASP NYC AppSec 2008''' Sept 24-25th - Don't miss the [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ NYC AppSec conference]! 
[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference http://www.owasp.org/images/6/61/Banner2_irfan.jpg]

[[Category:Minnesota]]

Minneapolis St Paul

2008-08-26T01:50:41Z

Afongen: more info about mini-conference, minor re-org of sections.

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== September meeting: Tuesday, September 9 at 6:00 pm ==

=== Jeremiah Grossman: Get Rich or Die Trying - Making Money on The Web, The Black Hat Way ===
Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don't need them. You also don't need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills -- all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trade stock using corporation information passively gleaned, inhibit the online purchase of sought after items creating artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service.

You may have heard these referred to as business logic flaws, but that name really doesn't do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol' Web hacker attack techniques everyone is familiar with, but the one staring you in the face and missed because gaming a system and making money this way couldn't be that simple. Plus IDS can't detect them and Web application firewalls can't black them. If fact, these types of attacks are so hard to detect (if anyone is actually trying) we aren't even sure how widespread their use actually is. Time to pull back the cover and expose what's possible.

==== Speaker Bio ====
Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, RSA, ISACA, CSI, HiTB, OWASP, Vanguard, ISSA, Defcon, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, CNet, SC Magazine, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!

==== Agenda: ====

6:00 pm - Introduction and Optional sign-in for CISSP credits
6:10 pm - Welcome: OWASP chapter updates, conference announcement
6:30 pm – Break
6:45 pm – Jeremiah Grossman
8:15 pm - Upcoming Events reminder and meeting wrap-up

==== Register ====

Please help us anticipate attendance: '''[http://www.go-integral.net/node/231 register online]'''.

==== Location ====

[http://www.minneapolis.edu/ Minneapolis Community and Technical College] 
1501 Hennepin Ave, Minneapolis 
Whitney Center, Room L3100 (3rd Floor)

'''Map''': http://www.minneapolis.edu/campusmaps/

Park in the ramp (R) - move through the T building (T) and go to Whitney Hall (L).

==== Thank You ====
[http://www.strategicit.org/ Center for Strategic Information Technology and Security] for sponsoring our location. 
[[Image:MN-center-strategic-it-security.gif]]

We are still looking for a book give-away sponsor and for sponsors for upcoming meetings.
Call Lorna at 651-338-0243 if you need directions or have questions.

== October Conference ==
Please join us October 21, 2008 for a [https://www.owasp.org/index.php/OWASP_Minneapolis_St_Paul_2008_Conference '''mini conference''' in October 2008] at University of Minnesota's Saint Paul campus. We will have the participation of speakers such as '''Richard Stallman''' founder of the Free Software Foundation; '''User:Jeff Williams''', Chair of the OWASP Foundation and CEO of Aspect Security; and '''Rohyt Belani''' from the Intrepidus Group, to mention a few. We will post all the details soon once we have all the details finalized.

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

'''Most recent videos:'''

Gunnar Peterson - Breaking Web Services - OWASP (MSP) - 7 July 2008 ([http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Part 1] of 2 - original aspect ratio) ([http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Part 2] of 2 - distorted aspect ratio)
[https://www.owasp.org/images/b/b9/OWASP-MSP-GunnarPetersonHandout20080707.pdf Handout for the presentation (PDF)]

[http://video.google.com/videoplay?docid=7535038243903138173&hl=en Tony Stieber - How NOT to Implement Encryption for the OWASP Top 10 - OWASP (MSP) - 16 June 2008]

<h2>Upcoming Events:</h2>
[[OWASP Minneapolis St Paul 2008 Conference]] on October 21 with lots of great speakers and opportunities to participate. Looking forward to seeing you there!

We are looking for sponsors! Contact Kuai or Lorna if you are interested - any contributions to the local chapter would be highly appreciated.

There is also planning for a two day web penetration testing course offered by the MN-ISSA and Rohyt Belani from the Intrepidus Group. Stay turned for more info!

'''DC612''' meetings 
2nd Thursday of the month 
http://www.dc612.org/


'''MN ISSA-''' Meets on Tuesday, September 16, 2008, at the Four Points Sheraton, 1330 Industrial Blvd. Mpls, MN. For more information on speakers and topics.
http://www.mn-issa.org/html/chaptermeetings.html


'''OWASP NYC AppSec 2008''' Sept 24-25th - Don't miss the [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ NYC AppSec conference]! 
[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference http://www.owasp.org/images/6/61/Banner2_irfan.jpg]

[[Category:Minnesota]]

OWASP Minneapolis St Paul 2008 Conference

2008-08-26T01:35:57Z

Afongen: added "Saint Paul campus"

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The Minneapolis - Saint Paul Chapter invites you to a one-day mini-conference at the University of Minnesota's Saint Paul campus. Thanks to the generous support of our sponsors and OWASP, we are able to offer this event at '''no charge to attendees'''!

The agenda is still being finalized, so watch this space for more information.

== Tentative Agenda ==
<table>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">08:00-09:00</td>
<td style="background-color:#BC857A; padding: 5px;">Registration Opens and Tech Expo</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">09:00-10:00</td>
<td style="background-color: #BC857A; padding: 5px;">Introduction, OWASP conference</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">10:00-11:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Jeff Williams CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">11:00-12:30</td>
<td style="background-color: #BC857A; padding: 5px;">
lunch break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">12:30-13:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Simon Roses Fermerling Microsoft - [http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project Pantera project]
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">13:30-14:30</td>
<td style="background-color: #BC857A; padding: 5px;">Brian Chess [http://www.fortify.com/ Fortify Software]
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:30-15:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:00-15:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Elliot Glazer [http://www.dtcc.com/ DTCC]

</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:30-16:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Rohyt Belani [http://intrepidusgroup.com/ Intrepidus Group]
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">

</td>
<td style="background-color: #BC857A; padding: 5px;">
Richard Stallman
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:00 - ?
</td>
<td style="background-color: #BC857A; padding: 5px;">
Happy hour and networking opps
</td>
</tr>
</table>

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

[http://www.umn.edu/ University of Minnesota]

OWASP Minneapolis St Paul 2008 Conference

2008-08-26T01:35:00Z

Afongen: titles for Jeff Williams

== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008 ==
The Minneapolis - Saint Paul Chapter invites you to a one-day mini-conference at the University of Minnesota. Thanks to the generous support of our sponsors and OWASP, we are able to offer this event at '''no charge to attendees'''!

The agenda is still being finalized, so watch this space for more information.

== Tentative Agenda ==
<table>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">08:00-09:00</td>
<td style="background-color:#BC857A; padding: 5px;">Registration Opens and Tech Expo</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">09:00-10:00</td>
<td style="background-color: #BC857A; padding: 5px;">Introduction, OWASP conference</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">10:00-11:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Jeff Williams CEO, [http://www.aspectsecurity.com/ Aspect Security] OWASP founder; Chair, OWASP Foundation</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">11:00-12:30</td>
<td style="background-color: #BC857A; padding: 5px;">
lunch break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">12:30-13:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Simon Roses Fermerling Microsoft - [http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project Pantera project]
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">13:30-14:30</td>
<td style="background-color: #BC857A; padding: 5px;">Brian Chess [http://www.fortify.com/ Fortify Software]
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:30-15:00</td>
<td style="background-color: #BC857A; padding: 5px;">
Break
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:00-15:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Elliot Glazer [http://www.dtcc.com/ DTCC]

</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:30-16:30</td>
<td style="background-color: #BC857A; padding: 5px;">
Rohyt Belani [http://intrepidusgroup.com/ Intrepidus Group]
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">

</td>
<td style="background-color: #BC857A; padding: 5px;">
Richard Stallman
</td>
</tr>
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:00 - ?
</td>
<td style="background-color: #BC857A; padding: 5px;">
Happy hour and networking opps
</td>
</tr>
</table>

== Thank You To Our Sponsors ==

[http://www.strategicit.org/ Center for Strategic Information Technology and Security]

[http://www.go-integral.com/ Integral Business Solutions]

[http://www.umn.edu/ University of Minnesota]

Minneapolis St Paul

2008-08-23T01:48:19Z

Afongen: added registration link

{{Chapter Template|chaptername=Minneapolis St Paul|extra=The chapter leader is [Kuai]|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-twincities|emailarchives=https://lists.owasp.org/pipermail/owasp-twincities}}
<paypal>Minneapolis St Paul</paypal>

== September meeting: Tuesday, September 9 at 6:00 pm ==

=== Jeremiah Grossman: Get Rich or Die Trying - Making Money on The Web, The Black Hat Way ===
Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don't need them. You also don't need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills -- all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trade stock using corporation information passively gleaned, inhibit the online purchase of sought after items creating artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service.

You may have heard these referred to as business logic flaws, but that name really doesn't do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol' Web hacker attack techniques everyone is familiar with, but the one staring you in the face and missed because gaming a system and making money this way couldn't be that simple. Plus IDS can't detect them and Web application firewalls can't black them. If fact, these types of attacks are so hard to detect (if anyone is actually trying) we aren't even sure how widespread their use actually is. Time to pull back the cover and expose what's possible.

==== Speaker Bio ====
Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, RSA, ISACA, CSI, HiTB, OWASP, Vanguard, ISSA, Defcon, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, CNet, SC Magazine, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!

==== Agenda: ====

6:00 pm - Introduction and Optional sign-in for CISSP credits
6:10 pm - Welcome: OWASP chapter updates, conference announcement
6:30 pm – Break
6:45 pm – Jeremiah Grossman
8:15 pm - Upcoming Events reminder and meeting wrap-up

==== Register ====

Please help us anticipate attendance: '''[http://www.go-integral.net/node/231 register online]'''.

==== Location ====

[http://www.minneapolis.edu/ Minneapolis Community and Technical College] 
1501 Hennepin Ave, Minneapolis 
Whitney Center, Room L3100 (3rd Floor)

'''Map''': http://www.minneapolis.edu/campusmaps/

Park in the ramp (R) - move through the T building (T) and go to Whitney Hall (L).

==== Thank You ====
[http://www.strategicit.org/ Center for Strategic Information Technology and Security] for sponsoring our location. 
[[Image:MN-center-strategic-it-security.gif]]

We are still looking for a book give-away sponsor and for sponsors for upcoming meetings.
Call Lorna at 651-338-0243 if you need directions or have questions.

== Materials from the July 7 meeting (Gunnar Peterson - Breaking Web Services) ==

[https://www.owasp.org/images/b/b9/OWASP-MSP-GunnarPetersonHandout20080707.pdf Handout for the presentation (PDF)]

[http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Video (1 of 2) of the presentation (Google Video - original aspect ratio)]

[http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Video (2 of 2) of the presentation (Google Video - distorted aspect ratio)]

== Other Upcoming Speakers: ==
''' Jeff Williams ''' - We are in the process of organizing a '''mini conference''' in October 2008 and are pleased to announce that Jeff Williams has accepted our invitation to be our keynote speaker for this event. Jeff Williams is one of the founders of and is a board member of OWASP. He is also CEO of [http://www.aspectsecurity.com/ Aspect Security]. Stay tuned for more details!

== Videos ==

Videos of several past meetings are available at https://www.owasp.org/index.php/Category:OWASP_Video#Videos

'''Most recent videos:'''

Gunnar Peterson - Breaking Web Services - OWASP (MSP) - 7 July 2008 ([http://video.google.com/videoplay?docid=-7859027646762182620&hl=en Part 1] of 2 - original aspect ratio) ([http://video.google.com/videoplay?docid=-7066675474788394571&hl=en Part 2] of 2 - distorted aspect ratio)

[http://video.google.com/videoplay?docid=7535038243903138173&hl=en Tony Stieber - How NOT to Implement Encryption for the OWASP Top 10 - OWASP (MSP) - 16 June 2008]

<h2>Upcoming Events:</h2>
We are working on a '''mini conference in Minneapolis''' for the week of October 21st. We are still working on the logistics, but we promise this is going to be an interesting and unique event with lots of great speakers and opportunities to participate. Stay tuned for more information. Also, please feel free to submit suggestions for this event and post an email to the mailing list owasp-twincities_at_lists.owasp.org

We are looking for sponsors! Contact Kuai or Lorna if you are interested - any contributions to the local chapter would be highly appreciated.

'''DC612''' meetings 
2nd Thursday of the month 
http://www.dc612.org/


'''MN ISSA-''' Meets on Tuesday, September 16, 2008, at the Four Points Sheraton, 1330 Industrial Blvd. Mpls, MN. For more information on speakers and topics.
http://www.mn-issa.org/html/chaptermeetings.html


'''OWASP NYC AppSec 2008''' Sept 24-25th - Don't miss the [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ NYC AppSec conference]! 
[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference http://www.owasp.org/images/6/61/Banner2_irfan.jpg]

[[Category:Minnesota]]