OWASP - User contributions [en]

OWASP NYC AppSec 2008 Conference

2008-09-15T18:46:22Z

Aspectmichelle: /* [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008 ] */

__NOTOC__
= 2008 OWASP USA, NYC =
Last Update: {{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}
<br>
This conference has tracks for management, security, audit and development professionals interested in the state of the appsec industry and its trends. Presented by some of the brightest people in the industry, this event is a must attend for anyone looking to improve their information security posture and threat awareness. With assistance from: [http://www.webappsec.org WASC], [http://www.nym-infragard.us NYM InfraGard], [http://aitglobal.com AITGlobal], [http://nyphp.org/index.php NYC PHP], [http://www.nycbug.org NYCBUG], [http://www.isacany.net NYC ISACA], [http://www.nymissa.org NYC ISSA] and our event co-sponsors you are invited to (2) days of hardcore hands-on training and (2) full days of Seminars and Technology Pavilion from the world's best application security technology minds, all held in the New York City, Midtown. <br>

<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/6/61/Banner2_irfan.jpg]</center>
<center>Scroll down to see event agenda and training options</center>

<b>When/Where</b><br>
Sept 22nd - 25th 2008<br>
<u><b>[http://www.parkcentralny.com/location/location.cfm The Park Central Hotel - 870 Seventh Avenue at 56th Street New York, NY 10019-4038]</b></u>

<b>How Much?</b><br>
Seminar Fees: $350 [https://www.owasp.org/index.php/Membership#Categories_of_Membership OWASP Members] / $400 Non-Members (includes 1 year OWASP individual membership) / $200 for Students (with student ID). [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference#OWASP_NYC_AppSec_2008_Training_Courses_-_September_22nd_and_23rd.2C_2008 2 days of hands on training classes] are also available.
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]</center><br>
<hr>
<center>[http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Diamond Sponsor] - [http://www.imperva.com http://www.owasp.org/images/d/de/Imperva_2color_RGB.jpg]<br>
<br>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Platinum Sponsor] - [http://www.cenzic.com https://www.owasp.org/images/b/bf/CenzicLogo_RGB.gif] - [http://www.whitehatsec.com http://www.owasp.org/images/archive/4/4d/20080703021901%21Whitehat.gif] - [http://www-935.ibm.com/services/us/gbs/app/html/gbs_applicationservices.html?cm_re=masthead-_-business-_-apps-allappserv https://www.owasp.org/images/4/47/Ibm.jpg] </center><br>
[http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Gold, Silver & Other Sponsors] - [http://www.isc2.org http://www.owasp.org/images/4/45/Isc2logo.gif] - [http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg] - [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif] - [http://www.foundstone.com/us/education-overview.asp http://www.owasp.org/images/2/26/Foundstone.jpg] - [http://www.qualys.com https://www.owasp.org/images/a/ae/Qualys.gif] - [http://www.ouncelabs.com https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg] - [http://www.fortify.com https://www.owasp.org/images/a/ac/Fortify.jpg] - [http://www.cigital.com/ https://www.owasp.org/images/b/be/Cigital_OWASP.GIF] - [http://www.acunetix.com https://www.owasp.org/images/e/eb/Acuneti.gif] - [http://www.denimgroup.com http://www.owasp.org/images/5/56/Denimgroup.jpg] - [http://www.accessitgroup.com https://www.owasp.org/images/6/6d/Accessit.JPG] -
[http://www.fishnetsecurity.com https://www.owasp.org/images/4/4a/Fishnet_security.png] - [http://www.arctecgroup.net http://www.owasp.org/images/b/bf/Arctec.jpg] - [http://www.airtightnetworks.net https://www.owasp.org/images/8/8b/Airtight.gif] -
[http://www.artofdefence.com https://www.owasp.org/images/d/dc/AOD_Logo.gif] -
[http://www.securityuniversity.net https://www.owasp.org/images/0/0d/Security_university.jpg] -
[http://www.breach.com https://www.owasp.org/images/9/9c/Breach_logo.gif] - [http://www.armorize.com https://www.owasp.org/images/c/ce/Armorize_Logo.png] -[http://www.barracudanetworks.com/ https://www.owasp.org/images/a/a2/Barracuda_Color_Logo.jpg]
<br>
<center>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Sponsorship Opportunities] -- [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-PRESS Press Registration] -- [http://www.owasp.org/index.php/Member_Offers Other OWASP Member Offers] </center>
<hr>

<br>

== 2008 OWASP USA, NYC Conference Schedule – Sept 24th - Sept 25th ==
<center><h2>[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/speakeragreement OWASP Speaker Agreement]</h2></center>
{| style="width:80%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white" | <h2>Day 1 – Sept 24th, 2008 </h2>
|-
| style="width:10%; background:#7B8ABD" | || style="width:30%; background:#BC857A" | Track 1: BALLROOM
| style="width:30%; background:#BCA57A" | Track 2: SKYLINE
| style="width:30%; background:#99FF99" | Track 3: TIMESQUARE
|-
| style="width:10%; background:#7B8ABD" | 07:30-08:50 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | Doors Open for Attendee/Speaker Registration
''avoid lines come early get your caffeine fix and use free wifi''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP Version 3.0 who we are, how we got here and where we are going?
''OWASP Foundation: [http://www.owasp.org/index.php/Contact Jeff Williams], [http://www.owasp.org/index.php/Contact Dinis Cruz], [http://www.owasp.org/index.php/Contact Dave Wichers], [http://www.linkedin.com/in/tombrennan Tom Brennan], [http://www.owasp.org/index.php/Contact Sebastien Deleersnyder], [http://www.owasp.org/index.php/Contact Paulo Coimbra], [http://www.owasp.org/index.php/Contact Kate Hartmann], [http://www.owasp.org/index.php/Contact Alison Shrader] & [http://www.owasp.org/index.php/Category:OWASP_Chapter#Chapter_Support_Materials all local chapter leaders]
''
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008 Analysis of the Web Hacking Incidents Database (WHID)]
''[http://blog.shezaf.com Ofer Shezaf]''
| style="width:30%; background:#BCA57A" align="left" | [http://www.webappsecroadmap.com Web Application Security Road Map] <br>
''[http://joesecurity.blogspot.com Joe White]''
| style="width:30%; background:#99FF99" align="left" |[https://buildsecurityin.us-cert.gov/swa/acqwg.html DHS Software Assurance Initiatives]
''[http://www.linkedin.com/pub/0/ab/3b7 Stan Wisseman] & [http://www.linkedin.com/pub/1/439/923 Joe Jarzombek]''
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="left" | Http Bot Research
''[http://www.shadowserver.org/wiki/pmwiki.php?n=Shadowserver.Mission Andre M. DiMino - ShadowServer Foundation]''
| style="width:30%; background:#BCA57A" align="left" | OWASP "Google Hacking" Project
''[http://www.linkedin.com/in/ChristianHeinrich Christian Heinrich]''
| style="width:30%; background:#99FF99" align="left" | MalSpam Research
'' [http://www.knujon.com/bios.html Garth Bruen]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Capture the Flag] Sign-Up
''LUNCH - Provided by event sponsors @ TechExpo''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:45 || style="width:30%; background:#BC857A" align="left" | Get Rich or Die Trying - Making Money on The Web, The Black Hat Way
''[http://www.linkedin.com/in/treyford Trey Ford], [http://www.linkedin.com/in/tombrennan Tom Brennan], [http://www.linkedin.com/pub/0/205/77a Jeremiah Grossman]''
| style="width:30%; background:#BCA57A" align="left" | Framework-level Threat Analysis: Adding Science to the Art of Source-code review
''[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-rohit-sethi Rohit Sethi] & [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-sahba-kazerooni Sahba Kazerooni]''
| style="width:30%; background:#99FF99" align="left" | Automated Web-based Malware Behavioral Analysis
''[http://www.linkedin.com/pub/3/359/b1a Tyler Hudak]''
|-
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="left" | New 0-Day Browser Exploits: Clickjacking - yea, this is bad...
''[http://jeremiahgrossman.blogspot.com Jeremiah Grossman] & [http://ha.ckers.org/blog/about Robert "RSnake" Hansen]''
| style="width:30%; background:#BCA57A" align="left" | WAF ModSecurity
''[http://www.breach.com/company/executive-team/ Ivan Ristic]''
| style="width:30%; background:#99FF99" align="left" | Using Layer 8 and OWASP to Secure Web Applications
''[http://www.linkedin.com/in/davidstern2000 David Stern] & [http://www.linkedin.com/in/romangarber Roman Garber]''

|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="left" | Industry Outlook Panel: ''[http://www.linkedin.com/in/markclancy Mark Clancy] EVP CitiGroup, [http://www.linkedin.com/pub/0/497/86a Jim Routh] CISO DTCC, [http://www.linkedin.com/pub/0/bb1/68a Sunil Seshadri] CISO NYSE-Euronet, [http://www.linkedin.com/pub/0/1ba/4a9 Warren Axelrod] SVP Bank of America, [http://www.linkedin.com/in/bernik Joe Bernik] SVP, RBS,[http://www.linkedin.com/pub/8/878/240 Jennifer Bayuk] Infosec Consultant & [http://www.linkedin.com/in/philvenables Philip Venables] CISO, Goldman Sachs, [http://www.linkedin.com/in/crecalde Carlos Recalde] SVP, Lehman Brothers, [http://www.linkedin.com/pub/5/658/872 Tom King] CISO, Barclays Capital, <br> [http://www.linkedin.com/in/mahidontamsetti Mahi Dontamsetti] Moderator''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Security_Assessing_Java_RMI Security Assessing Java RMI]
''[http://www.linkedin.com/in/adamboulton Adam Boulton]''
| style="width:30%; background:#99FF99" align="left" | JBroFuzz 0.1 - 1.1: Building a Java Fuzzer for the Web
''[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Yiannis Pavlosoglou]''
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="left" |OWASP Testing Guide - Offensive Assessing Financial Applications
'' [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-daniel-cuthbert Daniel Cuthbert]''
| style="width:30%; background:#BCA57A" align="left" | Flash Parameter Injection (FPI)
''Ayal Yogev & Adi Sharabani''
| style="width:30%; background:#99FF99" align="left" |[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho w3af - A Framework to own the web]
''Andres Riancho''
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="left" | OWASP Enterprise Security API [http://www.owasp.org/index.php/ESAPI (ESAPI) Project]
'' [http://www.aspectsecurity.com/management.htm Jeff Williams]''
| style="width:30%; background:#BCA57A" align="left" | Cross-Site Scripting Filter Evasion
''Alexios Fakos''
| style="width:30%; background:#99FF99" align="left" | Case Studies: Exploiting application testing tool deficiencies via "out of band" injection
''[http://www.linkedin.com/pub/0/a91/aa2 Vijay Akasapu] & [http://www.linkedin.com/pub/9/279/381 Marshall Heilman]''
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || style="width:30%; background:#BC857A" align="left" | Threading the Needle:
Bypassing web application/service security controls using Encoding, Transcoding, Filter Evasion, and other Canonicalization Attacks
'' [http://www.linkedin.com/in/arianevans Arian Evans]''
| style="width:30%; background:#BCA57A" align="left" | Mastering PCI Section 6.6
''[http://www.linkedin.com/pub/1/228/6a5 Taylor McKinley] and [http://www.linkedin.com/in/jacobwest Jacob West]''
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-GunterOllmann Multidisciplinary Bank Attacks]
''Gunter Ollmann''
|-
| style="width:10%; background:#7B8ABD" | 18:00-18:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD]
'' [http://www.linkedin.com/in/packetfocus Joshua Perrymon]''
| style="width:30%; background:#BCA57A" align="left" | Coding Secure w/PHP
''[http://www.linkedin.com/in/zaunere Hans Zaunere]''
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/Payment_Card_Data_Security_and_the_new_Enterprise_Java Payment Card Data Security and the new Enterprise Java]
''[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Dr._B._V._Kumar Dr. B. V. Kumar] & [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Abhay_Bhargav Mr. Abhay Bhargav]''
|-
| style="width:10%; background:#7B8ABD" | 19:00-20:00 || style="width:30%; background:#BC857A" align="left" | OWASP Chapter Leader / Project Leader working session
| style="width:30%; background:#BCA57A" align="left" | <b>(ISC)2 Cocktail Hour</b> all welcome to attend for special announcement <br> presented by: [https://www.isc2.org/cgi-bin/content.cgi?page=351 W. Hord Tipton, Executive Director of (ISC)2]
| style="width:30%; background:#99FF99" align="left" | Technology Movie Night ''[http://www.youtube.com/watch?v=LlKDkTbUFhU&feature=related Sneakers], [http://www.youtube.com/watch?v=tAcEzhQ7oqA WarGames], [http://hackersarepeopletoo.com HackersArePeopleToo], [http://www.youtube.com/watch?v=4Be-ZzcXVLw TigerTeam]'' from 19:00 - 23:00

|-
| style="width:10%; background:#7B8ABD" | 20:00-23:00+ || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Event Party/Reception <br>Event badge required for admission <br>[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Food, Drinks w/ New & Old Friends - break out the laptop and play capture the flag for fun and prizes.] <br>''Location: HOTEL BALLROOM''</b>
<br>
|-
! colspan="10" align="center" style="background:#4058A0; color:white" |

<h2>Day 2 – Sept 25th, 2008 </h2>
|-
| style="width:10%; background:#99FF99" | 08:00-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | BREAKFAST - Provided by event sponsors @ TechExpo

|-
| style="width:10%; background:#7B8ABD" | 08:00-08:45 || style="width:30%; background:#BC857A" align="left" | Software Development: The Last Security Frontier
''[http://blog.isc2.org/isc2_blog/tipton/index.html W. Hord Tipton], CISSP-ISSEP, CAP, CISA, CNSS and former Chief Information Officer for the U.S. Department of the Interior
Executive Director and member of the Board of Directors, (ISC)²''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/AppSecEU08_Best_Practices_Guide_Web_Application_Firewalls Best Practices Guide: Web Application Firewalls]
''Alexander Meisel''
| style="width:30%; background:#99FF99" align="left" | The Good The Bad and The Ugly - Pen Testing VS. Source Code Analysis
''[http://www.linkedin.com/in/tommyryan Thomas Ryan]'' & ''[http://www.linkedin.com/in/steveantoniewicz Steve Antoniewicz]''

|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || style="width:30%; background:#BC857A" align="left" | OWASP Web Services Top Ten
''[http://1raindrop.typepad.com Gunnar Peterson]''
| style="width:30%; background:#BCA57A" align="left" | [http://www.trutv.com/video/tiger-team/tiger-team-101-1-of-4.html Tiger Team - APPSEC Projects]
''[http://www.linkedin.com/pub/1/373/994 Chris Nickerson]''
| style="width:30%; background:#99FF99" align="left" | OpenSource Tools ''Prof. Li-Chiou Chen & Chienitng Lin, [http://www.pace.edu/page.cfm?doc_id=16399 Pace Univ]''
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="left" | Building a tool for Security consultants: A story of a customized source code scanner
''Dinis Cruz''
| style="width:30%; background:#BCA57A" align="left" | "Help Wanted" [http://www.infosecleaders.com/survey 7 Things You Need to Know APPSEC/INFOSEC Employment]
''[http://www.linkedin.com/pub/0/29/685 Lee Kushner]''
| style="width:30%; background:#99FF99" align="left" | Industry Analyst with Forrester Research
''[http://www.forrester.com/rb/analyst/chenxi_wang Chenxi Wang]''
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_CLASP_Project CLASP (Comprehensive, Lightweight Application Security Process)]
''Pravir Chandra''
| style="width:30%; background:#BCA57A" align="left" | Security in Agile Development
''[http://www.owasp.org/index.php/User:Wichers Dave Wichers]''
| style="width:30%; background:#99FF99" align="left" | Secure Software Impact
''[http://ouncelabs.com/company/team.asp Jack Danahy]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:45 || style="width:30%; background:#BC857A" align="left" | Next Generation Cross Site Scripting Worms
''[http://i8jesus.com/?page_id=5 Arshan Dabirsiaghi]''
| style="width:30%; background:#BCA57A" align="left" | Security of Software-as-a-Service (SaaS)
''[http://www.linkedin.com/pub/6/372/45a James Landis]''
| style="width:30%; background:#99FF99" align="left" | [http://reversebenchmarking.com/About.html Open Reverse Benchmarking Project]
''Marce Luck & [http://www.linkedin.com/pub/1/507/616 Tom Stracener]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Capture the Flag] Status
''LUNCH - Provided @ TechExpo''

|-
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="left" | [[NIST SAMATE Static Analysis Tool Exposition (SATE)]]
''[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-vadim-okun Vadim Okun]''
| style="width:30%; background:#BCA57A" align="left" | [https://www.owasp.org/index.php/User_talk:Jian Lotus Notes/Domino Web Application Security]
''[https://www.owasp.org/index.php/User_talk:Jian Jian Hui Wang]''
| style="width:30%; background:#99FF99" align="left" | Shootout @ Blackbox Corral
''Larry Suto ''

|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="left" | Practical Advanced Threat Modeling
''John Steven''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project The Owasp Orizon Project: towards version 1.0]
[https://www.owasp.org/index.php/User:Thesp0nge Paolo Perego]
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/Building_Usable_Security Building Usable Security]
[http://www.owasp.org/index.php/Zed_Abbadi Zed Abbadi]
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="left" | Off-shoring Application Development? Security is Still Your Problem
''Rohyt Belani''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 OWASP EU Summit Portugal]
''Dinis Cruz''
| style="width:30%; background:#99FF99" align="left" | Code Secrets
''[http://johanpeeters.com Johan Peeters]''
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="left" | Vulnerabilities in application interpreters and runtimes
''Erik Cabetas''
| style="width:30%; background:#BCA57A" align="left" | Detecting User Disposition - Polar Bears in a Whiteout [http://ha.ckers.org/blog/about Robert "RSnake" Hansen]''

| style="width:30%; background:#99FF99" align="left" | Special Guest
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Event Wrap-Up / Speaker & CTF Awards and Sponsor Raffles'''
|-
| style="width:10%; background:#7B8ABD" | 18:30-19:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Foundation, Chapter Leader Meeting - to collect ideas to make OWASP better!
|}

<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]</center>

== Technology Pavilion - September 24th and 25th ==

Want to see the latest offerings from technology product and service firms worldwide? Stop by the Technology Pavilion/TechExpo on September 24th and 25th.

Do you want to preview the event space [http://www.parkcentralny.com/meetings/floor_plans.cfm Click Here]

<hr>

== CPE Credits ==

Much of the content is eligible for CPE credits. Please check with your institution regarding specific requirements.

'''The CISM cpe policy (www.isaca.org/cismcpepolicy) states''':

One continuing professional education hour is earned for each fifty minutes of active participation (excluding lunches and breaks) in a professional educational activity. Continuing professional education hours are only earned in full-hour increments and rounding must be down. For example, a CISA who attends an eight-hour presentation (480 minutes) with 90 minutes of breaks will earn seven (7) continuing professional education hours.

Activities that qualify for CPE must be directly applicable to the management, design or assessment of an enterprise's information security as per the CISM job practice"

'''Earn (ISC)2 CPE Credits at 2008 OWASP USA, NYC'''

Attendance at the 2008 OWASP NYC Training Courses or Conferences will earn you Continuing Professional Education (CPE) credits as follows:
Training Courses: September 22-23, 2008
• 16 CPE units for 2 days of training (Monday - Tuesday)
• 8 CPE units for 1 day of training (Monday or Tuesday Only)
Conferences: September 24-25, 2008
Earn 1 CPE per hour of conference attendance

== [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008 ] ==

All classes begin at 9AM and end at 5:30PM

{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T1. Defensive Programming - 2-Days - $1350
|-
| style="background:#F2F2F2" | This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. [[:Category:OWASP_AppSec_Conference_Training#T1._Defensive_Programming_-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Jason Rouse, Technical Manager, [http://www.cigital.com/training/series http://www.owasp.org/images/b/be/Cigital_OWASP.GIF]'''
|-
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE - 2-Days - $1350
|-
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:
# Java EE security overview,
# All coding examples and recommendations are specifically focused on Java and Java servers, and
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.

[[:Category:OWASP_AppSec_Conference_Training#T2._Secure_Coding_for_Java_EE-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Dave Wichers: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
'''
|-
! align="center" style="background:#4058A0; color:white" | T3. Web Services and XML Security - 2-Days - $1350
|-
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. [[:Category:OWASP_AppSec_Conference_Training#T3._Web_Services_and_XML_Security_-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]
|-
! align="center" style="background:#4058A0; color:white" | T4. Advanced Web Application Security Testing - 2-Days - $1350
|-
| style="background:#F2F2F2" | Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. [[:Category:OWASP_AppSec_Conference_Training#T4._Advanced_Web_Application_Security_Testing_-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Eric Sheridan: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
! align="center" style="background:#4058A0; color:white" | T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675
|-
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. [[:Category:OWASP_AppSec_Conference_Training#T5._Leading_the_Development_of_Secure_Applications_-_1-Day_Course_-_Sep_22.2C_2008 | Learn More Here]]
Instructor: John Pavone: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
{| style="width:80%" border="0" align="center"
|-
! align="center" style="background:#4058A0; color:white" | T6. Building Secure Rich Internet Applications 1-Day - Sept 23rd- $675
|-
| style="background:#F2F2F2" | Rich Internet applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. This one day training addresses the special issues that arise in this type of application development. [[:Category:OWASP_AppSec_Conference_Training#T6._Building_Secure_Rich_Internet_Applications_-_1-Day_Course_-_Sep_23.2C_2008 | Learn More Here]]
Instructor: Arshan Dabirsiaghi: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
{| style="width:80%" border="0" align="center"

! align="center" style="background:#4058A0; color:white" | T8. Writing Secure Code ASP.NET - 2-Days - $1350
|-
| style="background:#F2F2F2" | Understand the key security features of the .NET platform, the common web security pitfalls developers make, and how to build secure and reliable web applications using ASP.NET. Students are lead through hands on code examples that highlight issues and prescribe solutions. [[:Category:OWASP_AppSec_Conference_Training#T8._Writing_Secure_Code_ASP.NET_-_Sep_22-23.2C_2008 | Learn More Here]]

The instructors are Foundstone's Technical Director, Rudolph Araujo and Foundstone's Professional Services Consultant, Alex Smolen. [http://www.foundstone.com/us/education-overview.asp https://www.owasp.org/images/2/26/Foundstone.jpg]
|}
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center>

<h2> HOTELS / TRAVEL </h2>
[http://www.parkcentralny.com Park Central Hotel] - # 800.346.1359 / 212.247.8000 ROOM BLOCK # 41258 $549.00 per night.
870 Seventh Avenue at 56th Street, New York, NY 10019-4038

[http://maps.google.com/maps?near=7th+Ave+%26+W+56th+St,+New+York,+NY&geocode=&q=hotels&f=l&sll=40.766339,-73.980539&sspn=0.007654,0.02223&ie=UTF8&ll=40.764681,-73.980668&spn=0.007655,0.02223&z=16 Hotels close to the venue]

What is around APPSEC2008 - [http://www.parkcentralny.com/attractions/attractions.cfm Area Attractions]

New York City MTA: http://www.mta.nyc.ny.us/nyct/index.html

New York City Subway & walking directions: http://www.hopstop.com/?city=newyork

New York Sights & Sounds - SightsSounds

New York City Travel Guide - http://www.nytoday.com/

New York City Attractions - http://www.nycvisit.com

New York TV Show Tickets - Get free tickets to TV shows! - http://www.nytix.com/

New York City local news: http://www.ny1news.com

<h2>EVENT SPONSORSHIP </h2>The OWASP Conferences & Training security technologists including CSOs,admins, application admins, MIS directors, homeland defense chiefs. These important influencers drive buying decisions exclusive access to its audiences. OWASP has established strategic relationships with security—print publications, newsletters, portals, consultants,message—and leadership positioning OWASP events. OWASP’s mission is supported by organizations who share our application, and software security communities. This approach should be part of your mix.

<b>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Sponsorship Opportunities]- Register online: [http://guest.cvent.com/i.aspx?4W,M3,09e3b490-ba93-4474-851e-be803b1a01c2 click here]</b>

OWASP NYC AppSec 2008 Conference

2008-09-12T19:59:28Z

Aspectmichelle: /* [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008] */

__NOTOC__
= 2008 OWASP USA, NYC =
Last Update: {{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}
<br>
OWASP Foundation is excited to announce a change of venue for our NYC AppSec 2008 Conference as of <b>9/11/2008</b> from downtown NYC to midtown. This was required due to the growing size of the conference and space limitations at our former venue. The prestigious <b>[http://www.parkcentralny.com/location/location.cfm Park Central New York Hotel]</b> (www.parkcentralny.com) will now host the largest OWASP AppSec Conference on record. Centrally located in the heart of New York City, this landmark choice of Midtown Manhattan hotels is just blocks from the Theater District, Central Park, Rockefeller Center, and numerous fine restaurants. Relocation to this modern venue enables OWASP to offer conference attendees additional seating space, onsite accommodations, and access to the best of what New York City has to offer.<br>
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/6/61/Banner2_irfan.jpg]</center>
<center>Scroll down to see event agenda and training options</center>
<br>
This conference has tracks for management, security, audit and development professionals interested in the state of the appsec industry and its trends. Presented by some of the brightest people in the industry, this event is a must attend for anyone looking to improve their information security posture and threat awareness. With assistance from: [http://www.webappsec.org WASC], [http://www.nym-infragard.us NYM InfraGard], [http://aitglobal.com AITGlobal], [http://nyphp.org/index.php NYC PHP], [http://www.nycbug.org NYCBUG], [http://www.isacany.net NYC ISACA], [http://www.nymissa.org NYC ISSA] and our event co-sponsors you are invited to (2) days of hardcore hands-on training and (2) full days of Seminars and Technology Pavilion from the world's best application security technology minds, all held in the New York City, Midtown. <br>

<b>When:</b><br>
Sept 22nd - 25th 2008<br>

<b>Where:</b><br>
<u><b>[http://www.parkcentralny.com/location/location.cfm The Park Central Hotel - 870 Seventh Avenue at 56th Street New York, NY 10019-4038]</b></u>

<b>How Much?</b><br>
Seminar Fees: $350 [https://www.owasp.org/index.php/Membership#Categories_of_Membership OWASP Members] / $400 Non-Members (includes 1 year OWASP individual membership) / $200 for Students (with student ID). [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference#OWASP_NYC_AppSec_2008_Training_Courses_-_September_22nd_and_23rd.2C_2008 2 days of hands on training classes] are also available.
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]</center><br>
<hr>
<center>[http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Diamond Sponsor] - [http://www.imperva.com http://www.owasp.org/images/d/de/Imperva_2color_RGB.jpg]<br>
<br>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Platinum Sponsor] - [http://www.cenzic.com https://www.owasp.org/images/b/bf/CenzicLogo_RGB.gif] - [http://www.whitehatsec.com http://www.owasp.org/images/archive/4/4d/20080703021901%21Whitehat.gif] - [http://www-935.ibm.com/services/us/gbs/app/html/gbs_applicationservices.html?cm_re=masthead-_-business-_-apps-allappserv https://www.owasp.org/images/4/47/Ibm.jpg] </center><br>
[http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Gold, Silver & Other Sponsors] - [http://www.isc2.org http://www.owasp.org/images/4/45/Isc2logo.gif] - [http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg] - [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif] - [http://www.foundstone.com/us/education-overview.asp http://www.owasp.org/images/2/26/Foundstone.jpg] - [http://www.qualys.com https://www.owasp.org/images/a/ae/Qualys.gif] - [http://www.ouncelabs.com https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg] - [http://www.fortify.com https://www.owasp.org/images/a/ac/Fortify.jpg] - [http://www.cigital.com/ https://www.owasp.org/images/b/be/Cigital_OWASP.GIF] - [http://www.acunetix.com https://www.owasp.org/images/e/eb/Acuneti.gif] - [http://www.accessitgroup.com https://www.owasp.org/images/6/6d/Accessit.JPG] -
[http://www.fishnetsecurity.com https://www.owasp.org/images/4/4a/Fishnet_security.png] - [http://www.arctecgroup.net http://www.owasp.org/images/b/bf/Arctec.jpg] - [http://www.airtightnetworks.net https://www.owasp.org/images/8/8b/Airtight.gif] -
[http://www.artofdefence.com https://www.owasp.org/images/d/dc/AOD_Logo.gif] -
[http://www.securityuniversity.net https://www.owasp.org/images/0/0d/Security_university.jpg] -
[http://www.breach.com https://www.owasp.org/images/9/9c/Breach_logo.gif] - [http://www.armorize.com https://www.owasp.org/images/c/ce/Armorize_Logo.png] -[http://www.barracudanetworks.com/ https://www.owasp.org/images/a/a2/Barracuda_Color_Logo.jpg] ~ [http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf http://www.owasp.org/images/f/f8/Sponsorsm.gif]
<br>
<center>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Sponsorship Opportunities] -- [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-PRESS Press Registration] -- [http://www.owasp.org/index.php/Member_Offers Other OWASP Member Offers] </center>
<hr>

<br>

== 2008 OWASP USA, NYC Conference Schedule – Sept 24th - Sept 25th ==
<center><h2>[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/speakeragreement OWASP Speaker Agreement]</h2></center>
{| style="width:80%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white" | <h2>Day 1 – Sept 24th, 2008 </h2>
|-
| style="width:10%; background:#7B8ABD" | || style="width:30%; background:#BC857A" | Track 1: BALLROOM
| style="width:30%; background:#BCA57A" | Track 2: SKYLINE
| style="width:30%; background:#99FF99" | Track 3: TIMESQUARE
|-
| style="width:10%; background:#7B8ABD" | 07:30-08:50 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | Doors Open for Attendee/Speaker Registration
''avoid lines come early get your caffeine fix and use free wifi''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP Version 3.0 who we are, how we got here and where we are going?
''OWASP Foundation: [http://www.owasp.org/index.php/Contact Jeff Williams], [http://www.owasp.org/index.php/Contact Dinis Cruz], [http://www.owasp.org/index.php/Contact Dave Wichers], [http://www.linkedin.com/in/tombrennan Tom Brennan], [http://www.owasp.org/index.php/Contact Sebastien Deleersnyder], [http://www.owasp.org/index.php/Contact Paulo Coimbra], [http://www.owasp.org/index.php/Contact Kate Hartmann], [http://www.owasp.org/index.php/Contact Alison Shrader] & [http://www.owasp.org/index.php/Category:OWASP_Chapter#Chapter_Support_Materials all local chapter leaders]
''
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008 Analysis of the Web Hacking Incidents Database (WHID)]
''[http://blog.shezaf.com Ofer Shezaf]''
| style="width:30%; background:#BCA57A" align="left" | [http://www.webappsecroadmap.com Web Application Security Road Map] <br>
''[http://joesecurity.blogspot.com Joe White]''
| style="width:30%; background:#99FF99" align="left" |[https://buildsecurityin.us-cert.gov/swa/acqwg.html DHS Software Assurance Initiatives]
''[http://www.linkedin.com/pub/0/ab/3b7 Stan Wisseman] & [http://www.linkedin.com/pub/1/439/923 Joe Jarzombek]''
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="left" | Http Bot Research
''[http://www.shadowserver.org/wiki/pmwiki.php?n=Shadowserver.Mission Andre M. DiMino - ShadowServer Foundation]''
| style="width:30%; background:#BCA57A" align="left" | OWASP "Google Hacking" Project
''[http://www.linkedin.com/in/ChristianHeinrich Christian Heinrich]''
| style="width:30%; background:#99FF99" align="left" | MalSpam Research
'' [http://www.knujon.com/bios.html Garth Bruen]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Capture the Flag] Sign-Up
''LUNCH - Provided by event sponsors @ TechExpo''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:45 || style="width:30%; background:#BC857A" align="left" | Get Rich or Die Trying - Making Money on The Web, The Black Hat Way
''[http://www.linkedin.com/in/treyford Trey Ford], [http://www.linkedin.com/in/tombrennan Tom Brennan], [http://www.linkedin.com/pub/0/205/77a Jeremiah Grossman]''
| style="width:30%; background:#BCA57A" align="left" | Framework-level Threat Analysis: Adding Science to the Art of Source-code review
''[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-rohit-sethi Rohit Sethi] & [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-sahba-kazerooni Sahba Kazerooni]''
| style="width:30%; background:#99FF99" align="left" | Automated Web-based Malware Behavioral Analysis
''[http://www.linkedin.com/pub/3/359/b1a Tyler Hudak]''
|-
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="left" | New Exploit Techniques
''[http://jeremiahgrossman.blogspot.com Jeremiah Grossman] & [http://ha.ckers.org/blog/about Robert "RSnake" Hansen]''
| style="width:30%; background:#BCA57A" align="left" | WAF ModSecurity
''[http://www.breach.com/company/executive-team/ Ivan Ristic]''
| style="width:30%; background:#99FF99" align="left" | Using Layer 8 and OWASP to Secure Web Applications
''[http://www.linkedin.com/in/davidstern2000 David Stern] & [http://www.linkedin.com/in/romangarber Roman Garber]''

|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="left" | Industry Outlook Panel: ''[http://www.linkedin.com/in/markclancy Mark Clancy] EVP CitiGroup, [http://www.linkedin.com/pub/0/497/86a Jim Routh] CISO DTCC, [http://www.linkedin.com/pub/0/bb1/68a Sunil Seshadri] CISO NYSE-Euronet, [http://www.linkedin.com/pub/0/1ba/4a9 Warren Axelrod] SVP Bank of America, [http://www.linkedin.com/in/bernik Joe Bernik] SVP, RBS,[http://www.linkedin.com/pub/8/878/240 Jennifer Bayuk] Infosec Consultant & [http://www.linkedin.com/in/philvenables Philip Venables] CISO, Goldman Sachs, [http://www.linkedin.com/in/crecalde Carlos Recalde] SVP, Lehman Brothers, [http://www.linkedin.com/pub/5/658/872 Tom King] CISO, Barclays Capital, <br> [http://www.linkedin.com/in/mahidontamsetti Mahi Dontamsetti] Moderator''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Security_Assessing_Java_RMI Security Assessing Java RMI]
''[http://www.linkedin.com/in/adamboulton Adam Boulton]''
| style="width:30%; background:#99FF99" align="left" | JBroFuzz 0.1 - 1.1: Building a Java Fuzzer for the Web
''[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Yiannis Pavlosoglou]''
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="left" |OWASP Testing Guide - Offensive Assessing Financial Applications
'' [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-daniel-cuthbert Daniel Cuthbert]''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Wild_Wild_Web_on_Security_Planet Wild Wild Web on Security Planet]
''[http://www.securisksolutions.com/company/execmgt.aspx Mano Paul]''
| style="width:30%; background:#99FF99" align="left" |[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-GunterOllmann Multidisciplinary Bank Attacks]
''Gunter Ollmann''
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="left" | OWASP Enterprise Security API [http://www.owasp.org/index.php/ESAPI (ESAPI) Project]
'' [http://www.aspectsecurity.com/management.htm Jeff Williams]''
| style="width:30%; background:#BCA57A" align="left" | Cross-Site Scripting Filter Evasion
''Alexios Fakos''
| style="width:30%; background:#99FF99" align="left" | Case Studies: Exploiting application testing tool deficiencies via "out of band" injection
''[http://www.linkedin.com/pub/0/a91/aa2 Vijay Akasapu] & [http://www.linkedin.com/pub/9/279/381 Marshall Heilman]''
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || style="width:30%; background:#BC857A" align="left" | Threading the Needle:
Bypassing web application/service security controls using Encoding, Transcoding, Filter Evasion, and other Canonicalization Attacks
'' [http://www.linkedin.com/in/arianevans Arian Evans]''
| style="width:30%; background:#BCA57A" align="left" | Mastering PCI Section 6.6
''[http://www.linkedin.com/pub/1/228/6a5 Taylor McKinley] and [http://www.linkedin.com/in/jacobwest Jacob West]''
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho w3af - A Framework to own the web]
''Andres Riancho''
|-
| style="width:10%; background:#7B8ABD" | 18:00-18:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD]
'' [http://www.linkedin.com/in/packetfocus Joshua Perrymon]''
| style="width:30%; background:#BCA57A" align="left" | Coding Secure w/PHP
''[http://www.linkedin.com/in/zaunere Hans Zaunere]''
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/Payment_Card_Data_Security_and_the_new_Enterprise_Java Payment Card Data Security and the new Enterprise Java]
''[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Dr._B._V._Kumar Dr. B. V. Kumar] & [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Abhay_Bhargav Mr. Abhay Bhargav]''
|-
| style="width:10%; background:#7B8ABD" | 19:00-19:30 || style="width:30%; background:#BC857A" align="left" | Party Set-Up ''BallRoom''
| style="width:30%; background:#BCA57A" align="left" | <b> (ISC)2 Pre-Party event, all welcome to attend for special announcement <br> presented by: [https://www.isc2.org/cgi-bin/content.cgi?page=351 W. Hord Tipton, Executive Director of (ISC)2]
| style="width:30%; background:#99FF99" align="left" | Technology Movie Night ''[http://www.youtube.com/watch?v=LlKDkTbUFhU&feature=related Sneakers], [http://www.youtube.com/watch?v=tAcEzhQ7oqA WarGames], [http://hackersarepeopletoo.com HackersArePeopleToo], [http://www.youtube.com/watch?v=4Be-ZzcXVLw TigerTeam]'' from 19:00 - 22:00

|-
| style="width:10%; background:#7B8ABD" | 19:30-22:00+ || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Event Party/Reception <br>Event badge required for admission <br>[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Food, Drinks w/ New & Old Friends - break out the laptop and play capture the flag for fun and prizes.] <br>''Location: HOTEL BALLROOM''</b>
<br>
|-
! colspan="10" align="center" style="background:#4058A0; color:white" | <h2>Day 2 – Sept 25th, 2008 </h2>
|-
| style="width:10%; background:#99FF99" | 08:00-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | BREAKFAST - Provided by event sponsors @ TechExpo

|-
| style="width:10%; background:#7B8ABD" | 08:00-08:45 || style="width:30%; background:#BC857A" align="left" | Software Development: The Last Security Frontier
''[http://blog.isc2.org/isc2_blog/tipton/index.html W. Hord Tipton], CISSP-ISSEP, CAP, CISA, CNSS and former Chief Information Officer for the U.S. Department of the Interior
Executive Director and member of the Board of Directors, (ISC)²''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/AppSecEU08_Best_Practices_Guide_Web_Application_Firewalls Best Practices Guide: Web Application Firewalls]
''Alexander Meisel''
| style="width:30%; background:#99FF99" align="left" | The Good The Bad and The Ugly - Pen Testing VS. Source Code Analysis
''[http://www.linkedin.com/in/tommyryan Thomas Ryan]'' & ''[http://www.linkedin.com/in/steveantoniewicz Steve Antoniewicz]''

|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || style="width:30%; background:#BC857A" align="left" | OWASP Web Services Top Ten
''[http://1raindrop.typepad.com Gunnar Peterson]''
| style="width:30%; background:#BCA57A" align="left" | [http://www.trutv.com/video/tiger-team/tiger-team-101-1-of-4.html Tiger Team - APPSEC Projects]
''[http://www.linkedin.com/pub/1/373/994 Chris Nickerson]''
| style="width:30%; background:#99FF99" align="left" | OpenSource Tools ''Prof. Li-Chiou Chen & Chienitng Lin, [http://www.pace.edu/page.cfm?doc_id=16399 Pace Univ]''
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="left" | Building a tool for Security consultants: A story of a customized source code scanner
''Dinis Cruz''
| style="width:30%; background:#BCA57A" align="left" | "Help Wanted" [http://www.infosecleaders.com/survey 7 Things You Need to Know APPSEC/INFOSEC Employment]
''[http://www.linkedin.com/pub/0/29/685 Lee Kushner]''
| style="width:30%; background:#99FF99" align="left" | Industry Analyst with Forrester Research
''[http://www.forrester.com/rb/analyst/chenxi_wang Chenxi Wang]''
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_CLASP_Project CLASP (Comprehensive, Lightweight Application Security Process)]
''Pravir Chandra''
| style="width:30%; background:#BCA57A" align="left" | Security in Agile Development
''[http://www.owasp.org/index.php/User:Wichers Dave Wichers]''
| style="width:30%; background:#99FF99" align="left" | Secure Software Impact
''[http://ouncelabs.com/company/team.asp Jack Danahy]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:45 || style="width:30%; background:#BC857A" align="left" | Next Generation Cross Site Scripting Worms
''[http://i8jesus.com/?page_id=5 Arshan Dabirsiaghi]''
| style="width:30%; background:#BCA57A" align="left" | Security of Software-as-a-Service (SaaS)
''[http://www.linkedin.com/pub/6/372/45a James Landis]''
| style="width:30%; background:#99FF99" align="left" | [http://reversebenchmarking.com/About.html Open Reverse Benchmarking Project]
''Marce Luck & [http://www.linkedin.com/pub/1/507/616 Tom Stracener]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Capture the Flag] Status
''LUNCH - Provided @ TechExpo''

|-
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="left" | [[NIST SAMATE Static Analysis Tool Exposition (SATE)]]
''[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-vadim-okun Vadim Okun]''
| style="width:30%; background:#BCA57A" align="left" | [https://www.owasp.org/index.php/User_talk:Jian Lotus Notes/Domino Web Application Security]
''[https://www.owasp.org/index.php/User_talk:Jian Jian Hui Wang]''
| style="width:30%; background:#99FF99" align="left" | Shootout @ Blackbox Corral
''Larry Suto ''

|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="left" | Practical Advanced Threat Modeling
''John Steven''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project The Owasp Orizon Project: towards version 1.0]
[https://www.owasp.org/index.php/User:Thesp0nge Paolo Perego]
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/Building_Usable_Security Building Usable Security]
[http://www.owasp.org/index.php/Zed_Abbadi Zed Abbadi]
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="left" | Off-shoring Application Development? Security is Still Your Problem
''Rohyt Belani''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 OWASP EU Summit Portugal]
''Dinis Cruz''
| style="width:30%; background:#99FF99" align="left" | Code Secrets
''[http://johanpeeters.com Johan Peeters]''
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="left" | Vulnerabilities in application interpreters and runtimes
''Erik Cabetas''
| style="width:30%; background:#BCA57A" align="left" | Flash Parameter Injection (FPI)
''Ayal Yogev & Adi Sharabani''
| style="width:30%; background:#99FF99" align="left" | Special Guest
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Event Wrap-Up / Speaker & CTF Awards and Sponsor Raffles'''
|-
| style="width:10%; background:#7B8ABD" | 18:30-19:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Foundation, Chapter Leader Meeting - to collect ideas to make OWASP better!
|}

<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]</center>

== Technology Pavilion - September 24th and 25th ==

Want to see the latest offerings from technology product and service firms worldwide? Stop by the Technology Pavilion/TechExpo on September 24th and 25th.

Do you want to preview the event space [http://www.parkcentralny.com/meetings/floor_plans.cfm Click Here]

<hr>

== CPE Credits ==

Much of the content is eligible for CPE credits. Please check with your institution regarding specific requirements.

'''The CISM cpe policy (www.isaca.org/cismcpepolicy) states''':

One continuing professional education hour is earned for each fifty minutes of active participation (excluding lunches and breaks) in a professional educational activity. Continuing professional education hours are only earned in full-hour increments and rounding must be down. For example, a CISA who attends an eight-hour presentation (480 minutes) with 90 minutes of breaks will earn seven (7) continuing professional education hours.

Activities that qualify for CPE must be directly applicable to the management, design or assessment of an enterprise's information security as per the CISM job practice"

'''Earn (ISC)2 CPE Credits at 2008 OWASP USA, NYC'''

Attendance at the 2008 OWASP NYC Training Courses or Conferences will earn you Continuing Professional Education (CPE) credits as follows:
Training Courses: September 22-23, 2008
• 16 CPE units for 2 days of training (Monday - Tuesday)
• 8 CPE units for 1 day of training (Monday or Tuesday Only)
Conferences: September 24-25, 2008
Earn 1 CPE per hour of conference attendance

== [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008 ] ==

All classes begin at 9AM and end at 5:30PM

{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T1. Defensive Programming - 2-Days - $1350
|-
| style="background:#F2F2F2" | This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. The instructor Pravir Chandra is well known security expert, project lead for OWASP CLASP project and former co-founder & CTO of secure software [[:Category:OWASP_AppSec_Conference_Training#T1._Defensive_Programming_-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Jason Rouse, Technical Manager, [http://www.cigital.com/training/series http://www.owasp.org/images/b/be/Cigital_OWASP.GIF]'''
|-
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE - 2-Days - $1350
|-
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:
# Java EE security overview,
# All coding examples and recommendations are specifically focused on Java and Java servers, and
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.

[[:Category:OWASP_AppSec_Conference_Training#T2._Secure_Coding_for_Java_EE-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Dave Wichers: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
'''
|-
! align="center" style="background:#4058A0; color:white" | T3. Web Services and XML Security - 2-Days - $1350
|-
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. [[:Category:OWASP_AppSec_Conference_Training#T3._Web_Services_and_XML_Security_-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]
|-
! align="center" style="background:#4058A0; color:white" | T4. Advanced Web Application Security Testing - 2-Days - $1350
|-
| style="background:#F2F2F2" | Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. [[:Category:OWASP_AppSec_Conference_Training#T4._Advanced_Web_Application_Security_Testing_-_2-Day_Course_-_Sep_22-23.2C_2008 | Learn More Here]]

Instructor: Eric Sheridan: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
! align="center" style="background:#4058A0; color:white" | T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675
|-
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. [[:Category:OWASP_AppSec_Conference_Training#T5._Leading_the_Development_of_Secure_Applications_-_1-Day_Course_-_Sep_22.2C_2008 | Learn More Here]]
Instructor: John Pavone: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
{| style="width:80%" border="0" align="center"
|-
! align="center" style="background:#4058A0; color:white" | T6. Building Secure Rich Internet Applications 1-Day - Sept 23rd- $675
|-
| style="background:#F2F2F2" | Rich Internet applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. This one day training addresses the special issues that arise in this type of application development. [[:Category:OWASP_AppSec_Conference_Training#T6._Building_Secure_Rich_Internet_Applications_-_1-Day_Course_-_Sep_23.2C_2008 | Learn More Here]]
Instructor: Arshan Dabirsiaghi: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
{| style="width:80%" border="0" align="center"

! align="center" style="background:#4058A0; color:white" | T8. Writing Secure Code ASP.NET - 2-Days - $1350
|-
| style="background:#F2F2F2" | Understand the key security features of the .NET platform, the common web security pitfalls developers make, and how to build secure and reliable web applications using ASP.NET. Students are lead through hands on code examples that highlight issues and prescribe solutions. [[:Category:OWASP_AppSec_Conference_Training#T8._Writing_Secure_Code_ASP.NET_-_Sep_22-23.2C_2008 | Learn More Here]]

The instructors are Foundstone's Technical Director, Rudolph Araujo and Foundstone's Professional Services Consultant, Alex Smolen. [http://www.foundstone.com/us/education-overview.asp https://www.owasp.org/images/2/26/Foundstone.jpg]
|}
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center>

<h2> HOTELS / TRAVEL </h2>
[http://www.parkcentralny.com Park Central Hotel] - # 800.346.1359 / 212.247.8000 ROOM BLOCK # 41258 $549.00 per night.
870 Seventh Avenue at 56th Street, New York, NY 10019-4038

[http://maps.google.com/maps?near=7th+Ave+%26+W+56th+St,+New+York,+NY&geocode=&q=hotels&f=l&sll=40.766339,-73.980539&sspn=0.007654,0.02223&ie=UTF8&ll=40.764681,-73.980668&spn=0.007655,0.02223&z=16 Hotels close to the venue]

What is around APPSEC2008 - [http://www.parkcentralny.com/attractions/attractions.cfm Area Attractions]

New York City MTA: http://www.mta.nyc.ny.us/nyct/index.html

New York City Subway & walking directions: http://www.hopstop.com/?city=newyork

New York Sights & Sounds - SightsSounds

New York City Travel Guide - http://www.nytoday.com/

New York City Attractions - http://www.nycvisit.com

New York TV Show Tickets - Get free tickets to TV shows! - http://www.nytix.com/

New York City local news: http://www.ny1news.com

<h2>EVENT SPONSORSHIP </h2>The OWASP Conferences & Training security technologists including CSOs,admins, application admins, MIS directors, homeland defense chiefs. These important influencers drive buying decisions exclusive access to its audiences. OWASP has established strategic relationships with security—print publications, newsletters, portals, consultants,message—and leadership positioning OWASP events. OWASP’s mission is supported by organizations who share our application, and software security communities. This approach should be part of your mix.

<b>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Sponsorship Opportunities]- Register online: [http://guest.cvent.com/i.aspx?4W,M3,09e3b490-ba93-4474-851e-be803b1a01c2 click here]</b>

7th OWASP AppSec Conference - San Jose 2007/Training

2007-11-09T22:09:53Z

Aspectmichelle: /* Conference Training Day - Two Day Training Courses - November 12th-13th, 2007 */

== Conference Training Day - Two Day Training Courses - November 12th-13th, 2007 ==

OWASP has arranged to have six 2-day Application Security training courses prior to the conference.

The first three courses will be provided by a long time contributor to OWASP, Aspect Security. The fourth course will be provided by another active OWASP member, the Arctec Group. The fifth course is being provided by Dinis Cruz, the OWASP Chief Evangelist. The sixth course is being presented by frequent OWASP/WASC contributor Breach Security. Most of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

{| align="center" width="60%" cellpadding="2" cellspacing="5" style="vertical-align:top;background-color:#cedff2"
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T1</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Building and Testing Secure Web Applications</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T2</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Secure Coding for Java EE</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T3</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Secure Coding .NET Web Applications</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T4</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Web Services and XML Security</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T5</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Leveraging OWASP Tools and Documents to Secure Your Enterprise</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T6</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">ModSecurity Boot-Camp Training</div>
|}

<center>*Note: Information corresponding to each training course is located below.</center>

'''Pricing'''

$1300 for conference attendees. [Note: This fee includes snacks, and LUNCH]

$1450 - Tutorial only pricing (if not attending the conference)

$675 - Student Pricing

'''Location'''

At eBay in San Jose. Same location as the conference. [http://maps.google.com/maps?f=q&hl=en&geocode=&time=&date=&ttype=&q=2211+North+First+Street++San+Jose,+CA&sll=37.35288,-121.9047&sspn=0.201136,0.304184&ie=UTF8&t=h&z=17&om=1 Click Here for Map] [http://maps.google.com/maps?f=d&hl=en&geocode=&time=&date=&ttype=&saddr=san+jose+airport&daddr=2211+North+First+Street++San+Jose,+CA&sll=37.377249,-121.921354&sspn=0.006283,0.009506&ie=UTF8&z=15&om=1 From San Jose Airport] [http://maps.google.com/maps?f=d&hl=en&geocode=&time=&date=&ttype=&saddr=San+Francisco+airport&daddr=2211+North+First+Street++San+Jose,+CA&sll=37.36999,-121.92282&sspn=0.025136,0.038023&ie=UTF8&z=11&om=1 From San Francisco Airport]

'''Course Times'''

Each class begins at 9 AM and runs until 5:30 PM each day.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

== T1. Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following web application security areas (which encompass the entire OWASP Top 10 plus more):

* Authentication and Session Management
* Access Control
* Cross-Site Request Forgery (CSRF)
* Cross-Site Scripting (XSS)
* Input Validation
* Protecting Sensitive Data (w/ Crypto)
* Caching, Pooling, and Reuse Errors
* Database Security (Including SQL Injection)
* Error Handling and Logging
* Denial of Service
* Code Quality
* Accessing Services Securely
* Setting Security Policy
* Integrating Security into the SDLC

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T2. Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007 ==

'''Summary'''

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:
# Java EE security overview,
# All coding examples and recommendations are specifically focused on Java and Java servers, and
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.

To make room for this Java specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.

This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most Java EE based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how Java EE web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following Java EE web application security areas (which encompass the entire OWASP Top 10 plus more):

* Authentication and Session Management
* Access Control
* Cross-Site Request Forgery (CSRF)
* Cross-Site Scripting (XSS)
* Input Validation
* Protecting Sensitive Data (w/ Crypto)
* Database Security (Including SQL Injection)
* Error Handling and Logging
* Code Quality

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Testing Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

'''Hands on Coding Exercises''' (Only in Java specific version of this class!)

For this Java focused course, students will additionally have the opportunity to find, exploit, and then fix Java coding vulnerabilities in three different Java labs using Eclipse.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T3. Secure Coding .NET Web Applications - 2-Day Course - Nov 12-13, 2007 ==

'''Summary'''

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of .NET focused content, including:
# .NET Framework security overview,
# All coding examples and recommendations are specifically focused on .NET, and
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a .NET application developed for the class.

This class covers, and includes examples from, both C# and ASP.NET.

To make room for this .NET specific content, some of the more basic material has been removed, and some topics covered in our standard course are not addressed here.

This course is a compressed version of Aspect's standard 3-day Secure Coding for .NET course.

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most .NET based web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how .NET web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following .NET web application security areas (which encompass the entire OWASP Top 10 plus more):

* Authentication and Session Management
* Access Control
* Cross-Site Request Forgery (CSRF)
* Cross-Site Scripting (XSS)
* Input Validation
* Protecting Sensitive Data (w/ Crypto)
* Database Security (Including SQL Injection)
* Error Handling and Logging
* Code Quality

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Testing Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

'''Hands on Coding Exercises''' (Only in .NET specific version of this class!)

For this .NET focused course, students will additionally have the opportunity to find, exploit, and then fix .NET coding vulnerabilities in three different .NET labs using Visual Studio.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

'''Details'''

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:

* Web Services attack patterns
* Common XML attack patterns
* Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
* Identity services and federation with SAML and Liberty
* Hardening Web Services servers
* Input validation for Web Services
* Integrating Web Services securely with backend resources and applications using WS-Trust
* Secure Exception handling in Web Services

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by [http://www.arctecgroup.net http://www.owasp.org/images/b/bc/Arctec_logo.jpeg]

== T5. Leveraging OWASP Tools and Documents to Secure Your Enterprise - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

Apart from OWASP's Top 10, most OWASP projects (https://www.owasp.org/index.php/Category:OWASP_Project) are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Lifecycle (WADL)

This course aims to change that by providing detailed presentations of the most mature and enterprise ready projects together with practical examples of how to use them.

Curriculum

* Part 1: OWASP Documentation Projects
* Part 2: OWASP Tools
* Part 3: Using OWASP in the Enterprise
* Part 4: Using OWASP in the WADL (Web Application Development Lifecycle)

'''Hands on Exercises'''

The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a laptop.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by Dinis Cruz (OWASP Chief Evangelist)

== T6. ModSecurity Boot-Camp Training - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

ModSecurity is currently the most widely deployed web application firewall (WAF) product. This two-day, boot-camp class is designed for those people who want to quickly learn how to build, deploy, and use ModSecurity in the most effective manner possible. The course will cover topics such as: the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers, and also provides an in-depth look at the extremely powerful ModSecurity Rules Language. Learning how to take advantage of the power behind ModSecurity rules can help web security professionals write and configure highly effective rules to handle complex web vulnerabilities. Hands-on labs with fully documented instructions help students deploy solid, secure ModSecurity installations and understand the inner workings of the premier open source web application firewall available today.

Curriculum

Day 1: Deployment and Management
* Introduction to Web Application Firewalls
* Overview of the Web Application Firewall Evaluation Criteria
* Introduction to ModSecurity
* ModSecurity architecture
* ModSecurity deployment options
* ModSecurity installation
* ModSecurity configuration and operation
* ModSecurity directives and features overview
* ModSecurity rules primer
* ModSecurity tuning
* ModSecurity console deployment and usage

Day 2: Rules Writing Workshop
* Introduction to ModSecurity’s Rule Language
* Anatomy of a ModSecurity rule
* Overview of PCRE
* Variables
* Transformation functions
* Actions
* Using advanced rule syntax with the “chain” action
* Overview of the Core Rule set
* Creating custom rules
* Virtual Patching
* Using initcol and setsid for stateful rules
* Good rule writing practices
* Testing rules
* Tuning rules
* Rule Debugging
* Rule management

'''Hands on Exercises'''

Hands-on labs will include installation and use of the ModSecurity Console on day 1, and a unique challenge on day 2 where the participants will have to use ModSecurity to try and mitigate as many vulnerabilities as possible in the OWASP WebGoat application.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a laptop. The class will use a custom VMware image so you will need to have VMware Player, Workstation or Server pre-installed. Additionally, some of the tools we will be using outside of the VMware host will require Java so ensure that you have installed/updated to the latest version.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by Ryan Barnett (ModSecurity Community Manager and Director of Application Security Training at [http://www.breach.com http://www.owasp.org/images/9/9c/Breach_logo.gif])

* Special Note: Ivan Ristic, ModSecurity Creator and Breach Security Chief Evangelist, will be in attendance to answer questions and also to present on the ModSecurity development roadmap.

Template:Conference blurb

2007-11-07T16:46:05Z

Aspectmichelle:

'''Nov 12-15 - [[:Category:OWASP AppSec Conference | OWASP & WASC AppSec 2007]] - San Jose'''
:Join us at the 7th AppSec Conference at eBay in San Jose, CA. Two full days of [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | training]] and two days of a dual track [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | agenda]] with the leading experts in application security. [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=17e6e912-2dec-4de6-8946-aa005721c4dd Register...]

'''Feb 27-29 - [[:Category:OWASP_AppSec_Conference | OWASP Australia AppSec 2008]] - Queensland'''
:Join us at the 8th AppSec Conference at Gold Coast Convention Center in Queensland Australia. One day of [[OWASP_Australia_AppSec_2008_Conference/TrainingAgenda| training]] and two days of a dual track [[OWASP_Australia_AppSec_2008_Conference/Agenda| agenda]] with the leading experts in application security. [http://guest.cvent.com/i.aspx?4W,M3,91a28af2-06ca-4030-bec4-a55c5a6fe138 Registration is now open!!!]

Template:Conference blurb

2007-11-07T16:43:19Z

Aspectmichelle:

'''Nov 12-15 - [[:Category:OWASP AppSec Conference | OWASP & WASC AppSec 2007]] - San Jose'''
:Join us at the 7th AppSec Conference at eBay in San Jose, CA. Two full days of [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | training]] and two days of a dual track [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | agenda]] with the leading experts in application security. [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=17e6e912-2dec-4de6-8946-aa005721c4dd Register...]

'''Feb 27-29 - [[:Category:OWASP_AppSec_Conference | OWASP Australia AppSec 2008]] - Queensland, Australia'''
:Join us at the 8th AppSec Conference at Gold Coast Convention Center in Queensland Australia. One day of [[OWASP_Australia_AppSec_2008_Conference/TrainingAgenda| training]] and two days of a dual track [[OWASP_Australia_AppSec_2008_Conference/Agenda| agenda]] with the leading experts in application security. [http://guest.cvent.com/i.aspx?4W,M3,91a28af2-06ca-4030-bec4-a55c5a6fe138 Register...]

OWASP Australia AppSec 2008 Conference

2007-11-07T16:21:31Z

Aspectmichelle: /* Registration */

[http://www.owasp.org/index.php/OWASP_Australia_AppSec_2008_Conference https://www.owasp.org/images/4/4b/Owasp_ausconf_banner.jpg]

Welcome to the OWASP Australia Application Security Conference for 2008. Following on from the great success of OWASP Conferences in 2006 and 2007 in the United States and Europe, the first ever Asia Pacific & Australia Security conference will take place in February 2008. The conference will offer an opportunity for security professionals, developers, Managers to hear from industry recognised speakers on the latest critical security risks associated with application security. The conference includes a number of high quality presentations from industry speakers and business professionals with also the opportunity to network with relevant application security vendors and professionals.

==Conference Details==

'''Conference Training Day''' (Wednesday 27th February 2008).

'''Main Conference Presentations''' (Thursday 28th and Friday 29th February 2008).

The 2008 Conference will be held at the Gold Coast Convention Center in Queensland Australia.

The Conference includes a Vendor Exhibition, Welcome Cocktail Party and Gala Dinner.

==Latest News==

We are currently in the final planing stages of the conference. We invite anyone to submit any recommendations, or ideas for the conference.

The Call for papers has begun, and we would appreciate anyone submiting ideas and presentations email to jderry 'at' owasp.org. The call for papers will expire on the 30th November 2007. We hope to put together a fantastic line up of OWASP Project speakers and industry experts.

We are encouraging anyone to get involved in the project, so please simply contact the conference committee to get involved.

==[[OWASP_Australia_AppSec_2008_Conference/TrainingAgenda | OWASP Conference Training: Wednesday 27th February 2008]]==

The Training to be offered for the Conference is still currently being decided upon. Any questions please contact the conference Committee.

==[[OWASP_Australia_AppSec_2008_Conference/Agenda | Agenda and Presentations: Thursday 28th and Friday 29th February 2008]]==

Call for papers and presenters is currently open for the conference.

Call for papers will continue until the end of November 2007.

The conference committee only require an initial 3 paragraph summary of your proposed presentation for submissions. Please submit these to the conference committee. The conference will have both a technical and business application security track.

==Technology Expo==

Leading vendors in the application security space will be at the conference giving technology demonstrations and providing access to their technical staff so they can answer in-depth questions and demonstrate the capabilities of their products or managed services.

The technology expo will be open during the conference in the meeting area. All attendees will be available to meet and discuss with any of the vendors during moring, lunch and afternoon breaks.

More information about conference sponsorship and participating in the technology expo is available by contacting the conference Committee.

==Conference Fees==

Standard: $475, OWASP Members: $425, AISA Members: $450, Early Registration Discount (by Dec 31): $50

Conference Fees are inclusive of all presentations and agenda (including the Cocktail Reception and Gala Dinner)

Conference Tutorial (One Day Training): $650 ($750 if attending tutorial only) Early Registration Discount (by Dec 31): $50

Note: To save on processing expenses, all fees paid for the AppSec 2008 Conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.
(Please note that all fees are in USD)(Conference Fees are kept to a minimum and follow the US/UK Conference Pricing)

==[http://guest.cvent.com/i.aspx?4W,M3,91a28af2-06ca-4030-bec4-a55c5a6fe138 Registration]==

Registration is now open!! Here is the [http://guest.cvent.com/i.aspx?4W,M3,91a28af2-06ca-4030-bec4-a55c5a6fe138 registration page].

== OWASP Australian Security Conference 2008 Sponsors==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2008 OWASP conferences, please contact the conference Committee.

Current OWASP Australia Application Security 2008 Conference Sponsors are

[http://www.b-sec.com http://www.owasp.org/images/3/33/Bsec.JPG]

== Conference Committee ==

OWASP Australian Conferences Chair: Justin Derry - b-sec Consulting - jderry 'at' owasp.org

Currently assisted by (and with thanks)

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

OWASP Australia AppSec 2008 Conference

2007-11-07T16:17:08Z

Aspectmichelle:

[http://www.owasp.org/index.php/OWASP_Australia_AppSec_2008_Conference https://www.owasp.org/images/4/4b/Owasp_ausconf_banner.jpg]

Welcome to the OWASP Australia Application Security Conference for 2008. Following on from the great success of OWASP Conferences in 2006 and 2007 in the United States and Europe, the first ever Asia Pacific & Australia Security conference will take place in February 2008. The conference will offer an opportunity for security professionals, developers, Managers to hear from industry recognised speakers on the latest critical security risks associated with application security. The conference includes a number of high quality presentations from industry speakers and business professionals with also the opportunity to network with relevant application security vendors and professionals.

==Conference Details==

'''Conference Training Day''' (Wednesday 27th February 2008).

'''Main Conference Presentations''' (Thursday 28th and Friday 29th February 2008).

The 2008 Conference will be held at the Gold Coast Convention Center in Queensland Australia.

The Conference includes a Vendor Exhibition, Welcome Cocktail Party and Gala Dinner.

==Latest News==

We are currently in the final planing stages of the conference. We invite anyone to submit any recommendations, or ideas for the conference.

The Call for papers has begun, and we would appreciate anyone submiting ideas and presentations email to jderry 'at' owasp.org. The call for papers will expire on the 30th November 2007. We hope to put together a fantastic line up of OWASP Project speakers and industry experts.

We are encouraging anyone to get involved in the project, so please simply contact the conference committee to get involved.

==[[OWASP_Australia_AppSec_2008_Conference/TrainingAgenda | OWASP Conference Training: Wednesday 27th February 2008]]==

The Training to be offered for the Conference is still currently being decided upon. Any questions please contact the conference Committee.

==[[OWASP_Australia_AppSec_2008_Conference/Agenda | Agenda and Presentations: Thursday 28th and Friday 29th February 2008]]==

Call for papers and presenters is currently open for the conference.

Call for papers will continue until the end of November 2007.

The conference committee only require an initial 3 paragraph summary of your proposed presentation for submissions. Please submit these to the conference committee. The conference will have both a technical and business application security track.

==Technology Expo==

Leading vendors in the application security space will be at the conference giving technology demonstrations and providing access to their technical staff so they can answer in-depth questions and demonstrate the capabilities of their products or managed services.

The technology expo will be open during the conference in the meeting area. All attendees will be available to meet and discuss with any of the vendors during moring, lunch and afternoon breaks.

More information about conference sponsorship and participating in the technology expo is available by contacting the conference Committee.

==Conference Fees==

Standard: $475, OWASP Members: $425, AISA Members: $450, Early Registration Discount (by Dec 31): $50

Conference Fees are inclusive of all presentations and agenda (including the Cocktail Reception and Gala Dinner)

Conference Tutorial (One Day Training): $650 ($750 if attending tutorial only) Early Registration Discount (by Dec 31): $50

Note: To save on processing expenses, all fees paid for the AppSec 2008 Conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.
(Please note that all fees are in USD)(Conference Fees are kept to a minimum and follow the US/UK Conference Pricing)

==Registration==

== OWASP Australian Security Conference 2008 Sponsors==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2008 OWASP conferences, please contact the conference Committee.

Current OWASP Australia Application Security 2008 Conference Sponsors are

[http://www.b-sec.com http://www.owasp.org/images/3/33/Bsec.JPG]

== Conference Committee ==

OWASP Australian Conferences Chair: Justin Derry - b-sec Consulting - jderry 'at' owasp.org

Currently assisted by (and with thanks)

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

OWASP AppSec Conference Sponsors

2007-10-25T14:52:34Z

Aspectmichelle: /* Sending Materials to Conference Facility in San Jose */

== OWASP Conference Sponsorship ==

OWASP is '''no longer''' accepting sponsorships for the 2007 OWASP AppSec San Jose Conference. Financial sponsorship will help defray the non-profit OWASP Foundation's expenses to prepare for and hold this conference. For the first time, there are two different sponsorship options for this conference:

Option #1: Standard Sponsorship Plan (same as previous conferences):

* Sponsor information will be presented on the main conference web page

* A Sponsor information sheet will be included in handouts to all attendees

* Sponsors can include a poster (no larger than 6 ft. x 4 ft. [can be oriented either way]) at the conference in the main hallway. This can be freestanding, or be hung from the wall.

* Includes 2 Free admissions to the conference

The sponsorship fee for this option at the 7th OWASP Conference in San Jose, CA in November 2007 is $4000.

Option #2: Technology Expo:

* Product vendors can demonstrate their application security products to conference attendees. The intended focus of this expo is to be prepared to discuss the technical details of the technologies they are offering in the market to help organizations deal with their application security issues. This expo should be light on sales push and very technical. OWASP attendees are very familiar with the application security market! As this is a technology expo, services only vendors are not appropriate for this venue.

* Time frame: The technology expo will be held from 12-2 on November 13th, with lunch included for all the OWASP tutorial attendees who will be invited to attend the expo, and then open again from 11-6 on November 14th during the first day of the OWASP conference.

* Setup: The tech expo room will open at 9AM on Nov. 13th for the vendors so you can get in and set everything up.

Each vendor will receive:

* Tabletop with tablecloth
* Chairs
* Power strip
* Internet connectivity (it may be wireless access so please check)

The sponsorship fee for this option at the 7th OWASP Conference in San Jose, CA in November 2007 is also $4000.

Option #3: Combined Sponsorship:

If you are interested in doing both at the San Jose conference, the sponsorship fee for this combined option is $6000.

If you are interested in sponsoring the 2007 OWASP San Jose conference, please contact OWASP at: conferences 'at' owasp.org.

== Registration ==

Sponsorship registration to the 2007 OWASP AppSec San Jose Conference is now open! Here is the [http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd registration page].

== Sending Materials to Conference Facility in San Jose ==

Sponsors, please ship your conference materials to:

Attention: Amber Mann, OWASP event
eBay
2211 N. First Street
San Jose, CA 95131

All materials must arrive no earlier than Nov 7th.

== Conference Sponsors ==

The following are the sponsors for the OWASP & WASC AppSec 2007 Conference.

[http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com http://www.owasp.org/images/d/d1/Fortify.JPG]
[http://www.ouncelabs.com/ http://www.owasp.org/images/3/33/Ounce_labs.jpg]
[http://www.breach.com http://www.owasp.org/images/9/9c/Breach_logo.gif]

OWASP AppSec Conference Sponsors

2007-10-25T14:51:43Z

Aspectmichelle: /* Sending Materials to Conference Facility in San Jose */

OWASP & WASC AppSec 2007 Conference

2007-10-17T13:56:43Z

Aspectmichelle: /* Conference Schedule and Location */

[[Image:Owasp_wasc.gif|center]]
==Its now the OWASP & WASC AppSec 2007 Conference !!! @ eBay in San Jose, CA Nov 12-15, 2007==

OWASP and [http://www.webappsec.org WASC] have agreed to join forces this year to put together an incredible AppSec 2007 Conference for the application security community. A huge concentration of industry leading experts will be in attendance presenting high quality web application security content. AppSec 2007 offers a unique opportunity for security professionals, software developers, and IT managers to get up to speed on the latest and greatest attack techniques, defense strategies, and industry trends in an atmosphere of peers. The conference format and venue is also perfect for networking and sharing experiences with others that are down in the trenches.

Registration is now open for the conference. See below for details.

==Conference Schedule and Location==

The AppSec 2007 Conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training Days: November 12th-13th]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007#Technology_Expo:_Tuesday-Wednesday_Nov_13th-14th | Tech Expo: November 13th-14th]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007#Social Events | Breach Cocktail Party: Evening of November 13th]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | Main Conference: November 14th-15th]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007#Social Events | OWASP Conference Dinner: Evening of November 14th]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007#Social Events | Microsoft and Aspect Security Cocktail Party: Evening of November 15th
]]

==[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | Agenda and Presentations: Wednesday-Thursday - Nov 14th-15th]]==

The [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | agenda]] will follow the general OWASP conference format of two tracks, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing presentations back in the main auditorium both days.

New Web Services Track: In addition, the conference will have a 3rd track on the first day. This track is focused on Web Services Security which is a new area for OWASP. If you are interested in speaking at this conference on a Web Services Security topic, please contact Gunnar Peterson, who is organizing that track.

This conference will include presentations from many different OWASP and WASC contributors and leading Application Security professionals, and will include closing panels each day.

==[[ 7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training: Monday-Tuesday - Nov 12th-13th]]==

We have arranged for a suite of two-day Application Security training courses to be offered prior to the conference. General details about all the tutorials including location and pricing is available [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | here]]. The tutorials being offered are:

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | T1. Building and Testing Secure Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | T2. Secure Coding for Java EE]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Secure_Coding_.NET_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | T3. Secure Coding .NET Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | T4. Web Services and XML Security]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T5._Leveraging_OWASP_Tools_and_Documents_to_Secure_Your_Enterprise | T5. Leveraging OWASP Tools and Documents to Secure Your Enterprise ]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T6._Open_Source_ModSecurity_Training_-_2-Day_Course_-_Nov_12-13.2C_2007 | T6. Open Source ModSecurity Training ]]

==Technology Expo: Tuesday-Wednesday Nov 13th-14th==

Leading vendors in the application security space will be at the conference for the first time this year giving technology demonstrations and providing access to their technical staff so they can answer in-depth questions and demonstrate the capabilities of their products or automated managed services.

The technology expo will be open from '''12PM - 2PM on Nov. 13th''' (and all tutorial attendees will be given a large lunch break during that time to attend the expo). It will also be open from '''11AM - 5PM on Nov. 14th''' which is the first day of the conference.

What can a conference attendee expect to get out of the Tech Expo?
* ''Hands-on time using a vendor's product'' - The goal is to be able to walk up to vendor with a USB stick of code/binaries/etc. and actually get a taste of how the tool(s) performs, technical features, applicability & appropriateness, etc.
* ''Evaluate in a non-sales environment'' - At the Expo, attendees will be provided information about the types of tools being exhibited and independent evaluation criteria where that exists (e.g. the [http://www.webappsec.org/projects/wafec/ WAFEC] from WASC, information from the [[OWASP_Tools_Project]], etc.). It's an opportunity to ask the hard questions and talk to technical folks from the vendors that can answer them.
* ''Contact info exchange at your discretion'' - We will not be doing badge scanning and the like to provide vendors attendee information, so attendees are in control of who they want to follow-up with (via good, old-fashioned business card exchange).

More information about conference sponsorship and participating in the technology expo is available [[OWASP AppSec Conference Sponsors | here]].

==Conference Fees==

Standard: $400, OWASP Members: $350, Students: $225, Early Registration Discount (by Oct 12): $50 ($25 for students)

Conference Dinner (Evening of Nov 14th): $50

Conference Tutorial (Two day tutorials Nov 12-13): $1300, $1450 [If not attending the conference], Student Fee: $675

Note: To save on processing expenses, all fees paid for the AppSec 2007 Conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

==[http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd Registration]==

Registration is now open!! Here is the [http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd registration page].

==Social Events==
Breach Cocktail Party: Evening of November 13th
@ Fahrenheit Ultra Lounge & Restaurant
99 East San Fernando Street
San Jose, CA 95113
6:30PM - 8:30PM
Space is Limited so please RSVP: More info and how to RSVP available [http://www.breach.com/breach_security_party_owaspwasc_san_jose.html here].

OWASP Conference Dinner: Evening of November 14th
@ Holiday Inn
1740 N. First Street
San Jose, CA 95112
6:30PM - ???PM
Register for this event at the conference [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=17e6e912-2dec-4de6-8946-aa005721c4dd website].
Microsoft and Aspect Security Cocktail Party: Evening of November 15th
@ Holiday Inn
1740 N. First Street
San Jose, CA 95112
6:30PM - 8:30PM

==Hotel and Transportation Info==
OWASP has negotiated rates at the following hotels (Please book hotel rooms by October 21st to ensure OWASP rates):

Holiday Inn-San Jose OWASP Rate $129/night King or Double Room
You can call reservations at 1-866-241-9878 and ask for the group "OWASP" or reserve your room [http://www.ichotelsgroup.com/h/d/hi/1/en/advancedsearch?whichtype=room&roomResult=none&hotelCode=sjcfs&quickRes=city&_GPC=OSP&checkInDate=11&checkOutMonthYear=102007&checkInMonthYear=102007&checkOutDate=16&_requestid=184025 online here].

Homewood Suites by Hilton- San Jose OWASP Rate $149/night (4+ nights) $169/night (3 or less nights)
King room w/ sleeper sofa (comes w/ fully equipped kitchen)
Call Maria Larios at 408-678-4481 and ask for the group OWASP or email her at maria.larios@dimdev.com

Transportation Info:

From San Jose International Airport (SJC):
eBay is located about a mile from this airport

From San Francisco International Airport (SFO):
eBay is located 40 miles from this airport

== Conference Committee ==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

Web Services Security Track Chair: Gunnar Peterson - Arctec Group - gunnar 'at' arctecgroup.net

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' list.org

2008 U.S. Planning Committee Chair: Tom Brennan - Access IT Group - jinxpuppy 'at' gmail.com

Refereed Papers Chair: Frank Piessens - KU Leuven - Frank.Piessens 'at' cs.kuleuven.ac.be

== [[OWASP AppSec Conference Sponsors | OWASP & WASC AppSec 2007 Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]
[http://www.paypal.com https://www.owasp.org/images/c/c9/Paypal_logo.gif]
[http://www.ebay.com https://www.owasp.org/images/e/e0/Ebay.gif]
[http://www.ouncelabs.com/ https://www.owasp.org/images/3/33/Ounce_labs.jpg]
[http://www.breach.com https://www.owasp.org/images/9/9c/Breach_logo.gif]
[http://www.whitehatsec.com https://www.owasp.org/images/4/4d/Whitehat.gif]
[http://www.ioactive.com https://www.owasp.org/images/4/46/IOActive.gif]

We are also going to have vendor booths at this conference for the first time. If you are interested in demonstrating your application security product to a sophisticated audience of application security professionals, please contact us for more information. Please contact either Dave Wichers (the OWASP Conferences Chair) or Pravir Chandra, who will be organizing the vendor area for this conference.

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

__NOTOC__

OWASP & WASC AppSec 2007 Conference

2007-10-17T13:52:26Z

Aspectmichelle: /* Agenda and Presentations: Wednesday-Thursday - Nov 14th-15th */

[[Image:Owasp_wasc.gif|center]]
==Its now the OWASP & WASC AppSec 2007 Conference !!! @ eBay in San Jose, CA Nov 12-15, 2007==

OWASP and [http://www.webappsec.org WASC] have agreed to join forces this year to put together an incredible AppSec 2007 Conference for the application security community. A huge concentration of industry leading experts will be in attendance presenting high quality web application security content. AppSec 2007 offers a unique opportunity for security professionals, software developers, and IT managers to get up to speed on the latest and greatest attack techniques, defense strategies, and industry trends in an atmosphere of peers. The conference format and venue is also perfect for networking and sharing experiences with others that are down in the trenches.

Registration is now open for the conference. See below for details.

==Conference Schedule and Location==

The AppSec 2007 Conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training Days: November 12th-13th]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007#Technology_Expo:_Tuesday-Wednesday_Nov_13th-14th | Tech Expo: November 13th-14th]]

Breach Cocktail Party: Evening of November 13th

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | Main Conference: November 14th-15th]]

OWASP Conference Dinner: Evening of November 14th

Microsoft and Aspect Security Cocktail Party: Evening of November 15th

==[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | Agenda and Presentations: Wednesday-Thursday - Nov 14th-15th]]==

The [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | agenda]] will follow the general OWASP conference format of two tracks, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing presentations back in the main auditorium both days.

New Web Services Track: In addition, the conference will have a 3rd track on the first day. This track is focused on Web Services Security which is a new area for OWASP. If you are interested in speaking at this conference on a Web Services Security topic, please contact Gunnar Peterson, who is organizing that track.

This conference will include presentations from many different OWASP and WASC contributors and leading Application Security professionals, and will include closing panels each day.

==[[ 7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training: Monday-Tuesday - Nov 12th-13th]]==

We have arranged for a suite of two-day Application Security training courses to be offered prior to the conference. General details about all the tutorials including location and pricing is available [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | here]]. The tutorials being offered are:

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | T1. Building and Testing Secure Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | T2. Secure Coding for Java EE]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Secure_Coding_.NET_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | T3. Secure Coding .NET Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | T4. Web Services and XML Security]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T5._Leveraging_OWASP_Tools_and_Documents_to_Secure_Your_Enterprise | T5. Leveraging OWASP Tools and Documents to Secure Your Enterprise ]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T6._Open_Source_ModSecurity_Training_-_2-Day_Course_-_Nov_12-13.2C_2007 | T6. Open Source ModSecurity Training ]]

==Technology Expo: Tuesday-Wednesday Nov 13th-14th==

Leading vendors in the application security space will be at the conference for the first time this year giving technology demonstrations and providing access to their technical staff so they can answer in-depth questions and demonstrate the capabilities of their products or automated managed services.

The technology expo will be open from '''12PM - 2PM on Nov. 13th''' (and all tutorial attendees will be given a large lunch break during that time to attend the expo). It will also be open from '''11AM - 5PM on Nov. 14th''' which is the first day of the conference.

What can a conference attendee expect to get out of the Tech Expo?
* ''Hands-on time using a vendor's product'' - The goal is to be able to walk up to vendor with a USB stick of code/binaries/etc. and actually get a taste of how the tool(s) performs, technical features, applicability & appropriateness, etc.
* ''Evaluate in a non-sales environment'' - At the Expo, attendees will be provided information about the types of tools being exhibited and independent evaluation criteria where that exists (e.g. the [http://www.webappsec.org/projects/wafec/ WAFEC] from WASC, information from the [[OWASP_Tools_Project]], etc.). It's an opportunity to ask the hard questions and talk to technical folks from the vendors that can answer them.
* ''Contact info exchange at your discretion'' - We will not be doing badge scanning and the like to provide vendors attendee information, so attendees are in control of who they want to follow-up with (via good, old-fashioned business card exchange).

More information about conference sponsorship and participating in the technology expo is available [[OWASP AppSec Conference Sponsors | here]].

==Conference Fees==

Standard: $400, OWASP Members: $350, Students: $225, Early Registration Discount (by Oct 12): $50 ($25 for students)

Conference Dinner (Evening of Nov 14th): $50

Conference Tutorial (Two day tutorials Nov 12-13): $1300, $1450 [If not attending the conference], Student Fee: $675

Note: To save on processing expenses, all fees paid for the AppSec 2007 Conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

==[http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd Registration]==

Registration is now open!! Here is the [http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd registration page].

==Social Events==
Breach Cocktail Party: Evening of November 13th
@ Fahrenheit Ultra Lounge & Restaurant
99 East San Fernando Street
San Jose, CA 95113
6:30PM - 8:30PM
Space is Limited so please RSVP: More info and how to RSVP available [http://www.breach.com/breach_security_party_owaspwasc_san_jose.html here].

OWASP Conference Dinner: Evening of November 14th
@ Holiday Inn
1740 N. First Street
San Jose, CA 95112
6:30PM - ???PM
Register for this event at the conference [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=17e6e912-2dec-4de6-8946-aa005721c4dd website].
Microsoft and Aspect Security Cocktail Party: Evening of November 15th
@ Holiday Inn
1740 N. First Street
San Jose, CA 95112
6:30PM - 8:30PM

==Hotel and Transportation Info==
OWASP has negotiated rates at the following hotels (Please book hotel rooms by October 21st to ensure OWASP rates):

Holiday Inn-San Jose OWASP Rate $129/night King or Double Room
You can call reservations at 1-866-241-9878 and ask for the group "OWASP" or reserve your room [http://www.ichotelsgroup.com/h/d/hi/1/en/advancedsearch?whichtype=room&roomResult=none&hotelCode=sjcfs&quickRes=city&_GPC=OSP&checkInDate=11&checkOutMonthYear=102007&checkInMonthYear=102007&checkOutDate=16&_requestid=184025 online here].

Homewood Suites by Hilton- San Jose OWASP Rate $149/night (4+ nights) $169/night (3 or less nights)
King room w/ sleeper sofa (comes w/ fully equipped kitchen)
Call Maria Larios at 408-678-4481 and ask for the group OWASP or email her at maria.larios@dimdev.com

Transportation Info:

From San Jose International Airport (SJC):
eBay is located about a mile from this airport

From San Francisco International Airport (SFO):
eBay is located 40 miles from this airport

== Conference Committee ==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

Web Services Security Track Chair: Gunnar Peterson - Arctec Group - gunnar 'at' arctecgroup.net

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' list.org

2008 U.S. Planning Committee Chair: Tom Brennan - Access IT Group - jinxpuppy 'at' gmail.com

Refereed Papers Chair: Frank Piessens - KU Leuven - Frank.Piessens 'at' cs.kuleuven.ac.be

== [[OWASP AppSec Conference Sponsors | OWASP & WASC AppSec 2007 Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]
[http://www.paypal.com https://www.owasp.org/images/c/c9/Paypal_logo.gif]
[http://www.ebay.com https://www.owasp.org/images/e/e0/Ebay.gif]
[http://www.ouncelabs.com/ https://www.owasp.org/images/3/33/Ounce_labs.jpg]
[http://www.breach.com https://www.owasp.org/images/9/9c/Breach_logo.gif]
[http://www.whitehatsec.com https://www.owasp.org/images/4/4d/Whitehat.gif]
[http://www.ioactive.com https://www.owasp.org/images/4/46/IOActive.gif]

We are also going to have vendor booths at this conference for the first time. If you are interested in demonstrating your application security product to a sophisticated audience of application security professionals, please contact us for more information. Please contact either Dave Wichers (the OWASP Conferences Chair) or Pravir Chandra, who will be organizing the vendor area for this conference.

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

__NOTOC__

OWASP & WASC AppSec 2007 Conference

2007-10-17T13:51:41Z

Aspectmichelle: /* Social Events */

[[Image:Owasp_wasc.gif|center]]
==Its now the OWASP & WASC AppSec 2007 Conference !!! @ eBay in San Jose, CA Nov 12-15, 2007==

OWASP and [http://www.webappsec.org WASC] have agreed to join forces this year to put together an incredible AppSec 2007 Conference for the application security community. A huge concentration of industry leading experts will be in attendance presenting high quality web application security content. AppSec 2007 offers a unique opportunity for security professionals, software developers, and IT managers to get up to speed on the latest and greatest attack techniques, defense strategies, and industry trends in an atmosphere of peers. The conference format and venue is also perfect for networking and sharing experiences with others that are down in the trenches.

Registration is now open for the conference. See below for details.

==Conference Schedule and Location==

The AppSec 2007 Conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training Days: November 12th-13th]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007#Technology_Expo:_Tuesday-Wednesday_Nov_13th-14th | Tech Expo: November 13th-14th]]

Breach Cocktail Party: Evening of November 13th

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | Main Conference: November 14th-15th]]

OWASP Conference Dinner: Evening of November 14th

Microsoft and Aspect Security Cocktail Party: Evening of November 15th

==[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | Agenda and Presentations: Wednesday-Thursday - Nov 14th-15th]]==

The [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | agenda]] will follow the general OWASP conference format of two tracks, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing presentations back in the main auditorium both days.

New Web Services Track: In addition, the conference will have a 3rd track on the first day. This track is focused on Web Services Security which is a new area for OWASP. If you are interested in speaking at this conference on a Web Services Security topic, please contact Gunnar Peterson, who is organizing that track.

This conference will include presentations from many different OWASP and WASC contributors and leading Application Security professionals, and will include closing panels each day.

==[[ 7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training: Monday-Tuesday - Nov 12th-13th]]==

We have arranged for a suite of two-day Application Security training courses to be offered prior to the conference. General details about all the tutorials including location and pricing is available [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | here]]. The tutorials being offered are:

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | T1. Building and Testing Secure Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | T2. Secure Coding for Java EE]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Secure_Coding_.NET_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | T3. Secure Coding .NET Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | T4. Web Services and XML Security]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T5._Leveraging_OWASP_Tools_and_Documents_to_Secure_Your_Enterprise | T5. Leveraging OWASP Tools and Documents to Secure Your Enterprise ]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T6._Open_Source_ModSecurity_Training_-_2-Day_Course_-_Nov_12-13.2C_2007 | T6. Open Source ModSecurity Training ]]

==Technology Expo: Tuesday-Wednesday Nov 13th-14th==

Leading vendors in the application security space will be at the conference for the first time this year giving technology demonstrations and providing access to their technical staff so they can answer in-depth questions and demonstrate the capabilities of their products or automated managed services.

The technology expo will be open from '''12PM - 2PM on Nov. 13th''' (and all tutorial attendees will be given a large lunch break during that time to attend the expo). It will also be open from '''11AM - 5PM on Nov. 14th''' which is the first day of the conference.

What can a conference attendee expect to get out of the Tech Expo?
* ''Hands-on time using a vendor's product'' - The goal is to be able to walk up to vendor with a USB stick of code/binaries/etc. and actually get a taste of how the tool(s) performs, technical features, applicability & appropriateness, etc.
* ''Evaluate in a non-sales environment'' - At the Expo, attendees will be provided information about the types of tools being exhibited and independent evaluation criteria where that exists (e.g. the [http://www.webappsec.org/projects/wafec/ WAFEC] from WASC, information from the [[OWASP_Tools_Project]], etc.). It's an opportunity to ask the hard questions and talk to technical folks from the vendors that can answer them.
* ''Contact info exchange at your discretion'' - We will not be doing badge scanning and the like to provide vendors attendee information, so attendees are in control of who they want to follow-up with (via good, old-fashioned business card exchange).

More information about conference sponsorship and participating in the technology expo is available [[OWASP AppSec Conference Sponsors | here]].

==Conference Fees==

Standard: $400, OWASP Members: $350, Students: $225, Early Registration Discount (by Oct 12): $50 ($25 for students)

Conference Dinner (Evening of Nov 14th): $50

Conference Tutorial (Two day tutorials Nov 12-13): $1300, $1450 [If not attending the conference], Student Fee: $675

Note: To save on processing expenses, all fees paid for the AppSec 2007 Conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

==[http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd Registration]==

Registration is now open!! Here is the [http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd registration page].

==Social Events==
Breach Cocktail Party: Evening of November 13th
@ Fahrenheit Ultra Lounge & Restaurant
99 East San Fernando Street
San Jose, CA 95113
6:30PM - 8:30PM
Space is Limited so please RSVP: More info and how to RSVP available [http://www.breach.com/breach_security_party_owaspwasc_san_jose.html here].

OWASP Conference Dinner: Evening of November 14th
@ Holiday Inn
1740 N. First Street
San Jose, CA 95112
6:30PM - ???PM
Register for this event at the conference [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=17e6e912-2dec-4de6-8946-aa005721c4dd website].
Microsoft and Aspect Security Cocktail Party: Evening of November 15th
@ Holiday Inn
1740 N. First Street
San Jose, CA 95112
6:30PM - 8:30PM

==[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | Agenda and Presentations: Wednesday-Thursday - Nov 14th-15th]]==

==Hotel and Transportation Info==
OWASP has negotiated rates at the following hotels (Please book hotel rooms by October 21st to ensure OWASP rates):

Holiday Inn-San Jose OWASP Rate $129/night King or Double Room
You can call reservations at 1-866-241-9878 and ask for the group "OWASP" or reserve your room [http://www.ichotelsgroup.com/h/d/hi/1/en/advancedsearch?whichtype=room&roomResult=none&hotelCode=sjcfs&quickRes=city&_GPC=OSP&checkInDate=11&checkOutMonthYear=102007&checkInMonthYear=102007&checkOutDate=16&_requestid=184025 online here].

Homewood Suites by Hilton- San Jose OWASP Rate $149/night (4+ nights) $169/night (3 or less nights)
King room w/ sleeper sofa (comes w/ fully equipped kitchen)
Call Maria Larios at 408-678-4481 and ask for the group OWASP or email her at maria.larios@dimdev.com

Transportation Info:

From San Jose International Airport (SJC):
eBay is located about a mile from this airport

From San Francisco International Airport (SFO):
eBay is located 40 miles from this airport

== Conference Committee ==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

Web Services Security Track Chair: Gunnar Peterson - Arctec Group - gunnar 'at' arctecgroup.net

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' list.org

2008 U.S. Planning Committee Chair: Tom Brennan - Access IT Group - jinxpuppy 'at' gmail.com

Refereed Papers Chair: Frank Piessens - KU Leuven - Frank.Piessens 'at' cs.kuleuven.ac.be

== [[OWASP AppSec Conference Sponsors | OWASP & WASC AppSec 2007 Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]
[http://www.paypal.com https://www.owasp.org/images/c/c9/Paypal_logo.gif]
[http://www.ebay.com https://www.owasp.org/images/e/e0/Ebay.gif]
[http://www.ouncelabs.com/ https://www.owasp.org/images/3/33/Ounce_labs.jpg]
[http://www.breach.com https://www.owasp.org/images/9/9c/Breach_logo.gif]
[http://www.whitehatsec.com https://www.owasp.org/images/4/4d/Whitehat.gif]
[http://www.ioactive.com https://www.owasp.org/images/4/46/IOActive.gif]

We are also going to have vendor booths at this conference for the first time. If you are interested in demonstrating your application security product to a sophisticated audience of application security professionals, please contact us for more information. Please contact either Dave Wichers (the OWASP Conferences Chair) or Pravir Chandra, who will be organizing the vendor area for this conference.

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

__NOTOC__

OWASP & WASC AppSec 2007 Conference

2007-10-17T13:34:24Z

Aspectmichelle:

[[Image:Owasp_wasc.gif|center]]
==Its now the OWASP & WASC AppSec 2007 Conference !!! @ eBay in San Jose, CA Nov 12-15, 2007==

OWASP and [http://www.webappsec.org WASC] have agreed to join forces this year to put together an incredible AppSec 2007 Conference for the application security community. A huge concentration of industry leading experts will be in attendance presenting high quality web application security content. AppSec 2007 offers a unique opportunity for security professionals, software developers, and IT managers to get up to speed on the latest and greatest attack techniques, defense strategies, and industry trends in an atmosphere of peers. The conference format and venue is also perfect for networking and sharing experiences with others that are down in the trenches.

Registration is now open for the conference. See below for details.

==Conference Schedule and Location==

The AppSec 2007 Conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training Days: November 12th-13th]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007#Technology_Expo:_Tuesday-Wednesday_Nov_13th-14th | Tech Expo: November 13th-14th]]

Breach Cocktail Party: Evening of November 13th

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | Main Conference: November 14th-15th]]

OWASP Conference Dinner: Evening of November 14th

Microsoft and Aspect Security Cocktail Party: Evening of November 15th

==[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | Agenda and Presentations: Wednesday-Thursday - Nov 14th-15th]]==

The [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | agenda]] will follow the general OWASP conference format of two tracks, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing presentations back in the main auditorium both days.

New Web Services Track: In addition, the conference will have a 3rd track on the first day. This track is focused on Web Services Security which is a new area for OWASP. If you are interested in speaking at this conference on a Web Services Security topic, please contact Gunnar Peterson, who is organizing that track.

This conference will include presentations from many different OWASP and WASC contributors and leading Application Security professionals, and will include closing panels each day.

==[[ 7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training: Monday-Tuesday - Nov 12th-13th]]==

We have arranged for a suite of two-day Application Security training courses to be offered prior to the conference. General details about all the tutorials including location and pricing is available [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | here]]. The tutorials being offered are:

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | T1. Building and Testing Secure Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | T2. Secure Coding for Java EE]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Secure_Coding_.NET_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | T3. Secure Coding .NET Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | T4. Web Services and XML Security]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T5._Leveraging_OWASP_Tools_and_Documents_to_Secure_Your_Enterprise | T5. Leveraging OWASP Tools and Documents to Secure Your Enterprise ]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T6._Open_Source_ModSecurity_Training_-_2-Day_Course_-_Nov_12-13.2C_2007 | T6. Open Source ModSecurity Training ]]

==Technology Expo: Tuesday-Wednesday Nov 13th-14th==

Leading vendors in the application security space will be at the conference for the first time this year giving technology demonstrations and providing access to their technical staff so they can answer in-depth questions and demonstrate the capabilities of their products or automated managed services.

The technology expo will be open from '''12PM - 2PM on Nov. 13th''' (and all tutorial attendees will be given a large lunch break during that time to attend the expo). It will also be open from '''11AM - 5PM on Nov. 14th''' which is the first day of the conference.

What can a conference attendee expect to get out of the Tech Expo?
* ''Hands-on time using a vendor's product'' - The goal is to be able to walk up to vendor with a USB stick of code/binaries/etc. and actually get a taste of how the tool(s) performs, technical features, applicability & appropriateness, etc.
* ''Evaluate in a non-sales environment'' - At the Expo, attendees will be provided information about the types of tools being exhibited and independent evaluation criteria where that exists (e.g. the [http://www.webappsec.org/projects/wafec/ WAFEC] from WASC, information from the [[OWASP_Tools_Project]], etc.). It's an opportunity to ask the hard questions and talk to technical folks from the vendors that can answer them.
* ''Contact info exchange at your discretion'' - We will not be doing badge scanning and the like to provide vendors attendee information, so attendees are in control of who they want to follow-up with (via good, old-fashioned business card exchange).

More information about conference sponsorship and participating in the technology expo is available [[OWASP AppSec Conference Sponsors | here]].

==Conference Fees==

Standard: $400, OWASP Members: $350, Students: $225, Early Registration Discount (by Oct 12): $50 ($25 for students)

Conference Dinner (Evening of Nov 14th): $50

Conference Tutorial (Two day tutorials Nov 12-13): $1300, $1450 [If not attending the conference], Student Fee: $675

Note: To save on processing expenses, all fees paid for the AppSec 2007 Conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

==[http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd Registration]==

Registration is now open!! Here is the [http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd registration page].

==Social Events==
Breach Cocktail Party: Evening of November 13th

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | Main Conference: November 14th-15th]]

OWASP Conference Dinner: Evening of November 14th

Microsoft and Aspect Security Cocktail Party: Evening of November 15th

==[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda | Agenda and Presentations: Wednesday-Thursday - Nov 14th-15th]]==

==Hotel and Transportation Info==
OWASP has negotiated rates at the following hotels (Please book hotel rooms by October 21st to ensure OWASP rates):

Holiday Inn-San Jose OWASP Rate $129/night King or Double Room
You can call reservations at 1-866-241-9878 and ask for the group "OWASP" or reserve your room [http://www.ichotelsgroup.com/h/d/hi/1/en/advancedsearch?whichtype=room&roomResult=none&hotelCode=sjcfs&quickRes=city&_GPC=OSP&checkInDate=11&checkOutMonthYear=102007&checkInMonthYear=102007&checkOutDate=16&_requestid=184025 online here].

Homewood Suites by Hilton- San Jose OWASP Rate $149/night (4+ nights) $169/night (3 or less nights)
King room w/ sleeper sofa (comes w/ fully equipped kitchen)
Call Maria Larios at 408-678-4481 and ask for the group OWASP or email her at maria.larios@dimdev.com

Transportation Info:

From San Jose International Airport (SJC):
eBay is located about a mile from this airport

From San Francisco International Airport (SFO):
eBay is located 40 miles from this airport

== Conference Committee ==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

Web Services Security Track Chair: Gunnar Peterson - Arctec Group - gunnar 'at' arctecgroup.net

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' list.org

2008 U.S. Planning Committee Chair: Tom Brennan - Access IT Group - jinxpuppy 'at' gmail.com

Refereed Papers Chair: Frank Piessens - KU Leuven - Frank.Piessens 'at' cs.kuleuven.ac.be

== [[OWASP AppSec Conference Sponsors | OWASP & WASC AppSec 2007 Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]
[http://www.paypal.com https://www.owasp.org/images/c/c9/Paypal_logo.gif]
[http://www.ebay.com https://www.owasp.org/images/e/e0/Ebay.gif]
[http://www.ouncelabs.com/ https://www.owasp.org/images/3/33/Ounce_labs.jpg]
[http://www.breach.com https://www.owasp.org/images/9/9c/Breach_logo.gif]
[http://www.whitehatsec.com https://www.owasp.org/images/4/4d/Whitehat.gif]
[http://www.ioactive.com https://www.owasp.org/images/4/46/IOActive.gif]

We are also going to have vendor booths at this conference for the first time. If you are interested in demonstrating your application security product to a sophisticated audience of application security professionals, please contact us for more information. Please contact either Dave Wichers (the OWASP Conferences Chair) or Pravir Chandra, who will be organizing the vendor area for this conference.

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

__NOTOC__

OWASP Australia AppSec 2008 Conference

2007-10-17T11:21:05Z

Aspectmichelle: /* Conference Fees */

[http://www.owasp.org/index.php/OWASP_Australia_AppSec_2008_Conference https://www.owasp.org/images/4/4b/Owasp_ausconf_banner.jpg]

Welcome to the OWASP Australia Application Security Conference for 2008. Following on from the great success of OWASP Conferences in 2006 and 2007 in the United States and Europe, the first ever Asia Pacific & Australia Security conference will take place in February 2008. The conference will offer an opportunity for security professionals, developers, Managers to hear from industry recognised speakers on the latest critical security risks associated with application security. The conference includes a number of high quality presentations from industry speakers and business professionals with also the opportunity to network with relevant application security vendors and professionals.

==Conference Details==

'''Conference Training Day''' (Wednesday 27th February 2008).

'''Main Conference Presentations''' (Thursday 28th and Friday 29th February 2008).

The 2008 Conference will be held at the Gold Coast Convention Center in Queensland Australia.

The Conference includes a Vendor Exhibition, Welcome Cocktail Party and Gala Dinner.

==Latest News==

We are currently in the final planing stages of the conference. We invite anyone to submit any recommendations, or ideas for the conference.

The Call for papers has begun, and we would appreciate anyone submiting ideas and presentations email to jderry 'at' owasp.org. The call for papers will expire on the 30th November 2007. We hope to put together a fantastic line up of OWASP Project speakers and industry experts.

We are encouraging anyone to get involved in the project, so please simply contact the conference committee to get involved.

==[[OWASP_Australia_AppSec_2008_Conference/TrainingAgenda | OWASP Conference Training: Wednesday 27th February 2008]]==

The Training to be offered for the Conference is still currently being decided upon. Any questions please contact the conference Committee.

==[[OWASP_Australia_AppSec_2008_Conference/Agenda | Agenda and Presentations: Thursday 28th and Friday 29th February 2008]]==

Call for papers and presenters is currently open for the conference.

Call for papers will continue until the end of November 2007.

The conference committee only require an initial 3 paragraph summary of your proposed presentation for submissions. Please submit these to the conference committee. The conference will have both a technical and business application security track.

==Technology Expo==

Leading vendors in the application security space will be at the conference giving technology demonstrations and providing access to their technical staff so they can answer in-depth questions and demonstrate the capabilities of their products or managed services.

The technology expo will be open during the conference in the meeting area. All attendees will be available to meet and discuss with any of the vendors during moring, lunch and afternoon breaks.

More information about conference sponsorship and participating in the technology expo is available by contacting the conference Committee.

==Conference Fees==

Standard: $475, OWASP Members: $425, AISA Members: $450, Early Registration Discount (by Dec 31): $50

Conference Fees are inclusive of all presentations and agenda (including the Cocktail Reception and Gala Dinner)

Conference Tutorial (One Day Training): $650 ($750 if attending tutorial only) Early Registration Discount (by Dec 31): $50

Note: To save on processing expenses, all fees paid for the AppSec 2008 Conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.
(Please note that all fees are in USD)(Conference Fees are kept to a minimum and follow the US/UK Conference Pricing)

== OWASP Australian Security Conference 2008 Sponsors==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2008 OWASP conferences, please contact the conference Committee.

Current OWASP Australia Application Security 2008 Conference Sponsors are

[http://www.b-sec.com http://www.owasp.org/images/3/33/Bsec.JPG]

== Conference Committee ==

OWASP Australian Conferences Chair: Justin Derry - b-sec Consulting - jderry 'at' owasp.org

Currently assisted by (and with thanks)

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

OWASP Australia AppSec 2008 Conference

2007-10-17T11:19:56Z

Aspectmichelle: /* Conference Fees */

[http://www.owasp.org/index.php/OWASP_Australia_AppSec_2008_Conference https://www.owasp.org/images/4/4b/Owasp_ausconf_banner.jpg]

Welcome to the OWASP Australia Application Security Conference for 2008. Following on from the great success of OWASP Conferences in 2006 and 2007 in the United States and Europe, the first ever Asia Pacific & Australia Security conference will take place in February 2008. The conference will offer an opportunity for security professionals, developers, Managers to hear from industry recognised speakers on the latest critical security risks associated with application security. The conference includes a number of high quality presentations from industry speakers and business professionals with also the opportunity to network with relevant application security vendors and professionals.

==Conference Details==

'''Conference Training Day''' (Wednesday 27th February 2008).

'''Main Conference Presentations''' (Thursday 28th and Friday 29th February 2008).

The 2008 Conference will be held at the Gold Coast Convention Center in Queensland Australia.

The Conference includes a Vendor Exhibition, Welcome Cocktail Party and Gala Dinner.

==Latest News==

We are currently in the final planing stages of the conference. We invite anyone to submit any recommendations, or ideas for the conference.

The Call for papers has begun, and we would appreciate anyone submiting ideas and presentations email to jderry 'at' owasp.org. The call for papers will expire on the 30th November 2007. We hope to put together a fantastic line up of OWASP Project speakers and industry experts.

We are encouraging anyone to get involved in the project, so please simply contact the conference committee to get involved.

==[[OWASP_Australia_AppSec_2008_Conference/TrainingAgenda | OWASP Conference Training: Wednesday 27th February 2008]]==

The Training to be offered for the Conference is still currently being decided upon. Any questions please contact the conference Committee.

==[[OWASP_Australia_AppSec_2008_Conference/Agenda | Agenda and Presentations: Thursday 28th and Friday 29th February 2008]]==

Call for papers and presenters is currently open for the conference.

Call for papers will continue until the end of November 2007.

The conference committee only require an initial 3 paragraph summary of your proposed presentation for submissions. Please submit these to the conference committee. The conference will have both a technical and business application security track.

==Technology Expo==

Leading vendors in the application security space will be at the conference giving technology demonstrations and providing access to their technical staff so they can answer in-depth questions and demonstrate the capabilities of their products or managed services.

The technology expo will be open during the conference in the meeting area. All attendees will be available to meet and discuss with any of the vendors during moring, lunch and afternoon breaks.

More information about conference sponsorship and participating in the technology expo is available by contacting the conference Committee.

==Conference Fees==

Standard: $475, OWASP Members: $425, AISA Members: $450, Early Registration Discount (by Dec 31): $50

Conference Fees are inclusive of all presentations and agenda (including the Cocktail Receiption and Gala Dinner)

Conference Tutorial (One Day Training): $650 ($750 if attending tutorial only) Early Registration Discount (by Dec 31): $50

Note: To save on processing expenses, all fees paid for the AppSec 2008 Conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.
(Please note that all fees are in USD)(Conference Fees are kept to a minimum and follow the US/UK Conference Pricing)

== OWASP Australian Security Conference 2008 Sponsors==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2008 OWASP conferences, please contact the conference Committee.

Current OWASP Australia Application Security 2008 Conference Sponsors are

[http://www.b-sec.com http://www.owasp.org/images/3/33/Bsec.JPG]

== Conference Committee ==

OWASP Australian Conferences Chair: Justin Derry - b-sec Consulting - jderry 'at' owasp.org

Currently assisted by (and with thanks)

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

OWASP Australia AppSec 2008 Conference

2007-10-17T11:18:00Z

Aspectmichelle: /* Conference Fees */

[http://www.owasp.org/index.php/OWASP_Australia_AppSec_2008_Conference https://www.owasp.org/images/4/4b/Owasp_ausconf_banner.jpg]

Welcome to the OWASP Australia Application Security Conference for 2008. Following on from the great success of OWASP Conferences in 2006 and 2007 in the United States and Europe, the first ever Asia Pacific & Australia Security conference will take place in February 2008. The conference will offer an opportunity for security professionals, developers, Managers to hear from industry recognised speakers on the latest critical security risks associated with application security. The conference includes a number of high quality presentations from industry speakers and business professionals with also the opportunity to network with relevant application security vendors and professionals.

==Conference Details==

'''Conference Training Day''' (Wednesday 27th February 2008).

'''Main Conference Presentations''' (Thursday 28th and Friday 29th February 2008).

The 2008 Conference will be held at the Gold Coast Convention Center in Queensland Australia.

The Conference includes a Vendor Exhibition, Welcome Cocktail Party and Gala Dinner.

==Latest News==

We are currently in the final planing stages of the conference. We invite anyone to submit any recommendations, or ideas for the conference.

The Call for papers has begun, and we would appreciate anyone submiting ideas and presentations email to jderry 'at' owasp.org. The call for papers will expire on the 30th November 2007. We hope to put together a fantastic line up of OWASP Project speakers and industry experts.

We are encouraging anyone to get involved in the project, so please simply contact the conference committee to get involved.

==[[OWASP_Australia_AppSec_2008_Conference/TrainingAgenda | OWASP Conference Training: Wednesday 27th February 2008]]==

The Training to be offered for the Conference is still currently being decided upon. Any questions please contact the conference Committee.

==[[OWASP_Australia_AppSec_2008_Conference/Agenda | Agenda and Presentations: Thursday 28th and Friday 29th February 2008]]==

Call for papers and presenters is currently open for the conference.

Call for papers will continue until the end of November 2007.

The conference committee only require an initial 3 paragraph summary of your proposed presentation for submissions. Please submit these to the conference committee. The conference will have both a technical and business application security track.

==Technology Expo==

Leading vendors in the application security space will be at the conference giving technology demonstrations and providing access to their technical staff so they can answer in-depth questions and demonstrate the capabilities of their products or managed services.

The technology expo will be open during the conference in the meeting area. All attendees will be available to meet and discuss with any of the vendors during moring, lunch and afternoon breaks.

More information about conference sponsorship and participating in the technology expo is available by contacting the conference Committee.

==Conference Fees==

Standard: $475, OWASP Members: $425, AISA Members: $450, Early Registration Discount (by Dec 31): $50 (Please note that all fees are in USD)

Conference Fees are inclusive of all presentations and agenda (including the Cocktail Receiption and Gala Dinner)

Conference Tutorial (One Day Training): $650 ($750 if attending tutorial only) Early Registration Discount (by Dec 31): $50

Note: To save on processing expenses, all fees paid for the AppSec 2008 Conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.
(Conference Fees are kept to a minimum and follow the US/UK Conference Pricing)

== OWASP Australian Security Conference 2008 Sponsors==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2008 OWASP conferences, please contact the conference Committee.

Current OWASP Australia Application Security 2008 Conference Sponsors are

[http://www.b-sec.com http://www.owasp.org/images/3/33/Bsec.JPG]

== Conference Committee ==

OWASP Australian Conferences Chair: Justin Derry - b-sec Consulting - jderry 'at' owasp.org

Currently assisted by (and with thanks)

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

OWASP & WASC AppSec 2007 Conference

2007-09-25T17:59:18Z

Aspectmichelle: /* Hotel and Transportation Info */

OWASP & WASC AppSec 2007 Conference

2007-09-07T21:58:59Z

Aspectmichelle: /* Hotel and Transportation Info */

OWASP & WASC AppSec 2007 Conference

2007-09-07T21:04:09Z

Aspectmichelle: /* Hotel and Transportation Info */

Old-MembershipReference

2007-09-05T21:26:47Z

Aspectmichelle:

'''OWASP Membership/Donation Information'''

='''Please Join Us'''=

We invite you to join us. If you're using OWASP materials in your organization, please support our efforts by becoming a member. All of our materials are free and offered under an open source license, so you do not have to become a member to use them or participate in our projects, mailing lists, conferences, or other activities. Please consider becoming a member and enabling OWASP to continue to provide unbiased tools, documentation, conferences, mailing lists, etc.

Click the "Register Now" logo to register

<center>
[http://guest.cvent.com/i.aspx?4W,M3,d8fa3c02-6498-47c8-be53-ed24858a2619 https://www.owasp.org/images/9/9d/Register_now.gif]
or fill out the [http://www.owasp.org/images/4/4b/Membership.pdf OWASP Membership/Donation Registration Form]
</center><br/>
and fax to (443 583-0772) or e-mail (conferences 'at' owasp.org) it to us. Then send a check to OWASP at the address at the bottom of this page.

='''About OWASP'''=

OWASP is an open source project dedicated to finding and fighting the causes of insecure software. The OWASP Foundation is a not-for-profit 501c3 charitable organization not associated with any commercial product or service. OWASP member companies, educational organizations, government and law enforcement agencies, and individuals from around the world form an application security community that works together to create articles, methodologies, documentation, tools, and technologies (“OWASP Materials”). For more information about OWASP, please see the [[About The Open Web Application Security Project]].

='''Benefits of Membership'''=

'''Benefits unique to members'''
#A [[OWASP Commercial License]] to use the materials within your organization without the restrictions associated with the various open source licenses used by the OWASP projects.
#Visibility for your organization's tangible commitment to application security through its inclusion in the members list on the OWASP website and promotional materials.
#The right to use the OWASP name and [http://www.owasp.org/images/f/f0/OWASP_Logo.gif membership mark] to show that you are an OWASP Member. Note that the mark must not be used in any way that might indicate that OWASP supports a commercial product or service.
#Discounts to the OWASP AppSec and other security conferences and events. See the OWASP [[Member Offers]] page for the most current discounts available to OWASP Members. NOTE: Some of these discounts are greater than or equal to the cost of an individual OWASP Membership.

'''Benefits that also apply to all OWASP participants (even non-members)'''
#An active voice in the development of OWASP Materials that are becoming widely accepted as an application security standard for all organizations.
# Timely electronic notification of updates to the OWASP Materials.
# Collaboration with other highly skilled people from organizations around the world, both virtually and in person during periodic OWASP AppSec conferences and chapter meetings.
# Authorization to create an account and edit pages on the www.owasp.org website (WIKI based)

='''Categories of Membership'''=

There are several types of OWASP Memberships depending on the type of organization and how the OWASP Materials are used. As a not-for-profit organization, 100% of all membership fees go directly to supporting OWASP's various projects and chapters.

{| border=1
||'''Membership Category''' ||'''Description''' ||'''Annual Membership Fee'''
|-
||Individual Members||Individuals who support OWASP's mission and would like to provide financial support to our efforts. ||$100 USD
|-
||Educational and Non-Profit Members || [http://www.ed.gov/admins/finaid/accred/index.html Accredited] [http://www.ope.ed.gov/accreditation/Search.asp educational institutions] and government-approved non-profit organizations that would like to use OWASP materials in their courses, research, or other educational purposes.||$250 USD
|-
||End-User Organization Members ||End-user organizations that use OWASP Materials within their organization. Organizations with 100 or more employees are considered large. ||Small (<100) - $2,000 USD

Large (100+) - $7,000 USD
|-
||Consulting Organization Members ||Organizations with employees that provide information security consulting, training, or auditing services and use OWASP Materials in their services or marketing. Organizations with 10 or more consultants are considered large. ||Small (<10) - $3,000 USD

Large (10+) - $8,000 USD
|-
||Vendor Organization Members ||Software vendors that market security products or other software and use OWASP Materials in their products or marketing. ||$9,000 USD
|-
|}

='''Current OWASP Members'''=
{{OWASP Members}}

='''OWASP Membership Frequently Asked Questions (FAQ)'''=

== Why Should I Become An OWASP Member? ==

OWASP provides documentation, tools, methodologies, standards, articles, and message forums (“OWASP Materials”) as a service to Internet users worldwide to help users and developers understand more about application security. OWASP makes these materials available to end users to help them acquire, build, test, and operate secure software. In addition to the benefits you receive as described above, your membership helps to support the growth of OWASP and the development of new and improved OWASP Materials. Because we are an open, non-commercial entity, we can take on projects that commercial entities driven by profit motives could not. Everyone benefits from these projects. Your support will help OWASP continue to find and fight the causes of insecure software.

== How Are Funds Used? ==

OWASP is a 501c3 not-for-profit foundation, and all funds go directly to support OWASP projects, chapters, and infrastructure. Our funds come from conferences, memberships, advertising, and individual contributions.

== Who Must Become an OWASP Member? ==

Memberships are not required to use OWASP materials under each project's open source license. Also, anyone can participate in or contribute to an OWASP project without becoming a member. Membership provides a [[OWASP commercial license|commercial license]] to all OWASP Materials for your entire organization. This license will ensure that you can modify, use, and bundle OWASP Materials in applications and documents under a single commercial license. Your membership fees are what make the various OWASP projects possible.

== How Can I Become An OWASP Member? ==

To become an OWASP Member, an individual or organization must:
Agree to the terms and conditions of the OWASP Membership Agreement.
Pay the appropriate membership fee, depending on what type of OWASP Membership is indicated. (See top of page for both)
Keep OWASP updated with accurate contact and business profile information.
Enrollment as an OWASP Member is required before a commercial license to use the materials is established. The term of the agreement is one year from the date of execution. We appreciate your interest in becoming an OWASP Member. Click the "Register Now" logo to begin the OWASP Member registration process:<br/><br/>
<center>
[http://guest.cvent.com/i.aspx?4W,M3,d8fa3c02-6498-47c8-be53-ed24858a2619 https://www.owasp.org/images/9/9d/Register_now.gif]
</center>

== What is OWASP’s licensing model? ==

OWASP uses a "dual licensing" business model. OWASP Materials are offered under two types of licenses. Anyone can use OWASP materials under the [http://www.opensource.org/ approved open source license] associated with each project. Members, however, may also use the OWASP materials under the [[OWASP Commercial License]]. Both have full access to the entire range of OWASP Materials and include all source code and documentation.

*'''Open Source Licenses''': Each OWASP project is licensed under one of the [http://www.opensource.org/ approved open source licenses], such as the GPL, LGPL, and GFDL. Under these licenses, you may be required to contribute changes back to the open source community at large, according to the terms of the applicable open source license.
*'''Commercial License for Members''': Members in good standing have the right to use the OWASP Materials under the [[OWASP Commercial License]]. This is a single license that grants access to all OWASP Materials to an individual member or an entire organization.

== Why does OWASP offer two licenses? ==

OWASP's dual license model allows individuals and organizations the option to use a single license for all OWASP projects. The [[OWASP Commercial License]] is free from open source terms that may restrict a member's use of the materials and may require legal analysis. The OWASP membership program is also the best way for organizations to support what OWASP does. As a not-for-profit foundation, OWASP channels all membership fees back into support for its open source user community that, in turn, supports OWASP’s members.

== Do I get the same OWASP Materials under either license? ==

Yes. The OWASP Materials are essentially identical under either license option.

== With a commercial license option, is OWASP still an "open source" organization? ==

Yes, OWASP is an open source organization and is completely committed to open source values and philosophies. All of the OWASP Materials are offered for no cost and with all source code. We believe the open source model of development and distribution is the most efficient way to produce high-quality documentation, tools, and other materials. All OWASP Materials are offered under both open source and commercial license terms.

== Are other organizations using the dual licensing business model? ==

Yes, the dual licensing business model is well established among open source organizations as it paves the way for long-term financial viability. Other companies that offer dual licensing include MySQL, Red Hat, Digium, OSAF, MandrakeSoft, Sleepycat Software, Technical Pursuit, Trolltech, and others.

==For more information==
[http://guest.cvent.com/i.aspx?4W,M3,d8fa3c02-6498-47c8-be53-ed24858a2619 https://www.owasp.org/images/9/9d/Register_now.gif]

Contact: [mailto:owasp@owasp.org owasp@owasp.org]

The OWASP Foundation

9175 Guilford Road, Suite 300

Columbia, MD 21046

[[Category:OWASP Foundation]]

Old-MembershipReference

2007-09-05T21:13:30Z

Aspectmichelle: /* '''Please Join Us''' */

'''OWASP Membership Information'''

='''Please Join Us'''=

We invite you to join us. If you're using OWASP materials in your organization, please support our efforts by becoming a member. All of our materials are free and offered under an open source license, so you do not have to become a member to use them or participate in our projects, mailing lists, conferences, or other activities. Please consider becoming a member and enabling OWASP to continue to provide unbiased tools, documentation, conferences, mailing lists, etc.

Click the "Register Now" logo to register

<center>
[http://guest.cvent.com/i.aspx?4W,M3,d8fa3c02-6498-47c8-be53-ed24858a2619 https://www.owasp.org/images/9/9d/Register_now.gif]
or fill out the [http://www.owasp.org/images/4/4b/Membership.pdf OWASP Membership/Donation Registration Form]
</center><br/>
and fax to (443 583-0772) or e-mail (conferences 'at' owasp.org) it to us. Then send a check to OWASP at the address at the bottom of this page.

='''About OWASP'''=

OWASP is an open source project dedicated to finding and fighting the causes of insecure software. The OWASP Foundation is a not-for-profit 501c3 charitable organization not associated with any commercial product or service. OWASP member companies, educational organizations, government and law enforcement agencies, and individuals from around the world form an application security community that works together to create articles, methodologies, documentation, tools, and technologies (“OWASP Materials”). For more information about OWASP, please see the [[About The Open Web Application Security Project]].

='''Benefits of Membership'''=

'''Benefits unique to members'''
#A [[OWASP Commercial License]] to use the materials within your organization without the restrictions associated with the various open source licenses used by the OWASP projects.
#Visibility for your organization's tangible commitment to application security through its inclusion in the members list on the OWASP website and promotional materials.
#The right to use the OWASP name and [http://www.owasp.org/images/f/f0/OWASP_Logo.gif membership mark] to show that you are an OWASP Member. Note that the mark must not be used in any way that might indicate that OWASP supports a commercial product or service.
#Discounts to the OWASP AppSec and other security conferences and events. See the OWASP [[Member Offers]] page for the most current discounts available to OWASP Members. NOTE: Some of these discounts are greater than or equal to the cost of an individual OWASP Membership.

'''Benefits that also apply to all OWASP participants (even non-members)'''
#An active voice in the development of OWASP Materials that are becoming widely accepted as an application security standard for all organizations.
# Timely electronic notification of updates to the OWASP Materials.
# Collaboration with other highly skilled people from organizations around the world, both virtually and in person during periodic OWASP AppSec conferences and chapter meetings.
# Authorization to create an account and edit pages on the www.owasp.org website (WIKI based)

='''Categories of Membership'''=

There are several types of OWASP Memberships depending on the type of organization and how the OWASP Materials are used. As a not-for-profit organization, 100% of all membership fees go directly to supporting OWASP's various projects and chapters.

{| border=1
||'''Membership Category''' ||'''Description''' ||'''Annual Membership Fee'''
|-
||Individual Members||Individuals who support OWASP's mission and would like to provide financial support to our efforts. ||$100 USD
|-
||Educational and Non-Profit Members || [http://www.ed.gov/admins/finaid/accred/index.html Accredited] [http://www.ope.ed.gov/accreditation/Search.asp educational institutions] and government-approved non-profit organizations that would like to use OWASP materials in their courses, research, or other educational purposes.||$250 USD
|-
||End-User Organization Members ||End-user organizations that use OWASP Materials within their organization. Organizations with 100 or more employees are considered large. ||Small (<100) - $2,000 USD

Large (100+) - $7,000 USD
|-
||Consulting Organization Members ||Organizations with employees that provide information security consulting, training, or auditing services and use OWASP Materials in their services or marketing. Organizations with 10 or more consultants are considered large. ||Small (<10) - $3,000 USD

Large (10+) - $8,000 USD
|-
||Vendor Organization Members ||Software vendors that market security products or other software and use OWASP Materials in their products or marketing. ||$9,000 USD
|-
|}

='''Current OWASP Members'''=
{{OWASP Members}}

='''OWASP Membership Frequently Asked Questions (FAQ)'''=

== Why Should I Become An OWASP Member? ==

OWASP provides documentation, tools, methodologies, standards, articles, and message forums (“OWASP Materials”) as a service to Internet users worldwide to help users and developers understand more about application security. OWASP makes these materials available to end users to help them acquire, build, test, and operate secure software. In addition to the benefits you receive as described above, your membership helps to support the growth of OWASP and the development of new and improved OWASP Materials. Because we are an open, non-commercial entity, we can take on projects that commercial entities driven by profit motives could not. Everyone benefits from these projects. Your support will help OWASP continue to find and fight the causes of insecure software.

== How Are Funds Used? ==

OWASP is a 501c3 not-for-profit foundation, and all funds go directly to support OWASP projects, chapters, and infrastructure. Our funds come from conferences, memberships, advertising, and individual contributions.

== Who Must Become an OWASP Member? ==

Memberships are not required to use OWASP materials under each project's open source license. Also, anyone can participate in or contribute to an OWASP project without becoming a member. Membership provides a [[OWASP commercial license|commercial license]] to all OWASP Materials for your entire organization. This license will ensure that you can modify, use, and bundle OWASP Materials in applications and documents under a single commercial license. Your membership fees are what make the various OWASP projects possible.

== How Can I Become An OWASP Member? ==

To become an OWASP Member, an individual or organization must:
Agree to the terms and conditions of the OWASP Membership Agreement.
Pay the appropriate membership fee, depending on what type of OWASP Membership is indicated. (See top of page for both)
Keep OWASP updated with accurate contact and business profile information.
Enrollment as an OWASP Member is required before a commercial license to use the materials is established. The term of the agreement is one year from the date of execution. We appreciate your interest in becoming an OWASP Member. Click the "Register Now" logo to begin the OWASP Member registration process:<br/><br/>
<center>
[http://guest.cvent.com/i.aspx?4W,M3,d8fa3c02-6498-47c8-be53-ed24858a2619 https://www.owasp.org/images/9/9d/Register_now.gif]
</center>

== What is OWASP’s licensing model? ==

OWASP uses a "dual licensing" business model. OWASP Materials are offered under two types of licenses. Anyone can use OWASP materials under the [http://www.opensource.org/ approved open source license] associated with each project. Members, however, may also use the OWASP materials under the [[OWASP Commercial License]]. Both have full access to the entire range of OWASP Materials and include all source code and documentation.

*'''Open Source Licenses''': Each OWASP project is licensed under one of the [http://www.opensource.org/ approved open source licenses], such as the GPL, LGPL, and GFDL. Under these licenses, you may be required to contribute changes back to the open source community at large, according to the terms of the applicable open source license.
*'''Commercial License for Members''': Members in good standing have the right to use the OWASP Materials under the [[OWASP Commercial License]]. This is a single license that grants access to all OWASP Materials to an individual member or an entire organization.

== Why does OWASP offer two licenses? ==

OWASP's dual license model allows individuals and organizations the option to use a single license for all OWASP projects. The [[OWASP Commercial License]] is free from open source terms that may restrict a member's use of the materials and may require legal analysis. The OWASP membership program is also the best way for organizations to support what OWASP does. As a not-for-profit foundation, OWASP channels all membership fees back into support for its open source user community that, in turn, supports OWASP’s members.

== Do I get the same OWASP Materials under either license? ==

Yes. The OWASP Materials are essentially identical under either license option.

== With a commercial license option, is OWASP still an "open source" organization? ==

Yes, OWASP is an open source organization and is completely committed to open source values and philosophies. All of the OWASP Materials are offered for no cost and with all source code. We believe the open source model of development and distribution is the most efficient way to produce high-quality documentation, tools, and other materials. All OWASP Materials are offered under both open source and commercial license terms.

== Are other organizations using the dual licensing business model? ==

Yes, the dual licensing business model is well established among open source organizations as it paves the way for long-term financial viability. Other companies that offer dual licensing include MySQL, Red Hat, Digium, OSAF, MandrakeSoft, Sleepycat Software, Technical Pursuit, Trolltech, and others.

==For more information==
[http://guest.cvent.com/i.aspx?4W,M3,d8fa3c02-6498-47c8-be53-ed24858a2619 https://www.owasp.org/images/9/9d/Register_now.gif]

Contact: [mailto:owasp@owasp.org owasp@owasp.org]

The OWASP Foundation

9175 Guilford Road, Suite 300

Columbia, MD 21046

[[Category:OWASP Foundation]]

Template:OWASP Conference

2007-09-05T20:22:57Z

Aspectmichelle:

'''[[6th_OWASP_AppSec_Conference_-_Italy_2007|6th OWASP AppSec Conference in Italy May 15-17 was a great success!!]]'''

The [[6th_OWASP_AppSec_Conference_-_Italy_2007|6th OWASP AppSec Conference]] was held May 15-17 in Milan, Italy. Microsoft presented on "The Benefits of the SDL initiative to Microsoft and its Customers" and there were expert talks on Web Services Security, Securing AJAX, the Microsoft Secure Development Lifecycle, all the new OWASP projects, and much more.

You can read all the [[6th_OWASP_AppSec_Conference_-_Italy_2007|details]] and then access all the presentations online on the [[6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda | agenda page]].

'''[[7th_OWASP_AppSec_Conference_-_San_Jose_2007|It's now the OWASP & WASC AppSec 2007 Conference !!! Registration Now Available!]]'''

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007 |The OWASP & WASC AppSec Conference]] will be held Nov. 12-15, 2007 at eBay in San Jose, CA. This conference will be our biggest ever with two full days of tutorials, two days for the conference (including a new 3rd track on Web Services Security), and for the first time a vendor booth area.

OWASP AppSec Conference Sponsors

2007-08-30T18:11:25Z

Aspectmichelle:

== OWASP Conference Sponsorship ==

OWASP is accepting sponsorships for the 2007 OWASP AppSec San Jose Conference. Financial sponsorship will help defray the non-profit OWASP Foundation's expenses to prepare for and hold this conference. For the first time, there are two different sponsorship options for this conference:

Option #1: Standard Sponsorship Plan (same as previous conferences):

* Sponsor information will be presented on the main conference page

* A Sponsor information sheet will be included in handouts to all attendees

* Sponsors can include a poster (no larger than 6 ft. x 4 ft.) at the conference in the main hallway

* Includes 2 Free admissions to the conference

The sponsorship fee for this option at the 7th OWASP Conference in San Jose, CA in November 2007 is $4000.

Option #2: Technology Expo:

* Product vendors can demonstrate their application security products to conference attendees. The intended focus of this expo is to be prepared to discuss the technical details of the technologies they are offering in the market to help organizations deal with their application security issues. This expo should be light on sales push and very technical. OWASP attendees are very familiar with the application security market! As this is a technology expo, services only vendors are not appropriate for this venue.

* Time frame: The technology expo will be held from 12-2 on November 13th, with lunch included for all the OWASP tutorial attendees who will be invited to attend the expo, and then open again from 11-5 on November 14th during the first day of the OWASP conference.

Each vendor will receive:

* Tabletop with tablecloth
* Power strip
* Internet connectivity (it may be wireless access so please check)

The sponsorship fee for this option at the 7th OWASP Conference in San Jose, CA in November 2007 is also $4000.

Option #3: Combined Sponsorship:

If you are interested in doing both at the San Jose conference, the sponsorship fee for this combined option is $6000.

If you are interested in sponsoring the 2007 OWASP San Jose conference, please contact OWASP at: conferences 'at' owasp.org.

== Registration ==

Sponsorship registration to the 2007 OWASP AppSec San Jose Conference is now open! Here is the [http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd registration page].

== Sending Materials to Conference Facility in San Jose ==

Sponsors, please ship your conference materials to:

Location TBD.

All materials must arrive no earlier than date TBD.

== Conference Sponsors ==

The following are the sponsors for the 7th OWASP AppSec Conference.

[http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]

Template:OWASP Conference

2007-08-27T18:23:43Z

Aspectmichelle:

'''[[6th_OWASP_AppSec_Conference_-_Italy_2007|6th OWASP AppSec Conference in Italy May 15-17 was a great success!!]]'''

The [[6th_OWASP_AppSec_Conference_-_Italy_2007|6th OWASP AppSec Conference]] was held May 15-17 in Milan, Italy. Microsoft presented on "The Benefits of the SDL initiative to Microsoft and its Customers" and there were expert talks on Web Services Security, Securing AJAX, the Microsoft Secure Development Lifecycle, all the new OWASP projects, and much more.

You can read all the [[6th_OWASP_AppSec_Conference_-_Italy_2007|details]] and then access all the presentations online on the [[6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda | agenda page]].

'''[[7th_OWASP_AppSec_Conference_-_San_Jose_2007|REGISTRATION NOW OPEN for 7th OWASP AppSec Conference in San Jose, CA Nov. 12-15 2007!]]'''

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007 | 7th OWASP AppSec Conference]] will be held Nov. 12-15, 2007 at eBay in San Jose, CA. This conference will be our biggest ever with two full days of tutorials, two days for the conference (including a new 3rd track on Web Services Security), and for the first time a vendor booth area.

OWASP & WASC AppSec 2007 Conference

2007-08-27T17:10:56Z

Aspectmichelle:

Registration is now open for the OWASP U.S. conference, eBay in San Jose, CA Nov 12-15, 2007.

Web Services Track: The conference will have 3 tracks on the first day instead of 2. The 3rd track will be focused on Web Services Security which is a new area for OWASP. If you are interested in speaking at this conference on a Web Services Security topic, please contact Gunnar Peterson, who is organizing that track.

Application Security Technology Expo: This conference will also have a technology expo for the first time. Application Security product vendors will be able to demonstrate the technical capabilities of their products in the technology expo area. More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

==Conference Location==

This year's US OWASP conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training Days: Novermber 12th-13th]]

Main Conference: November 14th-15th

==Agenda and Presentations: Wednesday-Thursday - Nov 14th-15th==

The [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda agenda] will follow the (current) standard OWASP conference format of two tracks, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing presentations back in the main auditorium both days. In addition, on the first day, there will be a third track focused on Web Services Security.

This conference will include presentations from many different OWASP contributors and leading Application Security professionals, and will include one panel each day.

The OWASP AppSec San Jose 2007 agenda is still being developed.

==Training: Monday-Tuesday - Nov 12th-13th==

OWASP has arranged for a suite of two day Application Security training courses to be offered prior to the conference. The tutorials being offered are:

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Building and Testing Secure Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | Secure Coding for Java EE]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Advanced_Asp.Net_Exploits_and_Countermeasures_-_2-Day_Course_-_Nov_12-13.2C_2007 | Advanced Asp.Net Exploits and Countermeasures]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | Web Services and XML Security]]

==Conference Fees==

Standard: $400, OWASP Members: $350, Students: $225, Early Registration Discount (by Oct 12): $50 ($25 for students)

Conference Dinner (Evening of Nov 14th): $50

Conference Tutorial (Two day tutorials Nov 12-13): $1300, $1450 [If not attending the conference], Student Fee: $675

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

==[http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd Registration]==

Here is the [http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd registration page].

==Hotel and Transportation Info==

OWASP is currently negotiating rates with local hotels

From San Jose International Airport (SJC):
eBay is located about a mile from this airport

From San Francisco International Airport (SFO):
eBay is located 40 miles from this airport

== Conference Committee ==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

Web Services Security Track Chair: Gunnar Peterson - Arctec Group - gunnar 'at' arctecgroup.net

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' list.org

Refereed Papers Chair: Frank Piessens - KU Leuven - Frank.Piessens 'at' cs.kuleuven.ac.be

== [[OWASP AppSec Conference Sponsors | Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]

We are also going to have vendor booths at this conference for the first time. If you are interested in demonstrating your application security product to a sophisticated audience of application security professionals, please contact us for more information. Please contact either Dave Wichers (the OWASP Conferences Chair) or Pravir Chandra, who will be organizing the vendor area for this conference.

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

__NOTOC__

7th OWASP AppSec Conference - San Jose 2007/Training

2007-08-27T17:07:02Z

Aspectmichelle: /* Conference Training Day - Two Day Training Courses - November 12th-13th, 2007 */

== Conference Training Day - Two Day Training Courses - November 12th-13th, 2007 ==

OWASP has arranged to have four 2-day Application Security training courses prior to the conference.

The first two courses will be provided by a long time contributor to OWASP, Aspect Security. The third course is being taught by Dinis Cruz, the OWASP Evangelist and one of the longest active members at OWASP. The fourth course will be provided by another active OWASP member, the Arctec Group. All of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

{| align="center" width="60%" cellpadding="2" cellspacing="5" style="vertical-align:top;background-color:#cedff2"
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T1</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T2</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T3</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Advanced Asp.Net Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T4</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Web Services and XML Security - 2-Day Course - Nov 12-13, 2007</div>
|}

<center>*Note: Information corresponding to each training course is located below.</center>

'''Pricing'''

$1300 for conference attendees. [Note: This fee includes snacks, and LUNCH]

$1450 - Tutorial only pricing (if not attending the conference)

$675 - Student Pricing

'''Location'''

At eBay in San Jose. Same location as the conference.

'''Course Times'''

Each class begins at 9 AM and runs until 5 PM each day.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

== T1. Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T2. Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007 ==

'''Summary'''

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including 1) Java EE security overview, 2) all coding examples are specifically focused on Java and Java servers, and 3) the addition of 3 hands on coding labs where the students find and then fix security vulnerabilities in an application developed for the class.

This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful one day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

For this Java focused course, students will additionally have the opportunity to find and exploit, and then fix vulnerabilities in three different labs using Eclipse.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T3. Advanced ASP.NET Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

In this two day course you will push ASP.NET to the limit and will be shown how ASP.NET applications and environments can be exploited by skilled attackers. Advanced exploitation techniques will be presented together with low-level technical analysis of the .NET Framework. You will also learn advanced defense techniques such as: Building an ASP.NET Security Protection layer (also called a Web Application Firewall) and Real time patching of vulnerabilities in the target application, the .NET Framework or the CLR.

'''Details'''

The Course is made of 2 modules

'''Module 1: Security principles and .NET Framework Architecture; Guerrilla Threat Modeling; Exploiting ASP.NET Applications'''

* Analysis of the .NET Framework and its core components (CLR, Garbage Collector, Verifier, Security Manager)
* Using quick-and-dirty threat models to discover vulnerabilities in the target application
* Exploiting vulnerabilities in ASP.NET applications: Data Validation, Authorization, Authentication, SessionState, XSS, Cookies, AJAX, Web Services, Remoting, etc. (using basic and advanced techniques)
* Exploiting Buffer Overflows and Windows vulnerabilities via ASP.NET Applications

'''Module 2: Exploiting Full Trust and Partial Trust ASP.NET Environments; Advanced ASP.NET Countermeasures'''

* Practical demonstrations of the power of Full Trust ASP.NET:
* Rooting the CLR (e.g. patching the .Net Framework and CLR), Reflection, IIS Metabase, Shellcode injection, Launching internal attacks to compromise the server and the data center
* Full Trust non-verification and Type Safety attacks (via MSIL manipulation)
* Exploiting Insecure Partial Trust ASP.NET Environments
* Applying real-time security patches in the target application, .NET Framework and CLR
* Solutions to create secure Data Validation and Authorization architectures
* Creating secure ASP.NET hosting environments
* Building an ASP.NET Security Protection layer (also called Web Application Firewall);

You will walk away from this class with a much better understanding of some of the weaknesses of .NET applications, particularly the internals of the .NET framework. You will also get the chance to put your skills to the test against a target application over the course of the class.

'''Requirements'''

A laptop with VMWare Player pre-installed. A VMWare image containing all necessary lab tools will be provided.

'''Prerequisites'''

This is an advanced course targeted at industry professionals who want to understand the weaknesses and the power of the .Net Framework.

To get the most of this course and to be able to do the extensive practice material provided (using a VMWare image), the participants must:

* Have a good understanding of a .NET Language (Ideally C#)
* Be familiar with MSIL/Assembly
* Have some experience with debugging user-land applications
* Have commercial experience on either application development or security auditing.

The material is presented at a pace adjusted for experienced developers and/or security consultants.

'''Trainer'''

Dinis Cruz is the OWASP Evangelist, current OWASP .NET Project leader and the main developer of several of OWASP .NET tools (SAM'SHE, ANBS, SiteGenerator, PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).

Since the 1.1 release of the .NET Framework, Dinis has been one of the strongest proponents of the need to write .NET applications that can be executed in secure Partially Trusted .NET environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust ASP.NET Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by Dinis Cruz (OWASP Chief Evangelist)

== T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

'''Details'''

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:

* Web Services attack patterns
* Common XML attack patterns
* Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
* Identity services and federation with SAML and Liberty
* Hardening Web Services servers
* Input validation for Web Services
* Integrating Web Services securely with backend resources and applications using WS-Trust
* Secure Exception handling in Web Services

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by [http://www.arctecgroup.net http://www.owasp.org/images/b/bc/Arctec_logo.jpeg]

7th OWASP AppSec Conference - San Jose 2007/Training

2007-08-27T17:06:17Z

Aspectmichelle: /* T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007 */

== Conference Training Day - Two Day Training Courses - November 12th-13th, 2007 ==

OWASP has arranged to have four 2-day Application Security training courses prior to the conference.

The first two courses will be provided by a long time contributor to OWASP, Aspect Security. The third course is being taught by Dinis Cruz, the OWASP Evangelist and one of the longest active members at OWASP. The fourth course will be provided by another active OWASP member, the Arctec Group. All of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

{| align="center" width="60%" cellpadding="2" cellspacing="5" style="vertical-align:top;background-color:#cedff2"
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T1</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T2</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T3</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Advanced Asp.Net Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T4</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Web Services and XML Security - 2-Day Course - Nov 12-13, 2007</div>
|}

<center>*Note: Information corresponding to each training course is located below.</center>

'''Pricing'''

$1300 for conference attendees. [Note: This fee includes snacks, and LUNCH]

$1450 - Tutorial only pricing (if not attending the conference)

$675 - Student Pricing

'''Location'''

At eBay in San Jose. Same location as the conference.

'''Course Times'''

Each class begins at 9 AM and runs until 5 PM each day.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

== T1. Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T2. Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007 ==

'''Summary'''

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including 1) Java EE security overview, 2) all coding examples are specifically focused on Java and Java servers, and 3) the addition of 3 hands on coding labs where the students find and then fix security vulnerabilities in an application developed for the class.

This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful one day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

For this Java focused course, students will additionally have the opportunity to find and exploit, and then fix vulnerabilities in three different labs using Eclipse.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T3. Advanced ASP.NET Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

In this two day course you will push ASP.NET to the limit and will be shown how ASP.NET applications and environments can be exploited by skilled attackers. Advanced exploitation techniques will be presented together with low-level technical analysis of the .NET Framework. You will also learn advanced defense techniques such as: Building an ASP.NET Security Protection layer (also called a Web Application Firewall) and Real time patching of vulnerabilities in the target application, the .NET Framework or the CLR.

'''Details'''

The Course is made of 2 modules

'''Module 1: Security principles and .NET Framework Architecture; Guerrilla Threat Modeling; Exploiting ASP.NET Applications'''

* Analysis of the .NET Framework and its core components (CLR, Garbage Collector, Verifier, Security Manager)
* Using quick-and-dirty threat models to discover vulnerabilities in the target application
* Exploiting vulnerabilities in ASP.NET applications: Data Validation, Authorization, Authentication, SessionState, XSS, Cookies, AJAX, Web Services, Remoting, etc. (using basic and advanced techniques)
* Exploiting Buffer Overflows and Windows vulnerabilities via ASP.NET Applications

'''Module 2: Exploiting Full Trust and Partial Trust ASP.NET Environments; Advanced ASP.NET Countermeasures'''

* Practical demonstrations of the power of Full Trust ASP.NET:
* Rooting the CLR (e.g. patching the .Net Framework and CLR), Reflection, IIS Metabase, Shellcode injection, Launching internal attacks to compromise the server and the data center
* Full Trust non-verification and Type Safety attacks (via MSIL manipulation)
* Exploiting Insecure Partial Trust ASP.NET Environments
* Applying real-time security patches in the target application, .NET Framework and CLR
* Solutions to create secure Data Validation and Authorization architectures
* Creating secure ASP.NET hosting environments
* Building an ASP.NET Security Protection layer (also called Web Application Firewall);

You will walk away from this class with a much better understanding of some of the weaknesses of .NET applications, particularly the internals of the .NET framework. You will also get the chance to put your skills to the test against a target application over the course of the class.

'''Requirements'''

A laptop with VMWare Player pre-installed. A VMWare image containing all necessary lab tools will be provided.

'''Prerequisites'''

This is an advanced course targeted at industry professionals who want to understand the weaknesses and the power of the .Net Framework.

To get the most of this course and to be able to do the extensive practice material provided (using a VMWare image), the participants must:

* Have a good understanding of a .NET Language (Ideally C#)
* Be familiar with MSIL/Assembly
* Have some experience with debugging user-land applications
* Have commercial experience on either application development or security auditing.

The material is presented at a pace adjusted for experienced developers and/or security consultants.

'''Trainer'''

Dinis Cruz is the OWASP Evangelist, current OWASP .NET Project leader and the main developer of several of OWASP .NET tools (SAM'SHE, ANBS, SiteGenerator, PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).

Since the 1.1 release of the .NET Framework, Dinis has been one of the strongest proponents of the need to write .NET applications that can be executed in secure Partially Trusted .NET environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust ASP.NET Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by Dinis Cruz (OWASP Chief Evangelist)

== T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

'''Details'''

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:

* Web Services attack patterns
* Common XML attack patterns
* Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
* Identity services and federation with SAML and Liberty
* Hardening Web Services servers
* Input validation for Web Services
* Integrating Web Services securely with backend resources and applications using WS-Trust
* Secure Exception handling in Web Services

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by [http://www.arctecgroup.net http://www.owasp.org/images/b/bc/Arctec_logo.jpeg]

7th OWASP AppSec Conference - San Jose 2007/Training

2007-08-27T17:05:49Z

Aspectmichelle: /* T3. Advanced ASP.NET Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007 */

== Conference Training Day - Two Day Training Courses - November 12th-13th, 2007 ==

OWASP has arranged to have four 2-day Application Security training courses prior to the conference.

The first two courses will be provided by a long time contributor to OWASP, Aspect Security. The third course is being taught by Dinis Cruz, the OWASP Evangelist and one of the longest active members at OWASP. The fourth course will be provided by another active OWASP member, the Arctec Group. All of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

{| align="center" width="60%" cellpadding="2" cellspacing="5" style="vertical-align:top;background-color:#cedff2"
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T1</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T2</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T3</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Advanced Asp.Net Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T4</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Web Services and XML Security - 2-Day Course - Nov 12-13, 2007</div>
|}

<center>*Note: Information corresponding to each training course is located below.</center>

'''Pricing'''

$1300 for conference attendees. [Note: This fee includes snacks, and LUNCH]

$1450 - Tutorial only pricing (if not attending the conference)

$675 - Student Pricing

'''Location'''

At eBay in San Jose. Same location as the conference.

'''Course Times'''

Each class begins at 9 AM and runs until 5 PM each day.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

== T1. Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T2. Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007 ==

'''Summary'''

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including 1) Java EE security overview, 2) all coding examples are specifically focused on Java and Java servers, and 3) the addition of 3 hands on coding labs where the students find and then fix security vulnerabilities in an application developed for the class.

This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful one day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

For this Java focused course, students will additionally have the opportunity to find and exploit, and then fix vulnerabilities in three different labs using Eclipse.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T3. Advanced ASP.NET Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

In this two day course you will push ASP.NET to the limit and will be shown how ASP.NET applications and environments can be exploited by skilled attackers. Advanced exploitation techniques will be presented together with low-level technical analysis of the .NET Framework. You will also learn advanced defense techniques such as: Building an ASP.NET Security Protection layer (also called a Web Application Firewall) and Real time patching of vulnerabilities in the target application, the .NET Framework or the CLR.

'''Details'''

The Course is made of 2 modules

'''Module 1: Security principles and .NET Framework Architecture; Guerrilla Threat Modeling; Exploiting ASP.NET Applications'''

* Analysis of the .NET Framework and its core components (CLR, Garbage Collector, Verifier, Security Manager)
* Using quick-and-dirty threat models to discover vulnerabilities in the target application
* Exploiting vulnerabilities in ASP.NET applications: Data Validation, Authorization, Authentication, SessionState, XSS, Cookies, AJAX, Web Services, Remoting, etc. (using basic and advanced techniques)
* Exploiting Buffer Overflows and Windows vulnerabilities via ASP.NET Applications

'''Module 2: Exploiting Full Trust and Partial Trust ASP.NET Environments; Advanced ASP.NET Countermeasures'''

* Practical demonstrations of the power of Full Trust ASP.NET:
* Rooting the CLR (e.g. patching the .Net Framework and CLR), Reflection, IIS Metabase, Shellcode injection, Launching internal attacks to compromise the server and the data center
* Full Trust non-verification and Type Safety attacks (via MSIL manipulation)
* Exploiting Insecure Partial Trust ASP.NET Environments
* Applying real-time security patches in the target application, .NET Framework and CLR
* Solutions to create secure Data Validation and Authorization architectures
* Creating secure ASP.NET hosting environments
* Building an ASP.NET Security Protection layer (also called Web Application Firewall);

You will walk away from this class with a much better understanding of some of the weaknesses of .NET applications, particularly the internals of the .NET framework. You will also get the chance to put your skills to the test against a target application over the course of the class.

'''Requirements'''

A laptop with VMWare Player pre-installed. A VMWare image containing all necessary lab tools will be provided.

'''Prerequisites'''

This is an advanced course targeted at industry professionals who want to understand the weaknesses and the power of the .Net Framework.

To get the most of this course and to be able to do the extensive practice material provided (using a VMWare image), the participants must:

* Have a good understanding of a .NET Language (Ideally C#)
* Be familiar with MSIL/Assembly
* Have some experience with debugging user-land applications
* Have commercial experience on either application development or security auditing.

The material is presented at a pace adjusted for experienced developers and/or security consultants.

'''Trainer'''

Dinis Cruz is the OWASP Evangelist, current OWASP .NET Project leader and the main developer of several of OWASP .NET tools (SAM'SHE, ANBS, SiteGenerator, PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).

Since the 1.1 release of the .NET Framework, Dinis has been one of the strongest proponents of the need to write .NET applications that can be executed in secure Partially Trusted .NET environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust ASP.NET Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by Dinis Cruz (OWASP Chief Evangelist)

== T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

'''Details'''

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:

* Web Services attack patterns
* Common XML attack patterns
* Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
* Identity services and federation with SAML and Liberty
* Hardening Web Services servers
* Input validation for Web Services
* Integrating Web Services securely with backend resources and applications using WS-Trust
* Secure Exception handling in Web Services

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by [http://www.arctecgroup.net http://www.owasp.org/images/b/bc/Arctec_logo.jpeg]

7th OWASP AppSec Conference - San Jose 2007/Training

2007-08-27T17:04:51Z

Aspectmichelle: /* T2. Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007 */

== Conference Training Day - Two Day Training Courses - November 12th-13th, 2007 ==

OWASP has arranged to have four 2-day Application Security training courses prior to the conference.

The first two courses will be provided by a long time contributor to OWASP, Aspect Security. The third course is being taught by Dinis Cruz, the OWASP Evangelist and one of the longest active members at OWASP. The fourth course will be provided by another active OWASP member, the Arctec Group. All of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

{| align="center" width="60%" cellpadding="2" cellspacing="5" style="vertical-align:top;background-color:#cedff2"
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T1</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T2</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T3</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Advanced Asp.Net Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T4</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Web Services and XML Security - 2-Day Course - Nov 12-13, 2007</div>
|}

<center>*Note: Information corresponding to each training course is located below.</center>

'''Pricing'''

$1300 for conference attendees. [Note: This fee includes snacks, and LUNCH]

$1450 - Tutorial only pricing (if not attending the conference)

$675 - Student Pricing

'''Location'''

At eBay in San Jose. Same location as the conference.

'''Course Times'''

Each class begins at 9 AM and runs until 5 PM each day.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

== T1. Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T2. Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007 ==

'''Summary'''

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including 1) Java EE security overview, 2) all coding examples are specifically focused on Java and Java servers, and 3) the addition of 3 hands on coding labs where the students find and then fix security vulnerabilities in an application developed for the class.

This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful one day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

For this Java focused course, students will additionally have the opportunity to find and exploit, and then fix vulnerabilities in three different labs using Eclipse.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T3. Advanced ASP.NET Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

In this two day course you will push ASP.NET to the limit and will be shown how ASP.NET applications and environments can be exploited by skilled attackers. Advanced exploitation techniques will be presented together with low-level technical analysis of the .NET Framework. You will also learn advanced defense techniques such as: Building an ASP.NET Security Protection layer (also called a Web Application Firewall) and Real time patching of vulnerabilities in the target application, the .NET Framework or the CLR.

'''Details'''

The Course is made of 2 modules

'''Module 1: Security principles and .NET Framework Architecture; Guerrilla Threat Modeling; Exploiting ASP.NET Applications'''

* Analysis of the .NET Framework and its core components (CLR, Garbage Collector, Verifier, Security Manager)
* Using quick-and-dirty threat models to discover vulnerabilities in the target application
* Exploiting vulnerabilities in ASP.NET applications: Data Validation, Authorization, Authentication, SessionState, XSS, Cookies, AJAX, Web Services, Remoting, etc. (using basic and advanced techniques)
* Exploiting Buffer Overflows and Windows vulnerabilities via ASP.NET Applications

'''Module 2: Exploiting Full Trust and Partial Trust ASP.NET Environments; Advanced ASP.NET Countermeasures'''

* Practical demonstrations of the power of Full Trust ASP.NET:
* Rooting the CLR (e.g. patching the .Net Framework and CLR), Reflection, IIS Metabase, Shellcode injection, Launching internal attacks to compromise the server and the data center
* Full Trust non-verification and Type Safety attacks (via MSIL manipulation)
* Exploiting Insecure Partial Trust ASP.NET Environments
* Applying real-time security patches in the target application, .NET Framework and CLR
* Solutions to create secure Data Validation and Authorization architectures
* Creating secure ASP.NET hosting environments
* Building an ASP.NET Security Protection layer (also called Web Application Firewall);

You will walk away from this class with a much better understanding of some of the weaknesses of .NET applications, particularly the internals of the .NET framework. You will also get the chance to put your skills to the test against a target application over the course of the class.

'''Requirements'''

A laptop with VMWare Player pre-installed. A VMWare image containing all necessary lab tools will be provided.

'''Prerequisites'''

This is an advanced course targeted at industry professionals who want to understand the weaknesses and the power of the .Net Framework.

To get the most of this course and to be able to do the extensive practice material provided (using a VMWare image), the participants must:

* Have a good understanding of a .NET Language (Ideally C#)
* Be familiar with MSIL/Assembly
* Have some experience with debugging user-land applications
* Have commercial experience on either application development or security auditing.

The material is presented at a pace adjusted for experienced developers and/or security consultants.

'''Trainer'''

Dinis Cruz is the OWASP Evangelist, current OWASP .NET Project leader and the main developer of several of OWASP .NET tools (SAM'SHE, ANBS, SiteGenerator, PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).

Since the 1.1 release of the .NET Framework, Dinis has been one of the strongest proponents of the need to write .NET applications that can be executed in secure Partially Trusted .NET environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust ASP.NET Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by Dinis Cruz (OWASP Chief Evangelist)

== T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

'''Details'''

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:

* Web Services attack patterns
* Common XML attack patterns
* Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
* Identity services and federation with SAML and Liberty
* Hardening Web Services servers
* Input validation for Web Services
* Integrating Web Services securely with backend resources and applications using WS-Trust
* Secure Exception handling in Web Services

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by [http://www.arctecgroup.net http://www.owasp.org/images/b/bc/Arctec_logo.jpeg]

7th OWASP AppSec Conference - San Jose 2007/Training

2007-08-27T17:02:54Z

Aspectmichelle: /* T1. Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007 */

== Conference Training Day - Two Day Training Courses - November 12th-13th, 2007 ==

OWASP has arranged to have four 2-day Application Security training courses prior to the conference.

The first two courses will be provided by a long time contributor to OWASP, Aspect Security. The third course is being taught by Dinis Cruz, the OWASP Evangelist and one of the longest active members at OWASP. The fourth course will be provided by another active OWASP member, the Arctec Group. All of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

{| align="center" width="60%" cellpadding="2" cellspacing="5" style="vertical-align:top;background-color:#cedff2"
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T1</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T2</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T3</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Advanced Asp.Net Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T4</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Web Services and XML Security - 2-Day Course - Nov 12-13, 2007</div>
|}

<center>*Note: Information corresponding to each training course is located below.</center>

'''Pricing'''

$1300 for conference attendees. [Note: This fee includes snacks, and LUNCH]

$1450 - Tutorial only pricing (if not attending the conference)

$675 - Student Pricing

'''Location'''

At eBay in San Jose. Same location as the conference.

'''Course Times'''

Each class begins at 9 AM and runs until 5 PM each day.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

== T1. Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration is available via the OWASP Conference Cvent site at: http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T2. Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007 ==

'''Summary'''

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including 1) Java EE security overview, 2) all coding examples are specifically focused on Java and Java servers, and 3) the addition of 3 hands on coding labs where the students find and then fix security vulnerabilities in an application developed for the class.

This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful one day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

For this Java focused course, students will additionally have the opportunity to find and exploit, and then fix vulnerabilities in three different labs using Eclipse.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T3. Advanced ASP.NET Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

In this two day course you will push ASP.NET to the limit and will be shown how ASP.NET applications and environments can be exploited by skilled attackers. Advanced exploitation techniques will be presented together with low-level technical analysis of the .NET Framework. You will also learn advanced defense techniques such as: Building an ASP.NET Security Protection layer (also called a Web Application Firewall) and Real time patching of vulnerabilities in the target application, the .NET Framework or the CLR.

'''Details'''

The Course is made of 2 modules

'''Module 1: Security principles and .NET Framework Architecture; Guerrilla Threat Modeling; Exploiting ASP.NET Applications'''

* Analysis of the .NET Framework and its core components (CLR, Garbage Collector, Verifier, Security Manager)
* Using quick-and-dirty threat models to discover vulnerabilities in the target application
* Exploiting vulnerabilities in ASP.NET applications: Data Validation, Authorization, Authentication, SessionState, XSS, Cookies, AJAX, Web Services, Remoting, etc. (using basic and advanced techniques)
* Exploiting Buffer Overflows and Windows vulnerabilities via ASP.NET Applications

'''Module 2: Exploiting Full Trust and Partial Trust ASP.NET Environments; Advanced ASP.NET Countermeasures'''

* Practical demonstrations of the power of Full Trust ASP.NET:
* Rooting the CLR (e.g. patching the .Net Framework and CLR), Reflection, IIS Metabase, Shellcode injection, Launching internal attacks to compromise the server and the data center
* Full Trust non-verification and Type Safety attacks (via MSIL manipulation)
* Exploiting Insecure Partial Trust ASP.NET Environments
* Applying real-time security patches in the target application, .NET Framework and CLR
* Solutions to create secure Data Validation and Authorization architectures
* Creating secure ASP.NET hosting environments
* Building an ASP.NET Security Protection layer (also called Web Application Firewall);

You will walk away from this class with a much better understanding of some of the weaknesses of .NET applications, particularly the internals of the .NET framework. You will also get the chance to put your skills to the test against a target application over the course of the class.

'''Requirements'''

A laptop with VMWare Player pre-installed. A VMWare image containing all necessary lab tools will be provided.

'''Prerequisites'''

This is an advanced course targeted at industry professionals who want to understand the weaknesses and the power of the .Net Framework.

To get the most of this course and to be able to do the extensive practice material provided (using a VMWare image), the participants must:

* Have a good understanding of a .NET Language (Ideally C#)
* Be familiar with MSIL/Assembly
* Have some experience with debugging user-land applications
* Have commercial experience on either application development or security auditing.

The material is presented at a pace adjusted for experienced developers and/or security consultants.

'''Trainer'''

Dinis Cruz is the OWASP Evangelist, current OWASP .NET Project leader and the main developer of several of OWASP .NET tools (SAM'SHE, ANBS, SiteGenerator, PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).

Since the 1.1 release of the .NET Framework, Dinis has been one of the strongest proponents of the need to write .NET applications that can be executed in secure Partially Trusted .NET environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust ASP.NET Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by Dinis Cruz (OWASP Chief Evangelist)

== T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

'''Details'''

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:

* Web Services attack patterns
* Common XML attack patterns
* Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
* Identity services and federation with SAML and Liberty
* Hardening Web Services servers
* Input validation for Web Services
* Integrating Web Services securely with backend resources and applications using WS-Trust
* Secure Exception handling in Web Services

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by [http://www.arctecgroup.net http://www.owasp.org/images/b/bc/Arctec_logo.jpeg]

OWASP & WASC AppSec 2007 Conference

2007-08-27T17:00:24Z

Aspectmichelle: /* Registration */

We are still in the planning stages for the next OWASP U.S. conference, eBay in San Jose, CA Nov 12-15, 2007.

Web Services Track: The conference will have 3 tracks on the first day instead of 2. The 3rd track will be focused on Web Services Security which is a new area for OWASP. If you are interested in speaking at this conference on a Web Services Security topic, please contact Gunnar Peterson, who is organizing that track.

Application Security Technology Expo: This conference will also have a technology expo for the first time. Application Security product vendors will be able to demonstrate the technical capabilities of their products in the technology expo area. More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

==Conference Location==

This year's US OWASP conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training Days: Novermber 12th-13th]]

Main Conference: November 14th-15th

==Agenda and Presentations: Wednesday-Thursday - Nov 14th-15th==

The [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda agenda] will follow the (current) standard OWASP conference format of two tracks, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing presentations back in the main auditorium both days. In addition, on the first day, there will be a third track focused on Web Services Security.

This conference will include presentations from many different OWASP contributors and leading Application Security professionals, and will include one panel each day.

The OWASP AppSec San Jose 2007 agenda is still being developed.

==Training: Monday-Tuesday - Nov 12th-13th==

OWASP has arranged for a suite of two day Application Security training courses to be offered prior to the conference. The tutorials being offered are:

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Building and Testing Secure Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | Secure Coding for Java EE]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Advanced_Asp.Net_Exploits_and_Countermeasures_-_2-Day_Course_-_Nov_12-13.2C_2007 | Advanced Asp.Net Exploits and Countermeasures]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | Web Services and XML Security]]

==Conference Fees==

Standard: $400, OWASP Members: $350, Students: $225, Early Registration Discount (by Oct 12): $50 ($25 for students)

Conference Dinner (Evening of Nov 14th): $50

Conference Tutorial (Two day tutorials Nov 12-13): $1300, $1450 [If not attending the conference], Student Fee: $675

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

==[http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd Registration]==

Here is the [http://guest.cvent.com/i.aspx?4W,M3,17e6e912-2dec-4de6-8946-aa005721c4dd registration page].

==Hotel and Transportation Info==

OWASP is currently negotiating rates with local hotels

From San Jose International Airport (SJC):
eBay is located about a mile from this airport

From San Francisco International Airport (SFO):
eBay is located 40 miles from this airport

== Conference Committee ==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

Web Services Security Track Chair: Gunnar Peterson - Arctec Group - gunnar 'at' arctecgroup.net

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' list.org

Refereed Papers Chair: Frank Piessens - KU Leuven - Frank.Piessens 'at' cs.kuleuven.ac.be

== [[OWASP AppSec Conference Sponsors | Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]

We are also going to have vendor booths at this conference for the first time. If you are interested in demonstrating your application security product to a sophisticated audience of application security professionals, please contact us for more information. Please contact either Dave Wichers (the OWASP Conferences Chair) or Pravir Chandra, who will be organizing the vendor area for this conference.

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

__NOTOC__

OWASP & WASC AppSec 2007 Conference

2007-08-27T16:55:37Z

Aspectmichelle:

We are still in the planning stages for the next OWASP U.S. conference, eBay in San Jose, CA Nov 12-15, 2007.

Web Services Track: The conference will have 3 tracks on the first day instead of 2. The 3rd track will be focused on Web Services Security which is a new area for OWASP. If you are interested in speaking at this conference on a Web Services Security topic, please contact Gunnar Peterson, who is organizing that track.

Application Security Technology Expo: This conference will also have a technology expo for the first time. Application Security product vendors will be able to demonstrate the technical capabilities of their products in the technology expo area. More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

==Conference Location==

This year's US OWASP conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training Days: Novermber 12th-13th]]

Main Conference: November 14th-15th

==Agenda and Presentations: Wednesday-Thursday - Nov 14th-15th==

The [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda agenda] will follow the (current) standard OWASP conference format of two tracks, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing presentations back in the main auditorium both days. In addition, on the first day, there will be a third track focused on Web Services Security.

This conference will include presentations from many different OWASP contributors and leading Application Security professionals, and will include one panel each day.

The OWASP AppSec San Jose 2007 agenda is still being developed.

==Training: Monday-Tuesday - Nov 12th-13th==

OWASP has arranged for a suite of two day Application Security training courses to be offered prior to the conference. The tutorials being offered are:

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Building and Testing Secure Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | Secure Coding for Java EE]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Advanced_Asp.Net_Exploits_and_Countermeasures_-_2-Day_Course_-_Nov_12-13.2C_2007 | Advanced Asp.Net Exploits and Countermeasures]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | Web Services and XML Security]]

==Conference Fees==

Standard: $400, OWASP Members: $350, Students: $225, Early Registration Discount (by Oct 12): $50 ($25 for students)

Conference Dinner (Evening of Nov 14th): $50

Conference Tutorial (Two day tutorials Nov 12-13): $1300, $1450 [If not attending the conference], Student Fee: $675

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

==Registration==

==Hotel and Transportation Info==

OWASP is currently negotiating rates with local hotels

From San Jose International Airport (SJC):
eBay is located about a mile from this airport

From San Francisco International Airport (SFO):
eBay is located 40 miles from this airport

== Conference Committee ==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

Web Services Security Track Chair: Gunnar Peterson - Arctec Group - gunnar 'at' arctecgroup.net

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' list.org

Refereed Papers Chair: Frank Piessens - KU Leuven - Frank.Piessens 'at' cs.kuleuven.ac.be

== [[OWASP AppSec Conference Sponsors | Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]

We are also going to have vendor booths at this conference for the first time. If you are interested in demonstrating your application security product to a sophisticated audience of application security professionals, please contact us for more information. Please contact either Dave Wichers (the OWASP Conferences Chair) or Pravir Chandra, who will be organizing the vendor area for this conference.

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

__NOTOC__

OWASP & WASC AppSec 2007 Conference

2007-08-24T15:45:05Z

Aspectmichelle:

We are still in the planning stages for the next OWASP U.S. conference, eBay in San Jose, CA Nov 12-15, 2007.

Web Services Track: The conference will have 3 tracks on the first day instead of 2. The 3rd track will be focused on Web Services Security which is a new area for OWASP. If you are interested in speaking at this conference on a Web Services Security topic, please contact Gunnar Peterson, who is organizing that track.

Application Security Vendor Expo: This conference will also have a vendor expo for the first time Application Security product vendors can demonstrate the technical capabilities of their products. More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

==Conference Location==

This year's US OWASP conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training Days: Novermber 12th-13th]]

Main Conference: November 14th-15th

==Agenda and Presentations: Wednesday-Thursday - Nov 14th-15th==

The [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda agenda] will follow the (current) standard OWASP conference format of two tracks, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing presentations back in the main auditorium both days. In addition, on the first day, there will be a third track focused on Web Services Security.

This conference will include presentations from many different OWASP contributors and leading Application Security professionals, and will include one panel each day.

The OWASP AppSec San Jose 2007 agenda is still being developed.

==Training: Monday-Tuesday - Nov 12th-13th==

OWASP has arranged for a suite of two day Application Security training courses to be offered prior to the conference. The tutorials being offered are:

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Building and Testing Secure Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | Secure Coding for Java EE]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Advanced_Asp.Net_Exploits_and_Countermeasures_-_2-Day_Course_-_Nov_12-13.2C_2007 | Advanced Asp.Net Exploits and Countermeasures]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | Web Services and XML Security]]

==Conference Fees==

Standard: $400, OWASP Members: $350, Students: $225, Early Registration Discount (by Oct 12): $50 ($25 for students)

Conference Dinner (Evening of Nov 14th): $50

Conference Tutorial (Two day tutorials Nov 12-13): $1300, $1450 [If not attending the conference], Student Fee: $675

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

==Hotel and Transportation Info==

OWASP is currently negotiating rates with local hotels

From San Jose International Airport (SJC):
eBay is located about a mile from this airport

From San Francisco International Airport (SFO):
eBay is located 40 miles from this airport

== Conference Committee ==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

Web Services Security Track Chair: Gunnar Peterson - Arctec Group - gunnar 'at' arctecgroup.net

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' list.org

Refereed Papers Chair: Frank Piessens - KU Leuven - Frank.Piessens 'at' cs.kuleuven.ac.be

== [[OWASP AppSec Conference Sponsors | Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]

We are also going to have vendor booths at this conference for the first time. If you are interested in demonstrating your application security product to a sophisticated audience of application security professionals, please contact us for more information. Please contact either Dave Wichers (the OWASP Conferences Chair) or Pravir Chandra, who will be organizing the vendor area for this conference.

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

__NOTOC__

OWASP AppSec Conference Sponsors

2007-08-24T15:19:37Z

Aspectmichelle: /* OWASP Conference Sponsorship */

== OWASP Conference Sponsorship ==

OWASP is accepting sponsorships for the 2007 OWASP Conferences. Financial sponsorship for a conference will help defray the non-profit OWASP Foundation's expenses to prepare for and hold this conference.

The following is our current sponsorship plan:

* Sponsor information will be presented on the main conference page

* A Sponsor information sheet will be included in handouts to all attendees

* Sponsors can include a poster (no larger than 6 ft. x 4 ft.) at the conference in the main hallway

* Includes 2 Free admissions to the conference

The sponsorship fee for 7th OWASP Conference in San Jose, CA in November 2007 is $4250.

Note: We are also working on pulling together vendor booths for application security product vendors to exhibit at the San Jose conference. We have not figured out these details or pricing but in the mean time, if you are interested in exhibiting, please let us know.

If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

== Sending Materials to Conference Facility in San Jose ==

Sponsors, please ship your conference materials to:

Location TBD.

All materials must arrive no earlier than date TBD.

== Conference Sponsors ==

The following are the sponsors for the 7th OWASP AppSec Conference.

[http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]

OWASP AppSec Conference Sponsors

2007-08-24T15:17:30Z

Aspectmichelle: /* Conference Sponsors */

== OWASP Conference Sponsorship ==

OWASP is accepting sponsorships for the 2007 OWASP Conferences. Financial sponsorship for a conference will help defray the non-profit OWASP Foundation's expenses to prepare for and hold this conference.

The following is our current sponsorship plan:

* Sponsor information will be presented on the main conference page

* A Sponsor information sheet will be included in handouts to all attendees

* Sponsors can include a poster (no larger than 6 ft. x 4 ft.) at the conference in the main hallway

* Includes 2 Free admissions to the conference

The sponsorship fee for 7th OWASP Conference in San Jose, CA in October 2007 is $4250.

Note: We are also working on pulling together vendor booths for application security product vendors to exhibit at the San Jose conference. We have not figured out these details or pricing but in the mean time, if you are interested in exhibiting, please let us know.

If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

== Sending Materials to Conference Facility in San Jose ==

Sponsors, please ship your conference materials to:

Location TBD.

All materials must arrive no earlier than date TBD.

== Conference Sponsors ==

The following are the sponsors for the 7th OWASP AppSec Conference.

[http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]

OWASP & WASC AppSec 2007 Conference

2007-08-24T15:16:47Z

Aspectmichelle: /* Agenda and Presentations - Nov 14th-15th */

We are still in the planning stages for the next OWASP U.S. conference, eBay in San Jose, CA Nov 12-15, 2007.

Web Services Track: The conference will have 3 tracks on the first day instead of 2. The 3rd track will be focused on Web Services Security which is a new area for OWASP. If you are interested in speaking at this conference on a Web Services Security topic, please contact Gunnar Peterson, who is organizing that track.

Application Security Vendor Expo: This conference will also have a vendor expo for the first time Application Security product vendors can demonstrate the technical capabilities of their products. More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

==Conference Location==

This year's US OWASP conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training Days: Novermber 12th-13th]]

Main Conference: November 14th-15th

==Agenda and Presentations: Wednesday-Thursday - Nov 14th-15th==

The [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda agenda] will follow the (current) standard OWASP conference format of two tracks, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing presentations back in the main auditorium both days. In addition, on the first day, there will be a third track focused on Web Services Security.

This conference will include presentations from many different OWASP contributors and leading Application Security professionals, and will include one panel each day.

The OWASP AppSec San Jose 2007 agenda is still being developed.

==Training: Monday-Tuesday - Nov 12th-13th==

OWASP has arranged for a suite of two day Application Security training courses to be offered prior to the conference. The tutorials being offered are:

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Building and Testing Secure Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | Secure Coding for Java EE]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Advanced_Asp.Net_Exploits_and_Countermeasures_-_2-Day_Course_-_Nov_12-13.2C_2007 | Advanced Asp.Net Exploits and Countermeasures]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | Web Services and XML Security]]

==Conference Fees==

Standard: $400, OWASP Members: $350, Students: $225, Early Registration Discount (by Oct 12): $50 ($25 for students)

Conference Dinner (Evening of Nov 14th): $50

Conference Tutorial (Two day tutorials Nov 12-13): $1300, $1450 [If not attending the conference], Student Fee: $675

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

== Conference Committee ==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

Web Services Security Track Chair: Gunnar Peterson - Arctec Group - gunnar 'at' arctecgroup.net

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' list.org

Refereed Papers Chair: Frank Piessens - KU Leuven - Frank.Piessens 'at' cs.kuleuven.ac.be

== [[OWASP AppSec Conference Sponsors | Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]

We are also going to have vendor booths at this conference for the first time. If you are interested in demonstrating your application security product to a sophisticated audience of application security professionals, please contact us for more information. Please contact either Dave Wichers (the OWASP Conferences Chair) or Pravir Chandra, who will be organizing the vendor area for this conference.

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

__NOTOC__

7th OWASP AppSec Conference - San Jose 2007/Training

2007-08-24T15:14:14Z

Aspectmichelle: /* T3. Advanced ASP.NET Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007 */

== Conference Training Day - Two Day Training Courses - November 12th-13th, 2007 ==

OWASP has arranged to have four 2-day Application Security training courses prior to the conference.

The first two courses will be provided by a long time contributor to OWASP, Aspect Security. The third course is being taught by Dinis Cruz, the OWASP Evangelist and one of the longest active members at OWASP. The fourth course will be provided by another active OWASP member, the Arctec Group. All of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

{| align="center" width="60%" cellpadding="2" cellspacing="5" style="vertical-align:top;background-color:#cedff2"
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T1</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T2</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T3</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Advanced Asp.Net Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T4</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Web Services and XML Security - 2-Day Course - Nov 12-13, 2007</div>
|}

<center>*Note: Information corresponding to each training course is located below.</center>

'''Pricing'''

$1300 for conference attendees. [Note: This fee includes snacks, and LUNCH]

$1450 - Tutorial only pricing (if not attending the conference)

$675 - Student Pricing

'''Location'''

At eBay in San Jose. Same location as the conference.

'''Course Times'''

Each class begins at 9 AM and runs until 5 PM each day.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

== T1. Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T2. Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007 ==

'''Summary'''

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including 1) Java EE security overview, 2) all coding examples are specifically focused on Java and Java servers, and 3) the addition of 3 hands on coding labs where the students find and then fix security vulnerabilities in an application developed for the class.

This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful one day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

For this Java focused course, students will additionally have the opportunity to find and exploit, and then fix vulnerabilities in three different labs using Eclipse.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T3. Advanced ASP.NET Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

In this two day course you will push ASP.NET to the limit and will be shown how ASP.NET applications and environments can be exploited by skilled attackers. Advanced exploitation techniques will be presented together with low-level technical analysis of the .NET Framework. You will also learn advanced defense techniques such as: Building an ASP.NET Security Protection layer (also called a Web Application Firewall) and Real time patching of vulnerabilities in the target application, the .NET Framework or the CLR.

'''Details'''

The Course is made of 2 modules

'''Module 1: Security principles and .NET Framework Architecture; Guerrilla Threat Modeling; Exploiting ASP.NET Applications'''

* Analysis of the .NET Framework and its core components (CLR, Garbage Collector, Verifier, Security Manager)
* Using quick-and-dirty threat models to discover vulnerabilities in the target application
* Exploiting vulnerabilities in ASP.NET applications: Data Validation, Authorization, Authentication, SessionState, XSS, Cookies, AJAX, Web Services, Remoting, etc. (using basic and advanced techniques)
* Exploiting Buffer Overflows and Windows vulnerabilities via ASP.NET Applications

'''Module 2: Exploiting Full Trust and Partial Trust ASP.NET Environments; Advanced ASP.NET Countermeasures'''

* Practical demonstrations of the power of Full Trust ASP.NET:
* Rooting the CLR (e.g. patching the .Net Framework and CLR), Reflection, IIS Metabase, Shellcode injection, Launching internal attacks to compromise the server and the data center
* Full Trust non-verification and Type Safety attacks (via MSIL manipulation)
* Exploiting Insecure Partial Trust ASP.NET Environments
* Applying real-time security patches in the target application, .NET Framework and CLR
* Solutions to create secure Data Validation and Authorization architectures
* Creating secure ASP.NET hosting environments
* Building an ASP.NET Security Protection layer (also called Web Application Firewall);

You will walk away from this class with a much better understanding of some of the weaknesses of .NET applications, particularly the internals of the .NET framework. You will also get the chance to put your skills to the test against a target application over the course of the class.

'''Requirements'''

A laptop with VMWare Player pre-installed. A VMWare image containing all necessary lab tools will be provided.

'''Prerequisites'''

This is an advanced course targeted at industry professionals who want to understand the weaknesses and the power of the .Net Framework.

To get the most of this course and to be able to do the extensive practice material provided (using a VMWare image), the participants must:

* Have a good understanding of a .NET Language (Ideally C#)
* Be familiar with MSIL/Assembly
* Have some experience with debugging user-land applications
* Have commercial experience on either application development or security auditing.

The material is presented at a pace adjusted for experienced developers and/or security consultants.

'''Trainer'''

Dinis Cruz is the OWASP Evangelist, current OWASP .NET Project leader and the main developer of several of OWASP .NET tools (SAM'SHE, ANBS, SiteGenerator, PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).

Since the 1.1 release of the .NET Framework, Dinis has been one of the strongest proponents of the need to write .NET applications that can be executed in secure Partially Trusted .NET environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust ASP.NET Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by Dinis Cruz (OWASP Chief Evangelist)

== T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

'''Details'''

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:

* Web Services attack patterns
* Common XML attack patterns
* Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
* Identity services and federation with SAML and Liberty
* Hardening Web Services servers
* Input validation for Web Services
* Integrating Web Services securely with backend resources and applications using WS-Trust
* Secure Exception handling in Web Services

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by [http://www.arctecgroup.net http://www.owasp.org/images/b/bc/Arctec_logo.jpeg]

7th OWASP AppSec Conference - San Jose 2007/Training

2007-08-24T15:12:09Z

Aspectmichelle: /* T1. Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007 */

== Conference Training Day - Two Day Training Courses - November 12th-13th, 2007 ==

OWASP has arranged to have four 2-day Application Security training courses prior to the conference.

The first two courses will be provided by a long time contributor to OWASP, Aspect Security. The third course is being taught by Dinis Cruz, the OWASP Evangelist and one of the longest active members at OWASP. The fourth course will be provided by another active OWASP member, the Arctec Group. All of these courses were offered in their 1-day format at the last two OWASP AppSec conferences and were well received. This is the first OWASP conference where we have been able to expand these classes to their 2-day format.

These courses are being offered to attendees of the OWASP conference at a significant discount to their standard commercial price. Most of the course fee will go to OWASP to support the OWASP Foundation's efforts.

{| align="center" width="60%" cellpadding="2" cellspacing="5" style="vertical-align:top;background-color:#cedff2"
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T1</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T2</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T3</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Advanced Asp.Net Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007</div>
|-
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">T4</div>
! <div style="margin:0;background-color:#f5faff;font-family:sans-serif;font-size:100%;font-weight:bold;border:1px solid #a3b0bf;text-align:left;color:#000;padding:0.2em 0.4em;">Web Services and XML Security - 2-Day Course - Nov 12-13, 2007</div>
|}

<center>*Note: Information corresponding to each training course is located below.</center>

'''Pricing'''

$1300 for conference attendees. [Note: This fee includes snacks, and LUNCH]

$1450 - Tutorial only pricing (if not attending the conference)

$675 - Student Pricing

'''Location'''

At eBay in San Jose. Same location as the conference.

'''Course Times'''

Each class begins at 9 AM and runs until 5 PM each day.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

== T1. Building and Testing Secure Web Applications - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T2. Secure Coding for Java EE - 2-Day Course - Nov 12-13, 2007 ==

'''Summary'''

This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including 1) Java EE security overview, 2) all coding examples are specifically focused on Java and Java servers, and 3) the addition of 3 hands on coding labs where the students find and then fix security vulnerabilities in an application developed for the class.

This course is a compressed version of Aspect's standard 3-day Secure Coding for Java EE course.

'''Course Overview'''

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is just not a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful one day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code.

'''Details'''

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following common vulnerability areas:

* Unvalidated Parameters *
* Broken Access Control *
* Broken Account and Session Management *
* Cross-Site Scripting (XSS) Flaws *
* Buffer Overflows *
* Command Injection Flaws *
* Error Handling Problems *
* Insecure Use of Cryptography *
* Denial of Service *
* Web and Application Server Misconfiguration *
* Poor Logging Practices
* Caching, Pooling, and Reuse Errors
* Code Quality

<nowiki>*</nowiki> The OWASP Top Ten Most Critical Web Application Vulnerabilities

For each area, the course covers the following:

* Theoretical foundations
* Recommended security policies
* Common pitfalls when implementing
* Details on historical exploits
* Best practices for implementation

'''Hands on Exercises'''

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application (i.e., WebGoat) that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises.

For this Java focused course, students will additionally have the opportunity to find and exploit, and then fix vulnerabilities in three different labs using Eclipse.

'''Requirements'''

If you are interested in participating in the hands on portion of the course, please bring a Windows based laptop that supports Java.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]

== T3. Advanced ASP.NET Exploits and Countermeasures - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

In this one day course you will push ASP.NET to the limit and will be shown how ASP.NET applications and environments can be exploited by skilled attackers. Advanced exploitation techniques will be presented together with low-level technical analysis of the .NET Framework. You will also learn advanced defense techniques such as: Building an ASP.NET Security Protection layer (also called a Web Application Firewall) and Real time patching of vulnerabilities in the target application, the .NET Framework or the CLR.

'''Details'''

The Course is made of 2 modules (one in the morning and one in the afternoon)

'''Module 1: Security principles and .NET Framework Architecture; Guerrilla Threat Modeling; Exploiting ASP.NET Applications'''

* Analysis of the .NET Framework and its core components (CLR, Garbage Collector, Verifier, Security Manager)
* Using quick-and-dirty threat models to discover vulnerabilities in the target application
* Exploiting vulnerabilities in ASP.NET applications: Data Validation, Authorization, Authentication, SessionState, XSS, Cookies, AJAX, Web Services, Remoting, etc. (using basic and advanced techniques)
* Exploiting Buffer Overflows and Windows vulnerabilities via ASP.NET Applications

'''Module 2: Exploiting Full Trust and Partial Trust ASP.NET Environments; Advanced ASP.NET Countermeasures'''

* Practical demonstrations of the power of Full Trust ASP.NET:
* Rooting the CLR (e.g. patching the .Net Framework and CLR), Reflection, IIS Metabase, Shellcode injection, Launching internal attacks to compromise the server and the data center
* Full Trust non-verification and Type Safety attacks (via MSIL manipulation)
* Exploiting Insecure Partial Trust ASP.NET Environments
* Applying real-time security patches in the target application, .NET Framework and CLR
* Solutions to create secure Data Validation and Authorization architectures
* Creating secure ASP.NET hosting environments
* Building an ASP.NET Security Protection layer (also called Web Application Firewall);

You will walk away from this class with a much better understanding of some of the weaknesses of .NET applications, particularly the internals of the .NET framework. You will also get the chance to put your skills to the test against a target application over the course of the class.

'''Requirements'''

A laptop with VMWare Player pre-installed. A VMWare image containing all necessary lab tools will be provided.

'''Prerequisites'''

This is an advanced course targeted at industry professionals who want to understand the weaknesses and the power of the .Net Framework.

To get the most of this course and to be able to do the extensive practice material provided (using a VMWare image), the participants must:

* Have a good understanding of a .NET Language (Ideally C#)
* Be familiar with MSIL/Assembly
* Have some experience with debugging user-land applications
* Have commercial experience on either application development or security auditing.

The material is presented at a pace adjusted for experienced developers and/or security consultants.

'''Trainer'''

Dinis Cruz is the OWASP Evangelist, current OWASP .NET Project leader and the main developer of several of OWASP .NET tools (SAM'SHE, ANBS, SiteGenerator, PenTest Reporter, Asp.Net Reflector, Online IIS Metabase Explorer).

Since the 1.1 release of the .NET Framework, Dinis has been one of the strongest proponents of the need to write .NET applications that can be executed in secure Partially Trusted .NET environments, and has done extensive research on: Rooting the CLR, exposing the dangers of Full Trust ASP.NET Code, Type Confusion vulnerabilities in Full Trust (i.e. non verifiable) code, creating .Net Security Protection Layers and using Reflection to dynamically manipulate .Net Client applications.

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by Dinis Cruz (OWASP Chief Evangelist)

== T4. Web Services and XML Security - 2-Day Course - Nov 12-13, 2007 ==

'''Course Overview'''

The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system!

'''Details'''

Topics covered include understanding how web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web Services world, and Web Services security topics including:

* Web Services attack patterns
* Common XML attack patterns
* Data and XML security using WS-Security, SAML, XML Encryption and XML Digital Signature
* Identity services and federation with SAML and Liberty
* Hardening Web Services servers
* Input validation for Web Services
* Integrating Web Services securely with backend resources and applications using WS-Trust
* Secure Exception handling in Web Services

'''Registration'''

Registration will be available via the OWASP Conference Cvent site.

'''Tutorial Provider'''

This tutorial is provided by [http://www.arctecgroup.net http://www.owasp.org/images/b/bc/Arctec_logo.jpeg]

OWASP & WASC AppSec 2007 Conference

2007-08-24T15:11:15Z

Aspectmichelle: /* Agenda and Presentations - November 14th-15th */

We are still in the planning stages for the next OWASP U.S. conference, eBay in San Jose, CA Nov 12-15, 2007.

Web Services Track: The conference will have 3 tracks on the first day instead of 2. The 3rd track will be focused on Web Services Security which is a new area for OWASP. If you are interested in speaking at this conference on a Web Services Security topic, please contact Gunnar Peterson, who is organizing that track.

Application Security Vendor Expo: This conference will also have a vendor expo for the first time Application Security product vendors can demonstrate the technical capabilities of their products. More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

==Conference Location==

This year's US OWASP conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training Days: Novermber 12th-13th]]

Main Conference: November 14th-15th

==Agenda and Presentations - Nov 14th-15th==

The [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda agenda] will follow the (current) standard OWASP conference format of two tracks, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing presentations back in the main auditorium both days. In addition, on the first day, there will be a third track focused on Web Services Security.

This conference will include presentations from many different OWASP contributors and leading Application Security professionals, and will include one panel each day.

The OWASP AppSec San Jose 2007 agenda is still being developed.

==Training: Monday-Tuesday - Nov 12th-13th==

OWASP has arranged for a suite of two day Application Security training courses to be offered prior to the conference. The tutorials being offered are:

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Building and Testing Secure Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | Secure Coding for Java EE]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Advanced_Asp.Net_Exploits_and_Countermeasures_-_2-Day_Course_-_Nov_12-13.2C_2007 | Advanced Asp.Net Exploits and Countermeasures]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | Web Services and XML Security]]

==Conference Fees==

Standard: $400, OWASP Members: $350, Students: $225, Early Registration Discount (by Oct 12): $50 ($25 for students)

Conference Dinner (Evening of Nov 14th): $50

Conference Tutorial (Two day tutorials Nov 12-13): $1300, $1450 [If not attending the conference], Student Fee: $675

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

== Conference Committee ==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

Web Services Security Track Chair: Gunnar Peterson - Arctec Group - gunnar 'at' arctecgroup.net

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' list.org

Refereed Papers Chair: Frank Piessens - KU Leuven - Frank.Piessens 'at' cs.kuleuven.ac.be

== [[OWASP AppSec Conference Sponsors | Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]

We are also going to have vendor booths at this conference for the first time. If you are interested in demonstrating your application security product to a sophisticated audience of application security professionals, please contact us for more information. Please contact either Dave Wichers (the OWASP Conferences Chair) or Pravir Chandra, who will be organizing the vendor area for this conference.

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

__NOTOC__

OWASP & WASC AppSec 2007 Conference

2007-08-24T15:10:48Z

Aspectmichelle: /* Agenda and Presentations - Oct 17th-18th */

We are still in the planning stages for the next OWASP U.S. conference, eBay in San Jose, CA Nov 12-15, 2007.

Web Services Track: The conference will have 3 tracks on the first day instead of 2. The 3rd track will be focused on Web Services Security which is a new area for OWASP. If you are interested in speaking at this conference on a Web Services Security topic, please contact Gunnar Peterson, who is organizing that track.

Application Security Vendor Expo: This conference will also have a vendor expo for the first time Application Security product vendors can demonstrate the technical capabilities of their products. More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

==Conference Location==

This year's US OWASP conference will be held at eBay at their facility at: 2211 North First Street in San Jose, CA Nov 12th-15th.

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training | Training Days: Novermber 12th-13th]]

Main Conference: November 14th-15th

==Agenda and Presentations - November 14th-15th==

The [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda agenda] will follow the (current) standard OWASP conference format of two tracks, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing presentations back in the main auditorium both days. In addition, on the first day, there will be a third track focused on Web Services Security.

This conference will include presentations from many different OWASP contributors and leading Application Security professionals, and will include one panel each day.

The OWASP AppSec San Jose 2007 agenda is still being developed.

==Training: Monday-Tuesday - Nov 12th-13th==

OWASP has arranged for a suite of two day Application Security training courses to be offered prior to the conference. The tutorials being offered are:

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Building and Testing Secure Web Applications]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | Secure Coding for Java EE]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Advanced_Asp.Net_Exploits_and_Countermeasures_-_2-Day_Course_-_Nov_12-13.2C_2007 | Advanced Asp.Net Exploits and Countermeasures]]

[[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | Web Services and XML Security]]

==Conference Fees==

Standard: $400, OWASP Members: $350, Students: $225, Early Registration Discount (by Oct 12): $50 ($25 for students)

Conference Dinner (Evening of Nov 14th): $50

Conference Tutorial (Two day tutorials Nov 12-13): $1300, $1450 [If not attending the conference], Student Fee: $675

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

== Conference Committee ==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

Web Services Security Track Chair: Gunnar Peterson - Arctec Group - gunnar 'at' arctecgroup.net

Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' list.org

Refereed Papers Chair: Frank Piessens - KU Leuven - Frank.Piessens 'at' cs.kuleuven.ac.be

== [[OWASP AppSec Conference Sponsors | Conference Sponsors]]==

The following organizations are sponsors for this conference. If you are interested in sponsoring either of the 2007 OWASP conferences, please contact OWASP at: conferences 'at' owasp.org.

[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]
[http://www.fortifysoftware.com https://www.owasp.org/images/d/d1/Fortify.JPG]

We are also going to have vendor booths at this conference for the first time. If you are interested in demonstrating your application security product to a sophisticated audience of application security professionals, please contact us for more information. Please contact either Dave Wichers (the OWASP Conferences Chair) or Pravir Chandra, who will be organizing the vendor area for this conference.

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

[[Category:OWASP AppSec Conference]]

__NOTOC__