OWASP - User contributions [en]

OWASP Connections Committee - Application 9

2012-03-14T20:45:52Z

Camargoneves:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----

{| border="0" align="center" style="width: 100%;"
|-
! align="center" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="2" | <font color="white">'''COMMITTEE APPLICATION FORM'''</font>
|-
| align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Applicant's Name'''
| align="left" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="1" | <font color="black">Luiz Eduardo Dos Santos</font>
|-
| align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Current and past OWASP Roles'''
| align="left" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="1" | LATAM Regional Event Coordinator, Member
|-
| align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''Committee Applying for'''
| align="left" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="1" | OWASP Connection Committee
|}

----

<br>

----

Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote.

----

<br>

----

{| border="0" align="center" style="width: 100%;"
|-
! align="center" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="8" | <font color="white">'''COMMITTEE RECOMMENDATIONS'''</font>
|-
! align="center" style="background: white none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font color="black"></font>
! align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font color="black">'''Who Recommends/Name'''</font>
! align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font color="black">'''Role in OWASP'''</font>
! align="center" style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font color="black">'''Recommendation Content'''</font>
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''1'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Lucas C. Ferreira
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Portuguese Project Leader, Conferences Committee Member
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Luiz Eduardo is one of the best known security professionals in Brazil, has helped with the Program committee of AppSec Brasil 2011 and is very well connected to industry and academia folks around the globe.
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''2'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Eduardo V. C. Neves
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Former member of the Global Education Committee
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | Luiz Eduardo is a professional working on the Information Security industry for many years and was able to create and maintain one of the most important Security Conferences in Brazil for six years, maintain a Security Podcast, create a second conference and keep his sanity. He can be a great contribution to an OWASP Committee using his energy, creativity and connections to increase the presence and exposure of the Project's mission.
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''3'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | NAME
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | TITLE
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | WHY
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''4'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | NAME
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | TITLE
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | WHY.
|-
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | '''5'''
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | NAME
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | TITLE
| align="center" style="background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | WHY
|}

----

AppSec Brasil 2010 (pt-br)

2010-08-03T13:22:06Z

Camargoneves: /* Patrocinadores do kit da conferência */

__NOTOC__

[[Image:LogoAppSecBrazil.002.jpg|center]]

'''The English version is [[AppSec Brasil 2010|here]]'''

= OWASP AppSec Brasil 2010 =

A segunda edição da versão brasileira da série de conferências mais importante da OWASP ocorrerá em Campinas, SP. A conferência terá dois dias de treinamentos, seguidos de dois dias de conferência em trilha única.
<center>
[[Image:AppSec Brasil 2010 Campinas.jpg|500px]]
</center>
== Datas Importantes ==

A Conferência ocorrerá entre 16 e 19 de novembro de 2010. Os primeiros dois dias serão dedicados aos treinamentos. As plenárias ocorrerão em 18 e 19 de novembro de 2010.

<br> 

==== Sobre ====

== Sobre a Conferência ==

Dando prosseguimento ao sucesso da primeira AppSec Brasil, que ocorreu em Brasília em 2009, o Capítulo brasileiro do OWASP irá promover a segunda edição em 2010, na cidade de Campinas, a cerca de 90 km de São Paulo

Campinas é a terceira maior cidade do estado de São Paulo (e a maior fora da área metropolitana da Capital) e é um importante polo econômico, abrigando universidades e centros de pesquisa de renome internacional. A cidade também concentra muitas indústrias de alta tecnologia, incluindo multi-nacionais dos ramos de eletrônicos, telecomunicações e quimicos.

Este ano, esperamos reunir um número expressivo de profissionais e pesquisadores brasileiros e latino-americanos para compartilharem informações sobre o estado-da-arte da segurança de aplicações.

==== Chamadas de trabalhos ====
<pre>**APPSEC BRASIL 2010**
**CHAMADA DE TRABALHOS**

O OWASP (Open Web Application Security Project) solicita propostas de apresentações para a conferência AppSec Brasil 2010,
que ocorrerá na Fundação CPqD em Campinas, SP, de 16 a 19 de novembro de 2010. Haverá mini-cursos nos dias 16 e 17, seguidos
de sessões plenárias detrilha única nos dias 18 e 19 de novembro de 2010.

Buscamos pessoas e organizações que queiram ministrar palestras sobre segurança de aplicações. Em particular destacamos os seguintes
tópicos de interesse:
- Modelagem de ameaças em aplicações
- Riscos de Negócio em Segurança de aplicações
- Aplicações de Revisões de Código
- Métricas Aplicadas a Segurança de Aplicações
- Ferramentas e Projetos do OWASP
- Tópicos de Privacidade em Aplicações e Armazenamento de Dados
- Práticas de Programação Segura
- Programas de Segurança para todo o Ciclo de Vida de aplicações
- Tópicos de Segurança para tecnologias específicas (AJAX, XML, Flash, etc)
- Controles de Segurança para aplicações Web
- Testes de Segurança de aplicações Web
- Segurança de Web Services ou XML

A lista de tópicos não é exaustiva; outros tópicos podem ser abordados, desde que em consonância com o tema central do evento.

Para submeter uma proposta, preencha o formulário disponível em
http://www.owasp.org/images/6/68/OWASP_AppSec_Brasil_2010_CFP%28pt-br%29.rtf.zip, que deve ser enviado através da página
da conferência no site Easychair: http://www.easychair.org/conferences/?conf=appsecbr2010

Cada apresentação terá 45 minutos de duração, seguidos de 10 minutos para perguntas da platéia. Todas as apresentações deverão estar
em conformidade com as regras definidas pelo OWASP em seu "Speaker Agreement".

**Datas importantes:**
A data limite para apresentação de propostas é 17 de agosto de 2010 às 23:59, horário de Brasília.
A notificação de aceitação ocorrerá até o dia 8 de setembro de 2010.
A versão final das apresentações deverá ser enviada até o dia 30 de setembro de 2010.

A comissão organizadora da conferência pode ser contactada pelo e-mail: organizacao2010@appsecbrasil.org

Para mais informações, favor consultar as seguintes páginas:
Página da conferência: http://www.owasp.org/index.php/AppSec_Brasil_2010_(pt-br)
OWASP Speaker Agreement (em inglês): http://www.owasp.org/index.php/Speaker_Agreement
Página do OWASP: http://www.owasp.org
Página da conferência no Easychair: http://www.easychair.org/conferences/?conf=appsecbr2010
Formulário para apresentação de propostas: http://www.owasp.org/images/6/68/OWASP_AppSec_Brasil_2010_CFP%28pt-br%29.rtf.zip

********* ATENÇÃO: Não serão aceitas propostas sem TODAS as informações solicitadas no formulário *********

Favor divulgar a todos os possíveis interessados.

</pre>
== Chamada de mini-cursos ==
<pre>**APPSEC BRASIL 2010**
**CHAMADA DE MINI-CURSOS**

O OWASP (Open Web Application Security Project) solicita propostas de apresentações para a conferência AppSec Brasil 2010,
que ocorrerá na Fundação CPqD em Campinas, SP, de 16 a 19 de novembro de 2010. Haverá mini-cursos nos dias 16 e 17,
seguidos de sessões plenárias de trilha única nos dias 18 e 19 de novembro de 2010.

Buscamos pessoas e organizações que queiram ministrar mini-cursos sobre segurança de aplicações.
Destacamos os seguintes tópicos de interesse:
- Modelagem de ameaças em aplicações (Application Threat Modeling)
- Riscos de Negócio em Segurança de aplicações (Business Risks with Application Security)
- Aplicações de Revisões de Código (Hands-on Source Code Review)
- Métricas Aplicadas a Segurança de Aplicações (Metrics for Application Security)
- Ferramentas e Projetos do OWASP (OWASP Tools and Projects)
- Tópicos de Privacidade em Aplicações e Armazenamento de Dados (Privacy Concerns with
Applications and Data Storage)
- Práticas de Programação Segura (Secure Coding Practices)
- Programas de Segurança para todo o Ciclo de Vida de aplicações (Secure Development Lifecycle Programs)
- Tópicos de Segurança para tecnologias específicas (AJAX, XML, Flash, etc) (Technology specific presentations on
security such as AJAX, XML, etc)
- Controles de Segurança para aplicações Web (Web Application Security countermeasures)
- Testes de Segurança de aplicações Web (Web Application Security Testing)
- Segurança de Web Services ou XML (Web Services, XML and Application Security)

A lista de tópicos não é exaustiva; outros tópicos podem ser abordados, desde que em consonância com o tema central do evento.

Para submeter uma proposta, preencha o formulário disponível em
http://www.owasp.org/images/4/43/OWASP_AppSec_Brasil_2010_CFT%28pt-br%29.rtf.zip, que deve ser enviado por email
para organizacao2010@appsecbrasil.org.

Cada mini-curso poderá ter 1 ou 2 dias (8 horas por dia) de duração e deverão estar em conformidade com as regras definidas
pelo OWASP em seu "Speaker Agreement". A conferência pagará aos instrutores pelo menos 30% do fatuamente de seus mini-cursos.
Cursos que consigam atrair mais que o número mínimo de alunos poderão receber percentagens maiores (mais detalhes abaixo).
Não haverá qualquer outro tipo de remuneração (passagens, hospedagem, etc) para os apresentadores ou autores dos mini-cursos.
Caso seja necessário um arranjo diferente, favor entrar em contacto com o comitê organizador pelo email abaixo.

**Remuneração**
Os instrutores e autores dos cursos serão remunerados conforme a quantidade de alunos. Se o curso atrair apenas o número
mínimo de alunos, a remuneração será 30% do faturamento. Para cada 10 alunos a mais, a remuneração será acrescida de 5% do
faturamento, até um máximo de 45% do faturamento do curso. Por exemplo, para um curso de 1 dia para uma turma de 10 a
19 alunos, os instrutores e autores receberão 30% do faturamento do curso. Para turmas entre 20 e 29 alunos, a remuneração
sobe para 35% do faturamento e assim sucessivamente.

Em casos excepcionais, poderá ser acordado um esquema diferente para remuneração dos instrutores. Possíveis interessados
devem entrar em contato com a comissão organizadora pelo email organizacao2010@appsecbrasil.org

**Valores das inscrições**
Cursos de 1 dia: R$ 450 por aluno
Cursos de 2 días: R$ 900 por aluno

**Mínimo de alunos**
10 alunos para cursos de 1 dia
20 alunos para cursos de 2 dias

**Datas importantes:**
A data limite para apresentação de propostas é 26 de julho de 2010 às 23:59, horário de Brasília.
A notificação de aceitação ocorrerá até o dia 16 de agosto de 2010.
A versão final do material dos mini-cursos deverá ser enviada até o dia 15 de setembro de 2010.

A comissão organizadora da conferência pode ser contactada pelo e-mail: organizacao2010@appsecbrasil.org

Para mais informações, favor consultar as seguintes páginas:
Página da conferência: http://www.owasp.org/index.php/AppSec_Brasil_2010_(pt-br)
OWASP Speaker Agreement (em inglês): http://www.owasp.org/index.php/Speaker_Agreement
Página do OWASP: http://www.owasp.org
Página da conferência no Easychair: http://www.easychair.org/conferences/?conf=appsecbr2010
Formulário para apresentação de propostas: http://www.owasp.org/images/4/43/OWASP_AppSec_Brasil_2010_CFT%28pt-br%29.rtf.zip

********* ATENÇÃO: Não serão aceitas propostas sem TODAS as informações solicitadas no formulário *********

Favor divulgar a todos os possíveis interessados.
</pre>
==== Patrocínio ====

Estamos atualmente buscado patrocinadores para a edição 2010 da AppSec Brasil. Veja mais detalhes sobre as [[Media:OWASP_AppSec_Brasil_2010-Oportunidade_de_Patroc%C3%ADnio.pdf|oportunidades de patrocínio]].

Se estiver interessado em patrocinar o AppSec Brasil 2010, por favor entre em contato com a equipe organizadora da conferência pelo email organizacao2010@appsecbrasil.org.

== Patrocinadores ==

== Patrocinadores Platinum ==

{|
|-
| [[Image:AppSec Brasil 2010 CPQD.jpg|200px|link=http://www.cpqd.com.br]]
|-
|  
|}

== Patrocinadores Gold ==

{|
|-
| [[Image:LeadComm Logo Screen.jpg|150px|link=http://www.leadcomm.com.br]]
| width="50" | <br>
| [[Image:Logo PagSeguro-Uma empresa-UOL.jpg|150px|link=http://www.pagseguro.uol.com.br]]
|-
|  
|}

== Patrocinadores Silver ==

<br>

=== Patrocinadores do kit da conferência ===
{|
| [[Image:Logotipo_Conviso_2009_Cor.png|150px]]
| width="50" | <br>
| [[Image:lgClavis.png|100px|link=http://www.clavis.com.br]]
|-
|  
|-
|}
<br>

== Promoção ==
<center>
[[Image:Appsec Brasil 2010 InstitutoTuring.png]]
</center>
==== Keynotes ====

== <font color="red"><s>Bruce Schneier</s></font> ==

<font color="red">
Olá a todos,

Estamos aqui para comunicar que infelizmente o Sr. Bruce Schneier teve que cancelar sua participação no evento.
Já estamos procurando por outro palestrante e atualizaremos o site assim que possível.

Nós lamentamos muito que isso tenha acontecido, mas tenha certeza que nós estamos nos empenhando ao máximo para oferecê-los um evento memorável.

Mais uma vez, nos desculpamos por qualquer desconforto que isso possa causar.</font>

== Jeremiah Grossman ==

[http://www.whitehatsec.com/ WhiteHat Security]

''Title:'' '''TBD.'''

''Bio:'' Jeremiah Grossman, fundador e CTO da WhiteHat Security, é um especialista em segurança web. É co-fundador do Web Application Security Consortium (WASC), foi escolhido pela InfoWorld um dos Top 25 CTOs em 2007 e é frequentemente citado em publicações técnicas ou de negócios. Publicou dezenas de artigos, foi o descobridor de várias técnicas avançadas de ataque e defesa e é co-autor do livro "XSS Attacks: Cross Site Scripting Exploits and Defense." Grossman é também um blogueiro influente que oferece idéias e encoraja um dálogo franco sobre pesquisas e tedências da segurança na web. Antes da WhiteHat, Grossman foi um "information security officer" no Yahoo!

<br>

==== Agenda ====

== Programa da Conferência - Dia 1 - 18 de novembro de 2010 ==
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Recepção'''
|-
| width="14%" height="17" align="right" | 09:00 - 09:20
| bgcolor="#b9c2dc" align="CENTER" | '''Cerimônia de Abertura'''
|-
| width="14%" height="49" align="right" | 09:20 - 10:20
| bgcolor="#eeeeee" align="CENTER" | '''Dinis Cruz'''<br> Sobre o OWASP
|-
| width="14%" height="17" align="right" | 10:20 - 10:40
| bgcolor="#d98b66" align="CENTER" | '''Intervalo'''
|-
| width="14%" height="49" align="right" | 10:40 - 11:40
| bgcolor="#b9c2dc" align="CENTER" | '''Bruce Schneier'''<br> TBD
|-
| width="14%" height="17" align="right" | 11:40 - 12:30
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="17" align="right" | 12:30 - 14:00
| bgcolor="#d98b66" align="CENTER" | '''Almoço'''
|-
| width="14%" height="47" align="right" | 14:00 - 14:50
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="32" align="right" | 14:50 - 15:40
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="17" align="right" | 15:40 - 16:00
| bgcolor="#d98b66" align="CENTER" | '''Intervalo'''
|-
| width="14%" height="47" align="right" | 16:00 - 16:50
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="32" align="right" | 16:50 - 17:40
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="47" align="right" | 17:40 - 18:30
| bgcolor="#b9c2dc" align="CENTER" | '''TBD <br>''' TBD
|-
| width="14%" height="17" align="right" | 18:30 - 18:35
| bgcolor="#cccccc" align="CENTER" | '''Encerramento do primeiro dia'''
|}
</center>
<br>

== Programa da Conferência - Dia 2 - 19 de novembro de 2010 ==
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Recepção'''
|-
| width="14%" height="32" align="right" | 09:00 - 10:30
| bgcolor="#b9c2dc" align="CENTER" | '''Jeremiah Grossman'''<br> TBD
|-
| width="14%" height="17" align="right" | 10:30 - 10:50
| bgcolor="#d98b66" align="CENTER" | '''Intervalo'''
|-
| width="14%" height="47" align="right" | 10:30 - 11:40
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="32" align="right" | 11:40 - 12:30
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="17" align="right" | 12:30 - 14:00
| bgcolor="#d98b66" align="CENTER" | '''Almoço'''
|-
| width="14%" height="32" align="right" | 14:00 - 15:10
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="32" align="right" | 15:10 - 16:00
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="17" align="right" | 16:00 - 16:20
| bgcolor="#d98b66" align="CENTER" | '''Intervalo'''
|-
| width="14%" height="32" align="right" | 16:20 - 17:10
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="32" align="right" | 17:10 - 18:00
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="17" align="right" | 18:00 - 18:30
| bgcolor="#cccccc" align="CENTER" | '''Encerramento'''
|}
</center>
<br>

==== Treinamentos ====

[[Image:Aspect logo.png]]

=== '''Codificação Segura em Aplicações J2EE''' ===

[[Image:Jasonli appsecBR2010.jpg|frame]]

'''<span style="color: rgb(255, 0, 0);"> Atenção: Este treinamento será ministrado em inglês SEM tradução simultânea. </span>'''

'''Data e horário: 16 e 17 de Novembro'''<br> '''Instrutor: Jason Li'''<br>

'''Resumo'''<br> A capacitação de desenvolvedores nas práticas de programação segura oferece o mais alto retorno de investimento em meio a todo o orçamento de segurança, através da eliminação de vulnerabilidades diretamente no código. O curso Aspectos de Programação Segura JAVA EE faz crescer a noção de questões relativas segurança de aplicações em meio aos desenvolvedores e fornece exemplos de “o que fazer” e “o que não fazer”. O curso é ministrado por um desenvolvedor experiente e apresentado de maneira bastante interativa. Este curso inclui exercícios “mão-na-massa” onde os alunos são chamados a executar análises e testes de segurança em uma aplicação Web Java EE real. Este ambiente especialmente planejado inclui falhas intencionais as quais os alunos deverão encontrar, diagnosticar e corrigir. O curso também faz uso de exercícios de programação Java EE, de forma a fornecer aos alunos uma experiência realista e “mão-na-massa” de desenvolvimento seguro. Os alunos obtêm essa experiência “mão-na-massa” usando ferramentas de teste de segurança de aplicações Web, disponíveis gratuitamente, de forma a buscar e diagnosticar falhas e aprender a evitá-las em seu próprio código.<br>

'''Público Alvo'''<br> O publico esperado para este curso é composto por desenvolvedores de aplicações JAVA EE e por testadores que possuam conhecimentos de programação.

'''Objetivos de Aprendizado'''<br>

O objetivo maior do curso é assegurar que os desenvolvedores são capazes de projetar, construir e testar aplicações seguras Java EE e compreender a importância da segurança no processo.<br>

'''Tópicos'''<br>

*'''Aprendendo os Fundamentos Objetivos do HTTP'''<br>
**Compreender e ser capaz de empregar as características de segurança

envolvidas no uso do HTTP (e.g., cabeçalhos, cookies, SSL).<br>

*'''Princípios e Padrões de Projeto'''<br>
**Compreender e ser capaz de aplicar os princípios de projeto de

segurança de aplicação.<br>

*'''Ameaças'''<br>
**Ser capaz de identificar e explicar as ameaças comuns à segurança de

aplicações Web (cross-site scripting, SQL injection, ataques de “denial of service”, ataques de "Man-in-the-middle", etc.) e implementar técnicas para mitigar o risco.<br>

*'''Autenticação e Gerência de Sessão'''<br>
**Ser capaz de tratar credenciais de forma segura, ao fornecer um leque

completo de suporte a funções de autenticação, incluindo login, troca, esquecimento e recuperação de senha, logout, re-autenticação e expiração de sessão.<br>

*'''Controle de Acesso'''<br>
**Ser capaz de implementar regras de controle de acesso à interface de

usuário, lógica de negócio e camada de dados.<br>

*'''Validação de Campos'''<br>
**Ser capaz de reconhecer problemas potenciais na validação de campos,

particularmente problemas de injection e Cross-site Scripting (XSS), e implementar os mecanismos apropriados de validação de campos informados pelo usuário ou obtidos a partir de outras fontes de entrada.<br>

*'''Injeção de Comandos'''<br>
**Compreender os perigos da injeção de comandos e as técnicas para

evitar a introdução deste tipo de vulnerabilidade.<br>

*'''Tratamento de Erros'''<br>
**Ser capaz de implementar um tratamento consistente de erros (exceções)

e um esquema de log para a aplicação Web como um todo.<br>

*'''Criptografia'''<br>
**Aprender em quais situações de deve aplicar técnicas de criptografia e

ser capaz de escolher algoritmos, usar criptografia/decriptografia e funções de hash de forma segura.<br>

'''O Instrutor'''<br> Jason é um instrutor notável, tendo comandado cinco diferentes cursos no período de um ano para nossos principais e diversos clientes de longa data. A base de clientes inclui uma grande instituição financeira, diversas empresas líderes do ramo de encomendas e logística e um líder na integração de sistemas governamentais.<br>

Jason também já ministrou os cursos Testando a Segurança de Aplicações Web Anvançado e Construindo Aplicações Web Seguras na conferência OWASP 2008, na Bélgica e Índia.<br>

Elogios comuns encontrados nas avaliações dos cursos de Jason incluem '''“Este é provavelmente um dos''' cursos mais importantes aos quais já fui exposto aqui”'''e '''“Um dos melhores instrutores que já tive. Um conhecimento efetivo do assunto. Manteve a turma interessada através do compartilhamento de exemplos pessoais reais os quais descreveram bons cenários”'''.<br>'''

==== Local ====

A conferência será em Campinas, SP, na [http://www.cpqd.com.br Fundação CPQD].

Veja a localização usando o [http://maps.google.com.br/maps/ms?source=embed&hl=pt-BR&geocode=&ie=UTF8&update=1&t=h&msa=0&msid=104978801628275418750.000462bf2d1a49a7571af&ll=-22.83125,-47.044315&spn=0.03718,0.04034&z=14 Google Maps]

== Como chegar ==

TBD

==== Inscrições ====

== Inscrições online ==

TBD

== Valores ==

TBD

==== Organização ====

== Comitês ==

OWASP Global Conferences Committee Chair: Mark Bristow

Líder do [[Brazilian|Capítulo Brasileiro]]: Wagner Elias

Comissão organizadora do AppSec Brasil 2010 (organizacao2010 at appsecbrasil.org):

*Conference General Chair: Lucas C. Ferreira
*Tutorials Chair: Eduardo Camargo Neves
*Tracks Chair: Luiz Otávio Duarte
*Local Chair: Alexandre Melo Braga

=== Equipe ===

*Alexandre Melo Braga
*Eduardo Camargo Neves
*Lucas C. Ferreira
*Luiz Otávio Duarte
*Wagner Elias
*Eduardo Alves Nonato da Silva
*Leonardo Buonsanti
*Dinis Cruz
*Paulo Coimbra

<br> <br>

==== Hospedagem ====

TBD

==== Links ====

Blog: http://blog.appsecbrasil.org

Twitter: http://twitter.com/owaspappsecbr

== Notícias ==

[http://g1.globo.com/Noticias/Tecnologia/0,,MUL1545935-6174,00-EM+COMPETICAO+DE+SEGURANCA+SAFARI+IE+E+FIREFOX+SAO+HACKEADOS.html Portal G1]

<br> <headertabs />

[[Category:OWASP_AppSec_Conference]]

AppSec Brasil 2010

2010-08-03T13:21:24Z

Camargoneves: /* Attendee Kit Sponsors */

__NOTOC__

[[Image:LogoAppSecBrazil.002.jpg|center]]

'''Para a versão em português, veja em [[AppSec Brasil 2010 (pt-br)]]'''

= OWASP AppSec Brasil 2010 =

The Second Edition of OWASP's flagship conference in South America will happen in Campinas, SP, Brazil. The Conference consists of two days of training sessions, followed by a two-day conference on a single track.
<center>
[[Image:AppSec Brasil 2010 Campinas.jpg|500px]]
</center>
== Conference Dates ==

The conference will happen from '''November 16th, 2010 to November 19th, 2010'''. The first two days will be tutorial days (see below). Plenary sessions will be held on November 18th and 19th.

<br>

==== About ====

== About the conference ==

Following the success of the first AppSec Brasil, held in Brasilia in 2009, the OWASP Brazilian Chapter is organizing its second edition in 2010. AppSec Brasil 2010 will happen in the city of Campinas, located 90 km from São Paulo.

Campinas is the 3rd biggest city in the State of São Paulo and is an important economic center and hosts major universities and research centers. It is known to concentrate several high tech industries, including important multi-national companies in the fields of electronics, telecom and chemicals.

This year, we expect to gather a number of Brazilian and Latin American practitioners and researchers to share state-of-the-art information about application security.

==== Calls ====
<pre>**OWASP APPSEC BRASIL 2010**
**CALL FOR PRESENTATIONS**

Colleagues,

OWASP is currently soliciting presentations for the OWASP AppSec Brasil 2010 Conference that will take
place at CPqD Foundation in Campinas, SP, Brazil on November 16th through 19th, 2010. There will be
training courses on November 16th and 17th followed by plenary sessions on the 18th and 19th with each
day having one single track.

We are seeking people and organizations that want to present on any of the following topics (in no particular order):
- Application Threat Modeling
- Business Risks with Application Security
- Hands-on Source Code Review
- Metrics for Application Security
- OWASP Tools and Projects
- Privacy Concerns with Applications and Data Storage
- Secure Coding Practices (J2EE/.NET)
- Starting and Managing Secure Development Lifecycle Programs
- Technology specific presentations on security such as AJAX, XML, etc
- Web Application Security countermeasures
- Web Application Security Testing
- Web Services-, XML- and Application Security
- Anything else relating to OWASP and Application Security

To make a submission you must fill out the form available
at http://www.owasp.org/images/f/f7/OWASP_AppSec_Brasil_2010_CFP.rtf.zip and submit
through the easychair conference interface at http://www.easychair.org/conferences/?conf=appsecbr2010

Each presenter will have 45 minutes for the presentation, followed by 10 minutes reserved for
questions from the audience. The presentations must respect the restrictions of the OWASP Speaker Agreement.

**Important Dates:**
Submission deadline is August 17, 2010 at 11:59 PM (UTC/GMT -3).
Notification of acceptance is September 8, 2010.
Presentation slides are due September 30, 2010.

The conference organization team may be contacted by email at organizacao2010 (at) appsecbrasil.org

For more information, please see the following web pages:
Conference Website: https://www.owasp.org/index.php/AppSec_Brasil_2010
OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement
OWASP Website: http://www.owasp.org
Easychair conference site: http://www.easychair.org/conferences/?conf=appsecbr2010
Presentation proposal form: http://www.owasp.org/images/f/f7/OWASP_AppSec_Brasil_2010_CFP.rtf.zip

********** WARNING: Submissions without the information requested in the proposal form will not be considered ************

Please forward to all interested practitioners and colleagues.

</pre>
== Call for training providers ==
<pre>**OWASP APPSEC BRASIL 2010**
**CALL FOR TRAINING SESSIONS**

Colleagues,

OWASP is currently soliciting training proposals for the OWASP
AppSec Brazil 2010 Conference which will take place at Fundação CPqD
in Campinas, SP, Brazil, on November 16 through November 19, 2010.
There will be training courses on November 16 and 17 followed by
plenary sessions on the 18 and 19 with one single track per day.

We are seeking training proposals on the following topics (in no
particular order):
- Application Threat Modeling - Business Risks with Application Security
- Hands-on Source Code Review
- Metrics for Application Security
- OWASP Tools and Projects
- Privacy Concerns with Applications and Data Storage
- Secure Coding Practices (J2EE/.NET)
- Starting and Managing Secure Development Lifecycle Programs
- Technology specific presentations on security such as AJAX, XML, etc
- Web Application Security countermeasures
- Web Application Security Testing
- Web Services, XML- and Application Security
- Anything else relating to OWASP and Application Security

Proposals on topics not listed above but related to the conference
(i.e. which are related to Application Security) may also be accepted.

To make a submission you must fill out the form available at
http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip
and submit by email to organizacao2010@appsecbrasil.org

There may be 1 or 2-day courses. The proposals must respect the
restrictions of the OWASP Speaker Agreement. The conference will
reward trainers with at least 30% of the total revenue of their
courses, based on a minimum attendance. Courses that attract more
students may be granted higher percentages. No other compensation
(such as tickets or lodging) will be provided. If you require a
different arrangement, please contact the conference chair at the
email address below.

**Compensation**
Instructors and authors will be paid based on the number of students
in their training sessions. If the training gathers only the minimum
number of students, the compensation will be 30% of the revenue. For
each group of 10 extra students enrolled, the compensation will be
increased by 5% of the revenue, up to a maximum of 45% of the training
revenue. For example, a 1-day training with 10 to 19 students will
generate a compensation of 30% of the revenue. For classes of 20 to 29
students, the compensation raises to 35% percent of the revenue.

In exceptional cases, different compensation schemes may be accepted.
Please contact the conference organization team by email
(organizacao2010@appsecbrasil.org) for details.

**Training cost**
1-day training: R$ 450 per student
2-day training: R$ 900 per student
All prices in Brazilian Reais (BRL)

**Minimum number of students**
1-day trainings: 10 students
2-day trainings: 20 students

**Important Dates:**
Submission deadline is July 26, 2010, at 11:59 PM (UTC/GMT-3).
Notification of acceptance will be August 16, 2010.
Final version is due September 15, 2010.

The conference organization team may be contacted by email at
organizacao2010 (at) appsecbrasil.org

For more information, please see the following web pages:
Conference Website: https://www.owasp.org/index.php/AppSec_Brasil_2010
OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement
OWASP Website: http://www.owasp.org
Easychair conference site:
http://www.easychair.org/conferences/?conf=appsecbr2010
Presentation proposal form:
http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip

********** WARNING: Submissions without all the information requested
in the proposal form will not be considered ************

</pre>
==== Sponsorship ====

We are currently soliciting sponsors for the AppSec Brasil 2010 Conference. Detailed [[Media:OWASP_-_Sponsorship_Opportunities_-_EN_V.1.2.pdf|sponsorship oportunities]] are now available.

If you are interested in sponsoring AppSec Brasil 2010, please contact the Conference Organization Team (organizacao2010@appsecbrasil.org).

== Sponsors ==

== Platinum Sponsors ==
{|
| [[Image:AppSec Brasil 2010 CPQD.jpg|200px|link=http://www.cpqd.com.br]]
|-
|  
|-
|}

== Gold Sponsors ==
{|
| [[Image:LeadComm Logo Screen.jpg|150px|link=http://www.leadcomm.com.br]]
| width="50" | <br>
| [[Image:Logo PagSeguro-Uma empresa-UOL.jpg|150px|link=http://www.pagseguro.uol.com.br]]
|-
|  
|-
|}

== Silver Sponsors ==
<br>

=== Attendee Kit Sponsors ===
{|
| [[Image:Logotipo_Conviso_2009_Cor.png|150px]]
| width="50" | <br>
| [[Image:lgClavis.png|110px|link=http://www.clavis.com.br]]
|-
|  
|-
|}
<br>

== Promoted by ==
<center>
[[Image:Appsec Brasil 2010 InstitutoTuring.png]]
</center>
==== Keynotes ====

==<font color="red"><s>Bruce Schneier</s></font> ==

<font color="red">Hello there,

We are here to announce that unfortunately, Mr. Schneier had to cancel his participation at the event. We are already looking for other keynote and will update the site as soon as possible.

We are truly sorry this happened, but be sure we are giving our best efforts to offer you a memorable event.
Be sure to always check the site for updates.

Once again, we apologize if this made you uncomfortable.</font>

== Jeremiah Grossman ==

[http://www.whitehatsec.com/ WhiteHat Security]

''Title:'' '''TBD.'''

''Bio:'' Jeremiah Grossman, founder and CTO, WhiteHat Security, is a world-renowned Web security expert. A co-founder of the Web Application Security Consortium (WASC), he was named to InfoWorld's Top 25 CTOs in 2007 and is frequently quoted by business and technical media. He has authored dozens of articles and whitepapers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of "XSS Attacks: Cross Site Scripting Exploits and Defense." Grossman is also an influential blogger who offers insight and encourages open dialogue regarding Web security research and trends. Prior to WhiteHat, Grossman was an information security officer at Yahoo!

<br>

==== Agenda ====

== Conference Program - Day 1 - November 18th 2010 ==
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''
|-
| width="14%" height="17" align="right" | 09:00 - 09:20
| bgcolor="#b9c2dc" align="CENTER" | '''Opening Ceremony'''
|-
| width="14%" height="49" align="right" | 09:20 - 10:20
| bgcolor="#eeeeee" align="CENTER" | '''Dinis Cruz'''<br> About OWASP
|-
| width="14%" height="17" align="right" | 10:20 - 10:40
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="49" align="right" | 10:40 - 11:40
| bgcolor="#b9c2dc" align="CENTER" | '''Bruce Schneier'''<br> TBD
|-
| width="14%" height="17" align="right" | 11:40 - 12:30
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="17" align="right" | 12:30 - 14:00
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''
|-
| width="14%" height="47" align="right" | 14:00 - 14:50
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="32" align="right" | 14:50 - 15:40
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="17" align="right" | 15:40 - 16:00
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 16:00 - 16:50
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="32" align="right" | 16:50 - 17:40
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="47" align="right" | 17:40 - 18:30
| bgcolor="#b9c2dc" align="CENTER" | '''TBD <br>''' TBD
|-
| width="14%" height="17" align="right" | 18:30 - 18:35
| bgcolor="#cccccc" align="CENTER" | '''End of the First Day'''
|}
</center>
<br>

== Conference Program - Day 2 - November 19th 2010 ==
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''
|-
| width="14%" height="32" align="right" | 09:00 - 10:30
| bgcolor="#b9c2dc" align="CENTER" | '''Jeremiah Grossman'''<br> TBD
|-
| width="14%" height="17" align="right" | 10:30 - 10:50
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 10:30 - 11:40
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="32" align="right" | 11:40 - 12:30
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="17" align="right" | 12:30 - 14:00
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''
|-
| width="14%" height="32" align="right" | 14:00 - 15:10
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="32" align="right" | 15:10 - 16:00
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="17" align="right" | 16:00 - 16:20
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="32" align="right" | 16:20 - 17:10
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="32" align="right" | 17:10 - 18:00
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="17" align="right" | 18:00 - 18:30
| bgcolor="#cccccc" align="CENTER" | '''End of the Conference'''
|}
</center>
<br>

==== Trainings ====

[[Image:Aspect logo.png]]

=== '''Secure Coding for J2EE Applications''' ===

[[Image:Jasonli appsecBR2010.jpg|frame]] '''Date and time: November 16th and 17th'''<br> '''Instructor: Jason Li'''<br> '''Summary'''<br> Training developers on secure coding practices offers one of the highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Java EE Secure Coding Training raises developer awareness of application security issues and provides examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and is delivered in a very interactive manner. This class includes hands-on exercises where the students get to perform security analysis and testing on a live Java EE web application. This specially designed environment includes deliberate flaws the students have to find, diagnose, and fix. The class also uses Java EE coding exercises to provide students with realistic hands-on secure coding experience. Students gain hands-on experience using freely available web application security test tools to find and diagnose flaws and learn to avoid them in their own code.<br>

'''Audience'''<br> The intended audience for this course is intended for Java EE software developers and Java EE software testers who know how to program.<br>

'''Learning Objectives'''<br> At the highest level, the objective for this course is to ensure that developers are capable of designing, building, and testing secure Java EE applications and understand why this is important.<br>

'''Topics'''<br>

*'''HTTP Fundamentals'''<br>
**Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)<br>
*'''Design Principles and Patterns'''<br>
**Understand and be able to apply application security design principles.<br>
*'''Threats'''<br>
**Be able to identify and explain common web application security threats (e.g. , cross-site scripting, SQL injection, denial of service attacks, "Man-in-the-middle" attacks, etc.) and implement mitigation techniques.<br>
*'''Authentication and Session Management'''<br>
**Be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, reauthentication, and timeouts.<br>
*'''Access Control'''<br>
**Be able to implement access control rules for the user interface, business logic, and data layers.<br>
*'''Input Validation'''<br>
**Be able to recognize potential input validation issues, particularly injection and Cross-site Scripting (XSS) problems, and implement appropriate input validation mechanisms for user input and other sources of input.<br>
*'''Command Injection'''<br>
**Understand the dangers of command injection and techniques for avoiding the introduction of this type vulnerability.<br>
*'''Error Handling'''<br>
**Be able to implement a consistent error (exception) handling and logging approach for an entire web application.<br>
*'''Cryptography'''<br>
**Learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.<br>

'''Jason’s Bio'''<br> Jason is a remarkable trainer, mastering five different training courses within a year’s time to our most valuable longstanding but diverse clients. The client base included a large financial institution, several leading shipping and logistics Management Company, and a leading Government systems integrator.<br>

Jason has also taught Advanced Web Application Security Testing and Building Secure Web Applications classes at OWASP 2008 conferences in Belgium and India.<br>

Common remarks returned from Jason’s class evaluations include '''“This is probably one of the most important classes I‘ve been exposed to here”''' and '''“One of the best instructors I’ve ever had. Really knowledgeable of the subject. Kept class interested by sharing real life examples that depicted good scenarios”'''<br>

==== Venue ====

The event will be held in Campinas, SP, Brazil at: [http://www.cpqd.com.br Fundação CPQD].

You can check the location at [http://maps.google.com.br/maps/ms?source=embed&hl=pt-BR&geocode=&ie=UTF8&update=1&t=h&msa=0&msid=104978801628275418750.000462bf2d1a49a7571af&ll=-22.83125,-47.044315&spn=0.03718,0.04034&z=14 Google Maps]

''How to get there''

TBD

==== Registration ====

== Online Registration ==

TBD

== Conference Fees ==

TBD

==== Committees ====

== Conference Committee ==

OWASP Global Conferences Committee Chair: Mark Bristow

OWASP [[Brazilian]] Chapter Leader: Wagner Elias

AppSec Brasil 2010 Organization Team (organizacao2010 at appsecbrasil.org):

*Conference General Chair: Lucas C. Ferreira
*Tutorials Chair: Eduardo Camargo Neves
*Tracks Chair: Luiz Otávio Duarte
*Local Chair: Alexandre Melo Braga

=== Team Members ===

*Alexandre Melo Braga
*Eduardo Camargo Neves
*Lucas C. Ferreira
*Luiz Otávio Duarte
*Wagner Elias
*Eduardo Alves Nonato da Silva
*Leonardo Buonsanti
*Dinis Cruz
*Paulo Coimbra

<br> <br>

==== Travel ====

TBD

==== Links ====

Blog: http://blog.appsecbrasil.org

Twitter: http://twitter.com/owaspappsecbr

<br> <headertabs />

[[Category:OWASP_AppSec_Conference]]

AppSec Brasil 2010

2010-08-03T13:21:04Z

Camargoneves: /* Attendee Kit Sponsors */

__NOTOC__

[[Image:LogoAppSecBrazil.002.jpg|center]]

'''Para a versão em português, veja em [[AppSec Brasil 2010 (pt-br)]]'''

= OWASP AppSec Brasil 2010 =

The Second Edition of OWASP's flagship conference in South America will happen in Campinas, SP, Brazil. The Conference consists of two days of training sessions, followed by a two-day conference on a single track.
<center>
[[Image:AppSec Brasil 2010 Campinas.jpg|500px]]
</center>
== Conference Dates ==

The conference will happen from '''November 16th, 2010 to November 19th, 2010'''. The first two days will be tutorial days (see below). Plenary sessions will be held on November 18th and 19th.

<br>

==== About ====

== About the conference ==

Following the success of the first AppSec Brasil, held in Brasilia in 2009, the OWASP Brazilian Chapter is organizing its second edition in 2010. AppSec Brasil 2010 will happen in the city of Campinas, located 90 km from São Paulo.

Campinas is the 3rd biggest city in the State of São Paulo and is an important economic center and hosts major universities and research centers. It is known to concentrate several high tech industries, including important multi-national companies in the fields of electronics, telecom and chemicals.

This year, we expect to gather a number of Brazilian and Latin American practitioners and researchers to share state-of-the-art information about application security.

==== Calls ====
<pre>**OWASP APPSEC BRASIL 2010**
**CALL FOR PRESENTATIONS**

Colleagues,

OWASP is currently soliciting presentations for the OWASP AppSec Brasil 2010 Conference that will take
place at CPqD Foundation in Campinas, SP, Brazil on November 16th through 19th, 2010. There will be
training courses on November 16th and 17th followed by plenary sessions on the 18th and 19th with each
day having one single track.

We are seeking people and organizations that want to present on any of the following topics (in no particular order):
- Application Threat Modeling
- Business Risks with Application Security
- Hands-on Source Code Review
- Metrics for Application Security
- OWASP Tools and Projects
- Privacy Concerns with Applications and Data Storage
- Secure Coding Practices (J2EE/.NET)
- Starting and Managing Secure Development Lifecycle Programs
- Technology specific presentations on security such as AJAX, XML, etc
- Web Application Security countermeasures
- Web Application Security Testing
- Web Services-, XML- and Application Security
- Anything else relating to OWASP and Application Security

To make a submission you must fill out the form available
at http://www.owasp.org/images/f/f7/OWASP_AppSec_Brasil_2010_CFP.rtf.zip and submit
through the easychair conference interface at http://www.easychair.org/conferences/?conf=appsecbr2010

Each presenter will have 45 minutes for the presentation, followed by 10 minutes reserved for
questions from the audience. The presentations must respect the restrictions of the OWASP Speaker Agreement.

**Important Dates:**
Submission deadline is August 17, 2010 at 11:59 PM (UTC/GMT -3).
Notification of acceptance is September 8, 2010.
Presentation slides are due September 30, 2010.

The conference organization team may be contacted by email at organizacao2010 (at) appsecbrasil.org

For more information, please see the following web pages:
Conference Website: https://www.owasp.org/index.php/AppSec_Brasil_2010
OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement
OWASP Website: http://www.owasp.org
Easychair conference site: http://www.easychair.org/conferences/?conf=appsecbr2010
Presentation proposal form: http://www.owasp.org/images/f/f7/OWASP_AppSec_Brasil_2010_CFP.rtf.zip

********** WARNING: Submissions without the information requested in the proposal form will not be considered ************

Please forward to all interested practitioners and colleagues.

</pre>
== Call for training providers ==
<pre>**OWASP APPSEC BRASIL 2010**
**CALL FOR TRAINING SESSIONS**

Colleagues,

OWASP is currently soliciting training proposals for the OWASP
AppSec Brazil 2010 Conference which will take place at Fundação CPqD
in Campinas, SP, Brazil, on November 16 through November 19, 2010.
There will be training courses on November 16 and 17 followed by
plenary sessions on the 18 and 19 with one single track per day.

We are seeking training proposals on the following topics (in no
particular order):
- Application Threat Modeling - Business Risks with Application Security
- Hands-on Source Code Review
- Metrics for Application Security
- OWASP Tools and Projects
- Privacy Concerns with Applications and Data Storage
- Secure Coding Practices (J2EE/.NET)
- Starting and Managing Secure Development Lifecycle Programs
- Technology specific presentations on security such as AJAX, XML, etc
- Web Application Security countermeasures
- Web Application Security Testing
- Web Services, XML- and Application Security
- Anything else relating to OWASP and Application Security

Proposals on topics not listed above but related to the conference
(i.e. which are related to Application Security) may also be accepted.

To make a submission you must fill out the form available at
http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip
and submit by email to organizacao2010@appsecbrasil.org

There may be 1 or 2-day courses. The proposals must respect the
restrictions of the OWASP Speaker Agreement. The conference will
reward trainers with at least 30% of the total revenue of their
courses, based on a minimum attendance. Courses that attract more
students may be granted higher percentages. No other compensation
(such as tickets or lodging) will be provided. If you require a
different arrangement, please contact the conference chair at the
email address below.

**Compensation**
Instructors and authors will be paid based on the number of students
in their training sessions. If the training gathers only the minimum
number of students, the compensation will be 30% of the revenue. For
each group of 10 extra students enrolled, the compensation will be
increased by 5% of the revenue, up to a maximum of 45% of the training
revenue. For example, a 1-day training with 10 to 19 students will
generate a compensation of 30% of the revenue. For classes of 20 to 29
students, the compensation raises to 35% percent of the revenue.

In exceptional cases, different compensation schemes may be accepted.
Please contact the conference organization team by email
(organizacao2010@appsecbrasil.org) for details.

**Training cost**
1-day training: R$ 450 per student
2-day training: R$ 900 per student
All prices in Brazilian Reais (BRL)

**Minimum number of students**
1-day trainings: 10 students
2-day trainings: 20 students

**Important Dates:**
Submission deadline is July 26, 2010, at 11:59 PM (UTC/GMT-3).
Notification of acceptance will be August 16, 2010.
Final version is due September 15, 2010.

The conference organization team may be contacted by email at
organizacao2010 (at) appsecbrasil.org

For more information, please see the following web pages:
Conference Website: https://www.owasp.org/index.php/AppSec_Brasil_2010
OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement
OWASP Website: http://www.owasp.org
Easychair conference site:
http://www.easychair.org/conferences/?conf=appsecbr2010
Presentation proposal form:
http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip

********** WARNING: Submissions without all the information requested
in the proposal form will not be considered ************

</pre>
==== Sponsorship ====

We are currently soliciting sponsors for the AppSec Brasil 2010 Conference. Detailed [[Media:OWASP_-_Sponsorship_Opportunities_-_EN_V.1.2.pdf|sponsorship oportunities]] are now available.

If you are interested in sponsoring AppSec Brasil 2010, please contact the Conference Organization Team (organizacao2010@appsecbrasil.org).

== Sponsors ==

== Platinum Sponsors ==
{|
| [[Image:AppSec Brasil 2010 CPQD.jpg|200px|link=http://www.cpqd.com.br]]
|-
|  
|-
|}

== Gold Sponsors ==
{|
| [[Image:LeadComm Logo Screen.jpg|150px|link=http://www.leadcomm.com.br]]
| width="50" | <br>
| [[Image:Logo PagSeguro-Uma empresa-UOL.jpg|150px|link=http://www.pagseguro.uol.com.br]]
|-
|  
|-
|}

== Silver Sponsors ==
<br>

=== Attendee Kit Sponsors ===
{|
| [[Image:Logotipo_Conviso_2009_Cor.png|130px]]
| width="50" | <br>
| [[Image:lgClavis.png|110px|link=http://www.clavis.com.br]]
|-
|  
|-
|}
<br>

== Promoted by ==
<center>
[[Image:Appsec Brasil 2010 InstitutoTuring.png]]
</center>
==== Keynotes ====

==<font color="red"><s>Bruce Schneier</s></font> ==

<font color="red">Hello there,

We are here to announce that unfortunately, Mr. Schneier had to cancel his participation at the event. We are already looking for other keynote and will update the site as soon as possible.

We are truly sorry this happened, but be sure we are giving our best efforts to offer you a memorable event.
Be sure to always check the site for updates.

Once again, we apologize if this made you uncomfortable.</font>

== Jeremiah Grossman ==

[http://www.whitehatsec.com/ WhiteHat Security]

''Title:'' '''TBD.'''

''Bio:'' Jeremiah Grossman, founder and CTO, WhiteHat Security, is a world-renowned Web security expert. A co-founder of the Web Application Security Consortium (WASC), he was named to InfoWorld's Top 25 CTOs in 2007 and is frequently quoted by business and technical media. He has authored dozens of articles and whitepapers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of "XSS Attacks: Cross Site Scripting Exploits and Defense." Grossman is also an influential blogger who offers insight and encourages open dialogue regarding Web security research and trends. Prior to WhiteHat, Grossman was an information security officer at Yahoo!

<br>

==== Agenda ====

== Conference Program - Day 1 - November 18th 2010 ==
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''
|-
| width="14%" height="17" align="right" | 09:00 - 09:20
| bgcolor="#b9c2dc" align="CENTER" | '''Opening Ceremony'''
|-
| width="14%" height="49" align="right" | 09:20 - 10:20
| bgcolor="#eeeeee" align="CENTER" | '''Dinis Cruz'''<br> About OWASP
|-
| width="14%" height="17" align="right" | 10:20 - 10:40
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="49" align="right" | 10:40 - 11:40
| bgcolor="#b9c2dc" align="CENTER" | '''Bruce Schneier'''<br> TBD
|-
| width="14%" height="17" align="right" | 11:40 - 12:30
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="17" align="right" | 12:30 - 14:00
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''
|-
| width="14%" height="47" align="right" | 14:00 - 14:50
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="32" align="right" | 14:50 - 15:40
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="17" align="right" | 15:40 - 16:00
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 16:00 - 16:50
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="32" align="right" | 16:50 - 17:40
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD
|-
| width="14%" height="47" align="right" | 17:40 - 18:30
| bgcolor="#b9c2dc" align="CENTER" | '''TBD <br>''' TBD
|-
| width="14%" height="17" align="right" | 18:30 - 18:35
| bgcolor="#cccccc" align="CENTER" | '''End of the First Day'''
|}
</center>
<br>

== Conference Program - Day 2 - November 19th 2010 ==
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''
|-
| width="14%" height="32" align="right" | 09:00 - 10:30
| bgcolor="#b9c2dc" align="CENTER" | '''Jeremiah Grossman'''<br> TBD
|-
| width="14%" height="17" align="right" | 10:30 - 10:50
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 10:30 - 11:40
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="32" align="right" | 11:40 - 12:30
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="17" align="right" | 12:30 - 14:00
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''
|-
| width="14%" height="32" align="right" | 14:00 - 15:10
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="32" align="right" | 15:10 - 16:00
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="17" align="right" | 16:00 - 16:20
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="32" align="right" | 16:20 - 17:10
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="32" align="right" | 17:10 - 18:00
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD
|-
| width="14%" height="17" align="right" | 18:00 - 18:30
| bgcolor="#cccccc" align="CENTER" | '''End of the Conference'''
|}
</center>
<br>

==== Trainings ====

[[Image:Aspect logo.png]]

=== '''Secure Coding for J2EE Applications''' ===

[[Image:Jasonli appsecBR2010.jpg|frame]] '''Date and time: November 16th and 17th'''<br> '''Instructor: Jason Li'''<br> '''Summary'''<br> Training developers on secure coding practices offers one of the highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Java EE Secure Coding Training raises developer awareness of application security issues and provides examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and is delivered in a very interactive manner. This class includes hands-on exercises where the students get to perform security analysis and testing on a live Java EE web application. This specially designed environment includes deliberate flaws the students have to find, diagnose, and fix. The class also uses Java EE coding exercises to provide students with realistic hands-on secure coding experience. Students gain hands-on experience using freely available web application security test tools to find and diagnose flaws and learn to avoid them in their own code.<br>

'''Audience'''<br> The intended audience for this course is intended for Java EE software developers and Java EE software testers who know how to program.<br>

'''Learning Objectives'''<br> At the highest level, the objective for this course is to ensure that developers are capable of designing, building, and testing secure Java EE applications and understand why this is important.<br>

'''Topics'''<br>

*'''HTTP Fundamentals'''<br>
**Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)<br>
*'''Design Principles and Patterns'''<br>
**Understand and be able to apply application security design principles.<br>
*'''Threats'''<br>
**Be able to identify and explain common web application security threats (e.g. , cross-site scripting, SQL injection, denial of service attacks, "Man-in-the-middle" attacks, etc.) and implement mitigation techniques.<br>
*'''Authentication and Session Management'''<br>
**Be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, reauthentication, and timeouts.<br>
*'''Access Control'''<br>
**Be able to implement access control rules for the user interface, business logic, and data layers.<br>
*'''Input Validation'''<br>
**Be able to recognize potential input validation issues, particularly injection and Cross-site Scripting (XSS) problems, and implement appropriate input validation mechanisms for user input and other sources of input.<br>
*'''Command Injection'''<br>
**Understand the dangers of command injection and techniques for avoiding the introduction of this type vulnerability.<br>
*'''Error Handling'''<br>
**Be able to implement a consistent error (exception) handling and logging approach for an entire web application.<br>
*'''Cryptography'''<br>
**Learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.<br>

'''Jason’s Bio'''<br> Jason is a remarkable trainer, mastering five different training courses within a year’s time to our most valuable longstanding but diverse clients. The client base included a large financial institution, several leading shipping and logistics Management Company, and a leading Government systems integrator.<br>

Jason has also taught Advanced Web Application Security Testing and Building Secure Web Applications classes at OWASP 2008 conferences in Belgium and India.<br>

Common remarks returned from Jason’s class evaluations include '''“This is probably one of the most important classes I‘ve been exposed to here”''' and '''“One of the best instructors I’ve ever had. Really knowledgeable of the subject. Kept class interested by sharing real life examples that depicted good scenarios”'''<br>

==== Venue ====

The event will be held in Campinas, SP, Brazil at: [http://www.cpqd.com.br Fundação CPQD].

You can check the location at [http://maps.google.com.br/maps/ms?source=embed&hl=pt-BR&geocode=&ie=UTF8&update=1&t=h&msa=0&msid=104978801628275418750.000462bf2d1a49a7571af&ll=-22.83125,-47.044315&spn=0.03718,0.04034&z=14 Google Maps]

''How to get there''

TBD

==== Registration ====

== Online Registration ==

TBD

== Conference Fees ==

TBD

==== Committees ====

== Conference Committee ==

OWASP Global Conferences Committee Chair: Mark Bristow

OWASP [[Brazilian]] Chapter Leader: Wagner Elias

AppSec Brasil 2010 Organization Team (organizacao2010 at appsecbrasil.org):

*Conference General Chair: Lucas C. Ferreira
*Tutorials Chair: Eduardo Camargo Neves
*Tracks Chair: Luiz Otávio Duarte
*Local Chair: Alexandre Melo Braga

=== Team Members ===

*Alexandre Melo Braga
*Eduardo Camargo Neves
*Lucas C. Ferreira
*Luiz Otávio Duarte
*Wagner Elias
*Eduardo Alves Nonato da Silva
*Leonardo Buonsanti
*Dinis Cruz
*Paulo Coimbra

<br> <br>

==== Travel ====

TBD

==== Links ====

Blog: http://blog.appsecbrasil.org

Twitter: http://twitter.com/owaspappsecbr

<br> <headertabs />

[[Category:OWASP_AppSec_Conference]]

File:Oportunidade de Patrocinio HQ.pdf

2010-03-24T13:37:57Z

Camargoneves: PDF file describing que sponsorship opportunities for OWASP AppSecBrasil 2010 in high resolution.

PDF file describing que sponsorship opportunities for OWASP AppSecBrasil 2010 in high resolution.

File:Oportunidade de Patrocínio LQ.pdf

2010-03-24T13:36:10Z

Camargoneves: uploaded a new version of "File:Oportunidade de Patrocínio LQ.pdf"

PDF file describing que sponsorship opportunities for OWASP AppSecBrasil 2010 in low resolution.

File:Oportunidade de Patrocínio HQ.pdf

2010-03-24T13:35:33Z

Camargoneves: PDF file describing que sponsorship opportunities for OWASP AppSecBrasil 2010 in high resolution.

PDF file describing que sponsorship opportunities for OWASP AppSecBrasil 2010 in high resolution.

File:Oportunidade de Patrocínio LQ.pdf

2010-03-24T13:34:29Z

Camargoneves: PDF file describing que sponsorship opportunities for OWASP AppSecBrasil 2010 in low resolution.

PDF file describing que sponsorship opportunities for OWASP AppSecBrasil 2010 in low resolution.

OWASP O2 Platform/WIKI/Active O2 Users

2009-11-23T03:51:02Z

Camargoneves: /* Brazil */

this page list Active O2 users based on their geographical location:

== Companies ==
=== USA ===
* '''Washinton DC''': [www.cigital.com Cigital]

== Individuals ==
=== US ===
* '''Boston''': Ian Spiro
* '''Washington DC''': John Steven

=== Brazil ===
* '''Brazilia''': Dyemes Cartegyano
* '''São Paulo''': Wagner Elias

Global Conferences Committee - Application 2

2009-11-04T01:01:36Z

Camargoneves:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----
{| style="width:100%" border="0" align="center"
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM'''
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Lucas C. Ferreira.
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Brazilian Chapter member, AppSec Brasil 2009 Chair.
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Global Conferences Committee.
|}
----

----
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''.
An incomplete application will not be considered for vote.
----

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS'''
|-
! align="center" style="background:white; color:white"|<font color="black">
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name'''
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content'''
|-
| style="width:3%; background:#cccccc" align="center"|'''1'''
| style="width:20%; background:#cccccc" align="center"| Eduardo Vianna de Camargo Neves
| style="width:20%; background:#cccccc" align="center"| GEC Member
| style="width:57%; background:#cccccc" align="center"| An outstanding OWASP Member that allocated heart and soul to make the OWASP AppSec Brasil 2009 happens and is already doing the same for the 2010 Edition. Moreover, Lucas is a high evangelist of OWASP resources within the Brazilian IT Community with a strong presence on the Government Sector and Academia.
|-
| style="width:3%; background:#cccccc" align="center"|'''2'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|-
| style="width:3%; background:#cccccc" align="center"|'''3'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|-
| style="width:3%; background:#cccccc" align="center"|'''4'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|-
| style="width:3%; background:#cccccc" align="center"|'''5'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|}
----

AppSec Brasil 2009 (pt-br)

2009-10-24T16:31:30Z

Camargoneves: /* Datas */

=Conferência Internacional de Segurança de Aplicações (AppSec Brasil 2009)=

A comunidade [http://www.ticontrole.gov.br Comunidade TI-Controle] e o Centro de Informática da [http://www.camara.gov.br Câmara dos Deputados] apresentam a '''Conferência Internacional de Segurança de Aplicações''', que será realizada com o apoio do OWASP ([http://www.owasp.org/index.php/About_OWASP Open Web Application Security Project]) em [http://en.wikipedia.org/wiki/Brasília Brasília], capital do Brasil. A conferência consistirá de dois dias de treinamentos, seguidos de dois dias de plenárias em trilha única.

[[Image:Brasilia Panorama.jpg]]

==Datas==

A Conferência ocorrerá do dia 27 ao 30 de outubro de 2009. Os dias 27 e 28 de outubro serão dedicados ao mini-cursos e os dias 29 e 30 terão as sessões plenárias.

==== Promoção====

Esta conferência é promovida pela Comunidade [http://www.ticontrole.gov.br TI-Controle] e organizada pelo Centro de Informática da [http://www.camara.gov.br/ Câmara dos Deputados].

A Conferência tem o apoio do OWASP, [[Brazilian | Capítulo Brasil]], como provedor de conteúdo (seleção de palestras e cursos e montagem da grade de horários).

A Conferência tem o apoio da [http://www.unb.br Universidade de Brasília (UnB)] [[image:Unb.gif|60px]]

A Conferência é patrocinada por [http://www.conviso.com.br Conviso IT Security] [[File:CorVersao_BR_Small.jpg|200px]]

====Keynotes====
'''Gary McGraw'''

CTO, [http://www.cigital.com Cigital]

<br>

[[Image:GaryMcGraw.JPG|left|60px]]

''Título:'' '''O Modelo de Maturidade Building Security In (BSIMM)'''

''Biografia:''
Gary McGraw é o CTO da Cigital, Inc., uma empresa de segurança e qualidade de software com sede em Washington, Estados Unidos. Ele é reconhecido mundialmente como uma autoridade em segurança de software e é autor de oito importantes livros sobre este tópico, incluindo: "Java Security", "Building Secure Software", "Exploiting software", "Software Security" e "Exploiting Online Games". Ele é também editor da série de livros sobre segurança de software na editora Addison-Wesley. Dr. McGraw também escreveu mais de 100 artigos científicos, escreve uma coluna mensal para o site informIT e é frequentemente citado na mídia. Além de servir como consultor estratégico para importantes empresas e executivos de TI, Gary faz parte dos Conselhos Administrativos das empresas Fortify Software e Raven White. Ele recebeu um PhD duplo em Ciência Cognitiva e Ciência da Computação pela Universidade de Indiana, onde ele faz parte do Conselho Consultivo da Escola de Informática. Ele também produz o podcast "Silver Bullet" para a revista IEEE Security & Privacy e produz o podcast Reality Check Security para o site CSO online.

'''Jason Li'''

[http://www.aspectsecurity.com Aspect Security]

''Título:'' '''Ágil e Seguro: É possível fazer os dois?'''

Co-autor: '''Jerry Hoff''', Aspect Security

''Biografias:''
Jason Li é engenheiro senior de segurança de aplicações na Aspect Security. Jason conduz revisões de arquiteturas de segurança, revisão de segurança em código de aplicações, testes de segurança e provê treinamentos de segurança em aplicações Web para diversas empresas do ramo de varejo, financeiro e governamentais. Ele também é ativamente envolvido na OWASP, apoiando do Comitê de Projetos Globais da OWASP e como co-autor do Projeto Antisamy da OWASP (versão Java). Jason obteve seu pós-mestrado em Ciências da Computação com concentração em Segurança da Informação pela Universidade Johns Hopkins. Ele obteve seu grau de Mestre em Ciências da Computação pela Universidade Cornell, onde obteve também sua graduação dupla, em Ciências da COmputação e Pesquisador de Operações.

Jerry Hoff é engenheiro senior de segurança de aplicações na Aspect Security. Jerry coordena e executa numerosas revisões de segurança em código de aplicações para clientes de diversas industrias. Jerry também fornece treinamentos para clientes e possui mais de 10 anos de experiência ensinando e desenvolvendo. Jerry também é envolvido com a OWASP e foi o líder do projeto AntiSamy .net. Ele possui mestrado em Ciências da Computação pela Universidade de Washington em St. Louis.

'''Dinis Cruz'''

OWASP Board

''Título:'' '''A Definir'''

''Biografia:''

A definir.

'''Kuai Hinojosa'''

OWASP

''Título:'' '''Implementando Aplicações Web Seguras Usando Recursos do OWASP'''

''Biografia:''

Kuai Hinojosa desenvolve e protege aplicações Web por mais de 12 anos. Anteriormente, ele trabalhou no setor bancário como administrador de segurança de base de dados para o quinto maior banco dos Estados Unidos, onde ele trabalhou em um pequeno time de desenvolvimento de aplicações para proteção dos ativos da empresa. Ele trabalha agora na Universidade de Nova Yorque como Especialista de Aplicações Web onde ele continua a empregar o desenvolvimento de aplicações Web e a experiência em segurança de aplicações para proteger os recursos da universidade. Em seu tempo livre, Kuai se voluntaria para catequisar sermões de segurança de aplicações and liderar o capítulo de Mineapolis da OWASP. Kuai é membro do Comitê Global de Edução da OWASP.

====Agenda ====

'''Programa da Conferência - Dia 1 - 29 de outubro de 2009 '''

<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Recepção'''
|-
| width="14%" height="17" align="right" | 09:00 - 10:00
| bgcolor="#eeeeee" align="CENTER" | '''Abertura'''
|-
| width="14%" height="49" align="right" | 10:00 - 10:30
| bgcolor="#b9c2dc" align="CENTER" | '''Dinis Cruz<br>''' Apresentação do Projeto OWASP
|-
| width="14%" height="32" align="right" | 10:30 - 12:30
| bgcolor="#eeeeee" align="CENTER" | '''Gary McGraw (Cigital)<br>''' Modelo de Maturidade Building Security In (BSIMM)
|-
| width="14%" height="17" align="right" | 12:30 - 14:00
| bgcolor="#d98b66" align="CENTER" | '''Almoço'''
|-
| width="14%" height="47" align="right" | 14:00 - 14:50
| bgcolor="#b9c2dc" align="CENTER" | '''Dinis Cruz<br>''' Apanhado dos Projetos do OWASP
|-
| width="14%" height="32" align="right" | 14:50 - 15:40
| bgcolor="#eeeeee" align="CENTER" | '''Thomas Schreiber<br>''' As Camadas Lógica e Semântica da Segurança de Aplicações Web
|-
| width="14%" height="17" align="right" | 15:40 - 16:00
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 16:00 - 16:50
| bgcolor="#b9c2dc" align="CENTER" | '''Brian Contos<br>''' O Uso de Web Application Firewalls (WAF) e Sistemas de Database Activity Monitoring (DAM) Para Melhorar a Segurança de Código
|-
| width="14%" height="32" align="right" | 16:50 - 17:40
| bgcolor="#eeeeee" align="CENTER" | '''Matt Tesauro<br>''' ROI: Otimize os Gastos com Segurança
|-
| width="14%" height="47" align="right" | 17:40 - 18:30
| bgcolor="#b9c2dc" align="CENTER" | '''Pravir Chandra <br>''' O Modelo de Maturidade “Software Assurance Maturity Model (SAMM)”
|-
| width="14%" height="17" align="right" | 18:30 - 18:35
| bgcolor="#cccccc" align="CENTER" | '''Encerramento do Primeiro Dia'''
|}
</center>
<br>

<br> '''Programa da Conferência - Dia 2 - 30 de outubro de 2009'''

<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Recepção'''
|-
| width="14%" height="32" align="right" | 09:00 - 10:30
| bgcolor="#b9c2dc" align="CENTER" | '''Jason Li e Jerry Hoff (Aspect Security) '''<br> Ágil e Seguro - É possível fazer os dois?
|-
| width="14%" height="17" align="right" | 10:30 - 10:50
| bgcolor="#d98b66" align="CENTER" | '''Intervalo'''
|-
| width="14%" height="47" align="right" | 10:50 - 11:40
| bgcolor="#eeeeee" align="CENTER" | '''Cassio Goldschmidt'''<br> Praticas e ferramentas fundamentais para o desenvolvimento de software seguro
|-
| width="14%" height="32" align="right" | 11:40 - 12:30
| bgcolor="#b9c2dc" align="CENTER" | '''Luiz Otávio Duarte'''<br> Abordagem Preventiva para Teste de Segurança em Aplicações Web
|-
| width="14%" height="17" align="right" | 12:30 - 14:00
| bgcolor="#d98b66" align="CENTER" | '''Almoço'''
|-
| width="14%" height="32" align="right" | 14:00 - 15:10
| bgcolor="#eeeeee" align="CENTER" | '''Kuai Hinojosa (NY University)'''<br> Implementando Aplicações Web Seguras Usando Recursos do OWASP
|-
| width="14%" height="32" align="right" | 15:10 - 16:00
| bgcolor="#b9c2dc" align="CENTER" | '''Sebastian Cufre'''<br> Técnicas Automáticas para “SQL Ownage”

|-
| width="14%" height="17" align="right" | 16:00 - 16:20
| bgcolor="#d98b66" align="CENTER" | '''Intervalo'''

|-
| width="14%" height="32" align="right" | 16:20 - 17:10
| bgcolor="#eeeeee" align="CENTER" | '''Klaubert Herr da Silveira'''<br> ModSecurity: Firewall OpenSource para Aplicações Web (WAF)
|-
| width="14%" height="32" align="right" | 17:10 - 18:00
| bgcolor="#b9c2dc" align="CENTER" | '''Philippe Sevestre'''<br> Programação Segura utilizando Análise Estática
|-
| width="14%" height="17" align="right" | 18:00 - 18:30
| bgcolor="#cccccc" align="CENTER" | '''Encerramento'''
|}
</center>

====Resumos das Palestras====

'''O Modelo de Maturidade Building Security In (BSIMM)'''

''Gary McGraw'', Cigital

Como uma disciplina, segurança de software tem feito grande progresso na última década. Existem hoje pelo menos 34 grandes iniciativas de segurança de software em empresas, incluindo as empresas de serviços financeiros globais, os fornecedores de software independentes, organizações de defesa, e outros setores. Em 2008, Brian Chess, Sammy Migues e eu entrevistamos os executivos usando nove iniciativas baseadas nas doze práticas do Framework de Segurança de Software como o nosso guia. Essas empresas, entre as nove que gentilmente concordaram em ser identificadas, incluem: Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, e Wells Fargo. Os resultados obtidos, traçados com base em programas reais em diferentes níveis de maturidade, foram utilizados para para orientar a construção do Construindo Segurança no Modelo de Maturidade (em inglês, Building Security In Maturity Model - BSIMM). Esta palestra irá descrever o modelo de maturidade baseado em observação, aproveitando exemplos reais de muitos programas de segurança de software. Um modelo de maturidade é adequado pois ao melhorar a segurança do software quase sempre significa mudar a forma como uma organização trabalha --- pessoas, processos, automação são todos necessários. Embora nem todas as organizações necessitam alcançar os mesmos objetivos de segurança, todas iniciativas de segurança de software em larga escala compartilham idéias e abordagens comuns. Se você acreditar na Cigital Touchpoints, no SDL da Microsoft, ou OWASP CLASP, há muito a aprender com experiências práticas. Utilize o BSIMM como uma referência para determinar onde você está e que tipo de plano de segurança do software irá funcionar melhor para você.

'''Ágil e Seguro: É possível fazer os dois?'''

''Jason Li and Jerry Hoff'', Aspect Security

As metodologias ágeis estão tomando o mundo do desenvolvimento de software como uma tempestade, porém a segurança está se adaptadando vagarosamente. O que nós podemos aprender do movimento ágil? É possível obter segurança e permanecer ágil? Jason e Jerry irão compartilhar as experiências de trabalho da Aspect Security com times ágeis para garntir segurança e economizar dinheiro. Eles irão comparar e contrastar o modelo tradicional de cascata com os processos ágeis e mostrar como nós podemos alcançar confiabilidade e segurança enquanto os principios ágeis são mantidos.

'''Implementando Aplicações Web Seguras Usando Recursos do OWASP'''

''Kuai Hinojosa'', NY University e OWASP

Universidade são chaves para tornar a segurança de aplicação visível e a necessidade de educar desenvolvedores de software quanto a importância da segurança de aplicações ser um aspecto primordial no desenvolvimento de software nunca foi tão importante.
Nesta apresentação eu irei mostrar como os recursos da OWASP podem ser utilizados por universidades para desenvolver, testar e implementar aplicações Web seguras. Eu irei discutir desafios que universidades atualmente encontram para integrar as melhores práticas de segurança de aplicações e descrever como as ferramentas e recursos da OWASP são utilizados na Universidade de Nova York para testar as falhas mais comuns em aplicações Web. Eu irei introduzir projetos como a API de Segurança Corporativa da OWASP pode ser utilizado para mitigar as falhas mais comuns em aplicações Web e compartilhar as iniciativas que o Comitê Global de Educação está desenvolvendo.
Se você estiver interessado em proteger aplicações Web e como apoiar o Comitê Global de Educação da OWASP, você não pode perder esta apresentação!

'''Apresentação do projeto OWASP'''

''Dinis Cruz'', OWASP

Esta palestra apresenta o que é e como funciona o projeto OWASP – Open Web Application Security Project, cujo objetivo é o desenvolvimento coletivo e aberto de soluções e documentos que permitam o desenvolvimento de sistema mais seguros.

'''Projetos da OWASP que podem ser utilizados livremente nas organizações'''

''Dinis Cruz'', OWASP

Esta palestra dará um apanhado geral dos projetos desenvolvidos pelo OWASP que podem ser utilizados livremente em todas as organizações. Estes projetos envolvem desde manuais e guias até ferramentas de software. A ideia e mostrar à audiência a ampla gama de materiais disponíveis e as possibilidade de colaboração com a comunidade através do projeto OWASP.

'''As Camadas Lógica e Semântica da Segurança de Aplicações Web'''

''Thomas Schreiber'', SecureNet

Muitos problemas que ocorrem em aplicações web decorrem da forma como a lógica de negócios é mapeada em código. Esta apresentação irá mostrar como ataques reais podem decorrer de falhas nas camadas lógica e semântica das aplicações. A apresentação também mostrará como evitar estas armadilhas.

'''O Uso de Web Application Firewalls (WAF) e Sistemas de Database Activity Monitoring (DAM) Para Melhorar a Segurança de Código'''

''Brian Contos'', Imperva

Hoje em dia, os ataques à infraestrutura de TI estão se concentrando nos ativos que armazenam e processam dados: aplicações e base de dados. Em resposta, as organizações estão adotando novas medidas de segurança de aplicações e dados, que permitem monitorar e proteger contra ataques desta natureza. Esta apresentação irá introduzir duas destas tecnologias, os Web Application firewalls (WAF) e os sistemas de Database Activity Monitoring (DAM).

'''ROI: Otimize os Gastos com Segurança'''

''Matt Tesauro''

Esta palestra apresentará como alguns dos projetos desenvolvidos no âmbito do OWASP podem melhorar a segurança das organizações de forma econômica. Alguns dos produtos que podem ser usados gratuitamente pelas organizações são o OWASP Top Ten, os guias de testes e desenvolvimento de aplicações seguras. Um estudo de caso será apresentado em que a economia chegou a US$ 400.000,00 por ano.

'''O Modelo de Maturidade “Software Assurance Maturity Model (SAMM)”'''

''Pravir Chandra'', Fortify

O SAMM – Software Assurance Maturity Model é um framework que permite a inclusão de aspectos de segurança em uma organização de desenvolvimento de software. Este modelo permite que as organizações verifiquem sua maturidade com relação ao desenvolvimento seguro de aplicações e criem scorecards para medir seu progresso. Esta palestra apresentará o framework e mostrará o caminho recomendado para que as organizações implantem as práticas de segurança no desenvolvimento de sistemas.

'''Técnicas Automáticas para “SQL Ownage”'''

''Sebastian Cufre'', Core Security

Esta palestra descreve formas de melhorar os processos de verificação de vulnerabilidades de SQL Injection provendo formas de descartar os falsos-positivos e confirmar as vulnerabilidades exploráveis.

'''Praticas e ferramentas fundamentais para o desenvolvimento de software seguro'''

''Cássio Goldschmidt'', Symantec

Implementar um programa de segurança para todo o ciclo de vida de aplicações pode ser uma tarefa árdua e custosa . Por isso, no desenvolvimento dessa proposta será demonstrado como é possível atenuar o custo desse empreendimento, usando recursos de ótima qualidade disponíveis na Internet e estudando quais as práticas consideradas fundamentais pelas empresas integrantes do SAFECode (EMC, Juniper, Microsoft, Nokia, SAP, Symantec).

'''Abordagem Preventiva para Teste de Segurança em Aplicações Web'''

''Luiz Otávio Duarte, Ferrucio de Franco Rosa e Walcir M. Cardoso Jr.'', CTI/MCT

O objetivo da palestra é apresentar a abordagem utilizada pelo CTI/MCT (Centro de Tecnologia da Informação Renato Archer / Ministério da Ciência e Tecnologia) para testes de segurança em aplicações web. Primeiramente, será feita uma introdução, incluindo conceitos importantes, motivação, dados estatísticos e vulnerabilidades mais críticas. Posteriormente, serão apresentadas técnicas para teste de segurança em software. Com a audiência situada com relação aos conceitos e técnicas base, será apresentada a abordagem utilizada pela instituição para teste de segurança em aplicações web, tais como inspeção de código fonte, expressões regulares e técnicas de detecção de vulnerabilidades.

'''ModSecurity, Firewall de Aplicação Web Open Source'''

''Klaubert Herr da Silveira''

Com a crescente complexidade e importância das aplicações web, prazos curtos para desenvolvimento, novas técnicas de ataque, regulações, busca por melhores práticas e a falta de atenção e/ou foco do desenvolvedor com a segurança, torna-se necessário adicionar uma nova camada de segurança para aplicações web, os "firewall de aplicações web" ou WAF's. Esta apresentação introduzirá os conceitos de WAF, e em especial o ModSecurity, Firewall OpenSource para Aplicações Web, uma poderosa e complexa ferramenta desenhada para entender e proteger as aplicações web nos seus mais variados tipos. Serão apresentadas suas funcionalidades, bem como ele pode ajudar no dia a dia de um site web, seja na monitoração, proteção ou mesmo na depuração das aplicações web.

'''Programação Segura utilizando Análise Estática'''

''Philippe Sevestre'', LeadComm

Criar um código que seja seguro requer mais do que apenas boas intenções. Os programadores precisam saber como fazer com que seu código seja seguro em um número quase infinito de cenários e configurações. A análise estática do código dá a seus usuários a habilidade de revisar o produto de seu trabalho com um “pente fino” , revelando as falhas que conduzem diretamente a vulnerabilidades. Esta palestra contextualiza o problema de segurança de software e mostra como a análise estática é parte da solução do mesmo.

====Mini-Cursos====

'''Gestão de Riscos de Segurança Aplicada a Web Services'''

''José Eduardo Malta de Sá Brandão'', IPEA

Data: 27/10
Período: manhã

O objetivo deste minicurso é apresentar a disciplina de gestão de riscos de segurança associada a web Services. O enfoque do curso visa elucidar aspectos conceituais e sistemáticos nestas metodologias, exemplificado em um estudo de caso que visa reforçar a utilidade e necessidade do uso destas metodologias para o entendimento e o desenvolvimento de web services. O curso deverá fornecer aos alunos base para desenvolverem seus próprios projetos de gestão de riscos. As apresentações deverão discorres sobre conceitos, descrição de modelos e na comparação dos principais padrões relacionados à gestão de riscos na segurança.

'''Segurança  Web:  Técnicas  para  Programação  Segura  de  Aplicações'''

''André Ricardo Abed Grégio e Vitor Monte Afonso'', CTI/MCT, ''Paulo Licio de Geus'', IC/UNICAMP

Data: 28/10
Período: tarde

O treinamento visa apresentar os princípios e técnicas de programação segura, principalmente programação de
aplicações Web, abordando conceitos fundamentais da área, detalhando as vulnerabilidades possíveis de serem
exploradas e com foco nos métodos de mitigação destas falhas. São abordados exemplos práticos de como corrigir
vulnerabilidades baseadas no OWASP top 10 em diferentes linguagens de programação, com trechos de código
vulnerável de aplicações Web retirados de revisões de código realizadas pelos autores. São apresentadas também
algumas ferramentas para detecção de ataques e testes de vulnerabilidades em aplicações Web.

'''Segurança Computacional no Desenvolvimento de Web Services'''

''Júlio Cesar Estrella et al'', ICMC/USP

Data: 28/10
Período: integral (manhã e tarde)

Este minicurso apresenta o desenvolvimento de aplicações distribuídas utilizando o conceito de SOA
levando em consideração os aspectos de segurança computacional. Para o desenvolvimento das
aplicações clientes e servidoras serão considerados o uso da engine Apache Axis2. São abordados os
componentes básicos do Axis2, os tipos e modelos de invocação de Web Services bem como suas
principais características. Dois padrões de segurança para a construção de Web Services são
abordadas no contexto da engine Apache Axis2: WS-Security e SAML. A metodologia utilizada para
este minicurso envolve a utilização de tópicos expositivos e de exercícios práticos, abordando os
conceitos fundamentais da engine Axis2, e a construção de aplicações reais com foco em segurança.

'''Tecnologias de Segurança em Web Services'''

''Eduardo Takeo Ueda e Wilson Vicente Ruggiero'', Poli/USP

Data: 28/10
Período: manhã

Devido a sua característica de integração e por fazer uso de padrões abertos, os web services se tornaram uma área de grande interesse para acadêmicos e a indústria nos últimos anos. Inicialmente, pretendemos introduzir aos participantes os conceitos básicos da arquitetura orientada a serviços, com o intuito do treinamento ser auto-suficiente. Posteriormente serão apresentados os principais padrões e especificações de segurança que estão sendo desenvolvidos e devem ser adotados em web services. Por fim, o treinamento culmina com a exposição e caracterização de desafios atuais em segurança de web services.

'''Hands on Web Application Testing using the OWASP Testing Guide.'''

''Matt Tesauro'', OWASP

<span style="color:#ff0000">Este treinamento será ministrado em inglês sem tradução simultânea.</span>

'''<span style="color:#ff0000">Atenção: Este treinamento requer um notebook por aluno para a parte prática. Cada aluno deverá trazer seu próprio notebook.</span>'''

Data: 27 e 28/10 (2 dias)
Período: integral (manhã e tarde)

O treinamento irá cobrir as áreas críticas do teste de aplicações Web utilizando o Guia de Testes (Testing Guide) da OWASP v3, como framework de testes de aplicação, e o OWASP Live CD, com as ferramentas para realizar os testes. Uma versão customizada do OWASP Live CD irá ser criada para o treinamento. Ela irá incluir um ambiente controlado de testes oferecendo aplicações vulneráveis de forma que tanto as ferramentas e as aplicações para testar as ferramentas serão incluídas.

====Local====

'''Local das plenárias'''

[[Image:CongressoNacional.jpg|The Palácio do Congresso building]]

O evento será na Câmara dos Deputados em Brasília, DF, Brasil no endereço: Auditório Nereu Ramos, Câmara dos Deputados - Anexo II, Praça dos Três Poderes.

Veja a localização no [http://maps.google.com/maps?f=q&source=s_q&hl=pt-BR&geocode=&q=anexo+II,+camara+dos+deputados,+brasilia&sll=37.0625,-95.677068&sspn=43.934478,79.101563&ie=UTF8&t=h&ll=-15.800058,-47.865822&spn=0.01309,0.019312&z=16 Google Maps]

''Como chegar ao local da Conferência''

A definir

'''Local dos Mini-cursos'''

Os mini-cursos ocorrerão no Centro de Formação, Treinamento e Aperfeiçoamento da Câmara dos Deputados, localizado na via N3, Projeção L, Setor de Garagens Ministeriais Norte, Complexo Avançado da Câmara dos Deputados, Bloco B. Veja a localização no [http://maps.google.com.br/maps/ms?ie=UTF8&hl=pt-BR&msa=0&ll=-15.793895,-47.864009&spn=0.005017,0.006866&t=h&z=17&msid=106468407154665154285.0004577c477849eda80f3 mapa].

''Como chegar ao local dos Mini-cursos''

Estamos verificando a possibilidade de haver transporte de algum ponto da Esplanada dos Ministérios até o local dos mini-cursos. Assim que tivermos mais informações, divulgaremos nesta página.

Para ir de táxi, mostre o mapa acima para o motorista. É pouco provável que o motorista consiga chegar apenas com o endereço do local.

Não aconselhamos ir de carro, pois há séria dificuldade em encontrar vagas para estacionar na região do Congresso e Ministérios.

====Inscrições====

A Conferência será gratuita, mas será necessário inscrever-se previamente.

A página com o formulário de inscrições foi publicada [http://www.camara.gov.br/appsecbrasil2009 aqui]

====Organização====

'''Comitês'''

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

2009 AppSec Brasil - Comitê de Programa (appsec.brasil@camara.gov.br):
* Coordenador Geral: Lucas C. Ferreira (lucas.ferreira at owasp.org)
* Coordenador de Tutoriais: Eduardo V. C. Neves (eduardo.neves at owasp.org)
* Coordenador do Programa: Wagner Elias (wagner.elias at owasp.org)

Equipe Organizadora

* Cassio Goldschmidt (cassio 'at' owasp.org)
* Kuai Hinojosa (kuai.hinojosa 'at' owasp.org)
* Leonardo Cavallari - (leo.cavallari 'at' owasp.org)
* Thiago Lechuga (thiagoalz 'at' gmail.com)
* Dinis Cruz (dinis.cruz 'at' owasp.org)

====Links ====

Página do evento no LinkedIn: http://events.linkedin.com/OWASP-AppSec-Brasil/pub/65160

====Perguntas Frequentes====

'''Quem está promovendo a conferência?'''

Esta conferência é promovida e organizada pela [http://www.ticontrole.gov.br Comunidade TI-Controle] e a [http://www.camara.gov.br Câmara dos Deputados], sendo os conteúdos (apresentações, palestras, cursos, etc) selecionados pelo [[Brazilian| Capítulo Brasil da OWASP]].

'''Quanto irá custar?'''

Nada. Graças ao seu patrocinador, a participação da conferência será gratuita. No entanto, devido ao número limitados de participantes, recomenda-se registrar antecipadamente.

'''''Chamada de Trabalhos'''''

'''O que é a OWASP (Open Web Application Security Project)?'''

A OWASP (Projeto Aberto de Segurança de Aplicações Web, em português) é uma comunidade mundial aberta e livre focada em melhorar a segurança de aplicações. Nossa missão é tornar a segurança de aplicações visível, para que pessoas e organizações possam tomar decisões informadas sobre os reais riscos da segurança de aplicações. Todo mundo é livre para participar na OWASP e todo nosso material é disponível sob um licença de software livre e aberta. A Fundação OWASP é uma organização sem fins lucrativos que garante a constante disponibilidade e suporte para nosso trabalho com seu suporte.

'''Quantas sessões haverão?'''

Veja a agenda na [http://www.owasp.org/index.php/AppSec_Brasil_2009 página principal] da conferência.

'''Quais são os prazos para submissão?'''

O prazo para submissão é 11 de Julho, sendo que a versão final dos trabalhos selecionados deve ser enviado até 15 de setembro de 2009.

'''Quem poderá submeter trabalhos?'''

Autores principais podem submeter seus trabalhos para avaliação. Representantes de terceiros, como empresas de relações públicas ou representantes de palestrantes, NÃO DEVEM submeter trabalhos em nome de um potencial palestrante.

'''Por que submissões de trabalhos por Representantes, como empresas de RP, não são permitidos?'''

Devido aos direitos autorais e responsabilidade com problemas de propriedade intelectual, bem como a necessidade da OWASP ter contato direto com os potenciais apresentadores para fornecer detalhes e providenciar os materiais, nós requeremos que apenas os autores principais submetam suas apresentações. Representantes de terceiros, como empresas de relações públicas ou representantes de palestrantes, NÃO DEVEM submeter trabalhos em nome de um potencial palestrante.

'''Existe alguma restrição no conteúdo das apresentações?'''

Sim, todas as apresentações devem respeitar as regras definidas no [[Speaker Agreement |Acordo de Palestrantes da OWASP]]. Basicamente, as apresentações não devem possuir qualquer conteúdo promocional ou faça referência a marcas e produtos.

'''Quanto tempo eu terei que esperar antes de ser notificado se meu trabalho foi aceito ou negado?'''

Os autores serão notificados do resultado (aceito ou negado) em 7 de Agosto de 2009.

'''Existe algum honorário para os palestrantes?'''

Não. A OWASP é comprometida em tornar sua conferência para a maior audiência possível. Neste sentido, a OWASP manterá a entrada gratuita para a AppSec Brasil 2009 de forma a tornar a conferência acessível. Por conta disto, nós não somos capazes de oferecer gratificações mas recebemos nossos palestrantes como convidados para a conferência onde eles poderão interagir com outros profissionais de segurança. Nós iremos oferecer hospedagem e passagem aérea para um apresentador de cada tarabalho selecionado.

'''Eu fui aceito. Quais são os materiais que eu preciso depositar e quais são os prazos?'''

A lista a seguir apresenta os materiais que são requeridos para cada apresentação aceita. O não cumprimento na submissão desses materiais no prazo previamente determinado acarretará no cancelamento da aprovação do trabalho.
* [[Speaker_Agreement | Acordo de Palestrante]] (15 de Julho de 2009)
* Apresentação no formato PowerPoint conforme http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template] (15 de Setembro de 2009)
* Bibliografia detalhada de recursos, co-autores, etc (15 de Setembro de 2009)
* Opcional: Artigo para inclusão no CD da conferência (15 de Setembro de 2009)

'''Eu preciso submeter um artigo?'''

Não. Nós certamente apreciamos todo artigo que possa ser incluído no website e CD da conferência, mas isto não é orbigatório. Se você tem um artigo escrito para acompanhar sua apresentação, por favor envie-nos junto com sua submissão. Submissões com artigos anexados recebrão considerações adicionais.

'''O que acontece caso eu tenha um co-autor que não está apresentando. Como eu referencio esta pessoa??'''

Todos os co-autores e trabalhos utilizados devem ser citados na bibliografia detalhada que será publicada no CD da conferência.

'''Eu fui aceito e gostaria de adicionar um co-apresentador. Eu ainda posso fazer isso?'''

Não. Co-apresentadores devem ser adicionados no momento em que a apresentação for submetida. Eles podem participar da conferência e apresentar, caso se registrem como qualquer outro participante.

'''Minha empresa de RP/amigos/família/amigos de trabalho gostariam de prestigiar minha apresentação. A presença deles será permitida gratuitamente??'''

Sim, mas eles precisam se registrar pelo site como todo outro participante.

'''Eu tenho outras dúvidas...'''

Envie um e-mail para appsec.brasil@camara.gov.br a respeito deste evento.

__NOTOC__
<headertabs/>
[[Category:OWASP AppSec Conference]]

AppSec Brasil 2009

2009-10-24T16:30:22Z

Camargoneves: /* Conference Dates */

__NOTOC__

'''Para a versão em português, veja em [[AppSec Brasil 2009 (pt-br)]]'''

= International Conference on Application Security =

[http://www.ticontrole.gov.br TI-Controle] and the Computing Centre of the [http://www.camara.gov.br Deputy Chamber] present the '''First International Conference on Application Security''' that will happen in [http://en.wikipedia.org/wiki/Brasília Brasilia, Capital of Brazil] with the support of OWASP [[Brazilian]] Chapter. The Conference consists of two days of training sessions, followed by a two-day conference on a single track. [[Image:Brasilia Panorama.jpg]]

=== Conference Dates ===

The conference will happen from October 27th, 2009 to October 30th, 2009. The first two days will be tutorial days (see below). Plenary sessions will be held on October 29th and 30th.

<br>

==== Sponsorship ====

This conference is promoted by [http://www.ticontrole.gov.br TI-Controle] Community and organized by Computing Centre of [http://www.camara.gov.br/ Brazilian Deputy Chamber].

The conference is supported by OWASP [[Brazilian|Brazilian Chapter]], as content provider (talks selection, trainings and schedule grid).

The conference is supported by the [http://www.unb.br University of Brasilia] (UnB) [[Image:Unb.gif|60px]]

The conference is sponsored by [http://www.conviso.com.br Conviso IT Security] [[File:CorVersao_BR_Small.jpg|200px]]

==== Keynotes ====

[[Image:GaryMcGraw.JPG|left|60px]] '''Gary McGraw'''

CTO, [http://www.cigital.com Cigital]

''Title:'' '''The Building Security In Maturity Model (BSIMM)'''

''Bio:'' Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Java Security, Building Secure Software, Exploiting Software, Software Security, and Exploiting Online Games; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors, produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT), and produces the Reality Check Security Podcast for CSO Online.

<br>

'''Jason Li'''

[http://www.aspectsecurity.com Aspect Security]

''Title:'' '''Agile and Secure: Can We Do Both?'''

Co-author: '''Jerry Hoff''', Aspect Security

''Bio:'' Jason Li is a Senior Application Security Engineer at Aspect Security. Jason has led security architecture reviews, application security code reviews, penetration tests and provided web application security training services for a variety of commercial, financial, and government customers. He is also actively involved in the Open Web Application Security Project (OWASP), serving on the OWASP Global Projects Committee and as a co-author of the OWASP AntiSamy Project (Java version). Jason earned his Post-Master's degree in Computer Science with a concentration in Information Assurance from Johns Hopkins University. He earned his Master's degree in Computer Science from Cornell University, where he also earned his Bachelor's degree, double majoring in Computer Science and Operations Research.

Jerry Hoff is a Senior Application Security Engineer at Aspect Security. Jerry has led and performed numerous application security code reviews for clients across multiple industries. Jerry also provides training services for clients, and has over 10 years teaching and development experience. Jerry is also involved in the Open Web Application Security Project (OWASP) and was the lead developer of AntiSamy.net project. He has a master's degree in Computer Science from Washington University in St. Louis.

<br>

'''Dinis Cruz'''

OWASP Board

''Title:'' '''To be defined'''

''Bio:'' Coming Soon.

<br>

'''Kuai Hinojosa'''

OWASP

''Title:'' '''Deploying Secure Web Applications with OWASP Resources'''

''Bio:'' Kuai Hinojosa has been developing and securing web applications for about 12 years. He previously worked in the banking industry as a database security administrator for the 5th largest bank in the U.S. where he worked in a small team developing applications that protected company's assets. He now works for New York University as a Web Applications Specialist where he continues to use web application development and application security experience to protect university resources. In his spare time Kuai volunteers his time preaching the application security gospel and leading the Minneapolis OWASP chapter. Kuai is a member of the OWASP (Open Web Application Security Project) Global Education Committee.

==== Agenda ====

'''Conference Program - Day 1 - October 29th 2009 '''
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''
|-
| width="14%" height="17" align="right" | 09:00 - 10:00
| bgcolor="#eeeeee" align="CENTER" | '''Opening Ceremony'''
|-
| width="14%" height="49" align="right" | 10:00 - 10:30
| bgcolor="#b9c2dc" align="CENTER" | '''Dinis Cruz<br>''' What is OWASP?
|-
| width="14%" height="32" align="right" | 10:30 - 12:30
| bgcolor="#eeeeee" align="CENTER" | '''Gary McGraw (Cigital)<br>''' The Building Security In Maturity Model (BSIMM)
|-
| width="14%" height="17" align="right" | 12:30 - 14:00
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''
|-
| width="14%" height="47" align="right" | 14:00 - 14:50
| bgcolor="#b9c2dc" align="CENTER" | '''Dinis Cruz<br>''' OWASP Project Tour
|-
| width="14%" height="32" align="right" | 14:50 - 15:40
| bgcolor="#eeeeee" align="CENTER" | '''Thomas Schreiber<br>''' The Logic and Semantic Layer of Web Application Security
|-
| width="14%" height="17" align="right" | 15:40 - 16:00
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 16:00 - 16:50
| bgcolor="#b9c2dc" align="CENTER" | '''Brian Contos<br>''' Making a Case for Data Security to Network-Centric Peers and Managers and Leveraging Web Application Firewalls (WAF) and Database Activity Monitoring (DAM) to Augment Secure Coding & Review Practices
|-
| width="14%" height="32" align="right" | 16:50 - 17:40
| bgcolor="#eeeeee" align="CENTER" | '''Matt Tesauro<br>''' OWASP ROI: Optimize Security Spending using OWASP
|-
| width="14%" height="47" align="right" | 17:40 - 18300
| bgcolor="#b9c2dc" align="CENTER" | '''Pravir Chandra <br>''' Software Assurance Maturity Model (SAMM)
|-
| width="14%" height="17" align="right" | 18:30 - 18:35
| bgcolor="#cccccc" align="CENTER" | '''End of the First Day Program'''
|}
</center>
<br>

<br> '''Conference Program - Day 2 - October 30th 2009'''
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''
|-
| width="14%" height="32" align="right" | 09:00 - 10:30
| bgcolor="#b9c2dc" align="CENTER" | '''Jason Li e Jerry Hoff (Aspect Security) '''<br> Agile and Secure - Can we do both?
|-
| width="14%" height="17" align="right" | 10:30 - 10:50
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 10:30 - 11:40
| bgcolor="#eeeeee" align="CENTER" | '''Cassio Goldschmidt'''<br> Praticas e ferramentas fundamentais para o desenvolvimento de software seguro <br> (''Tools and Practices for Secure Software Development'')
|-
| width="14%" height="32" align="right" | 11:40 - 12:30
| bgcolor="#b9c2dc" align="CENTER" | '''Luiz Otávio Duarte'''<br> Abordagem Preventiva para Teste de Segurança em Aplicações Web <br> (''Preventive Approach for Web Application Security Testing'')
|-
| width="14%" height="17" align="right" | 12:30 - 14:00
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''
|-
| width="14%" height="32" align="right" | 14:00 - 15:10
| bgcolor="#eeeeee" align="CENTER" | '''Kuai Hinojosa (NY University)'''<br> Deploying Secure Web Applications with OWASP Resources
|-
| width="14%" height="32" align="right" | 15:10 - 16:00
| bgcolor="#b9c2dc" align="CENTER" | '''Sebastian Cufre'''<br> Automated SQL Ownage Techniques

|-
| width="14%" height="17" align="right" | 16:00 - 16:20
| bgcolor="#d98b66" align="CENTER" | '''Break'''

|-
| width="14%" height="32" align="right" | 16:20 - 17:10
| bgcolor="#eeeeee" align="CENTER" | '''Klaubert Herr da Silveira'''<br> ModSecurity: Firewall OpenSource para Aplicações Web (WAF) <br> (''ModSecurity, Open Source Web Application Firewall'')
|-
| width="14%" height="32" align="right" | 17:10 - 18:00
| bgcolor="#b9c2dc" align="CENTER" | '''Philippe Sevestre'''<br> Programação Segura utilizando Análise Estática <br> (''Secure Programming with Static Analysis'')
|-
| width="14%" height="17" align="right" | 18:00 - 18:30
| bgcolor="#cccccc" align="CENTER" | '''End of the Conference'''
|}
</center>

==== Presentation Abstracts ====

'''The Building Security In Maturity Model (BSIMM)'''

''Gary McGraw'', Cigital

As a discipline, software security has made great progress over the last decade. There are now at least 34 large scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008, Brian Chess, Sammy Migues and I interviewed the executives running nine initiatives using the twelve practices of the Software Security Framework as our guide. Those companies among the nine who graciously agreed to be identified include: Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The resulting data, drawn from real programs at different levels of maturity was used to guide the construction of the Building Security In Maturity Model (BSIMM). This talk will describe the observation-based maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works ---people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large scale software security initiatives share common ideas and approaches. Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. Use the BSIMM as a yardstick to determine where you stand and what kind of software security plan will work best for you.

<br> '''Agile and Secure: Can We Do Both?'''

''Jason Li and Jerry Hoff'', Aspect Security

Agile is taking the software development world by storm, but security has been slow to adapt. What can we learn from the Agile movement? Is it possible to achieve security and remain Agile? Jason and Jerry will share Aspect Security's experiences working with Agile teams to gain assurance and save money. They'll compare and contrast traditional waterfall and agile processes and show how we can achieve assurance and security while remaining true to Agile principles.

<br> '''Deploying Secure Web Applications with OWASP Resources'''

''Kuai Hinojosa'', NY University and OWASP

Universities are key to making application security visible and the need to educate software developers about application security as an aspect of proper software development has never been more important. In this presentation I will share how OWASP resources can be used by universities to develop, test and deploy secure web applications. I will discuss challenges that Universities currently face integrating a pplication security best practices, describe how OWASP tools and resources are currently used at New York University to test for most common web application flaws. I will introduce projects such as the OWASP Enterprise Security API which can be used to mitigate most common flaws in web applications and share initiatives the OWASP Global Education Committee is currently working on. If you are interested in securing web applications, and supporting the OWASP Global Education Committee efforts you don't want to miss this!

<br> '''What is OWASP'''

''Dinis Cruz'', OWASP

TBD.

<br> '''OWASP Project Tour'''

''Dinis Cruz'', OWASP

TBD.

<br> '''The Logic and Semantic Layer of Web Application Security'''

''Thomas Schreiber'', SecureNet

Testing Web Application Security mostly focusses on technical weaknesses only. But there is a huge field of potential weaknesses above the server layer and beyond the implementational aspects. Even if a web application is totally free from security bugs in code and system, it may still be vulnerable to dangerous threats. It is the kind how the business logic is mapped onto software, that gives an attacker a starting point for his bad intents. The presentation shows, illustrated with various real examples, how a clever hacker may reveal sensitive data - including credit card data -, enter into user accounts or conduct a denial-of-service on the whole infrastructure - not only the server - by attacking the logical and semantical layers. The presentation also gives hints on how to avoid these pitfalls.

<br> '''Making a Case for Data Security to Network-Centric Peers and Managers and Leveraging Web Application Firewalls (WAF) and Database Activity Monitoring (DAM) to Augment Secure Coding & Review Practices'''

''Brian Contos'', Imperva

Information system security has changed. The days of being focused on network security measures, operating system vulnerabilities, and open ports, while still important, is no longer the main concern for most organizations. Today, the attackers – organized crime, competitors, nation-states, and malicious insiders are going after the assets that process and store data: applications and databases. The criminals are already fighting the fight on this front. In response, organizations are deploying new defenses - adopting application and data security countermeasures that allow them to protect, monitor and respond to nefarious activity.

<br> '''OWASP ROI: Optimize Security Spending using OWASP'''

''Matt Tesauro''

Considering the current economic times, security spending is tighter than ever. This presentation will cover the Open Web Application Security Project (OWASP) projects and how they can improve your application security posture in a budgetfriendly way. OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. The OWASP Foundation is a notforprofit entity and provides unbiased, practical, costeffective information about application security. Projects covered include the OWASP Top 10, OWASP Testing Guide, OpenSAMM Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Application Security Desk Reference (ASDR) and others. A case study of a specific company's success with implementing OWASP methodologies and tools will also be provided. In this case study, the company realized a saving of nearly $400,000 in year one.

<br> '''Software Assurance Maturity Model (SAMM)'''

''Pravir Chandra'', Fortify

The Software Assurance Maturity Model (SAMM) (http://www.opensamm.org) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. SAMM is an open a free project and has recently been added under the Open Web Application Security Project (OWASP).

<br> '''Automated SQL Ownage Techniques'''

''Sebastian Cufre'', Core Security

This talk is about web application security assessment. In particular, in this talk we set to improve the assessment process for SQL injection vulnerabilities by providing the means to discard exogenous "false positive" alarms and confirm exploitable vulnerabilities.

We propose a black-box technique to detect and exploit SQL injection vulnerabilities. The exploitation provides an interface to execute arbitrary SQL code through them. Therefore, we are able to thoroughly assess the impact of the vulnerability (e.g., understand what a hacker can do).

The core of this talk is in examining the difficulties that appear while trying to expose vulnerability and how to do a black-box interaction to automatically construct an exploit.

<br> '''Praticas e ferramentas fundamentais para o desenvolvimento de software seguro (''Tools and Practices for Secure Software Development'')'''

''Cassio Goldschmidt'', Symantec

Implementing a security program for the whole application life cycle can be a daunting and costly task. So, in the development of this talk, we will demonstrate how it is possible to lessen the risk of this program, using high quality resource freely available on the Internet and studying the practices considered fundamental by SAFECode members (EMC, Juniper, Microsoft, Nokia, SAP, symantec).

<br> '''Abordagem Preventiva para Teste de Segurança em Aplicações Web (''Preventive Approach for Web Application Security Testing'')'''

''Luiz Otávio Duarte, Ferrucio de Franco Rosa, Walcir M. Cardoso Jr.'', CTI/MCT

The objetive of this lecture is to present the approach used by CTI (Renato Archer Information Technology Center, institution under the Brazilian Ministry of Science and Technology) for security testing of web applications. The presentation is organized as follows: First, an introduction will be presented, including important concepts, motivation, statistics and most critical vulnerabilities nowadays.

Later will be shown techniques for software testing and techniques for software security testing. Then we show the approach used by CTI to security testing web application such as inspection of source code, use of regular expressions and vulnerability detection techniques. A pratical demonstration will be presented after the approach overview.

The presentation will be finalized with conclusions and recommendations of best practices for security testing web applications.

<br> '''ModSecurity: Firewall OpenSource para Aplicações Web (WAF) (''ModSecurity, Open Source Web Application Firewall'')'''

''Klaubert Herr da Silveira''

With the growing complexity and importance of web applications, short development schedule, new attack techniques and the lack of attention and/or focus of developer with security, regulations and the seek for best practices, is necessary add a new layer of security to web applications, the "web applications firewalls" or WAF's. This talk will show the concepts of WAF, specially of ModSecurity, open source web application firewall, a powerful and complex tool, designed to understand and protect the web applications of many types, Will be presented their functionalities, and how it can help the day-by-day of a web site, for monitoring, protection or even as a troubleshooting tool for web application.

<br> '''Programação Segura utilizando Análise Estática (''Secure Programming with Static Analysis'')'''

''Philippe Sevestre'', LeadComm

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.

<br>

==== Training Sessions ====

'''Risk Management Applied to Web Services'''

''José Eduardo Malta de Sá Brandão'', IPEA

<span style="color: rgb(255, 0, 0);">This course will be in Portuguese only.</span>

Date: Oct 27<br> Time: Morning

This training will present the risk management discipline regarding web services. The course focus will show concepts and systematize this discipline, exemplifying with a case study to reinforce the utility and need of using these methodology to understand and develop web services. The course should provide its students the knowledge to develop their own risk management projects. The presentation will show concepts, models and compare the main standards related to security risk management.

<br> '''Web Security: Techniques for Secure Application Programming'''

''André Ricardo Abed Grégio e Vitor Monte Afonso'', CTI/MCT, ''Paulo Licio de Geus'', IC/UNICAMP

<span style="color: rgb(255, 0, 0);">This course will be in Portuguese only.</span>

Date: Oct 28<br> Time: afternoon

This course aims to present the principles and techniques of secure programming, specially web application programming, showing fundamental concepts and detailing the vulnerabilities which could be explored and focusing on the methods to mitigate those faults. We will present some examples of how some OWASP Top Ten vulnerabilities can be corrected in different programming languages, with code vulnerable snippets from code reviews conducted by the training authors. Some tools for detecting attacks and web application vulnerability testing will be presented.

<br> '''Computational Security in Web Service Development'''

''Júlio Cesar Estrella et al'', ICMC/USP

<span style="color: rgb(255, 0, 0);">This course will be in Portuguese only.</span>

Date: Oct 28<br> Time: all day

This training session will present the development of distributed applications using the concept of SOA and considering its computational security. For the development of the client and server applications, we will use the Apache Axis2 engine. The basic components of Axis2 will be presented, as well as the web service invocation types and models, and their main characteristics. Two web service security standards will be seen in the context of the Apache Axis2 engine: WS-Security and SAML. The methodology used for this training session includes theory and practice, touching the fundamental concepts of the Axis2 engine and the construction of real applications with focus on security.

<br> '''Security Technologies in Web Services'''

''Eduardo Takeo Ueda e Wilson Vicente Ruggiero'', Poli/USP

<span style="color: rgb(255, 0, 0);">This course will be in Portuguese only.</span>

Data: Oct 28<br> Time: morning

Due to their integration characteristics and because they use open standards, web services have become an area of great interest to academics and industry. Firstly, we will introduce the basic concepts of a service oriented architecture, so the training can be self sufficient. After, we will present the main security standards and specifications in development and which must be adopted for web services. Lastly, the training ends with an exposition of the current challenges in web service security.

<br> '''Hands on Web Application Testing using the OWASP Testing Guide.'''

''Matt Tesauro'', OWASP

Date: Oct 27 and 28 (2 days)<br> Time: all day

The training will cover the critical areas of web application testing using the OWASP Testing Guide v3 as the framework for testing an application and the OWASP Live CD for the tools to test with. A custom version of the OWASP Live CD will be created for the training. It will include a self-contained testing environment providing vulnerable applications so that both tools and the applications to test them on are provided.

<span style="color: rgb(255, 0, 0);">This course requires a laptop for the hands-on activities. Each student should bring its own laptop.</span>

==== Venue ====

[[Image:CongressoNacional.jpg|The Palácio do Congresso building]]

The event will be held in Brasília, Brazil's Capital at: Câmara dos Deputados, Anexo II, Praça dos Três Poderes.

You can check the location at [http://maps.google.com/maps?f=q&source=s_q&hl=pt-BR&geocode=&q=anexo+II,+camara+dos+deputados,+brasilia&sll=37.0625,-95.677068&sspn=43.934478,79.101563&ie=UTF8&t=h&ll=-15.800058,-47.865822&spn=0.01309,0.019312&z=16 Google Maps]

'''Training Sessions'''

All training sessions will happen in the Deputy Chamber Cororate University (CEFOR), which is located at the following address:

Centro de Formação, Treinamento e Aperfeiçoamente da Câmara dos Deputados, via N3, Projeção L, Setor de Garagens Ministeriais Norte, Complexo Avançado da Câmara dos Deputados, Bloco B.

Check its location on [http://maps.google.com.br/maps/ms?ie=UTF8&hl=pt-BR&msa=0&ll=-15.793895,-47.864009&spn=0.005017,0.006866&t=h&z=17&msid=106468407154665154285.0004577c477849eda80f3 this map].

''How to get there''

We are trying to provided a transfer from somewhere in the ''Esplanada dos Ministérios'', which is accessible by bus. Any new information on this will be posted in this page.

To go by taxi, show the map to the driver. It is improbable tha any taxi driver will be able to get you to the training sessions location just by reading is address. With the map, arriving to the location is quite easy and fast from any downtown location.

We strongly recommend against getting to the trainings in your own car, as it is very difficult to find unused parking slots in this part of town.

==== Registration ====

'''Registration and Conference Fees'''

There will be no fees for this conference, only '''registration''' is required to participate. The registration form can be found [http://www2.camara.gov.br/eventos/appsec-brasil-2009-confer.-inter.-de-seguranca-de/inscricao here].

The training session registration form can be found [https://creator.zoho.com/lucas.ferreira/appsec-mini-cursos/ here]

==== Committees ====

'''Conference Committee'''

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

2009 AppSec Brasil Program Committee (appsec.brasil@camara.gov.br):

*Conference Chair: Lucas C. Ferreira (lucas.ferreira at owasp.org)
*Tutorials Organization: Eduardo V. C. Neves (eduardo.neves at owasp.org)
*Tracks Organization: Wagner Elias (wagner.elias at owasp.org)

Organization Team

*Cassio Goldschmidt (cassio 'at' owasp.org)
*Kuai Hinojosa (kuai.hinojosa 'at' owasp.org)
*Leonardo Cavallari - (leo.cavallari 'at' owasp.org)
*Thiago Lechuga (thiagoalz 'at' gmail.com)
*Dinis Cruz (dinis.cruz 'at' owasp.org)

<br>

==== Links and other information ====

Event page on LinkedIn: http://events.linkedin.com/OWASP-AppSec-Brasil/pub/65160

==== FAQ ====

'''Q. Who is promoting the conference?'''

A. This conference is being supported and organized by the [http://www.ticontrole.gov.br TI-Controle Community] and the [http://www.camara.gov.br Deputy Chamber], with the contents (presentations, keynotes, training, etc) selected by the OWASP [[Brazilian]] Chapter.

'''Q. What will it cost?'''

A. Nothing. Thanks to its sponsor, the conference will be free of charge. However we have limited seats, so please register early.

<br> '''''Call For Papers'''''

'''Q. What is the Open Web Application Security Project (OWASP)?'''

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work with your support.

'''Q. How many speaking slots are there?'''

Please see the Conference Agenda in its [http://www.owasp.org/index.php/AppSec_Brasil_2009 main page].

'''Q. What are the submission deadlines?'''

The CFP submission deadline is July 11th, with the final version of the presentation material due September 15th 2009.

'''Q: Who is allowed to submit presentations?'''

A: Original authors may submit presentations for consideration. Third party representatives such as PR firms or Speaker Representatives MAY NOT submit materials on behalf of a potential speaker.

'''Q: Why aren't Third Parties such as PR Firms allowed to submit presentations?'''

A: Due to potential copyright and intellectual property liability issues as well as the need for OWASP to have direct contact with potential and selected presenters to expedite selection and deliverable materials, we require that only original authors of presentations submit for the Call for Papers. Third party representatives such as PR firms or Speaker Representatives MAY NOT submit materials on behalf of a potential speaker.

'''Q: Are there any restrictions on the content of the presentations?'''

A: Yes, all presentations must respect the rules defined in the OWASP [[Speaker Agreement]].

'''Q: How long will I have to wait before I am notified if I have been accepted or denied?'''

A: Submitters will be notified of the status (acceptance or denial) on August 7th 2009.

'''Q. Is there an honorarium for presenters?'''

No. OWASP is committed to making its conferences available to the widest possible audience. In order to do this OWASP keeps the entrance free for the AppSec Brazil 2009 to make the conference accessible. As a result we are unable to provide a monetary honorarium but we welcome our speakers as our guests to the conference where they can network with other security professionals. We will provide lodging and domestic air travel for one presenter for each selected work.

'''Q: I have been accepted. What are the materials that I have to turn in and what are the deadlines?'''

A: The following is a list of materials that are required from each accepted presentation. Failure to proceed these materials by the deadlines set forth for the event the presentation was accepted for will result in cancellation of acceptance.

*A confirmed [[Speaker Agreement|Speaker Agreement]] (July 15th 2009)
*Presentation in PowerPoint or Keynote format using the [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template] (September 15th 2009)
*Detailed Bibliography of resources, co-authors, etc. (September 15th 2009)
*Optional White Paper for inclusion on CD (September 15th 2009)

'''Q: Do I have to submit a White Paper?'''

A: No. We would certainly appreciate any White Papers that can be included on the conference web site but they are not required. If you have written an existing white paper to go along with your presentation, please submit it with your CFP submission. Submissions with attached White Papers will receive additional consideration.

'''Q: What if I have a co-author who is not presenting. How do I cite the person(s)?'''

A: All co-authors and works that have been used should be cited in a detailed bibliography that will be published on the Conference CD.

'''Q: I have been accepted and would like to add co-presenters. Can I still do this?'''

A: No. Co-presenters should have been added at the time that the Presentation was submitted. They may attend the conference and present if they register as any other participant.

'''Q: My PR company/friends/co-workers/family would like to come see me give my presentation. Will they be allowed in for free?'''

A: Yes, but they need to register on the conference web site as any other conference participant.

'''Q. I have more questions'''

A: Email appsec.brasil@camara.gov.br concerning this event.

<br> __NOTOC__ <headertabs />

[[Category:OWASP_AppSec_Conference]]

AppSec Brasil 2009

2009-10-24T16:29:54Z

Camargoneves: /* Conference Dates */

__NOTOC__

'''Para a versão em português, veja em [[AppSec Brasil 2009 (pt-br)]]'''

= International Conference on Application Security =

[http://www.ticontrole.gov.br TI-Controle] and the Computing Centre of the [http://www.camara.gov.br Deputy Chamber] present the '''First International Conference on Application Security''' that will happen in [http://en.wikipedia.org/wiki/Brasília Brasilia, Capital of Brazil] with the support of OWASP [[Brazilian]] Chapter. The Conference consists of two days of training sessions, followed by a two-day conference on a single track. [[Image:Brasilia Panorama.jpg]]

=== Conference Dates ===

The conference will happen from October 27th, 2009 to October 30th, 2009. The first two days will be tutorial days (see below). Plenary sessions will be held on October 29th and 30th.

<br>

==== Sponsorship ====

This conference is promoted by [http://www.ticontrole.gov.br TI-Controle] Community and organized by Computing Centre of [http://www.camara.gov.br/ Brazilian Deputy Chamber].

The conference is supported by OWASP [[Brazilian|Brazilian Chapter]], as content provider (talks selection, trainings and schedule grid).

The conference is supported by the [http://www.unb.br University of Brasilia] (UnB) [[Image:Unb.gif|60px]]

The conference is sponsored by [http://www.conviso.com.br Conviso IT Security] [[File:CorVersao_BR_Small.jpg|200px|thumb|left|alt text]]

==== Keynotes ====

[[Image:GaryMcGraw.JPG|left|60px]] '''Gary McGraw'''

CTO, [http://www.cigital.com Cigital]

''Title:'' '''The Building Security In Maturity Model (BSIMM)'''

''Bio:'' Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Java Security, Building Secure Software, Exploiting Software, Software Security, and Exploiting Online Games; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors, produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT), and produces the Reality Check Security Podcast for CSO Online.

<br>

'''Jason Li'''

[http://www.aspectsecurity.com Aspect Security]

''Title:'' '''Agile and Secure: Can We Do Both?'''

Co-author: '''Jerry Hoff''', Aspect Security

''Bio:'' Jason Li is a Senior Application Security Engineer at Aspect Security. Jason has led security architecture reviews, application security code reviews, penetration tests and provided web application security training services for a variety of commercial, financial, and government customers. He is also actively involved in the Open Web Application Security Project (OWASP), serving on the OWASP Global Projects Committee and as a co-author of the OWASP AntiSamy Project (Java version). Jason earned his Post-Master's degree in Computer Science with a concentration in Information Assurance from Johns Hopkins University. He earned his Master's degree in Computer Science from Cornell University, where he also earned his Bachelor's degree, double majoring in Computer Science and Operations Research.

Jerry Hoff is a Senior Application Security Engineer at Aspect Security. Jerry has led and performed numerous application security code reviews for clients across multiple industries. Jerry also provides training services for clients, and has over 10 years teaching and development experience. Jerry is also involved in the Open Web Application Security Project (OWASP) and was the lead developer of AntiSamy.net project. He has a master's degree in Computer Science from Washington University in St. Louis.

<br>

'''Dinis Cruz'''

OWASP Board

''Title:'' '''To be defined'''

''Bio:'' Coming Soon.

<br>

'''Kuai Hinojosa'''

OWASP

''Title:'' '''Deploying Secure Web Applications with OWASP Resources'''

''Bio:'' Kuai Hinojosa has been developing and securing web applications for about 12 years. He previously worked in the banking industry as a database security administrator for the 5th largest bank in the U.S. where he worked in a small team developing applications that protected company's assets. He now works for New York University as a Web Applications Specialist where he continues to use web application development and application security experience to protect university resources. In his spare time Kuai volunteers his time preaching the application security gospel and leading the Minneapolis OWASP chapter. Kuai is a member of the OWASP (Open Web Application Security Project) Global Education Committee.

==== Agenda ====

'''Conference Program - Day 1 - October 29th 2009 '''
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''
|-
| width="14%" height="17" align="right" | 09:00 - 10:00
| bgcolor="#eeeeee" align="CENTER" | '''Opening Ceremony'''
|-
| width="14%" height="49" align="right" | 10:00 - 10:30
| bgcolor="#b9c2dc" align="CENTER" | '''Dinis Cruz<br>''' What is OWASP?
|-
| width="14%" height="32" align="right" | 10:30 - 12:30
| bgcolor="#eeeeee" align="CENTER" | '''Gary McGraw (Cigital)<br>''' The Building Security In Maturity Model (BSIMM)
|-
| width="14%" height="17" align="right" | 12:30 - 14:00
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''
|-
| width="14%" height="47" align="right" | 14:00 - 14:50
| bgcolor="#b9c2dc" align="CENTER" | '''Dinis Cruz<br>''' OWASP Project Tour
|-
| width="14%" height="32" align="right" | 14:50 - 15:40
| bgcolor="#eeeeee" align="CENTER" | '''Thomas Schreiber<br>''' The Logic and Semantic Layer of Web Application Security
|-
| width="14%" height="17" align="right" | 15:40 - 16:00
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 16:00 - 16:50
| bgcolor="#b9c2dc" align="CENTER" | '''Brian Contos<br>''' Making a Case for Data Security to Network-Centric Peers and Managers and Leveraging Web Application Firewalls (WAF) and Database Activity Monitoring (DAM) to Augment Secure Coding & Review Practices
|-
| width="14%" height="32" align="right" | 16:50 - 17:40
| bgcolor="#eeeeee" align="CENTER" | '''Matt Tesauro<br>''' OWASP ROI: Optimize Security Spending using OWASP
|-
| width="14%" height="47" align="right" | 17:40 - 18300
| bgcolor="#b9c2dc" align="CENTER" | '''Pravir Chandra <br>''' Software Assurance Maturity Model (SAMM)
|-
| width="14%" height="17" align="right" | 18:30 - 18:35
| bgcolor="#cccccc" align="CENTER" | '''End of the First Day Program'''
|}
</center>
<br>

<br> '''Conference Program - Day 2 - October 30th 2009'''
<center>
{| width="80%" class="t"
|-
| width="14%" height="17" align="right" | 08:30 - 09:00
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''
|-
| width="14%" height="32" align="right" | 09:00 - 10:30
| bgcolor="#b9c2dc" align="CENTER" | '''Jason Li e Jerry Hoff (Aspect Security) '''<br> Agile and Secure - Can we do both?
|-
| width="14%" height="17" align="right" | 10:30 - 10:50
| bgcolor="#d98b66" align="CENTER" | '''Break'''
|-
| width="14%" height="47" align="right" | 10:30 - 11:40
| bgcolor="#eeeeee" align="CENTER" | '''Cassio Goldschmidt'''<br> Praticas e ferramentas fundamentais para o desenvolvimento de software seguro <br> (''Tools and Practices for Secure Software Development'')
|-
| width="14%" height="32" align="right" | 11:40 - 12:30
| bgcolor="#b9c2dc" align="CENTER" | '''Luiz Otávio Duarte'''<br> Abordagem Preventiva para Teste de Segurança em Aplicações Web <br> (''Preventive Approach for Web Application Security Testing'')
|-
| width="14%" height="17" align="right" | 12:30 - 14:00
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''
|-
| width="14%" height="32" align="right" | 14:00 - 15:10
| bgcolor="#eeeeee" align="CENTER" | '''Kuai Hinojosa (NY University)'''<br> Deploying Secure Web Applications with OWASP Resources
|-
| width="14%" height="32" align="right" | 15:10 - 16:00
| bgcolor="#b9c2dc" align="CENTER" | '''Sebastian Cufre'''<br> Automated SQL Ownage Techniques

|-
| width="14%" height="17" align="right" | 16:00 - 16:20
| bgcolor="#d98b66" align="CENTER" | '''Break'''

|-
| width="14%" height="32" align="right" | 16:20 - 17:10
| bgcolor="#eeeeee" align="CENTER" | '''Klaubert Herr da Silveira'''<br> ModSecurity: Firewall OpenSource para Aplicações Web (WAF) <br> (''ModSecurity, Open Source Web Application Firewall'')
|-
| width="14%" height="32" align="right" | 17:10 - 18:00
| bgcolor="#b9c2dc" align="CENTER" | '''Philippe Sevestre'''<br> Programação Segura utilizando Análise Estática <br> (''Secure Programming with Static Analysis'')
|-
| width="14%" height="17" align="right" | 18:00 - 18:30
| bgcolor="#cccccc" align="CENTER" | '''End of the Conference'''
|}
</center>

==== Presentation Abstracts ====

'''The Building Security In Maturity Model (BSIMM)'''

''Gary McGraw'', Cigital

As a discipline, software security has made great progress over the last decade. There are now at least 34 large scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008, Brian Chess, Sammy Migues and I interviewed the executives running nine initiatives using the twelve practices of the Software Security Framework as our guide. Those companies among the nine who graciously agreed to be identified include: Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The resulting data, drawn from real programs at different levels of maturity was used to guide the construction of the Building Security In Maturity Model (BSIMM). This talk will describe the observation-based maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works ---people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large scale software security initiatives share common ideas and approaches. Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. Use the BSIMM as a yardstick to determine where you stand and what kind of software security plan will work best for you.

<br> '''Agile and Secure: Can We Do Both?'''

''Jason Li and Jerry Hoff'', Aspect Security

Agile is taking the software development world by storm, but security has been slow to adapt. What can we learn from the Agile movement? Is it possible to achieve security and remain Agile? Jason and Jerry will share Aspect Security's experiences working with Agile teams to gain assurance and save money. They'll compare and contrast traditional waterfall and agile processes and show how we can achieve assurance and security while remaining true to Agile principles.

<br> '''Deploying Secure Web Applications with OWASP Resources'''

''Kuai Hinojosa'', NY University and OWASP

Universities are key to making application security visible and the need to educate software developers about application security as an aspect of proper software development has never been more important. In this presentation I will share how OWASP resources can be used by universities to develop, test and deploy secure web applications. I will discuss challenges that Universities currently face integrating a pplication security best practices, describe how OWASP tools and resources are currently used at New York University to test for most common web application flaws. I will introduce projects such as the OWASP Enterprise Security API which can be used to mitigate most common flaws in web applications and share initiatives the OWASP Global Education Committee is currently working on. If you are interested in securing web applications, and supporting the OWASP Global Education Committee efforts you don't want to miss this!

<br> '''What is OWASP'''

''Dinis Cruz'', OWASP

TBD.

<br> '''OWASP Project Tour'''

''Dinis Cruz'', OWASP

TBD.

<br> '''The Logic and Semantic Layer of Web Application Security'''

''Thomas Schreiber'', SecureNet

Testing Web Application Security mostly focusses on technical weaknesses only. But there is a huge field of potential weaknesses above the server layer and beyond the implementational aspects. Even if a web application is totally free from security bugs in code and system, it may still be vulnerable to dangerous threats. It is the kind how the business logic is mapped onto software, that gives an attacker a starting point for his bad intents. The presentation shows, illustrated with various real examples, how a clever hacker may reveal sensitive data - including credit card data -, enter into user accounts or conduct a denial-of-service on the whole infrastructure - not only the server - by attacking the logical and semantical layers. The presentation also gives hints on how to avoid these pitfalls.

<br> '''Making a Case for Data Security to Network-Centric Peers and Managers and Leveraging Web Application Firewalls (WAF) and Database Activity Monitoring (DAM) to Augment Secure Coding & Review Practices'''

''Brian Contos'', Imperva

Information system security has changed. The days of being focused on network security measures, operating system vulnerabilities, and open ports, while still important, is no longer the main concern for most organizations. Today, the attackers – organized crime, competitors, nation-states, and malicious insiders are going after the assets that process and store data: applications and databases. The criminals are already fighting the fight on this front. In response, organizations are deploying new defenses - adopting application and data security countermeasures that allow them to protect, monitor and respond to nefarious activity.

<br> '''OWASP ROI: Optimize Security Spending using OWASP'''

''Matt Tesauro''

Considering the current economic times, security spending is tighter than ever. This presentation will cover the Open Web Application Security Project (OWASP) projects and how they can improve your application security posture in a budgetfriendly way. OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. The OWASP Foundation is a notforprofit entity and provides unbiased, practical, costeffective information about application security. Projects covered include the OWASP Top 10, OWASP Testing Guide, OpenSAMM Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Application Security Desk Reference (ASDR) and others. A case study of a specific company's success with implementing OWASP methodologies and tools will also be provided. In this case study, the company realized a saving of nearly $400,000 in year one.

<br> '''Software Assurance Maturity Model (SAMM)'''

''Pravir Chandra'', Fortify

The Software Assurance Maturity Model (SAMM) (http://www.opensamm.org) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. SAMM is an open a free project and has recently been added under the Open Web Application Security Project (OWASP).

<br> '''Automated SQL Ownage Techniques'''

''Sebastian Cufre'', Core Security

This talk is about web application security assessment. In particular, in this talk we set to improve the assessment process for SQL injection vulnerabilities by providing the means to discard exogenous "false positive" alarms and confirm exploitable vulnerabilities.

We propose a black-box technique to detect and exploit SQL injection vulnerabilities. The exploitation provides an interface to execute arbitrary SQL code through them. Therefore, we are able to thoroughly assess the impact of the vulnerability (e.g., understand what a hacker can do).

The core of this talk is in examining the difficulties that appear while trying to expose vulnerability and how to do a black-box interaction to automatically construct an exploit.

<br> '''Praticas e ferramentas fundamentais para o desenvolvimento de software seguro (''Tools and Practices for Secure Software Development'')'''

''Cassio Goldschmidt'', Symantec

Implementing a security program for the whole application life cycle can be a daunting and costly task. So, in the development of this talk, we will demonstrate how it is possible to lessen the risk of this program, using high quality resource freely available on the Internet and studying the practices considered fundamental by SAFECode members (EMC, Juniper, Microsoft, Nokia, SAP, symantec).

<br> '''Abordagem Preventiva para Teste de Segurança em Aplicações Web (''Preventive Approach for Web Application Security Testing'')'''

''Luiz Otávio Duarte, Ferrucio de Franco Rosa, Walcir M. Cardoso Jr.'', CTI/MCT

The objetive of this lecture is to present the approach used by CTI (Renato Archer Information Technology Center, institution under the Brazilian Ministry of Science and Technology) for security testing of web applications. The presentation is organized as follows: First, an introduction will be presented, including important concepts, motivation, statistics and most critical vulnerabilities nowadays.

Later will be shown techniques for software testing and techniques for software security testing. Then we show the approach used by CTI to security testing web application such as inspection of source code, use of regular expressions and vulnerability detection techniques. A pratical demonstration will be presented after the approach overview.

The presentation will be finalized with conclusions and recommendations of best practices for security testing web applications.

<br> '''ModSecurity: Firewall OpenSource para Aplicações Web (WAF) (''ModSecurity, Open Source Web Application Firewall'')'''

''Klaubert Herr da Silveira''

With the growing complexity and importance of web applications, short development schedule, new attack techniques and the lack of attention and/or focus of developer with security, regulations and the seek for best practices, is necessary add a new layer of security to web applications, the "web applications firewalls" or WAF's. This talk will show the concepts of WAF, specially of ModSecurity, open source web application firewall, a powerful and complex tool, designed to understand and protect the web applications of many types, Will be presented their functionalities, and how it can help the day-by-day of a web site, for monitoring, protection or even as a troubleshooting tool for web application.

<br> '''Programação Segura utilizando Análise Estática (''Secure Programming with Static Analysis'')'''

''Philippe Sevestre'', LeadComm

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.

<br>

==== Training Sessions ====

'''Risk Management Applied to Web Services'''

''José Eduardo Malta de Sá Brandão'', IPEA

<span style="color: rgb(255, 0, 0);">This course will be in Portuguese only.</span>

Date: Oct 27<br> Time: Morning

This training will present the risk management discipline regarding web services. The course focus will show concepts and systematize this discipline, exemplifying with a case study to reinforce the utility and need of using these methodology to understand and develop web services. The course should provide its students the knowledge to develop their own risk management projects. The presentation will show concepts, models and compare the main standards related to security risk management.

<br> '''Web Security: Techniques for Secure Application Programming'''

''André Ricardo Abed Grégio e Vitor Monte Afonso'', CTI/MCT, ''Paulo Licio de Geus'', IC/UNICAMP

<span style="color: rgb(255, 0, 0);">This course will be in Portuguese only.</span>

Date: Oct 28<br> Time: afternoon

This course aims to present the principles and techniques of secure programming, specially web application programming, showing fundamental concepts and detailing the vulnerabilities which could be explored and focusing on the methods to mitigate those faults. We will present some examples of how some OWASP Top Ten vulnerabilities can be corrected in different programming languages, with code vulnerable snippets from code reviews conducted by the training authors. Some tools for detecting attacks and web application vulnerability testing will be presented.

<br> '''Computational Security in Web Service Development'''

''Júlio Cesar Estrella et al'', ICMC/USP

<span style="color: rgb(255, 0, 0);">This course will be in Portuguese only.</span>

Date: Oct 28<br> Time: all day

This training session will present the development of distributed applications using the concept of SOA and considering its computational security. For the development of the client and server applications, we will use the Apache Axis2 engine. The basic components of Axis2 will be presented, as well as the web service invocation types and models, and their main characteristics. Two web service security standards will be seen in the context of the Apache Axis2 engine: WS-Security and SAML. The methodology used for this training session includes theory and practice, touching the fundamental concepts of the Axis2 engine and the construction of real applications with focus on security.

<br> '''Security Technologies in Web Services'''

''Eduardo Takeo Ueda e Wilson Vicente Ruggiero'', Poli/USP

<span style="color: rgb(255, 0, 0);">This course will be in Portuguese only.</span>

Data: Oct 28<br> Time: morning

Due to their integration characteristics and because they use open standards, web services have become an area of great interest to academics and industry. Firstly, we will introduce the basic concepts of a service oriented architecture, so the training can be self sufficient. After, we will present the main security standards and specifications in development and which must be adopted for web services. Lastly, the training ends with an exposition of the current challenges in web service security.

<br> '''Hands on Web Application Testing using the OWASP Testing Guide.'''

''Matt Tesauro'', OWASP

Date: Oct 27 and 28 (2 days)<br> Time: all day

The training will cover the critical areas of web application testing using the OWASP Testing Guide v3 as the framework for testing an application and the OWASP Live CD for the tools to test with. A custom version of the OWASP Live CD will be created for the training. It will include a self-contained testing environment providing vulnerable applications so that both tools and the applications to test them on are provided.

<span style="color: rgb(255, 0, 0);">This course requires a laptop for the hands-on activities. Each student should bring its own laptop.</span>

==== Venue ====

[[Image:CongressoNacional.jpg|The Palácio do Congresso building]]

The event will be held in Brasília, Brazil's Capital at: Câmara dos Deputados, Anexo II, Praça dos Três Poderes.

You can check the location at [http://maps.google.com/maps?f=q&source=s_q&hl=pt-BR&geocode=&q=anexo+II,+camara+dos+deputados,+brasilia&sll=37.0625,-95.677068&sspn=43.934478,79.101563&ie=UTF8&t=h&ll=-15.800058,-47.865822&spn=0.01309,0.019312&z=16 Google Maps]

'''Training Sessions'''

All training sessions will happen in the Deputy Chamber Cororate University (CEFOR), which is located at the following address:

Centro de Formação, Treinamento e Aperfeiçoamente da Câmara dos Deputados, via N3, Projeção L, Setor de Garagens Ministeriais Norte, Complexo Avançado da Câmara dos Deputados, Bloco B.

Check its location on [http://maps.google.com.br/maps/ms?ie=UTF8&hl=pt-BR&msa=0&ll=-15.793895,-47.864009&spn=0.005017,0.006866&t=h&z=17&msid=106468407154665154285.0004577c477849eda80f3 this map].

''How to get there''

We are trying to provided a transfer from somewhere in the ''Esplanada dos Ministérios'', which is accessible by bus. Any new information on this will be posted in this page.

To go by taxi, show the map to the driver. It is improbable tha any taxi driver will be able to get you to the training sessions location just by reading is address. With the map, arriving to the location is quite easy and fast from any downtown location.

We strongly recommend against getting to the trainings in your own car, as it is very difficult to find unused parking slots in this part of town.

==== Registration ====

'''Registration and Conference Fees'''

There will be no fees for this conference, only '''registration''' is required to participate. The registration form can be found [http://www2.camara.gov.br/eventos/appsec-brasil-2009-confer.-inter.-de-seguranca-de/inscricao here].

The training session registration form can be found [https://creator.zoho.com/lucas.ferreira/appsec-mini-cursos/ here]

==== Committees ====

'''Conference Committee'''

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

2009 AppSec Brasil Program Committee (appsec.brasil@camara.gov.br):

*Conference Chair: Lucas C. Ferreira (lucas.ferreira at owasp.org)
*Tutorials Organization: Eduardo V. C. Neves (eduardo.neves at owasp.org)
*Tracks Organization: Wagner Elias (wagner.elias at owasp.org)

Organization Team

*Cassio Goldschmidt (cassio 'at' owasp.org)
*Kuai Hinojosa (kuai.hinojosa 'at' owasp.org)
*Leonardo Cavallari - (leo.cavallari 'at' owasp.org)
*Thiago Lechuga (thiagoalz 'at' gmail.com)
*Dinis Cruz (dinis.cruz 'at' owasp.org)

<br>

==== Links and other information ====

Event page on LinkedIn: http://events.linkedin.com/OWASP-AppSec-Brasil/pub/65160

==== FAQ ====

'''Q. Who is promoting the conference?'''

A. This conference is being supported and organized by the [http://www.ticontrole.gov.br TI-Controle Community] and the [http://www.camara.gov.br Deputy Chamber], with the contents (presentations, keynotes, training, etc) selected by the OWASP [[Brazilian]] Chapter.

'''Q. What will it cost?'''

A. Nothing. Thanks to its sponsor, the conference will be free of charge. However we have limited seats, so please register early.

<br> '''''Call For Papers'''''

'''Q. What is the Open Web Application Security Project (OWASP)?'''

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work with your support.

'''Q. How many speaking slots are there?'''

Please see the Conference Agenda in its [http://www.owasp.org/index.php/AppSec_Brasil_2009 main page].

'''Q. What are the submission deadlines?'''

The CFP submission deadline is July 11th, with the final version of the presentation material due September 15th 2009.

'''Q: Who is allowed to submit presentations?'''

A: Original authors may submit presentations for consideration. Third party representatives such as PR firms or Speaker Representatives MAY NOT submit materials on behalf of a potential speaker.

'''Q: Why aren't Third Parties such as PR Firms allowed to submit presentations?'''

A: Due to potential copyright and intellectual property liability issues as well as the need for OWASP to have direct contact with potential and selected presenters to expedite selection and deliverable materials, we require that only original authors of presentations submit for the Call for Papers. Third party representatives such as PR firms or Speaker Representatives MAY NOT submit materials on behalf of a potential speaker.

'''Q: Are there any restrictions on the content of the presentations?'''

A: Yes, all presentations must respect the rules defined in the OWASP [[Speaker Agreement]].

'''Q: How long will I have to wait before I am notified if I have been accepted or denied?'''

A: Submitters will be notified of the status (acceptance or denial) on August 7th 2009.

'''Q. Is there an honorarium for presenters?'''

No. OWASP is committed to making its conferences available to the widest possible audience. In order to do this OWASP keeps the entrance free for the AppSec Brazil 2009 to make the conference accessible. As a result we are unable to provide a monetary honorarium but we welcome our speakers as our guests to the conference where they can network with other security professionals. We will provide lodging and domestic air travel for one presenter for each selected work.

'''Q: I have been accepted. What are the materials that I have to turn in and what are the deadlines?'''

A: The following is a list of materials that are required from each accepted presentation. Failure to proceed these materials by the deadlines set forth for the event the presentation was accepted for will result in cancellation of acceptance.

*A confirmed [[Speaker Agreement|Speaker Agreement]] (July 15th 2009)
*Presentation in PowerPoint or Keynote format using the [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template] (September 15th 2009)
*Detailed Bibliography of resources, co-authors, etc. (September 15th 2009)
*Optional White Paper for inclusion on CD (September 15th 2009)

'''Q: Do I have to submit a White Paper?'''

A: No. We would certainly appreciate any White Papers that can be included on the conference web site but they are not required. If you have written an existing white paper to go along with your presentation, please submit it with your CFP submission. Submissions with attached White Papers will receive additional consideration.

'''Q: What if I have a co-author who is not presenting. How do I cite the person(s)?'''

A: All co-authors and works that have been used should be cited in a detailed bibliography that will be published on the Conference CD.

'''Q: I have been accepted and would like to add co-presenters. Can I still do this?'''

A: No. Co-presenters should have been added at the time that the Presentation was submitted. They may attend the conference and present if they register as any other participant.

'''Q: My PR company/friends/co-workers/family would like to come see me give my presentation. Will they be allowed in for free?'''

A: Yes, but they need to register on the conference web site as any other conference participant.

'''Q. I have more questions'''

A: Email appsec.brasil@camara.gov.br concerning this event.

<br> __NOTOC__ <headertabs />

[[Category:OWASP_AppSec_Conference]]

File:CorVersao BR Small.jpg

2009-10-24T16:28:36Z

Camargoneves: uploaded a new version of "File:CorVersao BR Small.jpg"

2009-04-08T20:27:36Z

Camargoneves: uploaded a new version of "Image:CongressoNacional.jpg"

File:CongressoNacional.jpg

2009-04-08T20:26:26Z

Camargoneves:

AppSec Brasil 2009

2009-04-08T20:10:26Z

Camargoneves: /* Conference Schedule */

Welcome to the [http://en.wikipedia.org/wiki/Community_of_Portuguese_Language_Countries Community of Portuguese Language Countries (CPLP, in Portuguese)] OWASP Application Security Conference! After successful OWASP Conferences in the United States and Europe, we are now in Brazil in October 2009!

==About the CPLP==

'''From Wikipedia:'''
The Community of Portuguese Language Countries (Portuguese: Comunidade dos Países de Língua Portuguesa, pron. IPA: [kumuni'dad(ɨ) duʃ pɐ'izɨʒ dɨ 'lĩgwɐ puɾtu'gezɐ] (EP), IPA: [komuni'dadʒi dus pa'iziz dʒi 'lĩgwa poɾtu'gezɐ] (BP); abbreviated to CPLP) is the intergovernmental organization for friendship among lusophone (Portuguese-speaking) nations where Portuguese is an official language. The Portuguese-speaking countries are home to more than 223 million people located across the globe. The CPLP nations have a combined area of about 10,772,000 square kilometres (4,159,000 sq mi).

'''Why CPLP?'''

We understand that an event in Brazil will fit well to invite members from all the OWASP Chapters within Latin America, where the main language is Spanish with French, English and even Dutch, German and Russian in some regions. However, we want to make an event were our colleagues from Portugal and all African Nations were Portuguese is the main language can share and learn about Application Security.

In October, OWASP will hold the first CPLP Application Security conference at [http://en.wikipedia.org/wiki/Brasília Brasilia, Capital of Brazil]. The Conference consists of two days of training sessions, followed by a two-day conference on a single track.

==Conference Location==

'''Brasília, Brazil.'''

==Call for Presentations / Research Papers==

To be defined

==Call for Training Provider==

To be defined

==Agenda and Presentations ==

===Conference Schedule - Day 1 ===

<center>
<table width="80%" class="t">
<tr>
<td width="7%" class="tcell3" valign="top"><div align="right">08:30</div></td>
<td colspan="2" bgcolor="#8595C2" class="tcell3"><center>
<strong> Registration </strong>
</center></td>
</tr>
<tr>

<td class="tcell2" valign="top"><div align="right">09:00</div></td>
<td colspan="2" bgcolor="#eeeeee" class="tcell"><div align="center"><b>Welcome/Introduction</b></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">09:15</div></td>
<td colspan="2" bgcolor="#b9c2dc" class="tcell"><b>tba</b><br/>
tba</td>
</tr>

<tr>
<td class="tcell2" valign="top"><div align="right">10:00</div></td>
<td colspan="2" bgcolor="#EEEEEE" class="tcell"><b>tba</b><br/>
tba</td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">10:45</div></td>
<td colspan="2" bgcolor="#D98B66" class="tcell"><div align="center"><strong>Coffe Break</strong></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">11:15</div></td>
<td colspan="2" bgcolor="#B9C2DC" class="tcell"><strong>tba</strong><br />
tba</td>
</tr>
<tr>
<td class="tcell3" valign="top"><div align="right">12:00</div></td>
<td colspan="2" bgcolor="#D98B66" class="tcell3"><div align="center"><strong>Lunch Break</strong></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">13:00</div></td>
<td colspan="2" bgcolor="#EEEEEE" class="tcell"><b>tba</b><br/>
tba</td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">13:45</div></td>
<td width="47%" bgcolor="#B9C2DC" class="tcell"><b>tba</b><br/>
tba</td>

<td width="46%" bgcolor="#8B9AC5" class="tcell"><b>tba</b><br/>
tba</td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">14:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><strong>tba</strong><br />
tba</td>
<td bgcolor="#D3D3D3" class="tcell"><strong>tba</strong><br />
tba</td>
</tr>
<tr>
<td class="tcell3" valign="top"><div align="right">15:15</div></td>
<td colspan="2" bgcolor="#D98B66" class="tcell3"><div align="center"><strong>Snack Break</strong></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">15:45</div></td>
<td bgcolor="#B9C2DC" class="tcell"><b>tba</b><br/>
tba</td>

<td bgcolor="#8B9AC5" class="tcell"><b>tba</b><br/>
tba</td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">16:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><b>tba</b><br/>
tba</td>
<td bgcolor="#D3D3D3" class="tcell"><b>tba</b><br/>
tba</td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">17:15</div></td>
<td bgcolor="#B9C2DC" class="tcell"><strong>tba</strong><br />
tba</td>
<td bgcolor="#8B9AC5" class="tcell"><strong>tba</strong><br />
tba</td>
</tr>
<tr>
<td class="tcell3" valign="top"><div align="right">18:00</div></td>
<td colspan="2" bgcolor="#CCCCCC" class="tcell3"><div align="center"><strong>Conclusion</strong></div></td>
</tr>
</table>
</center>
----

===Conference Schedule - Day 2 ===

<center>
<table width="80%" class="t">
<tr>
<td width="7%" class="tcell3" valign="top"><div align="right">08:30</div></td>
<td colspan="2" bgcolor="#8595C2" class="tcell3"><center>
<strong> Registration </strong>
</center></td>
</tr>
<tr>

<td class="tcell2" valign="top"><div align="right">09:00</div></td>
<td colspan="2" bgcolor="#eeeeee" class="tcell"><div align="center"><b>Welcome/Introduction</b></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">09:15</div></td>
<td colspan="2" bgcolor="#b9c2dc" class="tcell"><b>tba</b><br/>
tba</td>
</tr>

<tr>
<td class="tcell2" valign="top"><div align="right">10:00</div></td>
<td colspan="2" bgcolor="#EEEEEE" class="tcell"><b>tba</b><br/>
tba</td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">10:45</div></td>
<td colspan="2" bgcolor="#D98B66" class="tcell"><div align="center"><strong>Coffe Break</strong></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">11:15</div></td>
<td colspan="2" bgcolor="#B9C2DC" class="tcell"><strong>tba</strong><br />
tba</td>
</tr>
<tr>
<td class="tcell3" valign="top"><div align="right">12:00</div></td>
<td colspan="2" bgcolor="#D98B66" class="tcell3"><div align="center"><strong>Lunch Break</strong></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">13:00</div></td>
<td colspan="2" bgcolor="#EEEEEE" class="tcell"><b>tba</b><br/>
tba</td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">13:45</div></td>
<td width="47%" bgcolor="#B9C2DC" class="tcell"><b>tba</b><br/>
tba</td>

<td width="46%" bgcolor="#8B9AC5" class="tcell"><b>tba</b><br/>
tba</td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">14:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><strong>tba</strong><br />
tba</td>
<td bgcolor="#D3D3D3" class="tcell"><strong>tba</strong><br />
tba</td>
</tr>
<tr>
<td class="tcell3" valign="top"><div align="right">15:15</div></td>
<td colspan="2" bgcolor="#D98B66" class="tcell3"><div align="center"><strong>Snack Break</strong></div></td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">15:45</div></td>
<td bgcolor="#B9C2DC" class="tcell"><b>tba</b><br/>
tba</td>

<td bgcolor="#8B9AC5" class="tcell"><b>tba</b><br/>
tba</td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">16:30</div></td>
<td bgcolor="#EEEEEE" class="tcell"><b>tba</b><br/>
tba</td>
<td bgcolor="#D3D3D3" class="tcell"><b>tba</b><br/>
tba</td>
</tr>
<tr>
<td class="tcell2" valign="top"><div align="right">17:15</div></td>
<td bgcolor="#B9C2DC" class="tcell"><strong>tba</strong><br />
tba</td>
<td bgcolor="#8B9AC5" class="tcell"><strong>tba</strong><br />
tba</td>
</tr>
<tr>
<td class="tcell3" valign="top"><div align="right">18:00</div></td>
<td colspan="2" bgcolor="#CCCCCC" class="tcell3"><div align="center"><strong>Conclusion</strong></div></td>
</tr>
</table>
</center>
----

==Venue==

Câmara dos Deputados, Anexo II, Praça dos Três Poderes, Brasília, Brazil.

See it in [http://maps.google.com/maps?f=q&source=s_q&hl=pt-BR&geocode=&q=anexo+II,+camara+dos+deputados,+brasilia&sll=37.0625,-95.677068&sspn=43.934478,79.101563&ie=UTF8&t=h&ll=-15.800058,-47.865822&spn=0.01309,0.019312&z=16 Google Maps]

==Registration==

Will be available soon.

==Tutorial Days - October 13-14==

OWASP will host numerous 1 and 2 day tutorial sessions prior to the conference. If you are interested in delivering a tutorial at this event, please contact [mailto:eduardo.neves@owasp.org Eduardo Neves].

==Accommodations==

To be defined

==Transportation to the Conference==

To be defined

===How to get to the venue?===

To be defined

==Registration and Conference Fees==

There will be no fees for this conference, only registration is required to participate.

==Conference Committee==

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

2009 AppSec CPLP Program Committee:
* Conference Chair: Lucas C. Ferreira (contato at sapao.net)
* Tutorials Organization: Eduardo V. C. Neves (eduardo.neves at owasp.org)
* Tracks Organization: Wagner Elias (wagner.elias at gmail.com)

Pre-Event Organization Team

* Cassio Goldschmidt - cassio 'at' owasp.org
* Kuai Hinojosa - kuai.hinojosa 'at' owasp.org
* Leonardo Cavallari - (email)
* Thiago Lechuga - thiagoalz 'at' gmail.com

Event Organization Team

==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==

This conference will be sponsored by the [http://www2.camara.gov.br/english Computing Centre of the Brazilian Deputy Chamber]

[[Category:OWASP AppSec Conference]]

2009-02-06T01:59:08Z

Camargoneves:

__NOTOC__

Return to [[Global Education Committee]]

{| style="width:100%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white"|<font color="white">'''ACTIVITY IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Activity Name'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|<font color="black">Internationalization of educational material a.k.a. translate materials'''
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Short Description'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|
Perform translation and generation marketing material for distribution
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Related Projects'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|None
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
| style="width:25%; background:#cccccc" align="center"|Eduardo Vianna de Camargo Neves<br>[mailto:eduardo.neves@owasp.org e-mail]
| style="width:25%; background:#cccccc" align="center"|'''Secondary'''<br>[mailto:email(at)owasp.org '''who''']
| style="width:25%; background:#cccccc" align="center"|'''Mailing list'''<br>None
|}

{| style="width:100%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white"|<font color="white">'''ACTIVITY SPECIFICS'''
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Objectives'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|
* '''Identify point of contacts places for translation efforts and setup a deadline Translate material in French, Portuguese, Spanish, Malay, Italian, Indonesian, Chinese '''
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Deadlines'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|
* '''4Q 2009'''
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Status'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|
* '''On Going'''
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Resources'''
| colspan="3" style="width:75%; background:#cccccc" align="left"|
'''Language Translation Coordination'''
* Eduardo Neves is the coordinator for translation on Portuguese.
* Cecil Su is the coordinator for translation on Malay, Indonesian and Chinese.
* Martin Knobloch is the coordinator for translation on Dutch and German.
|-
|}