OWASP NYC AppSec 2008 Conference

2008-05-27T15:59:36Z

Gollmann:

<center>[[Image:NYC08_468x60_72_newdates.gif]]</center>

= OWASP NYC AppSec 2008 - September 22th-25th 2008 =
Last Update: {{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}
In association with: [http://www.webappsec.org WASC], [http://www.nym-infragard.us NYM InfraGard], [http://aitglobal.com AITGlobal], [http://nyphp.org/index.php NYC PHP], [http://www.nycbug.org NYCBUG], [http://www.isacany.net ISACA], [http://www.issa.org ISSA] and [http://www.pace.edu Pace University] you're invited to (2) days of Seminars and Technology Pavilion from the world's best application security technology minds, (2) days of hardcore hands-on training, all held at <b>[http://www.pace.edu/page.cfm?doc_id=16157 Pace University]</b>, located in downtown New York City at <b>One Pace Plaza New York, NY 10038.</b> Event Fees: $350 for 2 days of seminars, $675 for 1-day training classes and $1,350 for 2-day courses. [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif] - do you want to preview the event space [http://www.flickr.com/photos/21550725@N04/sets/72157604662279903/detail Click Here]
<hr>
[https://www.owasp.org/images/6/60/NY_Sponsorship.pdf Diamond Sponsor] - [http://www.imperva.com https://www.owasp.org/images/d/de/Imperva_2color_RGB.jpg]<br>
<br>
[https://www.owasp.org/images/6/60/NY_Sponsorship.pdf Platinum Sponsor] - [http://www.cenzic.com/ https://www.owasp.org/images/b/bf/CenzicLogo_RGB.gif]<br>
<br>
[https://www.owasp.org/images/6/60/NY_Sponsorship.pdf Gold & Silver Sponsors] -[http://www.accessitgroup.com/products/inspectit.php https://www.owasp.org/images/6/6d/Accessit.JPG] - [http://www.fortify.com https://www.owasp.org/images/a/ac/Fortify.jpg] - [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif] - [http://www.cigital.com/ https://www.owasp.org/images/b/be/Cigital_OWASP.GIF] - [http://www.ouncelabs.com/ https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg]
[http://www.proactiverisk.com https://www.owasp.org/images/9/97/Proactiverisk_logo.jpg]

<br>
<center>[https://www.owasp.org/images/9/98/NY_Sponsorship_Form.pdf Sponsorship Opportunities] -- [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-PRESS Press Registration] -- [http://www.owasp.org/index.php/Member_Offers Other OWASP Member Offers] </center>
<hr>

== OWASP NYC AppSec 2008 Conference Schedule – Sept 24th - Sept 25th ==
{| style="width:80%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white" | Day 1 – Sept 24th, 2008
|-
| style="width:10%; background:#7B8ABD" | || style="width:30%; background:#BC857A" | Track 1:
| style="width:30%; background:#BCA57A" | Track 2:
| style="width:30%; background:#7B8ABD" | Track 3:
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Registration Opens and Tech Expo'''
|-
| style="width:10%; background:#7B8ABD" | 09:15-10:15 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Introduction, OWASP Version 3.0 where we are.. where we are going
''OWASP Foundation Board Jeff Williams, Tom Brennan, Dinis Cruz, Sebastien Deleersnyder & Dave Wichers''
|-
| style="width:10%; background:#7B8ABD" | 10:30-11:30 || style="width:30%; background:#BC857A" align="left" | Logic Attacks and Inefficiencies of Robotic Detection
''Robert "RSnake" Hansen CEO [http://www.sectheory.com SecTheory]''
| style="width:30%; background:#BCA57A" align="left" | Offensive Assessing Financial Apps
''Daniel Cuthbert''
| style="width:30%; background:#7B8ABD" align="left" | Web Intrusion Detection with ModSecurity
''Ivan Ristic''
|-
| style="width:10%; background:#7B8ABD" | 11:30-12:30 || style="width:30%; background:#BC857A" align="left" | Reverse Engineering .NET
''Adam Boulton''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz] 0.1 - 1.1: [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Building a Java Fuzzer for the Web]
''[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Yiannis Pavlosoglou] - Senior Director - [http://www.ouncelabs.com Ounce Labs] ''
| style="width:30%; background:#7B8ABD" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP LIVE CD]
''Joshua Perrymon - CEO [http://www.packetfocus.com Packetfocus]''
|-
| style="width:10%; background:#7B8ABD" | 12:30-13:30 || style="width:30%; background:#BC857A" align="left" | [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-GunterOllmann Multidisciplinary Bank Attacks]
''Gunter Ollmann, Director Security Strategy, [http://www.iss.net IBM Internet Security Systems]''
| style="width:30%; background:#BCA57A" align="left" | OWASP CLASP
''Pravir Chandra''
| style="width:30%; background:#7B8ABD" align="left" | Shootout at the Blackbox Corral
''Dinis Cruz & Larry Suto''
|-
| style="width:10%; background:#7B8ABD" | 13:30-14:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | Collective Intelligence - Jennifer Bayuk-CISO Bear Stearns, Mark Clancy EVP CitiGroup, Jim Routh CISO DTCC, Sunil Seshadri CISO NYSE-Euronet, Warren Axelrod SVP Bank of America, Joe Bernik Royal Bank of Scotland & Philip Venables CIRO, Goldman, Sachs
Moderator: Mahi Dontamsetti
|-
| style="width:10%; background:#7B8ABD" | 14:30-15:30 || style="width:30%; background:#BC857A" align="left" | [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho w3af, a framework to own the web] -
[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho ''Andres Riancho''], [http://www.cybsec.com/ Cybsec]

| style="width:30%; background:#BCA57A" align="left" | [[AppSecEU08_Trends_in_Web_Hacking_Incidents:_What's_hot_for_2008 | Trends in Web Hacking: What's hot in 2008<br/>Analysis of the Web Hacking Incidents Database (WHID)]]
''[http://blog.shezaf.com Ofer Shezaf], Breach''
| style="width:30%; background:#7B8ABD" align="left" | Security in Agile Development
''Dave Wichers, COO [http://www.aspectsecurity.com Aspect Security]''
|-
| style="width:10%; background:#7B8ABD" | 15:30-16:30 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/ESAPI OWASP Enterprise Security API (ESAPI) Project]
''Jeff Williams, CEO [http://www.aspectsecurity.com Aspect Security]''
| style="width:30%; background:#BCA57A" align="left" | Next Generation Cross Site Scripting Worms
''Arshan Dabirsiaghi, Director of Research [http://www.aspectsecurity.com Aspect Security]''
| style="width:30%; background:#7B8ABD" align="left" | "Threading the Needle:
Bypassing web application/service security controls using Encoding, Transcoding, Filter Evasion, and other Canonicalization Attacks."
''Arian Evans, Director of Operations [http://www.whitehatsec.com WhiteHat Security]''
|-
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || style="width:30%; background:#BC857A" align="left" | Shhhh Don’t Tell Anybody
''Petko D. Petkov, a.k.a. pdp''
| style="width:30%; background:#BCA57A" align="left" | Secure PHP
''Hans Zaunere, CEO [http://www.nyphp.com NYCPHP]''
| style="width:30%; background:#7B8ABD" align="left" | Payment Card Data Security and the new Enterprise Java
''Dr. B. V. Kumar & Mr. Abhay ''
|-
| style="width:10%; background:#7B8ABD" | 17:30-18:30 || style="width:30%; background:#BC857A" align="left" | Notes Security
''Jian Hui Wang''
| style="width:30%; background:#BCA57A" align="left" | Mastering PCI Section 6.6
''Taylor McKinley and Jacob West''
| style="width:30%; background:#7B8ABD" align="left" | AppSec Techniques
''JD Glaser, CEO [http://www.ntobjectives.com/company/management.php NTO Objectives]''
|-
| style="width:10%; background:#7B8ABD" | 18:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Web Application Capture the Flag - [http://isis.poly.edu/projects Polytechnic University]'''
|-
| style="width:10%; background:#7B8ABD" | 20:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | ''' Speaker/Attendee Reception'''
|-
! colspan="4" align="center" style="background:#4058A0; color:white" | Day 2 – Sept 25th, 2008
|-
| style="width:10%; background:#7B8ABD" | 8:00-10:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | Breakfast @ Tech-Expo
|-
| style="width:10%; background:#7B8ABD" | 0900-10:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''"We have all the tools, policies, frameworks, documents, community support available what works... what does not?" ' Industry Panel: <TBD>, <TBD>, <TBD>, <TBD>, <TBD> Moderator: Daniel Cuthbert''
|-
| style="width:10%; background:#7B8ABD" | 10:00-11:00 || style="width:30%; background:#BC857A" align="left" | Practical Advanced Threat Modeling
''John Steven''
| style="width:30%; background:#BCA57A" align="left" | [http://reversebenchmarking.com Open Reverse Benchmarking Project]
''Marce Luck & Tom Stracener''
| style="width:30%; background:#7B8ABD" align="left" | Building Usable Security
''Zed Abbadi''
|-
| style="width:10%; background:#7B8ABD" | 11:00-12:00 || style="width:30%; background:#BC857A" align="left" | Offshoring Application Development? Security is Still Your Problem
''Rohyt Belani''
| style="width:30%; background:#BCA57A" align="left" | OWASP Orizon Project
''Paolo Perego''
| style="width:30%; background:#7B8ABD" align="left" | NIST SAMATE Static Analysis Tool Exposition (SATE)
''Vadim Okun''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || style="width:30%; background:#BC857A" align="left" | The Art and Nature of Web Application Security
''Mano Paul CEO [http://www.expresscertifications.com Express Certifications]''
| style="width:30%; background:#BCA57A" align="left" | Software Liability
''Jack Danahy''
| style="width:30%; background:#7B8ABD" align="left" | Cross-Site Scripting Filter Evasion
''Alexios Fakos''
|-
| style="width:10%; background:#7B8ABD" | 13:00-14:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Projects "Dinis Cruz & OWASP Project Leaders"
|-
| style="width:10%; background:#7B8ABD" | 14:00-15:00 || style="width:30%; background:#BC857A" align="left" | Projects with OWASP
''Steve Malson''
| style="width:30%; background:#BCA57A" align="left" | OWASP Pantera Advances
''Simon Roses Femerling''
| style="width:30%; background:#7B8ABD" align="left" | Software-as-a-Service (SaaS)
''James Landis''
|-
| style="width:10%; background:#7B8ABD" | 15:00-16:00 || style="width:30%; background:#BC857A" align="left" | "Out of Band" Injection
''Vijay Akasapu & Marshall Heilman''
| style="width:30%; background:#BCA57A" align="left" | OWASP V2 Testing Guide 4.2.3 Spidering and Googling in depth
''Christian Heinrich''
| style="width:30%; background:#7B8ABD" align="left" | Caution, Java ahead
''Jeremiah Grossman CTO [http://www.whitehatsec.com WhiteHat Security]''
|-
| style="width:10%; background:#7B8ABD" | 16:00-17:00 || style="width:30%; background:#BC857A" align="left" | [[Input validation: the Good, the Bad and the Ugly]]
''[[Johan Peeters]]''
| style="width:30%; background:#BCA57A" align="left" | Flash Parameter Injection (FPI)
''Ayal Yogev & Yuval Baror''
| style="width:30%; background:#7B8ABD" align="left" | Learning the .Net Debugging API
''Kevin Spett''
|-
| style="width:10%; background:#7B8ABD" | 17:00-18:00 || style="width:30%; background:#BC857A" align="left" | Secure System Development Life Cycle (SSDLC) Methodology for SOA
''Ken Huang''
| style="width:30%; background:#BCA57A" align="left" | Web Security Education using Open Source Tools
''Prof. Li-Chiou Chen & Chienitng Lin''
| style="width:30%; background:#7B8ABD" align="left" | Friend or Foe: Penetration Testing VS Source Code Analysis
''Tom Ryan''
|-
| style="width:10%; background:#7B8ABD" | 18:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Closing Remarks / CTF Awards / Raffles'''
|-
| style="width:10%; background:#7B8ABD" | 21:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Farewell dinner.. Go secure the world'''
|}

<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center>

== Technology Pavilion - September 24th and 25th ==

Want to see the latest offerings from technology product and service firms, visit the Technology Pavilion. On September 24th and 25th there will be 2 full days of exhibits by service providers and manufacturers from around the world.

<hr>

== [https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008] ==
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T1. Defensive Programming - 2-Days - $1350
|-
| style="background:#F2F2F2" | This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. The instructor Pravir Chandra is well known security expert, project lead for OWASP CLASP project and former co-founder & CTO of secure software [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Pravir Chandra, Project Lead OWASP [[:Category:OWASP_CLASP_Project | CLASP]] Project, Principal Consultant, [http://www.cigital.com https://www.owasp.org/images/b/be/Cigital_OWASP.GIF]'''
|-
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE - 2-Days - $1350
|-
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:
# Java EE security overview,
# All coding examples and recommendations are specifically focused on Java and Java servers, and
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.

[[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
'''
|-
! align="center" style="background:#4058A0; color:white" | T3. Web Services and XML Security - 2-Days - $1350
|-
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]
|-
! align="center" style="background:#4058A0; color:white" | T4. Advanced Web Application Security Testing - 2-Days - $1350
|-
| style="background:#F2F2F2" | Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
! align="center" style="background:#4058A0; color:white" | T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675
|-
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
! align="center" style="background:#4058A0; color:white" | T6. Application Security Forensics - 1-Day - Sep 23rd - $675
|-
| style="background:#F2F2F2" | Web application forensics and incident response, requires a solid understanding of web application, security issues – this 1 day class will provide you with a crashcourse on chain of custody and issues related to dealing with a breach
|-
! align="center" style="background:#4058A0; color:white" | T7. Encryption Programming Using SKSML - 2-Days - $1350
|-
| style="background:#F2F2F2" | Application developers are increasingly required to protect sensitive data through encryption. While there are many libraries that can assist with cryptography, there are few to none that focus on encryption key management.

This class will introduce you to an OASIS standards protocol - Symmetric Key Services Markup Language (SKSML) - and show you how it can be used to securely encrypt sensitive data and manage encryption keys across the enterprise. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Arshad Noor, CTO, StrongAuth Inc.''' [http://www.strongauth.com https://www.owasp.org/images/8/86/StrongAuth.jpg]
|}
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center>

<h2> HOTELS / TRAVEL </h2>
[http://maps.google.com/maps?near=Pace+Plz,+New+York,+NY+10038+(Pace+University+New+York+Cmps)&geocode=15467452012610799558,40.711640,-74.005820&q=hotel&f=l&dq=Pace+University-New+York&ie=UTF8&z=15&om=0 Hotel's in the area of the event]

New York City MTA: http://www.mta.nyc.ny.us/nyct/index.html

New York City Subway & walking directions: http://www.hopstop.com/?city=newyork

New York Sights & Sounds - SightsSounds

New York City Travel Guide - http://www.nytoday.com/

New York City Attractions - http://www.nycvisit.com

New York TV Show Tickets - Get free tickets to TV shows! - http://www.nytix.com/

New York City local news: http://www.ny1news.com

<h2>EVENT SPONSORSHIP </h2>The OWASP Conferences & Training security technologists including CSOs,admins, application admins, MIS directors, homeland defense chiefs. These important influencers drive buying decisions exclusive access to its audiences. OWASP has established strategic relationships with security—print publications, newsletters, portals, consultants,message—and leadership positioning OWASP events. OWASP’s mission is supported by organizations who share our application, and software security communities. This approach should be part of your mix.

<b>[https://www.owasp.org/images/9/98/NY_Sponsorship_Form.pdf Sponsorship Opportunities]- Register online: [http://guest.cvent.com/i.aspx?4W,M3,09e3b490-ba93-4474-851e-be803b1a01c2 click here]</b>

OWASP NYC AppSec 2008 Conference-SPEAKER-GunterOllmann

2008-05-27T15:56:04Z

Gollmann: New page: ==Multidisciplinary Bank Attacks== Online Web banking applications have evolved considerably in the last decade; however the financial losses by their customers due to account compromise a...

==Multidisciplinary Bank Attacks==
Online Web banking applications have evolved considerably in the last decade; however the financial losses by their customers due to account compromise appear to be increasing. While the banks have invested in their application security, organized criminal teams appear to have been investing more - and are coming up with new vectors that emphasize attacks that take place on the customer’s host.

Attacking a bank and its customers is a multidisciplinary activity engaged by well organized and well funded international criminal teams. Advances in authentication processes – whether they be multi-factor, temporal-based combinations of one-time pads, or other backend validation processes – have proved ineffective since the attackers have focused upon the financial transaction itself. The combination of drive-by-download infection vectors, custom “Swiss-army knife” malware, banking application logic flaws and end-user complexity are all now leveraged to conduct a successful attack.

Security professionals need to provide a multidisciplinary understanding of the threat to their clients. The use of malware and social engineering cannot be divorced from Web application vulnerabilities any longer.

This session examines how malware is successfully leveraged within organized online banking attacks to bypass even the most sophisticated application logic. I will explain how current state-of-the-art man-in-the-browser technologies have overcome advanced authentication techniques and transaction validation processes. We will discuss how banking application complexity and ill thought-out logic changes can (and are) leveraged by criminals to socially engineer the customer in to falling for their criminal deception. And, finally, I will explain how even out-of-band multi-factor authentication systems such as SMS-based tokens are likely to be bypassed in the future.

What does Web application security look like if you cannot trust anything that goes to, or comes from, your customers host?

==About the Speaker==

Gunter Ollmann serves as Director of Security Strategy for IBM Internet Security Systems. With two decades of service within the information technology field, Ollmann is responsible for IBM ISS’ overall strategy for handling next generation security threats. As the former director of X-Force, Ollmann was responsible for ISS’ security research and development efforts, including all security content for ISS' products and services, zero-day vulnerability analysis, observation and analysis of global security trends, and vulnerability discovery. Ollmann was previously the former head of X-Force security assessment services for EMEA. In his role Gunter managed a distributed team of highly skilled consultants in multiple locations throughout Europe, pioneered specialist methodologies and techniques for the successful assessment of custom software solutions and increased the growth and application of the ISS global center of excellence in security assessment and penetration testing.

Prior to joining Internet Security Systems, Ollmann was the professional services director of Next Generation Security Software (NGS), a vulnerability research and attack-based consulting firm. He was responsible for the development of business relationships, including building NGS’ international clientele, and helping define the direction of research activities and development of the company’s vulnerability-based knowledge services. Ollmann grew NGS consulting service while dispensing cutting-edge security advice to product vendors to aid them in the development of commercial technology.

Ollmann has been a contributor to multiple leading international IT and security focused magazines and journals, including a dedicated monthly “Consultants Corner” column in SC Magazine. He has authored, developed and delivered a number of highly technical courses on Web Application Security. He has provided technical advice to various government agencies and is an invited to speaker at many international security conferences.

OWASP - User contributions [en]

OWASP NYC AppSec 2008 Conference

OWASP NYC AppSec 2008 Conference-SPEAKER-GunterOllmann