OWASP - User contributions [en]

OWASP Spring Of Code 2007 - Projects

2007-11-18T09:57:59Z

Ileliveinsandbox: /* All SpoC Projects */

== All SpoC Projects ==

This page contains the latest information about the status of the [[OWASP Spring Of Code 2007]] projects (and links to each project's SpoC page)

{| class="wikitable" WIDTH=100%
|-
! SpoC Project Name
! Author
! Confirmed
! Status
! Coordinated by
|-

|-
! [[SpoC 007 - The OWASP Web Security Certification Framework|The OWASP Web Security Certification Framework]]
| Mark Curphey
| Yes
| Half term review: '''done'''
''Agreed project extension''
| OWASP Board

|-
! [[SpoC 007 - SqlMap|SqlMap]]
| Bernardo Damele
| Yes
| Full term review: '''done'''
progress: '''100%'''
'''Waiting for final review'''
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Site Generator|OWASP Site Generator]]
| Boris Maletic and
Mike de Libero
| Yes
| Not reviewed progress: '''20%
''Agreed project extension''
| Dinis Cruz

|-
! [[SpoC 007 - Attacks Reference Guide|Attacks Reference Guide]]
| NSRAV Security Research Group
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - The Scholastic Application Security Assessment Project|The Scholastic Application Security Assessment Project]]
| Eric Sheridan and
Dr. Goran Trajkovski
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - Inspekt|Inspekt: Input filtering and validation library for PHP]]
| Ed Finkler
| Yes
| Half term review: '''done'''
''Agreed project extension''
| Andrew v d Stock

|-
! [[SpoC 007 - Code review Project|Code review Project]]
| Eoin Keary
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Certification Project|OWASP Certification Project]]
| Matteo Meucci
| Yes
| 0%
Project Cancelled
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Education Project|OWASP Education Project]]
| Sebastien Deleersnyder
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - OWASP The Anti-Samy Project|OWASP The Anti-Samy Project]]
| Arshan Dabirsiaghi
| Yes
| Half term review: '''done'''
Partially completed - waiting final review
| Jeff Williams

|-
! [[SpoC 007 - Security throughout the SDLC|Security throughout the SDLC]]
| Keith Casey
|
| '''Project Cancelled'''
|

|-
! [[SpoC 007 - OWASP WebGoat Solutions Guide|OWASP WebGoat Solutions Guide]]
| Erwin Geirnaert
| Yes
| '''Project Finished'''
| Jeff Williams

|-
! [[SpoC 007 - OWASP WeBekci Project|OWASP WeBekci Project]]
| Bunyamin Demir
| Yes
| Not reviewed progress: '''40%'''
Partially completed - waiting final review
| Ivan Ristic

|-
! [[SpoC 007 - Python Tainted Mode|Python Tainted Mode]]
| Zalivin Denis
| Yes
| Not reviewed progress: '''100%'''
'''Waiting for final review'''
| Dinis Silva

|-
! [[SpoC 007 - WebScarab NG Security Test Automation|WebScarab NG Security Test Automation]]
| Darren Edmonds
| Yes
| 0%
Partially completed - waiting final review
| Jeff Williams

|-
! [[SpoC 007 - Refresh Attacks list|Refresh Attacks list]]
| Przemyslaw 'rezos' Skowron
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - Best Practices & Countermeasures|Best Practices & Countermeasures]]
| Jim
| No
| '''Project Cancelled'''
|

|-
! [[SpoC 007 - OWASP Brand|OWASP brand]]
| Paulo Coimbra
| Yes
| '''Project Suspended'''
| Dinis Cruz

|-
! [[SpoC 007 - Web Application Security put into practice|Web Application Security put into practice]]
| Heiko Webers
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - OWASP JBroFuzz Project|OWASP JBroFuzz Project]]
| Subere
| Yes
| Half term review: '''done'''
''Agreed project extension''
| Dinis Cruz

|-
! [[SpoC 007 - Owasp Orizon Project|Owasp Orizon Project]]
| Paolo Perego
| Yes
| Half term review: '''done'''
Not reviewed progress: '''75-80%'''
'''Waiting for final review'''
| Dinis Cruz

|-
! [[SpoC 007 - Enigform: Firefox Addon for OpenPGP signing of HTTP requests|Enigform: Firefox Addon for OpenPGP signing of HTTP requests]]
| Arturo (Buanzo) Busleiman
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - OWASP LiveCD Education Project|OWASP LiveCD Education Project]]
| Josh Sweeney
| Yes
| Reviewed progress: '''30%'''
Partially completed - waiting final review
| Eoin Keary

|-
! [[SpoC 007 - OWASP Java Project|OWASP Java Project]]
| Erwin Geirnaert
| Yes
| 0%
Partially completed - waiting final review
| Jeff Williams

|-
! [[SpoC 007 - OWASP LiveCD Project|OWASP LiveCD Project]]
| Joshua Perrymon
| Yes
| Not reviewed progress: '''75%'''
''Agreed project extension''
| Eoin Keary

|-
! [[SpoC 007 - Interim @ Aspect Offices|Interim @ Aspect Offices]]
| Andy Gocke
| Yes
| '''Project Finished'''
| Jeff Williams

|-
! [[SpoC 007 - Help with SpoC project management|Help with SpoC project management]]
| Paulo Coimbra
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Corporate Application Security Rating Guide|OWASP Corporate Application Security Rating Guide]]
| Erwin Geirnaert
| Yes
| 0%
''Agreed project extension''
| Mandeep Khera

|}

OWASP Spring Of Code 2007 - Projects

2007-11-18T09:56:41Z

Ileliveinsandbox: /* All SpoC Projects */

== All SpoC Projects ==

This page contains the latest information about the status of the [[OWASP Spring Of Code 2007]] projects (and links to each project's SpoC page)

{| class="wikitable" WIDTH=100%
|-
! SpoC Project Name
! Author
! Confirmed
! Status
! Coordinated by
|-

|-
! [[SpoC 007 - The OWASP Web Security Certification Framework|The OWASP Web Security Certification Framework]]
| Mark Curphey
| Yes
| Half term review: '''done'''
''Agreed project extension''
| OWASP Board

|-
! [[SpoC 007 - SqlMap|SqlMap]]
| Bernardo Damele
| Yes
| Half term review: '''done'''
Not reviewed progress: '''100%'''
'''Waiting for final review'''
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Site Generator|OWASP Site Generator]]
| Boris Maletic and
Mike de Libero
| Yes
| Not reviewed progress: '''20%
''Agreed project extension''
| Dinis Cruz

|-
! [[SpoC 007 - Attacks Reference Guide|Attacks Reference Guide]]
| NSRAV Security Research Group
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - The Scholastic Application Security Assessment Project|The Scholastic Application Security Assessment Project]]
| Eric Sheridan and
Dr. Goran Trajkovski
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - Inspekt|Inspekt: Input filtering and validation library for PHP]]
| Ed Finkler
| Yes
| Half term review: '''done'''
''Agreed project extension''
| Andrew v d Stock

|-
! [[SpoC 007 - Code review Project|Code review Project]]
| Eoin Keary
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Certification Project|OWASP Certification Project]]
| Matteo Meucci
| Yes
| 0%
Project Cancelled
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Education Project|OWASP Education Project]]
| Sebastien Deleersnyder
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - OWASP The Anti-Samy Project|OWASP The Anti-Samy Project]]
| Arshan Dabirsiaghi
| Yes
| Half term review: '''done'''
Partially completed - waiting final review
| Jeff Williams

|-
! [[SpoC 007 - Security throughout the SDLC|Security throughout the SDLC]]
| Keith Casey
|
| '''Project Cancelled'''
|

|-
! [[SpoC 007 - OWASP WebGoat Solutions Guide|OWASP WebGoat Solutions Guide]]
| Erwin Geirnaert
| Yes
| '''Project Finished'''
| Jeff Williams

|-
! [[SpoC 007 - OWASP WeBekci Project|OWASP WeBekci Project]]
| Bunyamin Demir
| Yes
| Not reviewed progress: '''40%'''
Partially completed - waiting final review
| Ivan Ristic

|-
! [[SpoC 007 - Python Tainted Mode|Python Tainted Mode]]
| Zalivin Denis
| Yes
| Not reviewed progress: '''100%'''
'''Waiting for final review'''
| Dinis Silva

|-
! [[SpoC 007 - WebScarab NG Security Test Automation|WebScarab NG Security Test Automation]]
| Darren Edmonds
| Yes
| 0%
Partially completed - waiting final review
| Jeff Williams

|-
! [[SpoC 007 - Refresh Attacks list|Refresh Attacks list]]
| Przemyslaw 'rezos' Skowron
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - Best Practices & Countermeasures|Best Practices & Countermeasures]]
| Jim
| No
| '''Project Cancelled'''
|

|-
! [[SpoC 007 - OWASP Brand|OWASP brand]]
| Paulo Coimbra
| Yes
| '''Project Suspended'''
| Dinis Cruz

|-
! [[SpoC 007 - Web Application Security put into practice|Web Application Security put into practice]]
| Heiko Webers
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - OWASP JBroFuzz Project|OWASP JBroFuzz Project]]
| Subere
| Yes
| Half term review: '''done'''
''Agreed project extension''
| Dinis Cruz

|-
! [[SpoC 007 - Owasp Orizon Project|Owasp Orizon Project]]
| Paolo Perego
| Yes
| Half term review: '''done'''
Not reviewed progress: '''75-80%'''
'''Waiting for final review'''
| Dinis Cruz

|-
! [[SpoC 007 - Enigform: Firefox Addon for OpenPGP signing of HTTP requests|Enigform: Firefox Addon for OpenPGP signing of HTTP requests]]
| Arturo (Buanzo) Busleiman
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - OWASP LiveCD Education Project|OWASP LiveCD Education Project]]
| Josh Sweeney
| Yes
| Reviewed progress: '''30%'''
Partially completed - waiting final review
| Eoin Keary

|-
! [[SpoC 007 - OWASP Java Project|OWASP Java Project]]
| Erwin Geirnaert
| Yes
| 0%
Partially completed - waiting final review
| Jeff Williams

|-
! [[SpoC 007 - OWASP LiveCD Project|OWASP LiveCD Project]]
| Joshua Perrymon
| Yes
| Not reviewed progress: '''75%'''
''Agreed project extension''
| Eoin Keary

|-
! [[SpoC 007 - Interim @ Aspect Offices|Interim @ Aspect Offices]]
| Andy Gocke
| Yes
| '''Project Finished'''
| Jeff Williams

|-
! [[SpoC 007 - Help with SpoC project management|Help with SpoC project management]]
| Paulo Coimbra
| Yes
| Full term review: '''done'''
progress: '''100%'''
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Corporate Application Security Rating Guide|OWASP Corporate Application Security Rating Guide]]
| Erwin Geirnaert
| Yes
| 0%
''Agreed project extension''
| Mandeep Khera

|}

7th OWASP AppSec Conference - San Jose 2007/Agenda

2007-11-15T18:20:29Z

Ileliveinsandbox: Undo revision 23431 by Ileliveinsandbox (Talk)

The agenda for the conference is still under development and is subject to change.

The [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda#Nov 14: Track 3: Web Services Security | Web Services Security Track]], which is the 3rd track on Day 1, is at the bottom of this page.

== OWASP & WASC AppSec 2007 Training Courses - Nov 12th-13th 2007 ==

The tutorials and the conference itself will be held at eBay in San Jose.

{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T1. Building and Testing Secure Web Applications
|-
| style="background:#F2F2F2" | This powerful two-day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how easily application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code. [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE
|-
| style="background:#F2F2F2" | This Java focused course covers the most common Java EE web application security problems, including the OWASP Top Ten. It teaches Java EE best practices, so developers can really understand how to avoid introducing such vulnerabilities into their Java EE applications. '''This course includes hands on coding exercises that allows the students to fix real flaws in a Java EE application using the best practices recommended in class!!''' [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T3. Secure Coding .NET Web Applications
|-
| style="background:#F2F2F2" | This .NET focused course covers the most common .NET web application security problems, including the OWASP Top Ten. It teaches .NET best practices, so developers can really understand how to avoid introducing such vulnerabilities into their .NET web applications. '''This course includes hands on coding exercises that allows the students to fix real flaws in a .NET application using the best practices recommended in class!!''' [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Secure_Coding_.NET_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T4. Web Services and XML Security
|-
| style="background:#F2F2F2" | Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system! [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T5. Leveraging OWASP Tools and Documents to Secure Your Enterprise
|-
| style="background:#F2F2F2" | Apart from OWASP's Top 10, most OWASP projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of these Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Lifecycle (WADL). This course aims to change that by providing detailed presentations of the most mature and enterprise ready OWASP projects together with practical examples of how to use them. [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T5._Leveraging_OWASP_Tools_and_Documents_to_Secure_Your_Enterprise_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T6. Open Source ModSecurity Training
|-
| style="background:#F2F2F2" | ModSecurity is currently the most widely deployed web application firewall (WAF) product. This two-day class is for those people who want to learn how to build, deploy, and use ModSecurity in the most effective manner. The course will cover the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers. The course also provides an in-depth look at the extremely powerful ModSecurity Rules Language. [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T6._Open_Source_ModSecurity_Training_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]
|}

November 12th - Cenzic is sponsoring a cocktail party at the eBay facility after the first day of training.

== Tech Expo - Nov 13th-14th ==

Product vendors will be demonstrating their application security products to conference attendees for the first time at this OWASP Conference. The intended focus of this expo is on the technical details of the technologies they are offering in the market to help organizations deal with their application security issues.

The technology expo will be held:
* November 13th: From 12-2, with lunch included for all the OWASP tutorial attendees who will be invited to attend the expo.
* November 14th: From 11-6 during the first day of the OWASP conference.

'''Breach Cocktail Party - Nov 13'''

To close out the training event and the first day of the tech expo, Breach has kindly agreed to arrange a cocktail party on Tuesday evening. They sponsored a similar event at Black Hat for a joint OWASP / WASC get together and it was a roaring success with over 300 attendees. These have always been great events at previous conferences. Hope to see you there. This event is limited to ~100 people so please RSVP. For more details and RSVP go to: http://www.breach.com/breach_security_party_owaspwasc_san_jose.html

'''Sandbox party''' Nov 15th
........

== OWASP & WASC AppSec 2007 Conference Schedule - Nov 14-15 (San Jose 2007) ==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 1 - Nov 14, 2007
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Track 1:
| style="width:40%; background:#BCA57A" | Track 2:
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Coffee
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:10 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | Welcome to OWASP & WASC AppSec 2007 Conference: Dave Wichers, OWASP Conferences Chair and COO Aspect Security
|-
| style="width:10%; background:#7B8ABD" | 09:10-10:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | Keynote: eBay Application Security Program – Dave Cullinane, CISO - eBay and Michael Barrett, CISO - PayPal
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | An Introduction to WASC and its projects – Jeremiah Grossman, CTO, WhiteHat Security
|-
| style="width:10%; background:#7B8ABD" | 10:30-11:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | Using OWASP, Jeff Williams, OWASP Chair and CEO - Aspect Security
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:20 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 11:20-12:20 || style="width:40%; background:#BC857A" align="left" | For my next trick... hacking Web 2.0 – Petko D. Petkov (AKA PDP Architect), Senior Security Researcher
| style="width:40%; background:#BCA57A" align="left" | Backdoors and other Developer Introduced 'Features', Chris Wysopal, CTO Veracode
|-
| style="width:10%; background:#7B8ABD" | 12:20-13:45 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || style="width:40%; background:#BC857A" align="left" | CSRF: Danger, Detection, and Defenses – Introducing two new OWASP CSRF Tools, Eric Sheridan, Application Security Consultant, Aspect Security and OWASP CSRF Guard Project Lead
| style="width:40%; background:#BCA57A" align="left" | WASC Distributed Open Proxy Honeypot Project, Ryan Barnett, WASC Open Proxy Honeypot Project Lead, Breach Security
|-
| style="width:10%; background:#7B8ABD" | 14:30-15:10 || style="width:40%; background:#BC857A" align="left" | Defeating Web 2.0 Attacks without Recoding Applications, Amichai Shulman, CTO, Imperva
| style="width:40%; background:#BCA57A" align="left" | Dangers of Third Party Content, Tom Stripling, Senior Security Consultant - Security PS
|-
| style="width:10%; background:#7B8ABD" | 15:10-15:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 15:30-16:40 || style="width:40%; background:#BC857A" align="left" | OWASP Projects Overview, Dinis Cruz, Chief OWASP Evangelist
| style="width:40%; background:#BCA57A" align="left" | Web Browser (In)-Security - "Past, Present, and Future", Robert "RSnake" Hansen, CEO SecTheory
|-
| style="width:10%; background:#7B8ABD" | 16:40-17:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 17:00-18:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: “Building an Effective Application Security Assurance Program”
Moderator: Brian Bertacini, Sr. Manager, AppSec Consulting

Panelists: Jeff Williams - CEO Aspect Security, Andy Steingruebl - Principal Security Engineer PayPal, Gary Terrell, Adobe Systems, Scott Stender, iSEC Partners, Neil Daswani, Google
|-
| style="width:10%; background:#7B8ABD" | 18:00-19:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Leader Meeting [[7th_OWASP_AppSec_Conference_-_San_Jose_2007_/_OWASP_Leaders_Meeting_-_Nov_14_6pm|(see meeting agenda here)]] - Organized by Dinis Cruz
|-
| style="width:10%; background:#7B8ABD" | 19:00-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks at Holiday Inn. (1740 N. 1st St. San Jose)
|-
| style="width:10%; background:#7B8ABD" | ~01:00-??:?? || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Band ???
|-
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 2 - Nov 15, 2007
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Track 1:
| style="width:40%; background:#BCA57A" | Track 2:
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Coffee
|-
| style="width:10%; background:#7B8ABD" | 09:00-9:50 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | Keynote: DTCC Application Security Program, Jim Routh, CISO for the Depository Trust and Clearing Corporation (DTCC)
|-
| style="width:10%; background:#7B8ABD" | 9:50-10:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | OWASP State of the Union, Dinis Cruz, Chief OWASP Evangelist
|-
| style="width:10%; background:#7B8ABD" | 10:30-10:50 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 10:50-11:30 || style="width:40%; background:#BC857A" align="left" | Finding Vulnerabilities in Flash Applications, Stefano Di Paola, CTO Minded Security
| style="width:40%; background:#BCA57A" align="left" | Start Rolling with Rails Security, Corey Benninger, Principal Consultant, Intrepidus Group, Inc.
|-
| style="width:10%; background:#7B8ABD" | 11:30-12:30 || style="width:40%; background:#BC857A" align="left" | OWASP Enterprise Security API (ESAPI) – Jeff Williams, CEO Aspect Security and OWASP Chair
| style="width:40%; background:#BCA57A" align="left" | Securing Java Server Faces against the OWASP Top 10, David Chandler, Web Architect, Digital Insight
|-
| style="width:10%; background:#7B8ABD" | 12:30-13:45 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || style="width:40%; background:#BC857A" align="left" | The MySpace Worm, by its author: Samy Kamkar
| style="width:40%; background:#BCA57A" align="left" | .Net Web Services Hacking - Scan, Attacks and Defense, Sheeraj Shah, Blueinfy
|-
| style="width:10%; background:#7B8ABD" | 14:30-15:20 || style="width:40%; background:#BC857A" align="left" | OWASP SpoC Project: Anti Samy - Picking a Fight with XSS, Arshan Dabirsiaghi, Application Security Engineer, Aspect Security
| style="width:40%; background:#BCA57A" align="left" | Website Vulnerability Statistics, Arian Evans (Director of Operations, WhiteHat Security)
|-
| style="width:10%; background:#7B8ABD" | 15:20-15:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 15:40-16:30 || style="width:40%; background:#BC857A" align="left" | The PKI Lie – Attacking Certificate-Based Authentication, Ofer Maor, CTO Hacktics
| style="width:40%; background:#BCA57A" align="left" | Session Management Security and Assessment Techniques, Tom Stracener, Sr. Security Analyst, Cenzic
|-
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || style="width:40%; background:#F2F2F2" align="left" | Panel: Responsible "Website" Vulnerability Disclosure
Moderator: Anurag Agarwal

Panelists: Robert "RSnake" Hansen, CEO SecTheory; Bruce Lowenthal, Director of Oracle Security Alerts Group, Oracle; Zulfikar Ramzan, Advanced Threat Team, Symantec; Christopher Ernst, US Secret Service; and Katie Moussouris, Security Strategist, Microsoft
| style="width:40%; background:#F2F2F2" align="left" | Panel: Outsourcing: Financial Dream or Security Nightmare?
Moderator: Rohyt Belani, Managing Partner, Intrepidus Group

Panelists: Claire McDonough - Security Program Manager at Google, Renato Delatorre – Director of Network Security & Risk Management for Verizon Wireless, Jaswinder Hayre - Application Security Manager for HBO
|-
| style="width:10%; background:#7B8ABD" | 17:30-17:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up - Dave Wichers, OWASP Conferences Chair
|-
| style="width:10%; background:#7B8ABD" | 18:30-20:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Microsoft and Aspect Security Cosponsored Cocktail Party: Drinks at Holiday Inn. (1740 N. 1st St. San Jose)
|}

== Nov 14: Track 3: Web Services Security ==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 1 - Nov 14, 2007
|-
| style="width:10%; background:#7B8ABD" | || style="width:80%; background:#BC857A" | Track 3: Web Services Security
|-
| style="width:10%; background:#7B8ABD" | 11:10-11:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 11:30-12:30 || style="width:80%; background:#BC857A" align="left" | The Top 10 Web Services Security Issues, Gunnar Peterson, Principle, Arctec Group
|-
| style="width:10%; background:#7B8ABD" | 12:30-13:45 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || style="width:80%; background:#BC857A" align="left" | Centralized, Dynamic Web Services Security and Policy Management, Richard Salz, IBM
|-
| style="width:10%; background:#7B8ABD" | 14:30-15:10 || style="width:80%; background:#BC857A" align="left" | Covert CDATA Channels, XML Bombs, and Unexpected Attachments: Case Notes from a real-life XML Web Services Vulnerability Assessment, Mark O'Neill, CTO Vordel
|-
| style="width:10%; background:#7B8ABD" | 15:10-15:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 15:30-16:40 || style="width:80%; background:#BC857A" align="left" | Attacking XML Security, Brad Hill, Principal Security Consultant, iSEC Partners
|}

7th OWASP AppSec Conference - San Jose 2007/Agenda

2007-11-15T18:18:30Z

Ileliveinsandbox: /* OWASP & WASC AppSec 2007 Conference Schedule - Nov 14-15 (San Jose 2007) */

The agenda for the conference is still under development and is subject to change.

The [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda#Nov 14: Track 3: Web Services Security | Web Services Security Track]], which is the 3rd track on Day 1, is at the bottom of this page.

== OWASP & WASC AppSec 2007 Training Courses - Nov 12th-13th 2007 ==

The tutorials and the conference itself will be held at eBay in San Jose.

{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T1. Building and Testing Secure Web Applications
|-
| style="background:#F2F2F2" | This powerful two-day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how easily application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code. [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE
|-
| style="background:#F2F2F2" | This Java focused course covers the most common Java EE web application security problems, including the OWASP Top Ten. It teaches Java EE best practices, so developers can really understand how to avoid introducing such vulnerabilities into their Java EE applications. '''This course includes hands on coding exercises that allows the students to fix real flaws in a Java EE application using the best practices recommended in class!!''' [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T3. Secure Coding .NET Web Applications
|-
| style="background:#F2F2F2" | This .NET focused course covers the most common .NET web application security problems, including the OWASP Top Ten. It teaches .NET best practices, so developers can really understand how to avoid introducing such vulnerabilities into their .NET web applications. '''This course includes hands on coding exercises that allows the students to fix real flaws in a .NET application using the best practices recommended in class!!''' [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Secure_Coding_.NET_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T4. Web Services and XML Security
|-
| style="background:#F2F2F2" | Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system! [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T5. Leveraging OWASP Tools and Documents to Secure Your Enterprise
|-
| style="background:#F2F2F2" | Apart from OWASP's Top 10, most OWASP projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of these Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Lifecycle (WADL). This course aims to change that by providing detailed presentations of the most mature and enterprise ready OWASP projects together with practical examples of how to use them. [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T5._Leveraging_OWASP_Tools_and_Documents_to_Secure_Your_Enterprise_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]
|-
! align="center" style="background:#4058A0; color:white" | T6. Open Source ModSecurity Training
|-
| style="background:#F2F2F2" | ModSecurity is currently the most widely deployed web application firewall (WAF) product. This two-day class is for those people who want to learn how to build, deploy, and use ModSecurity in the most effective manner. The course will cover the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers. The course also provides an in-depth look at the extremely powerful ModSecurity Rules Language. [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T6._Open_Source_ModSecurity_Training_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]
|}

November 12th - Cenzic is sponsoring a cocktail party at the eBay facility after the first day of training.

== Tech Expo - Nov 13th-14th ==

Product vendors will be demonstrating their application security products to conference attendees for the first time at this OWASP Conference. The intended focus of this expo is on the technical details of the technologies they are offering in the market to help organizations deal with their application security issues.

The technology expo will be held:
* November 13th: From 12-2, with lunch included for all the OWASP tutorial attendees who will be invited to attend the expo.
* November 14th: From 11-6 during the first day of the OWASP conference.

'''Breach Cocktail Party - Nov 13'''

To close out the training event and the first day of the tech expo, Breach has kindly agreed to arrange a cocktail party on Tuesday evening. They sponsored a similar event at Black Hat for a joint OWASP / WASC get together and it was a roaring success with over 300 attendees. These have always been great events at previous conferences. Hope to see you there. This event is limited to ~100 people so please RSVP. For more details and RSVP go to: http://www.breach.com/breach_security_party_owaspwasc_san_jose.html

'''Sandbox party''' Nov 15th
........

== OWASP & WASC AppSec 2007 Conference Schedule - Nov 14-15 (San Jose 2007) ==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 1 - Nov 14, 2007
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Track 1:
| style="width:40%; background:#BCA57A" | Track 2:
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Coffee
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:10 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | Welcome to OWASP & WASC AppSec 2007 Conference: Dave Wichers, OWASP Conferences Chair and COO Aspect Security
|-
| style="width:10%; background:#7B8ABD" | 09:10-10:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | Keynote: eBay Application Security Program – Dave Cullinane, CISO - eBay and Michael Barrett, CISO - PayPal
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | An Introduction to WASC and its projects – Jeremiah Grossman, CTO, WhiteHat Security
|-
| style="width:10%; background:#7B8ABD" | 10:30-11:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | Using OWASP, Jeff Williams, OWASP Chair and CEO - Aspect Security
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:20 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 11:20-12:20 || style="width:40%; background:#BC857A" align="left" | For my next trick... hacking Web 2.0 – Petko D. Petkov (AKA PDP Architect), Senior Security Researcher
| style="width:40%; background:#BCA57A" align="left" | Backdoors and other Developer Introduced 'Features', Chris Wysopal, CTO Veracode
|-
| style="width:10%; background:#7B8ABD" | 12:20-13:45 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || style="width:40%; background:#BC857A" align="left" | CSRF: Danger, Detection, and Defenses – Introducing two new OWASP CSRF Tools, Eric Sheridan, Application Security Consultant, Aspect Security and OWASP CSRF Guard Project Lead
| style="width:40%; background:#BCA57A" align="left" | WASC Distributed Open Proxy Honeypot Project, Ryan Barnett, WASC Open Proxy Honeypot Project Lead, Breach Security
|-
| style="width:10%; background:#7B8ABD" | 14:30-15:10 || style="width:40%; background:#BC857A" align="left" | Defeating Web 2.0 Attacks without Recoding Applications, Amichai Shulman, CTO, Imperva
| style="width:40%; background:#BCA57A" align="left" | Dangers of Third Party Content, Tom Stripling, Senior Security Consultant - Security PS
|-
| style="width:10%; background:#7B8ABD" | 15:10-15:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 15:30-16:40 || style="width:40%; background:#BC857A" align="left" | OWASP Projects Overview, Dinis Cruz, Chief OWASP Evangelist
| style="width:40%; background:#BCA57A" align="left" | Web Browser (In)-Security - "Past, Present, and Future", Robert "RSnake" Hansen, CEO SecTheory
|-
| style="width:10%; background:#7B8ABD" | 16:40-17:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 17:00-18:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: “Building an Effective Application Security Assurance Program”
Moderator: Brian Bertacini, Sr. Manager, AppSec Consulting

Panelists: Jeff Williams - CEO Aspect Security, Andy Steingruebl - Principal Security Engineer PayPal, Gary Terrell, Adobe Systems, Scott Stender, iSEC Partners, Neil Daswani, Google
|-
| style="width:10%; background:#7B8ABD" | 18:00-19:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Leader Meeting [[7th_OWASP_AppSec_Conference_-_San_Jose_2007_/_OWASP_Leaders_Meeting_-_Nov_14_6pm|(see meeting agenda here)]] - Organized by Dinis Cruz
|-
| style="width:10%; background:#7B8ABD" | 19:00-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks at Holiday Inn. (1740 N. 1st St. San Jose)
|-
| style="width:10%; background:#7B8ABD" | ~01:00-??:?? || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Band ???
|-
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 2 - Nov 15, 2007
|-
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Track 1:
| style="width:40%; background:#BCA57A" | Track 2:
|-
| style="width:10%; background:#7B8ABD" | 08:00-09:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Coffee
|-
| style="width:10%; background:#7B8ABD" | 09:00-9:50 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | Keynote: DTCC Application Security Program, Jim Routh, CISO for the Depository Trust and Clearing Corporation (DTCC)
|-
| style="width:10%; background:#7B8ABD" | 9:50-10:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | The Blob of Security - in search of the lost sandbox
|-
| style="width:10%; background:#7B8ABD" | 10:30-10:50 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 10:50-11:30 || style="width:40%; background:#BC857A" align="left" | Finding Vulnerabilities in Flash Applications, Stefano Di Paola, CTO Minded Security
| style="width:40%; background:#BCA57A" align="left" | Start Rolling with Rails Security, Corey Benninger, Principal Consultant, Intrepidus Group, Inc.
|-
| style="width:10%; background:#7B8ABD" | 11:30-12:30 || style="width:40%; background:#BC857A" align="left" | OWASP Enterprise Security API (ESAPI) – Jeff Williams, CEO Aspect Security and OWASP Chair
| style="width:40%; background:#BCA57A" align="left" | Securing Java Server Faces against the OWASP Top 10, David Chandler, Web Architect, Digital Insight
|-
| style="width:10%; background:#7B8ABD" | 12:30-13:45 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || style="width:40%; background:#BC857A" align="left" | The MySpace Worm, by its author: Samy Kamkar
| style="width:40%; background:#BCA57A" align="left" | .Net Web Services Hacking - Scan, Attacks and Defense, Sheeraj Shah, Blueinfy
|-
| style="width:10%; background:#7B8ABD" | 14:30-15:20 || style="width:40%; background:#BC857A" align="left" | OWASP SpoC Project: Anti Samy - Picking a Fight with XSS, Arshan Dabirsiaghi, Application Security Engineer, Aspect Security
| style="width:40%; background:#BCA57A" align="left" | Website Vulnerability Statistics, Arian Evans (Director of Operations, WhiteHat Security)
|-
| style="width:10%; background:#7B8ABD" | 15:20-15:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 15:40-16:30 || style="width:40%; background:#BC857A" align="left" | The PKI Lie – Attacking Certificate-Based Authentication, Ofer Maor, CTO Hacktics
| style="width:40%; background:#BCA57A" align="left" | Session Management Security and Assessment Techniques, Tom Stracener, Sr. Security Analyst, Cenzic
|-
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || style="width:40%; background:#F2F2F2" align="left" | Panel: Responsible "Website" Vulnerability Disclosure
Moderator: Anurag Agarwal

Panelists: Robert "RSnake" Hansen, CEO SecTheory; Bruce Lowenthal, Director of Oracle Security Alerts Group, Oracle; Zulfikar Ramzan, Advanced Threat Team, Symantec; Christopher Ernst, US Secret Service; and Katie Moussouris, Security Strategist, Microsoft
| style="width:40%; background:#F2F2F2" align="left" | Panel: Outsourcing: Financial Dream or Security Nightmare?
Moderator: Rohyt Belani, Managing Partner, Intrepidus Group

Panelists: Claire McDonough - Security Program Manager at Google, Renato Delatorre – Director of Network Security & Risk Management for Verizon Wireless, Jaswinder Hayre - Application Security Manager for HBO
|-
| style="width:10%; background:#7B8ABD" | 17:30-17:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up - Dave Wichers, OWASP Conferences Chair
|-
| style="width:10%; background:#7B8ABD" | 18:30-20:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Microsoft and Aspect Security Cosponsored Cocktail Party: Drinks at Holiday Inn. (1740 N. 1st St. San Jose)
|}

== Nov 14: Track 3: Web Services Security ==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Day 1 - Nov 14, 2007
|-
| style="width:10%; background:#7B8ABD" | || style="width:80%; background:#BC857A" | Track 3: Web Services Security
|-
| style="width:10%; background:#7B8ABD" | 11:10-11:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 11:30-12:30 || style="width:80%; background:#BC857A" align="left" | The Top 10 Web Services Security Issues, Gunnar Peterson, Principle, Arctec Group
|-
| style="width:10%; background:#7B8ABD" | 12:30-13:45 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || style="width:80%; background:#BC857A" align="left" | Centralized, Dynamic Web Services Security and Policy Management, Richard Salz, IBM
|-
| style="width:10%; background:#7B8ABD" | 14:30-15:10 || style="width:80%; background:#BC857A" align="left" | Covert CDATA Channels, XML Bombs, and Unexpected Attachments: Case Notes from a real-life XML Web Services Vulnerability Assessment, Mark O'Neill, CTO Vordel
|-
| style="width:10%; background:#7B8ABD" | 15:10-15:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 15:30-16:40 || style="width:80%; background:#BC857A" align="left" | Attacking XML Security, Brad Hill, Principal Security Consultant, iSEC Partners
|}

7th OWASP AppSec Conference - San Jose 2007/Agenda

2007-11-15T18:17:33Z

Ileliveinsandbox: /* Tech Expo - Nov 13th-14th */