OWASP - User contributions [en]

OWASP AppSec Research 2010 - Stockholm, Sweden

2010-06-23T12:43:48Z

Ivanr:

__NOTOC__

==== Welcome ====

== Invitation ==

Ladies and Gentlemen,

In June 21-24, 2010 let's all meet in beautiful Stockholm, Sweden. The OWASP chapters in [http://www.owasp.org/index.php/Sweden Sweden], [http://www.owasp.org/index.php/Norway Norway], and [http://www.owasp.org/index.php/Denmark Denmark] hereby invite you to OWASP AppSec Research 2010.

If you have any questions, please email the conference chair: john.wilander at owasp.org

[[Image:Stockholm old town small.jpg]]

=== Sponsors ===

Diamond sponsor: [[Image:AppSec Research 2010 Microsoft diamond sponsor.jpg]]

Gold sponsors: [[Image:Cybercom logo.png]] [[Image:Portwise logo.png]] [[Image:Fortify logo AppSec Research 2010.png]] [[Image:Omegapoint logo.png]]

Silver sponsors: [[Image:Mnemonic logo.png]] [[Image:AppSec Research 2010 sponsor Nixu logo.jpg]] 
[http://www.hps.se/ http://www.owasp.org/images/6/6f/Hps_logo.png] [[Image:AppSec Research 2010 sponsor F5 logo.jpg]] 
[[Image:AppSec Research 2010 sponsor Imperva logo.jpg]] [[Image:AppSec_Research_2010_sponsor_Promon_logo.jpg]]‎

Dinner Party sponsor: [http://www.google.com/EngineeringEMEA http://www.owasp.org/images/thumb/8/86/AppSec_Research_2010_Google_20k_sponsor.jpg/150px-AppSec_Research_2010_Google_20k_sponsor.jpg]

Lunch sponsors (1 taken, 1 open): [[Image:IIS logo.png]]

Coffee break sponsors (1 taken, 3 open): [[Image:MyNethouse logo.png]]

Media sponsors: [[Image:AppSec Research 2010 Help Net Security sponsor.jpg]]

Notepad sponsors: 
[[Image:TrustwaveLogo.jpg|Trustwave - Notepad sponsor]]

For full sponsoring program see the Sponsoring tab above.

=== "AppSec Research".equals("AppSec Europe") ===

This conference was formerly known as OWASP AppSec Europe. We have added 'Research' to highlight that we invite both industry and academia. All the regular AppSec Europe visitors and topics are welcome along with contributions from universities and research institutes.

This will be ''the'' European conference for anyone interested in or working with application security. Co-host is the [http://dsv.su.se/en/ Department of Computer and Systems Science] at Stockholm University, offering a great venue in the fabulous Aula Magna.

=== Countdown Challenges -- Free Tickets to Win! ===

There will be a challenge posted on the conference wiki page the 21st every month up until the event. The winner will get free entrance to the conference. What are you waiting for? Go to the Challenges tab and have fun!

=== Organizing Committee ===

• John Wilander, chapter leader Sweden (chair) • Mattias Bergling (vice chair) • Alan Davidson, Stockholm University/Royal Institute of Technology (co-host) • Ulf Munkedal, chapter leader Denmark • Kåre Presttun, chapter leader Norway • Stefan Pettersson (sponsoring coordinator) • Carl-Johan Bostorp (schedule and event coordinator) • Martin Holst Swende (coffee/lunch/dinner) • Michael Boman (conference guide/attendee pack) • Predrag Mitrovic, OWASP Sweden Board • Kate Hartmann, OWASP • Sebastien Deleersnyder, OWASP Board

'''Welcome to Stockholm this year!''' Regards, John Wilander

==== June 21-22 (Training) ====

== Schedule ==
10:30-10:50 Coffee break 
12:15-13:00 Lunch in the canteen 
15:00-15:20 Coffee break 

17:00 End of training for the day

18:00 Monday we'll just go somewhere to eat, Tuesday we have the official meet up at "Mosebacke". Check the "Social Events" tab above.

== Training Registration is closed ==

Application security training is given the first two days, '''June 21-22'''. The price was '''€990''' (~$1.350) for a two-day course. 65 people took the chance to learn from the best!

=== Course 1: Threat Modeling and Architecture Review (two days) ===

[[Image:AppSec Research 2010 Pravir Chandra.jpg]]

Pravir Chandra, Fortify Software

'''Abstract''': Threat Modeling and Architecture Review are the cornerstones of a preventative approach to Application Security. By combining these topics into single comprehensive course attendees can get a complete understanding of how to understand the threat an application faces and how the application will handle those potential threats. This enables the risk to be accurately assessed and appropriate changes or mitigating controls recommended. From the course outline:

1. Overview
* Scope and problem definition
* High‐level view of the overall process
* Core techniques
2. Threat assessment and modeling
* Overall threat modeling process
* Preparation and background information
* Capturing business and security goals
* Identify vulnerabilities and other risks
* Establish weighting and prioritization of risks
* Guard against risks with compensating controls
* EXERCISE - Threat model a real‐life problem
3. Architecture review techniques
* Authentication
* Authorization
* EXERCISE - Apply the techniques from Authentication and Authorization
* Input validation
* Output encoding
* EXERCISE - Apply the techniques from Input Validation and Output Encoding
* Error handling
* Audit logging
* EXERCISE - Apply the techniques from Error Handling and Audit Logging
* Encryption
* Configuration management
* EXERCISE - Apply the techniques from Encryption and Configuration Management
4. Specifying security requirements
* Writing positive security requirements
* Deriving security requirements from functional requirements
* Thinking broadly about requirements coverage
* Balancing security requirements with functionality

'''Trainer Bio''': Pravir Chandra is Director of Strategic Services at Fortify where he works with clients to build and optimize software security assurance programs. Pravir is widely recognized in the industry for his expertise in software security and code analysis, and also for his ability to apply technical knowledge strategically from a business perspective. His book, Network Security with OpenSSL is a popular reference on protecting software applications through cryptography and secure communications. His varied special project experience includes creating and leading the Open Software Assurance Maturity Model (OpenSAMM) project

=== Course 2: Introduction to Malware Analysis (two days) ===

[[Image:AppSec Research 2010 Jason Geffner.jpg]]

Jason Geffner, Next Generation Security Software (NGS), and Scott Lambert, Microsoft

'''Abstract''': Security researchers are facing a growing problem in the complexity of malicious executables. While dynamic black-box automation tools exist to discover what malware will do on a given execution, it is often important for an analyst to know the full capabilities of a given malware sample. What port does it listen on? What password does it expect for backdoor access? What files will it write to? What will it do tomorrow that it didn't do today? This class will focus on teaching attendees the steps required to understand the functionality of given malware samples. This is a hands-on course. Attendees will work on real-world malware through a series of lab exercises designed to build their expertise in understanding the analysis process.

Learning Objectives:

*An understanding of how to use reverse engineering tools
*An understanding of low-level code and data flow
*PE File format
*x86 Assembly language
*API functions often used by malware
*Anti-analysis tricks and how to defeat them
*Exploits and Shellcode
*A methodology for analyzing malware with and without the use of specialized tools

'''Trainer Bio''': Jason Geffner joined Next Generation Security Software Ltd. in June of 2007 as a Principal Security Consultant. Jason focuses on performing security reviews of source code and designs, reverse engineering software protection methods and DRM protection methods, deobfuscating and analyzing malware, penetration testing web applications and network infrastructures, and developing automated security analysis tools.

=== Course 3: Building Secure Ajax and Web 2.0 Applications (two days) ===

[[Image:AppSec Research 2010 Dave Wichers.jpg]]

Dave Wichers, Aspect Security

'''Abstract''': Rich Internet applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. This course addresses the special issues with this type of application development. Students will gain hands-on testing experience with freely available web application security test tools to find and diagnose such flaws and learn how to identify, fix, and avoid them in their own projects. In addition, Aspect’s engineers are leaders in the AppSec Community and will offer the students an amazing perspective.

'''Trainer Bio''': Dave Wichers is a member of the OWASP Board and a coauthor, along with Jeff Williams, of all previous versions of the OWASP Top Ten. Dave is also the Chief Operating Officer of Aspect Security, a company that specializes in application security services. Mr. Wichers brings over twenty years of experience in the information security field. Prior to cofounding Aspect, he ran the Application Security Services Group at a large data center company, Exodus Communications. His current work involves helping customers, from small e-commerce sites to Fortune 500 corporations and the U.S. Government, secure their applications by providing application security design, architecture, and SDLC support services: including code review, application penetration testing, security policy development, security consulting services, and developer training.

=== Course 4: Assessing and Exploiting Web Apps with Samurai-WTF (two days) ===

[[Image:AppSec Research 2010 Justin Searle.jpg]]

Justin Searle, InGuardians

'''Abstract''': This course will focus on using open source tools to perform web application assessments. The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-WTF). Day one will take students through the steps and open source tools used to assess applications for vulnerabilities. Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks. The latest tools and techniques will be use throughout the course, including several tools developed by the trainers themselves. From the course outline:

Samurai-WTF Project and Distribution (about, using ...) 
Web Application Assessment Methodology (pentest types, four step methodology ...) 
Step 1: Reconnaissance
* Overview of Web Application Recon
* Domain and IP Registration Databases (Labs: whois)
* Google Hacking (Labs: gooscan, gpscan)
* Social Networks (Labs: Reconnoiter)
* DNS Interrogation (Labs: host, dig, nslookup, fierce)
Step 2: Mapping
* Overview of Mapping
* Port Scanning and Fingerprinting (Labs: nmap, zenmap, Yokoso!)
* Web Service Scanning (Labs: Nikto)
* Spidering (Labs: wget, curl, Paros, WebScarab, BurpSuite)
* Discovering "Non-Discoverable" URLs (Labs: DirBuster)
Step 3: Discovery
* Using Built-in Tools (Labs: Page Info, Error Console, DOM Inspector, View Source)
* Poking and Prodding (Labs: Default User Agent, Cookie Editor, Tamper Data)
* Interception Proxies (Labs: Paros, WebScarab, BurpSuite)
* Semi-Automated Discovery (Labs: RatProxy)
* Automated Discovery (Labs: Grendel-Scan, w3af)
* Information Discovery (Labs: CeWL)
* Fuzzing (Labs: JBroFuzz, BurpIntruder)
* Finding XSS (Labs: TamperData, XSS-Me, BurpIntruder)
* Finding SQL Injection (Labs: SQL Inject-Me, SQL Injection, BurpIntruder)
* Decompiling Flash Objects (Labs: Flare)
Step 4: Exploitation
* Username Harvesting (Labs: python)
* Brute Forcing Passwords (Labs: python)
* Command Injection (Labs: w3af)
* Exploiting SQL Injection (Labs: SQLMap, SQLNinja, Laudanum)
* Exploiting XSS (Labs: Durzosploit)
* Browser Exploitation (Labs: BeEF, BrowserRider, Yokoso!)
* Advanced exploitation through tool integration (MSF + sqlninga/sqlmap/BeEF)

'''Trainer Bio''': Justin Searle, a Senior Security Analyst with InGuardians, specializes in web application, network, and embedded penetration testing. Justin has presented at top security conferences including DEFCON, ToorCon, ShmooCon, and SANS. Justin has an MBA in International Technology and is CISSP and SANS GIAC-certified in incident handling and hacker techniques (GCIH) and intrusion analysis (GCIA). Justin is one of the founders and lead developers of Samurai-WTF.

=== Course 5: Securing Web Services (two days) ===

[[Image:AppSec Research 2010 Jason Li.jpg]]

Jason Li, Aspect Security

'''Abstract''': Aspect Security offers this two day Securing Web Services course which focuses on the most important messages regarding the development of secure web services. This course helps developers understand the real risks associated with Security in Web Services and Service Oriented Architectures, what standard are available to help, and how to use the standards. The course includes a combination of lecture, demonstrations, and hands on testing designed to provide detailed guidance regarding the implementation of specific security principles and functions in web services.

From the course outline:

* Web Service and SOA Threat Model
* Data Formats: XML, JSON
* Protocols: SOAP, REST
* Overview of the Standards (WS-Security, SAML, XACML)
* Common Communications Vulnerabilities
* Using SSL for Simple Web Services
* XML Encryption
* XML Signature
* WS-Security
* How to Manage Web Service Identities
* Federated Identities
* Common Authentication Vulnerabilities
* WSDL Examples of Implementing WS-Security
* Common Access Control Vulnerabilities
* How to Validate Web Service Input (XML Schema, Business Logic Validation)
* Common XML Attacks (Recursion, References, Overflow, Transforms)
* State Management
* Using Interpreters Safely (SQL Injection, LDAP Injection, Command Injection, XPath Injection)
* Denial of Service and Availability

'''Trainer Bio''': Jason Li is a Senior Application Security Engineer for Aspect Security where he performs application security assessments and architecture reviews, as well as application security training, to a wide variety of financial and government customers. Jason is an active OWASP leader, contributing to several OWASP projects and serving on the OWASP Global Projects Committee. He holds a Post-Masters certificate in Computer Science and concentration in Information Security from Johns Hopkins University and a Masters degree in Computer Science from Cornell University.

==== June 23 ====

{| border="0" align="center" style="width: 80%;"
|-
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''Conference Day 1 - June 23, 2010'''
[[Image:OWASP AppSec Research 2010 Research R.gif]] = Research paper [[Image:OWASP AppSec Research 2010 Demo D.gif]] = Demo [[Image:OWASP AppSec Research 2010 Presentation P.gif]] = Presentation

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Track 1
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Track 2
| style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Track 3
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 08:00-08:50
| align="left" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Registration and Breakfast + Coffee
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 08:50-09:00
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Welcome to OWASP AppSec Research 2010 Conference (John Wilander & [http://www.owasp.org/index.php/About_OWASP OWASP Global Board Members])
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 09:00-10:00
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(252, 252, 150);" | [[#Keynote: Cross-Domain Theft and the Future of Browser Security]]
''Chris Evans, Information Security Engineer, and Ian Fette, Product Manager for Chrome Security, Google''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 10:10-10:45
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | [[Image:OWASP AppSec Research 2010 Research R.gif]] [[#BitFlip: Determine a Data's Signature Coverage from Within the Application]]
''Henrich Christopher Poehls, University of Passau'' 

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#CsFire: Browser-Enforced Mitigation Against CSRF]]
''Lieven Desmet and Philippe De Ryck, Katholieke Universiteit Leuven'' 

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Deconstructing ColdFusion]]
''Chris Eng, Veracode''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 10:45-11:10
| align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break - Expo - CTF kick-off, '''Coffee break sponsoring position open''' ($2,000)
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 11:10-11:45
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | [[Image:OWASP AppSec Research 2010 Research R.gif]] [[#Towards Building Secure Web Mashups]]
''M Decat, P De Ryck, L Desmet, F Piessens, W Joosen, Katholieke Universiteit Leuven''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#New Insights into Clickjacking]]
''Marco Balduzzi, Eurecom ''

 

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#How to Render SSL Useless]] ([[Media:Ivan_Ristic_-_Breaking_SSL_-_OWASP.pdf|PDF]])
''Ivan Ristic, Qualys ''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 11:55-12:30
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |
[[Image:OWASP AppSec Research 2010 Research R.gif]] [[#Busting Frame Busting]]

''Gustav Rydstedt, Stanford Web Security Research'' 

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Web Frameworks and How They Kill Traditional Security Scanning]]
''Christian Hang and Lars Andren, Armorize Technologies''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#The State of SSL in the World]]
''Michael Boman, Omegapoint ''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 12:30-13:45
| align="left" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Lunch - Expo - CTF, Lunch sponsor: [[Image:OWASP AppSec Research 2010 IIS logo for program.png]]
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 13:45-14:20
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | [[Image:OWASP AppSec Research 2010 Research R.gif]] [[#(New) Object Capabilities and Isolation of Untrusted Web Applications]]
''Sergio Maffeis, Imperial College, London''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Beyond the Same-Origin Policy]]
''Jasvir Nagra and Mike Samuel, Google ''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#SmashFileFuzzer - a New File Fuzzer Tool]]
''Komal Randive, Symantec''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 14:30-15:05
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | [[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#Security Toolbox for .NET Development and Testing]]
''Johan Lindfors and Dag König, Microsoft''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | [[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#Cross-Site Location Jacking (XSLJ) (not really)]]
''David Lindsay, Cigital Eduardo Vela Nava, sla.ckers.org''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#Owning Oracle: Sessions and Credentials]]
''Wendel G. Henrique and Steve Ocepek, Trustwave''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 15:05-15:30
| align="left" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break - Expo - CTF, '''Coffee break sponsoring position open''' ($2,000)
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 15:30-16:05
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | [[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#Value Objects a la Domain-Driven Security: A Design Mindset to Avoid SQL Injection and Cross-Site Scripting]]
''Dan Bergh Johnsson, Omegapoint''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Automated vs. Manual Security: You Can't Filter "The Stupid"]] 
''David Byrne and Charles Henderson, Trustwave''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[Image:OWASP AppSec Research 2010 Research R.gif]] [[#Session Fixation - the Forgotten Vulnerability?]]
''Michael Schrank and Bastian Braun, University of Passau Martin Johns, SAP Research''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 16:15-17:00
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Panel Discussion: To Be Announced
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 19:00-23:00
| align="center" colspan="1" style="background: none repeat scroll 0% 0% rgb(43, 58, 109);" | [[Image:OWASP_AppSec_Research_2010_Stockholm_City_Hall_exterior_small.jpg|Stockholm City Hall, photo by Yanan Li]]
| align="center" colspan="1" style="background: none repeat scroll 0% 0% rgb(43, 58, 109); color: white;" | '''Gala Dinner''' at [http://international.stockholm.se/Tourism-and-history/The-Famous-City-Hall/Pictures-of-the-City-Hall/ Stockholm City Hall] Sponsored by [[Image:OWASP AppSec Research 2010 Google logo for program.png]]
| align="center" colspan="1" style="background: none repeat scroll 0% 0% rgb(43, 58, 109);" | [[Image:OWASP_AppSec_Research_2010_Stockholm_City_Hall_Golden_Hall_small.jpg|The Golden Hall, photo by Yanan Li]]
|}
<center>
[[Image:AppSec Research 2010 Microsoft diamond sponsor.jpg|250px|Microsoft - Diamond Sponsor]] [[Image:AppSec Research 2010 Google 20k sponsor.jpg|150px|Google - Dinner Party and Expo Sponsor]] [[Image:Portwise logo.png|130px|PortWise - Gold and Badge Sponsor]] [[Image:Cybercom logo.png|100px|Cybercom - Gold Sponsor]] [[Image:Fortify logo AppSec Research 2010.png|120px|Fortify - Gold Sponsor]] [[Image:Omegapoint logo.png|110px|Omegapoint - Gold Sponsor]] [[Image:Mnemonic logo.png|100px|Mnemonic - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor Nixu logo.jpg|100px|NIXU - Silver Sponsor]] [[Image:Hps_logo.png|140px|High Performance Systems - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor F5 logo.jpg|70px|F5 - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor Imperva logo.jpg|100px|Imperva - Silver Sponsor]] [[Image:AppSec_Research_2010_sponsor_Promon_logo.jpg|100px|Promon - Silver Sponsor]] [[Image:IIS logo.png|100px|Stiftelsen för Internetinfrastruktur - Lunch Sponsor]] [[Image:MyNethouse logo.png|100px|MyNethouse - Coffee Break Sponsor]] [[Image:AppSec Research 2010 Help Net Security sponsor.jpg|100px|Help Net Security - Media Sponsor]] [[Image:TrustwaveLogo.jpg|100px|Trustwave - Notepad sponsor]]
</center>

== Keynote: Cross-Domain Theft and the Future of Browser Security ==

[[Image:Appsec research 2010 invited talk 1.jpg]]

'''Chris Evans''' Troublemaker, Information Security Engineer, and Tech Lead at Google inc. Also the sole author of vsftpd.

'''Ian Fette''' Product Manager for Chrome Security and Google's Anti-Malware initiative

'''Abstract''' The web browser, and associated machinery, is on the front line of attacks. We will first look at design-level problems with the traditional browser in terms of monolithic architecture and fundamental problems with the same-origin policy. We will then look at the types of solution that are starting to appear in browsers such as Google Chrome and Internet Explorer. We will look at other important browser-based defenses such as Safe Browsing. We will detail what a future browser might look like that has a much more secure design, but is still usable on the wide variety of web sites that people use daily.

== DAY 1, TRACK 1 ==

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] BitFlip: Determine a Data's Signature Coverage from Within the Application ===

''Henrich Christopher Poehls, University of Passau - ISL''

Despite applied cryptographic primitives applications are working on data that was not protected by them. We show by abstracting the message flow between the application and the underlying wire, that protection is applied to a different data model. Taking problems from real life, like XML wrapping attacks and digital signatures on XML, we show that establishing the right linkage between the security checked on lower levels and the application above is practically difficult. We propose a application controlled check, the BitFlip-test. By this simple test an application can test if the application's assumed protection of a data value was indeed provided by the digital signature applied to the message that contained the value.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] Towards Building Secure Web Mashups ===

''Maarten Decat, Philippe De Ryck, Lieven Desmet, Frank Piessens, and Wouter Joosen, Katholieke Universiteit Leuven''

Web mashups combine components from multiple sources into a single, interactive application. This kind of setup typically requires both interaction between the components to achieve the necessary functionality, as well as component separation to achieve a secure execution. Unfortunately, the traditional web is not designed to easily fulfill both requirements, which can be seen in the restrictions imposed by traditional development techniques. This paper gives an overview of these traditional techniques and investigates new developments, specifically aimed at combining components in a secure manner. In addition, topics for further improvement are identified to ensure a wide adaptation of secure mashups.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] Busting Frame Busting ===

''Gustav Rydstedt, Stanford Web Security Research'' 
Joint work with Elie Bursztein, Dan Boneh, and Collin Jackson.

Web framing attacks such as clickjacking use iframes to hijack a user's web session. The most common defense, called frame busting, prevents a site from functioning when loaded inside a frame. We study frame busting practices for the Alexa Top-500 sites and show that all can be circumvented in one way or another. Some circumventions are browser-specific while others work across browsers. We conclude with recommendations for proper frame busting.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] (New) Object Capabilities and Isolation of Untrusted Web Applications ===

''Sergio Maffeis, Imperial College, London''

The object-capability model provides an appealing approach for isolating untrusted content in mashups: if untrusted applications are provided disjoint capabilities they still can interact with the user or the hosting page, but they cannot directly interfere with each other. We develop language-based foundations for isolation proofs based on object-capability concepts, and we show the applicability of our framework for a specific class of mashups. As an application, we prove that a JavaScript subset based on Google Caja is capability safe.

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] Security Toolbox for .NET Development and Testing ===

''Johan Lindfors and Dag König, Microsoft''

Being a developer on the Microsoft platform leveraging .NET doesn’t only involve keeping up with the continuous development of the underlying framework and technologies. It also means to be on top of the latest security threats and naturally the available mitigations and best practices to protect the customers and users of the applications and solutions being developed.

In this session we will demonstrate how you as a .NET developer can leverage existing tools and technologies to build safer applications. During the demonstrations you will get more familiar with the existing tools within Visual Studio but also be introduced and educated in more tools that will help you build a toolbox for secure development and security testing.

But one must also remember that tools will never replace knowledge and hence we will also show you how you can regularly get updated with the latest information from Microsoft on security including how to leverage SDL – Security Development Lifecycle, within your own projects.

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] Value Objects a la Domain-Driven Security: A Design Mindset to Avoid SQL Injection and Cross-Site Scripting ===

''Dan Bergh Johnsson, Omegapoint''

SQL Injection and Cross-Site Scripting have been topping the OWASP Top Ten for the last years. It must be a top priority for the community to evolve designs and mindsets that help the programmers to avoid these traps in their day-to-day work, where they have so much else but security that calls for their attention. The ambition of this presentation is to show design and coding practices that are well established in other fields of software development and put them to use to avoid just-mentioned traps. We also show some small refactorings that can be immediately applied to an existing codebase to make significant improvements to its security. Attendants of the session should be able to go back to work Monday morning and finish an improvement in this style before Monday lunch.

We take inspiration from Domain Driven Design (DDD), which is characterized by its focus on what the software intend to represent. In particular, we make heavy use of the Value Object design pattern, where strict typing help us enforce that the incoming data is truthful to the restrictions of the domain. We start out with Injection Flaws and use the canonical username SQL Injection attack (“’OR 1=1 --“) as an example. Realizing that mentioned string was not intended as a valid username we elaborate the model to reflect this. Further more we make this change explicit in the code by introducing the new type and class Username. This also gives a natural place to put validation code, which otherwise often is placed in utility classes where it is easily forgotten and seldom called. In fact, we can even design service methods to require a validated Username, thus using the strong typing to enforce validation in the calling client system tier.

Making this re-design with associated code changes is performed as a demo, and en route we discuss other design options and their relative merits and drawbacks. Again using DDD we proceed to analyse XSS. In the same way we see that XSS is in the general case not an indata validation problem. An extended analysis proposes that it can be phrased as an output-encoding problem. Using a similar technique we model the target domain of web content as the new type HTMLString, and can thereby enforce conversion from ordinary strings to strings with the proper encoding. If you have multiple content channels, then each channel will.

All steps needed are shown in code, starting with a vulnerable application and through controlled refactoring steps ending up with a version without the vulnerability. In summary, we will take an established quality practice from another field of software development and use it to get security improvements. The main benefits are two: firstly, the method gently guides and reminds the programmers to include validation and encoding in an unobtrusive way. Secondly, the work can be performed in very small steps, where the first can be finished before lunch Monday after the conference.

== DAY 1, TRACK 2 ==

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] CsFire: Browser-Enforced Mitigation Against CSRF ===

''Lieven Desmet and Philippe De Ryck, Katholieke Universiteit Leuven''

Cross-Site Request Forgery (CSRF) is a web application attack vector that can be leveraged by an attacker to force an unwitting user's browser to perform actions on a third party website, possibly reusing all cached authentication credentials of that user.

Currently, a whole range of techniques exist to mitigate CSRF, either by protecting the server application or by protecting the end-user. Unfortunately, the server-side protection mechanisms are not yet widely adopted, and the client-side solutions provide only limited protection or cannot deal with complex web 2.0 applications, which use techniques such as AJAX, mashups or single sign-on (SSO).

In this talk, we will presents three interesting results of our research: (1) an extensive, real‐world traffic analysis to gain more insights in cross‐domain web interactions, (2) requirements for client‐side mitigation against CSRF and an analysis of existing browser extensions and (3) CsFire, our newly developed FireFox extension to mitigate CSRF.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Automated vs. Manual Security: You Can't Filter "The Stupid" ===

''David Byrne and Charles Henderson, Trustwave''

Everyone wants to stretch their security budget, and automated application security tools are an appealing choice for doing so. However, manual security testing isn’t going anywhere until the HAL application scanner comes online. This presentation will use often humorous, real-world examples to illustrate the relative strengths and weaknesses of automated solutions and manual techniques.

Automated tools certainly have some strengths (namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks). In addition to preventing some attacks, WAFs also have advantages for some compliance frameworks. However, automated solutions are far from perfect. To begin with, there are entire classes of very important vulnerabilities that are theoretically impossible for automated software to detect (at least until HAL comes online). Examples include complex information leakage, race conditions, logic flaws, design flaws, subjective vulnerabilities such as CSRF, and multistage process attacks.

Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool. Automated tools are designed to cover common application designs and platforms. Applications using an unusual layout or components will not be thoroughly protected by automated tools. Realistically, only the most vanilla of web applications written on common, simple platforms will receive solid code coverage from an automated tool.

On the other hand, manual testing is far more versatile. An experienced penetration tester can identify complicated vulnerabilities in the same way that an attacker does. Specific, real-world examples of vulnerabilities only recognizable by humans will be provided. The diversity of vulnerabilities shown will clearly demonstrate that all applications have the potential for significant vulnerabilities not detectable by automated tools.

Manual source code reviews present even more benefits by identifying vulnerabilities that require access to source code. Examples include “hidden” or unused application components, SQL injection with no evidence in the response, exotic injection attacks (e.g. mainframe session attacks), vulnerabilities in back-end systems, and intentional backdoors. Many organizations assume that this type of vulnerability is not a large threat, but source code can be obtained by disgruntled developers, by internal attackers when the repository isn’t properly secured, by exploiting platform bugs or path directory traversal attacks, and by external attackers using a Trojan horse or similar technique.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Web Frameworks and How They Kill Traditional Security Scanning ===

''Christian Hang and Lars Andren, Armorize Technologies''

Modern web application frameworks present a challenge to static analysis technologies due to how they influence application behavior in ways not obvious from the source code. This prevents efficient security scanning and can cause up to 80% of total potential issues to remain undetected due to the incorrect framework handling. After explaining the underlying problems, we demonstrate in a real world walk through using code analysis to scan actual application code. By extending static analysis with new framework specific components, even applications using complex frameworks like Struts and Smarty can be inspected automatically and code coverage of security analysis can be greatly enhanced.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Beyond the Same-Origin Policy ===

''Jasvir Nagra and Mike Samuel, Google Inc''

The same-origin policy has governed interaction between client-side code and user data since Netscape 2.0, but new development techniques are rendering it obsolete. Traditionally, a website consisted of server-side code written by trusted, in-house developers ; and a minimum of client-side code written by the same in-house devs. The same-origin policy worked because it didn't matter whether code ran server-side or client-side ; the user was interacting with code produced by the same organization. But today, complex applications are being written almost entirely in client-side code requiring developers to specialize and share code across organizational boundaries.

This talk will explain how the same-origin policy is breaking down, give examples of attacks, discuss the properties that any alternative must have, introduce a number of alternative models being examined by the Secure EcmaScript committee and other standards bodies, demonstrate how they do or don't thwart these attacks, and discuss how secure interactive documents could open up new markets for web developers. We assume a basic familiarity with web application protocols : HTTP, HTML, JavaScript, CSS ; and common classes of attacks : XSS, XSRF, Phishing.

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] Cross-Site Location Jacking (XSLJ) (not really) ===

''David Lindsay, Cigital Inc, and Eduardo Vela Nava sla.ckers.org''

Redirects are commonly used on many websites and are an integral part of many web frameworks. However, subtle and not so subtle issues can lead to security holes and privacy issues. In this presentation, we will discuss several high and low level issues related to redirects and demonstrate how the issues can be exploited.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] New Insights into Clickjacking ===

''Marco Balduzzi, Eurecom''

Over the past year, clickjacking received extensive media coverage. News portals and security forums have been overloaded by posts claiming clickjacking to be the upcoming security threat. In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that are advantageous for the attacker, such as propagating a web worm, stealing confidential information or abusing of the user session. In this talk, we formally define the problem and introduce our novel solution for automated detection of clickjacking attacks. We present the details of the system architecture and its implementation, and we evaluate the results we obtained from the analysis of over a million unique Internet pages. We conclude by discussing the clickjacking phenomenon and its future implications.

== DAY 1, TRACK 3 ==

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Deconstructing ColdFusion ===

''Chris Eng, Veracode''

This presentation is a technical survey of ColdFusion security, which will be of interest mostly to code auditors and penetration testers. We’ll cover the basics of ColdFusion markup, control flow, functions, and components and demonstrate how to identify common web application vulnerabilities at the source code level. We’ll also delve into ColdFusion J2EE internals, describing some of the unexpected properties we’ve observed while decompiling ColdFusion applications for static analysis.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] How to Render SSL Useless ===

''Ivan Ristic, Feisty Duck''

SSL is the technology that secures the Internet, but it is effective only when deployed properly. While the SSL protocol itself is very robust and easy to use, the same cannot be said for the usability of the complete ecosystem, which includes server configuration, certificates and application implementation details. In fact, SSL deployment is generally plagued with traps at every step of the way. As a result, too many web sites use insecure deployment practices that render SSL completely useless. In this talk I will present a list of top ten (or thereabout) deployment mistakes, based on my work on the SSL Labs assessment platform (https://www.ssllabs.com).

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] The State of SSL in the World ===

''Michael Boman, Omegapoint''

What is the status of SSL deployments in Fortune 500 companies and the top 10'000 websites (according to Alexa)? While developing a tool that was needed to perform the test-case OWASP-CM-001 (Testing for SSL-TLS) it was noticed that some sites had very good SSL-configuration, sometimes unexpectedly, and some sites has very poor security configuration, even when you could expect the site to have good security standard. Does the organization behind the site has any bearing on how good the security standard the site has in regards to HTTPS-support and configuration? The talk will highlight the findings and the tools and process of obtaining the underlying data, while also trying to answer the questions: - How many of the Fortune 500 and Top 10'000 websites offer an HTTPS-enabled browser experience to their visitors? - How is the HTTPS-server configured in regards to SSL-protocols offered, key exchange and key lengths (bit-size)? - Are there any correlation between company size, industry or popularity and the HTTPS-enabled browsing experience and the HTTPS-configuration?

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] SmashFileFuzzer - a New File Fuzzer Tool ===

''Komal Randive, Symantec''

Here is a tool SmashFileFuzzer designed and developed to address the same problem with ease. SmashFileFuzzer understands the file formats and then user can specify the fields in the file to be fuzzed. SmashFileFuzzer acts on a sample file of the required format and generates multiple fuzzed file copies from this sample file. SmashFileFuzzer also has the support to add more custom file formats to be able to fuzz them, especially .dat formats. In comparison with the existing file fuzzers and frameworks this fuzzer has simple language for adding new formats, many more modes of fuzzing and attack oriented fuzzing. Following are the highlights of this fuzzer

*Support to understand the file formats and fuzz specific fields with specified/random data
*Understands the correlation between different fields and manipulates them in accordance with the fuzzed content.
*Can generate valid fuzzed files even based on the partial format understanding. Only the portions of file format which are understood by the user can be used to generate valid fuzzed files.
*Understands the custom formats for file types and also for the configuration files(e.g key value pair format or .dat formats)
*Tool is designed to be easily extended for any new file formats
*Fuzz strings are read from a dictionary file. Users can add application specific input string to this dictionary for testing.
*It’s a unix shell based tool which can be easily scripted.

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] Owning Oracle: Sessions and Credentials ===

''Wendel G. Henrique and Steve Ocepek, Trustwave''

In a world of free, ever-present encryption libraries, many penetration testers still find a lot of great stuff on the wire. Database traffic is a common favorite, and with good reason: when the data includes PAN, Track, and CVV, it makes you stop and wonder why this stuff isn’t encrypted across the board. However, despite this weakness, we still need someone to issue queries before we see the data. Or maybe not… after all, it’s just plaintext.

Wendel G. Henrique and Steve Ocepek of Trustwave’s SpiderLabs division offer a closer look at the world’s most popular relational database: Oracle. Through a combination of downgrade attacks and session take-over exploits, this talk introduces a unique approach to database account hijacking. Using a new tool, thicknet, the team will demonstrate how deadly injection and downgrade attacks can be to database security.

The Oracle TNS/Net8 protocol was studied extensively during presentation for this talk. Very little public knowledge of this protocol exists today, and much of the data gained is, as far as we know, new to Oracle outsiders.

Also, during the presentation we will be offering to attendants:

*Knowledge about man-in-the-middle and downgrade attacks, especially the area of data injection.
*A better understanding of the network protocol used by Oracle.
*The ability to audit databases against this type of attack vector.
*Ideas for how to prevent this type of attack, and an understanding of the value of encryption and digital signature technologies.
*Understanding of methodologies used to reverse-engineer undocumented protocols.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] Session Fixation - the Forgotten Vulnerability? ===

''Michael Schrank and Bastian Braun, University of Passau, and Martin Johns, SAP Research''

The term 'Session Fixation vulnerability' subsumes issues in Web applications that under certain circumstances enable the adversary to perform a session hijacking attack through ontrolling the victim's session identier value. We explore this vulnerability pattern. First, we give an analysis of the root causes and document existing attack vectors. Then we take steps to assess the current attack surface of Session Fixation. Finally, we present a transparent server-side method for mitigating vulnerabilities.

==== June 24 ====

{| style="width:80%" border="0" align="center"
|-
| colspan="4" align="center" style="background:#4058A0; color:white" | '''Conference Day 2 - June 24, 2010'''
[[Image:OWASP AppSec Research 2010 Research R.gif]] = Research paper [[Image:OWASP AppSec Research 2010 Demo D.gif]] = Demo [[Image:OWASP AppSec Research 2010 Presentation P.gif]] = Presentation

|-
| style="width:10%; background:#7B8ABD" |
| style="width:30%; background:#BC857A" | Track 1
| style="width:30%; background:#BCA57A" | Track 2
| style="width:30%; background:#99FF99" | Track 3
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 08:00-08:50
| align="left" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Breakfast + Coffee
|-
| style="width:10%; background:#7B8ABD" | 09:00-10:00
| colspan="3" style="width:80%; background:rgb(252, 252, 150)" align="center" | [[#Keynote: The Security Development Lifecycle - The Creation and Evolution of a Security Development Process]] ''Steve Lipner, Senior Director of Security Engineering Strategy, Microsoft Corporation''
|-
| style="width:10%; background:#7B8ABD" | 10:10-10:45
| style="width:30%; background:#BC857A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#The Anatomy of Real-World Software Security Programs]]

''Pravir Chandra, Fortify''

| style="width:30%; background:#BCA57A" align="left" |
[[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#Promon TestSuite: Client-Based Penetration Testing Tool]]

''Folker den Braber and Tom Lysemose Hansen, Promon''

| style="width:30%; background:#99FF99" align="left" |
[[Image:OWASP AppSec Research 2010 Research R.gif]] [[#A Taint Mode for Python via a Library]]

''Juan José Conti, Universidad Tecnológica Nacional Alejandro Russo, Chalmers Univ. of Technology''

|-
| style="width:10%; background:#7B8ABD" | 10:45-11:10
| colspan="3" style="width:90%; background:#C2C2C2" align="left" | Break - Expo - CTF, Coffee sponsor: [[Image:OWASP AppSec Research 2010 MyNethouse logo for program.png]]
|-
| style="width:10%; background:#7B8ABD" | 11:10-11:45
| style="width:30%; background:#BC857A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Microsoft's Security Development Lifecycle for Agile Development]]

''Nick Coblentz, OWASP Kansas City Chapter and AT&T Consulting''

| style="width:30%; background:#BCA57A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Detecting and Protecting Your Users from 100% of all Malware - How?]]

''Bradley Anstis and Vadim Pogulievsky, M86 Security''

| style="width:30%; background:#99FF99" align="left" |
[[Image:OWASP AppSec Research 2010 Research R.gif]] [[#OPA: Language Support for a Sane, Safe and Secure Web]]

''David Rajchenbach-Teller and François-Régis Sinot, MLstate''

|-
| style="width:10%; background:#7B8ABD" | 11:55-12:30
| style="width:30%; background:#BC857A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Secure Application Development for the Enterprise: Practical, Real-World Tips]]

''Michael Craigue, Dell''

| style="width:30%; background:#BCA57A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Responsibility for the Harm and Risk of Software Security Flaws]]

''Cassio Goldschmidt, Symantec''

| style="width:30%; background:#99FF99" align="left" |
[[Image:OWASP AppSec Research 2010 Research R.gif]] [[#Secure the Clones: Static Enforcement of Policies for Secure Object Copying]]

''Thomas Jensen and David Pichardie, INRIA Rennes - Bretagne Atlantique''

|-
| style="width:10%; background:#7B8ABD" | 12:30-13:45
| colspan="3" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF, '''Lunch break sponsoring position open''' ($4,000)
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:20
| style="width:30%; background:#BC857A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Product Security Management in Agile Product Management]]

''Antti Vähä-Sipilä, Nokia''

| style="width:30%; background:#BCA57A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Hacking by Numbers]]

''Tom Brennan, WhiteHat Security and OWASP Foundation ''

| style="width:30%; background:#99FF99" align="left" |
[[Image:OWASP AppSec Research 2010 Research R.gif]] [[#Safe Wrappers and Sane Policies for Self Protecting JavaScript]]

''Jonas Magazinius, Phu H. Phung, and David Sands, Chalmers Univ. of Technology''

|-
| style="width:10%; background:#7B8ABD" | 14:30-15:05
| style="width:30%; background:#BC857A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#OWASP_Top_10_2010]]

''Dave Wichers, Aspect Security and OWASP Foundation ''

| style="width:30%; background:#BCA57A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Application Security Scoreboard in the Sky]]

''Chris Eng, Veracode''

| style="width:30%; background:#99FF99" align="left" |
[[Image:OWASP AppSec Research 2010 Research R.gif]] [[#On the Privacy of File Sharing Services]]

''N Nikiforakis, F Gadaleta, Y Younan, and W Joosen, Katholieke Universiteit Leuven''

|-
| style="width:10%; background:#7B8ABD" | 15:05-15:30
| colspan="3" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF, '''Coffee break sponsoring position open''' ($2,000)
|-
| style="width:10%; background:#7B8ABD" | 15:30-16:00
| colspan="3" style="width:90%; background:#F2F2F2" align="center" | CTF Price Ceremony, Announcement of OWASP AppSec EU 2011, Closing Notes
|}
<center>
[[Image:AppSec Research 2010 Microsoft diamond sponsor.jpg|250px|Microsoft - Diamond Sponsor]] [[Image:AppSec Research 2010 Google 20k sponsor.jpg|150px|Google - Dinner Party and Expo Sponsor]] [[Image:Portwise logo.png|130px|PortWise - Gold and Badge Sponsor]] [[Image:Cybercom logo.png|100px|Cybercom - Gold Sponsor]] [[Image:Fortify logo AppSec Research 2010.png|120px|Fortify - Gold Sponsor]] [[Image:Omegapoint logo.png|110px|Omegapoint - Gold Sponsor]] [[Image:Mnemonic logo.png|100px|Mnemonic - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor Nixu logo.jpg|100px|NIXU - Silver Sponsor]] [[Image:Hps_logo.png|140px|High Performance Systems - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor F5 logo.jpg|70px|F5 - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor Imperva logo.jpg|100px|Imperva - Silver Sponsor]] [[Image:AppSec_Research_2010_sponsor_Promon_logo.jpg|100px|Promon - Silver Sponsor]] [[Image:IIS logo.png|100px|Stiftelsen för Internetinfrastruktur - Lunch Sponsor]] [[Image:MyNethouse logo.png|100px|MyNethouse - Coffee Break Sponsor]] [[Image:AppSec Research 2010 Help Net Security sponsor.jpg|100px|Help Net Security - Media Sponsor]] [[Image:TrustwaveLogo.jpg|100px|Trustwave - Notepad sponsor]]
</center>
== Keynote: The Security Development Lifecycle - The Creation and Evolution of a Security Development Process ==

[[Image:Appsec research 2010 invited talk 2.jpg]]

'''Steve Lipner''' Senior Director of Security Engineering Strategy, Trustworthy Computing Security, Microsoft Corporation. Co-author of "The Security Development Lifecycle", Microsoft Press (book cover above).

'''Abstract''' This keynote will review the evolution of the Security Development Lifecycle (SDL) from its origins in the Microsoft “security pushes” of 2002-3 through its current status and application in 2010. It will emphasize the aspects of change and change management as the SDL and its user community have matured and grown and will conclude with a summary of some recent changes and additions to the SDL. Specific topics to be addressed include:

*Motivations for introducing both the SDL and its predecessor processes.
*Considerations in selling the process to management and sustaining a mandate over a prolonged period.
*Scaling the SDL to an organization with tens of thousands of engineers.
*Managing change.
*The role of automation in the SDL.
*Adaptation of the SDL to agile development processes.
*Thoughts for organizations that are considering implementing the SDL.

The presentation will cover technical aspects of the SDL including a brief review of requirements and tools, and results.

'''Speaker Bio''' Steven B. Lipner is senior director of Security Engineering Strategy at Microsoft Corp where he is responsible for programs that provide improved product security for Microsoft customers. Lipner leads Microsoft’s Security Development Lifecycle (SDL) team and is responsible for the definition of Microsoft’s SDL and for programs to make the SDL available to organizations beyond Microsoft. Lipner is also responsible for Microsoft’s corporate strategies related to government security evaluation of Microsoft products.

Lipner is coauthor with Michael Howard of The Security Development Lifecycle (Microsoft Press, 2006) and is named as inventor on twelve U.S. patents and two pending applications in the field of computer and network security. He has authored numerous professional papers and conference presentations, and served on several National Research Council committees. He served two terms – a total of more than ten years – on the United States Information Security and Privacy Advisory Board and its predecessor. Lipner holds S.B. and S.M. degrees in Civil Engineering from the Massachusetts Institute of Technology and attended the Harvard Business School’s Program for Management Development.

== DAY 2, TRACK 1 ==

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] The Anatomy of Real-World Software Security Programs ===

''Pravir Chandra, Fortify''

Effectively reducing risk from software vulnerabilities remains a challenge for most organizations despite the existence of several secure SDLC models. From conducting technical assessments to earning management buy-in, there may not seem to be a lot of easy answers along the way, but experiences from the field shows that there is indeed hope. We've learned that the hard questions of "what", "when", and "how much" simply require the answers to be customized to each organization. Whether you’re a developer or a CISO, this talk will leave you with actionable advice that you can use to help take your software security assurance program to the next level.

To help organizations formulate their own solutions, we'll discuss several real-world examples of programs in action. From there, we’ll talk about lessons learned and introduce the ''Open Software Assurance Maturity Model'' (OpenSAMM), a flexible framework for building a balanced software security assurance program (OpenSAMM is an open and free OWASP project and more information is available at http://www.opensamm.org). Using the framework, attendees will learn how to self-assess their security activities and use available resources to drive improvement in small and measurable iterations. With time remaining, we’ll also discuss the latest work on the OpenSAMM project and how it relates to other modern approaches to building out assurance programs.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Microsoft's Security Development Lifecycle for Agile Development ===

''Nick Coblentz, OWASP Kansas City Chapter and AT&T Consulting''

Many development and security teams believe Agile development cannot be accomplished securely. During this presentation, Nick Coblentz will discuss the recent guidance from Microsoft that enables development teams to include secure development activities within their Agile processes without compromising features or functionality. Nick will also demonstrate ASP.NET libraries, strategies, and automated tools to reduce the effort required by developers.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Secure Application Development for the Enterprise: Practical, Real-World Tips ===

''Michael Craigue, Dell''

Dell has a reputation for IT simplification and a lean cost structure. We take the same approach with our application security program. This talk covers money-saving tips in the creation and evolution of Dell's Security Development Lifecycle, including risk assessments, security reviews, threat modeling, source code scans, awareness/training, application security user groups, security consulting staff development, and assurance scans/penetration testing. We’ll discuss how we have adapted our program to our IT, Product Group, and Services organizations.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Product Security Management in Agile Product Management ===

''Antti Vähä-Sipilä, Nokia''

This paper provides a model for product security risk management and security requirements elicitation in an agile product management framework, using the concepts of Scrum and an epics-based agile requirements model. The paper documents some real-life experiences of rolling out such a risk management model. The model addresses security threat analysis and risk acceptance, and is agnostic to the actual security engineering practices employed in the Scrum teams, and is scalable over large and small enterprises.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] OWASP Top 10 2010 ===

''Dave Wichers, Aspect Security and OWASP Foundation''

This presentation will cover the OWASP Top 10 - 2010 (final version). The OWASP Top 10 was originally released in 2003 to raise awareness of the importance of application security. As the field evolves, the Top 10 needs to be periodically updated to keep with up with the times. The Top 10 was updated in 2004 and the last update was in 2007, where it introduced Cross Site Request Forgery (CSRF) as the big new emerging web application security risk.

This update will be based on more sources of web application vulnerability information than the previous versions were when determining the new Top 10. It will also present this information in a more concise, compelling, and consumable manner, and include strong references to the many new openly available resources that can help address each issue, particularly OWASP's new Enterprise Security API (ESAPI) and Application Security Verification Standard (ASVS) projects.

A significant change for this update will be that the OWASP Top 10 will be focused on the Top 10 Risks to Web Applications, not just the most common vulnerabilities.

== DAY 2, TRACK 2 ==

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] Promon TestSuite: Client-Based Penetration Testing Tool ===

''Folker den Braber and Tom Lysemose Hansen, Promon''

Vulnerability analysis has a wide scope containing both social and technical aspects. An important part of technical vulnerability analysis consists of penetration testing. In most cases, penetration testing is focused on either server side or network layer vulnerabilities. In this demonstration we will have a closer look at vulnerability analysis on the client side, while demonstrating the use of the Promon Testuite testing tool.

Promon TestSuite is designed to use the same vectors as common malware but in a clear and visual way, with varying payloads to illustrate the security issues involved with giving injected code free access to a programs memory.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Detecting and Protecting Your Users from 100% of all Malware - How? ===

''Bradley Anstis and Vadim Pogulievsky, M86 Security''

100% Malware detection is the goal but is it really achievable? This session looks at the traditional Malware detection technologies and how well they perform today and then compares this to some newer approaches with demonstrations of Real-time code analysis and Behavioral Analysis technologies to see what is better or worse.

100% detection rates are the goal, but how close can we get with a single technology, or what combination of technologies can we use to get as close as possible?

This session is all about challenging the existing accepted practices for Malware protection. We want to open the minds of the attendees, encourage them to question existing solutions and the incumbent market leading vendors. We want you to also re-evaluate their environment to see if improvements can be made.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Responsibility for the Harm and Risk of Software Security Flaws ===

''Cassio Goldschmidt, Symantec Corp''

Who is responsible for the harm and risk of security flaws? The advent of worldwide networks such as the internet made software security (or the lack of software security) become a problem of international proportions. There are no mathematical/statistical risk models available today to assess networked systems with interdependent failures. Without this tool, decision-makers are bound to overinvest in activities that don’t generate the desired return on investment or under invest on mitigations, risking dreadful consequences. Experience suggests that no party is solely responsible for the harm and risk of software security flaws but a model of partial responsibility can only emerge once the duties and motivations of all parties are examine and understood.

State of the art practices in software development won’t guarantee products free of flaws. The infinite principles of mathematics are not properly implemented in modern computer hardware without having to truncate numbers and calculations. Many of the most common operating systems, network protocols and programming languages used today were first conceived without the basic principles of security in mind. Compromises are made to maintain compatibility of newer versions of these systems with previous versions. Evolving software inherits all flaws and risks that are present in this layered and interdependent solution. Lastly, there are no formal ways to prove software correctness using neither mathematics nor definitive authority to assert the absence of vulnerabilities. The slightest coding error can lead to a fatal flaw. Without a doubt, vulnerabilities in software applications will continue to be part of our daily lives for years to come.

Decisions made by adopters such as whether to install a patch, upgrade a system or employed insecure configurations create externalities that have implications on the security of other systems. Proper cyber hygiene and education are vital to stop the proliferation of computer worms, viruses and botnets. Furthermore, end users, corporations and large governments directly influence software vendors’ decisions to invest on security by voting with their money every time software is purchased or pirated.

Security researchers largely influence the overall state of software security depending on the approach taken to disclose findings. While many believe full disclosure practices helped the software industry to advance security in the past, several of the most devastating computer worms were created by borrowing from information detailed by researcher’s full disclosure. Both incentives and penalties were created for security researchers: a number of stories of vendors suing security researchers are available in the press. Some countries enacted laws banning the use and development of “hacking tools”. At the same time, companies such as iDefense promoted the creation of a market for security vulnerabilities providing rewards that are larger than a year’s worth of salary for a software practitioner in countries such as China and India.

Effective policy and standards can serve as leverage to fix the problem either by providing incentives or penalties. Attempts such PCI created a perverse incentive that diverted decision makers’ goals to compliance instead of security. Stiff mandates and ineffective laws have been observed internationally. Given the fast pace of the industry, laws to combat software vulnerabilities may become obsolete before they are enacted. Alternatively, the government can use its own buying power to encourage adoption of good security standards. One example of this is the Federal Desktop Core Configuration (FDCC).

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Hacking by Numbers ===

''Tom Brennan, WhiteHat Security and OWASP Foundation''

There is a difference between what is possible and what is probable, something we often lose sight of in the world of information security. For example, a vulnerability represents a possible way for an attacker to exploit an asset, but remember not all vulnerabilities are created equal. Obviously we must also keep in mind that just because a vulnerability exists does not necessarily mean it will be exploited, or indicate by whom or to what extent. Clearly, many vulnerabilities are very serious leaving the door open to compromise of sensitive information, financial loss, brand damage, violation of industry regulations, and downtime. Some vulnerabilities are more difficult to exploit than others and therefore attract different attackers. Autonomous worms & viruses may attack one type of issue, while a sentient targeted attacker may prefer another path. Better understanding of these factors enables us to make informed business decisions about website risk management and what is probable.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Application Security Scoreboard in the Sky ===

''Chris Eng, Veracode''

This presentation will discuss vulnerability metrics gathered from real-world applications. The statistics are derived from continuously updated data collected by Veracode’s cloud-based code analysis service. The anonymized data represents a total of nearly 1,600 applications submitted for analysis by large and small companies, commercial software providers, open source projects, and software outsourcers between February 2007 and January 2010. This is the first vulnerability analytics study of this magnitude that incorporates data from both static analysis and dynamic analysis.

We will compare the relative security of applications by industry and origin, and we will examine detailed vulnerability distribution data in the context of taxonomies such as the OWASP Top Ten and the CWE/SANS Top 25 Programming Errors.

== DAY 2, TRACK 3 ==

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] A Taint Mode for Python via a Library ===

''Juan José Conti, Universidad Tecnológica Nacional, and Alejandro Russo, Chalmers University of Technology''

Vulnerabilities in web applications present threats to on-line systems. SQL injection and cross-site scripting attacks are among the most common threats found nowadays. These attacks are often result of improper or none input validation. To help discover such vulnerabilities, taint analyses have been developed in popular web scripting languages like Perl, Ruby, PHP, and Python. Such analysis are often implemented as an execution monitor, where the interpreter needs to be adapted to provide a taint mode. However, modifying interpreters might be a major task in its own right. In fact, it is very probably that new releases of interpreters require to be adapted to provide a taint mode. Differently from previous approaches, we show how to provide a taint analysis for Python via a library written entirely in Python, and thus avoiding modifications in the interpreter. The concepts of classes, decorators and dynamic dispatch makes our solution lightweight, easy to use, and particularly neat. With minimal or none effort, the library can be adapted to work with different Python interpreters.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] OPA: Language Support for a Sane, Safe and Secure Web ===

''David Rajchenbach-Teller and François-Régis Sinot, MLstate''

Web applications and services have critical needs in terms of safety, security and privacy: they need to remain available constantly and can at any time be the object of attacks by malicious and anonymous distant users attempting to take control, alter data or steal it, or cause unwanted behaviors. Unfortunately, recent history shows numerous cases of popular web applications falling victim to such attacks, despite careful attempts to secure them.

In this paper, we introduce OPA (One Pot Application), a new platform designed to make web development sane, safe and secure. OPA provides an integrated methodology where the complete application is written with one simple language with consistent semantics, enforces safe use of the infrastructure through compile-time static checking and a novel programming paradigm suited to the web and encourages correct-by-construction development.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] Secure the Clones: Static Enforcement of Policies for Secure Object Copying ===

''Thomas Jensen and David Pichardie, INRIA Rennes - Bretagne Atlantique''

Exchanging mutable data objects with untrusted code is a delicate matter because of the risk of creating a data space that is accessible by both a code and an attacker. Consequently, secure programming guidelines for Java stress the importance of using defensive copying before accepting or handing out references to an internal mutable object. However, implementation of a copy method (like clone()) is entirely left to the programmer. It may not provide a sufficiently deep copy of an object and is subject to overriding by a malicious sub-class. Currently no language-based mechanism supports secure object cloning.

This paper proposes a type-based annotation system for defining modular cloning policies for class-based object-oriented programs. It provides a static enforcement mechanism that will guarantee that all classes fulfill their copying policy, even in the presence of overriding of copy methods, and establishes the semantic correctness of the overall approach.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] Safe Wrappers and Sane Policies for Self Protecting JavaScript ===

''Jonas Magazinius, Phu H. Phung, and David Sands, Chalmers Univ. of Technology''

Phung et al (ASIACCS’09) describe a method for wrapping built-in methods of JavaScript programs in order to enforce security policies. The method is appealing because it requires neither deep transformation of the code nor browser modification. Unfortunately the implementation outlined suffers from a range of vulnerabilities, and policy construction is restrictive and error prone. In this paper we address these issues to provide a systematic way to avoid the identified vulnerabilities, and make it easier for the policy writer to construct declarative policies – i.e. policies upon which attacker code has no side effects.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] On the Privacy of File Sharing Services ===

''Nick Nikiforakis, Francesco Gadaleta, Yves Younan, and Wouter Joosen, Katholieke Universiteit Leuven''

File sharing services are used daily by tens of thousands of people as a way of sharing files. Almost all such services, use a security-through-obscurity method of hiding the files of one user from others. For each uploaded file, the user is given a secret URL which supposedly cannot be guessed. The user can then share his uploaded file by sharing this URL with other users of his choice. Unfortunately though, a number of file sharing services are incorrectly implemented allowing an attacker to guess valid URLs of millions of files and thus allowing him to enumerate their file database and access all of the uploaded files. In this paper, we study some of these services and we record their incorrect implementations. We design automatic enumerators for two such services and a privacy-classifying module which characterises an uploaded file as private or public. Using this technique we gain access to thousands of private files ranging from private and company documents to personal photographs. We present a taxonomy of the private files found and ways that the users and services can protect themselves against such attacks.

==== Registration ====

== Registration is open ==

'''[http://guest.cvent.com/i.aspx?4W%2cM3%2c717e8a7c-4453-47ff-addb-721306529534 Click Here To Register]'''

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accommodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

== Stay Informed ... and Tell Others ==

[https://lists.owasp.org/mailman/listinfo/appsec_eu_2010 Subscribe to the conference '''mailing list''']. This is the official information channel and you'll be sure to get any updates and practical info before the conference.

[http://events.linkedin.com/OWASP-AppSec-Research-2010/pub/185990 Add the event to your '''LinkedIn''' profle] to tell all your business contacts that AppSec Research 2010 is the place to be.

Then get on the '''Twitter''' stream by using the tags '''#OWASP''' and '''#AppSecEU'''.

== Conference Fees (June 23-24) ==

*Regular registration: €350
*OWASP individual member (not just chapter member): €300
*Full-time students*: €225

<nowiki>*</nowiki> We need some kind of proof of your full-time student status. Either ask your local OWASP chapter leader to vouch for you by email to Kate.Hartmann@owasp.org, or email Kate a scanned image of your student ID (please compress the file size :).

== Training Fee (June 21-22) ==

*Training fee is €990 for two days, see Training tab above

==== Practical Info ====

== Tailor-Made Visitors' Guide ==

We have tailor-made a 15-page visitors' guide to the conference and Stockholm. With this guide you'll know how to get to and from the airport, find your way to the hotel and conference, know where good bars are, know when and how to tip etc. Check it out! [http://www.owasp.org/images/e/eb/OWASP_AppSec_Research_2010_Visitors_Guide_A4.pdf pdf]

== Swedish Wall Plugs ==

This is how Swedish wall plugs look like (image below). The left one is not grounded and the right one is, having small metal connectors on the sides. Be sure to bring adapters, for instance like [http://international-electrical-supplies.com/sweden-plug-adapters.html these], if your's look different.

[[Image:Swedish_wall_plugs.jpg]]

== Weather Forecast ==

YR.no has good coverage of the weather in Stockholm. Checkit out [http://www.yr.no/place/Sweden/Stockholm/Stockholm/ here].

== Travel ==

Stockholm's foremost international airport is Arlanda (ARN). Clean and convenient speed trains will take you between Arlanda and Stockholm Central in 20 minutes. You can also fly to Stockholm Skavsta (NYO) or Stockholm Västerås (VST) where coaches take you to Stockholm Central in 1 h 20 min.

== Accommodation ==

You can choose hotel/hostel freely in Stockholm but we provided three suggestions with pre-booked rooms so many OWASPers are staying there. '''Check with sites like [http://www.hotels.com hotels.com] since they might have better prices than the hotels state themselves!'''

[[Image:Stockholm map with hotels and public transportation.jpg]]

Subways and buses are convenient and safe and will take you right up to the venue (station/stop "Universitetet") from these three hotels:

'''Best Western Time Hotel''' Why? Closest to the university, direct bus or subway to the conference [http://www.timehotel.se/index.aspx?languageID=5 Best Western Time Hotel] Single room: 1395 SEK/€145/$195 Double room: 1575 SEK/€160/$220 (Rooms were pre-booked until May 18 under code "G#73641 OWASP") 

'''Scandic Continental''' Why? Right at the Central Station, convenient travel to and from airport, direct subway to the conference [http://www.scandichotels.com/en/Hotels/Countries/Sweden/Stockholm/Hotels/Scandic-Continental-Stockholm/ Scandic Continental] Single room: 1590 SEK/€165/$220 Double room: 1690 SEK/€175/$235 (Rooms were pre-booked until early May under code "OWASP") 

'''Fridhemsplan's Hostel''' Why? Affordable stay in Stockholm's nicest hostel, direct bus to the conference [http://fridhemsplan.se/?p=Main&c= Fridhemsplan's Hostel] Rooms cost €35-€55 ($50-$80) Book directly with them through their webpage.

==== Social Events ====

== Official Meet Up at "Mosebacke", Tuesday, June 22 ==
Regardless whether you're one of the lucky ones who will attend training or you'll just attend the conference you are invited to join us at "Mosebacke" on the evening the 22nd. Mosebacke is one of Stockholm's older establishments and is beautifully situated in the south of Stockholm city (only 2 subway stations from Central Station). The official meet up time is 20:00 CEST. We plan on beverage only, but for those who don't mind spending a little extra money on food, you can reserve a table for early evening by calling +46 8 556 098 90 during 2 pm - 5 pm (work days) or with some luck by e-mailing to mosebacke@mosebacke.se.

How will you recognize all the other OWASPers? Some of us will have OWASP-branded grey caps, some you met earlier, some you recognize from pictures, and if you hear any non-Swedish speaking male I guess chances are they're just like you - here for the AppSec conference :).

'''What''': Informal gathering, beer etc. 
'''When''': 8 pm CEST 
'''Where''': Mosebacke, Mosebacke Torg 3 [http://maps.google.se/maps?f=q&source=s_q&hl=sv&geocode=&q=Mosebacke+Etablissement,+Stockholm&sll=59.320492,18.074398&sspn=0.024831,0.077162&gl=se&ie=UTF8&hq=Mosebacke&hnear=Mosebacke,+Mosebacke+Torg+3,+116+46+Stockholm&ll=59.320492,18.074398&spn=0.024831,0.077162&t=h&z=14&iwloc=A Google Maps] 
'''How to get there''': Subway to "Slussen" (2 stops from "T-centralen"), best exit towards "Götgatan". Walk upwards but take the first left to "Hökens gata". Straight up on that one. 
'''How to get there + short sightseeing''': Walk from "T-centralen" along "Drottninggatan" towards Old Town, then towards Slussen and Götgatan. Takes about 30 minutes. 

Hope to meet you there!

== Gala Dinner at City Hall, Wednesday, June 23 ==
All two-day conference attendees including sponsors are welcome to the official AppSec Gala Dinner at Stockholm City Hall on Wednesday June 23rd. We start with a drink at 6:30 pm and sit down for a three course dinner with entertainment at 7 pm. Don't be late.

'''What''': Gala dinner, three course dinner with entertainment 
'''Clothes''': Nice pants/trousers + shirt or a suit is appropriate for men. Women have so many more choices so we opt-out of any suggestions. :) 
'''When''': 6:30 pm CEST 
'''Where''': City Hall, Ragnar Östbergs plan 1 [http://maps.google.se/maps?um=1&ie=UTF-8&q=stadshuset&fb=1&gl=se&hq=stadshuset&hnear=Stockholm&cid=0,0,15456533754099492758&ei=t8wYTJ7IGd6jOJqd6aEL&sa=X&oi=local_result&ct=image&resnum=1&ved=0CB0QnwIwAA Google Maps] 
'''How to get there''': Walk from Central Station / "T-centralen"). Takes about 10 minutes. Or take a taxi/cab and tell the driver "City Hall, please" 

Whatever you do, don't skip the gala dinner!

==== Venue ====

The venue for both training and conference is Aula Magna at Stockholm University.

'''Address''' (for instance for deliveries): 
Aula Magna 
Stockholms universitet 
Frescativägen 6 
SE-106 91 Stockholm 
Sweden 

[[Image:AppSec Research 2010 Aula Magna.jpg]]

==== Sponsoring ====
<center>
[[Image:AppSec Research 2010 Microsoft diamond sponsor.jpg|250px|Microsoft - Diamond Sponsor]] [[Image:AppSec Research 2010 Google 20k sponsor.jpg|150px|Google - Dinner Party and Expo Sponsor]] [[Image:Portwise logo.png|130px|PortWise - Gold and Badge Sponsor]] [[Image:Cybercom logo.png|100px|Cybercom - Gold Sponsor]] [[Image:Fortify logo AppSec Research 2010.png|120px|Fortify - Gold Sponsor]] [[Image:Omegapoint logo.png|110px|Omegapoint - Gold Sponsor]] [[Image:Mnemonic logo.png|100px|Mnemonic - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor Nixu logo.jpg|100px|NIXU - Silver Sponsor]] [[Image:Hps_logo.png|140px|High Performance Systems - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor F5 logo.jpg|70px|F5 - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor Imperva logo.jpg|100px|Imperva - Silver Sponsor]] [[Image:AppSec_Research_2010_sponsor_Promon_logo.jpg|100px|Promon - Silver Sponsor]] [[Image:IIS logo.png|100px|Stiftelsen för Internetinfrastruktur - Lunch Sponsor]] [[Image:MyNethouse logo.png|100px|MyNethouse - Coffee Break Sponsor]] [[Image:AppSec Research 2010 Help Net Security sponsor.jpg|100px|Help Net Security - Media Sponsor]] [[Image:TrustwaveLogo.jpg|100px|Trustwave - Notepad sponsor]]
</center>
We are still welcoming sponsors for OWASP AppSec Research 2010. Take the opportunity to support this year's major appsec event in Europe! The full sponsoring program is available as pdfs:

Sponsoring program in English: [[Image:OWASP Sponsorship AppSec Research 2010 (eng).pdf]]

Sponsoring program in Swedish: [[Image:OWASP Sponsorship AppSec Research 2010 (swe).pdf]]

==== Challenges ====

=== Countdown Challenges -- Free Tickets to Win! ===

There will be a challenge posted on the conference wiki page the 21st every month up until the event. The winner will get free entrance to the conference. Be sure to sign up for [https://lists.owasp.org/mailman/listinfo/appsec_eu_2010 the conference mailing list] to get a monthly reminder.

== AppSec Research Final Challenge: Internet Treasure Hunt ==

It's May 21st, one month to AppSec Research 2010, and '''the last chance to win a free ticket''' to this year's number one conference in appsec.

'''The Treasure Hunt in a Nutshell''' 
Your mission is to find several small AppSec Research logotypes hidden among the websites of our sponsors and hosts. Every logo found is associated with a keyword (a dictionary word) in some way. When you've found all the keywords you email them to us.

[[Image:Owasp_appsec_research_2010_logo_by_daniel_kozlowski.jpg|40px|OWASP AppSec Research 2010 logo by Daniel Kozlowski]]

'''Instructions''' 
* Please don't do anything malicious during your hunt. And don't produce considerable load on the websites. You should be able to find the keywords anyway :).
* To check if you found all keywords you compare the md5 of all keywords concatenated in alphabetical order with this hash: 1a7b54ba9cee6cccd9890e7800b83208
* You can calculate the hash by doing the following in a shell: echo "Keywords concatenated in alphabetical order" | md5
* To ensure your hash function produces the same as our you can try: echo "owasp" | md5 ... which should result in the hash 2bdce47b1a6c527b134d4b658b033702

'''How to Win''' 
To win you email all keywords (not the hash) concatenated in alphabetical order to stefan dot pettersson at owasp dot org. Stefan will let you know if you were the first one with the correct answer!

'''Example:''' 
* You found three logos and the keywords were: golf, king, apple
* You calculate the hash by doing: echo "applegolfking" | md5
* If the hash matches 1a7b54ba9cee6cccd9890e7800b83208 you email applegolfking to Stefan.

Let the best hunter win!

 <headertabs />

OWASP AppSec Research 2010 - Stockholm, Sweden

2010-06-23T12:39:23Z

Ivanr:

__NOTOC__

==== Welcome ====

== Invitation ==

Ladies and Gentlemen,

In June 21-24, 2010 let's all meet in beautiful Stockholm, Sweden. The OWASP chapters in [http://www.owasp.org/index.php/Sweden Sweden], [http://www.owasp.org/index.php/Norway Norway], and [http://www.owasp.org/index.php/Denmark Denmark] hereby invite you to OWASP AppSec Research 2010.

If you have any questions, please email the conference chair: john.wilander at owasp.org

[[Image:Stockholm old town small.jpg]]

=== Sponsors ===

Diamond sponsor: [[Image:AppSec Research 2010 Microsoft diamond sponsor.jpg]]

Gold sponsors: [[Image:Cybercom logo.png]] [[Image:Portwise logo.png]] [[Image:Fortify logo AppSec Research 2010.png]] [[Image:Omegapoint logo.png]]

Silver sponsors: [[Image:Mnemonic logo.png]] [[Image:AppSec Research 2010 sponsor Nixu logo.jpg]] 
[http://www.hps.se/ http://www.owasp.org/images/6/6f/Hps_logo.png] [[Image:AppSec Research 2010 sponsor F5 logo.jpg]] 
[[Image:AppSec Research 2010 sponsor Imperva logo.jpg]] [[Image:AppSec_Research_2010_sponsor_Promon_logo.jpg]]‎

Dinner Party sponsor: [http://www.google.com/EngineeringEMEA http://www.owasp.org/images/thumb/8/86/AppSec_Research_2010_Google_20k_sponsor.jpg/150px-AppSec_Research_2010_Google_20k_sponsor.jpg]

Lunch sponsors (1 taken, 1 open): [[Image:IIS logo.png]]

Coffee break sponsors (1 taken, 3 open): [[Image:MyNethouse logo.png]]

Media sponsors: [[Image:AppSec Research 2010 Help Net Security sponsor.jpg]]

Notepad sponsors: 
[[Image:TrustwaveLogo.jpg|Trustwave - Notepad sponsor]]

For full sponsoring program see the Sponsoring tab above.

=== "AppSec Research".equals("AppSec Europe") ===

This conference was formerly known as OWASP AppSec Europe. We have added 'Research' to highlight that we invite both industry and academia. All the regular AppSec Europe visitors and topics are welcome along with contributions from universities and research institutes.

This will be ''the'' European conference for anyone interested in or working with application security. Co-host is the [http://dsv.su.se/en/ Department of Computer and Systems Science] at Stockholm University, offering a great venue in the fabulous Aula Magna.

=== Countdown Challenges -- Free Tickets to Win! ===

There will be a challenge posted on the conference wiki page the 21st every month up until the event. The winner will get free entrance to the conference. What are you waiting for? Go to the Challenges tab and have fun!

=== Organizing Committee ===

• John Wilander, chapter leader Sweden (chair) • Mattias Bergling (vice chair) • Alan Davidson, Stockholm University/Royal Institute of Technology (co-host) • Ulf Munkedal, chapter leader Denmark • Kåre Presttun, chapter leader Norway • Stefan Pettersson (sponsoring coordinator) • Carl-Johan Bostorp (schedule and event coordinator) • Martin Holst Swende (coffee/lunch/dinner) • Michael Boman (conference guide/attendee pack) • Predrag Mitrovic, OWASP Sweden Board • Kate Hartmann, OWASP • Sebastien Deleersnyder, OWASP Board

'''Welcome to Stockholm this year!''' Regards, John Wilander

==== June 21-22 (Training) ====

== Schedule ==
10:30-10:50 Coffee break 
12:15-13:00 Lunch in the canteen 
15:00-15:20 Coffee break 

17:00 End of training for the day

18:00 Monday we'll just go somewhere to eat, Tuesday we have the official meet up at "Mosebacke". Check the "Social Events" tab above.

== Training Registration is closed ==

Application security training is given the first two days, '''June 21-22'''. The price was '''€990''' (~$1.350) for a two-day course. 65 people took the chance to learn from the best!

=== Course 1: Threat Modeling and Architecture Review (two days) ===

[[Image:AppSec Research 2010 Pravir Chandra.jpg]]

Pravir Chandra, Fortify Software

'''Abstract''': Threat Modeling and Architecture Review are the cornerstones of a preventative approach to Application Security. By combining these topics into single comprehensive course attendees can get a complete understanding of how to understand the threat an application faces and how the application will handle those potential threats. This enables the risk to be accurately assessed and appropriate changes or mitigating controls recommended. From the course outline:

1. Overview
* Scope and problem definition
* High‐level view of the overall process
* Core techniques
2. Threat assessment and modeling
* Overall threat modeling process
* Preparation and background information
* Capturing business and security goals
* Identify vulnerabilities and other risks
* Establish weighting and prioritization of risks
* Guard against risks with compensating controls
* EXERCISE - Threat model a real‐life problem
3. Architecture review techniques
* Authentication
* Authorization
* EXERCISE - Apply the techniques from Authentication and Authorization
* Input validation
* Output encoding
* EXERCISE - Apply the techniques from Input Validation and Output Encoding
* Error handling
* Audit logging
* EXERCISE - Apply the techniques from Error Handling and Audit Logging
* Encryption
* Configuration management
* EXERCISE - Apply the techniques from Encryption and Configuration Management
4. Specifying security requirements
* Writing positive security requirements
* Deriving security requirements from functional requirements
* Thinking broadly about requirements coverage
* Balancing security requirements with functionality

'''Trainer Bio''': Pravir Chandra is Director of Strategic Services at Fortify where he works with clients to build and optimize software security assurance programs. Pravir is widely recognized in the industry for his expertise in software security and code analysis, and also for his ability to apply technical knowledge strategically from a business perspective. His book, Network Security with OpenSSL is a popular reference on protecting software applications through cryptography and secure communications. His varied special project experience includes creating and leading the Open Software Assurance Maturity Model (OpenSAMM) project

=== Course 2: Introduction to Malware Analysis (two days) ===

[[Image:AppSec Research 2010 Jason Geffner.jpg]]

Jason Geffner, Next Generation Security Software (NGS), and Scott Lambert, Microsoft

'''Abstract''': Security researchers are facing a growing problem in the complexity of malicious executables. While dynamic black-box automation tools exist to discover what malware will do on a given execution, it is often important for an analyst to know the full capabilities of a given malware sample. What port does it listen on? What password does it expect for backdoor access? What files will it write to? What will it do tomorrow that it didn't do today? This class will focus on teaching attendees the steps required to understand the functionality of given malware samples. This is a hands-on course. Attendees will work on real-world malware through a series of lab exercises designed to build their expertise in understanding the analysis process.

Learning Objectives:

*An understanding of how to use reverse engineering tools
*An understanding of low-level code and data flow
*PE File format
*x86 Assembly language
*API functions often used by malware
*Anti-analysis tricks and how to defeat them
*Exploits and Shellcode
*A methodology for analyzing malware with and without the use of specialized tools

'''Trainer Bio''': Jason Geffner joined Next Generation Security Software Ltd. in June of 2007 as a Principal Security Consultant. Jason focuses on performing security reviews of source code and designs, reverse engineering software protection methods and DRM protection methods, deobfuscating and analyzing malware, penetration testing web applications and network infrastructures, and developing automated security analysis tools.

=== Course 3: Building Secure Ajax and Web 2.0 Applications (two days) ===

[[Image:AppSec Research 2010 Dave Wichers.jpg]]

Dave Wichers, Aspect Security

'''Abstract''': Rich Internet applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. This course addresses the special issues with this type of application development. Students will gain hands-on testing experience with freely available web application security test tools to find and diagnose such flaws and learn how to identify, fix, and avoid them in their own projects. In addition, Aspect’s engineers are leaders in the AppSec Community and will offer the students an amazing perspective.

'''Trainer Bio''': Dave Wichers is a member of the OWASP Board and a coauthor, along with Jeff Williams, of all previous versions of the OWASP Top Ten. Dave is also the Chief Operating Officer of Aspect Security, a company that specializes in application security services. Mr. Wichers brings over twenty years of experience in the information security field. Prior to cofounding Aspect, he ran the Application Security Services Group at a large data center company, Exodus Communications. His current work involves helping customers, from small e-commerce sites to Fortune 500 corporations and the U.S. Government, secure their applications by providing application security design, architecture, and SDLC support services: including code review, application penetration testing, security policy development, security consulting services, and developer training.

=== Course 4: Assessing and Exploiting Web Apps with Samurai-WTF (two days) ===

[[Image:AppSec Research 2010 Justin Searle.jpg]]

Justin Searle, InGuardians

'''Abstract''': This course will focus on using open source tools to perform web application assessments. The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-WTF). Day one will take students through the steps and open source tools used to assess applications for vulnerabilities. Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks. The latest tools and techniques will be use throughout the course, including several tools developed by the trainers themselves. From the course outline:

Samurai-WTF Project and Distribution (about, using ...) 
Web Application Assessment Methodology (pentest types, four step methodology ...) 
Step 1: Reconnaissance
* Overview of Web Application Recon
* Domain and IP Registration Databases (Labs: whois)
* Google Hacking (Labs: gooscan, gpscan)
* Social Networks (Labs: Reconnoiter)
* DNS Interrogation (Labs: host, dig, nslookup, fierce)
Step 2: Mapping
* Overview of Mapping
* Port Scanning and Fingerprinting (Labs: nmap, zenmap, Yokoso!)
* Web Service Scanning (Labs: Nikto)
* Spidering (Labs: wget, curl, Paros, WebScarab, BurpSuite)
* Discovering "Non-Discoverable" URLs (Labs: DirBuster)
Step 3: Discovery
* Using Built-in Tools (Labs: Page Info, Error Console, DOM Inspector, View Source)
* Poking and Prodding (Labs: Default User Agent, Cookie Editor, Tamper Data)
* Interception Proxies (Labs: Paros, WebScarab, BurpSuite)
* Semi-Automated Discovery (Labs: RatProxy)
* Automated Discovery (Labs: Grendel-Scan, w3af)
* Information Discovery (Labs: CeWL)
* Fuzzing (Labs: JBroFuzz, BurpIntruder)
* Finding XSS (Labs: TamperData, XSS-Me, BurpIntruder)
* Finding SQL Injection (Labs: SQL Inject-Me, SQL Injection, BurpIntruder)
* Decompiling Flash Objects (Labs: Flare)
Step 4: Exploitation
* Username Harvesting (Labs: python)
* Brute Forcing Passwords (Labs: python)
* Command Injection (Labs: w3af)
* Exploiting SQL Injection (Labs: SQLMap, SQLNinja, Laudanum)
* Exploiting XSS (Labs: Durzosploit)
* Browser Exploitation (Labs: BeEF, BrowserRider, Yokoso!)
* Advanced exploitation through tool integration (MSF + sqlninga/sqlmap/BeEF)

'''Trainer Bio''': Justin Searle, a Senior Security Analyst with InGuardians, specializes in web application, network, and embedded penetration testing. Justin has presented at top security conferences including DEFCON, ToorCon, ShmooCon, and SANS. Justin has an MBA in International Technology and is CISSP and SANS GIAC-certified in incident handling and hacker techniques (GCIH) and intrusion analysis (GCIA). Justin is one of the founders and lead developers of Samurai-WTF.

=== Course 5: Securing Web Services (two days) ===

[[Image:AppSec Research 2010 Jason Li.jpg]]

Jason Li, Aspect Security

'''Abstract''': Aspect Security offers this two day Securing Web Services course which focuses on the most important messages regarding the development of secure web services. This course helps developers understand the real risks associated with Security in Web Services and Service Oriented Architectures, what standard are available to help, and how to use the standards. The course includes a combination of lecture, demonstrations, and hands on testing designed to provide detailed guidance regarding the implementation of specific security principles and functions in web services.

From the course outline:

* Web Service and SOA Threat Model
* Data Formats: XML, JSON
* Protocols: SOAP, REST
* Overview of the Standards (WS-Security, SAML, XACML)
* Common Communications Vulnerabilities
* Using SSL for Simple Web Services
* XML Encryption
* XML Signature
* WS-Security
* How to Manage Web Service Identities
* Federated Identities
* Common Authentication Vulnerabilities
* WSDL Examples of Implementing WS-Security
* Common Access Control Vulnerabilities
* How to Validate Web Service Input (XML Schema, Business Logic Validation)
* Common XML Attacks (Recursion, References, Overflow, Transforms)
* State Management
* Using Interpreters Safely (SQL Injection, LDAP Injection, Command Injection, XPath Injection)
* Denial of Service and Availability

'''Trainer Bio''': Jason Li is a Senior Application Security Engineer for Aspect Security where he performs application security assessments and architecture reviews, as well as application security training, to a wide variety of financial and government customers. Jason is an active OWASP leader, contributing to several OWASP projects and serving on the OWASP Global Projects Committee. He holds a Post-Masters certificate in Computer Science and concentration in Information Security from Johns Hopkins University and a Masters degree in Computer Science from Cornell University.

==== June 23 ====

{| border="0" align="center" style="width: 80%;"
|-
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''Conference Day 1 - June 23, 2010'''
[[Image:OWASP AppSec Research 2010 Research R.gif]] = Research paper [[Image:OWASP AppSec Research 2010 Demo D.gif]] = Demo [[Image:OWASP AppSec Research 2010 Presentation P.gif]] = Presentation

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Track 1
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Track 2
| style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Track 3
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 08:00-08:50
| align="left" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Registration and Breakfast + Coffee
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 08:50-09:00
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Welcome to OWASP AppSec Research 2010 Conference (John Wilander & [http://www.owasp.org/index.php/About_OWASP OWASP Global Board Members])
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 09:00-10:00
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(252, 252, 150);" | [[#Keynote: Cross-Domain Theft and the Future of Browser Security]]
''Chris Evans, Information Security Engineer, and Ian Fette, Product Manager for Chrome Security, Google''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 10:10-10:45
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | [[Image:OWASP AppSec Research 2010 Research R.gif]] [[#BitFlip: Determine a Data's Signature Coverage from Within the Application]]
''Henrich Christopher Poehls, University of Passau'' 

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#CsFire: Browser-Enforced Mitigation Against CSRF]]
''Lieven Desmet and Philippe De Ryck, Katholieke Universiteit Leuven'' 

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Deconstructing ColdFusion]]
''Chris Eng, Veracode''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 10:45-11:10
| align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break - Expo - CTF kick-off, '''Coffee break sponsoring position open''' ($2,000)
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 11:10-11:45
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | [[Image:OWASP AppSec Research 2010 Research R.gif]] [[#Towards Building Secure Web Mashups]]
''M Decat, P De Ryck, L Desmet, F Piessens, W Joosen, Katholieke Universiteit Leuven''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#New Insights into Clickjacking]]
''Marco Balduzzi, Eurecom ''

 

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#How to Render SSL Useless]] ([[Media:Ivan_Ristic_-_Breaking_SSL_-_OWASP.pdf PDF]])
''Ivan Ristic, Qualys ''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 11:55-12:30
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" |
[[Image:OWASP AppSec Research 2010 Research R.gif]] [[#Busting Frame Busting]]

''Gustav Rydstedt, Stanford Web Security Research'' 

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Web Frameworks and How They Kill Traditional Security Scanning]]
''Christian Hang and Lars Andren, Armorize Technologies''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#The State of SSL in the World]]
''Michael Boman, Omegapoint ''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 12:30-13:45
| align="left" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Lunch - Expo - CTF, Lunch sponsor: [[Image:OWASP AppSec Research 2010 IIS logo for program.png]]
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 13:45-14:20
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | [[Image:OWASP AppSec Research 2010 Research R.gif]] [[#(New) Object Capabilities and Isolation of Untrusted Web Applications]]
''Sergio Maffeis, Imperial College, London''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Beyond the Same-Origin Policy]]
''Jasvir Nagra and Mike Samuel, Google ''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#SmashFileFuzzer - a New File Fuzzer Tool]]
''Komal Randive, Symantec''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 14:30-15:05
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | [[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#Security Toolbox for .NET Development and Testing]]
''Johan Lindfors and Dag König, Microsoft''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | [[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#Cross-Site Location Jacking (XSLJ) (not really)]]
''David Lindsay, Cigital Eduardo Vela Nava, sla.ckers.org''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#Owning Oracle: Sessions and Credentials]]
''Wendel G. Henrique and Steve Ocepek, Trustwave''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 15:05-15:30
| align="left" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break - Expo - CTF, '''Coffee break sponsoring position open''' ($2,000)
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 15:30-16:05
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | [[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#Value Objects a la Domain-Driven Security: A Design Mindset to Avoid SQL Injection and Cross-Site Scripting]]
''Dan Bergh Johnsson, Omegapoint''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | [[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Automated vs. Manual Security: You Can't Filter "The Stupid"]] 
''David Byrne and Charles Henderson, Trustwave''

| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[Image:OWASP AppSec Research 2010 Research R.gif]] [[#Session Fixation - the Forgotten Vulnerability?]]
''Michael Schrank and Bastian Braun, University of Passau Martin Johns, SAP Research''

|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 16:15-17:00
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Panel Discussion: To Be Announced
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 19:00-23:00
| align="center" colspan="1" style="background: none repeat scroll 0% 0% rgb(43, 58, 109);" | [[Image:OWASP_AppSec_Research_2010_Stockholm_City_Hall_exterior_small.jpg|Stockholm City Hall, photo by Yanan Li]]
| align="center" colspan="1" style="background: none repeat scroll 0% 0% rgb(43, 58, 109); color: white;" | '''Gala Dinner''' at [http://international.stockholm.se/Tourism-and-history/The-Famous-City-Hall/Pictures-of-the-City-Hall/ Stockholm City Hall] Sponsored by [[Image:OWASP AppSec Research 2010 Google logo for program.png]]
| align="center" colspan="1" style="background: none repeat scroll 0% 0% rgb(43, 58, 109);" | [[Image:OWASP_AppSec_Research_2010_Stockholm_City_Hall_Golden_Hall_small.jpg|The Golden Hall, photo by Yanan Li]]
|}
<center>
[[Image:AppSec Research 2010 Microsoft diamond sponsor.jpg|250px|Microsoft - Diamond Sponsor]] [[Image:AppSec Research 2010 Google 20k sponsor.jpg|150px|Google - Dinner Party and Expo Sponsor]] [[Image:Portwise logo.png|130px|PortWise - Gold and Badge Sponsor]] [[Image:Cybercom logo.png|100px|Cybercom - Gold Sponsor]] [[Image:Fortify logo AppSec Research 2010.png|120px|Fortify - Gold Sponsor]] [[Image:Omegapoint logo.png|110px|Omegapoint - Gold Sponsor]] [[Image:Mnemonic logo.png|100px|Mnemonic - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor Nixu logo.jpg|100px|NIXU - Silver Sponsor]] [[Image:Hps_logo.png|140px|High Performance Systems - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor F5 logo.jpg|70px|F5 - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor Imperva logo.jpg|100px|Imperva - Silver Sponsor]] [[Image:AppSec_Research_2010_sponsor_Promon_logo.jpg|100px|Promon - Silver Sponsor]] [[Image:IIS logo.png|100px|Stiftelsen för Internetinfrastruktur - Lunch Sponsor]] [[Image:MyNethouse logo.png|100px|MyNethouse - Coffee Break Sponsor]] [[Image:AppSec Research 2010 Help Net Security sponsor.jpg|100px|Help Net Security - Media Sponsor]] [[Image:TrustwaveLogo.jpg|100px|Trustwave - Notepad sponsor]]
</center>

== Keynote: Cross-Domain Theft and the Future of Browser Security ==

[[Image:Appsec research 2010 invited talk 1.jpg]]

'''Chris Evans''' Troublemaker, Information Security Engineer, and Tech Lead at Google inc. Also the sole author of vsftpd.

'''Ian Fette''' Product Manager for Chrome Security and Google's Anti-Malware initiative

'''Abstract''' The web browser, and associated machinery, is on the front line of attacks. We will first look at design-level problems with the traditional browser in terms of monolithic architecture and fundamental problems with the same-origin policy. We will then look at the types of solution that are starting to appear in browsers such as Google Chrome and Internet Explorer. We will look at other important browser-based defenses such as Safe Browsing. We will detail what a future browser might look like that has a much more secure design, but is still usable on the wide variety of web sites that people use daily.

== DAY 1, TRACK 1 ==

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] BitFlip: Determine a Data's Signature Coverage from Within the Application ===

''Henrich Christopher Poehls, University of Passau - ISL''

Despite applied cryptographic primitives applications are working on data that was not protected by them. We show by abstracting the message flow between the application and the underlying wire, that protection is applied to a different data model. Taking problems from real life, like XML wrapping attacks and digital signatures on XML, we show that establishing the right linkage between the security checked on lower levels and the application above is practically difficult. We propose a application controlled check, the BitFlip-test. By this simple test an application can test if the application's assumed protection of a data value was indeed provided by the digital signature applied to the message that contained the value.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] Towards Building Secure Web Mashups ===

''Maarten Decat, Philippe De Ryck, Lieven Desmet, Frank Piessens, and Wouter Joosen, Katholieke Universiteit Leuven''

Web mashups combine components from multiple sources into a single, interactive application. This kind of setup typically requires both interaction between the components to achieve the necessary functionality, as well as component separation to achieve a secure execution. Unfortunately, the traditional web is not designed to easily fulfill both requirements, which can be seen in the restrictions imposed by traditional development techniques. This paper gives an overview of these traditional techniques and investigates new developments, specifically aimed at combining components in a secure manner. In addition, topics for further improvement are identified to ensure a wide adaptation of secure mashups.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] Busting Frame Busting ===

''Gustav Rydstedt, Stanford Web Security Research'' 
Joint work with Elie Bursztein, Dan Boneh, and Collin Jackson.

Web framing attacks such as clickjacking use iframes to hijack a user's web session. The most common defense, called frame busting, prevents a site from functioning when loaded inside a frame. We study frame busting practices for the Alexa Top-500 sites and show that all can be circumvented in one way or another. Some circumventions are browser-specific while others work across browsers. We conclude with recommendations for proper frame busting.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] (New) Object Capabilities and Isolation of Untrusted Web Applications ===

''Sergio Maffeis, Imperial College, London''

The object-capability model provides an appealing approach for isolating untrusted content in mashups: if untrusted applications are provided disjoint capabilities they still can interact with the user or the hosting page, but they cannot directly interfere with each other. We develop language-based foundations for isolation proofs based on object-capability concepts, and we show the applicability of our framework for a specific class of mashups. As an application, we prove that a JavaScript subset based on Google Caja is capability safe.

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] Security Toolbox for .NET Development and Testing ===

''Johan Lindfors and Dag König, Microsoft''

Being a developer on the Microsoft platform leveraging .NET doesn’t only involve keeping up with the continuous development of the underlying framework and technologies. It also means to be on top of the latest security threats and naturally the available mitigations and best practices to protect the customers and users of the applications and solutions being developed.

In this session we will demonstrate how you as a .NET developer can leverage existing tools and technologies to build safer applications. During the demonstrations you will get more familiar with the existing tools within Visual Studio but also be introduced and educated in more tools that will help you build a toolbox for secure development and security testing.

But one must also remember that tools will never replace knowledge and hence we will also show you how you can regularly get updated with the latest information from Microsoft on security including how to leverage SDL – Security Development Lifecycle, within your own projects.

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] Value Objects a la Domain-Driven Security: A Design Mindset to Avoid SQL Injection and Cross-Site Scripting ===

''Dan Bergh Johnsson, Omegapoint''

SQL Injection and Cross-Site Scripting have been topping the OWASP Top Ten for the last years. It must be a top priority for the community to evolve designs and mindsets that help the programmers to avoid these traps in their day-to-day work, where they have so much else but security that calls for their attention. The ambition of this presentation is to show design and coding practices that are well established in other fields of software development and put them to use to avoid just-mentioned traps. We also show some small refactorings that can be immediately applied to an existing codebase to make significant improvements to its security. Attendants of the session should be able to go back to work Monday morning and finish an improvement in this style before Monday lunch.

We take inspiration from Domain Driven Design (DDD), which is characterized by its focus on what the software intend to represent. In particular, we make heavy use of the Value Object design pattern, where strict typing help us enforce that the incoming data is truthful to the restrictions of the domain. We start out with Injection Flaws and use the canonical username SQL Injection attack (“’OR 1=1 --“) as an example. Realizing that mentioned string was not intended as a valid username we elaborate the model to reflect this. Further more we make this change explicit in the code by introducing the new type and class Username. This also gives a natural place to put validation code, which otherwise often is placed in utility classes where it is easily forgotten and seldom called. In fact, we can even design service methods to require a validated Username, thus using the strong typing to enforce validation in the calling client system tier.

Making this re-design with associated code changes is performed as a demo, and en route we discuss other design options and their relative merits and drawbacks. Again using DDD we proceed to analyse XSS. In the same way we see that XSS is in the general case not an indata validation problem. An extended analysis proposes that it can be phrased as an output-encoding problem. Using a similar technique we model the target domain of web content as the new type HTMLString, and can thereby enforce conversion from ordinary strings to strings with the proper encoding. If you have multiple content channels, then each channel will.

All steps needed are shown in code, starting with a vulnerable application and through controlled refactoring steps ending up with a version without the vulnerability. In summary, we will take an established quality practice from another field of software development and use it to get security improvements. The main benefits are two: firstly, the method gently guides and reminds the programmers to include validation and encoding in an unobtrusive way. Secondly, the work can be performed in very small steps, where the first can be finished before lunch Monday after the conference.

== DAY 1, TRACK 2 ==

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] CsFire: Browser-Enforced Mitigation Against CSRF ===

''Lieven Desmet and Philippe De Ryck, Katholieke Universiteit Leuven''

Cross-Site Request Forgery (CSRF) is a web application attack vector that can be leveraged by an attacker to force an unwitting user's browser to perform actions on a third party website, possibly reusing all cached authentication credentials of that user.

Currently, a whole range of techniques exist to mitigate CSRF, either by protecting the server application or by protecting the end-user. Unfortunately, the server-side protection mechanisms are not yet widely adopted, and the client-side solutions provide only limited protection or cannot deal with complex web 2.0 applications, which use techniques such as AJAX, mashups or single sign-on (SSO).

In this talk, we will presents three interesting results of our research: (1) an extensive, real‐world traffic analysis to gain more insights in cross‐domain web interactions, (2) requirements for client‐side mitigation against CSRF and an analysis of existing browser extensions and (3) CsFire, our newly developed FireFox extension to mitigate CSRF.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Automated vs. Manual Security: You Can't Filter "The Stupid" ===

''David Byrne and Charles Henderson, Trustwave''

Everyone wants to stretch their security budget, and automated application security tools are an appealing choice for doing so. However, manual security testing isn’t going anywhere until the HAL application scanner comes online. This presentation will use often humorous, real-world examples to illustrate the relative strengths and weaknesses of automated solutions and manual techniques.

Automated tools certainly have some strengths (namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks). In addition to preventing some attacks, WAFs also have advantages for some compliance frameworks. However, automated solutions are far from perfect. To begin with, there are entire classes of very important vulnerabilities that are theoretically impossible for automated software to detect (at least until HAL comes online). Examples include complex information leakage, race conditions, logic flaws, design flaws, subjective vulnerabilities such as CSRF, and multistage process attacks.

Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool. Automated tools are designed to cover common application designs and platforms. Applications using an unusual layout or components will not be thoroughly protected by automated tools. Realistically, only the most vanilla of web applications written on common, simple platforms will receive solid code coverage from an automated tool.

On the other hand, manual testing is far more versatile. An experienced penetration tester can identify complicated vulnerabilities in the same way that an attacker does. Specific, real-world examples of vulnerabilities only recognizable by humans will be provided. The diversity of vulnerabilities shown will clearly demonstrate that all applications have the potential for significant vulnerabilities not detectable by automated tools.

Manual source code reviews present even more benefits by identifying vulnerabilities that require access to source code. Examples include “hidden” or unused application components, SQL injection with no evidence in the response, exotic injection attacks (e.g. mainframe session attacks), vulnerabilities in back-end systems, and intentional backdoors. Many organizations assume that this type of vulnerability is not a large threat, but source code can be obtained by disgruntled developers, by internal attackers when the repository isn’t properly secured, by exploiting platform bugs or path directory traversal attacks, and by external attackers using a Trojan horse or similar technique.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Web Frameworks and How They Kill Traditional Security Scanning ===

''Christian Hang and Lars Andren, Armorize Technologies''

Modern web application frameworks present a challenge to static analysis technologies due to how they influence application behavior in ways not obvious from the source code. This prevents efficient security scanning and can cause up to 80% of total potential issues to remain undetected due to the incorrect framework handling. After explaining the underlying problems, we demonstrate in a real world walk through using code analysis to scan actual application code. By extending static analysis with new framework specific components, even applications using complex frameworks like Struts and Smarty can be inspected automatically and code coverage of security analysis can be greatly enhanced.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Beyond the Same-Origin Policy ===

''Jasvir Nagra and Mike Samuel, Google Inc''

The same-origin policy has governed interaction between client-side code and user data since Netscape 2.0, but new development techniques are rendering it obsolete. Traditionally, a website consisted of server-side code written by trusted, in-house developers ; and a minimum of client-side code written by the same in-house devs. The same-origin policy worked because it didn't matter whether code ran server-side or client-side ; the user was interacting with code produced by the same organization. But today, complex applications are being written almost entirely in client-side code requiring developers to specialize and share code across organizational boundaries.

This talk will explain how the same-origin policy is breaking down, give examples of attacks, discuss the properties that any alternative must have, introduce a number of alternative models being examined by the Secure EcmaScript committee and other standards bodies, demonstrate how they do or don't thwart these attacks, and discuss how secure interactive documents could open up new markets for web developers. We assume a basic familiarity with web application protocols : HTTP, HTML, JavaScript, CSS ; and common classes of attacks : XSS, XSRF, Phishing.

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] Cross-Site Location Jacking (XSLJ) (not really) ===

''David Lindsay, Cigital Inc, and Eduardo Vela Nava sla.ckers.org''

Redirects are commonly used on many websites and are an integral part of many web frameworks. However, subtle and not so subtle issues can lead to security holes and privacy issues. In this presentation, we will discuss several high and low level issues related to redirects and demonstrate how the issues can be exploited.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] New Insights into Clickjacking ===

''Marco Balduzzi, Eurecom''

Over the past year, clickjacking received extensive media coverage. News portals and security forums have been overloaded by posts claiming clickjacking to be the upcoming security threat. In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that are advantageous for the attacker, such as propagating a web worm, stealing confidential information or abusing of the user session. In this talk, we formally define the problem and introduce our novel solution for automated detection of clickjacking attacks. We present the details of the system architecture and its implementation, and we evaluate the results we obtained from the analysis of over a million unique Internet pages. We conclude by discussing the clickjacking phenomenon and its future implications.

== DAY 1, TRACK 3 ==

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Deconstructing ColdFusion ===

''Chris Eng, Veracode''

This presentation is a technical survey of ColdFusion security, which will be of interest mostly to code auditors and penetration testers. We’ll cover the basics of ColdFusion markup, control flow, functions, and components and demonstrate how to identify common web application vulnerabilities at the source code level. We’ll also delve into ColdFusion J2EE internals, describing some of the unexpected properties we’ve observed while decompiling ColdFusion applications for static analysis.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] How to Render SSL Useless ===

''Ivan Ristic, Feisty Duck''

SSL is the technology that secures the Internet, but it is effective only when deployed properly. While the SSL protocol itself is very robust and easy to use, the same cannot be said for the usability of the complete ecosystem, which includes server configuration, certificates and application implementation details. In fact, SSL deployment is generally plagued with traps at every step of the way. As a result, too many web sites use insecure deployment practices that render SSL completely useless. In this talk I will present a list of top ten (or thereabout) deployment mistakes, based on my work on the SSL Labs assessment platform (https://www.ssllabs.com).

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] The State of SSL in the World ===

''Michael Boman, Omegapoint''

What is the status of SSL deployments in Fortune 500 companies and the top 10'000 websites (according to Alexa)? While developing a tool that was needed to perform the test-case OWASP-CM-001 (Testing for SSL-TLS) it was noticed that some sites had very good SSL-configuration, sometimes unexpectedly, and some sites has very poor security configuration, even when you could expect the site to have good security standard. Does the organization behind the site has any bearing on how good the security standard the site has in regards to HTTPS-support and configuration? The talk will highlight the findings and the tools and process of obtaining the underlying data, while also trying to answer the questions: - How many of the Fortune 500 and Top 10'000 websites offer an HTTPS-enabled browser experience to their visitors? - How is the HTTPS-server configured in regards to SSL-protocols offered, key exchange and key lengths (bit-size)? - Are there any correlation between company size, industry or popularity and the HTTPS-enabled browsing experience and the HTTPS-configuration?

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] SmashFileFuzzer - a New File Fuzzer Tool ===

''Komal Randive, Symantec''

Here is a tool SmashFileFuzzer designed and developed to address the same problem with ease. SmashFileFuzzer understands the file formats and then user can specify the fields in the file to be fuzzed. SmashFileFuzzer acts on a sample file of the required format and generates multiple fuzzed file copies from this sample file. SmashFileFuzzer also has the support to add more custom file formats to be able to fuzz them, especially .dat formats. In comparison with the existing file fuzzers and frameworks this fuzzer has simple language for adding new formats, many more modes of fuzzing and attack oriented fuzzing. Following are the highlights of this fuzzer

*Support to understand the file formats and fuzz specific fields with specified/random data
*Understands the correlation between different fields and manipulates them in accordance with the fuzzed content.
*Can generate valid fuzzed files even based on the partial format understanding. Only the portions of file format which are understood by the user can be used to generate valid fuzzed files.
*Understands the custom formats for file types and also for the configuration files(e.g key value pair format or .dat formats)
*Tool is designed to be easily extended for any new file formats
*Fuzz strings are read from a dictionary file. Users can add application specific input string to this dictionary for testing.
*It’s a unix shell based tool which can be easily scripted.

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] Owning Oracle: Sessions and Credentials ===

''Wendel G. Henrique and Steve Ocepek, Trustwave''

In a world of free, ever-present encryption libraries, many penetration testers still find a lot of great stuff on the wire. Database traffic is a common favorite, and with good reason: when the data includes PAN, Track, and CVV, it makes you stop and wonder why this stuff isn’t encrypted across the board. However, despite this weakness, we still need someone to issue queries before we see the data. Or maybe not… after all, it’s just plaintext.

Wendel G. Henrique and Steve Ocepek of Trustwave’s SpiderLabs division offer a closer look at the world’s most popular relational database: Oracle. Through a combination of downgrade attacks and session take-over exploits, this talk introduces a unique approach to database account hijacking. Using a new tool, thicknet, the team will demonstrate how deadly injection and downgrade attacks can be to database security.

The Oracle TNS/Net8 protocol was studied extensively during presentation for this talk. Very little public knowledge of this protocol exists today, and much of the data gained is, as far as we know, new to Oracle outsiders.

Also, during the presentation we will be offering to attendants:

*Knowledge about man-in-the-middle and downgrade attacks, especially the area of data injection.
*A better understanding of the network protocol used by Oracle.
*The ability to audit databases against this type of attack vector.
*Ideas for how to prevent this type of attack, and an understanding of the value of encryption and digital signature technologies.
*Understanding of methodologies used to reverse-engineer undocumented protocols.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] Session Fixation - the Forgotten Vulnerability? ===

''Michael Schrank and Bastian Braun, University of Passau, and Martin Johns, SAP Research''

The term 'Session Fixation vulnerability' subsumes issues in Web applications that under certain circumstances enable the adversary to perform a session hijacking attack through ontrolling the victim's session identier value. We explore this vulnerability pattern. First, we give an analysis of the root causes and document existing attack vectors. Then we take steps to assess the current attack surface of Session Fixation. Finally, we present a transparent server-side method for mitigating vulnerabilities.

==== June 24 ====

{| style="width:80%" border="0" align="center"
|-
| colspan="4" align="center" style="background:#4058A0; color:white" | '''Conference Day 2 - June 24, 2010'''
[[Image:OWASP AppSec Research 2010 Research R.gif]] = Research paper [[Image:OWASP AppSec Research 2010 Demo D.gif]] = Demo [[Image:OWASP AppSec Research 2010 Presentation P.gif]] = Presentation

|-
| style="width:10%; background:#7B8ABD" |
| style="width:30%; background:#BC857A" | Track 1
| style="width:30%; background:#BCA57A" | Track 2
| style="width:30%; background:#99FF99" | Track 3
|-
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 08:00-08:50
| align="left" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Breakfast + Coffee
|-
| style="width:10%; background:#7B8ABD" | 09:00-10:00
| colspan="3" style="width:80%; background:rgb(252, 252, 150)" align="center" | [[#Keynote: The Security Development Lifecycle - The Creation and Evolution of a Security Development Process]] ''Steve Lipner, Senior Director of Security Engineering Strategy, Microsoft Corporation''
|-
| style="width:10%; background:#7B8ABD" | 10:10-10:45
| style="width:30%; background:#BC857A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#The Anatomy of Real-World Software Security Programs]]

''Pravir Chandra, Fortify''

| style="width:30%; background:#BCA57A" align="left" |
[[Image:OWASP AppSec Research 2010 Demo D.gif]] [[#Promon TestSuite: Client-Based Penetration Testing Tool]]

''Folker den Braber and Tom Lysemose Hansen, Promon''

| style="width:30%; background:#99FF99" align="left" |
[[Image:OWASP AppSec Research 2010 Research R.gif]] [[#A Taint Mode for Python via a Library]]

''Juan José Conti, Universidad Tecnológica Nacional Alejandro Russo, Chalmers Univ. of Technology''

|-
| style="width:10%; background:#7B8ABD" | 10:45-11:10
| colspan="3" style="width:90%; background:#C2C2C2" align="left" | Break - Expo - CTF, Coffee sponsor: [[Image:OWASP AppSec Research 2010 MyNethouse logo for program.png]]
|-
| style="width:10%; background:#7B8ABD" | 11:10-11:45
| style="width:30%; background:#BC857A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Microsoft's Security Development Lifecycle for Agile Development]]

''Nick Coblentz, OWASP Kansas City Chapter and AT&T Consulting''

| style="width:30%; background:#BCA57A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Detecting and Protecting Your Users from 100% of all Malware - How?]]

''Bradley Anstis and Vadim Pogulievsky, M86 Security''

| style="width:30%; background:#99FF99" align="left" |
[[Image:OWASP AppSec Research 2010 Research R.gif]] [[#OPA: Language Support for a Sane, Safe and Secure Web]]

''David Rajchenbach-Teller and François-Régis Sinot, MLstate''

|-
| style="width:10%; background:#7B8ABD" | 11:55-12:30
| style="width:30%; background:#BC857A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Secure Application Development for the Enterprise: Practical, Real-World Tips]]

''Michael Craigue, Dell''

| style="width:30%; background:#BCA57A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Responsibility for the Harm and Risk of Software Security Flaws]]

''Cassio Goldschmidt, Symantec''

| style="width:30%; background:#99FF99" align="left" |
[[Image:OWASP AppSec Research 2010 Research R.gif]] [[#Secure the Clones: Static Enforcement of Policies for Secure Object Copying]]

''Thomas Jensen and David Pichardie, INRIA Rennes - Bretagne Atlantique''

|-
| style="width:10%; background:#7B8ABD" | 12:30-13:45
| colspan="3" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF, '''Lunch break sponsoring position open''' ($4,000)
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:20
| style="width:30%; background:#BC857A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Product Security Management in Agile Product Management]]

''Antti Vähä-Sipilä, Nokia''

| style="width:30%; background:#BCA57A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Hacking by Numbers]]

''Tom Brennan, WhiteHat Security and OWASP Foundation ''

| style="width:30%; background:#99FF99" align="left" |
[[Image:OWASP AppSec Research 2010 Research R.gif]] [[#Safe Wrappers and Sane Policies for Self Protecting JavaScript]]

''Jonas Magazinius, Phu H. Phung, and David Sands, Chalmers Univ. of Technology''

|-
| style="width:10%; background:#7B8ABD" | 14:30-15:05
| style="width:30%; background:#BC857A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#OWASP_Top_10_2010]]

''Dave Wichers, Aspect Security and OWASP Foundation ''

| style="width:30%; background:#BCA57A" align="left" |
[[Image:OWASP AppSec Research 2010 Presentation P.gif]] [[#Application Security Scoreboard in the Sky]]

''Chris Eng, Veracode''

| style="width:30%; background:#99FF99" align="left" |
[[Image:OWASP AppSec Research 2010 Research R.gif]] [[#On the Privacy of File Sharing Services]]

''N Nikiforakis, F Gadaleta, Y Younan, and W Joosen, Katholieke Universiteit Leuven''

|-
| style="width:10%; background:#7B8ABD" | 15:05-15:30
| colspan="3" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF, '''Coffee break sponsoring position open''' ($2,000)
|-
| style="width:10%; background:#7B8ABD" | 15:30-16:00
| colspan="3" style="width:90%; background:#F2F2F2" align="center" | CTF Price Ceremony, Announcement of OWASP AppSec EU 2011, Closing Notes
|}
<center>
[[Image:AppSec Research 2010 Microsoft diamond sponsor.jpg|250px|Microsoft - Diamond Sponsor]] [[Image:AppSec Research 2010 Google 20k sponsor.jpg|150px|Google - Dinner Party and Expo Sponsor]] [[Image:Portwise logo.png|130px|PortWise - Gold and Badge Sponsor]] [[Image:Cybercom logo.png|100px|Cybercom - Gold Sponsor]] [[Image:Fortify logo AppSec Research 2010.png|120px|Fortify - Gold Sponsor]] [[Image:Omegapoint logo.png|110px|Omegapoint - Gold Sponsor]] [[Image:Mnemonic logo.png|100px|Mnemonic - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor Nixu logo.jpg|100px|NIXU - Silver Sponsor]] [[Image:Hps_logo.png|140px|High Performance Systems - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor F5 logo.jpg|70px|F5 - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor Imperva logo.jpg|100px|Imperva - Silver Sponsor]] [[Image:AppSec_Research_2010_sponsor_Promon_logo.jpg|100px|Promon - Silver Sponsor]] [[Image:IIS logo.png|100px|Stiftelsen för Internetinfrastruktur - Lunch Sponsor]] [[Image:MyNethouse logo.png|100px|MyNethouse - Coffee Break Sponsor]] [[Image:AppSec Research 2010 Help Net Security sponsor.jpg|100px|Help Net Security - Media Sponsor]] [[Image:TrustwaveLogo.jpg|100px|Trustwave - Notepad sponsor]]
</center>
== Keynote: The Security Development Lifecycle - The Creation and Evolution of a Security Development Process ==

[[Image:Appsec research 2010 invited talk 2.jpg]]

'''Steve Lipner''' Senior Director of Security Engineering Strategy, Trustworthy Computing Security, Microsoft Corporation. Co-author of "The Security Development Lifecycle", Microsoft Press (book cover above).

'''Abstract''' This keynote will review the evolution of the Security Development Lifecycle (SDL) from its origins in the Microsoft “security pushes” of 2002-3 through its current status and application in 2010. It will emphasize the aspects of change and change management as the SDL and its user community have matured and grown and will conclude with a summary of some recent changes and additions to the SDL. Specific topics to be addressed include:

*Motivations for introducing both the SDL and its predecessor processes.
*Considerations in selling the process to management and sustaining a mandate over a prolonged period.
*Scaling the SDL to an organization with tens of thousands of engineers.
*Managing change.
*The role of automation in the SDL.
*Adaptation of the SDL to agile development processes.
*Thoughts for organizations that are considering implementing the SDL.

The presentation will cover technical aspects of the SDL including a brief review of requirements and tools, and results.

'''Speaker Bio''' Steven B. Lipner is senior director of Security Engineering Strategy at Microsoft Corp where he is responsible for programs that provide improved product security for Microsoft customers. Lipner leads Microsoft’s Security Development Lifecycle (SDL) team and is responsible for the definition of Microsoft’s SDL and for programs to make the SDL available to organizations beyond Microsoft. Lipner is also responsible for Microsoft’s corporate strategies related to government security evaluation of Microsoft products.

Lipner is coauthor with Michael Howard of The Security Development Lifecycle (Microsoft Press, 2006) and is named as inventor on twelve U.S. patents and two pending applications in the field of computer and network security. He has authored numerous professional papers and conference presentations, and served on several National Research Council committees. He served two terms – a total of more than ten years – on the United States Information Security and Privacy Advisory Board and its predecessor. Lipner holds S.B. and S.M. degrees in Civil Engineering from the Massachusetts Institute of Technology and attended the Harvard Business School’s Program for Management Development.

== DAY 2, TRACK 1 ==

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] The Anatomy of Real-World Software Security Programs ===

''Pravir Chandra, Fortify''

Effectively reducing risk from software vulnerabilities remains a challenge for most organizations despite the existence of several secure SDLC models. From conducting technical assessments to earning management buy-in, there may not seem to be a lot of easy answers along the way, but experiences from the field shows that there is indeed hope. We've learned that the hard questions of "what", "when", and "how much" simply require the answers to be customized to each organization. Whether you’re a developer or a CISO, this talk will leave you with actionable advice that you can use to help take your software security assurance program to the next level.

To help organizations formulate their own solutions, we'll discuss several real-world examples of programs in action. From there, we’ll talk about lessons learned and introduce the ''Open Software Assurance Maturity Model'' (OpenSAMM), a flexible framework for building a balanced software security assurance program (OpenSAMM is an open and free OWASP project and more information is available at http://www.opensamm.org). Using the framework, attendees will learn how to self-assess their security activities and use available resources to drive improvement in small and measurable iterations. With time remaining, we’ll also discuss the latest work on the OpenSAMM project and how it relates to other modern approaches to building out assurance programs.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Microsoft's Security Development Lifecycle for Agile Development ===

''Nick Coblentz, OWASP Kansas City Chapter and AT&T Consulting''

Many development and security teams believe Agile development cannot be accomplished securely. During this presentation, Nick Coblentz will discuss the recent guidance from Microsoft that enables development teams to include secure development activities within their Agile processes without compromising features or functionality. Nick will also demonstrate ASP.NET libraries, strategies, and automated tools to reduce the effort required by developers.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Secure Application Development for the Enterprise: Practical, Real-World Tips ===

''Michael Craigue, Dell''

Dell has a reputation for IT simplification and a lean cost structure. We take the same approach with our application security program. This talk covers money-saving tips in the creation and evolution of Dell's Security Development Lifecycle, including risk assessments, security reviews, threat modeling, source code scans, awareness/training, application security user groups, security consulting staff development, and assurance scans/penetration testing. We’ll discuss how we have adapted our program to our IT, Product Group, and Services organizations.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Product Security Management in Agile Product Management ===

''Antti Vähä-Sipilä, Nokia''

This paper provides a model for product security risk management and security requirements elicitation in an agile product management framework, using the concepts of Scrum and an epics-based agile requirements model. The paper documents some real-life experiences of rolling out such a risk management model. The model addresses security threat analysis and risk acceptance, and is agnostic to the actual security engineering practices employed in the Scrum teams, and is scalable over large and small enterprises.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] OWASP Top 10 2010 ===

''Dave Wichers, Aspect Security and OWASP Foundation''

This presentation will cover the OWASP Top 10 - 2010 (final version). The OWASP Top 10 was originally released in 2003 to raise awareness of the importance of application security. As the field evolves, the Top 10 needs to be periodically updated to keep with up with the times. The Top 10 was updated in 2004 and the last update was in 2007, where it introduced Cross Site Request Forgery (CSRF) as the big new emerging web application security risk.

This update will be based on more sources of web application vulnerability information than the previous versions were when determining the new Top 10. It will also present this information in a more concise, compelling, and consumable manner, and include strong references to the many new openly available resources that can help address each issue, particularly OWASP's new Enterprise Security API (ESAPI) and Application Security Verification Standard (ASVS) projects.

A significant change for this update will be that the OWASP Top 10 will be focused on the Top 10 Risks to Web Applications, not just the most common vulnerabilities.

== DAY 2, TRACK 2 ==

=== [[Image:OWASP AppSec Research 2010 Demo word.gif]] Promon TestSuite: Client-Based Penetration Testing Tool ===

''Folker den Braber and Tom Lysemose Hansen, Promon''

Vulnerability analysis has a wide scope containing both social and technical aspects. An important part of technical vulnerability analysis consists of penetration testing. In most cases, penetration testing is focused on either server side or network layer vulnerabilities. In this demonstration we will have a closer look at vulnerability analysis on the client side, while demonstrating the use of the Promon Testuite testing tool.

Promon TestSuite is designed to use the same vectors as common malware but in a clear and visual way, with varying payloads to illustrate the security issues involved with giving injected code free access to a programs memory.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Detecting and Protecting Your Users from 100% of all Malware - How? ===

''Bradley Anstis and Vadim Pogulievsky, M86 Security''

100% Malware detection is the goal but is it really achievable? This session looks at the traditional Malware detection technologies and how well they perform today and then compares this to some newer approaches with demonstrations of Real-time code analysis and Behavioral Analysis technologies to see what is better or worse.

100% detection rates are the goal, but how close can we get with a single technology, or what combination of technologies can we use to get as close as possible?

This session is all about challenging the existing accepted practices for Malware protection. We want to open the minds of the attendees, encourage them to question existing solutions and the incumbent market leading vendors. We want you to also re-evaluate their environment to see if improvements can be made.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Responsibility for the Harm and Risk of Software Security Flaws ===

''Cassio Goldschmidt, Symantec Corp''

Who is responsible for the harm and risk of security flaws? The advent of worldwide networks such as the internet made software security (or the lack of software security) become a problem of international proportions. There are no mathematical/statistical risk models available today to assess networked systems with interdependent failures. Without this tool, decision-makers are bound to overinvest in activities that don’t generate the desired return on investment or under invest on mitigations, risking dreadful consequences. Experience suggests that no party is solely responsible for the harm and risk of software security flaws but a model of partial responsibility can only emerge once the duties and motivations of all parties are examine and understood.

State of the art practices in software development won’t guarantee products free of flaws. The infinite principles of mathematics are not properly implemented in modern computer hardware without having to truncate numbers and calculations. Many of the most common operating systems, network protocols and programming languages used today were first conceived without the basic principles of security in mind. Compromises are made to maintain compatibility of newer versions of these systems with previous versions. Evolving software inherits all flaws and risks that are present in this layered and interdependent solution. Lastly, there are no formal ways to prove software correctness using neither mathematics nor definitive authority to assert the absence of vulnerabilities. The slightest coding error can lead to a fatal flaw. Without a doubt, vulnerabilities in software applications will continue to be part of our daily lives for years to come.

Decisions made by adopters such as whether to install a patch, upgrade a system or employed insecure configurations create externalities that have implications on the security of other systems. Proper cyber hygiene and education are vital to stop the proliferation of computer worms, viruses and botnets. Furthermore, end users, corporations and large governments directly influence software vendors’ decisions to invest on security by voting with their money every time software is purchased or pirated.

Security researchers largely influence the overall state of software security depending on the approach taken to disclose findings. While many believe full disclosure practices helped the software industry to advance security in the past, several of the most devastating computer worms were created by borrowing from information detailed by researcher’s full disclosure. Both incentives and penalties were created for security researchers: a number of stories of vendors suing security researchers are available in the press. Some countries enacted laws banning the use and development of “hacking tools”. At the same time, companies such as iDefense promoted the creation of a market for security vulnerabilities providing rewards that are larger than a year’s worth of salary for a software practitioner in countries such as China and India.

Effective policy and standards can serve as leverage to fix the problem either by providing incentives or penalties. Attempts such PCI created a perverse incentive that diverted decision makers’ goals to compliance instead of security. Stiff mandates and ineffective laws have been observed internationally. Given the fast pace of the industry, laws to combat software vulnerabilities may become obsolete before they are enacted. Alternatively, the government can use its own buying power to encourage adoption of good security standards. One example of this is the Federal Desktop Core Configuration (FDCC).

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Hacking by Numbers ===

''Tom Brennan, WhiteHat Security and OWASP Foundation''

There is a difference between what is possible and what is probable, something we often lose sight of in the world of information security. For example, a vulnerability represents a possible way for an attacker to exploit an asset, but remember not all vulnerabilities are created equal. Obviously we must also keep in mind that just because a vulnerability exists does not necessarily mean it will be exploited, or indicate by whom or to what extent. Clearly, many vulnerabilities are very serious leaving the door open to compromise of sensitive information, financial loss, brand damage, violation of industry regulations, and downtime. Some vulnerabilities are more difficult to exploit than others and therefore attract different attackers. Autonomous worms & viruses may attack one type of issue, while a sentient targeted attacker may prefer another path. Better understanding of these factors enables us to make informed business decisions about website risk management and what is probable.

=== [[Image:OWASP AppSec Research 2010 Presentation word.gif]] Application Security Scoreboard in the Sky ===

''Chris Eng, Veracode''

This presentation will discuss vulnerability metrics gathered from real-world applications. The statistics are derived from continuously updated data collected by Veracode’s cloud-based code analysis service. The anonymized data represents a total of nearly 1,600 applications submitted for analysis by large and small companies, commercial software providers, open source projects, and software outsourcers between February 2007 and January 2010. This is the first vulnerability analytics study of this magnitude that incorporates data from both static analysis and dynamic analysis.

We will compare the relative security of applications by industry and origin, and we will examine detailed vulnerability distribution data in the context of taxonomies such as the OWASP Top Ten and the CWE/SANS Top 25 Programming Errors.

== DAY 2, TRACK 3 ==

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] A Taint Mode for Python via a Library ===

''Juan José Conti, Universidad Tecnológica Nacional, and Alejandro Russo, Chalmers University of Technology''

Vulnerabilities in web applications present threats to on-line systems. SQL injection and cross-site scripting attacks are among the most common threats found nowadays. These attacks are often result of improper or none input validation. To help discover such vulnerabilities, taint analyses have been developed in popular web scripting languages like Perl, Ruby, PHP, and Python. Such analysis are often implemented as an execution monitor, where the interpreter needs to be adapted to provide a taint mode. However, modifying interpreters might be a major task in its own right. In fact, it is very probably that new releases of interpreters require to be adapted to provide a taint mode. Differently from previous approaches, we show how to provide a taint analysis for Python via a library written entirely in Python, and thus avoiding modifications in the interpreter. The concepts of classes, decorators and dynamic dispatch makes our solution lightweight, easy to use, and particularly neat. With minimal or none effort, the library can be adapted to work with different Python interpreters.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] OPA: Language Support for a Sane, Safe and Secure Web ===

''David Rajchenbach-Teller and François-Régis Sinot, MLstate''

Web applications and services have critical needs in terms of safety, security and privacy: they need to remain available constantly and can at any time be the object of attacks by malicious and anonymous distant users attempting to take control, alter data or steal it, or cause unwanted behaviors. Unfortunately, recent history shows numerous cases of popular web applications falling victim to such attacks, despite careful attempts to secure them.

In this paper, we introduce OPA (One Pot Application), a new platform designed to make web development sane, safe and secure. OPA provides an integrated methodology where the complete application is written with one simple language with consistent semantics, enforces safe use of the infrastructure through compile-time static checking and a novel programming paradigm suited to the web and encourages correct-by-construction development.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] Secure the Clones: Static Enforcement of Policies for Secure Object Copying ===

''Thomas Jensen and David Pichardie, INRIA Rennes - Bretagne Atlantique''

Exchanging mutable data objects with untrusted code is a delicate matter because of the risk of creating a data space that is accessible by both a code and an attacker. Consequently, secure programming guidelines for Java stress the importance of using defensive copying before accepting or handing out references to an internal mutable object. However, implementation of a copy method (like clone()) is entirely left to the programmer. It may not provide a sufficiently deep copy of an object and is subject to overriding by a malicious sub-class. Currently no language-based mechanism supports secure object cloning.

This paper proposes a type-based annotation system for defining modular cloning policies for class-based object-oriented programs. It provides a static enforcement mechanism that will guarantee that all classes fulfill their copying policy, even in the presence of overriding of copy methods, and establishes the semantic correctness of the overall approach.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] Safe Wrappers and Sane Policies for Self Protecting JavaScript ===

''Jonas Magazinius, Phu H. Phung, and David Sands, Chalmers Univ. of Technology''

Phung et al (ASIACCS’09) describe a method for wrapping built-in methods of JavaScript programs in order to enforce security policies. The method is appealing because it requires neither deep transformation of the code nor browser modification. Unfortunately the implementation outlined suffers from a range of vulnerabilities, and policy construction is restrictive and error prone. In this paper we address these issues to provide a systematic way to avoid the identified vulnerabilities, and make it easier for the policy writer to construct declarative policies – i.e. policies upon which attacker code has no side effects.

=== [[Image:OWASP AppSec Research 2010 Research word.gif]] On the Privacy of File Sharing Services ===

''Nick Nikiforakis, Francesco Gadaleta, Yves Younan, and Wouter Joosen, Katholieke Universiteit Leuven''

File sharing services are used daily by tens of thousands of people as a way of sharing files. Almost all such services, use a security-through-obscurity method of hiding the files of one user from others. For each uploaded file, the user is given a secret URL which supposedly cannot be guessed. The user can then share his uploaded file by sharing this URL with other users of his choice. Unfortunately though, a number of file sharing services are incorrectly implemented allowing an attacker to guess valid URLs of millions of files and thus allowing him to enumerate their file database and access all of the uploaded files. In this paper, we study some of these services and we record their incorrect implementations. We design automatic enumerators for two such services and a privacy-classifying module which characterises an uploaded file as private or public. Using this technique we gain access to thousands of private files ranging from private and company documents to personal photographs. We present a taxonomy of the private files found and ways that the users and services can protect themselves against such attacks.

==== Registration ====

== Registration is open ==

'''[http://guest.cvent.com/i.aspx?4W%2cM3%2c717e8a7c-4453-47ff-addb-721306529534 Click Here To Register]'''

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accommodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

== Stay Informed ... and Tell Others ==

[https://lists.owasp.org/mailman/listinfo/appsec_eu_2010 Subscribe to the conference '''mailing list''']. This is the official information channel and you'll be sure to get any updates and practical info before the conference.

[http://events.linkedin.com/OWASP-AppSec-Research-2010/pub/185990 Add the event to your '''LinkedIn''' profle] to tell all your business contacts that AppSec Research 2010 is the place to be.

Then get on the '''Twitter''' stream by using the tags '''#OWASP''' and '''#AppSecEU'''.

== Conference Fees (June 23-24) ==

*Regular registration: €350
*OWASP individual member (not just chapter member): €300
*Full-time students*: €225

<nowiki>*</nowiki> We need some kind of proof of your full-time student status. Either ask your local OWASP chapter leader to vouch for you by email to Kate.Hartmann@owasp.org, or email Kate a scanned image of your student ID (please compress the file size :).

== Training Fee (June 21-22) ==

*Training fee is €990 for two days, see Training tab above

==== Practical Info ====

== Tailor-Made Visitors' Guide ==

We have tailor-made a 15-page visitors' guide to the conference and Stockholm. With this guide you'll know how to get to and from the airport, find your way to the hotel and conference, know where good bars are, know when and how to tip etc. Check it out! [http://www.owasp.org/images/e/eb/OWASP_AppSec_Research_2010_Visitors_Guide_A4.pdf pdf]

== Swedish Wall Plugs ==

This is how Swedish wall plugs look like (image below). The left one is not grounded and the right one is, having small metal connectors on the sides. Be sure to bring adapters, for instance like [http://international-electrical-supplies.com/sweden-plug-adapters.html these], if your's look different.

[[Image:Swedish_wall_plugs.jpg]]

== Weather Forecast ==

YR.no has good coverage of the weather in Stockholm. Checkit out [http://www.yr.no/place/Sweden/Stockholm/Stockholm/ here].

== Travel ==

Stockholm's foremost international airport is Arlanda (ARN). Clean and convenient speed trains will take you between Arlanda and Stockholm Central in 20 minutes. You can also fly to Stockholm Skavsta (NYO) or Stockholm Västerås (VST) where coaches take you to Stockholm Central in 1 h 20 min.

== Accommodation ==

You can choose hotel/hostel freely in Stockholm but we provided three suggestions with pre-booked rooms so many OWASPers are staying there. '''Check with sites like [http://www.hotels.com hotels.com] since they might have better prices than the hotels state themselves!'''

[[Image:Stockholm map with hotels and public transportation.jpg]]

Subways and buses are convenient and safe and will take you right up to the venue (station/stop "Universitetet") from these three hotels:

'''Best Western Time Hotel''' Why? Closest to the university, direct bus or subway to the conference [http://www.timehotel.se/index.aspx?languageID=5 Best Western Time Hotel] Single room: 1395 SEK/€145/$195 Double room: 1575 SEK/€160/$220 (Rooms were pre-booked until May 18 under code "G#73641 OWASP") 

'''Scandic Continental''' Why? Right at the Central Station, convenient travel to and from airport, direct subway to the conference [http://www.scandichotels.com/en/Hotels/Countries/Sweden/Stockholm/Hotels/Scandic-Continental-Stockholm/ Scandic Continental] Single room: 1590 SEK/€165/$220 Double room: 1690 SEK/€175/$235 (Rooms were pre-booked until early May under code "OWASP") 

'''Fridhemsplan's Hostel''' Why? Affordable stay in Stockholm's nicest hostel, direct bus to the conference [http://fridhemsplan.se/?p=Main&c= Fridhemsplan's Hostel] Rooms cost €35-€55 ($50-$80) Book directly with them through their webpage.

==== Social Events ====

== Official Meet Up at "Mosebacke", Tuesday, June 22 ==
Regardless whether you're one of the lucky ones who will attend training or you'll just attend the conference you are invited to join us at "Mosebacke" on the evening the 22nd. Mosebacke is one of Stockholm's older establishments and is beautifully situated in the south of Stockholm city (only 2 subway stations from Central Station). The official meet up time is 20:00 CEST. We plan on beverage only, but for those who don't mind spending a little extra money on food, you can reserve a table for early evening by calling +46 8 556 098 90 during 2 pm - 5 pm (work days) or with some luck by e-mailing to mosebacke@mosebacke.se.

How will you recognize all the other OWASPers? Some of us will have OWASP-branded grey caps, some you met earlier, some you recognize from pictures, and if you hear any non-Swedish speaking male I guess chances are they're just like you - here for the AppSec conference :).

'''What''': Informal gathering, beer etc. 
'''When''': 8 pm CEST 
'''Where''': Mosebacke, Mosebacke Torg 3 [http://maps.google.se/maps?f=q&source=s_q&hl=sv&geocode=&q=Mosebacke+Etablissement,+Stockholm&sll=59.320492,18.074398&sspn=0.024831,0.077162&gl=se&ie=UTF8&hq=Mosebacke&hnear=Mosebacke,+Mosebacke+Torg+3,+116+46+Stockholm&ll=59.320492,18.074398&spn=0.024831,0.077162&t=h&z=14&iwloc=A Google Maps] 
'''How to get there''': Subway to "Slussen" (2 stops from "T-centralen"), best exit towards "Götgatan". Walk upwards but take the first left to "Hökens gata". Straight up on that one. 
'''How to get there + short sightseeing''': Walk from "T-centralen" along "Drottninggatan" towards Old Town, then towards Slussen and Götgatan. Takes about 30 minutes. 

Hope to meet you there!

== Gala Dinner at City Hall, Wednesday, June 23 ==
All two-day conference attendees including sponsors are welcome to the official AppSec Gala Dinner at Stockholm City Hall on Wednesday June 23rd. We start with a drink at 6:30 pm and sit down for a three course dinner with entertainment at 7 pm. Don't be late.

'''What''': Gala dinner, three course dinner with entertainment 
'''Clothes''': Nice pants/trousers + shirt or a suit is appropriate for men. Women have so many more choices so we opt-out of any suggestions. :) 
'''When''': 6:30 pm CEST 
'''Where''': City Hall, Ragnar Östbergs plan 1 [http://maps.google.se/maps?um=1&ie=UTF-8&q=stadshuset&fb=1&gl=se&hq=stadshuset&hnear=Stockholm&cid=0,0,15456533754099492758&ei=t8wYTJ7IGd6jOJqd6aEL&sa=X&oi=local_result&ct=image&resnum=1&ved=0CB0QnwIwAA Google Maps] 
'''How to get there''': Walk from Central Station / "T-centralen"). Takes about 10 minutes. Or take a taxi/cab and tell the driver "City Hall, please" 

Whatever you do, don't skip the gala dinner!

==== Venue ====

The venue for both training and conference is Aula Magna at Stockholm University.

'''Address''' (for instance for deliveries): 
Aula Magna 
Stockholms universitet 
Frescativägen 6 
SE-106 91 Stockholm 
Sweden 

[[Image:AppSec Research 2010 Aula Magna.jpg]]

==== Sponsoring ====
<center>
[[Image:AppSec Research 2010 Microsoft diamond sponsor.jpg|250px|Microsoft - Diamond Sponsor]] [[Image:AppSec Research 2010 Google 20k sponsor.jpg|150px|Google - Dinner Party and Expo Sponsor]] [[Image:Portwise logo.png|130px|PortWise - Gold and Badge Sponsor]] [[Image:Cybercom logo.png|100px|Cybercom - Gold Sponsor]] [[Image:Fortify logo AppSec Research 2010.png|120px|Fortify - Gold Sponsor]] [[Image:Omegapoint logo.png|110px|Omegapoint - Gold Sponsor]] [[Image:Mnemonic logo.png|100px|Mnemonic - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor Nixu logo.jpg|100px|NIXU - Silver Sponsor]] [[Image:Hps_logo.png|140px|High Performance Systems - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor F5 logo.jpg|70px|F5 - Silver Sponsor]] [[Image:AppSec Research 2010 sponsor Imperva logo.jpg|100px|Imperva - Silver Sponsor]] [[Image:AppSec_Research_2010_sponsor_Promon_logo.jpg|100px|Promon - Silver Sponsor]] [[Image:IIS logo.png|100px|Stiftelsen för Internetinfrastruktur - Lunch Sponsor]] [[Image:MyNethouse logo.png|100px|MyNethouse - Coffee Break Sponsor]] [[Image:AppSec Research 2010 Help Net Security sponsor.jpg|100px|Help Net Security - Media Sponsor]] [[Image:TrustwaveLogo.jpg|100px|Trustwave - Notepad sponsor]]
</center>
We are still welcoming sponsors for OWASP AppSec Research 2010. Take the opportunity to support this year's major appsec event in Europe! The full sponsoring program is available as pdfs:

Sponsoring program in English: [[Image:OWASP Sponsorship AppSec Research 2010 (eng).pdf]]

Sponsoring program in Swedish: [[Image:OWASP Sponsorship AppSec Research 2010 (swe).pdf]]

==== Challenges ====

=== Countdown Challenges -- Free Tickets to Win! ===

There will be a challenge posted on the conference wiki page the 21st every month up until the event. The winner will get free entrance to the conference. Be sure to sign up for [https://lists.owasp.org/mailman/listinfo/appsec_eu_2010 the conference mailing list] to get a monthly reminder.

== AppSec Research Final Challenge: Internet Treasure Hunt ==

It's May 21st, one month to AppSec Research 2010, and '''the last chance to win a free ticket''' to this year's number one conference in appsec.

'''The Treasure Hunt in a Nutshell''' 
Your mission is to find several small AppSec Research logotypes hidden among the websites of our sponsors and hosts. Every logo found is associated with a keyword (a dictionary word) in some way. When you've found all the keywords you email them to us.

[[Image:Owasp_appsec_research_2010_logo_by_daniel_kozlowski.jpg|40px|OWASP AppSec Research 2010 logo by Daniel Kozlowski]]

'''Instructions''' 
* Please don't do anything malicious during your hunt. And don't produce considerable load on the websites. You should be able to find the keywords anyway :).
* To check if you found all keywords you compare the md5 of all keywords concatenated in alphabetical order with this hash: 1a7b54ba9cee6cccd9890e7800b83208
* You can calculate the hash by doing the following in a shell: echo "Keywords concatenated in alphabetical order" | md5
* To ensure your hash function produces the same as our you can try: echo "owasp" | md5 ... which should result in the hash 2bdce47b1a6c527b134d4b658b033702

'''How to Win''' 
To win you email all keywords (not the hash) concatenated in alphabetical order to stefan dot pettersson at owasp dot org. Stefan will let you know if you were the first one with the correct answer!

'''Example:''' 
* You found three logos and the keywords were: golf, king, apple
* You calculate the hash by doing: echo "applegolfking" | md5
* If the hash matches 1a7b54ba9cee6cccd9890e7800b83208 you email applegolfking to Stefan.

Let the best hunter win!

 <headertabs />

2008-12-04T11:07:24Z

Ivanr: /* Future Events */

{{Chapter Template|chaptername=London|extra=The chapter leader is Ivan Ristic (since Apr 2007)|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}

<paypal>London</paypal>

== Future Events ==

* '''Thursday, December 4th'''

** '''Location''': KPMG, 39th Floor, One Canada Sq, E14 5AG, starting at '''6.30pm''' (arrive between 6.00pm and 6.30pm), ending by 8.30pm. KMPG are sponsoring the meeting. Complementary drinks will be provided. '''IMPORTANT: You must RSVP (by sending an email to ivanr AT webkreator DOT com) if you want to attend.'''

'''Justin Clarke: SQL Injection Worms for Fun and Profit''' ([[Image:SPF.png|PPT]])

Earlier this year the first (publicly known) SQL Injection worm
appeared. This worm used SQL Injection to insert malicious scripting
tags into the pages of over 90,000 sites that were vulnerable to SQL
injection.

Yet the exploit vector was fairly innocuous, easy to clean up, and easy
to block. In other words, very much version 0.1 of what a SQL Injection
worm can achieve.

This talk is going to discuss how far the rabbit hole can go with SQL
injection based worms, including full compromise of the server OS, and
why we should be worried by what is going to be coming next out of
Russia/China/wherever, including a live demo of a proof of concept SQL
injection worm, "weaponized".

'''Dinis Cruz: OWASP Summit 2008 Report'''

The [http://www.owasp.org/index.php/OWASP_EU_Summit_2008 OWASP Summit 2008] has been a great success. Dinis, also known as Chief OWASP Evangelist, is going to tell us what we've missed.

'''Justin Clarke: Protecting Vulnerable Applications with IIS7'''

With the advent of IIS7 and its modular design, Microsoft has provided
the ability to easily integrate custom ASP.NET HttpModules into the IIS7
request-handling pipeline. This session will present an IIS7 module
designed to leverage this architecture to actively and dynamically
protect web applications from attack. With minimal configuration, the
module can be used to protect virtually any application running on the
web server, including non-ASP.NET applications (such as those written in
PHP, Cold Fusion, or classic ASP).

This presentation will outline the overall design and architecture of
the module, including a detailed explanation of available features and
attack defense techniques. The session will focus on live demonstrations
of how the module can easily be installed to protect already-deployed
applications and how it can block both traditional web application
attacks, such as SQL injection and Cross-Site Scripting, and
application-specific vulnerabilities like parameter manipulation and
authorization attacks.

'''About Justin:'''

Justin is a Principal Consultant with Gotham Digital Science. He is the
co-author of "Network Security Tools" (O'Reilly, 2005), a contributing
author to "Network Security Assessment" (O'Reilly, 2007), and has spoken
at Blackhat, EuSecWest, RSA, and OSCON in the past. He has over 10 years
of security testing and consulting experience in network, application,
source code and wireless testing work for some of the largest commercial
and government organizations in the United States, United Kingdom, and
New Zealand. Justin is active in developing security tools for
penetrating and defending applications, servers, and wireless networks
(e.g. SQLBrute), and as a compulsive tinkerer he can't leave anything
alone without at least trying to see how it works.

== Past Events ==

* '''Thursday, September 4th'''

** '''Location''': KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks and snacks will be provided.

'''James Fisher: DirBuster & Beyond''' ([https://www.owasp.org/images/f/f4/DirBuster_OWASP-London_September-2008.pdf PDF])

An introduction to the DirBuster project, detailing how it works, what it can do for you, and the direction it will be taking in the future. Followed by an introduction to my unreleased project FuzzBuster, showing why it's different to other HTTP fuzzes out there.

'''Yiannis Pavlosoglou: JBroFuzz'''

[Summary will be updated if I get it from Yiannis, but you can always go to the [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz project homepage] for more information.

* '''Thursday, July 24th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18:30 Arrive and make yourselves comfortable.
** 19:00 Dinis Cruz: What is going on at OWASP?
** 19:20 Colin Watson: Nominet Best Practices Award briefing ([https://www.owasp.org/images/6/69/Owasp-london-bestpractice2008.pdf PDF])
** 19:45 Dennis Hurst: AJAX / Web 2.0 / WebServices security concerns ([https://www.owasp.org/images/9/90/Testing_Finance_2_June_2008.pdf PDF])
** 20:30 Dinis Cruz: Building a tool for Security consultants: A story of a customized source code scanner
** 21:15 Ivan Ristic: Evaluation Criteria for Web Application Firewalls ([http://www.owasp.org/images/f/f4/AppSecEU08_Evaluation_Criteria_for_Web_Application_Firewalls.pdf PDF]) (talk from the recent OWASP AppSec Europe conference in Ghent).

* '''Thursday, April 3rd'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://www.withdk.com/archives/PHP%20Code%20Analysis-%20Real%20World%20Examples.pdf PHP Code Analysis: Real World Examples] (David Kierznowski)
** 20h00 [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse_attacks.pdf Abusing PHP sockets for fun and profit] (Rodrigo Marcos; also available: [http://www.secforce.co.uk/research/socket_reuse/socket_attack.zip source code], [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse.html Flash demo])
** 20h45 Web Application Security Badges (Colin Watson) - [[Media:owasp-london-security-badges.pdf|PDF]]
** 21h00 Discussion: OWASP [http://www.nic.uk/about/bestpracticechallenge/ Best Practice Challenge 2008 nomination].
** 21h30 End.

* '''Thursday, December 6th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 Adrian Pastor: Cracking into embedded devices and beyond! ([[Media:Cracking-into-embedded-devices-and-beyond.pdf]])
** 19h45 Rodrigo Marcos: Blind SQL Injection: Optimization Techniques ([http://www.gnucitizen.org/blog/security-and-hacking-scene-in-london/BlindSQLinjection.ppt PPT]).
** 20h15 OWASP London Chapter (discussion).
** 20h45 PDP: Client-Side Security (discussion).
** 21h30 End.

* '''Wednesday, September 5th''' (participating in the [[OWASP Day]] event). Read meeting notes [https://lists.owasp.org/pipermail/owasp-london/2007-September/000187.html here].
** Location: Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsored the meeting by paying for the costs of the venue.

* '''Programme''':
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://gnucitizen.org/about/pdp Petko D. Petkov], a.k.a pdp (architect), founder of the [http://gnucitizen.org GNUCITIZEN] group: [http://www.owasp.org/index.php/Belgium#For_my_next_trick..._hacking_Web2.0_.28pdp.29 For my next trick... hacking Web2.0].
** 20h00 Discussion: "Privacy in the 21st Century?", moderator: Ivan Ristic.
** 21h00 Discussion: "Future of the OWASP London Chapter".
** 21h30 End

* '''Thursday 22nd March'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** [[Mark O'Neill]] "Security Vulnerabilities in AJAX and Web 2.0" - 60 m
** [[Dinis Cruz]] "OWASP Spring of Code and Owasp world update " - 30 m

* '''Thursday 22nd February'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** by '''Dinis Cruz (Chief OWASP Evangelist)''' :
*** '''OWASP, the Open Web Application Security Project''' 30m - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
*** '''Buffer Overflows on .Net and Asp.Net''' 30m - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
*** '''0wning Vista's userland - The CAS / UAC missed opportunity , and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.
** by '''Ivan Ristic''':
*** '''ModSecurity''' - 30m

* '''Schedule''':
** 6pm - 7pm arrive and grab a drink
** 7:00 - '''OWASP, the Open Web Application Security Project''', Dinis Cruz
** 7:45 - '''ModSecurity''', Ivan Ristic
** 8:15 - '''Buffer Overflows on .Net and Asp.Net''', Dinis Cruz
** 8:50 - 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done, Dinis Cruz
** 9:00 - Dinner

== Other Activities ==

*'''16th October 2008 - COI Browser Standards for Public Websites'''

The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).

[[Category:United Kingdom]]

2008-10-17T09:51:00Z

Ivanr: /* Past Events */

{{Chapter Template|chaptername=London|extra=The chapter leader is Ivan Ristic (since Apr 2007)|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}

<paypal>London</paypal>

== Future Events ==

* '''Thursday, December 4th'''

** '''Location''': KPMG, 39th Floor, One Canada Sq, E14 5AG, starting at '''6.30pm''' (arrive between 6.00pm and 6.30pm), ending by 8.30pm. KMPG are sponsoring the meeting. Complementary drinks will be provided. '''IMPORTANT: You must RSVP if you want to attend.'''

'''Justin Clarke: SQL Injection Worms for Fun and Profit'''

Earlier this year the first (publicly known) SQL Injection worm
appeared. This worm used SQL Injection to insert malicious scripting
tags into the pages of over 90,000 sites that were vulnerable to SQL
injection.

Yet the exploit vector was fairly innocuous, easy to clean up, and easy
to block. In other words, very much version 0.1 of what a SQL Injection
worm can achieve.

This talk is going to discuss how far the rabbit hole can go with SQL
injection based worms, including full compromise of the server OS, and
why we should be worried by what is going to be coming next out of
Russia/China/wherever, including a live demo of a proof of concept SQL
injection worm, "weaponized".

'''Justin Clarke: Protecting Vulnerable Applications with IIS7'''

With the advent of IIS7 and its modular design, Microsoft has provided
the ability to easily integrate custom ASP.NET HttpModules into the IIS7
request-handling pipeline. This session will present an IIS7 module
designed to leverage this architecture to actively and dynamically
protect web applications from attack. With minimal configuration, the
module can be used to protect virtually any application running on the
web server, including non-ASP.NET applications (such as those written in
PHP, Cold Fusion, or classic ASP).

This presentation will outline the overall design and architecture of
the module, including a detailed explanation of available features and
attack defense techniques. The session will focus on live demonstrations
of how the module can easily be installed to protect already-deployed
applications and how it can block both traditional web application
attacks, such as SQL injection and Cross-Site Scripting, and
application-specific vulnerabilities like parameter manipulation and
authorization attacks.

'''About Justin:'''

Justin is a Principal Consultant with Gotham Digital Science. He is the
co-author of "Network Security Tools" (O'Reilly, 2005), a contributing
author to "Network Security Assessment" (O'Reilly, 2007), and has spoken
at Blackhat, EuSecWest, RSA, and OSCON in the past. He has over 10 years
of security testing and consulting experience in network, application,
source code and wireless testing work for some of the largest commercial
and government organizations in the United States, United Kingdom, and
New Zealand. Justin is active in developing security tools for
penetrating and defending applications, servers, and wireless networks
(e.g. SQLBrute), and as a compulsive tinkerer he can't leave anything
alone without at least trying to see how it works.

== Past Events ==

* '''Thursday, September 4th'''

** '''Location''': KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks and snacks will be provided.

'''James Fisher: DirBuster & Beyond''' ([https://www.owasp.org/images/f/f4/DirBuster_OWASP-London_September-2008.pdf PDF])

An introduction to the DirBuster project, detailing how it works, what it can do for you, and the direction it will be taking in the future. Followed by an introduction to my unreleased project FuzzBuster, showing why it's different to other HTTP fuzzes out there.

'''Yiannis Pavlosoglou: JBroFuzz'''

[Summary will be updated if I get it from Yiannis, but you can always go to the [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz project homepage] for more information.

* '''Thursday, July 24th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18:30 Arrive and make yourselves comfortable.
** 19:00 Dinis Cruz: What is going on at OWASP?
** 19:20 Colin Watson: Nominet Best Practices Award briefing ([https://www.owasp.org/images/6/69/Owasp-london-bestpractice2008.pdf PDF])
** 19:45 Dennis Hurst: AJAX / Web 2.0 / WebServices security concerns ([https://www.owasp.org/images/9/90/Testing_Finance_2_June_2008.pdf PDF])
** 20:30 Dinis Cruz: Building a tool for Security consultants: A story of a customized source code scanner
** 21:15 Ivan Ristic: Evaluation Criteria for Web Application Firewalls ([http://www.owasp.org/images/f/f4/AppSecEU08_Evaluation_Criteria_for_Web_Application_Firewalls.pdf PDF]) (talk from the recent OWASP AppSec Europe conference in Ghent).

* '''Thursday, April 3rd'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://www.withdk.com/archives/PHP%20Code%20Analysis-%20Real%20World%20Examples.pdf PHP Code Analysis: Real World Examples] (David Kierznowski)
** 20h00 [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse_attacks.pdf Abusing PHP sockets for fun and profit] (Rodrigo Marcos; also available: [http://www.secforce.co.uk/research/socket_reuse/socket_attack.zip source code], [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse.html Flash demo])
** 20h45 Web Application Security Badges (Colin Watson) - [[Media:owasp-london-security-badges.pdf|PDF]]
** 21h00 Discussion: OWASP [http://www.nic.uk/about/bestpracticechallenge/ Best Practice Challenge 2008 nomination].
** 21h30 End.

* '''Thursday, December 6th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 Adrian Pastor: Cracking into embedded devices and beyond! ([[Media:Cracking-into-embedded-devices-and-beyond.pdf]])
** 19h45 Rodrigo Marcos: Blind SQL Injection: Optimization Techniques ([http://www.gnucitizen.org/blog/security-and-hacking-scene-in-london/BlindSQLinjection.ppt PPT]).
** 20h15 OWASP London Chapter (discussion).
** 20h45 PDP: Client-Side Security (discussion).
** 21h30 End.

* '''Wednesday, September 5th''' (participating in the [[OWASP Day]] event). Read meeting notes [https://lists.owasp.org/pipermail/owasp-london/2007-September/000187.html here].
** Location: Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsored the meeting by paying for the costs of the venue.

* '''Programme''':
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://gnucitizen.org/about/pdp Petko D. Petkov], a.k.a pdp (architect), founder of the [http://gnucitizen.org GNUCITIZEN] group: [http://www.owasp.org/index.php/Belgium#For_my_next_trick..._hacking_Web2.0_.28pdp.29 For my next trick... hacking Web2.0].
** 20h00 Discussion: "Privacy in the 21st Century?", moderator: Ivan Ristic.
** 21h00 Discussion: "Future of the OWASP London Chapter".
** 21h30 End

* '''Thursday 22nd March'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** [[Mark O'Neill]] "Security Vulnerabilities in AJAX and Web 2.0" - 60 m
** [[Dinis Cruz]] "OWASP Spring of Code and Owasp world update " - 30 m

* '''Thursday 22nd February'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** by '''Dinis Cruz (Chief OWASP Evangelist)''' :
*** '''OWASP, the Open Web Application Security Project''' 30m - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
*** '''Buffer Overflows on .Net and Asp.Net''' 30m - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
*** '''0wning Vista's userland - The CAS / UAC missed opportunity , and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.
** by '''Ivan Ristic''':
*** '''ModSecurity''' - 30m

* '''Schedule''':
** 6pm - 7pm arrive and grab a drink
** 7:00 - '''OWASP, the Open Web Application Security Project''', Dinis Cruz
** 7:45 - '''ModSecurity''', Ivan Ristic
** 8:15 - '''Buffer Overflows on .Net and Asp.Net''', Dinis Cruz
** 8:50 - 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done, Dinis Cruz
** 9:00 - Dinner

[[Category:United Kingdom]]

2008-10-03T08:44:38Z

Ivanr:

OWASP Israel 2008 Conference at the Interdisciplinary Center Herzliya (IDC)

2008-09-22T16:07:00Z

Ivanr: /* Agenda */

{{Template:OWASP_IL_2008_Sponsors}}

The OWASP Israel 2008 conference was held on September 14th at the Interdisciplinary Center Herzliya with 250 attendees. The agenda of the full day two track event can be found below.

== Agenda ==

{| class="wikitable" <hiddentext>generated with [[:de:Wikipedia:Helferlein/VBA-Macro for EXCEL tableconversion]] V1.7<\hiddentext>
|- style="font-size:11pt"
|style="color:#1F497D" width="68" height="15" align="right" valign="top" | 8:30-9:00
| width="291" valign="top" | Gathering and Socializing
| width="296" valign="top" |  

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" | 9:00-9:15
| valign="top" | Opening words by Ofer Shezaf, OWASP Israel founder
| valign="top" |  

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" |  
| valign="top" |  
| valign="top" |  

|- style="font-size:11pt;font-weight:bold"
|style="color:#1F497D" height="15" align="right" valign="top" |  
| valign="top" | Room #1
| valign="top" | Room #2

|- style="font-size:11pt;font-weight:bold"
|style="color:#1F497D" height="15" align="right" valign="top" |  
| valign="top" | Management Track
| valign="top" | Fundamentals Track

|- style="font-size:11pt"
|style="color:#1F497D" height="45" align="right" valign="top" | 9:15-10:00
| valign="top" | [[OWASP_Israel_2008_Conference_Amichai_Shulman|Web Application Security and Search Engines – Beyond Google Hacking]] ([[Media:OWASP_IL_2008_Amichai_Shulman_BeyondGoogleHackingn.ppt‎|download ppt)]] Amichai Shulman, Imperva
| valign="top" | [[OWASP_Israel_2008_Conference_Maty_Siman|Application Security - The code analysis way]] Maty Siman, Checkmark

|- style="font-size:11pt"
|style="color:#1F497D" height="45" align="right" valign="top" | 10:00-10:45
| valign="top" | [[OWASP_Israel_2008_Conference_Ivan_Ristic|No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling] ([[Media:OWASP_Israel_2008-Ristic-Shezaf-ModProfiler.pdf|download PDF]]) Ivan Ristic, Breach Security
| valign="top" | [[OWASP_Israel_2008_Conference_Adi_Sharabani|Black Box vs. White Box - pros and cons]] ([[Media:OWASP_IL_2008_Sharabani_BlackBox_Vs_WhiteBox.ppt‎|download ppt]]) Adi Sharabani & Yinnon Haviv, IBM

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" | 10:45-11:00
| valign="top" colspan="2"| Break

|- style="font-size:11pt"
|style="color:#1F497D" height="30" align="right" valign="top" | 11:00-11:45
| valign="top" | [[AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008|Trends in Web Hacking: What's hot in 2008]] ([[Media:AppSecEU2008-WHID.ppt|download ppt]]) Ofer Shezaf, Breach Security
| valign="top" | [[OWASP_Israel_2008_Conference_David_Movshovitz|AJAX - new technologies new threats]] ([[Media:OWASP IL 2008 David Movshovitz AJAX.ppt|download ppt]]) Dr. David Movshovitz, IDC

|- style="font-size:11pt"
|style="color:#1F497D" height="30" align="right" valign="top" | 11:45-12:30
| valign="top" | [[OWASP_Israel_2008_Conference_Ofer_Maor|Testing the Tester – Measuring Quality of Security Testing]] Ofer Maor, Hacktics
| valign="top" | [[OWASP_Israel_2008_Conference_Yuli_Stremovsky|GreenSQL - an open source database security gateway]] ([[Media:OWASP_IL_2008_Yuli_Stremovsky.GreenSQL_Database_Firewall.ppt‎|download ppt]]) Yuli Stremovsky

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" | 12:30-13:15
| valign="top" colspan="2"| Lunch

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" |  
| valign="top" |  
| valign="top" |  

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" |  
|style="font-weight:bold" valign="top" | Advanced Technology Track
|style="font-weight:bold" valign="top" | Practical Technology Track

|- style="font-size:11pt"
|style="color:#1F497D" height="45" align="right" valign="top" | 13:15-14:00
| valign="top" | [[OWASP_Israel_2008_Conference_Shai_Chen|Achilles’ heel – Hacking Through Java Protocols]] ([[Media:OWASP IL 2008 Shai Chen PT to Java Client Server Apps.ppt|download ppt]]) Shai Chen, Hacktics
| valign="top" | [[OWASP_Israel_2008_Conference_Amir_Herzberg|Defending against Phishing without Client-side Code]] ([[Media:OWASP_IL_2008_Amir_Herzberg_Defending_against_Phishing_without_Client-side_Code.ppt|download ppt]]) Prof. Amir Herzberg, Bar-Ilan University

|- style="font-size:11pt"
|style="color:#1F497D" height="30" align="right" valign="top" | 14:00-14:45
| valign="top" | [[OWASP_Israel_2008_Conference_Alon_Rosen|Cryptographic elections - how to simultaneously achieve verifiability and privacy]] ([[Media:OWASP_IL_2008_Alon_Resen_eVoting.pdf‎|download pdf]]) Dr. Alon Rosen, IDC
| valign="top" | [[OWASP_Israel_2008_Conference_Erez_Metula|.NET Framework rootkits - backdoors inside your Framework]] ([[Media:OWASP IL 2008 Erez Metula .NET Rootkits.ppt|download ppt]]) Erez Metula, 2Bsecure

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" | 14:45-15:00
| valign="top" colspan="2"| Break

|- style="font-size:11pt"
|style="color:#1F497D" height="45" align="right" valign="top" | 15:00-15:45
| valign="top" | [[OWASP_Israel_2008_Conference_Ronen_Bachar|Automated Crawling & Security Analysis of Flash/Flex based Web Applications]] ([[Media:OWASP_IL_2008_Ronen_Bachar_RIA.ppt‎|download ppt]]) Ronen Bachar, IBM
| valign="top" | [[OWASP_Israel_2008_Conference_Ohad_Ben_Cohen|Korset: Code-based Intrusion Detection System for Linux]] ([[Media:OWASP_IL_2008_Ohad_Ben_Cohen_Korset.pdf|download pdf]]) Ohad Ben-Cohen

|- style="font-size:11pt"
|style="color:#1F497D" height="30" align="right" valign="top" | 15:45-16:30
| valign="top" colspan="2" | Turbo talks (Rump Session), Currently scheduled presentations:
* Yossi Oren, Automatic Patch-Based Exploit Generation (APEG) ([[Media:OWASP_IL_2008_Yossi_Oren_APEG.ppt|download ppt]])
* Avi Weissman, Introduction to the Israeli Forum for Information Security (ISIF)
* Robert Moskovitch, Detection of Unknown Malicious Code via Machine Learning ([[Media:UnknownMalcodeDetection_OWASP-IL-08.pdf|download pdf]])
* Yaniv Miron, Comsec, UTF7 XSS ([[Media:OWASP_IL_2008_Yaniv_Miron_UTF7_XSS.ppt|download ppt]])
* Shay Zalalichin & Avi Douglen, Comsec, Breaking CAPTCHA Myths ([[Media:2008-09-14_OWASP_Israel_2008.ppt‎|download ppt]])

'''Closing Words, Ofer Shezaf'''
|}

== The people behind the conference ==

OWASP Israel is made by the people who contribute their time and brain to its success. The following people are working to ensure that OWASP Israel 2008 is a success.

If you feel that you also can contribute or have interesting ideas regarding the conference, don't hesitate to contact me.

=== Steering Committee ===

The steering committee includes prominent individuals in the field of information security and help set the program for the conference:

* Adi Sharabani (IBM)
* Dr. David Movshovitz (Interdisciplinary Center Herzliya)
* Ofer Maor (Hacktics)
* Ofer Shezaf (Breach Security)
* Ory Segal (IBM)
* Shay Zalalichin (ComSec)
* Yossi Oren (Proxy Software Systems)

=== Organization Committee ===

The organization committee is in charge of making this all happen:

* Dr. Anat Bremler-Barr (Interdisciplinary Center Herzliya)
* Neer Roggel, the technion
* Shay Shuker
* Ofer Shezaf (Breach Security)

~ [[User:Oshezaf|Ofer Shezaf]],Conference Chair 
[mailto:ofer@shezaf.com ofer@shezaf.com]

[[Category:OWASP Israel 2008]]

OWASP Israel 2008 Conference at the Interdisciplinary Center Herzliya (IDC)

2008-09-22T16:06:38Z

Ivanr: /* Agenda */

{{Template:OWASP_IL_2008_Sponsors}}

The OWASP Israel 2008 conference was held on September 14th at the Interdisciplinary Center Herzliya with 250 attendees. The agenda of the full day two track event can be found below.

== Agenda ==

{| class="wikitable" <hiddentext>generated with [[:de:Wikipedia:Helferlein/VBA-Macro for EXCEL tableconversion]] V1.7<\hiddentext>
|- style="font-size:11pt"
|style="color:#1F497D" width="68" height="15" align="right" valign="top" | 8:30-9:00
| width="291" valign="top" | Gathering and Socializing
| width="296" valign="top" |  

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" | 9:00-9:15
| valign="top" | Opening words by Ofer Shezaf, OWASP Israel founder
| valign="top" |  

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" |  
| valign="top" |  
| valign="top" |  

|- style="font-size:11pt;font-weight:bold"
|style="color:#1F497D" height="15" align="right" valign="top" |  
| valign="top" | Room #1
| valign="top" | Room #2

|- style="font-size:11pt;font-weight:bold"
|style="color:#1F497D" height="15" align="right" valign="top" |  
| valign="top" | Management Track
| valign="top" | Fundamentals Track

|- style="font-size:11pt"
|style="color:#1F497D" height="45" align="right" valign="top" | 9:15-10:00
| valign="top" | [[OWASP_Israel_2008_Conference_Amichai_Shulman|Web Application Security and Search Engines – Beyond Google Hacking]] ([[Media:OWASP_IL_2008_Amichai_Shulman_BeyondGoogleHackingn.ppt‎|download ppt)]] Amichai Shulman, Imperva
| valign="top" | [[OWASP_Israel_2008_Conference_Maty_Siman|Application Security - The code analysis way]] Maty Siman, Checkmark

|- style="font-size:11pt"
|style="color:#1F497D" height="45" align="right" valign="top" | 10:00-10:45
| valign="top" | [[OWASP_Israel_2008_Conference_Ivan_Ristic|No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling]
([[Media:OWASP_Israel_2008-Ristic-Shezaf-ModProfiler.pdf|download PDF]]) Ivan Ristic, Breach Security
| valign="top" | [[OWASP_Israel_2008_Conference_Adi_Sharabani|Black Box vs. White Box - pros and cons]] ([[Media:OWASP_IL_2008_Sharabani_BlackBox_Vs_WhiteBox.ppt‎|download ppt]]) Adi Sharabani & Yinnon Haviv, IBM

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" | 10:45-11:00
| valign="top" colspan="2"| Break

|- style="font-size:11pt"
|style="color:#1F497D" height="30" align="right" valign="top" | 11:00-11:45
| valign="top" | [[AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008|Trends in Web Hacking: What's hot in 2008]] ([[Media:AppSecEU2008-WHID.ppt|download ppt]]) Ofer Shezaf, Breach Security
| valign="top" | [[OWASP_Israel_2008_Conference_David_Movshovitz|AJAX - new technologies new threats]] ([[Media:OWASP IL 2008 David Movshovitz AJAX.ppt|download ppt]]) Dr. David Movshovitz, IDC

|- style="font-size:11pt"
|style="color:#1F497D" height="30" align="right" valign="top" | 11:45-12:30
| valign="top" | [[OWASP_Israel_2008_Conference_Ofer_Maor|Testing the Tester – Measuring Quality of Security Testing]] Ofer Maor, Hacktics
| valign="top" | [[OWASP_Israel_2008_Conference_Yuli_Stremovsky|GreenSQL - an open source database security gateway]] ([[Media:OWASP_IL_2008_Yuli_Stremovsky.GreenSQL_Database_Firewall.ppt‎|download ppt]]) Yuli Stremovsky

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" | 12:30-13:15
| valign="top" colspan="2"| Lunch

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" |  
| valign="top" |  
| valign="top" |  

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" |  
|style="font-weight:bold" valign="top" | Advanced Technology Track
|style="font-weight:bold" valign="top" | Practical Technology Track

|- style="font-size:11pt"
|style="color:#1F497D" height="45" align="right" valign="top" | 13:15-14:00
| valign="top" | [[OWASP_Israel_2008_Conference_Shai_Chen|Achilles’ heel – Hacking Through Java Protocols]] ([[Media:OWASP IL 2008 Shai Chen PT to Java Client Server Apps.ppt|download ppt]]) Shai Chen, Hacktics
| valign="top" | [[OWASP_Israel_2008_Conference_Amir_Herzberg|Defending against Phishing without Client-side Code]] ([[Media:OWASP_IL_2008_Amir_Herzberg_Defending_against_Phishing_without_Client-side_Code.ppt|download ppt]]) Prof. Amir Herzberg, Bar-Ilan University

|- style="font-size:11pt"
|style="color:#1F497D" height="30" align="right" valign="top" | 14:00-14:45
| valign="top" | [[OWASP_Israel_2008_Conference_Alon_Rosen|Cryptographic elections - how to simultaneously achieve verifiability and privacy]] ([[Media:OWASP_IL_2008_Alon_Resen_eVoting.pdf‎|download pdf]]) Dr. Alon Rosen, IDC
| valign="top" | [[OWASP_Israel_2008_Conference_Erez_Metula|.NET Framework rootkits - backdoors inside your Framework]] ([[Media:OWASP IL 2008 Erez Metula .NET Rootkits.ppt|download ppt]]) Erez Metula, 2Bsecure

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" | 14:45-15:00
| valign="top" colspan="2"| Break

|- style="font-size:11pt"
|style="color:#1F497D" height="45" align="right" valign="top" | 15:00-15:45
| valign="top" | [[OWASP_Israel_2008_Conference_Ronen_Bachar|Automated Crawling & Security Analysis of Flash/Flex based Web Applications]] ([[Media:OWASP_IL_2008_Ronen_Bachar_RIA.ppt‎|download ppt]]) Ronen Bachar, IBM
| valign="top" | [[OWASP_Israel_2008_Conference_Ohad_Ben_Cohen|Korset: Code-based Intrusion Detection System for Linux]] ([[Media:OWASP_IL_2008_Ohad_Ben_Cohen_Korset.pdf|download pdf]]) Ohad Ben-Cohen

|- style="font-size:11pt"
|style="color:#1F497D" height="30" align="right" valign="top" | 15:45-16:30
| valign="top" colspan="2" | Turbo talks (Rump Session), Currently scheduled presentations:
* Yossi Oren, Automatic Patch-Based Exploit Generation (APEG) ([[Media:OWASP_IL_2008_Yossi_Oren_APEG.ppt|download ppt]])
* Avi Weissman, Introduction to the Israeli Forum for Information Security (ISIF)
* Robert Moskovitch, Detection of Unknown Malicious Code via Machine Learning ([[Media:UnknownMalcodeDetection_OWASP-IL-08.pdf|download pdf]])
* Yaniv Miron, Comsec, UTF7 XSS ([[Media:OWASP_IL_2008_Yaniv_Miron_UTF7_XSS.ppt|download ppt]])
* Shay Zalalichin & Avi Douglen, Comsec, Breaking CAPTCHA Myths ([[Media:2008-09-14_OWASP_Israel_2008.ppt‎|download ppt]])

'''Closing Words, Ofer Shezaf'''
|}

== The people behind the conference ==

OWASP Israel is made by the people who contribute their time and brain to its success. The following people are working to ensure that OWASP Israel 2008 is a success.

If you feel that you also can contribute or have interesting ideas regarding the conference, don't hesitate to contact me.

=== Steering Committee ===

The steering committee includes prominent individuals in the field of information security and help set the program for the conference:

* Adi Sharabani (IBM)
* Dr. David Movshovitz (Interdisciplinary Center Herzliya)
* Ofer Maor (Hacktics)
* Ofer Shezaf (Breach Security)
* Ory Segal (IBM)
* Shay Zalalichin (ComSec)
* Yossi Oren (Proxy Software Systems)

=== Organization Committee ===

The organization committee is in charge of making this all happen:

* Dr. Anat Bremler-Barr (Interdisciplinary Center Herzliya)
* Neer Roggel, the technion
* Shay Shuker
* Ofer Shezaf (Breach Security)

~ [[User:Oshezaf|Ofer Shezaf]],Conference Chair 
[mailto:ofer@shezaf.com ofer@shezaf.com]

[[Category:OWASP Israel 2008]]

OWASP Israel 2008 Conference at the Interdisciplinary Center Herzliya (IDC)

2008-09-22T16:06:06Z

Ivanr: /* Agenda */

{{Template:OWASP_IL_2008_Sponsors}}

The OWASP Israel 2008 conference was held on September 14th at the Interdisciplinary Center Herzliya with 250 attendees. The agenda of the full day two track event can be found below.

== Agenda ==

{| class="wikitable" <hiddentext>generated with [[:de:Wikipedia:Helferlein/VBA-Macro for EXCEL tableconversion]] V1.7<\hiddentext>
|- style="font-size:11pt"
|style="color:#1F497D" width="68" height="15" align="right" valign="top" | 8:30-9:00
| width="291" valign="top" | Gathering and Socializing
| width="296" valign="top" |  

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" | 9:00-9:15
| valign="top" | Opening words by Ofer Shezaf, OWASP Israel founder
| valign="top" |  

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" |  
| valign="top" |  
| valign="top" |  

|- style="font-size:11pt;font-weight:bold"
|style="color:#1F497D" height="15" align="right" valign="top" |  
| valign="top" | Room #1
| valign="top" | Room #2

|- style="font-size:11pt;font-weight:bold"
|style="color:#1F497D" height="15" align="right" valign="top" |  
| valign="top" | Management Track
| valign="top" | Fundamentals Track

|- style="font-size:11pt"
|style="color:#1F497D" height="45" align="right" valign="top" | 9:15-10:00
| valign="top" | [[OWASP_Israel_2008_Conference_Amichai_Shulman|Web Application Security and Search Engines – Beyond Google Hacking]] ([[Media:OWASP_IL_2008_Amichai_Shulman_BeyondGoogleHackingn.ppt‎|download ppt)]] Amichai Shulman, Imperva
| valign="top" | [[OWASP_Israel_2008_Conference_Maty_Siman|Application Security - The code analysis way]] Maty Siman, Checkmark

|- style="font-size:11pt"
|style="color:#1F497D" height="45" align="right" valign="top" | 10:00-10:45
| valign="top" | [[OWASP_Israel_2008_Conference_Ivan_Ristic|No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling]
([[Media:OWASP_Israel_2008-Ristic-Shezaf-ModProfiler.pdf|download PDF)] Ivan Ristic, Breach Security
| valign="top" | [[OWASP_Israel_2008_Conference_Adi_Sharabani|Black Box vs. White Box - pros and cons]] ([[Media:OWASP_IL_2008_Sharabani_BlackBox_Vs_WhiteBox.ppt‎|download ppt]]) Adi Sharabani & Yinnon Haviv, IBM

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" | 10:45-11:00
| valign="top" colspan="2"| Break

|- style="font-size:11pt"
|style="color:#1F497D" height="30" align="right" valign="top" | 11:00-11:45
| valign="top" | [[AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008|Trends in Web Hacking: What's hot in 2008]] ([[Media:AppSecEU2008-WHID.ppt|download ppt]]) Ofer Shezaf, Breach Security
| valign="top" | [[OWASP_Israel_2008_Conference_David_Movshovitz|AJAX - new technologies new threats]] ([[Media:OWASP IL 2008 David Movshovitz AJAX.ppt|download ppt]]) Dr. David Movshovitz, IDC

|- style="font-size:11pt"
|style="color:#1F497D" height="30" align="right" valign="top" | 11:45-12:30
| valign="top" | [[OWASP_Israel_2008_Conference_Ofer_Maor|Testing the Tester – Measuring Quality of Security Testing]] Ofer Maor, Hacktics
| valign="top" | [[OWASP_Israel_2008_Conference_Yuli_Stremovsky|GreenSQL - an open source database security gateway]] ([[Media:OWASP_IL_2008_Yuli_Stremovsky.GreenSQL_Database_Firewall.ppt‎|download ppt]]) Yuli Stremovsky

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" | 12:30-13:15
| valign="top" colspan="2"| Lunch

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" |  
| valign="top" |  
| valign="top" |  

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" |  
|style="font-weight:bold" valign="top" | Advanced Technology Track
|style="font-weight:bold" valign="top" | Practical Technology Track

|- style="font-size:11pt"
|style="color:#1F497D" height="45" align="right" valign="top" | 13:15-14:00
| valign="top" | [[OWASP_Israel_2008_Conference_Shai_Chen|Achilles’ heel – Hacking Through Java Protocols]] ([[Media:OWASP IL 2008 Shai Chen PT to Java Client Server Apps.ppt|download ppt]]) Shai Chen, Hacktics
| valign="top" | [[OWASP_Israel_2008_Conference_Amir_Herzberg|Defending against Phishing without Client-side Code]] ([[Media:OWASP_IL_2008_Amir_Herzberg_Defending_against_Phishing_without_Client-side_Code.ppt|download ppt]]) Prof. Amir Herzberg, Bar-Ilan University

|- style="font-size:11pt"
|style="color:#1F497D" height="30" align="right" valign="top" | 14:00-14:45
| valign="top" | [[OWASP_Israel_2008_Conference_Alon_Rosen|Cryptographic elections - how to simultaneously achieve verifiability and privacy]] ([[Media:OWASP_IL_2008_Alon_Resen_eVoting.pdf‎|download pdf]]) Dr. Alon Rosen, IDC
| valign="top" | [[OWASP_Israel_2008_Conference_Erez_Metula|.NET Framework rootkits - backdoors inside your Framework]] ([[Media:OWASP IL 2008 Erez Metula .NET Rootkits.ppt|download ppt]]) Erez Metula, 2Bsecure

|- style="font-size:11pt"
|style="color:#1F497D" height="15" align="right" valign="top" | 14:45-15:00
| valign="top" colspan="2"| Break

|- style="font-size:11pt"
|style="color:#1F497D" height="45" align="right" valign="top" | 15:00-15:45
| valign="top" | [[OWASP_Israel_2008_Conference_Ronen_Bachar|Automated Crawling & Security Analysis of Flash/Flex based Web Applications]] ([[Media:OWASP_IL_2008_Ronen_Bachar_RIA.ppt‎|download ppt]]) Ronen Bachar, IBM
| valign="top" | [[OWASP_Israel_2008_Conference_Ohad_Ben_Cohen|Korset: Code-based Intrusion Detection System for Linux]] ([[Media:OWASP_IL_2008_Ohad_Ben_Cohen_Korset.pdf|download pdf]]) Ohad Ben-Cohen

|- style="font-size:11pt"
|style="color:#1F497D" height="30" align="right" valign="top" | 15:45-16:30
| valign="top" colspan="2" | Turbo talks (Rump Session), Currently scheduled presentations:
* Yossi Oren, Automatic Patch-Based Exploit Generation (APEG) ([[Media:OWASP_IL_2008_Yossi_Oren_APEG.ppt|download ppt]])
* Avi Weissman, Introduction to the Israeli Forum for Information Security (ISIF)
* Robert Moskovitch, Detection of Unknown Malicious Code via Machine Learning ([[Media:UnknownMalcodeDetection_OWASP-IL-08.pdf|download pdf]])
* Yaniv Miron, Comsec, UTF7 XSS ([[Media:OWASP_IL_2008_Yaniv_Miron_UTF7_XSS.ppt|download ppt]])
* Shay Zalalichin & Avi Douglen, Comsec, Breaking CAPTCHA Myths ([[Media:2008-09-14_OWASP_Israel_2008.ppt‎|download ppt]])

'''Closing Words, Ofer Shezaf'''
|}

== The people behind the conference ==

OWASP Israel is made by the people who contribute their time and brain to its success. The following people are working to ensure that OWASP Israel 2008 is a success.

If you feel that you also can contribute or have interesting ideas regarding the conference, don't hesitate to contact me.

=== Steering Committee ===

The steering committee includes prominent individuals in the field of information security and help set the program for the conference:

* Adi Sharabani (IBM)
* Dr. David Movshovitz (Interdisciplinary Center Herzliya)
* Ofer Maor (Hacktics)
* Ofer Shezaf (Breach Security)
* Ory Segal (IBM)
* Shay Zalalichin (ComSec)
* Yossi Oren (Proxy Software Systems)

=== Organization Committee ===

The organization committee is in charge of making this all happen:

* Dr. Anat Bremler-Barr (Interdisciplinary Center Herzliya)
* Neer Roggel, the technion
* Shay Shuker
* Ofer Shezaf (Breach Security)

~ [[User:Oshezaf|Ofer Shezaf]],Conference Chair 
[mailto:ofer@shezaf.com ofer@shezaf.com]

[[Category:OWASP Israel 2008]]

File:OWASP Israel 2008-Ristic-Shezaf-ModProfiler.pdf

2008-09-22T16:04:27Z

Ivanr:

London

2008-09-12T09:58:16Z

Ivanr: /* Future Events */

{{Chapter Template|chaptername=London|extra=The chapter leader is Ivan Ristic (since Apr 2007)|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}

== Future Events ==

* '''Thursday, December 4th'''

** '''Location''': KPMG, 39th Floor, One Canada Sq, E14 5AG, starting at '''6.30pm''' (arrive between 6.00pm and 6.30pm), ending by 8.30pm. KMPG are sponsoring the meeting. Complementary drinks will be provided. '''IMPORTANT: You must RSVP if you want to attend.'''

'''Justin Clarke: SQL Injection Worms for Fun and Profit'''

Earlier this year the first (publicly known) SQL Injection worm
appeared. This worm used SQL Injection to insert malicious scripting
tags into the pages of over 90,000 sites that were vulnerable to SQL
injection.

Yet the exploit vector was fairly innocuous, easy to clean up, and easy
to block. In other words, very much version 0.1 of what a SQL Injection
worm can achieve.

This talk is going to discuss how far the rabbit hole can go with SQL
injection based worms, including full compromise of the server OS, and
why we should be worried by what is going to be coming next out of
Russia/China/wherever, including a live demo of a proof of concept SQL
injection worm, "weaponized".

'''Justin Clarke: Protecting Vulnerable Applications with IIS7'''

With the advent of IIS7 and its modular design, Microsoft has provided
the ability to easily integrate custom ASP.NET HttpModules into the IIS7
request-handling pipeline. This session will present an IIS7 module
designed to leverage this architecture to actively and dynamically
protect web applications from attack. With minimal configuration, the
module can be used to protect virtually any application running on the
web server, including non-ASP.NET applications (such as those written in
PHP, Cold Fusion, or classic ASP).

This presentation will outline the overall design and architecture of
the module, including a detailed explanation of available features and
attack defense techniques. The session will focus on live demonstrations
of how the module can easily be installed to protect already-deployed
applications and how it can block both traditional web application
attacks, such as SQL injection and Cross-Site Scripting, and
application-specific vulnerabilities like parameter manipulation and
authorization attacks.

'''About Justin:'''

Justin is a Principal Consultant with Gotham Digital Science. He is the
co-author of "Network Security Tools" (O'Reilly, 2005), a contributing
author to "Network Security Assessment" (O'Reilly, 2007), and has spoken
at Blackhat, EuSecWest, RSA, and OSCON in the past. He has over 10 years
of security testing and consulting experience in network, application,
source code and wireless testing work for some of the largest commercial
and government organizations in the United States, United Kingdom, and
New Zealand. Justin is active in developing security tools for
penetrating and defending applications, servers, and wireless networks
(e.g. SQLBrute), and as a compulsive tinkerer he can't leave anything
alone without at least trying to see how it works.

== Past Events ==

* '''Thursday, September 4th'''

** '''Location''': KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks and snacks will be provided.

'''James Fisher: DirBuster & Beyond''' ([https://www.owasp.org/images/f/f4/DirBuster_OWASP-London_September-2008.pdf PDF])

An introduction to the DirBuster project, detailing how it works, what it can do for you, and the direction it will be taking in the future. Followed by an introduction to my unreleased project FuzzBuster, showing why it's different to other HTTP fuzzes out there.

'''Yiannis Pavlosoglou: JBroFuzz'''

[Summary will be updated if I get it from Yiannis, but you can always go to the [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz project homepage] for more information.

* '''Thursday, July 24th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18:30 Arrive and make yourselves comfortable.
** 19:00 Dinis Cruz: What is going on at OWASP?
** 19:20 Colin Watson: Nominet Best Practices Award briefing ([https://www.owasp.org/images/6/69/Owasp-london-bestpractice2008.pdf PDF])
** 19:45 Dennis Hurst: AJAX / Web 2.0 / WebServices security concerns ([https://www.owasp.org/images/9/90/Testing_Finance_2_June_2008.pdf PDF])
** 20:30 Dinis Cruz: Building a tool for Security consultants: A story of a customized source code scanner
** 21:15 Ivan Ristic: Evaluation Criteria for Web Application Firewalls ([http://www.owasp.org/images/f/f4/AppSecEU08_Evaluation_Criteria_for_Web_Application_Firewalls.pdf PDF]) (talk from the recent OWASP AppSec Europe conference in Ghent).

* '''Thursday, April 3rd'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://www.withdk.com/archives/PHP%20Code%20Analysis-%20Real%20World%20Examples.pdf PHP Code Analysis: Real World Examples] (David Kierznowski)
** 20h00 [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse_attacks.pdf Abusing PHP sockets for fun and profit] (Rodrigo Marcos; also available: [http://www.secforce.co.uk/research/socket_reuse/socket_attack.zip source code], [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse.html Flash demo])
** 20h45 Web Application Security Badges (Colin Watson)
** 21h00 Discussion: OWASP [http://www.nic.uk/about/bestpracticechallenge/ Best Practice Challenge 2008 nomination].
** 21h30 End.

* '''Thursday, December 6th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 Adrian Pastor: Cracking into embedded devices and beyond! ([[Media:Cracking-into-embedded-devices-and-beyond.pdf]])
** 19h45 Rodrigo Marcos: Blind SQL Injection: Optimization Techniques ([http://www.gnucitizen.org/blog/security-and-hacking-scene-in-london/BlindSQLinjection.ppt PPT]).
** 20h15 OWASP London Chapter (discussion).
** 20h45 PDP: Client-Side Security (discussion).
** 21h30 End.

* '''Wednesday, September 5th''' (participating in the [[OWASP Day]] event). Read meeting notes [https://lists.owasp.org/pipermail/owasp-london/2007-September/000187.html here].
** Location: Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsored the meeting by paying for the costs of the venue.

* '''Programme''':
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://gnucitizen.org/about/pdp Petko D. Petkov], a.k.a pdp (architect), founder of the [http://gnucitizen.org GNUCITIZEN] group: [http://www.owasp.org/index.php/Belgium#For_my_next_trick..._hacking_Web2.0_.28pdp.29 For my next trick... hacking Web2.0].
** 20h00 Discussion: "Privacy in the 21st Century?", moderator: Ivan Ristic.
** 21h00 Discussion: "Future of the OWASP London Chapter".
** 21h30 End

* '''Thursday 22nd March'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** [[Mark O'Neill]] "Security Vulnerabilities in AJAX and Web 2.0" - 60 m
** [[Dinis Cruz]] "OWASP Spring of Code and Owasp world update " - 30 m

* '''Thursday 22nd February'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** by '''Dinis Cruz (Chief OWASP Evangelist)''' :
*** '''OWASP, the Open Web Application Security Project''' 30m - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
*** '''Buffer Overflows on .Net and Asp.Net''' 30m - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
*** '''0wning Vista's userland - The CAS / UAC missed opportunity , and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.
** by '''Ivan Ristic''':
*** '''ModSecurity''' - 30m

* '''Schedule''':
** 6pm - 7pm arrive and grab a drink
** 7:00 - '''OWASP, the Open Web Application Security Project''', Dinis Cruz
** 7:45 - '''ModSecurity''', Ivan Ristic
** 8:15 - '''Buffer Overflows on .Net and Asp.Net''', Dinis Cruz
** 8:50 - 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done, Dinis Cruz
** 9:00 - Dinner

[[Category:United Kingdom]]

London

2008-09-12T09:47:10Z

Ivanr: /* Past Events */

{{Chapter Template|chaptername=London|extra=The chapter leader is Ivan Ristic (since Apr 2007)|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}

== Future Events ==

* '''Thursday, December 4th''' - '''TO BE CONFIRMED'''

** '''Location''': KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks will be provided. '''IMPORTANT: You must RSVP if you want to attend.'''

== Past Events ==

* '''Thursday, September 4th'''

** '''Location''': KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks and snacks will be provided.

'''James Fisher: DirBuster & Beyond''' ([https://www.owasp.org/images/f/f4/DirBuster_OWASP-London_September-2008.pdf PDF])

An introduction to the DirBuster project, detailing how it works, what it can do for you, and the direction it will be taking in the future. Followed by an introduction to my unreleased project FuzzBuster, showing why it's different to other HTTP fuzzes out there.

'''Yiannis Pavlosoglou: JBroFuzz'''

[Summary will be updated if I get it from Yiannis, but you can always go to the [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz project homepage] for more information.

* '''Thursday, July 24th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18:30 Arrive and make yourselves comfortable.
** 19:00 Dinis Cruz: What is going on at OWASP?
** 19:20 Colin Watson: Nominet Best Practices Award briefing ([https://www.owasp.org/images/6/69/Owasp-london-bestpractice2008.pdf PDF])
** 19:45 Dennis Hurst: AJAX / Web 2.0 / WebServices security concerns ([https://www.owasp.org/images/9/90/Testing_Finance_2_June_2008.pdf PDF])
** 20:30 Dinis Cruz: Building a tool for Security consultants: A story of a customized source code scanner
** 21:15 Ivan Ristic: Evaluation Criteria for Web Application Firewalls ([http://www.owasp.org/images/f/f4/AppSecEU08_Evaluation_Criteria_for_Web_Application_Firewalls.pdf PDF]) (talk from the recent OWASP AppSec Europe conference in Ghent).

* '''Thursday, April 3rd'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://www.withdk.com/archives/PHP%20Code%20Analysis-%20Real%20World%20Examples.pdf PHP Code Analysis: Real World Examples] (David Kierznowski)
** 20h00 [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse_attacks.pdf Abusing PHP sockets for fun and profit] (Rodrigo Marcos; also available: [http://www.secforce.co.uk/research/socket_reuse/socket_attack.zip source code], [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse.html Flash demo])
** 20h45 Web Application Security Badges (Colin Watson)
** 21h00 Discussion: OWASP [http://www.nic.uk/about/bestpracticechallenge/ Best Practice Challenge 2008 nomination].
** 21h30 End.

* '''Thursday, December 6th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 Adrian Pastor: Cracking into embedded devices and beyond! ([[Media:Cracking-into-embedded-devices-and-beyond.pdf]])
** 19h45 Rodrigo Marcos: Blind SQL Injection: Optimization Techniques ([http://www.gnucitizen.org/blog/security-and-hacking-scene-in-london/BlindSQLinjection.ppt PPT]).
** 20h15 OWASP London Chapter (discussion).
** 20h45 PDP: Client-Side Security (discussion).
** 21h30 End.

* '''Wednesday, September 5th''' (participating in the [[OWASP Day]] event). Read meeting notes [https://lists.owasp.org/pipermail/owasp-london/2007-September/000187.html here].
** Location: Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsored the meeting by paying for the costs of the venue.

* '''Programme''':
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://gnucitizen.org/about/pdp Petko D. Petkov], a.k.a pdp (architect), founder of the [http://gnucitizen.org GNUCITIZEN] group: [http://www.owasp.org/index.php/Belgium#For_my_next_trick..._hacking_Web2.0_.28pdp.29 For my next trick... hacking Web2.0].
** 20h00 Discussion: "Privacy in the 21st Century?", moderator: Ivan Ristic.
** 21h00 Discussion: "Future of the OWASP London Chapter".
** 21h30 End

* '''Thursday 22nd March'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** [[Mark O'Neill]] "Security Vulnerabilities in AJAX and Web 2.0" - 60 m
** [[Dinis Cruz]] "OWASP Spring of Code and Owasp world update " - 30 m

* '''Thursday 22nd February'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** by '''Dinis Cruz (Chief OWASP Evangelist)''' :
*** '''OWASP, the Open Web Application Security Project''' 30m - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
*** '''Buffer Overflows on .Net and Asp.Net''' 30m - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
*** '''0wning Vista's userland - The CAS / UAC missed opportunity , and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.
** by '''Ivan Ristic''':
*** '''ModSecurity''' - 30m

* '''Schedule''':
** 6pm - 7pm arrive and grab a drink
** 7:00 - '''OWASP, the Open Web Application Security Project''', Dinis Cruz
** 7:45 - '''ModSecurity''', Ivan Ristic
** 8:15 - '''Buffer Overflows on .Net and Asp.Net''', Dinis Cruz
** 8:50 - 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done, Dinis Cruz
** 9:00 - Dinner

[[Category:United Kingdom]]

London

2008-09-09T11:32:43Z

Ivanr: /* Past Events */

{{Chapter Template|chaptername=London|extra=The chapter leader is Ivan Ristic (since Apr 2007)|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}

== Future Events ==

* '''Thursday, December 4th''' - '''TO BE CONFIRMED'''

** '''Location''': KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks will be provided. '''IMPORTANT: You must RSVP if you want to attend.'''

== Past Events ==

* '''Thursday, September 4th'''

** '''Location''': KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks will be provided. '''IMPORTANT: You must RSVP if you want to attend.'''

'''James Fisher: DirBuster & Beyond''' ([https://www.owasp.org/images/f/f4/DirBuster_OWASP-London_September-2008.pdf PDF])

An introduction to the DirBuster project, detailing how it works, what it can do for you, and the direction it will be taking in the future. Followed by an introduction to my unreleased project FuzzBuster, showing why it's different to other HTTP fuzzes out there.

'''Yiannis Pavlosoglou: JBroFuzz'''

[Summary will be updated if I get it from Yiannis, but you can always go to the [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz project homepage] for more information.

* '''Thursday, July 24th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18:30 Arrive and make yourselves comfortable.
** 19:00 Dinis Cruz: What is going on at OWASP?
** 19:20 Colin Watson: Nominet Best Practices Award briefing ([https://www.owasp.org/images/6/69/Owasp-london-bestpractice2008.pdf PDF])
** 19:45 Dennis Hurst: AJAX / Web 2.0 / WebServices security concerns ([https://www.owasp.org/images/9/90/Testing_Finance_2_June_2008.pdf PDF])
** 20:30 Dinis Cruz: Building a tool for Security consultants: A story of a customized source code scanner
** 21:15 Ivan Ristic: Evaluation Criteria for Web Application Firewalls ([http://www.owasp.org/images/f/f4/AppSecEU08_Evaluation_Criteria_for_Web_Application_Firewalls.pdf PDF]) (talk from the recent OWASP AppSec Europe conference in Ghent).

* '''Thursday, April 3rd'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://www.withdk.com/archives/PHP%20Code%20Analysis-%20Real%20World%20Examples.pdf PHP Code Analysis: Real World Examples] (David Kierznowski)
** 20h00 [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse_attacks.pdf Abusing PHP sockets for fun and profit] (Rodrigo Marcos; also available: [http://www.secforce.co.uk/research/socket_reuse/socket_attack.zip source code], [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse.html Flash demo])
** 20h45 Web Application Security Badges (Colin Watson)
** 21h00 Discussion: OWASP [http://www.nic.uk/about/bestpracticechallenge/ Best Practice Challenge 2008 nomination].
** 21h30 End.

* '''Thursday, December 6th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 Adrian Pastor: Cracking into embedded devices and beyond! ([[Media:Cracking-into-embedded-devices-and-beyond.pdf]])
** 19h45 Rodrigo Marcos: Blind SQL Injection: Optimization Techniques ([http://www.gnucitizen.org/blog/security-and-hacking-scene-in-london/BlindSQLinjection.ppt PPT]).
** 20h15 OWASP London Chapter (discussion).
** 20h45 PDP: Client-Side Security (discussion).
** 21h30 End.

* '''Wednesday, September 5th''' (participating in the [[OWASP Day]] event). Read meeting notes [https://lists.owasp.org/pipermail/owasp-london/2007-September/000187.html here].
** Location: Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsored the meeting by paying for the costs of the venue.

* '''Programme''':
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://gnucitizen.org/about/pdp Petko D. Petkov], a.k.a pdp (architect), founder of the [http://gnucitizen.org GNUCITIZEN] group: [http://www.owasp.org/index.php/Belgium#For_my_next_trick..._hacking_Web2.0_.28pdp.29 For my next trick... hacking Web2.0].
** 20h00 Discussion: "Privacy in the 21st Century?", moderator: Ivan Ristic.
** 21h00 Discussion: "Future of the OWASP London Chapter".
** 21h30 End

* '''Thursday 22nd March'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** [[Mark O'Neill]] "Security Vulnerabilities in AJAX and Web 2.0" - 60 m
** [[Dinis Cruz]] "OWASP Spring of Code and Owasp world update " - 30 m

* '''Thursday 22nd February'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** by '''Dinis Cruz (Chief OWASP Evangelist)''' :
*** '''OWASP, the Open Web Application Security Project''' 30m - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
*** '''Buffer Overflows on .Net and Asp.Net''' 30m - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
*** '''0wning Vista's userland - The CAS / UAC missed opportunity , and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.
** by '''Ivan Ristic''':
*** '''ModSecurity''' - 30m

* '''Schedule''':
** 6pm - 7pm arrive and grab a drink
** 7:00 - '''OWASP, the Open Web Application Security Project''', Dinis Cruz
** 7:45 - '''ModSecurity''', Ivan Ristic
** 8:15 - '''Buffer Overflows on .Net and Asp.Net''', Dinis Cruz
** 8:50 - 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done, Dinis Cruz
** 9:00 - Dinner

[[Category:United Kingdom]]

File:DirBuster OWASP-London September-2008.pdf

2008-09-09T11:30:18Z

Ivanr:

London

2008-09-09T11:28:52Z

Ivanr: /* Future Events */

{{Chapter Template|chaptername=London|extra=The chapter leader is Ivan Ristic (since Apr 2007)|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}

== Future Events ==

* '''Thursday, December 4th''' - '''TO BE CONFIRMED'''

** '''Location''': KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks will be provided. '''IMPORTANT: You must RSVP if you want to attend.'''

== Past Events ==

* '''Thursday, September 4th'''

** '''Location''': KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks will be provided. '''IMPORTANT: You must RSVP if you want to attend.'''

'''James Fisher: DirBuster & Beyond'''

An introduction to the DirBuster project, detailing how it works, what it can do for you, and the direction it will be taking in the future. Followed by an introduction to my unreleased project FuzzBuster, showing why it's different to other HTTP fuzzes out there.

'''Yiannis Pavlosoglou: Web Authentication Combining Single Packet Authorization (WACSPA)'''

This presentation aims to demonstrate a pioneering way of authenticating on a web-site, by means of accessing the login interface via port knocking.

As Single Packet Authorization is beginning to mature as a subject discipline, attaching a time window of opportunity towards the ability of logging in to a web-site adds an extra layer of security, well beyond the remit of the application layer.

In this presentation, the basic concept will be presented, a system description given, as well as a detailed outline of the tools used to develop this type of web authentication.

* '''Thursday, July 24th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18:30 Arrive and make yourselves comfortable.
** 19:00 Dinis Cruz: What is going on at OWASP?
** 19:20 Colin Watson: Nominet Best Practices Award briefing ([https://www.owasp.org/images/6/69/Owasp-london-bestpractice2008.pdf PDF])
** 19:45 Dennis Hurst: AJAX / Web 2.0 / WebServices security concerns ([https://www.owasp.org/images/9/90/Testing_Finance_2_June_2008.pdf PDF])
** 20:30 Dinis Cruz: Building a tool for Security consultants: A story of a customized source code scanner
** 21:15 Ivan Ristic: Evaluation Criteria for Web Application Firewalls ([http://www.owasp.org/images/f/f4/AppSecEU08_Evaluation_Criteria_for_Web_Application_Firewalls.pdf PDF]) (talk from the recent OWASP AppSec Europe conference in Ghent).

* '''Thursday, April 3rd'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://www.withdk.com/archives/PHP%20Code%20Analysis-%20Real%20World%20Examples.pdf PHP Code Analysis: Real World Examples] (David Kierznowski)
** 20h00 [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse_attacks.pdf Abusing PHP sockets for fun and profit] (Rodrigo Marcos; also available: [http://www.secforce.co.uk/research/socket_reuse/socket_attack.zip source code], [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse.html Flash demo])
** 20h45 Web Application Security Badges (Colin Watson)
** 21h00 Discussion: OWASP [http://www.nic.uk/about/bestpracticechallenge/ Best Practice Challenge 2008 nomination].
** 21h30 End.

* '''Thursday, December 6th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 Adrian Pastor: Cracking into embedded devices and beyond! ([[Media:Cracking-into-embedded-devices-and-beyond.pdf]])
** 19h45 Rodrigo Marcos: Blind SQL Injection: Optimization Techniques ([http://www.gnucitizen.org/blog/security-and-hacking-scene-in-london/BlindSQLinjection.ppt PPT]).
** 20h15 OWASP London Chapter (discussion).
** 20h45 PDP: Client-Side Security (discussion).
** 21h30 End.

* '''Wednesday, September 5th''' (participating in the [[OWASP Day]] event). Read meeting notes [https://lists.owasp.org/pipermail/owasp-london/2007-September/000187.html here].
** Location: Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsored the meeting by paying for the costs of the venue.

* '''Programme''':
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://gnucitizen.org/about/pdp Petko D. Petkov], a.k.a pdp (architect), founder of the [http://gnucitizen.org GNUCITIZEN] group: [http://www.owasp.org/index.php/Belgium#For_my_next_trick..._hacking_Web2.0_.28pdp.29 For my next trick... hacking Web2.0].
** 20h00 Discussion: "Privacy in the 21st Century?", moderator: Ivan Ristic.
** 21h00 Discussion: "Future of the OWASP London Chapter".
** 21h30 End

* '''Thursday 22nd March'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** [[Mark O'Neill]] "Security Vulnerabilities in AJAX and Web 2.0" - 60 m
** [[Dinis Cruz]] "OWASP Spring of Code and Owasp world update " - 30 m

* '''Thursday 22nd February'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** by '''Dinis Cruz (Chief OWASP Evangelist)''' :
*** '''OWASP, the Open Web Application Security Project''' 30m - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
*** '''Buffer Overflows on .Net and Asp.Net''' 30m - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
*** '''0wning Vista's userland - The CAS / UAC missed opportunity , and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.
** by '''Ivan Ristic''':
*** '''ModSecurity''' - 30m

* '''Schedule''':
** 6pm - 7pm arrive and grab a drink
** 7:00 - '''OWASP, the Open Web Application Security Project''', Dinis Cruz
** 7:45 - '''ModSecurity''', Ivan Ristic
** 8:15 - '''Buffer Overflows on .Net and Asp.Net''', Dinis Cruz
** 8:50 - 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done, Dinis Cruz
** 9:00 - Dinner

[[Category:United Kingdom]]

London

2008-09-09T11:28:36Z

Ivanr: /* Past Events */

{{Chapter Template|chaptername=London|extra=The chapter leader is Ivan Ristic (since Apr 2007)|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}

== Future Events ==

* '''Thursday, December 4th''' '''TO BE CONFIRMED'''

** '''Location''': KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks will be provided. '''IMPORTANT: You must RSVP if you want to attend.'''

== Past Events ==

* '''Thursday, September 4th'''

** '''Location''': KPMG 39th Floor, One Canada Sq, E14 5AG, starting at 7pm (arrive between 6.30pm and 7pm), ending by 9pm. KMPG are sponsoring the meeting. Complementary drinks will be provided. '''IMPORTANT: You must RSVP if you want to attend.'''

'''James Fisher: DirBuster & Beyond'''

An introduction to the DirBuster project, detailing how it works, what it can do for you, and the direction it will be taking in the future. Followed by an introduction to my unreleased project FuzzBuster, showing why it's different to other HTTP fuzzes out there.

'''Yiannis Pavlosoglou: Web Authentication Combining Single Packet Authorization (WACSPA)'''

This presentation aims to demonstrate a pioneering way of authenticating on a web-site, by means of accessing the login interface via port knocking.

As Single Packet Authorization is beginning to mature as a subject discipline, attaching a time window of opportunity towards the ability of logging in to a web-site adds an extra layer of security, well beyond the remit of the application layer.

In this presentation, the basic concept will be presented, a system description given, as well as a detailed outline of the tools used to develop this type of web authentication.

* '''Thursday, July 24th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18:30 Arrive and make yourselves comfortable.
** 19:00 Dinis Cruz: What is going on at OWASP?
** 19:20 Colin Watson: Nominet Best Practices Award briefing ([https://www.owasp.org/images/6/69/Owasp-london-bestpractice2008.pdf PDF])
** 19:45 Dennis Hurst: AJAX / Web 2.0 / WebServices security concerns ([https://www.owasp.org/images/9/90/Testing_Finance_2_June_2008.pdf PDF])
** 20:30 Dinis Cruz: Building a tool for Security consultants: A story of a customized source code scanner
** 21:15 Ivan Ristic: Evaluation Criteria for Web Application Firewalls ([http://www.owasp.org/images/f/f4/AppSecEU08_Evaluation_Criteria_for_Web_Application_Firewalls.pdf PDF]) (talk from the recent OWASP AppSec Europe conference in Ghent).

* '''Thursday, April 3rd'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] is sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://www.withdk.com/archives/PHP%20Code%20Analysis-%20Real%20World%20Examples.pdf PHP Code Analysis: Real World Examples] (David Kierznowski)
** 20h00 [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse_attacks.pdf Abusing PHP sockets for fun and profit] (Rodrigo Marcos; also available: [http://www.secforce.co.uk/research/socket_reuse/socket_attack.zip source code], [http://www.secforce.co.uk/research/socket_reuse/PHP_socket_reuse.html Flash demo])
** 20h45 Web Application Security Badges (Colin Watson)
** 21h00 Discussion: OWASP [http://www.nic.uk/about/bestpracticechallenge/ Best Practice Challenge 2008 nomination].
** 21h30 End.

* '''Thursday, December 6th'''

** '''Location''': Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsoring the meeting by paying for the costs of the venue.

** '''Programme'''
** 18h30 Arrive and make yourselves comfortable.
** 19h00 Adrian Pastor: Cracking into embedded devices and beyond! ([[Media:Cracking-into-embedded-devices-and-beyond.pdf]])
** 19h45 Rodrigo Marcos: Blind SQL Injection: Optimization Techniques ([http://www.gnucitizen.org/blog/security-and-hacking-scene-in-london/BlindSQLinjection.ppt PPT]).
** 20h15 OWASP London Chapter (discussion).
** 20h45 PDP: Client-Side Security (discussion).
** 21h30 End.

* '''Wednesday, September 5th''' (participating in the [[OWASP Day]] event). Read meeting notes [https://lists.owasp.org/pipermail/owasp-london/2007-September/000187.html here].
** Location: Auriol Kensington Rowing Club ([http://www.akrowing.com/page.php?page=findus map]), starting at 7pm (arrive between 6.30pm and 7pm). [http://www.breach.com Breach Security] sponsored the meeting by paying for the costs of the venue.

* '''Programme''':
** 18h30 Arrive and make yourselves comfortable.
** 19h00 [http://gnucitizen.org/about/pdp Petko D. Petkov], a.k.a pdp (architect), founder of the [http://gnucitizen.org GNUCITIZEN] group: [http://www.owasp.org/index.php/Belgium#For_my_next_trick..._hacking_Web2.0_.28pdp.29 For my next trick... hacking Web2.0].
** 20h00 Discussion: "Privacy in the 21st Century?", moderator: Ivan Ristic.
** 21h00 Discussion: "Future of the OWASP London Chapter".
** 21h30 End

* '''Thursday 22nd March'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** [[Mark O'Neill]] "Security Vulnerabilities in AJAX and Web 2.0" - 60 m
** [[Dinis Cruz]] "OWASP Spring of Code and Owasp world update " - 30 m

* '''Thursday 22nd February'''
** Location: The Water Poet Pub, Liverpool St, London [http://www.beerintheevening.com/cgi-bin/map_link.cgi?id=17986&type=8 map] , [http://www.beerintheevening.com/pubs/s/17/17986/Water_Poet/Shoreditch description]
** We are going to use the downstairs room which you can access from the back of the pub
* '''Presentations''':
** by '''Dinis Cruz (Chief OWASP Evangelist)''' :
*** '''OWASP, the Open Web Application Security Project''' 30m - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.
*** '''Buffer Overflows on .Net and Asp.Net''' 30m - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, large percentage of .Net and Asp.Net applications code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).
*** '''0wning Vista's userland - The CAS / UAC missed opportunity , and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.
** by '''Ivan Ristic''':
*** '''ModSecurity''' - 30m

* '''Schedule''':
** 6pm - 7pm arrive and grab a drink
** 7:00 - '''OWASP, the Open Web Application Security Project''', Dinis Cruz
** 7:45 - '''ModSecurity''', Ivan Ristic
** 8:15 - '''Buffer Overflows on .Net and Asp.Net''', Dinis Cruz
** 8:50 - 0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done, Dinis Cruz
** 9:00 - Dinner

[[Category:United Kingdom]]

2008-08-28T14:27:46Z

Ivanr:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Securing WebGoat using ModSecurity Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project is to create custom Modsecurity rulesets that, in addition to the Core Set, will protect WebGoat 5.1 from as many of its vulnerabilities as possible (the goal is 90%) without changing one line of source code. To ensure that it will be a complete 'no touch' on WebGoat and its environment, ModSecurity will be configured on Apache server as a remote proxy server. For those vulnerabilities that cannot be prevented (partially or not at all), I will document my efforts in attempting to protect them. Business logic vulnerabilities will be particularly challenging to solve.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:stephencraig.evans(at)gmail.com '''Stephen Evans''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors (if applicable) [mailto:name(at)name '''Name&Email''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-webgoat-using-modsecurity '''Mailing List/Subscribe'''] [mailto:Owasp-WebGoat-using-ModSecurity(at)lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:ivan.ristic@breach.com '''Ivan Ristic & Breach Group''']
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:christian.folini(at)netnea.com '''Christian Folini''']
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member '''X'''
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [[:OWASP Securing WebGoat using ModSecurity Project|Main project page]]
* [[:OWASP ModSecurity Securing WebGoat Section4 Sublesson 04.2|Section 4, Mitigating the WebGoat lessons]]
*(If appropriate, links to be added)
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
[[:Category:OWASP WebGoat Project|OWASP WebGoat Project]]
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Securing WebGoat using ModSecurity|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Securing WebGoat using ModSecurity - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template Securing WebGoat using ModSecurity - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template Securing WebGoat using ModSecurity 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Securing WebGoat using ModSecurity - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Securing WebGoat using ModSecurity - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template Securing WebGoat using ModSecurity - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:22%; background:#C2C2C2" align="center"|X
|-
|}

OWASP NYC AppSec 2008 Conference

2008-08-26T15:01:48Z

Ivanr: /* 2008 OWASP USA, NYC Conference Schedule – Sept 24th - Sept 25th */

= 2008 OWASP USA, NYC =
Last Update: {{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}

<center> Scroll down to see speaker agenda, and training options </center>

<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/6/61/Banner2_irfan.jpg]</center>
 
<hr>
<center>[http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Diamond Sponsor] - [http://www.imperva.com http://www.owasp.org/images/d/de/Imperva_2color_RGB.jpg] 
 [https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Platinum Sponsor] - [http://www.cenzic.com https://www.owasp.org/images/b/bf/CenzicLogo_RGB.gif] - [http://www.whitehatsec.com http://www.owasp.org/images/archive/4/4d/20080703021901%21Whitehat.gif] - [http://www-935.ibm.com/services/us/gbs/app/html/gbs_applicationservices.html?cm_re=masthead-_-business-_-apps-allappserv https://www.owasp.org/images/4/47/Ibm.jpg] </center> 
[http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Gold, Silver & Other Sponsors] - [http://www.isc2.org http://www.owasp.org/images/4/45/Isc2logo.gif] - [http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg] - [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif] - [http://www.foundstone.com/us/education-overview.asp http://www.owasp.org/images/2/26/Foundstone.jpg] - [http://www.qualys.com https://www.owasp.org/images/a/ae/Qualys.gif] - [http://www.ouncelabs.com https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg] - [http://www.fortify.com https://www.owasp.org/images/a/ac/Fortify.jpg] - [http://www.cigital.com/ https://www.owasp.org/images/b/be/Cigital_OWASP.GIF] - [http://www.acunetix.com https://www.owasp.org/images/e/eb/Acuneti.gif] - [http://www.accessitgroup.com https://www.owasp.org/images/6/6d/Accessit.JPG] -
[http://www.fishnetsecurity.com https://www.owasp.org/images/4/4a/Fishnet_security.png] - [http://www.arctecgroup.net http://www.owasp.org/images/b/bf/Arctec.jpg] - [http://www.airtightnetworks.net https://www.owasp.org/images/8/8b/Airtight.gif] -
[http://www.artofdefence.com https://www.owasp.org/images/d/dc/AOD_Logo.gif] -
[http://www.securityuniversity.net https://www.owasp.org/images/0/0d/Security_university.jpg] -
[http://www.breach.com https://www.owasp.org/images/9/9c/Breach_logo.gif] - [http://www.armorize.com https://www.owasp.org/images/c/ce/Armorize_Logo.png] -[http://www.barracudanetworks.com/ https://www.owasp.org/images/a/a2/Barracuda_Color_Logo.jpg] ~ [http://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf http://www.owasp.org/images/f/f8/Sponsorsm.gif]
 
<center>[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Sponsorship Opportunities] -- [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-PRESS Press Registration] -- [http://www.owasp.org/index.php/Member_Offers Other OWASP Member Offers] </center>
<hr>
With assistance from: [http://www.webappsec.org WASC], [http://www.nym-infragard.us NYM InfraGard], [http://aitglobal.com AITGlobal], [http://nyphp.org/index.php NYC PHP], [http://www.nycbug.org NYCBUG], [http://www.isacany.net NYC ISACA], [http://www.nymissa.org NYC ISSA] and [http://www.pace.edu Pace University] you're invited to (2) days of Seminars and Technology Pavilion from the world's best application security technology minds, (2) days of hardcore hands-on training, all held at [http://www.pace.edu/page.cfm?doc_id=16157 Pace University], located in downtown New York City at One Pace Plaza New York, NY 10038. Event Fees: $350 Members / $400 Non-Members / $200 for Students. [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference#OWASP_NYC_AppSec_2008_Training_Courses_-_September_22nd_and_23rd.2C_2008 2 days of hands on training classes] are also available.
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]
 
</center>
OWASP NYC's conference offers tracks for security and development professionals interested in learning how to secure applications and enterprises as well as organization leaders who want to learn more about the state of the appsec industry and its trends. With two days of training and two days of sessions discussing cutting edge research presented by some of the brightest people in the industry, this event is a must attend for anyone looking to improve their information security posture.

== 2008 OWASP USA, NYC Conference Schedule – Sept 24th - Sept 25th ==
<center>[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/speakeragreement OWASP Speaker Agreement]</center>
{| style="width:80%" border="0" align="center"
! colspan="4" align="center" style="background:#4058A0; color:white" | Day 1 – Sept 24th, 2008
|-
| style="width:10%; background:#7B8ABD" | || style="width:30%; background:#BC857A" | Track 1:
| style="width:30%; background:#BCA57A" | Track 2:
| style="width:30%; background:#99FF99" | Track 3:
|-
| style="width:10%; background:#7B8ABD" | 07:30-10:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Doors Open for Attendee/Speaker Registration & [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference#Technology_Pavilion_-_September_24th_and_25th Exhibit/Sponsor Area]'''

|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | OWASP Version 3.0 who we are, where we are.. where we are going
''OWASP Foundation: [http://www.owasp.org/index.php/Contact Jeff Williams], [http://www.owasp.org/index.php/Contact Dinis Cruz], [http://www.owasp.org/index.php/Contact Dave Wichers], [http://www.linkedin.com/in/tombrennan Tom Brennan], [http://www.owasp.org/index.php/Contact Sebastien Deleersnyder], [http://www.owasp.org/index.php/Contact Paulo Coimbra], [http://www.owasp.org/index.php/Contact Kate Hartmann], [http://www.owasp.org/index.php/Contact Alison Shrader] & [http://www.owasp.org/index.php/Category:OWASP_Chapter#Chapter_Support_Materials all local chapter leaders]
''
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/AppSecEU08_Trends_in_Web_Hacking_Incidents:_What%27s_hot_for_2008 Analysis of the Web Hacking Incidents Database (WHID)]
''[http://blog.shezaf.com Ofer Shezaf]''
| style="width:30%; background:#BCA57A" align="left" | [http://www.webappsecroadmap.com Web Application Security Road Map] 
''[http://joesecurity.blogspot.com Joe White]''
| style="width:30%; background:#99FF99" align="left" |[https://buildsecurityin.us-cert.gov/swa/acqwg.html DHS Software Assurance Initiatives]
''[http://www.linkedin.com/pub/0/ab/3b7 Stan Wisseman] & [http://www.linkedin.com/pub/1/439/923 Joe Jarzombek]''
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="left" | Web Security Education using Open Source Tools
''Prof. Li-Chiou Chen & Chienitng Lin, [http://www.pace.edu/page.cfm?doc_id=16399 Pace Univ]''
| style="width:30%; background:#BCA57A" align="left" | Http Bot Research
''[http://www.shadowserver.org/wiki/pmwiki.php?n=Shadowserver.Mission Andre M. DiMino - ShadowServer Foundation]''
| style="width:30%; background:#99FF99" align="left" | MalSpam Research
'' [http://www.knujon.com/bios.html Garth Bruen]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Capture the Flag] Sign-Up
''LUNCH - Provided by event sponsors @ TechExpo''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:30 || style="width:30%; background:#BC857A" align="left" | Cross-Site Scripting Filter Evasion
''Alexios Fakos''
| style="width:30%; background:#BCA57A" align="left" | Framework-level Threat Analysis: Adding Science to the Art of Source-code review
''[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-rohit-sethi Rohit Sethi] & [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-sahba-kazerooni Sahba Kazerooni]''
| style="width:30%; background:#99FF99" align="left" | Automated Web-based Malware Behavioral Analysis
''[http://www.linkedin.com/pub/3/359/b1a Tyler Hudak]''
|-
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="left" | OWASP Testing Guide - Offensive Assessing Financial Applications
'' [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-daniel-cuthbert Daniel Cuthbert]''
| style="width:30%; background:#BCA57A" align="left" | WAF ModSecurity
''[http://www.breach.com/company/executive-team/ Ivan Ristic]''
| style="width:30%; background:#99FF99" align="left" | Using Layer 8 and OWASP to Secure Web Applications
''[http://www.linkedin.com/in/davidstern2000 David Stern] & [http://www.linkedin.com/in/romangarber Roman Garber]''

|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="left" | Critical exploits... let us count the ways
''[http://jeremiahgrossman.blogspot.com Jeremiah Grossman] & [http://ha.ckers.org/blog/about Robert "RSnake" Hansen],''
| style="width:30%; background:#BCA57A" align="left" | OWASP Testing Guide - Reverse Engineering .NET
''[http://www.linkedin.com/in/adamboulton Adam Boulton]''
| style="width:30%; background:#99FF99" align="left" | JBroFuzz 0.1 - 1.1: Building a Java Fuzzer for the Web
''[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Yiannis Pavlosoglou]''
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="left" |Industry Outlook Panel: ''[http://www.linkedin.com/in/markclancy Mark Clancy] EVP CitiGroup, [http://www.linkedin.com/pub/0/497/86a Jim Routh] CISO DTCC, [http://www.linkedin.com/pub/0/bb1/68a Sunil Seshadri] CISO NYSE-Euronet, [http://www.linkedin.com/pub/0/1ba/4a9 Warren Axelrod] SVP Bank of America, [http://www.linkedin.com/in/bernik Joe Bernik] SVP, RBS,[http://www.linkedin.com/pub/8/878/240 Jennifer Bayuk] Infosec Consultant & [http://www.linkedin.com/in/philvenables Philip Venables] CISO, Goldman Sachs
[http://www.linkedin.com/in/crecalde Carlos Recalde] SVP, Lehman Brothers
[http://www.linkedin.com/in/mahidontamsetti Mahi Dontamsetti] Moderator''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Wild_Wild_Web_on_Security_Planet Wild Wild Web on Security Planet]
''[http://www.securisksolutions.com/company/execmgt.aspx Mano Paul]''
| style="width:30%; background:#99FF99" align="left" |[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-GunterOllmann Multidisciplinary Bank Attacks]
''Gunter Ollmann''
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="left" | OWASP Enterprise Security API [http://www.owasp.org/index.php/ESAPI (ESAPI) Project]
'' [http://www.aspectsecurity.com/management.htm Jeff Williams]''
| style="width:30%; background:#BCA57A" align="left" | Shootout @ Blackbox Corral
''Larry Suto ''
| style="width:30%; background:#99FF99" align="left" | Case Studies: Exploiting application testing tool deficiencies via "out of band" injection
''[http://www.linkedin.com/pub/0/a91/aa2 Vijay Akasapu] & [http://www.linkedin.com/pub/9/279/381 Marshall Heilman]''
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || style="width:30%; background:#BC857A" align="left" | Threading the Needle:

Bypassing web application/service security controls using Encoding, Transcoding, Filter Evasion, and other Canonicalization Attacks
'' [http://www.linkedin.com/in/arianevans Arian Evans]''
| style="width:30%; background:#BCA57A" align="left" |Shhhh Don’t Tell Anybody
''[http://www.linkedin.com/in/ppetkov Petko D. Petkov]''
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho w3af - A Framework to own the web]
''Andres Riancho''
|-
| style="width:10%; background:#7B8ABD" | 18:00-18:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD]
'' [http://www.linkedin.com/in/packetfocus Joshua Perrymon]''
| style="width:30%; background:#BCA57A" align="left" | Coding Secure w/PHP
''[http://www.linkedin.com/in/zaunere Hans Zaunere]''
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/Payment_Card_Data_Security_and_the_new_Enterprise_Java Payment Card Data Security and the new Enterprise Java]
''[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Dr._B._V._Kumar Dr. B. V. Kumar] & [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Abhay_Bhargav Mr. Abhay Bhargav]''
|-
| style="width:10%; background:#7B8ABD" | 20:00-23:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP NYC AppSec 2008 VIP Party
''Location: TBD''
|-
! colspan="10" align="center" style="background:#4058A0; color:white" | Day 2 – Sept 25th, 2008
|-
| style="width:10%; background:#99FF99" | 08:00-10:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | BREAKFAST - Provided by event sponsors @ TechExpo

|-
| style="width:10%; background:#7B8ABD" | 08:00-08:45 || style="width:30%; background:#BC857A" align="left" | State of the Union
''[http://www.aeispeakers.com/speakerbio.php?SpeakerID=1192 Prof. Howard A. Schmidt, CISSP, CISM (Hon.)] Current (ISC)² Security Strategist and Former White House Cyber Security Advisor''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/AppSecEU08_Best_Practices_Guide_Web_Application_Firewalls Best Practices Guide: Web Application Firewalls]
''Alexander Meisel''
| style="width:30%; background:#99FF99" align="left" | The Good The Bad and The Ugly - Pen Testing VS. Source Code Analysis
''[http://www.linkedin.com/in/tommyryan Thomas Ryan]'' & ''[http://www.linkedin.com/in/steveantoniewicz Steve Antoniewicz]''

|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || style="width:30%; background:#BC857A" align="left" | [http://www.trutv.com/video/tiger-team/tiger-team-101-1-of-4.html APPSEC Red/Tiger Team Projects]
''[http://www.linkedin.com/pub/1/373/994 Chris Nickerson]''
| style="width:30%; background:#BCA57A" align="left" | OWASP "Google Hacking" Project
''[http://www.linkedin.com/in/ChristianHeinrich Christian Heinrich]''
| style="width:30%; background:#99FF99" align="left" | OWASP Web Services Top Ten
''[http://1raindrop.typepad.com Gunnar Peterson]''
|-
| style="width:10%; background:#7B8ABD" | 10:00-10:45 || style="width:30%; background:#BC857A" align="left" | Lets talk about OWASP....
''Dinis Cruz''
| style="width:30%; background:#BCA57A" align="left" | "Help Wanted" [http://www.infosecleaders.com/survey 7 Things You Need to Know APPSEC/INFOSEC Employment]
''[http://www.linkedin.com/pub/0/29/685 Lee Kushner]''
| style="width:30%; background:#99FF99" align="left" | Industry Analyst with Forrester Research
''[http://www.forrester.com/rb/analyst/chenxi_wang Chenxi Wang]''
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_CLASP_Project CLASP (Comprehensive, Lightweight Application Security Process)]
''Pravir Chandra''
| style="width:30%; background:#BCA57A" align="left" | Next Generation Cross Site Scripting Worms
''[http://i8jesus.com/?page_id=5 Arshan Dabirsiaghi]''
| style="width:30%; background:#99FF99" align="left" | Secure Software Impact
''[http://ouncelabs.com/company/team.asp Jack Danahy]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-12:45 || style="width:30%; background:#BC857A" align="left" | Security in Agile Development
''[http://www.owasp.org/index.php/User:Wichers Dave Wichers]''
| style="width:30%; background:#BCA57A" align="left" | Security of Software-as-a-Service (SaaS)
''[http://www.linkedin.com/pub/6/372/45a James Landis]''
| style="width:30%; background:#99FF99" align="left" | [http://reversebenchmarking.com/About.html Open Reverse Benchmarking Project]
''Marce Luck & [http://www.linkedin.com/pub/1/507/616 Tom Stracener]''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference/ctf Capture the Flag] Status
''LUNCH - Provided @ TechExpo''
|-
| style="width:10%; background:#7B8ABD" | 13:00-13:45 || style="width:30%; background:#BC857A" align="left" | Security Research Report
''[http://www.linkedin.com/pub/5/742/233 Dinis Cruz]''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project Pantera Advances]
''[http://www.linkedin.com/pub/1/598/855 Simon Roses Femerling]''
| style="width:30%; background:#99FF99" align="left" | [https://www.owasp.org/index.php/User_talk:Jian Lotus Notes/Domino Web Application Security]
''[https://www.owasp.org/index.php/User_talk:Jian Jian Hui Wang]''
|-
| style="width:10%; background:#7B8ABD" | 14:00-14:45 || style="width:30%; background:#BC857A" align="left" | Practical Advanced Threat Modeling
''John Steven''
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Owasp Orizon]
''Paolo Perego''
| style="width:30%; background:#99FF99" align="left" | [http://www.owasp.org/index.php/Building_Usable_Security Building Usable Security]
[http://www.owasp.org/index.php/Zed_Abbadi Zed Abbadi]
|-
| style="width:10%; background:#7B8ABD" | 15:00-15:45 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/Input_validation:_the_Good%2C_the_Bad_and_the_Ugly Input validation: the Good, the Bad and the Ugly]
''[http://johanpeeters.com Johan Peeters]''
| style="width:30%; background:#BCA57A" align="left" | Off-shoring Application Development? Security is Still Your Problem
''Rohyt Belani''
| style="width:30%; background:#99FF99" align="left" | [[NIST SAMATE Static Analysis Tool Exposition (SATE)]]
''[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-vadim-okun Vadim Okun]''
|-
| style="width:10%; background:#7B8ABD" | 16:00-16:45 || style="width:30%; background:#BC857A" align="left" | Vulnerabilities in application interpreters and runtimes
''Erik Cabetas''
| style="width:30%; background:#BCA57A" align="left" | Flash Parameter Injection (FPI)
''Ayal Yogev & Adi Sharabani''
| style="width:30%; background:#99FF99" align="left" | Mastering PCI Section 6.6
''[http://www.linkedin.com/pub/1/228/6a5 Taylor McKinley] and [http://www.linkedin.com/in/jacobwest Jacob West]''
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Wizdom of Crowds / CTF Awards & Raffles'''
|-
| style="width:10%; background:#7B8ABD" | 18:30-19:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Foundation, Chapter Leader Meeting
|}

<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 http://www.owasp.org/images/7/7f/Register.gif]</center>

== Technology Pavilion - September 24th and 25th ==

Want to see the latest offerings from technology product and service firms, visit the Technology Pavilion. On September 24th and 25th. 2 full days of exhibits by service providers and manufacturers from around the world.

Do you want to preview the event space [http://www.flickr.com/photos/21550725@N04/sets/72157604662279903/detail Click Here]

<hr>

== CPE Credits ==

Much of the content is eligible for CPE credits. Please check with your institution regarding specific requirements.

'''The CISM cpe policy (www.isaca.org/cismcpepolicy) states''':

One continuing professional education hour is earned for each fifty minutes of active participation (excluding lunches and breaks) in a professional educational activity. Continuing professional education hours are only earned in full-hour increments and rounding must be down. For example, a CISA who attends an eight-hour presentation (480 minutes) with 90 minutes of breaks will earn seven (7) continuing professional education hours.

Activities that qualify for CPE must be directly applicable to the management, design or assessment of an enterprise's information security as per the CISM job practice"

'''Earn (ISC)2 CPE Credits at 2008 OWASP USA, NYC'''

Attendance at the 2008 OWASP NYC Training Courses or Conferences will earn you Continuing Professional Education (CPE) credits as follows:
Training Courses: September 22-23, 2008
• 16 CPE units for 2 days of training (Monday - Tuesday)
• 8 CPE units for 1 day of training (Monday or Tuesday Only)
Conferences: September 24-25, 2008
Earn 1 CPE per hour of conference attendance

== [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008] ==
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T1. Defensive Programming - 2-Days - $1350
|-
| style="background:#F2F2F2" | This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. The instructor Pravir Chandra is well known security expert, project lead for OWASP CLASP project and former co-founder & CTO of secure software [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Jason Rouse, Technical Manager, [http://www.cigital.com/training/series http://www.owasp.org/images/b/be/Cigital_OWASP.GIF]'''
|-
{| style="width:80%" border="0" align="center"
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE - 2-Days - $1350
|-
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:
# Java EE security overview,
# All coding examples and recommendations are specifically focused on Java and Java servers, and
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.

[[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Dave Wichers: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
'''
|-
! align="center" style="background:#4058A0; color:white" | T3. Web Services and XML Security - 2-Days - $1350
|-
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]
|-
! align="center" style="background:#4058A0; color:white" | T4. Advanced Web Application Security Testing - 2-Days - $1350
|-
| style="background:#F2F2F2" | Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

Instructor: Eric Sheridan: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
! align="center" style="background:#4058A0; color:white" | T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675
|-
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]
Instructor: John Pavone: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
{| style="width:80%" border="0" align="center"
|-
! align="center" style="background:#4058A0; color:white" | T6. Building Secure Rich Internet Applications 1-Day - Sept 23rd- $675
|-
| style="background:#F2F2F2" | Rich Internet applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. This one day training addresses the special issues that arise in this type of application development. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]
Instructor: Arshan Dabirsiaghi: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''
|-
{| style="width:80%" border="0" align="center"

! align="center" style="background:#4058A0; color:white" | T8. Writing Secure Code ASP.NET - 2-Days - $1350
|-
| style="background:#F2F2F2" | Understand the key security features of the .NET platform, the common web security pitfalls developers make, and how to build secure and reliable web applications using ASP.NET. Students are lead through hands on code examples that highlight issues and prescribe solutions. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]

The instructors are Foundstone's Technical Director, Rudolph Araujo and Foundstone's Professional Services Conlultant, Alex Smolen. [http://www.foundstone.com/us/education-overview.asp https://www.owasp.org/images/2/26/Foundstone.jpg]
|}
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center>

<h2> HOTELS / TRAVEL </h2>
[http://maps.google.com/maps?near=Pace+Plz,+New+York,+NY+10038+(Pace+University+New+York+Cmps)&geocode=15467452012610799558,40.711640,-74.005820&q=hotel&f=l&dq=Pace+University-New+York&ie=UTF8&z=15&om=0 Hotels in the area of the event]

New York City MTA: http://www.mta.nyc.ny.us/nyct/index.html

New York City Subway & walking directions: http://www.hopstop.com/?city=newyork

New York Sights & Sounds - SightsSounds

New York City Travel Guide - http://www.nytoday.com/

New York City Attractions - http://www.nycvisit.com

New York TV Show Tickets - Get free tickets to TV shows! - http://www.nytix.com/

New York City local news: http://www.ny1news.com

<h2>EVENT SPONSORSHIP </h2>The OWASP Conferences & Training security technologists including CSOs,admins, application admins, MIS directors, homeland defense chiefs. These important influencers drive buying decisions exclusive access to its audiences. OWASP has established strategic relationships with security—print publications, newsletters, portals, consultants,message—and leadership positioning OWASP events. OWASP’s mission is supported by organizations who share our application, and software security communities. This approach should be part of your mix.

[https://www.owasp.org/images/6/66/NY_Sponsorship_Form_update_%282%29.pdf Sponsorship Opportunities]- Register online: [http://guest.cvent.com/i.aspx?4W,M3,09e3b490-ba93-4474-851e-be803b1a01c2 click here]