OWASP - User contributions [en]

Los Angeles/Sponsors/Venafi

2012-09-17T05:23:06Z

Kelly FitzGerald: Created the page, added initial description

==Full Company Description==

[http://www.venafi.com/ Venafi] is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions. Venafi delivered the first enterprise-class solution to automate the provisioning, discovery, monitoring and management of digital certificates and encryption keys——from the datacenter to the cloud and beyond——built specifically for encryption management interoperability across heterogeneous environments. Venafi products reduce the unquantified and unmanaged risks associated with encryption deployments that result in data breaches, security audit failures and unplanned system outages. Venafi customers include the world’’s most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail.

==Condensed Company Description==

Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM), and delivered the first enterprise-class solution to automate the provisioning, discovery, monitoring and management of digital certificates and encryption keys, built specifically for encryption management interoperability across heterogeneous environments
—— from the datacenter to the cloud and beyond.

Los Angeles

2012-09-17T05:19:28Z

Kelly FitzGerald: Added wiki article link for Venafi sponsor

== Welcome to the Los Angeles Chapter! ==

'''Sponsors and Supporters Donate Here:'''
=====https://www.cvent.com/events/owasp-sponsorship-and-donation/registration-99bc1441e2684ff5b214b0df6b3a9ae3.aspx=====

Single Meeting Supporter:
Organizations that wish to support the OWASP Los Angeles Chapter with a 100% tax deductible donation enable the OWASP Foundation to continue its mission

Get the following benefits::
- Meet upwards of 60-70 potential new clients
- Be recognized as a local supporter by posting your company logo on the local chapter page(Image size for logos: gif, jpg or png with a size of 150px X 45px at 72dpi or 55px X 80px at 72dpi)
- Have a table at local chapter meeting
- Promote your products and services
- Bring a raffle prize to gather business cards

Contact us [[#Los Angeles Chapter]] for general questions relating to sponsorship and donations

== Announcements ==

http://img1.meetupstatic.com/892670376411449149876/img/header/logo.png
===== We are on Meetup. Please join our community there. =====

===== http://www.meetup.com/OWASP-Los-Angeles/ =====

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 

== Next Meeting September 19, 2012: Special Dinner Meeting with Los Angeles Chapters: OWASP, ISSA, ISC2 and CSA ==
*'''At: The Olympic Collection Banquet & Conference Center'''

*11301 Olympic Blvd. #204, ● West Los Angeles, CA 90064

===== Please RSVP here: http://www.issala.org/events/?event_id=35 =====
 
== Thanks to generous support of our sponsors==

'''Bay Dynamics''' http://www.baydynamics.com/

'''[[Los Angeles/Sponsors/Venafi|Venafi]]''' http://www.Venafi.com/

'''Trustwave''' https://www.trustwave.com/

'''Security Innovation''' http://www.securityinnovation.com/

'''Phone Factor''' http://www.phonefactor.com/index.php
 
 
== Would you like to speak at an OWASP Los Angeles Meeting? ==

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. The talk must be vendor neutral and its content be available under Creative Common 3.0 license.

 

== Archives of Previous Meetings ==
[[Los Angeles/2012 Meetings|2012 Meetings]]

[[Los Angeles/2011 Meetings|2011 Meetings]]

[[Los Angeles/2010 Meetings|2010 Meetings]]

[[Los Angeles/2009 Meetings|2009 Meetings]]

[[Los Angeles/2008 Meetings|2008 Meetings]]

[[Los Angeles Presentation Archive|List of presentations available from past meetings]] 

 

== Los Angeles Chapter ==

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and President
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member
*[mailto:edward@owasp.org Edward Bonver] -- Board Member
*[mailto:Kelly.Fitzgerald@owasp.org Kelly Fitzgerald] -- Board Member
*[mailto:Stuart.Schwartz@owasp.org Stuart Schwartz] -- Board Member

Volunteer OWASP Leaders: Yev Avidon and Mikhael Felker 
Los Angeles chapter was founded by Cassio Goldschmidt.

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

Web archive: http://2010.AppSecUSA.org

Videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

[[Category:California]] [[Category:OWASP Chapter]]

Los Angeles

2011-03-25T21:25:59Z

Kelly FitzGerald:

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== Next Chapter Meeting:  Wednesday, April 27, 2011 7:00 P.M. - 8:30 P.M. ==

Symantec 900 Corporate Pointe Culver City, CA 90232 

Please RSVP: http://owasp-april2011.eventbrite.com/

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: NoSQL Security''' ==

'''Speaker: Bryan Sullivan''' 

[[Image:BryanSullivan.JPG]]

Bryan Sullivan is a Senior Security Researcher with Adobe Systems, where he focuses on cloud security issues. Prior to Adobe, he was a program manager on Microsoft's Security Development Lifecycle team, and a development manager at HP, where he helped to design HP's vulnerability scanning tools WebInspect and DevInspect. Bryan has spoken at security industry conferences such as Black Hat, RSA Conference, BlueHat and TechEd on topics such as RIA architecture, REST, cryptography, denial-of-service defense, URL rewriting, and applying secure development processes to Agile projects. He was the author of the MSDN Magazine column Security Briefs, and is the coauthor of the books Ajax Security (Addison-Wesley, 2007) and the upcoming Secure Web Applications, A Beginner's Guide (McGraw-Hill, 2011).

'''Abstract: NoSQL Security''' 

NoSQL databases are rapidly gaining popularity, especially for use in distributed, high-availability cloud services. But are we making the same mistakes with NoSQL in the childhood of the cloud that we made with SQL in the childhood of the web? This talk will examine some general security issues that come with emphasizing the Availability aspect of Consistency/Availability/Partition-tolerance, and we'll also look at some specific issues with popular NoSQL databases such as MongoDB and Cassandra.

== '''Sponsors:''' ==

[[Image:BPS Logo.jpg|http://www.businesspartnersolutions.com/]]

 BPS has experience with fortune 500, City, and State Government clients. BPS has working technical knowledge in the following areas of security and compliance:

Audit trail monitoring and planning Business continuity planning and disaster recovery Configuration management Data classification Incident response planning Policy development Risk analysis and acceptance Forensics Forensic tools and methodology Secure software development lifecycle (SDLC) Vulnerability management and remediation Project management 

 

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

[[2009 Meetings]]

[[2010 Meetings]]

[[2011 Meetings]]

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

Los Angeles

2011-03-23T20:28:25Z

Kelly FitzGerald:

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== Next Chapter Meeting:  Wednesday, April 27, 2011 6:00 P.M. - 8:30 P.M. ==

Symantec 900 Corporate Pointe Culver City, CA 90232 

Please RSVP: http://owasp-april2011.eventbrite.com/

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: NoSQL Security''' ==

'''Speaker: Bryan Sullivan''' 

[[Image:BryanSullivan.JPG]]

Bryan Sullivan is a Senior Security Researcher with Adobe Systems, where he focuses on cloud security issues. Prior to Adobe, he was a program manager on Microsoft's Security Development Lifecycle team, and a development manager at HP, where he helped to design HP's vulnerability scanning tools WebInspect and DevInspect. Bryan has spoken at security industry conferences such as Black Hat, RSA Conference, BlueHat and TechEd on topics such as RIA architecture, REST, cryptography, denial-of-service defense, URL rewriting, and applying secure development processes to Agile projects. He was the author of the MSDN Magazine column Security Briefs, and is the coauthor of the books Ajax Security (Addison-Wesley, 2007) and the upcoming Secure Web Applications, A Beginner's Guide (McGraw-Hill, 2011).

'''Abstract: NoSQL Security''' 

NoSQL databases are rapidly gaining popularity, especially for use in distributed, high-availability cloud services. But are we making the same mistakes with NoSQL in the childhood of the cloud that we made with SQL in the childhood of the web? This talk will examine some general security issues that come with emphasizing the Availability aspect of Consistency/Availability/Partition-tolerance, and we'll also look at some specific issues with popular NoSQL databases such as MongoDB and Cassandra.

== '''Sponsors:''' ==

[[Image:BPS Logo.jpg|http://www.businesspartnersolutions.com/]]

 BPS has experience with fortune 500, City, and State Government clients. BPS has working technical knowledge in the following areas of security and compliance:

Audit trail monitoring and planning Business continuity planning and disaster recovery Configuration management Data classification Incident response planning Policy development Risk analysis and acceptance Forensics Forensic tools and methodology Secure software development lifecycle (SDLC) Vulnerability management and remediation Project management 

 

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

Los Angeles

2011-03-23T20:27:35Z

Kelly FitzGerald:

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== Next Chapter Meeting:  Wednesday, April 27, 2011 6:00 P.M. - 8:30 P.M. ==

Symantec 900 Corporate Pointe Culver City, CA 90232 

Please RSVP: http://owasp-april2011.eventbrite.com/

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: NoSQL Security''' ==

'''Speaker: Bryan Sullivan''' 

[[Image:BryanSullivan.JPG]]Bryan Sullivan is a Senior Security Researcher with Adobe Systems, where he focuses on cloud security issues. Prior to Adobe, he was a program manager on Microsoft's Security Development Lifecycle team, and a development manager at HP, where he helped to design HP's vulnerability scanning tools WebInspect and DevInspect.

Bryan has spoken at security industry conferences such as Black Hat, RSA Conference, BlueHat and TechEd on topics such as RIA architecture, REST, cryptography, denial-of-service defense, URL rewriting, and applying secure development processes to Agile projects. He was the author of the MSDN Magazine column Security Briefs, and is the coauthor of the books Ajax Security (Addison-Wesley, 2007) and the upcoming Secure Web Applications, A Beginner's Guide (McGraw-Hill, 2011). 

'''Abstract: NoSQL Security''' 

NoSQL databases are rapidly gaining popularity, especially for use in distributed, high-availability cloud services. But are we making the same mistakes with NoSQL in the childhood of the cloud that we made with SQL in the childhood of the web? This talk will examine some general security issues that come with emphasizing the Availability aspect of Consistency/Availability/Partition-tolerance, and we'll also look at some specific issues with popular NoSQL databases such as MongoDB and Cassandra.

== '''Sponsors:''' ==

[[Image:BPS Logo.jpg|http://www.businesspartnersolutions.com/]]

 BPS has experience with fortune 500, City, and State Government clients. BPS has working technical knowledge in the following areas of security and compliance:

Audit trail monitoring and planning Business continuity planning and disaster recovery Configuration management Data classification Incident response planning Policy development Risk analysis and acceptance Forensics Forensic tools and methodology Secure software development lifecycle (SDLC) Vulnerability management and remediation Project management 

 

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

File:BryanSullivan.JPG

2011-03-23T20:25:25Z

Kelly FitzGerald:

Los Angeles

2011-03-23T20:19:05Z

Kelly FitzGerald: Removing an extra line

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== Next Chapter Meeting:  Wednesday, April 27, 2011 6:00 P.M. - 8:30 P.M. ==

Symantec 900 Corporate Pointe Culver City, CA 90232 

Please RSVP: http://owasp-april2011.eventbrite.com/

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: NoSQL Security''' ==

'''Speaker: Bryan Sullivan''' 

Bryan Sullivan is a Senior Security Researcher with Adobe Systems, where he focuses on cloud security issues. Prior to Adobe, he was a program manager on Microsoft's Security Development Lifecycle team, and a development manager at HP, where he helped to design HP's vulnerability scanning tools WebInspect and DevInspect.

Bryan has spoken at security industry conferences such as Black Hat, RSA Conference, BlueHat and TechEd on topics such as RIA architecture, REST, cryptography, denial-of-service defense, URL rewriting, and applying secure development processes to Agile projects. He was the author of the MSDN Magazine column Security Briefs, and is the coauthor of the books Ajax Security (Addison-Wesley, 2007) and the upcoming Secure Web Applications, A Beginner's Guide (McGraw-Hill, 2011). 

'''Abstract: NoSQL Security''' 

NoSQL databases are rapidly gaining popularity, especially for use in distributed, high-availability cloud services. But are we making the same mistakes with NoSQL in the childhood of the cloud that we made with SQL in the childhood of the web? This talk will examine some general security issues that come with emphasizing the Availability aspect of Consistency/Availability/Partition-tolerance, and we'll also look at some specific issues with popular NoSQL databases such as MongoDB and Cassandra.

== '''Sponsors:''' ==

[[Image:BPS Logo.jpg|http://www.businesspartnersolutions.com/]]

 BPS has experience with fortune 500, City, and State Government clients. BPS has working technical knowledge in the following areas of security and compliance:

Audit trail monitoring and planning Business continuity planning and disaster recovery Configuration management Data classification Incident response planning Policy development Risk analysis and acceptance Forensics Forensic tools and methodology Secure software development lifecycle (SDLC) Vulnerability management and remediation Project management 

 

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

Los Angeles

2011-03-23T20:18:17Z

Kelly FitzGerald: All edits done save for press photo of B. Sullivan

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== ==

== Next Chapter Meeting:  Wednesday, April 27, 2011 6:00 P.M. - 8:30 P.M. ==

Symantec 900 Corporate Pointe Culver City, CA 90232 

Please RSVP: http://owasp-april2011.eventbrite.com/

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: NoSQL Security''' ==

'''Speaker: Bryan Sullivan''' 

Bryan Sullivan is a Senior Security Researcher with Adobe Systems, where he focuses on cloud security issues. Prior to Adobe, he was a program manager on Microsoft's Security Development Lifecycle team, and a development manager at HP, where he helped to design HP's vulnerability scanning tools WebInspect and DevInspect.

Bryan has spoken at security industry conferences such as Black Hat, RSA Conference, BlueHat and TechEd on topics such as RIA architecture, REST, cryptography, denial-of-service defense, URL rewriting, and applying secure development processes to Agile projects. He was the author of the MSDN Magazine column Security Briefs, and is the coauthor of the books Ajax Security (Addison-Wesley, 2007) and the upcoming Secure Web Applications, A Beginner's Guide (McGraw-Hill, 2011). 

'''Abstract: NoSQL Security''' 

NoSQL databases are rapidly gaining popularity, especially for use in distributed, high-availability cloud services. But are we making the same mistakes with NoSQL in the childhood of the cloud that we made with SQL in the childhood of the web? This talk will examine some general security issues that come with emphasizing the Availability aspect of Consistency/Availability/Partition-tolerance, and we'll also look at some specific issues with popular NoSQL databases such as MongoDB and Cassandra.

== '''Sponsors:''' ==

[[Image:BPS_Logo.jpg|http://www.businesspartnersolutions.com/]]

 BPS has experience with fortune 500, City, and State Government clients. BPS has working technical knowledge in the following areas of security and compliance:

Audit trail monitoring and planning Business continuity planning and disaster recovery Configuration management Data classification Incident response planning Policy development Risk analysis and acceptance Forensics Forensic tools and methodology Secure software development lifecycle (SDLC) Vulnerability management and remediation Project management 

 

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

File:BPS Logo.jpg

2011-03-23T20:12:21Z

Kelly FitzGerald:

Los Angeles

2011-03-23T20:11:16Z

Kelly FitzGerald: Changing the date for April 27th. Still need to update sponser.

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== ==

== Next Chapter Meeting:  Wednesday, April 27, 2011 6:00 P.M. - 8:30 P.M. ==

Symantec 900 Corporate Pointe Culver City, CA 90232 

Please RSVP:

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: NoSQL Security''' ==

'''Speaker: Bryan Sullivan''' 

Bryan Sullivan is a Senior Security Researcher with Adobe Systems, where he focuses on cloud security issues. Prior to Adobe, he was a program manager on Microsoft's Security Development Lifecycle team, and a development manager at HP, where he helped to design HP's vulnerability scanning tools WebInspect and DevInspect.

Bryan has spoken at security industry conferences such as Black Hat, RSA Conference, BlueHat and TechEd on topics such as RIA architecture, REST, cryptography, denial-of-service defense, URL rewriting, and applying secure development processes to Agile projects. He was the author of the MSDN Magazine column Security Briefs, and is the coauthor of the books Ajax Security (Addison-Wesley, 2007) and the upcoming Secure Web Applications, A Beginner's Guide (McGraw-Hill, 2011). 

'''Abstract: NoSQL Security''' 

NoSQL databases are rapidly gaining popularity, especially for use in distributed, high-availability cloud services. But are we making the same mistakes with NoSQL in the childhood of the cloud that we made with SQL in the childhood of the web? This talk will examine some general security issues that come with emphasizing the Availability aspect of Consistency/Availability/Partition-tolerance, and we'll also look at some specific issues with popular NoSQL databases such as MongoDB and Cassandra.

== '''Sponsors:''' ==

[[Image:Evolve logo.jpg|http://www.go-evolve.com/]]

Evolve Technology Group: Evolve Technology Group’s mission is to build robust networks to support Data, Voice and Video. We provide professional consulting services to integrate technology solutions that effectively mitigate a wide variety of information security risks and performance issues faced by our clients. In our constantly changing world, we provide relevance in the industry with best of breed products and solutions coupled with superior customer service to enable our clients to exceed their goals.

 

 [[Image:WebSenseLogo.jpg|http://www.websense.com/content/home.aspx]] 

Websense: The Websense TRITONT security architecture provides the industry’s first and only unified content security solution to deliver the best modern security for inbound threats and outbound risks with the lowest total cost of ownership. Websense secures the modern business as its infrastructure dissolves and users, data, and applications move to the Web.

 

 

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

Los Angeles

2011-03-23T20:04:38Z

Kelly FitzGerald: Mid-edit Save for the LA April 2011 meeting

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== ==

== Next Chapter Meeting:  Wednesday, March 16, 2011 6:00 P.M. - 8:30 P.M. ==

Les Freres Taix French Restaurant 1911 West Sunset Blvd. Los Angeles, CA 90026 213/484-1265 

Please RSVP: [http://www.issa-la.org/rsvpoptions/ http://www.issa-la.org/rsvpoptions/
]

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: NoSQL Security''' ==
'''Speaker: Bryan Sullivan'''[[Image:Liam OMurchu.png|left|112x130px|Scottsutherland.jpeg]]  ==

Bryan Sullivan is a Senior Security Researcher with Adobe Systems, where he focuses on cloud security issues. Prior to Adobe, he was a program manager on Microsoft's Security Development Lifecycle team, and a development manager at HP, where he helped to design HP's vulnerability scanning tools WebInspect and DevInspect.

Bryan has spoken at security industry conferences such as Black Hat, RSA Conference, BlueHat and TechEd on topics such as RIA architecture, REST, cryptography, denial-of-service defense, URL rewriting, and applying secure development processes to Agile projects. He was the author of the MSDN Magazine column Security Briefs, and is the coauthor of the books Ajax Security (Addison-Wesley, 2007) and the upcoming Secure Web Applications, A Beginner's Guide (McGraw-Hill, 2011). 

'''Abstract: NoSQL Security''' 

NoSQL databases are rapidly gaining popularity, especially for use in distributed, high-availability cloud services. But are we making the same mistakes with NoSQL in the childhood of the cloud that we made with SQL in the childhood of the web? This talk will examine some general security issues that come with emphasizing the Availability aspect of Consistency/Availability/Partition-tolerance, and we'll also look at some specific issues with popular NoSQL databases such as MongoDB and Cassandra.

== '''Sponsors:''' ==

[[Image:Evolve logo.jpg|http://www.go-evolve.com/]]

Evolve Technology Group: Evolve Technology Group’s mission is to build robust networks to support Data, Voice and Video. We provide professional consulting services to integrate technology solutions that effectively mitigate a wide variety of information security risks and performance issues faced by our clients. In our constantly changing world, we provide relevance in the industry with best of breed products and solutions coupled with superior customer service to enable our clients to exceed their goals.

 

 [[Image:WebSenseLogo.jpg|http://www.websense.com/content/home.aspx]] 

Websense: The Websense TRITONT security architecture provides the industry’s first and only unified content security solution to deliver the best modern security for inbound threats and outbound risks with the lowest total cost of ownership. Websense secures the modern business as its infrastructure dissolves and users, data, and applications move to the Web.

 

 

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

Los Angeles

2011-03-09T00:57:22Z

Kelly FitzGerald:

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== ==

== Next Chapter Meeting:  Wednesday, March 16, 2011 6:00 P.M. - 8:30 P.M. ==

Les Freres Taix French Restaurant 1911 West Sunset Blvd. Los Angeles, CA 90026 213/484-1265 

Please RSVP: [http://www.issa-la.org/rsvpoptions/ http://www.issa-la.org/rsvpoptions/
]

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: STUXNET''' ==

== '''Speaker: Liam O Murchu'''[[Image:Liam OMurchu.png|left|112x130px|Scottsutherland.jpeg]]  ==

Liam O Murchu is the manager of Security Response Operations for North America with Symantec. In this role he leads the team of malware reverse engineers and is constantly combating the latest malware attacks and dealing with cutting edge threats of all sorts. Liam has analyzed the majority of the high profile threats that have emerged in the last number of years, both documenting their actions and working with both private parties and law enforcement agencies to counter these threats. His research has been presented before the US congress and the British and EU Parliaments. As part of his research he has been credited with discovering several zero day vulnerabilities. Most recently Liam has been analyzing the Stuxnet worm which is speculated to have been targeting Uranium enrichment plants in Iran.

''' '''

 '''Abstract: STUXNET''' 

Liam O Murchu is the manager of Security Response Operations for North America with Symantec. In this role he leads the team of malware reverse engineers and is constantly combating the latest malware attacks and dealing with cutting edge threats of all sorts. Liam has analyzed the majority of the high profile threats that have emerged in the last number of years, both documenting their actions and working with both private parties and law enforcement agencies to counter these threats. His research has been presented before the US congress and the British and EU Parliaments. As part of his research he has been credited with discovering several zero day vulnerabilities. Most recently Liam has been analyzing the Stuxnet worm which is speculated to have been targeting Uranium enrichment plants in Iran.

 

Dinner Menu Options:

■Chicken Vol Au Vent ■Lamb Shank 

 

Dinner Fees:

LA members & members of other ISSA chapters, ISACA, OWASP members – with reservations and online-payment: $20 LA members & members of other ISSA chapters, ISACA, OWASP members – without reservation: $30 Non-members with reservations and online-payment: $30 Non-members without reservation: $40

== '''Sponsors:''' ==

[[Image:Evolve logo.jpg|http://www.go-evolve.com/]]

Evolve Technology Group: Evolve Technology Group’s mission is to build robust networks to support Data, Voice and Video. We provide professional consulting services to integrate technology solutions that effectively mitigate a wide variety of information security risks and performance issues faced by our clients. In our constantly changing world, we provide relevance in the industry with best of breed products and solutions coupled with superior customer service to enable our clients to exceed their goals.

 

 [[Image:WebSenseLogo.jpg|http://www.websense.com/content/home.aspx]] 

Websense: The Websense TRITONT security architecture provides the industry’s first and only unified content security solution to deliver the best modern security for inbound threats and outbound risks with the lowest total cost of ownership. Websense secures the modern business as its infrastructure dissolves and users, data, and applications move to the Web.

 

 

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

Los Angeles

2011-03-09T00:54:15Z

Kelly FitzGerald:

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== ==

== Next Chapter Meeting:  Wednesday, March 16, 2011 6:00 P.M. - 8:30 P.M. ==

Les Freres Taix French Restaurant 1911 West Sunset Blvd. Los Angeles, CA 90026 213/484-1265 

Please RSVP: [http://www.issa-la.org/rsvpoptions/ http://www.issa-la.org/rsvpoptions/
]

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: STUXNET''' ==

== '''Speaker: Liam O Murchu'''[[Image:Liam OMurchu.png|left|112x130px|Scottsutherland.jpeg]]  ==

Liam O Murchu is the manager of Security Response Operations for North America with Symantec. In this role he leads the team of malware reverse engineers and is constantly combating the latest malware attacks and dealing with cutting edge threats of all sorts. Liam has analyzed the majority of the high profile threats that have emerged in the last number of years, both documenting their actions and working with both private parties and law enforcement agencies to counter these threats. His research has been presented before the US congress and the British and EU Parliaments. As part of his research he has been credited with discovering several zero day vulnerabilities. Most recently Liam has been analyzing the Stuxnet worm which is speculated to have been targeting Uranium enrichment plants in Iran.

''' '''

''' '''''' Abstract: STUXNET''' 

Liam O Murchu is the manager of Security Response Operations for North America with Symantec. In this role he leads the team of malware reverse engineers and is constantly combating the latest malware attacks and dealing with cutting edge threats of all sorts. Liam has analyzed the majority of the high profile threats that have emerged in the last number of years, both documenting their actions and working with both private parties and law enforcement agencies to counter these threats. His research has been presented before the US congress and the British and EU Parliaments. As part of his research he has been credited with discovering several zero day vulnerabilities. Most recently Liam has been analyzing the Stuxnet worm which is speculated to have been targeting Uranium enrichment plants in Iran.

 

== '''Sponsor:''' ==

[[Image:Evolve logo.jpg]]

Evolve Technology Group: Evolve Technology Group’s mission is to build robust networks to support Data, Voice and Video. We provide professional consulting services to integrate technology solutions that effectively mitigate a wide variety of information security risks and performance issues faced by our clients. In our constantly changing world, we provide relevance in the industry with best of breed products and solutions coupled with superior customer service to enable our clients to exceed their goals.

 

 [[Image:WebSenseLogo.jpg]] 

Websense: The Websense TRITONT security architecture provides the industry’s first and only unified content security solution to deliver the best modern security for inbound threats and outbound risks with the lowest total cost of ownership. Websense secures the modern business as its infrastructure dissolves and users, data, and applications move to the Web.

 

 

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

Los Angeles

2011-03-09T00:50:58Z

Kelly FitzGerald:

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== ==

== Next Chapter Meeting:  Wednesday, March 16, 2011 6:00 P.M. - 8:30 P.M. ==

Les Freres Taix French Restaurant 1911 West Sunset Blvd. Los Angeles, CA 90026 213/484-1265 

Please RSVP: [http://www.issa-la.org/rsvpoptions/ http://www.issa-la.org/rsvpoptions/
]

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: STUXNET''' ==

== '''Speaker: Liam O Murchu'''[[Image:Liam OMurchu.png|left|112x130px|Scottsutherland.jpeg]]  ==

Liam O Murchu is the manager of Security Response Operations for North America with Symantec. In this role he leads the team of malware reverse engineers and is constantly combating the latest malware attacks and dealing with cutting edge threats of all sorts. Liam has analyzed the majority of the high profile threats that have emerged in the last number of years, both documenting their actions and working with both private parties and law enforcement agencies to counter these threats. His research has been presented before the US congress and the British and EU Parliaments. As part of his research he has been credited with discovering several zero day vulnerabilities. Most recently Liam has been analyzing the Stuxnet worm which is speculated to have been targeting Uranium enrichment plants in Iran.

''' '''

''' '''''' Abstract: STUXNET''' 

Liam O Murchu is the manager of Security Response Operations for North America with Symantec. In this role he leads the team of malware reverse engineers and is constantly combating the latest malware attacks and dealing with cutting edge threats of all sorts. Liam has analyzed the majority of the high profile threats that have emerged in the last number of years, both documenting their actions and working with both private parties and law enforcement agencies to counter these threats. His research has been presented before the US congress and the British and EU Parliaments. As part of his research he has been credited with discovering several zero day vulnerabilities. Most recently Liam has been analyzing the Stuxnet worm which is speculated to have been targeting Uranium enrichment plants in Iran.

 

== '''Sponsor:''' ==

[[Image:Evolve logo.jpg]]

Evolve Technology Group: Evolve Technology Group’s mission is to build robust networks to support Data, Voice and Video. We provide professional consulting services to integrate technology solutions that effectively mitigate a wide variety of information security risks and performance issues faced by our clients. In our constantly changing world, we provide relevance in the industry with best of breed products and solutions coupled with superior customer service to enable our clients to exceed their goals.

 

 
[[Image:WebSenseLogo.jpg]]
Websense: The Websense TRITONT security architecture provides the industry’s first and only unified content security solution to deliver the best modern security for inbound threats and outbound risks with the lowest total cost of ownership. Websense secures the modern business as its infrastructure dissolves and users, data, and applications move to the Web.

 

 

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

Los Angeles

2011-03-09T00:49:36Z

Kelly FitzGerald:

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== ==

== Next Chapter Meeting:  Wednesday, March 16, 2011 6:00 P.M. - 8:30 P.M. ==

Les Freres Taix French Restaurant 1911 West Sunset Blvd. Los Angeles, CA 90026 213/484-1265 

Please RSVP: [http://www.issa-la.org/rsvpoptions/ http://www.issa-la.org/rsvpoptions/
]

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: STUXNET''' ==

== '''Speaker: Liam O Murchu'''[[Image:Liam OMurchu.png|left|112x130px|Scottsutherland.jpeg]]  ==

Liam O Murchu is the manager of Security Response Operations for North America with Symantec. In this role he leads the team of malware reverse engineers and is constantly combating the latest malware attacks and dealing with cutting edge threats of all sorts. Liam has analyzed the majority of the high profile threats that have emerged in the last number of years, both documenting their actions and working with both private parties and law enforcement agencies to counter these threats. His research has been presented before the US congress and the British and EU Parliaments. As part of his research he has been credited with discovering several zero day vulnerabilities. Most recently Liam has been analyzing the Stuxnet worm which is speculated to have been targeting Uranium enrichment plants in Iran.

''' '''

''' '''''' Abstract: STUXNET''' 

Liam O Murchu is the manager of Security Response Operations for North America with Symantec. In this role he leads the team of malware reverse engineers and is constantly combating the latest malware attacks and dealing with cutting edge threats of all sorts. Liam has analyzed the majority of the high profile threats that have emerged in the last number of years, both documenting their actions and working with both private parties and law enforcement agencies to counter these threats. His research has been presented before the US congress and the British and EU Parliaments. As part of his research he has been credited with discovering several zero day vulnerabilities. Most recently Liam has been analyzing the Stuxnet worm which is speculated to have been targeting Uranium enrichment plants in Iran.

 

== '''Sponsor:''' ==

[[Image:Evolve_logo.jpg]]

Evolve Technology Group: Evolve Technology Group’s mission is to build robust networks to support Data, Voice and Video. We provide professional consulting services to integrate technology solutions that effectively mitigate a wide variety of information security risks and performance issues faced by our clients. In our constantly changing world, we provide relevance in the industry with best of breed products and solutions coupled with superior customer service to enable our clients to exceed their goals.

 

 

Websense: The Websense TRITONT security architecture provides the industry’s first and only unified content security solution to deliver the best modern security for inbound threats and outbound risks with the lowest total cost of ownership. Websense secures the modern business as its infrastructure dissolves and users, data, and applications move to the Web.

 

 

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

File:WebSenseLogo.jpg

2011-03-09T00:46:56Z

Kelly FitzGerald:

File:Evolve logo.jpg

2011-03-09T00:46:33Z

Kelly FitzGerald:

Los Angeles

2011-03-09T00:44:54Z

Kelly FitzGerald: Adding Sponsers

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== ==

== Next Chapter Meeting:  Wednesday, March 16, 2011 6:00 P.M. - 8:30 P.M. ==

Les Freres Taix French Restaurant 1911 West Sunset Blvd. Los Angeles, CA 90026 213/484-1265 

Please RSVP: [http://www.issa-la.org/rsvpoptions/ http://www.issa-la.org/rsvpoptions/
]

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: STUXNET''' ==

== '''Speaker: Liam O Murchu'''[[Image:Liam OMurchu.png|left|112x130px|Scottsutherland.jpeg]]  ==

Liam O Murchu is the manager of Security Response Operations for North America with Symantec. In this role he leads the team of malware reverse engineers and is constantly combating the latest malware attacks and dealing with cutting edge threats of all sorts. Liam has analyzed the majority of the high profile threats that have emerged in the last number of years, both documenting their actions and working with both private parties and law enforcement agencies to counter these threats. His research has been presented before the US congress and the British and EU Parliaments. As part of his research he has been credited with discovering several zero day vulnerabilities. Most recently Liam has been analyzing the Stuxnet worm which is speculated to have been targeting Uranium enrichment plants in Iran.

''' '''

''' '''''' Abstract: STUXNET''' 

Liam O Murchu is the manager of Security Response Operations for North America with Symantec. In this role he leads the team of malware reverse engineers and is constantly combating the latest malware attacks and dealing with cutting edge threats of all sorts. Liam has analyzed the majority of the high profile threats that have emerged in the last number of years, both documenting their actions and working with both private parties and law enforcement agencies to counter these threats. His research has been presented before the US congress and the British and EU Parliaments. As part of his research he has been credited with discovering several zero day vulnerabilities. Most recently Liam has been analyzing the Stuxnet worm which is speculated to have been targeting Uranium enrichment plants in Iran.

 

== '''Sponsor:''' ==

Evolve Technology Group: Evolve Technology Group’s mission is to build robust networks to support Data, Voice and Video. We provide professional consulting services to integrate technology solutions that effectively mitigate a wide variety of information security risks and performance issues faced by our clients. In our constantly changing world, we provide relevance in the industry with best of breed products and solutions coupled with superior customer service to enable our clients to exceed their goals.

Websense: The Websense TRITONT security architecture provides the industry’s first and only unified content security solution to deliver the best modern security for inbound threats and outbound risks with the lowest total cost of ownership. Websense secures the modern business as its infrastructure dissolves and users, data, and applications move to the Web.

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

Los Angeles

2011-03-09T00:43:43Z

Kelly FitzGerald:

== Local News ==

===== Sign up for OWASP Los Angeles mailing list, very low volume and spam free. =====

===== https://lists.owasp.org/mailman/listinfo/owasp-losangeles =====

 The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a success!

http://2010.AppSecUSA.org

Check out the videos: http://vimeo.com/user4863863/videos 

[[Image:AppSec Logo.jpg|362x106px|AppSec Logo.jpg]]

== ==

== Next Chapter Meeting:  Wednesday, March 16, 2011 6:00 P.M. - 8:30 P.M. ==

Les Freres Taix French Restaurant 1911 West Sunset Blvd. Los Angeles, CA 90026 213/484-1265 

Please RSVP: [http://www.issa-la.org/rsvpoptions/ http://www.issa-la.org/rsvpoptions/
]

==== Donate Funds to Los Angeles Chapter ====

<paypal>Los Angeles</paypal>

----

== '''Topic: STUXNET''' ==

== '''Speaker: Liam O Murchu'''[[Image:Liam OMurchu.png|left|112x130px|Scottsutherland.jpeg]]  ==

Liam O Murchu is the manager of Security Response Operations for North America with Symantec. In this role he leads the team of malware reverse engineers and is constantly combating the latest malware attacks and dealing with cutting edge threats of all sorts. Liam has analyzed the majority of the high profile threats that have emerged in the last number of years, both documenting their actions and working with both private parties and law enforcement agencies to counter these threats. His research has been presented before the US congress and the British and EU Parliaments. As part of his research he has been credited with discovering several zero day vulnerabilities. Most recently Liam has been analyzing the Stuxnet worm which is speculated to have been targeting Uranium enrichment plants in Iran.

''' '''

''' '''''' Abstract: STUXNET''' 

Liam O Murchu is the manager of Security Response Operations for North America with Symantec. In this role he leads the team of malware reverse engineers and is constantly combating the latest malware attacks and dealing with cutting edge threats of all sorts. Liam has analyzed the majority of the high profile threats that have emerged in the last number of years, both documenting their actions and working with both private parties and law enforcement agencies to counter these threats. His research has been presented before the US congress and the British and EU Parliaments. As part of his research he has been credited with discovering several zero day vulnerabilities. Most recently Liam has been analyzing the Stuxnet worm which is speculated to have been targeting Uranium enrichment plants in Iran.

 

== '''Sponsor:''' ==

[[Image:Netspi logo.png|left|Netspi logo.png]]

 ''' '''

 

 

 

[http://www.netspi.com/ http://www.netspi.com/]

----

 

Would you like to speak at an OWASP Los Angeles Meeting?

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member

[[Category:California]]

Los Angeles

2011-03-09T00:41:16Z

Kelly FitzGerald:

File:Liam OMurchu.png

2011-03-09T00:36:35Z

Kelly FitzGerald:

Los Angeles Previous Presentations 2009, 2010

2011-03-08T22:13:13Z

Kelly FitzGerald: moved Los Angeles Previous Presentations Mega Archive to Los Angeles Previous Presentations 2009, 2010

=  Previous Presentations =

==  '''Wednesday, January 26, 2011 7:00 PM''' ==

*'''Evercookie: The Persistent Cookie'''

 
<pre>Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230
</pre>
''' Description: '''Evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they have removed standard cookies, Flash cookies Local Shared Objects or LSOs), and others.

Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

You can read more about Samy and Evercookie at [http://samy.pl/evercookie '''http://samy.pl/evercookie/''']

'''Speaker: '''Samy Kamkar is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. A co-founder of Fonality, Inc., an IP PBX company, Samy previously led the development of all toplevel domain name server software and systems for Global Domains International (.ws), and worked for Penn State University developing AI-based psychometric personality assessment software. In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in network security, reverse engineering, and network gaming. When not strapped behind the Matrix, Samy can be found stunt driving, getting involved in local community service projects, and continuing his focus on staying out of jail. '''Sponser: '''IBM Rational Software http://www-01.ibm.com/software/rational/ 

==  '''Wednesday, July 21, 2011 7:00 PM''' ==

* '''How I Met Your Girlfriend: Entirely New Classes of Web Attacks'''
<pre>Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230</pre>
Description: This includes using HTML5 client-side XSS (without XSS hitting the server!), and my newly discovered attacks on PHP session hijacking and random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via Javascript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a web browser (not using IP geolocation), and more.

 

Speaker: Samy Kamkar is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. A co-founder of Fonality, Inc., an IP PBX company, Samy previously led the development of all top-level domain name server software and systems for Global Domains International (.ws), and worked for Penn State University developing AI-based psychometric personality assessment software.

 In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in network security, reverse engineering, and network gaming. When not strapped behind the Matrix, Samy can be found stunt driving, getting involved in local community service projects, and continuing his focus on staying out of jail.

 

 Dinner Sponser: Citrix Systems [[Image:Citrix Picture.jpg|80x80px|http://lacitrix.com]] 

==   Wednesday, June 09, 2010 7:30PM ==

*Security Assertion Markup Language (SAML), Shibboleth Single SignOn System, and Shibboleth's role at University of Southern California
<pre>Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230
</pre>
Speaker: Brendan Bellina Title: Identity Services Architect and Manager of Enterprise Middleware Identity Management at USC

 

NOTE: We are having this month meeting on the second Wednesday, instead of the regular third Wednesday, to avoid conflict with ISSA Summit scheduled on June 16. You can still register for the summit at the ISSA LA website (http://www.issa-la.org/Default.aspx?id=1088). 

== Wednesday, April 21st, 2010 7:30PM ==

*The intersection of social and technical attacks in Web 2.0 applications by Mike Bailey and Mike Murray

Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230

 Topic: The intersection of social and technical attacks in Web 2.0 applications

Speakers: Mike Bailey and Mike Murray

Mike Bailey is a senior security researcher at MAD Security and an application security specialist. While his research spans a wide variety of domains, it generally focuses on secure web application development, web application scanning and penetration testing, online privacy issues, network protocols and services, and how to break them.

Mike has spoken throughout the country at different security conferences and shows, including Blackhat DC, Toorcon, Defcon and others. Aside from coming up with new and interesting ways to break web and client-side applications, he also puts those attacks into practice as a penetration tester. Currently, Mike is studying the intersection of social and technical attacks in Web 2.0 applications. He publishes his research on the MAD Security blog as well as at Skeptikal.org.

Mike Murray has spent his entire career in information security and currently leads the delivery arm of MAD Security (MADSecInc.com). Mike is a co-founder of InfoSecLeaders.com where he writes and talks about the skills and strategies for building a long-term career in information security. Mike's on security careers have been seen at major conferences like RSA and Defcon.

== Wednesday, March 17th, 2010 7:30PM ==

*Mike Schrenk, author of "Webbots, Spiders, and Screen Scrapers"

Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230

 

BOOK PREVIEW: Webbots, Spiders, and Screen Scrapers SECOND EDITION

Michael Schrenk will provide a preview of the largely expanded second edition of his book "Webbots, Spiders, and Screen Scrapers". This second edition describes how technologies like JavaScript, AJAX and Flash challenge webbot developers and how those challenges are met. He will also talk about defeating CAPTCHAs, scalability and other related topics.

Michael Schrenk is a software developer, author and instructor, who specializes in automated web browsing agents known as webbots. Michael uses the Internet in new and innovative (odd?) ways to provide competitive advantages for his clients in The US, Europe and Asia.

He also helps journalists more effectively use computers to conduct online research through automation and by describing where and how to find otherwise hidden online information. No stranger to Europe--he's lived and worked for clients in Moscow and Madrid, Mike taught at the 2008 European Investigative Journalism Conference (Brussels Belgium), twice in 2009 he lectured at The Center for Investigative Journalism (London England) and later in 2009, he lead several sessions at the VVOJ Journalism conference (Utrecht The Netherlands).

Last August, Mike made his fourth speaking appearance at the DEFCON computer hacking conference. Mike lives in sunny Las Vegas, Nevada (USA). You can contact him at http://www.schrenk.com or follow him on Twitter [http://twitter.com/mgschrenk @mgschrenk].

==   Wednesday, February 24th, 2010 7:00PM ==

*Cloud Computing Security: Raining on the Trendy New Parade

 Slides can be found [https://docs.google.com/fileview?id=0By_clZjtpXPwMWM0YWIyZDgtZmRkZC00YTZlLWE1MDEtNmU0N2Y3MzQwMTJh&hl=en here on Google Docs].

Meeting Location
AT&T Interactive
611 N. Brand Blvd., 5th Floor
Glendale, CA

Cloud computing is an unstoppable meme at the CIO level, and will dominate corporate IT planning for the next several years. Although they do offer the promise of cost savings for many organizations, the basic ideas behind abstracting out the corporate datacenter greatly complicates the tasks of securing and auditing these systems. While there has been excellent research into low-level hypervisor and virtualization bugs, there has been little public discussion of the “big picture” problems for cloud computing. These include virtualized network devices, browser same-origin issues, credential management and many interesting legal challenges.

Our goal with this talk will be to explore the different attack scenarios that exist in the cloud computing world and to provide a comparison between the security models of the leading cloud computing platforms. We will discuss how current attacks against applications and infrastructure are changed with cloud computing, as well as introduce the audience to new types of vulnerabilities that are unique to cloud computing. Attendees will learn how to analyze the threat posed to them by cloud computing platforms as either providers or consumers of software built on these new platforms. Our platforms for discussion include Salesforce.com, Google Apps, Microsoft Office Live, Google AppEngine, Microsoft Azure, Amazon EC2, and Sun.

 Alex Stamos is a founding partner of iSEC Partners, a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security.

He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as Black Hat, CanSecWest, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec.

He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley.

==   Wednesday, January 20th, 2010 7:30PM ==

*Do VLANs allow for good application security?

Meeting Location
[http://maps.google.com/maps?q=900+Corporate+Pointe,+90230&ie=UTF8&oe=UTF-8&ll=33.988385,-118.387041&spn=0.010284,0.014055&t=h&z=16&iwloc=addr Symantec Corporation]
900 Corporate Pointe
Culver City, CA 90230
Laguna Conference Room

 Virtual Local Area Networks (VLANs) are not a new concept, and can help any organization better control network access. I will present some of the previous issues identified, what was the root cause, and how these have been fixed in current technology. In addition we will talk about how this can help to enhance security in your environment, and what controls must be in place in order to implement such an environment. We will also touch on how this can complicate your application environment, but improve overall security.

I will touch on the controls that need to be reviewed and audited when working with VMware, VLANs, and web applications, to ensure that these networks are secure, and what to look for to potentially pass audit criteria. I will also talk about where and how these controls have been implemented in order to protect thousands of users while accessing one of the most hostile networks in the world. 

David M. N. Bryan, Senior Security Consultant

David has over 9+ years of computer security experience including, consulting, engineering and administration. He has performed security assessment projects for health care, nuclear, manufacturing, pharmaceutical, banking and educational sectors. As an active participant in the information security community, he volunteers at DEFCON where he designs and implements the Firewall and Network for what is said to be the most hostile network environment in the world.

He is also an active participant in the local Minneapolis security groups both as a board member of OWASP MSP and DC612. His roots and experience come from working for a large enterprise banks, designing and managing enterprise security systems. In the more recent years he has been working as an Information Security Consultant to review the security and architecture of information computing environments.

==   Wednesday, December 16th, 2009 7:30PM ==

*[http://www.owasp.org/images/b/bc/Sutton_-_Pulling_The_Plug-Security_Risks_in_Next_Generation_Offline_Web_Apps_-_OWASP_LA_OC.pdf Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications]

 As the line between desktop and web applications becomes increasingly blurry in a web 2.0 world, browser functionality is being pushed well beyond what it was originally intended for. Persistent client side storage has become a requirement for web applications if they are to be available both online and off. This need is being filled by a variety of technologies such as Gears (formerly Google Gears) and the Database Storage <http://webkit.org/blog/126/webkit-does-html5-client-side-database-storage/> functionality included in the emerging HTML 5 <http://dev.w3.org/html5/spec/Overview.html> specification. While all such technologies offer great promise, it is clear that the vast majority of developers simply do not understand their security implications.

Researching a variety of currently deployed implementations of these technologies has revealed a broad scope of vulnerabilities with frightening implications. Now attackers can target victims not just once, but every time they visit a site as the victim now carries and stores the attack with them. Imagine a scenario whereby updated confidential information is forwarded to an attacker every time a victim interacts with a given web application. The attacker no longer needs to worry about timing their attacks to ensure that the victim is authenticated as the victim attacks himself! Limited storage? Cookies that expire? Not a problem when entire databases are accessible with virtually unlimited storage and an infinite lifespan. Think these attacks are theoretical? Think again. In this talk we dive into these technologies and break down the risk posed by them when not properly understood. We will then detail a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting and client-side SQL injection. 

Michael Sutton,Vice President and security research at Zscaler, has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers and educating others on a variety of security topics. As VP of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry.

Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.

 

==   Wednesday, November 18th, 2009 7:30PM ==

*[http://www.owasp.org/images/b/bc/Watching_software_run_11.18.09.pptx Watching Software Run with Brian Chess, Fortify Founder and Chief Scientist]

 Now more than ever before, computer systems are vulnerable because software is vulnerable. No matter how good programmers get at making secure software, it will never be perfect—we will always have to contend with incomplete or inadequate code. Most efforts at living with bad code have focused on shoring it up from the outside: limiting network access (firewalls) or watching for suspicious behavior (intrusion detection). This talk takes a different perspective: we’ll look at methods for identifying and blunting the effects of software shortcomings from the inside by watching the software run.

Modern languages like Java and C# are good for more than just programmers. They also provide a wealth of structured information when they execute. We can apply many same techniques developed for outside-in security, but at a finer granularity and with much more context. Along the way there is a lot to talk about: Where web application firewalls excel and where they fall down. Fuzzing vs. static analysis. The disappointments of both aspect oriented programming and building security in. Why nobody uses the Java Security model. Taking your security with you into the cloud. The reason SQL injection won’t go away. Revenge of the reference monitor. Why was Twitter’s security so bad? 

Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service. 

== Wednesday, October 21st, 2009 7:30PM ==

*[http://www.owasp.org/images/c/ca/ISO27001_OWASPLA_Shankar_10212009.pdf Enabling Compliance Requirements using Information Security Management System (ISMS) Framework (ISO27001)]

 Growing threats and complex regulatory requirements emphasize the need for an effective Information Security Management System (ISMS) framework for an organization. Comprehensive and globally accepted standards like ISO27001 can help in protecting information assets and in enabling compliance requirements. ISO27001 provides an Information Security framework based on best practices and controls to ensure the confidentiality, integrity and availability of information assets. This presentation analyzes the possible synergies between the goals of Information Security Management System (ISMS) and the various compliance requirements, thus making the compliance efforts less complex. Following are the key objectives of this presentation :

*Provide an introduction to ISO27001 and its controls
*Discuss the implementation approach for an Information Security Management System (ISMS) framework
*Familiarize the audience with some common challenges in implementation
*Outline synergy between ISO27001 controls and some compliance requirements( PCI , etc)

 Attendees will learn about ISO27001 Information Security Standard, ISMS implementation approach and how ISO27001 can be used in meeting various regulatory/compliance requirements like Sox, PCI etc. It will also help the attendees to improve the information security posture of the organization and provide an effective and efficient approach for handling various information security/compliance audits with less effort. 

Shankar Subramaniyan has over 11 years of experience as a technology consulting and project management executive in the areas of IT Governance, Risk and Compliance (GRC), Business Continuity Planning and Network Design & Architecture. He has thorough expertise on setting up Information Security Framework and Policies on the basis of industry standards such as ISO 27001. He has worked extensively on industry standards and best practices like BS7799 and ITIL. He also has good understanding and knowledge of various compliance requirements like PCI, Sox etc. Shankar' s experience includes IT audit, SOX remediation, ISMS (ISO27001) implementation, PCI compliance assessment, disaster recovery solution, enterprise risk management, designing IT security architecture and implementing ITIL processes. Shankar has rich experience in handling large projects and managing client relationships across corporate and educational sectors. 

== Wednesday, September 16th, 2009 7:30PM ==

*The Rise of Threat Analysis and the Fall of Compliance, Policies, and Standards in mitigating Web Application Security Risks

 On August 5th of 2009, Federal prosecutors on Monday charged Albert Gonzales with the largest case of credit and debit card data theft ever in the United States: 130 million credit cards numbers by hacking into the systems of Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers. Using a SQL-injection attack, the hackers installed malware on Hannaford Brothers. Hannaford was PCI compliant at the time they were compromise that lets question the validity of regulatory compliance frameworks, and specifically PCI standards as an effective method to reduce data breaches, identity theft, and the proliferation of credit card fraud. This presentation will further analyze how status quo security standards, such as PCI-DSS, as well as other policies, standards, and guidelines truly affect security risk mitigation efforts against cybercrime based threats. These traditional efforts will be compared to threat modeling workflows in order to demonstrate how real risk is mitigated under each scenario. Cases for financial fraud will be anonymously presented to create a business case for application threat modeling as a viable methodology to drive improved application design and security risk mitigation. Threat modeling concepts will be elaborated in order to prove how application architecture walkthroughs via threat modeling improve the mitigation of cybercrime threats. Attacker motives and goals will be presented and incorporated into attack trees and it will show how attack libraries can be used to effectively identify application vulnerabilities and devise countermeasures in web application. From the risk analysis perspective, several attacks will be considered and highlighted, particularly attacks that represent a systemic impact to an organization or government (such as for example a distributed denial of service). Through the presentation of threat modeling scenarios, analyses and correlations will be drawn from the represented model(s) to attack patterns, associated and discovered security vulnerabilities, data sources, application topologies, and possible roles and permissions associated with the application environment. The purpose of the presentation is to demonstrate how application threat modeling can be used as part of a nouveau age form of security risk mitigation and overall application security. Data flow diagrams and application walkthroughs will enable audience members to witness how application threat modeling is an evolved form of security process engineering for improved application design and overall application security. The presentation will also demonstrate how threat modeling is capable of delivering critical business functions as well as in mitigating current and future cyber attacks, such as distributed denial of service, botnet driven-malware, spear phishing techniques, and more attacks that ultimately lead to identity and credit card fraud. From the point of view of current and future cybercrime risk mitigation, several different strategies for application threat modeling will be discussed as related to securing both the web application web and critical financial infrastructures, such as ATMs. Finally some emphasis will be given to countermeasures that provide for incident response, intelligence and forensics capabilities. Presentation outline, defining all topics that will be covered:

*Status quo of regulatory compliance in mitigating risk
*Threat modeling techniques for cybercrime threats
*Attack tree analysis for attack tree vectors
*Threat modeling for multi-channel fraud threat scenarios
*Cyber crime threats and application countermeasures via threat modeling
*Example of mitigation strategies for cybercrime and application of defense in depth for web applications

 Any supporting research/tools:

*Threat models and attack trees
*Threat model are produced using the Microsoft™ threat modeling tool
*Public available cybercrime data will be presented and correlated

 

Marco Morana serves as one of the leaders of OWASP (Open Web Application Security Project) organization where he is actively involved in evangelize on web application security through presentations at local chapter meetings in USA as well as internationally. Marco has recently been awarded a contract from Wiley Publishing to co-author a book on Application Threat Modeling. Besides being the OWASP Cincinnati chapter lead, Marco is also active contributor to OWASP projects such as the application threat modeling methodology for secure coding guideline and the security testing guide (ver. 2 and 3). Besides contributing to OWASP, Marco works as Technology Information Security Officer for a large financial organization in North America with responsibilities in the definition of the organization web application security standards, management of application security assessments during the SDLC, threat-fraud analysis and training of software developers, project managers and architects on different topics related to application security. In the past, Marco served as senior security consultant and independent consultant where his responsibilities included providing software security services for several clients in the financial and banking, telecommunications and commercial sector industry. Besides security consulting, Marco had a career as technologist in the security industry where he contributed to the design business critical security products currently being used by several FORTUNE 500 companies as well by the US Government. Marco work on software security is referred in the 2007 State Of the Art report by the Information Assurance Technology Analysis Center (IATAC). Marco received the NASA’s Space Act Award in 1999 for the patenting the S/MIME SEP (Secure Email Plug-in) application. Marco research work on application and software security is widely published on several magazines such as In-secure magazine, Secure Enterprise, ISSA Journal and the C/C++ Users journal. Marco’s ideas and strategies for writing secure software are posted on his blog: http://securesoftware.blogspot.com. 

 Tony UcedaVelez has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a terminology that describes the design and development of secure processes and controls working symbiotically to a unique business workflow. Tony currenlty serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S on the topic of application security and security process engineering. His diverse background in software development, security architecture, and network security, coupled with his expertise in process engineering and security risk management has allowed Tony to be a recognized leader in developing strategic security solutions that are multi-faceted in their approach to addressing enterprise risk. In the realm of application security, Tony is a threat modeling evangelist and has provided numerous talks domestically and globally on its many benefits and application. He has served as a guest mentor to teams participating in Kennesaw State University’s annual Cybercrime capture the flag event as well as a Cybercrime speaker for Southern Polytechnic University in Atlanta. He has also served as a guest speaker on the subject of application threat modeling during ISACA’s annual Geek Week event and has also served as a keynote speaker on the subject for ISACA’s Global Symposium web cast series. Additional articles include articles related to CoBIT and the ValIT model (ISACA’s Journal), application threat modeling within the SDLC (InSecureMagazine), and security process engineering for a ROSI (return on security investment) (Journal of Finance). He is currently finalizing a Wiley publishing book on Application Threat Modeling with Marco Morana. Prior to VerSprite, Tony served as Sr. Director of Security Risk Management to a Fortune 50 organization where he led security assessments against global application environments. His work encompassed web application security testing, security architecture reviews, and analysis for business logic exploits. He applied effective ways to introduce the subject of application risk to information owners by effectively mapping them to causal factors for business. Previous to this role, he spent more than 5 years in the field of application security across other Fortune 500 organizations within the banking, telecom, and information service industry segments. Tony currently leads the OWASP Atlanta Chapter, where he manages monthly workshops and events for the Atlanta web application security community. He also has developed a case study program for the Atlanta chapter in order to develop case studies with local Atlanta companies who are seeking to apply application threat modeling techniques within the SDLC and/ or incorporate the many OWASP produced tools and frameworks. Tony can be reached at tonyuv@versprite.com or tonyuv@owasp.org. 

== Tuesday, August 25th, 2009 3:00PM ==

*OWASP Live CD Demo and Q&A with Matt Tessauro

 Matt Tesauro will be in visiting our LA chapter and providing a quick demo of [http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project OWASP Live CD] Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the OWASP Live CD. 

== Thursday, August 20th, 2009 7:30PM ==

*The Software Assurance Maturity Model (SAMM)

 [http://www.opensamm.org/ The Software Assurance Maturity Model (SAMM)] is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. SAMM is an open and free project and has recently been added under the Open Web Application Security Project (OWASP) Foundation. 

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL. 

== Tuesday, July 21st, 2009 7:30PM ==

*Lock picks, BumpKeys, and Hackers oh my! How secure is your application?

 This talk will focus on physical security controls, weaknesses, and counter measures. I will present on what lock picking is, how bump keys work, and ways to subverting electronic locks. We will also go into what are good controls, and what is often overlooked when designing secure environments. Many of the topics covered apply to application security, as the methods for securing these devices is by using obscurity. In the application world with automated tools and scripts, this does not hold water for very long. 

David M. N. Bryan, NetSPI has 10 years of computer security experience, including consulting, engineering, and administration. He has performed security assessment projects in the healthcare, nuclear, manufacturing, pharmaceutical, banking and educational sectors. As an active participant in the information security community, he volunteers at DEFCON, where he designs and implements the firewall and network for what is said to be the most hostile network environment in the world. This network allows speakers, press, vendors, and others to gain access to the Internet, without being hacked. In his spare time he and his wife run the local DEFCON group, DC612 and participate in the Minneapolis OWASP chapter. 

== June 24th, 2009 7:30PM ==

*Information Warfare: Past, Present and Future

 Information warfare is the composite use of psychological operations (PYOPS), military deception (MILDEC), operational security (OPSEC), computer network operations (CNO), and electronic warfare (EW) to control and disrupt information flow. Recently, interest in information war technologies, techniques and policy issues have increased, especially in the domain of CNO. Increased scrutiny over network operations is both legitimate and valid, as global commerce and military powers are integrated and dependent on the Internet for critical operations. This presentation will describe the five domains of information warfare, the past use of information warfare in the Gulf war and recent Cyber attacks on the Eastern European countries of Georgia and Estonia. Information will be presented on possible new directions of information warfare. Mikhael Felker, CISSP-ISSEP has worked in a variety of roles including instructor, engineer, and researcher. He is currently employed by The Aerospace Corporation in the Information Assurance Technology Department, supporting Information Assurance (IA) for satellite systems. He is also an Instructor within the Computer & Information Systems Division at UCLA Extension, teaching a course in networking. Actively involved in the Los Angeles security community, he is the Education Director for Los Angeles Chapter of Information Systems Security Association (ISSA), member and speaker of Information Systems Audit and Control Association (ISACA), and former Defense Sector Coordinator for InfraGard. Mikhael has published articles in IEEE Security & Privacy, the ISSA Journal, Information Systems Control Journal, and SecurityFocus. He is a recipient of the Scholarship for Service Program (SFS) Fellowship, sponsored by the National Science Foundation and Department of Homeland Security (DHS). Mikhael completed his graduate work at Carnegie Mellon University with a Master's in Information Security Policy & Management and Bachelor's at UCLA in Computer Science. He holds over 10 certifications in IT and Security. 

== May 20th, 2009 ==

*[http://video.google.com/videoplay?docid=2875886330538461390 Top Ten Web Hacking Techniques of 2008: "What's possible, not probable"]

 The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road. Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co- founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA, CSI, HiTB, OWASP, ISSA, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks. Grossman is often quoted in the the business and technical press. Prior to WhiteHat, Grossman was an information security officer at Yahoo! 

== April 15th, 2009 ==

*Cross Site Scripting, Exploits and Defenses 

For a long time, the impact of XSS vulnerabilities has been grossly underestimated. Recent compromises, such as the pro-Hillary [http://cyberinsecure.com/hacked-obama-site-redirects-visitors-to-clintons-site/ defacement] of Barack Obama's website, and a [http://www.securescience.net/twoubledtwitter.html Viral XSS in Twitter] demonstrated the impact of XSS vulnerabilities to the masses.

During this presentation, David Campbell will demonstrate exactly how effective XSS vulns can be, and show you what you can do to protect yourself and your sites.

This presentation was originally delivered to OWASP Colorado in May of 2008, and has been updated for this session.

[https://www.owasp.org/index.php/Image:DC_ED_OWASP_XSS_MAY2008_v1.0.pdf Slide deck from May '08 talk] David Campbell is an infosec veteran, with experience ranging from penetration testing for Fortune 100's to architecting security solutions for large multinational financials to consulting for government agencies. DC is presently chapter leader of OWASP Denver and is Principal Consultant at Electric Alchemy. 

== March 12th, 2009 ==

*NETWORK SECURITY DINNER WITH ISSA - CISO'S Security Dashboard Panel!! 

This month will be joining forces with ISSA to create the biggest netowork event for security professionals in Los Angeles for this year. Agenda

*5:30 p.m., Networking and tours of the antivirus facility
*6:30 p.m., Dinner
*7:30 p.m., CISO Panel

 Panelists

*Robert J. Brown, CISSP, CISO WestCorp Credit Union
*Steve Haydostian, CISSP, Former CISO, Healthnet
*David Lam, CISSP, CISO, Stephen S. Wise
*Edward G. Pagett II, CISSP, CISO, Lender Processing Services, Inc.
*Mike O. Villegas, CISA, CISSP, Director of Information Security, Newegg.com

 Dinner Fees:

*ISSA-LA members & OWASP members - Pre-Register and Pay online: $25
*ISSA-LA members & OWASP members - Pay at the door: $30
*Non-members - Pre-Register and Pay online: $30
*Non-members - Pay at the door: $35

 ''Thanks to David Lam and Stan Stahl for agreeing to have OWASP joining this ISSA LA event!''

== February 18th 2009 ==

[https://www.owasp.org/images/5/58/Cloud_Computing_Security.pdf Cloud Computing and Security] The Cloud Computing and Software as a Service models are driving many companies to build innovative, scalable and cost effective alternatives to the traditional IT computing model. Even with the potential cost and scalability benefits of cloud computing, its use by more traditional enterprises has been retarded by the concerns of their professional security and audit staffs. In our experience these concerns are legitimate, and although surveys have shown that security is the #1 factor preventing adoption of cloud computing, there has been very little reliable discussion of the technical security risks inherent in the model and how engineers, sys-admins and architects can deal with these risks. In this session, we will explore the widely differing security models of the leading cloud computing providers, including Amazon, Google and Salesforce. We will also reveal the significant differences in operational and application security practices necessary to deal with a cloud computing environment. Alex Stamos is a co-founder and Partner at iSEC Partners Inc., a strategic digital security organization. Alex is an experienced security engineer specializing in solving difficult problems in application security and is a leading researcher in the field of web application and mobile security. He has been a featured speaker at top industry conferences such as Black Hat, Web 2.0 Expo, CanSecWest, DefCon, SyScan, SD Best Practices, Microsoft BlueHat and OWASP App Sec. Alex is a contributing author to "Hacking Exposed: Web 2.0" and an author of the upcoming book "Mobile Application Security", both from McGraw-Hill. He holds a BSEE from the University of California, Berkeley. 

== January 28th 2009 ==

Building Security into the Test Organization The common approach to detecting web security issues is still the regular application of a post-release pen-test or tool based scan. These last minute examinations rarely live up to broader organizational goals; they can be difficult to repeat, measure, or optimize over time. Most of all they're expensive: they find bugs late in the lifecycle. This talk recommends moving security testing responsibility within the test team itself. The approach discussed will work with-or-without the existence of explicit security requirements. See how security testing has been applied at other organizations and how it might be customized for yours. Ben Walther firmly believes testers have a wonderfully devious mindset, and has been promoting the idea of "security testing" at Cigital's clients, at OWASP events, and to any friends and relatives who will listen. To this end, with the aid of O'Reilly media, Ben Walther and Paco Hope recently published a book entitled the "Web Security Testing Cookbook." 

== December 10th 2008 ==

[http://www.owasp.org/images/7/79/OWASP-WASCAppSec2007SanJose_SamyWorm.ppt The MySpace Worm] The most virulent worm in the history of the series of tubes known as the Internet. One of the most highly accessed websites ever [see comScore]. One of the most ostentatious hackers alive. Over one million victims. Less than 24 hours. Fueled only by Chipotle burritos. The MySpace Worm. Samy will be recapping the story of the development, release and eventual future of the MySpace worm. The 24 hours that led up to over one million friends. The eventual downfall of the MySpace site for several hours. The non-malicious intent and humorous progression of the worm. The t-shirts. The copycats. The behind-the-scenes story of the Secret Service raid at Samy's home and office. The demise of Samy's legal use of computers, community service, restitution, high-risk offender probation, and rehabilitation. And where Samy is today. 

 

Samy Kamkar, software engineer and self-proclaimed playboy, is a meddler in the security and software realms. He is currently the Director of Engineering and co-founder of Fonality, Inc., an IP PBX startup located in Culver City. Previously, Samy led the development of all core top-level domain name server software and systems for Global Domains International (.ws). Prior to that, Samy worked with Penn State University developing psychometric personality assessment software with attention to artificial intelligence and bioinformatics. When not strapped behind the Matrix, Samy can be found performing parkour (free running), practicing urban escape artist maneuvers, or is found getting involved in local community service projects. In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in the areas of network security, reverse engineering, and network gaming, and continues his focus in staying out of jail. 

== November 19th 2008 ==

A new web attack vector: [http://www.eweek.com/c/a/Security/Security-Researcher-to-Reveal-New-Web-Attack-Vector/ Script Fragmentation] 

This presentation will introduce a new web-based attack vector which utilizes client-side scripting to fragment malicious web content. 

This involves distributing web exploits in a asynchronous manner to evade signature detection. Similar to TCP fragmentation attacks, which are still an issue in current IDS/IPS products, This attack vector involves sending any web exploit in fragments and uses the already existing components within the web browser to reassemble and execute the exploit. 

Our presentation will discuss this attack vector used to evade both gateway and client side detection. We will show several proof of concepts containing common readily available web exploits. 

Stephan Chenette is a Senior Security Researcher who helps lead Websense Security Labs working on malcode detection techniques. Mr. Chenette specializes in research tools ranging from kernel-land sandboxes, to static analysis scanners. He has released public analyses on various vulnerabilities and malware. Prior to joining Websense, Stephan was a security software engineer for 4 years working in research and product development at eEye Digital Security. 

== October 29th 2008 ==

Entitlements Management: Security and policies for SOA using XML appliances 

Loosely coupled Web Services can be insecure as, by their very nature, are exposed to application consumers. Security built into XML appliances alleviates the developer with the burden of coding security and policies into their application, freeing the developer to concentrate on conding business processes. This evenings meeting will discuss SOA security challenges and introduce the Layer7 XML appliance that allows for dynamic policies to be configured on the fly using an intuitive user interface. Jonathan Gershater’s career started at 3Com, managing servers and networks. His initial foray into Enterprise Software began in 1999 at enCommerce, which was later acquired by Entrust. He worked at Sun Microsystems from 2005 to 2008 architecting and deploying identity solutions for customers using Sun Java System Identity products. He recently joined Layer 7 Technologies as a senior solution architect. He can be reached at jgershater@layer7tech.com. 

== September 17th 2008 ==

The web hacking incident database (WHID) 2007 Report is a Web Application Security Consortium project dedicated to maintaining a list of web applications related security incidents. The database classifies each reported attack by, among other criteria, the method used, the outcome of the attack and the industry and the country of the attacked organization. Based on the database Breach Labs which sponsors WHID issues a periodical report on trends in Web Application Security.

 

By providing answers to questions such as:

*The drivers behind Web hacking.
*The technology hackers use.
*The types of organizations attacked most often.
*The common outcomes

 The presentation will discuss WHID statistics, focusing on rising trends in Web Attacks in the 1st half of 2008. As the WHID enables research into the business model behind hacking, the presentation goes beyond discussing the technical aspects of attacks such as SQL injection crawlers and Web Site herding, to discussing the business model common to all of the attacks: Economy of scale. 

Ryan C. Barnett is a recognized security thought leader and evangelist who frequently speaks with the media and industry groups.

 He is the director of application security at Breach Security. He is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security/Building a Web Application Firewall Workshop, Top 20 Vulnerabilities Team Member and Local Mentor for the SANS Track 4, "Hacker Techniques, Exploits and Incident Handling" course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX) and Security Essentials (GSEC).

 Mr. Barnett also serves as the team lead for the Center for Internet Security Apache Benchmark Project and is a member of the Web Application Security Consortium. His web security book, "Preventing Web Attacks with Apache,” was published by Addison/Wesley in 2006.

== August 19th 2008 ==

"Don't Write Your Own Security Code" – Application security is arguably the most difficult IT challenge facing organizations today. There are over 600 different categories of vulnerabilities to avoid and they are all tricky. Most of these problems are related to the design, implementation, and use of a relatively small set of security controls. To solve this problem for developers, Jeff created the OWASP ESAPI project – a clean intuitive toolbox of the core security building blocks that every web developer needs. In this talk, Jeff will show you how to create an ESAPI for your organization that will solve the OWASP Top Ten vulnerabilities, increase assurance, and dramatically cut costs all at the same time.

 Jeff Williams is the founder and CEO of Aspect Security, specializing in application security services. Jeff also serves as the volunteer Chair of the Open Web Application Security Project (OWASP). Jeff has made extensive contributions to the application security community through OWASP, including the Top Ten, WebGoat, Stinger, Secure Software Contract Annex, Enterprise Security API, and the local chapters program. Jeff holds advanced degrees in psychology, computer science, and human factors, and graduated cum laude from Georgetown Law.

Los Angeles Previous Presentations Mega Archive

2011-03-08T22:13:13Z

Kelly FitzGerald: moved Los Angeles Previous Presentations Mega Archive to Los Angeles Previous Presentations 2009, 2010

#REDIRECT [[Los Angeles Previous Presentations 2009, 2010]]

Los Angeles Previous Presentations 2009, 2010

2011-03-08T22:12:12Z

Kelly FitzGerald: moved Los Angeles Previous Presentations to Los Angeles Previous Presentations Mega Archive: Breaking this down by year(i.e. 2009, 2010, 2011) due to the OWASP Wiki's lack of ability to deal with pages over 32 megs

Los Angeles Previous Presentations

2011-03-08T22:12:12Z

#REDIRECT [[Los Angeles Previous Presentations Mega Archive]]

Los Angeles

2011-02-18T22:15:32Z

Kelly FitzGerald: The "preview format" and actual format keep being out of sync. Trying again.

Los Angeles

2011-02-18T22:14:32Z

Kelly FitzGerald: Adding Netspi.com as sponser

Los Angeles

2011-02-18T21:53:37Z

Kelly FitzGerald: Rescaling Photo again

Los Angeles

2011-02-18T21:52:07Z

Kelly FitzGerald: Rescaling the picture of Scott Sutherland

Los Angeles

2011-02-18T21:49:46Z

Kelly FitzGerald: Adding Picture

File:Scottsutherland.jpeg

2011-02-18T21:42:11Z

Kelly FitzGerald: uploaded a new version of "File:Scottsutherland.jpeg"

Publicity Photo of Scott Sutherland

File:Scottsutherland low.jpeg

2011-02-18T21:38:07Z

Kelly FitzGerald: uploaded a new version of "File:Scottsutherland low.jpeg"

Lower Res Publicity Photo of Scott Sutherland.

File:Scottsutherland low.jpg

2011-02-18T21:32:45Z

Kelly FitzGerald:

File:Scottsutherland low.jpeg

2011-02-18T21:19:22Z

Kelly FitzGerald: Lower Res Publicity Photo of Scott Sutherland.

Lower Res Publicity Photo of Scott Sutherland.

Los Angeles

2011-02-18T21:18:17Z

Kelly FitzGerald: Saving intermediate edit for Feb 2011. Still need sponser info and picture.

File:Scottsutherland.jpeg

2011-02-18T21:08:10Z

Kelly FitzGerald: uploaded a new version of "File:Scottsutherland.jpeg"

Publicity Photo of Scott Sutherland

File:Scottsutherland.jpeg

2011-02-18T21:07:26Z

Kelly FitzGerald: Publicity Photo of Scott Sutherland

Publicity Photo of Scott Sutherland

Los Angeles Previous Presentations 2009, 2010

2011-02-18T20:25:27Z

Kelly FitzGerald: Adding Rational as the Dinner sponser.

Los Angeles Previous Presentations 2009, 2010

2011-02-18T20:23:19Z

Kelly FitzGerald: Adding the January talk. The wiki editor is having major problems with the size of this file. We need to find a better way to reduce page size.

=  Previous Presentations =

==  '''Wednesday, January 26, 2011 7:00 PM''' ==

*'''Evercookie: The Persistent Cookie'''

 
<pre>Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230
</pre>
''' Description: '''Evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they have removed standard cookies, Flash cookies Local Shared Objects or LSOs), and others.

Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

You can read more about Samy and Evercookie at[http://samy.pl/evercookie '''http://samy.pl/evercookie/''']

'''Speaker: '''Samy Kamkar is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. A co-founder of Fonality, Inc., an IP PBX company, Samy previously led the development of all toplevel domain name server software and systems for Global Domains International (.ws), and worked for Penn State University developing AI-based psychometric personality assessment software. In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in network security, reverse engineering, and network gaming. When not strapped behind the Matrix, Samy can be found stunt driving, getting involved in local community service projects, and continuing his focus on staying out of jail. 

==  '''Wednesday, July 21, 2011 7:00 PM''' ==

* '''How I Met Your Girlfriend: Entirely New Classes of Web Attacks'''
<pre>Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230</pre>
Description: This includes using HTML5 client-side XSS (without XSS hitting the server!), and my newly discovered attacks on PHP session hijacking and random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via Javascript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a web browser (not using IP geolocation), and more.

 

Speaker: Samy Kamkar is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. A co-founder of Fonality, Inc., an IP PBX company, Samy previously led the development of all top-level domain name server software and systems for Global Domains International (.ws), and worked for Penn State University developing AI-based psychometric personality assessment software.

 In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in network security, reverse engineering, and network gaming. When not strapped behind the Matrix, Samy can be found stunt driving, getting involved in local community service projects, and continuing his focus on staying out of jail.

 

 Dinner Sponser: Citrix Systems [[Image:Citrix Picture.jpg|80x80px|http://lacitrix.com]] 

==   Wednesday, June 09, 2010 7:30PM ==

*Security Assertion Markup Language (SAML), Shibboleth Single SignOn System, and Shibboleth's role at University of Southern California
<pre>Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230
</pre>
Speaker: Brendan Bellina Title: Identity Services Architect and Manager of Enterprise Middleware Identity Management at USC

 

NOTE: We are having this month meeting on the second Wednesday, instead of the regular third Wednesday, to avoid conflict with ISSA Summit scheduled on June 16. You can still register for the summit at the ISSA LA website (http://www.issa-la.org/Default.aspx?id=1088). 

== Wednesday, April 21st, 2010 7:30PM ==

*The intersection of social and technical attacks in Web 2.0 applications by Mike Bailey and Mike Murray

Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230

 Topic: The intersection of social and technical attacks in Web 2.0 applications

Speakers: Mike Bailey and Mike Murray

Mike Bailey is a senior security researcher at MAD Security and an application security specialist. While his research spans a wide variety of domains, it generally focuses on secure web application development, web application scanning and penetration testing, online privacy issues, network protocols and services, and how to break them.

Mike has spoken throughout the country at different security conferences and shows, including Blackhat DC, Toorcon, Defcon and others. Aside from coming up with new and interesting ways to break web and client-side applications, he also puts those attacks into practice as a penetration tester. Currently, Mike is studying the intersection of social and technical attacks in Web 2.0 applications. He publishes his research on the MAD Security blog as well as at Skeptikal.org.

Mike Murray has spent his entire career in information security and currently leads the delivery arm of MAD Security (MADSecInc.com). Mike is a co-founder of InfoSecLeaders.com where he writes and talks about the skills and strategies for building a long-term career in information security. Mike's on security careers have been seen at major conferences like RSA and Defcon.

== Wednesday, March 17th, 2010 7:30PM ==

*Mike Schrenk, author of "Webbots, Spiders, and Screen Scrapers"

Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230

 

BOOK PREVIEW: Webbots, Spiders, and Screen Scrapers SECOND EDITION

Michael Schrenk will provide a preview of the largely expanded second edition of his book "Webbots, Spiders, and Screen Scrapers". This second edition describes how technologies like JavaScript, AJAX and Flash challenge webbot developers and how those challenges are met. He will also talk about defeating CAPTCHAs, scalability and other related topics.

Michael Schrenk is a software developer, author and instructor, who specializes in automated web browsing agents known as webbots. Michael uses the Internet in new and innovative (odd?) ways to provide competitive advantages for his clients in The US, Europe and Asia.

He also helps journalists more effectively use computers to conduct online research through automation and by describing where and how to find otherwise hidden online information. No stranger to Europe--he's lived and worked for clients in Moscow and Madrid, Mike taught at the 2008 European Investigative Journalism Conference (Brussels Belgium), twice in 2009 he lectured at The Center for Investigative Journalism (London England) and later in 2009, he lead several sessions at the VVOJ Journalism conference (Utrecht The Netherlands).

Last August, Mike made his fourth speaking appearance at the DEFCON computer hacking conference. Mike lives in sunny Las Vegas, Nevada (USA). You can contact him at http://www.schrenk.com or follow him on Twitter [http://twitter.com/mgschrenk @mgschrenk].

==   Wednesday, February 24th, 2010 7:00PM ==

*Cloud Computing Security: Raining on the Trendy New Parade

 Slides can be found [https://docs.google.com/fileview?id=0By_clZjtpXPwMWM0YWIyZDgtZmRkZC00YTZlLWE1MDEtNmU0N2Y3MzQwMTJh&hl=en here on Google Docs].

Meeting Location
AT&T Interactive
611 N. Brand Blvd., 5th Floor
Glendale, CA

Cloud computing is an unstoppable meme at the CIO level, and will dominate corporate IT planning for the next several years. Although they do offer the promise of cost savings for many organizations, the basic ideas behind abstracting out the corporate datacenter greatly complicates the tasks of securing and auditing these systems. While there has been excellent research into low-level hypervisor and virtualization bugs, there has been little public discussion of the “big picture” problems for cloud computing. These include virtualized network devices, browser same-origin issues, credential management and many interesting legal challenges.

Our goal with this talk will be to explore the different attack scenarios that exist in the cloud computing world and to provide a comparison between the security models of the leading cloud computing platforms. We will discuss how current attacks against applications and infrastructure are changed with cloud computing, as well as introduce the audience to new types of vulnerabilities that are unique to cloud computing. Attendees will learn how to analyze the threat posed to them by cloud computing platforms as either providers or consumers of software built on these new platforms. Our platforms for discussion include Salesforce.com, Google Apps, Microsoft Office Live, Google AppEngine, Microsoft Azure, Amazon EC2, and Sun.

 Alex Stamos is a founding partner of iSEC Partners, a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security.

He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as Black Hat, CanSecWest, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec.

He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley.

==   Wednesday, January 20th, 2010 7:30PM ==

*Do VLANs allow for good application security?

Meeting Location
[http://maps.google.com/maps?q=900+Corporate+Pointe,+90230&ie=UTF8&oe=UTF-8&ll=33.988385,-118.387041&spn=0.010284,0.014055&t=h&z=16&iwloc=addr Symantec Corporation]
900 Corporate Pointe
Culver City, CA 90230
Laguna Conference Room

 Virtual Local Area Networks (VLANs) are not a new concept, and can help any organization better control network access. I will present some of the previous issues identified, what was the root cause, and how these have been fixed in current technology. In addition we will talk about how this can help to enhance security in your environment, and what controls must be in place in order to implement such an environment. We will also touch on how this can complicate your application environment, but improve overall security.

I will touch on the controls that need to be reviewed and audited when working with VMware, VLANs, and web applications, to ensure that these networks are secure, and what to look for to potentially pass audit criteria. I will also talk about where and how these controls have been implemented in order to protect thousands of users while accessing one of the most hostile networks in the world. 

David M. N. Bryan, Senior Security Consultant

David has over 9+ years of computer security experience including, consulting, engineering and administration. He has performed security assessment projects for health care, nuclear, manufacturing, pharmaceutical, banking and educational sectors. As an active participant in the information security community, he volunteers at DEFCON where he designs and implements the Firewall and Network for what is said to be the most hostile network environment in the world.

He is also an active participant in the local Minneapolis security groups both as a board member of OWASP MSP and DC612. His roots and experience come from working for a large enterprise banks, designing and managing enterprise security systems. In the more recent years he has been working as an Information Security Consultant to review the security and architecture of information computing environments.

==   Wednesday, December 16th, 2009 7:30PM ==

*[http://www.owasp.org/images/b/bc/Sutton_-_Pulling_The_Plug-Security_Risks_in_Next_Generation_Offline_Web_Apps_-_OWASP_LA_OC.pdf Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications]

 As the line between desktop and web applications becomes increasingly blurry in a web 2.0 world, browser functionality is being pushed well beyond what it was originally intended for. Persistent client side storage has become a requirement for web applications if they are to be available both online and off. This need is being filled by a variety of technologies such as Gears (formerly Google Gears) and the Database Storage <http://webkit.org/blog/126/webkit-does-html5-client-side-database-storage/> functionality included in the emerging HTML 5 <http://dev.w3.org/html5/spec/Overview.html> specification. While all such technologies offer great promise, it is clear that the vast majority of developers simply do not understand their security implications.

Researching a variety of currently deployed implementations of these technologies has revealed a broad scope of vulnerabilities with frightening implications. Now attackers can target victims not just once, but every time they visit a site as the victim now carries and stores the attack with them. Imagine a scenario whereby updated confidential information is forwarded to an attacker every time a victim interacts with a given web application. The attacker no longer needs to worry about timing their attacks to ensure that the victim is authenticated as the victim attacks himself! Limited storage? Cookies that expire? Not a problem when entire databases are accessible with virtually unlimited storage and an infinite lifespan. Think these attacks are theoretical? Think again. In this talk we dive into these technologies and break down the risk posed by them when not properly understood. We will then detail a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting and client-side SQL injection. 

Michael Sutton,Vice President and security research at Zscaler, has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers and educating others on a variety of security topics. As VP of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry.

Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.

 

==   Wednesday, November 18th, 2009 7:30PM ==

*[http://www.owasp.org/images/b/bc/Watching_software_run_11.18.09.pptx Watching Software Run with Brian Chess, Fortify Founder and Chief Scientist]

 Now more than ever before, computer systems are vulnerable because software is vulnerable. No matter how good programmers get at making secure software, it will never be perfect—we will always have to contend with incomplete or inadequate code. Most efforts at living with bad code have focused on shoring it up from the outside: limiting network access (firewalls) or watching for suspicious behavior (intrusion detection). This talk takes a different perspective: we’ll look at methods for identifying and blunting the effects of software shortcomings from the inside by watching the software run.

Modern languages like Java and C# are good for more than just programmers. They also provide a wealth of structured information when they execute. We can apply many same techniques developed for outside-in security, but at a finer granularity and with much more context. Along the way there is a lot to talk about: Where web application firewalls excel and where they fall down. Fuzzing vs. static analysis. The disappointments of both aspect oriented programming and building security in. Why nobody uses the Java Security model. Taking your security with you into the cloud. The reason SQL injection won’t go away. Revenge of the reference monitor. Why was Twitter’s security so bad? 

Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service. 

== Wednesday, October 21st, 2009 7:30PM ==

*[http://www.owasp.org/images/c/ca/ISO27001_OWASPLA_Shankar_10212009.pdf Enabling Compliance Requirements using Information Security Management System (ISMS) Framework (ISO27001)]

 Growing threats and complex regulatory requirements emphasize the need for an effective Information Security Management System (ISMS) framework for an organization. Comprehensive and globally accepted standards like ISO27001 can help in protecting information assets and in enabling compliance requirements. ISO27001 provides an Information Security framework based on best practices and controls to ensure the confidentiality, integrity and availability of information assets. This presentation analyzes the possible synergies between the goals of Information Security Management System (ISMS) and the various compliance requirements, thus making the compliance efforts less complex. Following are the key objectives of this presentation :

*Provide an introduction to ISO27001 and its controls
*Discuss the implementation approach for an Information Security Management System (ISMS) framework
*Familiarize the audience with some common challenges in implementation
*Outline synergy between ISO27001 controls and some compliance requirements( PCI , etc)

 Attendees will learn about ISO27001 Information Security Standard, ISMS implementation approach and how ISO27001 can be used in meeting various regulatory/compliance requirements like Sox, PCI etc. It will also help the attendees to improve the information security posture of the organization and provide an effective and efficient approach for handling various information security/compliance audits with less effort. 

Shankar Subramaniyan has over 11 years of experience as a technology consulting and project management executive in the areas of IT Governance, Risk and Compliance (GRC), Business Continuity Planning and Network Design & Architecture. He has thorough expertise on setting up Information Security Framework and Policies on the basis of industry standards such as ISO 27001. He has worked extensively on industry standards and best practices like BS7799 and ITIL. He also has good understanding and knowledge of various compliance requirements like PCI, Sox etc. Shankar' s experience includes IT audit, SOX remediation, ISMS (ISO27001) implementation, PCI compliance assessment, disaster recovery solution, enterprise risk management, designing IT security architecture and implementing ITIL processes. Shankar has rich experience in handling large projects and managing client relationships across corporate and educational sectors. 

== Wednesday, September 16th, 2009 7:30PM ==

*The Rise of Threat Analysis and the Fall of Compliance, Policies, and Standards in mitigating Web Application Security Risks

 On August 5th of 2009, Federal prosecutors on Monday charged Albert Gonzales with the largest case of credit and debit card data theft ever in the United States: 130 million credit cards numbers by hacking into the systems of Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers. Using a SQL-injection attack, the hackers installed malware on Hannaford Brothers. Hannaford was PCI compliant at the time they were compromise that lets question the validity of regulatory compliance frameworks, and specifically PCI standards as an effective method to reduce data breaches, identity theft, and the proliferation of credit card fraud. This presentation will further analyze how status quo security standards, such as PCI-DSS, as well as other policies, standards, and guidelines truly affect security risk mitigation efforts against cybercrime based threats. These traditional efforts will be compared to threat modeling workflows in order to demonstrate how real risk is mitigated under each scenario. Cases for financial fraud will be anonymously presented to create a business case for application threat modeling as a viable methodology to drive improved application design and security risk mitigation. Threat modeling concepts will be elaborated in order to prove how application architecture walkthroughs via threat modeling improve the mitigation of cybercrime threats. Attacker motives and goals will be presented and incorporated into attack trees and it will show how attack libraries can be used to effectively identify application vulnerabilities and devise countermeasures in web application. From the risk analysis perspective, several attacks will be considered and highlighted, particularly attacks that represent a systemic impact to an organization or government (such as for example a distributed denial of service). Through the presentation of threat modeling scenarios, analyses and correlations will be drawn from the represented model(s) to attack patterns, associated and discovered security vulnerabilities, data sources, application topologies, and possible roles and permissions associated with the application environment. The purpose of the presentation is to demonstrate how application threat modeling can be used as part of a nouveau age form of security risk mitigation and overall application security. Data flow diagrams and application walkthroughs will enable audience members to witness how application threat modeling is an evolved form of security process engineering for improved application design and overall application security. The presentation will also demonstrate how threat modeling is capable of delivering critical business functions as well as in mitigating current and future cyber attacks, such as distributed denial of service, botnet driven-malware, spear phishing techniques, and more attacks that ultimately lead to identity and credit card fraud. From the point of view of current and future cybercrime risk mitigation, several different strategies for application threat modeling will be discussed as related to securing both the web application web and critical financial infrastructures, such as ATMs. Finally some emphasis will be given to countermeasures that provide for incident response, intelligence and forensics capabilities. Presentation outline, defining all topics that will be covered:

*Status quo of regulatory compliance in mitigating risk
*Threat modeling techniques for cybercrime threats
*Attack tree analysis for attack tree vectors
*Threat modeling for multi-channel fraud threat scenarios
*Cyber crime threats and application countermeasures via threat modeling
*Example of mitigation strategies for cybercrime and application of defense in depth for web applications

 Any supporting research/tools:

*Threat models and attack trees
*Threat model are produced using the Microsoft™ threat modeling tool
*Public available cybercrime data will be presented and correlated

 

Marco Morana serves as one of the leaders of OWASP (Open Web Application Security Project) organization where he is actively involved in evangelize on web application security through presentations at local chapter meetings in USA as well as internationally. Marco has recently been awarded a contract from Wiley Publishing to co-author a book on Application Threat Modeling. Besides being the OWASP Cincinnati chapter lead, Marco is also active contributor to OWASP projects such as the application threat modeling methodology for secure coding guideline and the security testing guide (ver. 2 and 3). Besides contributing to OWASP, Marco works as Technology Information Security Officer for a large financial organization in North America with responsibilities in the definition of the organization web application security standards, management of application security assessments during the SDLC, threat-fraud analysis and training of software developers, project managers and architects on different topics related to application security. In the past, Marco served as senior security consultant and independent consultant where his responsibilities included providing software security services for several clients in the financial and banking, telecommunications and commercial sector industry. Besides security consulting, Marco had a career as technologist in the security industry where he contributed to the design business critical security products currently being used by several FORTUNE 500 companies as well by the US Government. Marco work on software security is referred in the 2007 State Of the Art report by the Information Assurance Technology Analysis Center (IATAC). Marco received the NASA’s Space Act Award in 1999 for the patenting the S/MIME SEP (Secure Email Plug-in) application. Marco research work on application and software security is widely published on several magazines such as In-secure magazine, Secure Enterprise, ISSA Journal and the C/C++ Users journal. Marco’s ideas and strategies for writing secure software are posted on his blog: http://securesoftware.blogspot.com. 

 Tony UcedaVelez has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a terminology that describes the design and development of secure processes and controls working symbiotically to a unique business workflow. Tony currenlty serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S on the topic of application security and security process engineering. His diverse background in software development, security architecture, and network security, coupled with his expertise in process engineering and security risk management has allowed Tony to be a recognized leader in developing strategic security solutions that are multi-faceted in their approach to addressing enterprise risk. In the realm of application security, Tony is a threat modeling evangelist and has provided numerous talks domestically and globally on its many benefits and application. He has served as a guest mentor to teams participating in Kennesaw State University’s annual Cybercrime capture the flag event as well as a Cybercrime speaker for Southern Polytechnic University in Atlanta. He has also served as a guest speaker on the subject of application threat modeling during ISACA’s annual Geek Week event and has also served as a keynote speaker on the subject for ISACA’s Global Symposium web cast series. Additional articles include articles related to CoBIT and the ValIT model (ISACA’s Journal), application threat modeling within the SDLC (InSecureMagazine), and security process engineering for a ROSI (return on security investment) (Journal of Finance). He is currently finalizing a Wiley publishing book on Application Threat Modeling with Marco Morana. Prior to VerSprite, Tony served as Sr. Director of Security Risk Management to a Fortune 50 organization where he led security assessments against global application environments. His work encompassed web application security testing, security architecture reviews, and analysis for business logic exploits. He applied effective ways to introduce the subject of application risk to information owners by effectively mapping them to causal factors for business. Previous to this role, he spent more than 5 years in the field of application security across other Fortune 500 organizations within the banking, telecom, and information service industry segments. Tony currently leads the OWASP Atlanta Chapter, where he manages monthly workshops and events for the Atlanta web application security community. He also has developed a case study program for the Atlanta chapter in order to develop case studies with local Atlanta companies who are seeking to apply application threat modeling techniques within the SDLC and/ or incorporate the many OWASP produced tools and frameworks. Tony can be reached at tonyuv@versprite.com or tonyuv@owasp.org. 

== Tuesday, August 25th, 2009 3:00PM ==

*OWASP Live CD Demo and Q&A with Matt Tessauro

 Matt Tesauro will be in visiting our LA chapter and providing a quick demo of [http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project OWASP Live CD] Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the OWASP Live CD. 

== Thursday, August 20th, 2009 7:30PM ==

*The Software Assurance Maturity Model (SAMM)

 [http://www.opensamm.org/ The Software Assurance Maturity Model (SAMM)] is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. SAMM is an open and free project and has recently been added under the Open Web Application Security Project (OWASP) Foundation. 

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL. 

== Tuesday, July 21st, 2009 7:30PM ==

*Lock picks, BumpKeys, and Hackers oh my! How secure is your application?

 This talk will focus on physical security controls, weaknesses, and counter measures. I will present on what lock picking is, how bump keys work, and ways to subverting electronic locks. We will also go into what are good controls, and what is often overlooked when designing secure environments. Many of the topics covered apply to application security, as the methods for securing these devices is by using obscurity. In the application world with automated tools and scripts, this does not hold water for very long. 

David M. N. Bryan, NetSPI has 10 years of computer security experience, including consulting, engineering, and administration. He has performed security assessment projects in the healthcare, nuclear, manufacturing, pharmaceutical, banking and educational sectors. As an active participant in the information security community, he volunteers at DEFCON, where he designs and implements the firewall and network for what is said to be the most hostile network environment in the world. This network allows speakers, press, vendors, and others to gain access to the Internet, without being hacked. In his spare time he and his wife run the local DEFCON group, DC612 and participate in the Minneapolis OWASP chapter. 

== June 24th, 2009 7:30PM ==

*Information Warfare: Past, Present and Future

 Information warfare is the composite use of psychological operations (PYOPS), military deception (MILDEC), operational security (OPSEC), computer network operations (CNO), and electronic warfare (EW) to control and disrupt information flow. Recently, interest in information war technologies, techniques and policy issues have increased, especially in the domain of CNO. Increased scrutiny over network operations is both legitimate and valid, as global commerce and military powers are integrated and dependent on the Internet for critical operations. This presentation will describe the five domains of information warfare, the past use of information warfare in the Gulf war and recent Cyber attacks on the Eastern European countries of Georgia and Estonia. Information will be presented on possible new directions of information warfare. Mikhael Felker, CISSP-ISSEP has worked in a variety of roles including instructor, engineer, and researcher. He is currently employed by The Aerospace Corporation in the Information Assurance Technology Department, supporting Information Assurance (IA) for satellite systems. He is also an Instructor within the Computer & Information Systems Division at UCLA Extension, teaching a course in networking. Actively involved in the Los Angeles security community, he is the Education Director for Los Angeles Chapter of Information Systems Security Association (ISSA), member and speaker of Information Systems Audit and Control Association (ISACA), and former Defense Sector Coordinator for InfraGard. Mikhael has published articles in IEEE Security & Privacy, the ISSA Journal, Information Systems Control Journal, and SecurityFocus. He is a recipient of the Scholarship for Service Program (SFS) Fellowship, sponsored by the National Science Foundation and Department of Homeland Security (DHS). Mikhael completed his graduate work at Carnegie Mellon University with a Master's in Information Security Policy & Management and Bachelor's at UCLA in Computer Science. He holds over 10 certifications in IT and Security. 

== May 20th, 2009 ==

*[http://video.google.com/videoplay?docid=2875886330538461390 Top Ten Web Hacking Techniques of 2008: "What's possible, not probable"]

 The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road. Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co- founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA, CSI, HiTB, OWASP, ISSA, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks. Grossman is often quoted in the the business and technical press. Prior to WhiteHat, Grossman was an information security officer at Yahoo! 

== April 15th, 2009 ==

*Cross Site Scripting, Exploits and Defenses 

For a long time, the impact of XSS vulnerabilities has been grossly underestimated. Recent compromises, such as the pro-Hillary [http://cyberinsecure.com/hacked-obama-site-redirects-visitors-to-clintons-site/ defacement] of Barack Obama's website, and a [http://www.securescience.net/twoubledtwitter.html Viral XSS in Twitter] demonstrated the impact of XSS vulnerabilities to the masses.

During this presentation, David Campbell will demonstrate exactly how effective XSS vulns can be, and show you what you can do to protect yourself and your sites.

This presentation was originally delivered to OWASP Colorado in May of 2008, and has been updated for this session.

[https://www.owasp.org/index.php/Image:DC_ED_OWASP_XSS_MAY2008_v1.0.pdf Slide deck from May '08 talk] David Campbell is an infosec veteran, with experience ranging from penetration testing for Fortune 100's to architecting security solutions for large multinational financials to consulting for government agencies. DC is presently chapter leader of OWASP Denver and is Principal Consultant at Electric Alchemy. 

== March 12th, 2009 ==

*NETWORK SECURITY DINNER WITH ISSA - CISO'S Security Dashboard Panel!! 

This month will be joining forces with ISSA to create the biggest netowork event for security professionals in Los Angeles for this year. Agenda

*5:30 p.m., Networking and tours of the antivirus facility
*6:30 p.m., Dinner
*7:30 p.m., CISO Panel

 Panelists

*Robert J. Brown, CISSP, CISO WestCorp Credit Union
*Steve Haydostian, CISSP, Former CISO, Healthnet
*David Lam, CISSP, CISO, Stephen S. Wise
*Edward G. Pagett II, CISSP, CISO, Lender Processing Services, Inc.
*Mike O. Villegas, CISA, CISSP, Director of Information Security, Newegg.com

 Dinner Fees:

*ISSA-LA members & OWASP members - Pre-Register and Pay online: $25
*ISSA-LA members & OWASP members - Pay at the door: $30
*Non-members - Pre-Register and Pay online: $30
*Non-members - Pay at the door: $35

 ''Thanks to David Lam and Stan Stahl for agreeing to have OWASP joining this ISSA LA event!''

== February 18th 2009 ==

[https://www.owasp.org/images/5/58/Cloud_Computing_Security.pdf Cloud Computing and Security] The Cloud Computing and Software as a Service models are driving many companies to build innovative, scalable and cost effective alternatives to the traditional IT computing model. Even with the potential cost and scalability benefits of cloud computing, its use by more traditional enterprises has been retarded by the concerns of their professional security and audit staffs. In our experience these concerns are legitimate, and although surveys have shown that security is the #1 factor preventing adoption of cloud computing, there has been very little reliable discussion of the technical security risks inherent in the model and how engineers, sys-admins and architects can deal with these risks. In this session, we will explore the widely differing security models of the leading cloud computing providers, including Amazon, Google and Salesforce. We will also reveal the significant differences in operational and application security practices necessary to deal with a cloud computing environment. Alex Stamos is a co-founder and Partner at iSEC Partners Inc., a strategic digital security organization. Alex is an experienced security engineer specializing in solving difficult problems in application security and is a leading researcher in the field of web application and mobile security. He has been a featured speaker at top industry conferences such as Black Hat, Web 2.0 Expo, CanSecWest, DefCon, SyScan, SD Best Practices, Microsoft BlueHat and OWASP App Sec. Alex is a contributing author to "Hacking Exposed: Web 2.0" and an author of the upcoming book "Mobile Application Security", both from McGraw-Hill. He holds a BSEE from the University of California, Berkeley. 

== January 28th 2009 ==

Building Security into the Test Organization The common approach to detecting web security issues is still the regular application of a post-release pen-test or tool based scan. These last minute examinations rarely live up to broader organizational goals; they can be difficult to repeat, measure, or optimize over time. Most of all they're expensive: they find bugs late in the lifecycle. This talk recommends moving security testing responsibility within the test team itself. The approach discussed will work with-or-without the existence of explicit security requirements. See how security testing has been applied at other organizations and how it might be customized for yours. Ben Walther firmly believes testers have a wonderfully devious mindset, and has been promoting the idea of "security testing" at Cigital's clients, at OWASP events, and to any friends and relatives who will listen. To this end, with the aid of O'Reilly media, Ben Walther and Paco Hope recently published a book entitled the "Web Security Testing Cookbook." 

== December 10th 2008 ==

[http://www.owasp.org/images/7/79/OWASP-WASCAppSec2007SanJose_SamyWorm.ppt The MySpace Worm] The most virulent worm in the history of the series of tubes known as the Internet. One of the most highly accessed websites ever [see comScore]. One of the most ostentatious hackers alive. Over one million victims. Less than 24 hours. Fueled only by Chipotle burritos. The MySpace Worm. Samy will be recapping the story of the development, release and eventual future of the MySpace worm. The 24 hours that led up to over one million friends. The eventual downfall of the MySpace site for several hours. The non-malicious intent and humorous progression of the worm. The t-shirts. The copycats. The behind-the-scenes story of the Secret Service raid at Samy's home and office. The demise of Samy's legal use of computers, community service, restitution, high-risk offender probation, and rehabilitation. And where Samy is today. 

 

Samy Kamkar, software engineer and self-proclaimed playboy, is a meddler in the security and software realms. He is currently the Director of Engineering and co-founder of Fonality, Inc., an IP PBX startup located in Culver City. Previously, Samy led the development of all core top-level domain name server software and systems for Global Domains International (.ws). Prior to that, Samy worked with Penn State University developing psychometric personality assessment software with attention to artificial intelligence and bioinformatics. When not strapped behind the Matrix, Samy can be found performing parkour (free running), practicing urban escape artist maneuvers, or is found getting involved in local community service projects. In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in the areas of network security, reverse engineering, and network gaming, and continues his focus in staying out of jail. 

== November 19th 2008 ==

A new web attack vector: [http://www.eweek.com/c/a/Security/Security-Researcher-to-Reveal-New-Web-Attack-Vector/ Script Fragmentation] 

This presentation will introduce a new web-based attack vector which utilizes client-side scripting to fragment malicious web content. 

This involves distributing web exploits in a asynchronous manner to evade signature detection. Similar to TCP fragmentation attacks, which are still an issue in current IDS/IPS products, This attack vector involves sending any web exploit in fragments and uses the already existing components within the web browser to reassemble and execute the exploit. 

Our presentation will discuss this attack vector used to evade both gateway and client side detection. We will show several proof of concepts containing common readily available web exploits. 

Stephan Chenette is a Senior Security Researcher who helps lead Websense Security Labs working on malcode detection techniques. Mr. Chenette specializes in research tools ranging from kernel-land sandboxes, to static analysis scanners. He has released public analyses on various vulnerabilities and malware. Prior to joining Websense, Stephan was a security software engineer for 4 years working in research and product development at eEye Digital Security. 

== October 29th 2008 ==

Entitlements Management: Security and policies for SOA using XML appliances 

Loosely coupled Web Services can be insecure as, by their very nature, are exposed to application consumers. Security built into XML appliances alleviates the developer with the burden of coding security and policies into their application, freeing the developer to concentrate on conding business processes. This evenings meeting will discuss SOA security challenges and introduce the Layer7 XML appliance that allows for dynamic policies to be configured on the fly using an intuitive user interface. Jonathan Gershater’s career started at 3Com, managing servers and networks. His initial foray into Enterprise Software began in 1999 at enCommerce, which was later acquired by Entrust. He worked at Sun Microsystems from 2005 to 2008 architecting and deploying identity solutions for customers using Sun Java System Identity products. He recently joined Layer 7 Technologies as a senior solution architect. He can be reached at jgershater@layer7tech.com. 

== September 17th 2008 ==

The web hacking incident database (WHID) 2007 Report is a Web Application Security Consortium project dedicated to maintaining a list of web applications related security incidents. The database classifies each reported attack by, among other criteria, the method used, the outcome of the attack and the industry and the country of the attacked organization. Based on the database Breach Labs which sponsors WHID issues a periodical report on trends in Web Application Security.

 

By providing answers to questions such as:

*The drivers behind Web hacking.
*The technology hackers use.
*The types of organizations attacked most often.
*The common outcomes

 The presentation will discuss WHID statistics, focusing on rising trends in Web Attacks in the 1st half of 2008. As the WHID enables research into the business model behind hacking, the presentation goes beyond discussing the technical aspects of attacks such as SQL injection crawlers and Web Site herding, to discussing the business model common to all of the attacks: Economy of scale. 

Ryan C. Barnett is a recognized security thought leader and evangelist who frequently speaks with the media and industry groups.

 He is the director of application security at Breach Security. He is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security/Building a Web Application Firewall Workshop, Top 20 Vulnerabilities Team Member and Local Mentor for the SANS Track 4, "Hacker Techniques, Exploits and Incident Handling" course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX) and Security Essentials (GSEC).

 Mr. Barnett also serves as the team lead for the Center for Internet Security Apache Benchmark Project and is a member of the Web Application Security Consortium. His web security book, "Preventing Web Attacks with Apache,” was published by Addison/Wesley in 2006.

== August 19th 2008 ==

"Don't Write Your Own Security Code" – Application security is arguably the most difficult IT challenge facing organizations today. There are over 600 different categories of vulnerabilities to avoid and they are all tricky. Most of these problems are related to the design, implementation, and use of a relatively small set of security controls. To solve this problem for developers, Jeff created the OWASP ESAPI project – a clean intuitive toolbox of the core security building blocks that every web developer needs. In this talk, Jeff will show you how to create an ESAPI for your organization that will solve the OWASP Top Ten vulnerabilities, increase assurance, and dramatically cut costs all at the same time.

 Jeff Williams is the founder and CEO of Aspect Security, specializing in application security services. Jeff also serves as the volunteer Chair of the Open Web Application Security Project (OWASP). Jeff has made extensive contributions to the application security community through OWASP, including the Top Ten, WebGoat, Stinger, Secure Software Contract Annex, Enterprise Security API, and the local chapters program. Jeff holds advanced degrees in psychology, computer science, and human factors, and graduated cum laude from Georgetown Law.

AppSec US 2010, CA

2010-08-27T22:51:27Z

Kelly FitzGerald: Edited the blurb for Justin Searle

__NOTOC__

 [[Image:Appsec banner.png|468x60px|AppSec USA 2010 Banner]]

= Welcome to AppSec USA 2010 =

{| class="FCK__ShowTableBorders" border="0" width="100%" align="center"
|-
| style="background: rgb(238,235,226); color: black" colspan="4" align="left" |
For complete information, please visit [http://www.appsecusa.org AppSec US 2010 Website] Training and Presentation Schedules Available Now!

Training Days Sept 7-8: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=Training_September_7th_.26_8th Schedule of Classes]

Presentation Schedule Sept 9th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_9th Schedule of Talks] Sept 10th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_10th Schedule of Talks]

|}

{| style="width: 100%" class="FCK__ShowTableBorders"
|-
| style="width: 100%; color: rgb(0,0,0)" |
{| style="width: 100%; background: none transparent scroll repeat 0% 0%; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders"
|-
| style="width: 95%; color: rgb(0,0,0)" |
'''Latest Updates:'''

Dr. Chenxi Wang of Forrester Research added as keynote speaker for September 9.

@chenxiwang tweets at http://twitter.com/chenxiwang.''' '''

|}



| style="border-bottom: rgb(204,204,204) 0px solid; border-left: rgb(204,204,204) 0px solid; width: 100%; color: rgb(0,0,0); font-size: 95%; border-top: rgb(204,204,204) 0px solid; border-right: rgb(204,204,204) 0px solid" | 
| style="width: 110px; color: rgb(0,0,0); font-size: 95%" |
|}



==== Training September 7th & 8th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T1. Web Security Testing - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This course is a deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing, arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to common web application vulnerabilities, testing techniques and tools by a professional security tester.
The course includes a guided penetration test in which the students will execute security test with the help of the instructor.

|-
| style="background: rgb(242,242,242)" | Instructor: Joe Basirico, Security Innovation
|-
| style="background: rgb(242,242,242)" | [[Learn More About the Web Security Testing Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T2. Building Secure Ajax and Web 2.0 Applications - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This two-day class will cover common Web 2.0 and AJAX security threats, vulnerabilities, and it will provide specific guidance on how to develop Web 2.0 applications to defend against these threats and vulnerabilities.
Training developers on secure coding practices offers one of highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building Secure Ajax and Web 2.0 Applications Course enables developers to securely utilize Web 2.0 technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how Ajax attacks work, the impacts of successful attacks, and what to do to defend against them.

|-
| style="background: rgb(242,242,242)" | Instructor: Dave Wichers: [[Image:Aspect logo.gif]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Building Secure Ajax and Web 2.0 Applications Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T3. Assessing and Exploiting Web Applications with Samurai - WTF - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" |
Come take the official Samurai-WTF training course given by one of the founders and lead developers of the project! You will learn how to use the latest Samurai-WTF open source tools and the be shown the latest techniques to perform web application assessments. After a quick overview of pen testing methodology, the instructor will lead you through the penetration and exploitation of three different web applications, and the browsers connecting to them. Different sets of open source tools will be used on each web application, allow you to learn first hand the pros and cons of each tool. After you have gained experience with the Samurai-WTF tools, you will be challenged with a fourth web application that contains keys you must find and collect. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence necessary to perform web application assessments and expose you to the wealth of freely available open source tools.

|-
| style="background: rgb(242,242,242)" |
Instructor: Justin Searle: InGuardians [[Image:InGuardians.png|36x39px]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T4. Application Security Leadership Essentials - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.
|-
| style="background: rgb(242,242,242)" | Instructor: Jeff Williams: [[Image:Aspect logo.gif]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Application Security Leadership Essentials Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T5. Software Security Remediation: How to Fix Application Vulnerabilities 1-Day - Sept 7th- $675
|-
| style="background: rgb(242,242,242)" | This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.
Instructor: Dan Cornell: [[Image:AppSecDC2009-Sponsor-denim.gif]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T6. Live CD 1-Day - Sept 8th- $675
|-
| style="background: rgb(242,242,242)" | This class will will cover the full range of tools and documentation that OWASP provides under free and open licenses. When the class is complete, students will be familiar with a wide range of tools and techniques to test web applications.
The class will include a DVD of OWASP tools and documentation for testing web applications. Additionally, the DVD will include the OWASP Web Testing Environment. OWASP WTE is a collection of tools and documentation for testing web applications available both as a bootable Live CD and virtual machines. Attendees to this class will receive a customized version of OWASP WTE. It will be provided as a virtual machine which includes the tools, documentation and the applications tested during class. It is a self-contained environment to learn web application testing the students can take from class to further hone their testing skills.

Students are encouraged to bring a laptop to class. The virtualization software for OWASP WTE runs on Windows, OS X and Linux. Students with a laptop can follow along with the in class demonstrations to get hands on testing experience

 Instructors: Matt Tesauro and Charles Henderson: [[Image:TrustwaveLogo.jpg]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

 

==== September 9th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 1 - September 9th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 07:30-08:30
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Registration and Breakfast + Coffee
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:30-08:45
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Welcome to OWASP AppSec US, 2010 (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:45-9:30
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Jeff Williams (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 9:30-10:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Chenxi Wang (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:15-10:35
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF kick-off (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:35-11:20
| style="width: 30%; background: rgb(188,133,122)" align="left" | How I met your Girlfriend, ''Samy Kamkar'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Solving Real-World Problems with an Enterprise Security API (ESAPI), ''Chris Schmidt, ServiceMagic'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | TBD
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:20-11:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:30-12:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | State of SSL on the Internet - 2010 Survey, Results and Conclusions, ''Ivan Ristic, Qualys'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Into the Rabbit Hole: Execution Flow-based Web Application Testing, ''Rafal Los, Hewlett-Packard'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | Threat Modeling Best Practices, ''Robert Zigweid, IOActive'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:15-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:30-14:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Bill Cheswick (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:15-14:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:25-15:10
| style="width: 30%; background: rgb(188,133,122)" align="left" | P0w3d for Botnet CnC, ''Gunter Ollmann, Damballa'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Cloud Computing, A Weapon of Mass Destruction?, ''David Bryan, Trustwave's SpiderLabs & Michael Anderson, NetSPI'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | The Secure Coding Practices Quick Reference Guide, ''Keith Turpin, Boeing''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:30-16:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, ''Dan Cornell, Denim Group'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Assessing, Testing and Validating Flash Content, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | OWASP State of the Union, ''Tom Brennan, OWASP''
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:15-16:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:25-17:10
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen, TBD...Moderator: Stuart Schwartz
|}

==== September 10th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 2 - September 10th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:00-09:00
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:00-09:15
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Announcements (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:15-10:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: David Rice (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:00-10:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:10-10:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Security Architecting Applications for the Cloud, ''Alex Stamos, iSEC Partners'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Unraveling Cross-Technology, Cross-Domain Trust Relations, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Real Time Application Defenses - The Reality of AppSensor & ESAPI, ''Michael Coates, Mozilla,''
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:55-11:15
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:15-12:00
| style="width: 30%; background: rgb(188,133,122)" align="left" | Reducing Web application Vulnerabilities: Moving from a Test-Dependent to Design-Driven development, ''Joe Basirico, Security Innovation'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Session Management Security tips and Tricks, ''Lars Ewe, Cenzic'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | The Dark Side of Twitter: Measuring and Analyzing Malicious Activity on Twitter, ''Paul Judge, David Maynor, and Daniel Peck, Barracuda Labs'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:00-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:15-14:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: HD Moore (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:05-14:50
| style="width: 30%; background: rgb(188,133,122)" align="left" | ''Symantec – Edward Bonver'' ''Principal Software Engineer (moderator) Symantec – Kelly FitzGerald Senior Vulnerability Analyst Microsoft – Katie Moussouris Senior Security Strategist Cigital – John Stephen Senior Director HP, TippingPoint -Daniel Holden Director, DVLabs''
| style="width: 30%; background: rgb(188,165,122)" align="left" | Agile + Security = FAIL, ''Adrian Lane'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities, ''Aditya K. Sood, Armorize Technologies''
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:50-15:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Escalating Privileges through Database Trusts, ''Scott Sutherland and Antti Rantasaari, NetSPI'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Defining the Identiy Management Framework, ''Richard Tychansky, Jim Molini, Hord Tipton, and Mike Kilroy'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Breaking Web Browsers, ''Jeremiah Grossman, WhiteHat Security''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:55-16:05
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:05-16:50
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Conference Wrap Up: AppSec US 2011 Location Announcement, CTF Results, Prizes
|}

 

==== Sponsors ====

We are currently soliciting sponsors for the AppSec US 2010 Conference. Please refer to our [http://www.appsecusa.org/become-a-sponsor.html List of Sponsorship Opportunities] (or [http://www.owasp.org/images/b/b3/OWASP_sponsorship_Irvine.pdf PDF]).

Please contact [mailto:kate.hartmann@owasp.org Kate Hartmann] for more information.

Slots are going fast so contact us to sponsor today!

 

 

== Gold Sponsors ==

[[Image:Ibmneg blurgb.jpg]] [[Image:Fortify logo AppSec Research 2010.png]]    [[Image:TrustwaveLogo.jpg]] 

== Silver Sponsors ==

[[Image:Fishnet Logo AppSec.jpg]]           [[Image:Acunetix logo 200.png]]               [[Image:Barracuda Color Logo.jpg]]       [[Image:Cenziclogo.png]]                 [[Image:Cigital-hor-color.JPG|120x65px]]                     [[Image:Fujitsu-red-opt-b-150x56.gif|150x56px]]      [[Image:Netspi logo.png]]             [[Image:Whitehat security logo.gif]]          [[Image:Imperva Logo.gif]] [[Image:Aspect logo owasp.jpg]]                   [[Image:AppSecDC2009-Sponsor-aod.gif]]        [[Image:Mavituna.jpg]] [[Image:Sponsors-radware.jpg]]      [[Image:Denim Group Logo.gif]]

== Organizational Sponsors ==

[[Image:Eccouncil.jpg]]      [[Image:ISSA-LA icon.jpg]]

=== Reception Sponsors ===

=== Coffee Sponsors ===

==== REGISTER NOW ====

Click [http://www.appsecusa.org/register-now.html here]  for registration information. 

[http://www.appsecusa.org/register-now.html http://www.appsecusa.org/register-now.html]

<headertabs />

[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_USA]]

AppSec US 2010, CA

2010-08-23T19:29:43Z

Kelly FitzGerald: updated for updating Vuln Management Panel.

__NOTOC__

 [[Image:Appsec banner.png|468x60px|AppSec USA 2010 Banner]]

= Welcome to AppSec USA 2010 =

{| class="FCK__ShowTableBorders" border="0" width="100%" align="center"
|-
| style="background: rgb(238,235,226); color: black" colspan="4" align="left" |
For complete information, please visit [http://www.appsecusa.org AppSec US 2010 Website] Training and Presentation Schedules Available Now!

Training Days Sept 7-8: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=Training_September_7th_.26_8th Schedule of Classes]

Presentation Schedule Sept 9th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_9th Schedule of Talks] Sept 10th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_10th Schedule of Talks]

|}

{| style="width: 100%" class="FCK__ShowTableBorders"
|-
| style="width: 100%; color: rgb(0,0,0)" |
{| style="width: 100%; background: none transparent scroll repeat 0% 0%; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders"
|-
| style="width: 95%; color: rgb(0,0,0)" |
'''Latest Updates:'''

Dr. Chenxi Wang of Forrester Research added as keynote speaker for September 9.

@chenxiwang tweets at http://twitter.com/chenxiwang.''' '''

|}



| style="border-bottom: rgb(204,204,204) 0px solid; border-left: rgb(204,204,204) 0px solid; width: 100%; color: rgb(0,0,0); font-size: 95%; border-top: rgb(204,204,204) 0px solid; border-right: rgb(204,204,204) 0px solid" | 
| style="width: 110px; color: rgb(0,0,0); font-size: 95%" |
|}



==== Training September 7th & 8th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T1. Web Security Testing - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This course is a deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing, arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to common web application vulnerabilities, testing techniques and tools by a professional security tester.
The course includes a guided penetration test in which the students will execute security test with the help of the instructor.

|-
| style="background: rgb(242,242,242)" | Instructor: Joe Basirico, Security Innovation
|-
| style="background: rgb(242,242,242)" | [[Learn More About the Web Security Testing Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T2. Building Secure Ajax and Web 2.0 Applications - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This two-day class will cover common Web 2.0 and AJAX security threats, vulnerabilities, and it will provide specific guidance on how to develop Web 2.0 applications to defend against these threats and vulnerabilities.
Training developers on secure coding practices offers one of highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building Secure Ajax and Web 2.0 Applications Course enables developers to securely utilize Web 2.0 technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how Ajax attacks work, the impacts of successful attacks, and what to do to defend against them.

|-
| style="background: rgb(242,242,242)" | Instructor: Dave Wichers: [[Image:Aspect logo.gif]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Building Secure Ajax and Web 2.0 Applications Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T3. Assessing and Exploiting Web Applications with Samurai - WTF - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" |
This course will focus on using open source tools to perform web application assessments.  The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-‐WTF). 

Day one will take students through the steps and open source tools used to assess application for vulnerabilities. 

Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks.  The latest tools and techniques will be used throughout the course, including several tools developed by the trainers themselves

|-
| style="background: rgb(242,242,242)" |
Instructor: Jason Searle: InGuardians [[Image:InGuardians.png|36x39px]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T4. Application Security Leadership Essentials - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.
|-
| style="background: rgb(242,242,242)" | Instructor: Jeff Williams: [[Image:Aspect logo.gif]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Application Security Leadership Essentials Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T5. Software Security Remediation: How to Fix Application Vulnerabilities 1-Day - Sept 7th- $675
|-
| style="background: rgb(242,242,242)" | This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.
Instructor: Dan Cornell: [[Image:AppSecDC2009-Sponsor-denim.gif]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T6. Live CD 1-Day - Sept 8th- $675
|-
| style="background: rgb(242,242,242)" | This class will will cover the full range of tools and documentation that OWASP provides under free and open licenses. When the class is complete, students will be familiar with a wide range of tools and techniques to test web applications.
The class will include a DVD of OWASP tools and documentation for testing web applications. Additionally, the DVD will include the OWASP Web Testing Environment. OWASP WTE is a collection of tools and documentation for testing web applications available both as a bootable Live CD and virtual machines. Attendees to this class will receive a customized version of OWASP WTE. It will be provided as a virtual machine which includes the tools, documentation and the applications tested during class. It is a self-contained environment to learn web application testing the students can take from class to further hone their testing skills.

Students are encouraged to bring a laptop to class. The virtualization software for OWASP WTE runs on Windows, OS X and Linux. Students with a laptop can follow along with the in class demonstrations to get hands on testing experience

 Instructors: Matt Tesauro and Charles Henderson: [[Image:TrustwaveLogo.jpg]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

 

==== September 9th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 1 - September 9th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 07:30-08:30
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Registration and Breakfast + Coffee
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:30-08:45
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Welcome to OWASP AppSec US, 2010 (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:45-9:30
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Jeff Williams (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 9:30-10:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Chenxi Wang (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:15-10:35
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF kick-off (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:35-11:20
| style="width: 30%; background: rgb(188,133,122)" align="left" | How I met your Girlfriend, ''Samy Kamkar'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Solving Real-World Problems with an Enterprise Security API (ESAPI), ''Chris Schmidt, ServiceMagic'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | TBD
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:20-11:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:30-12:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | State of SSL on the Internet - 2010 Survey, Results and Conclusions, ''Ivan Ristic, Qualys'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Into the Rabbit Hole: Execution Flow-based Web Application Testing, ''Rafal Los, Hewlett-Packard'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | Threat Modeling Best Practices, ''Robert Zigweid, IOActive'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:15-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:30-14:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Bill Cheswick (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:15-14:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:25-15:10
| style="width: 30%; background: rgb(188,133,122)" align="left" | P0w3d for Botnet CnC, ''Gunter Ollmann, Damballa'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Cloud Computing, A Weapon of Mass Destruction?, ''David Bryan, Trustwave's SpiderLabs'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | The Secure Coding Practices Quick Reference Guide, ''Keith Turpin, Boeing''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:30-16:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, ''Dan Cornell, Denim Group'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Assessing, Testing and Validating Flash Content, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | OWASP State of the Union, ''Tom Brennan, OWASP''
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:15-16:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:25-17:10
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen, TBD...Moderator: Stuart Schwartz
|}

==== September 10th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 2 - September 10th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:00-09:00
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:00-09:15
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Announcements (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:15-10:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: David Rice (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:00-10:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:10-10:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Security Architecting Applications for the Cloud, ''Alex Stamos, iSEC Partners'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Unraveling Cross-Technology, Cross-Domain Trust Relations, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Real Time Application Defenses - The Reality of AppSensor & ESAPI, ''Michael Coates, Mozilla,''
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:55-11:15
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:15-12:00
| style="width: 30%; background: rgb(188,133,122)" align="left" | Reducing Web application Vulnerabilities: Moving from a Test-Dependent to Design-Driven development, ''Joe Basirico, Security Innovation'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Session Management Security tips and Tricks, ''Lars Ewe, Cenzic'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | The Dark Side of Twitter: Measuring and Analyzing Malicious Activity on Twitter, ''Paul Judge, David Maynor, and Daniel Peck, Barracuda Labs'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:00-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:15-14:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: HD Moore (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:05-14:50
| style="width: 30%; background: rgb(188,133,122)" align="left" | ''Symantec – Edward Bonver'' ''Principal Software Engineer (moderator) Symantec – Kelly FitzGerald Senior Vulnerability Analyst Microsoft – Katie Moussouris Senior Security Strategist Cigital – John Stephen Senior Director HP, TippingPoint -Daniel Holden Director, DVLabs''

| style="width: 30%; background: rgb(188,165,122)" align="left" | Agile + Security = FAIL, ''Adrian Lane'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities, ''Aditya K. Sood, Armorize Technologies''
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:50-15:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Escalating Privileges through Database Trusts, ''Scott Sutherland and Antti Rantasaari, NetSPI'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Defining the Identiy Management Framework, ''Richard Tychansky, Jim Molini, Hord Tipton, and Mike Kilroy'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Breaking Web Browsers, ''Jeremiah Grossman, WhiteHat Security''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:55-16:05
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:05-16:50
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Conference Wrap Up: AppSec US 2011 Location Announcement, CTF Results, Prizes
|}

 

==== Sponsors ====

We are currently soliciting sponsors for the AppSec US 2010 Conference. Please refer to our [http://www.appsecusa.org/become-a-sponsor.html List of Sponsorship Opportunities] (or [http://www.owasp.org/images/b/b3/OWASP_sponsorship_Irvine.pdf PDF]).

Please contact [mailto:kate.hartmann@owasp.org Kate Hartmann] for more information.

Slots are going fast so contact us to sponsor today!

 

 

== Gold Sponsors ==

[[Image:Ibmneg blurgb.jpg]] [[Image:Fortify logo AppSec Research 2010.png]]    [[Image:TrustwaveLogo.jpg]] 

== Silver Sponsors ==

[[Image:Fishnet Logo AppSec.jpg]]           [[Image:Acunetix logo 200.png]]               [[Image:Barracuda Color Logo.jpg]]       [[Image:Cenziclogo.png]]                 [[Image:Cigital-hor-color.JPG|120x65px]]                     [[Image:Fujitsu-red-opt-b-150x56.gif|150x56px]]      [[Image:Netspi logo.png]]             [[Image:Whitehat security logo.gif]]          [[Image:Imperva Logo.gif]] [[Image:Aspect logo owasp.jpg]]                   [[Image:AppSecDC2009-Sponsor-aod.gif]]        [[Image:Mavituna.jpg]] [[Image:Sponsors-radware.jpg]]

== Organizational Sponsors ==

[[Image:Eccouncil.jpg]]      [[Image:ISSA-LA icon.jpg]]

=== Reception Sponsors ===

=== Coffee Sponsors ===

==== REGISTER NOW ====

Click [http://www.appsecusa.org/register-now.html here]  for registration information. 

[http://www.appsecusa.org/register-now.html http://www.appsecusa.org/register-now.html]

<headertabs />

[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_USA]]

AppSec US 2010, CA

2010-08-23T19:26:08Z

Kelly FitzGerald: removed an extra CR from doc.

__NOTOC__

 [[Image:Appsec banner.png|468x60px|AppSec USA 2010 Banner]]

= Welcome to AppSec USA 2010 =

{| class="FCK__ShowTableBorders" border="0" width="100%" align="center"
|-
| style="background: rgb(238,235,226); color: black" colspan="4" align="left" |
For complete information, please visit [http://www.appsecusa.org AppSec US 2010 Website] Training and Presentation Schedules Available Now!

Training Days Sept 7-8: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=Training_September_7th_.26_8th Schedule of Classes]

Presentation Schedule Sept 9th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_9th Schedule of Talks] Sept 10th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_10th Schedule of Talks]

|}

{| style="width: 100%" class="FCK__ShowTableBorders"
|-
| style="width: 100%; color: rgb(0,0,0)" |
{| style="width: 100%; background: none transparent scroll repeat 0% 0%; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders"
|-
| style="width: 95%; color: rgb(0,0,0)" |
'''Latest Updates:'''

Dr. Chenxi Wang of Forrester Research added as keynote speaker for September 9.

@chenxiwang tweets at http://twitter.com/chenxiwang.''' '''

|}



| style="border-bottom: rgb(204,204,204) 0px solid; border-left: rgb(204,204,204) 0px solid; width: 100%; color: rgb(0,0,0); font-size: 95%; border-top: rgb(204,204,204) 0px solid; border-right: rgb(204,204,204) 0px solid" | 
| style="width: 110px; color: rgb(0,0,0); font-size: 95%" |
|}



==== Training September 7th & 8th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T1. Web Security Testing - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This course is a deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing, arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to common web application vulnerabilities, testing techniques and tools by a professional security tester.
The course includes a guided penetration test in which the students will execute security test with the help of the instructor.

|-
| style="background: rgb(242,242,242)" | Instructor: Joe Basirico, Security Innovation
|-
| style="background: rgb(242,242,242)" | [[Learn More About the Web Security Testing Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T2. Building Secure Ajax and Web 2.0 Applications - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This two-day class will cover common Web 2.0 and AJAX security threats, vulnerabilities, and it will provide specific guidance on how to develop Web 2.0 applications to defend against these threats and vulnerabilities.
Training developers on secure coding practices offers one of highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building Secure Ajax and Web 2.0 Applications Course enables developers to securely utilize Web 2.0 technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how Ajax attacks work, the impacts of successful attacks, and what to do to defend against them.

|-
| style="background: rgb(242,242,242)" | Instructor: Dave Wichers: [[Image:Aspect logo.gif]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Building Secure Ajax and Web 2.0 Applications Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T3. Assessing and Exploiting Web Applications with Samurai - WTF - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" |
This course will focus on using open source tools to perform web application assessments.  The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-‐WTF). 

Day one will take students through the steps and open source tools used to assess application for vulnerabilities. 

Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks.  The latest tools and techniques will be used throughout the course, including several tools developed by the trainers themselves

|-
| style="background: rgb(242,242,242)" |
Instructor: Jason Searle: InGuardians [[Image:InGuardians.png|36x39px]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T4. Application Security Leadership Essentials - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.
|-
| style="background: rgb(242,242,242)" | Instructor: Jeff Williams: [[Image:Aspect logo.gif]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Application Security Leadership Essentials Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T5. Software Security Remediation: How to Fix Application Vulnerabilities 1-Day - Sept 7th- $675
|-
| style="background: rgb(242,242,242)" | This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.
Instructor: Dan Cornell: [[Image:AppSecDC2009-Sponsor-denim.gif]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T6. Live CD 1-Day - Sept 8th- $675
|-
| style="background: rgb(242,242,242)" | This class will will cover the full range of tools and documentation that OWASP provides under free and open licenses. When the class is complete, students will be familiar with a wide range of tools and techniques to test web applications.
The class will include a DVD of OWASP tools and documentation for testing web applications. Additionally, the DVD will include the OWASP Web Testing Environment. OWASP WTE is a collection of tools and documentation for testing web applications available both as a bootable Live CD and virtual machines. Attendees to this class will receive a customized version of OWASP WTE. It will be provided as a virtual machine which includes the tools, documentation and the applications tested during class. It is a self-contained environment to learn web application testing the students can take from class to further hone their testing skills.

Students are encouraged to bring a laptop to class. The virtualization software for OWASP WTE runs on Windows, OS X and Linux. Students with a laptop can follow along with the in class demonstrations to get hands on testing experience

 Instructors: Matt Tesauro and Charles Henderson: [[Image:TrustwaveLogo.jpg]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

 

==== September 9th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 1 - September 9th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 07:30-08:30
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Registration and Breakfast + Coffee
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:30-08:45
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Welcome to OWASP AppSec US, 2010 (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:45-9:30
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Jeff Williams (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 9:30-10:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Chenxi Wang (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:15-10:35
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF kick-off (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:35-11:20
| style="width: 30%; background: rgb(188,133,122)" align="left" | How I met your Girlfriend, ''Samy Kamkar'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Solving Real-World Problems with an Enterprise Security API (ESAPI), ''Chris Schmidt, ServiceMagic'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | TBD
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:20-11:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:30-12:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | State of SSL on the Internet - 2010 Survey, Results and Conclusions, ''Ivan Ristic, Qualys'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Into the Rabbit Hole: Execution Flow-based Web Application Testing, ''Rafal Los, Hewlett-Packard'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | Threat Modeling Best Practices, ''Robert Zigweid, IOActive'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:15-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:30-14:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Bill Cheswick (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:15-14:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:25-15:10
| style="width: 30%; background: rgb(188,133,122)" align="left" | P0w3d for Botnet CnC, ''Gunter Ollmann, Damballa'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Cloud Computing, A Weapon of Mass Destruction?, ''David Bryan, Trustwave's SpiderLabs'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | The Secure Coding Practices Quick Reference Guide, ''Keith Turpin, Boeing''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:30-16:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, ''Dan Cornell, Denim Group'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Assessing, Testing and Validating Flash Content, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | OWASP State of the Union, ''Tom Brennan, OWASP''
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:15-16:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:25-17:10
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen, TBD...Moderator: Stuart Schwartz
|}

==== September 10th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 2 - September 10th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:00-09:00
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:00-09:15
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Announcements (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:15-10:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: David Rice (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:00-10:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:10-10:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Security Architecting Applications for the Cloud, ''Alex Stamos, iSEC Partners'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Unraveling Cross-Technology, Cross-Domain Trust Relations, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Real Time Application Defenses - The Reality of AppSensor & ESAPI, ''Michael Coates, Mozilla,''
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:55-11:15
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:15-12:00
| style="width: 30%; background: rgb(188,133,122)" align="left" | Reducing Web application Vulnerabilities: Moving from a Test-Dependent to Design-Driven development, ''Joe Basirico, Security Innovation'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Session Management Security tips and Tricks, ''Lars Ewe, Cenzic'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | The Dark Side of Twitter: Measuring and Analyzing Malicious Activity on Twitter, ''Paul Judge, David Maynor, and Daniel Peck, Barracuda Labs'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:00-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:15-14:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: HD Moore (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:05-14:50
| style="width: 30%; background: rgb(188,133,122)" align="left" | Panel Discussion: Vulnerability Lifecycle for Software Vendors, ''Kelly FitzGerald (Symantec), (US CERT), (Cigital), (Tipping Point) Moderator: Edward Bonver'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Agile + Security = FAIL, ''Adrian Lane'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities, ''Aditya K. Sood, Armorize Technologies''
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:50-15:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Escalating Privileges through Database Trusts, ''Scott Sutherland and Antti Rantasaari, NetSPI'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Defining the Identiy Management Framework, ''Richard Tychansky, Jim Molini, Hord Tipton, and Mike Kilroy'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Breaking Web Browsers, ''Jeremiah Grossman, WhiteHat Security''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:55-16:05
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:05-16:50
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Conference Wrap Up: AppSec US 2011 Location Announcement, CTF Results, Prizes
|}

 

==== Sponsors ====

We are currently soliciting sponsors for the AppSec US 2010 Conference. Please refer to our [http://www.appsecusa.org/become-a-sponsor.html List of Sponsorship Opportunities] (or [http://www.owasp.org/images/b/b3/OWASP_sponsorship_Irvine.pdf PDF]).

Please contact [mailto:kate.hartmann@owasp.org Kate Hartmann] for more information.

Slots are going fast so contact us to sponsor today!

 

 

== Gold Sponsors ==

[[Image:Ibmneg blurgb.jpg]] [[Image:Fortify logo AppSec Research 2010.png]]    [[Image:TrustwaveLogo.jpg]] 

== Silver Sponsors ==

[[Image:Fishnet Logo AppSec.jpg]]           [[Image:Acunetix logo 200.png]]               [[Image:Barracuda Color Logo.jpg]]       [[Image:Cenziclogo.png]]                 [[Image:Cigital-hor-color.JPG|120x65px]]                     [[Image:Fujitsu-red-opt-b-150x56.gif|150x56px]]      [[Image:Netspi logo.png]]             [[Image:Whitehat security logo.gif]]          [[Image:Imperva Logo.gif]] [[Image:Aspect logo owasp.jpg]]                   [[Image:AppSecDC2009-Sponsor-aod.gif]]        [[Image:Mavituna.jpg]] [[Image:Sponsors-radware.jpg]]

== Organizational Sponsors ==

[[Image:Eccouncil.jpg]]      [[Image:ISSA-LA icon.jpg]]

=== Reception Sponsors ===

=== Coffee Sponsors ===

==== REGISTER NOW ====

Click [http://www.appsecusa.org/register-now.html here]  for registration information. 

[http://www.appsecusa.org/register-now.html http://www.appsecusa.org/register-now.html]

<headertabs />

[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_USA]]

Los Angeles

2010-08-10T19:14:29Z

Kelly FitzGerald: adding the august 2010 project

== Local News ==

Please follow [http://twitter.com/appsec2010 @appsec2010]for the latest updates on AppSec USA 2010 conference.

http://www.AppSecUSA.org

== Next Chapter Meeting: Wednesday, August 18th, 2010 from 7:30 PM - 9:30 PM (PT) ==

=== DETER Project: Scientific, Safe and Simple CyberSecurity Research ===
<pre>Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230</pre>
Please RSVP via Eventbrite ([http://owaspla.eventbrite.com/ http://owaspla.eventbrite.com/])

 '''Description:''' As the Internet has become pervasive and our critical infrastructures inextricably tied to information systems, the risk for economic, social, and physical disruption due to the insecurities of information systems has increased immeasurably.  Over the past 10 years there has been increased investment in research on cyber security technologies by U.S. government agencies and industry.  However, a large-scale deployment of effective security technology is lacking. One important reason for this deficiency is the lack of an experimental infrastructure and rigorous scientific methodologies for development and testing next-generation cyber security technologies. 

To address these shortcomings, the DETER project is creating the necessary infrastructure - testbeds, tools, and supporting processes - for national-scale experimentation on emerging security research and advanced development technologies for cyber defense.  The DETER testbed, funded by the US Department of Homeland Security and the National Science Foundation has been operational since 2004. Today it hosts 400+ nodes at USC/ISI and UC Berkeley, and serves more than 1,200 users and 150 projects from all over the world. It is used for academic research and teaching, and for testing commercial products. It is accompanied by a set of experimentation tools and products that make experiment setup, monitoring and control easy even at large scales. The DETER project has further made advances in supporting very large scale experiments via testbed federations, and in supporting safe experimentation with risky code.

 The next generation of the DETER project plans major improvements in experimental processes to guarantee experimental validity, repeteabiiity and portability. It further plans improvements in operations to support an order of magnitude larger experiments than today. Finally, it plans to build effective community tools for exchange of code, data and ideas between its users which fosters closer collaborations. This talk will describe the current state of the DETER testbed, and our new efforts aimed at advancing the science of cyber security experimentation..

'''Speaker: '''
'''Dr. Jelena Mirkovic''' is a Computer Scientist at the USC Information Sciences Institute, which she joined in 2007. Prior to this she was an Assistant Professor at the Computer and Information Sciences Department, University of Delaware, 2003-2007. She received her M.S. and Ph.D. from UCLA, and her B.S. in Computer Science and Engineering from the School of Electrical Engineering, University of Belgrade, Serbia. Her current research is focused on scientific cyber security experimentation, safe sharing of network data, denial-of-service attacks and IP spoofing. Her research is funded by the National Science Foundation, the Department of Homeland Security and the Infosys Corporation.

= Would you like to speak at an OWASP Los Angeles Meeting? =

Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template].

= Archives of Previous Meetings =

A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here].

= Los Angeles Chapter =

*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member
[[Category:California]]

Los Angeles Previous Presentations 2009, 2010

2010-08-10T19:03:44Z

Kelly FitzGerald: Adding Samy to the list of archives

=  Previous Presentations =

== '''Wednesday, July 21, 2010 7:30PM''' ==

*''' How I Met Your Girlfriend: Entirely New Classes of Web Attacks'''
<pre>'''Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230</pre>
'''Description: '''This includes using HTML5 client-side XSS (without XSS hitting the server!), and my newly discovered attacks on PHP session hijacking and random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via Javascript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a web browser (not using IP geolocation), and more.

 

'''Speaker: '''Samy Kamkar is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. A co-founder of Fonality, Inc., an IP PBX company, Samy previously led the development of all top-level domain name server software and systems for Global Domains International (.ws), and worked for Penn State University developing AI-based psychometric personality assessment software.

 In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in network security, reverse engineering, and network gaming. When not strapped behind the Matrix, Samy can be found stunt driving, getting involved in local community service projects, and continuing his focus on staying out of jail.

 

 Dinner Sponser: Citrix Systems [[Image:Citrix Picture.jpg|80x80px|http://lacitrix.com]] 

== '''  Wednesday, June 09, 2010 7:30PM''' ==

*Security Assertion Markup Language (SAML), Shibboleth Single SignOn System, and Shibboleth's role at University of Southern California
<pre>Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230
</pre>
Speaker: Brendan Bellina Title: Identity Services Architect and Manager of Enterprise Middleware Identity Management at USC

 

NOTE: We are having this month meeting on the second Wednesday, instead of the regular third Wednesday, to avoid conflict with ISSA Summit scheduled on June 16. You can still register for the summit at the ISSA LA website (http://www.issa-la.org/Default.aspx?id=1088). 

== '''Wednesday, April 21st, 2010 7:30PM''' ==

*The intersection of social and technical attacks in Web 2.0 applications by Mike Bailey and Mike Murray

Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230

 Topic: The intersection of social and technical attacks in Web 2.0 applications

Speakers: Mike Bailey and Mike Murray

Mike Bailey is a senior security researcher at MAD Security and an application security specialist. While his research spans a wide variety of domains, it generally focuses on secure web application development, web application scanning and penetration testing, online privacy issues, network protocols and services, and how to break them.

Mike has spoken throughout the country at different security conferences and shows, including Blackhat DC, Toorcon, Defcon and others. Aside from coming up with new and interesting ways to break web and client-side applications, he also puts those attacks into practice as a penetration tester. Currently, Mike is studying the intersection of social and technical attacks in Web 2.0 applications. He publishes his research on the MAD Security blog as well as at Skeptikal.org.

Mike Murray has spent his entire career in information security and currently leads the delivery arm of MAD Security (MADSecInc.com). Mike is a co-founder of InfoSecLeaders.com where he writes and talks about the skills and strategies for building a long-term career in information security. Mike's on security careers have been seen at major conferences like RSA and Defcon.

== '''Wednesday, March 17th, 2010 7:30PM''' ==

*Mike Schrenk, author of "Webbots, Spiders, and Screen Scrapers"

Meeting Location
Symantec Corporation
900 Corporate Pointe
Culver City, CA 90230

 

BOOK PREVIEW: Webbots, Spiders, and Screen Scrapers SECOND EDITION

Michael Schrenk will provide a preview of the largely expanded second edition of his book "Webbots, Spiders, and Screen Scrapers". This second edition describes how technologies like JavaScript, AJAX and Flash challenge webbot developers and how those challenges are met. He will also talk about defeating CAPTCHAs, scalability and other related topics.

Michael Schrenk is a software developer, author and instructor, who specializes in automated web browsing agents known as webbots. Michael uses the Internet in new and innovative (odd?) ways to provide competitive advantages for his clients in The US, Europe and Asia.

He also helps journalists more effectively use computers to conduct online research through automation and by describing where and how to find otherwise hidden online information. No stranger to Europe--he's lived and worked for clients in Moscow and Madrid, Mike taught at the 2008 European Investigative Journalism Conference (Brussels Belgium), twice in 2009 he lectured at The Center for Investigative Journalism (London England) and later in 2009, he lead several sessions at the VVOJ Journalism conference (Utrecht The Netherlands).

Last August, Mike made his fourth speaking appearance at the DEFCON computer hacking conference. Mike lives in sunny Las Vegas, Nevada (USA). You can contact him at http://www.schrenk.com or follow him on Twitter [http://twitter.com/mgschrenk @mgschrenk].

== '''  Wednesday, February 24th, 2010 7:00PM''' ==

*Cloud Computing Security: Raining on the Trendy New Parade

 Slides can be found [https://docs.google.com/fileview?id=0By_clZjtpXPwMWM0YWIyZDgtZmRkZC00YTZlLWE1MDEtNmU0N2Y3MzQwMTJh&hl=en here on Google Docs].

Meeting Location
AT&T Interactive
611 N. Brand Blvd., 5th Floor
Glendale, CA

Cloud computing is an unstoppable meme at the CIO level, and will dominate corporate IT planning for the next several years. Although they do offer the promise of cost savings for many organizations, the basic ideas behind abstracting out the corporate datacenter greatly complicates the tasks of securing and auditing these systems. While there has been excellent research into low-level hypervisor and virtualization bugs, there has been little public discussion of the “big picture” problems for cloud computing. These include virtualized network devices, browser same-origin issues, credential management and many interesting legal challenges.

Our goal with this talk will be to explore the different attack scenarios that exist in the cloud computing world and to provide a comparison between the security models of the leading cloud computing platforms. We will discuss how current attacks against applications and infrastructure are changed with cloud computing, as well as introduce the audience to new types of vulnerabilities that are unique to cloud computing. Attendees will learn how to analyze the threat posed to them by cloud computing platforms as either providers or consumers of software built on these new platforms. Our platforms for discussion include Salesforce.com, Google Apps, Microsoft Office Live, Google AppEngine, Microsoft Azure, Amazon EC2, and Sun.

 Alex Stamos is a founding partner of iSEC Partners, a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security.

He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as Black Hat, CanSecWest, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec.

He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley.

==   '''Wednesday, January 20th, 2010 7:30PM''' ==

*Do VLANs allow for good application security?

Meeting Location
[http://maps.google.com/maps?q=900+Corporate+Pointe,+90230&ie=UTF8&oe=UTF-8&ll=33.988385,-118.387041&spn=0.010284,0.014055&t=h&z=16&iwloc=addr Symantec Corporation]
900 Corporate Pointe
Culver City, CA 90230
Laguna Conference Room

 Virtual Local Area Networks (VLANs) are not a new concept, and can help any organization better control network access. I will present some of the previous issues identified, what was the root cause, and how these have been fixed in current technology. In addition we will talk about how this can help to enhance security in your environment, and what controls must be in place in order to implement such an environment. We will also touch on how this can complicate your application environment, but improve overall security.

I will touch on the controls that need to be reviewed and audited when working with VMware, VLANs, and web applications, to ensure that these networks are secure, and what to look for to potentially pass audit criteria. I will also talk about where and how these controls have been implemented in order to protect thousands of users while accessing one of the most hostile networks in the world. 

David M. N. Bryan, Senior Security Consultant

David has over 9+ years of computer security experience including, consulting, engineering and administration. He has performed security assessment projects for health care, nuclear, manufacturing, pharmaceutical, banking and educational sectors. As an active participant in the information security community, he volunteers at DEFCON where he designs and implements the Firewall and Network for what is said to be the most hostile network environment in the world.

He is also an active participant in the local Minneapolis security groups both as a board member of OWASP MSP and DC612. His roots and experience come from working for a large enterprise banks, designing and managing enterprise security systems. In the more recent years he has been working as an Information Security Consultant to review the security and architecture of information computing environments.

== '''  Wednesday, December 16th, 2009 7:30PM''' ==

*[http://www.owasp.org/images/b/bc/Sutton_-_Pulling_The_Plug-Security_Risks_in_Next_Generation_Offline_Web_Apps_-_OWASP_LA_OC.pdf Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications]

 As the line between desktop and web applications becomes increasingly blurry in a web 2.0 world, browser functionality is being pushed well beyond what it was originally intended for. Persistent client side storage has become a requirement for web applications if they are to be available both online and off. This need is being filled by a variety of technologies such as Gears (formerly Google Gears) and the Database Storage <http://webkit.org/blog/126/webkit-does-html5-client-side-database-storage/> functionality included in the emerging HTML 5 <http://dev.w3.org/html5/spec/Overview.html> specification. While all such technologies offer great promise, it is clear that the vast majority of developers simply do not understand their security implications.

Researching a variety of currently deployed implementations of these technologies has revealed a broad scope of vulnerabilities with frightening implications. Now attackers can target victims not just once, but every time they visit a site as the victim now carries and stores the attack with them. Imagine a scenario whereby updated confidential information is forwarded to an attacker every time a victim interacts with a given web application. The attacker no longer needs to worry about timing their attacks to ensure that the victim is authenticated as the victim attacks himself! Limited storage? Cookies that expire? Not a problem when entire databases are accessible with virtually unlimited storage and an infinite lifespan. Think these attacks are theoretical? Think again. In this talk we dive into these technologies and break down the risk posed by them when not properly understood. We will then detail a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting and client-side SQL injection. 

Michael Sutton,Vice President and security research at Zscaler, has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers and educating others on a variety of security topics. As VP of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry.

Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.

 

== '''  Wednesday, November 18th, 2009 7:30PM''' ==

*[http://www.owasp.org/images/b/bc/Watching_software_run_11.18.09.pptx Watching Software Run with Brian Chess, Fortify Founder and Chief Scientist]

 Now more than ever before, computer systems are vulnerable because software is vulnerable. No matter how good programmers get at making secure software, it will never be perfect—we will always have to contend with incomplete or inadequate code. Most efforts at living with bad code have focused on shoring it up from the outside: limiting network access (firewalls) or watching for suspicious behavior (intrusion detection). This talk takes a different perspective: we’ll look at methods for identifying and blunting the effects of software shortcomings from the inside by watching the software run.

Modern languages like Java and C# are good for more than just programmers. They also provide a wealth of structured information when they execute. We can apply many same techniques developed for outside-in security, but at a finer granularity and with much more context. Along the way there is a lot to talk about: Where web application firewalls excel and where they fall down. Fuzzing vs. static analysis. The disappointments of both aspect oriented programming and building security in. Why nobody uses the Java Security model. Taking your security with you into the cloud. The reason SQL injection won’t go away. Revenge of the reference monitor. Why was Twitter’s security so bad? 

Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service. 

== Wednesday, October 21st, 2009 7:30PM ==

*[http://www.owasp.org/images/c/ca/ISO27001_OWASPLA_Shankar_10212009.pdf Enabling Compliance Requirements using Information Security Management System (ISMS) Framework (ISO27001)]

 Growing threats and complex regulatory requirements emphasize the need for an effective Information Security Management System (ISMS) framework for an organization. Comprehensive and globally accepted standards like ISO27001 can help in protecting information assets and in enabling compliance requirements. ISO27001 provides an Information Security framework based on best practices and controls to ensure the confidentiality, integrity and availability of information assets. This presentation analyzes the possible synergies between the goals of Information Security Management System (ISMS) and the various compliance requirements, thus making the compliance efforts less complex. Following are the key objectives of this presentation :

*Provide an introduction to ISO27001 and its controls
*Discuss the implementation approach for an Information Security Management System (ISMS) framework
*Familiarize the audience with some common challenges in implementation
*Outline synergy between ISO27001 controls and some compliance requirements( PCI , etc)

 Attendees will learn about ISO27001 Information Security Standard, ISMS implementation approach and how ISO27001 can be used in meeting various regulatory/compliance requirements like Sox, PCI etc. It will also help the attendees to improve the information security posture of the organization and provide an effective and efficient approach for handling various information security/compliance audits with less effort. 

Shankar Subramaniyan has over 11 years of experience as a technology consulting and project management executive in the areas of IT Governance, Risk and Compliance (GRC), Business Continuity Planning and Network Design & Architecture. He has thorough expertise on setting up Information Security Framework and Policies on the basis of industry standards such as ISO 27001. He has worked extensively on industry standards and best practices like BS7799 and ITIL. He also has good understanding and knowledge of various compliance requirements like PCI, Sox etc. Shankar' s experience includes IT audit, SOX remediation, ISMS (ISO27001) implementation, PCI compliance assessment, disaster recovery solution, enterprise risk management, designing IT security architecture and implementing ITIL processes. Shankar has rich experience in handling large projects and managing client relationships across corporate and educational sectors. 

== Wednesday, September 16th, 2009 7:30PM ==

*The Rise of Threat Analysis and the Fall of Compliance, Policies, and Standards in mitigating Web Application Security Risks

 On August 5th of 2009, Federal prosecutors on Monday charged Albert Gonzales with the largest case of credit and debit card data theft ever in the United States: 130 million credit cards numbers by hacking into the systems of Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers. Using a SQL-injection attack, the hackers installed malware on Hannaford Brothers. Hannaford was PCI compliant at the time they were compromise that lets question the validity of regulatory compliance frameworks, and specifically PCI standards as an effective method to reduce data breaches, identity theft, and the proliferation of credit card fraud. This presentation will further analyze how status quo security standards, such as PCI-DSS, as well as other policies, standards, and guidelines truly affect security risk mitigation efforts against cybercrime based threats. These traditional efforts will be compared to threat modeling workflows in order to demonstrate how real risk is mitigated under each scenario. Cases for financial fraud will be anonymously presented to create a business case for application threat modeling as a viable methodology to drive improved application design and security risk mitigation. Threat modeling concepts will be elaborated in order to prove how application architecture walkthroughs via threat modeling improve the mitigation of cybercrime threats. Attacker motives and goals will be presented and incorporated into attack trees and it will show how attack libraries can be used to effectively identify application vulnerabilities and devise countermeasures in web application. From the risk analysis perspective, several attacks will be considered and highlighted, particularly attacks that represent a systemic impact to an organization or government (such as for example a distributed denial of service). Through the presentation of threat modeling scenarios, analyses and correlations will be drawn from the represented model(s) to attack patterns, associated and discovered security vulnerabilities, data sources, application topologies, and possible roles and permissions associated with the application environment. The purpose of the presentation is to demonstrate how application threat modeling can be used as part of a nouveau age form of security risk mitigation and overall application security. Data flow diagrams and application walkthroughs will enable audience members to witness how application threat modeling is an evolved form of security process engineering for improved application design and overall application security. The presentation will also demonstrate how threat modeling is capable of delivering critical business functions as well as in mitigating current and future cyber attacks, such as distributed denial of service, botnet driven-malware, spear phishing techniques, and more attacks that ultimately lead to identity and credit card fraud. From the point of view of current and future cybercrime risk mitigation, several different strategies for application threat modeling will be discussed as related to securing both the web application web and critical financial infrastructures, such as ATMs. Finally some emphasis will be given to countermeasures that provide for incident response, intelligence and forensics capabilities. Presentation outline, defining all topics that will be covered:

*Status quo of regulatory compliance in mitigating risk
*Threat modeling techniques for cybercrime threats
*Attack tree analysis for attack tree vectors
*Threat modeling for multi-channel fraud threat scenarios
*Cyber crime threats and application countermeasures via threat modeling
*Example of mitigation strategies for cybercrime and application of defense in depth for web applications

 Any supporting research/tools:

*Threat models and attack trees
*Threat model are produced using the Microsoft™ threat modeling tool
*Public available cybercrime data will be presented and correlated

 

Marco Morana serves as one of the leaders of OWASP (Open Web Application Security Project) organization where he is actively involved in evangelize on web application security through presentations at local chapter meetings in USA as well as internationally. Marco has recently been awarded a contract from Wiley Publishing to co-author a book on Application Threat Modeling. Besides being the OWASP Cincinnati chapter lead, Marco is also active contributor to OWASP projects such as the application threat modeling methodology for secure coding guideline and the security testing guide (ver. 2 and 3). Besides contributing to OWASP, Marco works as Technology Information Security Officer for a large financial organization in North America with responsibilities in the definition of the organization web application security standards, management of application security assessments during the SDLC, threat-fraud analysis and training of software developers, project managers and architects on different topics related to application security. In the past, Marco served as senior security consultant and independent consultant where his responsibilities included providing software security services for several clients in the financial and banking, telecommunications and commercial sector industry. Besides security consulting, Marco had a career as technologist in the security industry where he contributed to the design business critical security products currently being used by several FORTUNE 500 companies as well by the US Government. Marco work on software security is referred in the 2007 State Of the Art report by the Information Assurance Technology Analysis Center (IATAC). Marco received the NASA’s Space Act Award in 1999 for the patenting the S/MIME SEP (Secure Email Plug-in) application. Marco research work on application and software security is widely published on several magazines such as In-secure magazine, Secure Enterprise, ISSA Journal and the C/C++ Users journal. Marco’s ideas and strategies for writing secure software are posted on his blog: http://securesoftware.blogspot.com. 

 Tony UcedaVelez has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a terminology that describes the design and development of secure processes and controls working symbiotically to a unique business workflow. Tony currenlty serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S on the topic of application security and security process engineering. His diverse background in software development, security architecture, and network security, coupled with his expertise in process engineering and security risk management has allowed Tony to be a recognized leader in developing strategic security solutions that are multi-faceted in their approach to addressing enterprise risk. In the realm of application security, Tony is a threat modeling evangelist and has provided numerous talks domestically and globally on its many benefits and application. He has served as a guest mentor to teams participating in Kennesaw State University’s annual Cybercrime capture the flag event as well as a Cybercrime speaker for Southern Polytechnic University in Atlanta. He has also served as a guest speaker on the subject of application threat modeling during ISACA’s annual Geek Week event and has also served as a keynote speaker on the subject for ISACA’s Global Symposium web cast series. Additional articles include articles related to CoBIT and the ValIT model (ISACA’s Journal), application threat modeling within the SDLC (InSecureMagazine), and security process engineering for a ROSI (return on security investment) (Journal of Finance). He is currently finalizing a Wiley publishing book on Application Threat Modeling with Marco Morana. Prior to VerSprite, Tony served as Sr. Director of Security Risk Management to a Fortune 50 organization where he led security assessments against global application environments. His work encompassed web application security testing, security architecture reviews, and analysis for business logic exploits. He applied effective ways to introduce the subject of application risk to information owners by effectively mapping them to causal factors for business. Previous to this role, he spent more than 5 years in the field of application security across other Fortune 500 organizations within the banking, telecom, and information service industry segments. Tony currently leads the OWASP Atlanta Chapter, where he manages monthly workshops and events for the Atlanta web application security community. He also has developed a case study program for the Atlanta chapter in order to develop case studies with local Atlanta companies who are seeking to apply application threat modeling techniques within the SDLC and/ or incorporate the many OWASP produced tools and frameworks. Tony can be reached at tonyuv@versprite.com or tonyuv@owasp.org. 

== Tuesday, August 25th, 2009 3:00PM ==

*OWASP Live CD Demo and Q&A with Matt Tessauro

 Matt Tesauro will be in visiting our LA chapter and providing a quick demo of [http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project OWASP Live CD] Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the OWASP Live CD. 

== Thursday, August 20th, 2009 7:30PM ==

*The Software Assurance Maturity Model (SAMM)

 [http://www.opensamm.org/ The Software Assurance Maturity Model (SAMM)] is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. SAMM is an open and free project and has recently been added under the Open Web Application Security Project (OWASP) Foundation. 

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL. 

== Tuesday, July 21st, 2009 7:30PM ==

*Lock picks, BumpKeys, and Hackers oh my! How secure is your application?

 This talk will focus on physical security controls, weaknesses, and counter measures. I will present on what lock picking is, how bump keys work, and ways to subverting electronic locks. We will also go into what are good controls, and what is often overlooked when designing secure environments. Many of the topics covered apply to application security, as the methods for securing these devices is by using obscurity. In the application world with automated tools and scripts, this does not hold water for very long. 

David M. N. Bryan, NetSPI has 10 years of computer security experience, including consulting, engineering, and administration. He has performed security assessment projects in the healthcare, nuclear, manufacturing, pharmaceutical, banking and educational sectors. As an active participant in the information security community, he volunteers at DEFCON, where he designs and implements the firewall and network for what is said to be the most hostile network environment in the world. This network allows speakers, press, vendors, and others to gain access to the Internet, without being hacked. In his spare time he and his wife run the local DEFCON group, DC612 and participate in the Minneapolis OWASP chapter. 

== June 24th, 2009 7:30PM ==

*Information Warfare: Past, Present and Future

 Information warfare is the composite use of psychological operations (PYOPS), military deception (MILDEC), operational security (OPSEC), computer network operations (CNO), and electronic warfare (EW) to control and disrupt information flow. Recently, interest in information war technologies, techniques and policy issues have increased, especially in the domain of CNO. Increased scrutiny over network operations is both legitimate and valid, as global commerce and military powers are integrated and dependent on the Internet for critical operations. This presentation will describe the five domains of information warfare, the past use of information warfare in the Gulf war and recent Cyber attacks on the Eastern European countries of Georgia and Estonia. Information will be presented on possible new directions of information warfare. Mikhael Felker, CISSP-ISSEP has worked in a variety of roles including instructor, engineer, and researcher. He is currently employed by The Aerospace Corporation in the Information Assurance Technology Department, supporting Information Assurance (IA) for satellite systems. He is also an Instructor within the Computer & Information Systems Division at UCLA Extension, teaching a course in networking. Actively involved in the Los Angeles security community, he is the Education Director for Los Angeles Chapter of Information Systems Security Association (ISSA), member and speaker of Information Systems Audit and Control Association (ISACA), and former Defense Sector Coordinator for InfraGard. Mikhael has published articles in IEEE Security & Privacy, the ISSA Journal, Information Systems Control Journal, and SecurityFocus. He is a recipient of the Scholarship for Service Program (SFS) Fellowship, sponsored by the National Science Foundation and Department of Homeland Security (DHS). Mikhael completed his graduate work at Carnegie Mellon University with a Master's in Information Security Policy & Management and Bachelor's at UCLA in Computer Science. He holds over 10 certifications in IT and Security. 

== May 20th, 2009 ==

*[http://video.google.com/videoplay?docid=2875886330538461390 Top Ten Web Hacking Techniques of 2008: "What's possible, not probable"]

 The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road. Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co- founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA, CSI, HiTB, OWASP, ISSA, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks. Grossman is often quoted in the the business and technical press. Prior to WhiteHat, Grossman was an information security officer at Yahoo! 

== April 15th, 2009 ==

*Cross Site Scripting, Exploits and Defenses 

For a long time, the impact of XSS vulnerabilities has been grossly underestimated. Recent compromises, such as the pro-Hillary [http://cyberinsecure.com/hacked-obama-site-redirects-visitors-to-clintons-site/ defacement] of Barack Obama's website, and a [http://www.securescience.net/twoubledtwitter.html Viral XSS in Twitter] demonstrated the impact of XSS vulnerabilities to the masses.

During this presentation, David Campbell will demonstrate exactly how effective XSS vulns can be, and show you what you can do to protect yourself and your sites.

This presentation was originally delivered to OWASP Colorado in May of 2008, and has been updated for this session.

[https://www.owasp.org/index.php/Image:DC_ED_OWASP_XSS_MAY2008_v1.0.pdf Slide deck from May '08 talk] David Campbell is an infosec veteran, with experience ranging from penetration testing for Fortune 100's to architecting security solutions for large multinational financials to consulting for government agencies. DC is presently chapter leader of OWASP Denver and is Principal Consultant at Electric Alchemy. 

== March 12th, 2009 ==

*NETWORK SECURITY DINNER WITH ISSA - CISO'S Security Dashboard Panel!! 

This month will be joining forces with ISSA to create the biggest netowork event for security professionals in Los Angeles for this year. Agenda

*5:30 p.m., Networking and tours of the antivirus facility
*6:30 p.m., Dinner
*7:30 p.m., CISO Panel

 Panelists

*Robert J. Brown, CISSP, CISO WestCorp Credit Union
*Steve Haydostian, CISSP, Former CISO, Healthnet
*David Lam, CISSP, CISO, Stephen S. Wise
*Edward G. Pagett II, CISSP, CISO, Lender Processing Services, Inc.
*Mike O. Villegas, CISA, CISSP, Director of Information Security, Newegg.com

 Dinner Fees:

*ISSA-LA members & OWASP members - Pre-Register and Pay online: $25
*ISSA-LA members & OWASP members - Pay at the door: $30
*Non-members - Pre-Register and Pay online: $30
*Non-members - Pay at the door: $35

 ''Thanks to David Lam and Stan Stahl for agreeing to have OWASP joining this ISSA LA event!''

== February 18th 2009 ==

[https://www.owasp.org/images/5/58/Cloud_Computing_Security.pdf Cloud Computing and Security] The Cloud Computing and Software as a Service models are driving many companies to build innovative, scalable and cost effective alternatives to the traditional IT computing model. Even with the potential cost and scalability benefits of cloud computing, its use by more traditional enterprises has been retarded by the concerns of their professional security and audit staffs. In our experience these concerns are legitimate, and although surveys have shown that security is the #1 factor preventing adoption of cloud computing, there has been very little reliable discussion of the technical security risks inherent in the model and how engineers, sys-admins and architects can deal with these risks. In this session, we will explore the widely differing security models of the leading cloud computing providers, including Amazon, Google and Salesforce. We will also reveal the significant differences in operational and application security practices necessary to deal with a cloud computing environment. Alex Stamos is a co-founder and Partner at iSEC Partners Inc., a strategic digital security organization. Alex is an experienced security engineer specializing in solving difficult problems in application security and is a leading researcher in the field of web application and mobile security. He has been a featured speaker at top industry conferences such as Black Hat, Web 2.0 Expo, CanSecWest, DefCon, SyScan, SD Best Practices, Microsoft BlueHat and OWASP App Sec. Alex is a contributing author to "Hacking Exposed: Web 2.0" and an author of the upcoming book "Mobile Application Security", both from McGraw-Hill. He holds a BSEE from the University of California, Berkeley. 

== January 28th 2009 ==

Building Security into the Test Organization The common approach to detecting web security issues is still the regular application of a post-release pen-test or tool based scan. These last minute examinations rarely live up to broader organizational goals; they can be difficult to repeat, measure, or optimize over time. Most of all they're expensive: they find bugs late in the lifecycle. This talk recommends moving security testing responsibility within the test team itself. The approach discussed will work with-or-without the existence of explicit security requirements. See how security testing has been applied at other organizations and how it might be customized for yours. Ben Walther firmly believes testers have a wonderfully devious mindset, and has been promoting the idea of "security testing" at Cigital's clients, at OWASP events, and to any friends and relatives who will listen. To this end, with the aid of O'Reilly media, Ben Walther and Paco Hope recently published a book entitled the "Web Security Testing Cookbook." 

== December 10th 2008 ==

[http://www.owasp.org/images/7/79/OWASP-WASCAppSec2007SanJose_SamyWorm.ppt The MySpace Worm] The most virulent worm in the history of the series of tubes known as the Internet. One of the most highly accessed websites ever [see comScore]. One of the most ostentatious hackers alive. Over one million victims. Less than 24 hours. Fueled only by Chipotle burritos. The MySpace Worm. Samy will be recapping the story of the development, release and eventual future of the MySpace worm. The 24 hours that led up to over one million friends. The eventual downfall of the MySpace site for several hours. The non-malicious intent and humorous progression of the worm. The t-shirts. The copycats. The behind-the-scenes story of the Secret Service raid at Samy's home and office. The demise of Samy's legal use of computers, community service, restitution, high-risk offender probation, and rehabilitation. And where Samy is today. 

 

Samy Kamkar, software engineer and self-proclaimed playboy, is a meddler in the security and software realms. He is currently the Director of Engineering and co-founder of Fonality, Inc., an IP PBX startup located in Culver City. Previously, Samy led the development of all core top-level domain name server software and systems for Global Domains International (.ws). Prior to that, Samy worked with Penn State University developing psychometric personality assessment software with attention to artificial intelligence and bioinformatics. When not strapped behind the Matrix, Samy can be found performing parkour (free running), practicing urban escape artist maneuvers, or is found getting involved in local community service projects. In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in the areas of network security, reverse engineering, and network gaming, and continues his focus in staying out of jail. 

== November 19th 2008 ==

A new web attack vector: [http://www.eweek.com/c/a/Security/Security-Researcher-to-Reveal-New-Web-Attack-Vector/ Script Fragmentation] 

This presentation will introduce a new web-based attack vector which utilizes client-side scripting to fragment malicious web content. 

This involves distributing web exploits in a asynchronous manner to evade signature detection. Similar to TCP fragmentation attacks, which are still an issue in current IDS/IPS products, This attack vector involves sending any web exploit in fragments and uses the already existing components within the web browser to reassemble and execute the exploit. 

Our presentation will discuss this attack vector used to evade both gateway and client side detection. We will show several proof of concepts containing common readily available web exploits. 

Stephan Chenette is a Senior Security Researcher who helps lead Websense Security Labs working on malcode detection techniques. Mr. Chenette specializes in research tools ranging from kernel-land sandboxes, to static analysis scanners. He has released public analyses on various vulnerabilities and malware. Prior to joining Websense, Stephan was a security software engineer for 4 years working in research and product development at eEye Digital Security. 

== October 29th 2008 ==

Entitlements Management: Security and policies for SOA using XML appliances 

Loosely coupled Web Services can be insecure as, by their very nature, are exposed to application consumers. Security built into XML appliances alleviates the developer with the burden of coding security and policies into their application, freeing the developer to concentrate on conding business processes. This evenings meeting will discuss SOA security challenges and introduce the Layer7 XML appliance that allows for dynamic policies to be configured on the fly using an intuitive user interface. Jonathan Gershater’s career started at 3Com, managing servers and networks. His initial foray into Enterprise Software began in 1999 at enCommerce, which was later acquired by Entrust. He worked at Sun Microsystems from 2005 to 2008 architecting and deploying identity solutions for customers using Sun Java System Identity products. He recently joined Layer 7 Technologies as a senior solution architect. He can be reached at jgershater@layer7tech.com. 

== September 17th 2008 ==

The web hacking incident database (WHID) 2007 Report is a Web Application Security Consortium project dedicated to maintaining a list of web applications related security incidents. The database classifies each reported attack by, among other criteria, the method used, the outcome of the attack and the industry and the country of the attacked organization. Based on the database Breach Labs which sponsors WHID issues a periodical report on trends in Web Application Security.

 

By providing answers to questions such as:

*The drivers behind Web hacking.
*The technology hackers use.
*The types of organizations attacked most often.
*The common outcomes

 The presentation will discuss WHID statistics, focusing on rising trends in Web Attacks in the 1st half of 2008. As the WHID enables research into the business model behind hacking, the presentation goes beyond discussing the technical aspects of attacks such as SQL injection crawlers and Web Site herding, to discussing the business model common to all of the attacks: Economy of scale. 

Ryan C. Barnett is a recognized security thought leader and evangelist who frequently speaks with the media and industry groups.

 He is the director of application security at Breach Security. He is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security/Building a Web Application Firewall Workshop, Top 20 Vulnerabilities Team Member and Local Mentor for the SANS Track 4, "Hacker Techniques, Exploits and Incident Handling" course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX) and Security Essentials (GSEC).

 Mr. Barnett also serves as the team lead for the Center for Internet Security Apache Benchmark Project and is a member of the Web Application Security Consortium. His web security book, "Preventing Web Attacks with Apache,” was published by Addison/Wesley in 2006.

== August 19th 2008 ==

"Don't Write Your Own Security Code" – Application security is arguably the most difficult IT challenge facing organizations today. There are over 600 different categories of vulnerabilities to avoid and they are all tricky. Most of these problems are related to the design, implementation, and use of a relatively small set of security controls. To solve this problem for developers, Jeff created the OWASP ESAPI project – a clean intuitive toolbox of the core security building blocks that every web developer needs. In this talk, Jeff will show you how to create an ESAPI for your organization that will solve the OWASP Top Ten vulnerabilities, increase assurance, and dramatically cut costs all at the same time.

 Jeff Williams is the founder and CEO of Aspect Security, specializing in application security services. Jeff also serves as the volunteer Chair of the Open Web Application Security Project (OWASP). Jeff has made extensive contributions to the application security community through OWASP, including the Top Ten, WebGoat, Stinger, Secure Software Contract Annex, Enterprise Security API, and the local chapters program. Jeff holds advanced degrees in psychology, computer science, and human factors, and graduated cum laude from Georgetown Law.

AppSec US 2010, CA

2010-08-10T01:57:24Z

Kelly FitzGerald: added a break.

__NOTOC__

 [[Image:Appsec banner.png|468x60px|AppSec USA 2010 Banner]]

= Welcome to AppSec USA 2010 =

Register by August 15 midnight (Pacific time) and be eligible for drawing of 3 iPads. You must be a paid attendee, must register via website (no POs) and must be present at end of the conference to win.
 
[[Image:Apple-ipad-tablet.jpg|thumb|left]]

 

 

{| class="FCK__ShowTableBorders" border="0" width="100%" align="center"
|-
| style="background: rgb(238,235,226); color: black" colspan="4" align="left" |
For complete information, please visit [http://www.appsecusa.org AppSec US 2010 Website] Training and Presentation Schedules Available Now!

Training Days Sept 7-8: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=Training_September_7th_.26_8th Schedule of Classes]

Presentation Schedule Sept 9th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_9th Schedule of Talks] Sept 10th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_10th Schedule of Talks]

|}

{| style="width: 100%" class="FCK__ShowTableBorders"
|-
| style="width: 100%; color: rgb(0,0,0)" |
{| style="width: 100%; background: none transparent scroll repeat 0% 0%; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders"
|-
| style="width: 95%; color: rgb(0,0,0)" |
'''Latest Updates:'''

Dr. Chenxi Wang of Forrester Research added as keynote speaker for September 9.

@chenxiwang tweets at http://twitter.com/chenxiwang.

''' '''

|}



| style="border-bottom: rgb(204,204,204) 0px solid; border-left: rgb(204,204,204) 0px solid; width: 100%; color: rgb(0,0,0); font-size: 95%; border-top: rgb(204,204,204) 0px solid; border-right: rgb(204,204,204) 0px solid" | 
| style="width: 110px; color: rgb(0,0,0); font-size: 95%" |
|}



==== Training September 7th & 8th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T1. Web Security Testing - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This course is a deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing, arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to common web application vulnerabilities, testing techniques and tools by a professional security tester.
The course includes a guided penetration test in which the students will execute security test with the help of the instructor.

|-
| style="background: rgb(242,242,242)" | Instructor: Joe Basirico, Security Innovation
|-
| style="background: rgb(242,242,242)" | [[Learn More About the Web Security Testing Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T2. Building Secure Ajax and Web 2.0 Applications - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This two-day class will cover common Web 2.0 and AJAX security threats, vulnerabilities, and it will provide specific guidance on how to develop Web 2.0 applications to defend against these threats and vulnerabilities.
Training developers on secure coding practices offers one of highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building Secure Ajax and Web 2.0 Applications Course enables developers to securely utilize Web 2.0 technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how Ajax attacks work, the impacts of successful attacks, and what to do to defend against them.

|-
| style="background: rgb(242,242,242)" | Instructor: Dave Wichers: [http://www.aspectsecurity.com [[Image:|Aspect_logo.gif]]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Building Secure Ajax and Web 2.0 Applications Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T3. Assessing and Exploiting Web Applications with Samurai - WTF - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" |
This course will focus on using open source tools to perform web application assessments.  The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-‐WTF). 

Day one will take students through the steps and open source tools used to assess application for vulnerabilities. 

Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks.  The latest tools and techniques will be used throughout the course, including several tools developed by the trainers themselves

|-
| style="background: rgb(242,242,242)" |
Instructor: Jason Searle: InGuardians [[Image:InGuardians.png|36x39px]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T4. Application Security Leadership Essentials - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.
|-
| style="background: rgb(242,242,242)" | Instructor: Jeff Williams: [http://www.aspectsecurity.com [[Image:|Aspect_logo.gif]]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Application Security Leadership Essentials Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T5. Software Security Remediation: How to Fix Application Vulnerabilities 1-Day - Sept 7th- $675
|-
| style="background: rgb(242,242,242)" | This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.
Instructor: Dan Cornell: [[Image:AppSecDC2009-Sponsor-denim.gif]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T6. Live CD 1-Day - Sept 8th- $675
|-
| style="background: rgb(242,242,242)" | Summary
Instructor: Matt Tesauro: [[Image:TrustwaveLogo.jpg]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

 

==== September 9th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 1 - September 9th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 07:30-08:30
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Registration and Breakfast + Coffee
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:30-08:45
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Welcome to OWASP AppSec US, 2010 (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:45-9:30
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Jeff Williams (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 9:30-10:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Chenxi Wang (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:15-10:35
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF kick-off (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:35-11:20
| style="width: 30%; background: rgb(188,133,122)" align="left" | How I met your Girlfriend, ''Samy Kamkar'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Solving Real-World Problems with an Enterprise Security API (ESAPI), ''Chris Schmidt, ServiceMagic'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | TBD
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:20-11:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:30-12:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | State of SSL on the Internet - 2010 Survey, Results and Conclusions, ''Ivan Ristic, Qualys'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Into the Rabbit Hole: Execution Flow-based Web Application Testing, ''Rafal Los, Hewlett-Packard'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | Threat Modeling Best Practices, ''Robert Zigweid, IOActive'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:15-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:30-14:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Bill Cheswick (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:15-14:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:25-15:10
| style="width: 30%; background: rgb(188,133,122)" align="left" | P0w3d for Botnet CnC, ''Gunter Ollmann, Damballa'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Cloud Computing, A Weapon of Mass Destruction?, ''David Bryan, Trustwave's SpiderLabs'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | The Secure Coding Practices Quick Reference Guide, ''Keith Turpin, Boeing''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:30-16:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, ''Dan Cornell, Denim Group'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Assessing, Testing and Validating Flash Content, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | OWASP State of the Union, ''Tom Brennan, OWASP''
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:15-16:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:25-17:10
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen, TBD...Moderator: Stuart Schwartz
|}

==== September 10th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 2 - September 10th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:00-09:00
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:00-09:15
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Announcements (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:15-10:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: David Rice (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:00-10:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:10-10:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Security Architecting Applications for the Cloud, ''Alex Stamos, iSEC Partners'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Unraveling Cross-Technology, Cross-Domain Trust Relations, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Real Time Application Defenses - The Reality of AppSensor & ESAPI, ''Michael Coates, Mozilla,''
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:55-11:15
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:15-12:00
| style="width: 30%; background: rgb(188,133,122)" align="left" | Reducing Web application Vulnerabilities: Moving from a Test-Dependent to Design-Driven development, ''Joe Basirico, Security Innovation'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Session Management Security tips and Tricks, ''Lars Ewe, Cenzic'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | The Dark Side of Twitter: Measuring and Analyzing Malicious Activity on Twitter, ''Paul Judge, David Maynor, and Daniel Peck, Barracuda Labs'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:00-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:15-14:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: HD Moore (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:05-14:50
| style="width: 30%; background: rgb(188,133,122)" align="left" | Panel Discussion: Vulnerability Lifecycle for Software Vendors, ''Kelly FitzGerald (Symantec), (US CERT), (Cigital), (Tipping Point) Moderator: Edward Bonver'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Agile + Security = FAIL, ''Adrian Lane'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities, ''Aditya K. Sood, Armorize Technologies''
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:50-15:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Escalating Privileges through Database Trusts, ''Scott Sutherland and Antti Rantasaari, NetSPI'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Defining the Identiy Management Framework, ''Richard Tychansky, Jim Molini, Hord Tipton, and Mike Kilroy'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Breaking Web Browsers, ''Jeremiah Grossman, WhiteHat Security''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:55-16:05
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:05-16:50
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Conference Wrap Up: AppSec US 2011 Location Announcement, CTF Results, Prizes
|}

 

==== Sponsors ====

We are currently soliciting sponsors for the AppSec US 2010 Conference. Please refer to our [http://www.appsecusa.org/become-a-sponsor.html List of Sponsorship Opportunities] (or [http://www.owasp.org/images/b/b3/OWASP_sponsorship_Irvine.pdf PDF]).

Please contact [mailto:kate.hartmann@owasp.org Kate Hartmann] for more information.

Slots are going fast so contact us to sponsor today!

    

{| style="background: none transparent scroll repeat 0% 0%; color: white; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders" border="0" cellspacing="10" align="center"
|-
|
== Platinum Sponsors ==

|
| [File:Qualys-468-60.png]
|
|
|-
|  
|-
|
== Gold Sponsors ==

| [[Image:Ibmneg blurgb.jpg]]
| [[Image:Fortify logo AppSec Research 2010.png]]
|
|-
|  
|-
|
== Silver Sponsors ==

| [[Image:Fishnet Logo AppSec.jpg]]
| [[Image:Acunetix logo 200.png]]
| [[Image:Barracuda Color Logo.jpg]]
| [[Image:Cenziclogo.png]]
|-
| [[Image:Cigital-hor-color.JPG|120px]]
| [[Image:Fujitsu-red-opt-b-150x56.gif]]
| [[Image:Netspi logo.png]]
|
|-
|
|
|
|
|-
|
|
|
|
|-
|
|
|
|
|-
|  
|-
|  
|-
|
=== Organizational Sponsors ===

| [[Image:Isc2 logo.gif|120px]]
|
|-
|  
|-
|
=== Reception Sponsors ===

|
|-
|
=== Coffee Sponsors ===

|
|
|}

==== REGISTER NOW ====

Click [http://www.appsecusa.org/register-now.html here]  for registration information. 

[http://www.appsecusa.org/register-now.html http://www.appsecusa.org/register-now.html]

<headertabs />

[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_USA]]

AppSec US 2010, CA

2010-08-10T01:56:32Z

Kelly FitzGerald: Adding Announcement of FREE IPADS!

__NOTOC__

 [[Image:Appsec banner.png|468x60px|AppSec USA 2010 Banner]]

= Welcome to AppSec USA 2010 =

Register by August 15 midnight (Pacific time) and be eligible for drawing of 3 iPads. You must be a paid attendee, must register via website (no POs) and must be present at end of the conference to win. [[Image:Apple-ipad-tablet.jpg|thumb|left]]

 

 

{| class="FCK__ShowTableBorders" border="0" width="100%" align="center"
|-
| style="background: rgb(238,235,226); color: black" colspan="4" align="left" |
For complete information, please visit [http://www.appsecusa.org AppSec US 2010 Website] Training and Presentation Schedules Available Now!

Training Days Sept 7-8: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=Training_September_7th_.26_8th Schedule of Classes]

Presentation Schedule Sept 9th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_9th Schedule of Talks] Sept 10th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_10th Schedule of Talks]

|}

{| style="width: 100%" class="FCK__ShowTableBorders"
|-
| style="width: 100%; color: rgb(0,0,0)" |
{| style="width: 100%; background: none transparent scroll repeat 0% 0%; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders"
|-
| style="width: 95%; color: rgb(0,0,0)" |
'''Latest Updates:'''

Dr. Chenxi Wang of Forrester Research added as keynote speaker for September 9.

@chenxiwang tweets at http://twitter.com/chenxiwang.

''' '''

|}



| style="border-bottom: rgb(204,204,204) 0px solid; border-left: rgb(204,204,204) 0px solid; width: 100%; color: rgb(0,0,0); font-size: 95%; border-top: rgb(204,204,204) 0px solid; border-right: rgb(204,204,204) 0px solid" | 
| style="width: 110px; color: rgb(0,0,0); font-size: 95%" |
|}



==== Training September 7th & 8th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T1. Web Security Testing - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This course is a deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing, arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to common web application vulnerabilities, testing techniques and tools by a professional security tester.
The course includes a guided penetration test in which the students will execute security test with the help of the instructor.

|-
| style="background: rgb(242,242,242)" | Instructor: Joe Basirico, Security Innovation
|-
| style="background: rgb(242,242,242)" | [[Learn More About the Web Security Testing Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T2. Building Secure Ajax and Web 2.0 Applications - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This two-day class will cover common Web 2.0 and AJAX security threats, vulnerabilities, and it will provide specific guidance on how to develop Web 2.0 applications to defend against these threats and vulnerabilities.
Training developers on secure coding practices offers one of highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building Secure Ajax and Web 2.0 Applications Course enables developers to securely utilize Web 2.0 technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how Ajax attacks work, the impacts of successful attacks, and what to do to defend against them.

|-
| style="background: rgb(242,242,242)" | Instructor: Dave Wichers: [http://www.aspectsecurity.com [[Image:|Aspect_logo.gif]]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Building Secure Ajax and Web 2.0 Applications Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T3. Assessing and Exploiting Web Applications with Samurai - WTF - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" |
This course will focus on using open source tools to perform web application assessments.  The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-‐WTF). 

Day one will take students through the steps and open source tools used to assess application for vulnerabilities. 

Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks.  The latest tools and techniques will be used throughout the course, including several tools developed by the trainers themselves

|-
| style="background: rgb(242,242,242)" |
Instructor: Jason Searle: InGuardians [[Image:InGuardians.png|36x39px]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T4. Application Security Leadership Essentials - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.
|-
| style="background: rgb(242,242,242)" | Instructor: Jeff Williams: [http://www.aspectsecurity.com [[Image:|Aspect_logo.gif]]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Application Security Leadership Essentials Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T5. Software Security Remediation: How to Fix Application Vulnerabilities 1-Day - Sept 7th- $675
|-
| style="background: rgb(242,242,242)" | This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.
Instructor: Dan Cornell: [[Image:AppSecDC2009-Sponsor-denim.gif]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T6. Live CD 1-Day - Sept 8th- $675
|-
| style="background: rgb(242,242,242)" | Summary
Instructor: Matt Tesauro: [[Image:TrustwaveLogo.jpg]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

 

==== September 9th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 1 - September 9th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 07:30-08:30
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Registration and Breakfast + Coffee
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:30-08:45
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Welcome to OWASP AppSec US, 2010 (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:45-9:30
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Jeff Williams (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 9:30-10:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Chenxi Wang (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:15-10:35
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF kick-off (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:35-11:20
| style="width: 30%; background: rgb(188,133,122)" align="left" | How I met your Girlfriend, ''Samy Kamkar'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Solving Real-World Problems with an Enterprise Security API (ESAPI), ''Chris Schmidt, ServiceMagic'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | TBD
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:20-11:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:30-12:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | State of SSL on the Internet - 2010 Survey, Results and Conclusions, ''Ivan Ristic, Qualys'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Into the Rabbit Hole: Execution Flow-based Web Application Testing, ''Rafal Los, Hewlett-Packard'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | Threat Modeling Best Practices, ''Robert Zigweid, IOActive'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:15-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:30-14:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Bill Cheswick (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:15-14:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:25-15:10
| style="width: 30%; background: rgb(188,133,122)" align="left" | P0w3d for Botnet CnC, ''Gunter Ollmann, Damballa'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Cloud Computing, A Weapon of Mass Destruction?, ''David Bryan, Trustwave's SpiderLabs'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | The Secure Coding Practices Quick Reference Guide, ''Keith Turpin, Boeing''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:30-16:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, ''Dan Cornell, Denim Group'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Assessing, Testing and Validating Flash Content, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | OWASP State of the Union, ''Tom Brennan, OWASP''
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:15-16:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:25-17:10
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen, TBD...Moderator: Stuart Schwartz
|}

==== September 10th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 2 - September 10th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:00-09:00
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:00-09:15
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Announcements (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:15-10:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: David Rice (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:00-10:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:10-10:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Security Architecting Applications for the Cloud, ''Alex Stamos, iSEC Partners'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Unraveling Cross-Technology, Cross-Domain Trust Relations, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Real Time Application Defenses - The Reality of AppSensor & ESAPI, ''Michael Coates, Mozilla,''
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:55-11:15
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:15-12:00
| style="width: 30%; background: rgb(188,133,122)" align="left" | Reducing Web application Vulnerabilities: Moving from a Test-Dependent to Design-Driven development, ''Joe Basirico, Security Innovation'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Session Management Security tips and Tricks, ''Lars Ewe, Cenzic'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | The Dark Side of Twitter: Measuring and Analyzing Malicious Activity on Twitter, ''Paul Judge, David Maynor, and Daniel Peck, Barracuda Labs'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:00-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:15-14:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: HD Moore (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:05-14:50
| style="width: 30%; background: rgb(188,133,122)" align="left" | Panel Discussion: Vulnerability Lifecycle for Software Vendors, ''Kelly FitzGerald (Symantec), (US CERT), (Cigital), (Tipping Point) Moderator: Edward Bonver'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Agile + Security = FAIL, ''Adrian Lane'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities, ''Aditya K. Sood, Armorize Technologies''
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:50-15:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Escalating Privileges through Database Trusts, ''Scott Sutherland and Antti Rantasaari, NetSPI'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Defining the Identiy Management Framework, ''Richard Tychansky, Jim Molini, Hord Tipton, and Mike Kilroy'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Breaking Web Browsers, ''Jeremiah Grossman, WhiteHat Security''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:55-16:05
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:05-16:50
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Conference Wrap Up: AppSec US 2011 Location Announcement, CTF Results, Prizes
|}

 

==== Sponsors ====

We are currently soliciting sponsors for the AppSec US 2010 Conference. Please refer to our [http://www.appsecusa.org/become-a-sponsor.html List of Sponsorship Opportunities] (or [http://www.owasp.org/images/b/b3/OWASP_sponsorship_Irvine.pdf PDF]).

Please contact [mailto:kate.hartmann@owasp.org Kate Hartmann] for more information.

Slots are going fast so contact us to sponsor today!

    

{| style="background: none transparent scroll repeat 0% 0%; color: white; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders" border="0" cellspacing="10" align="center"
|-
|
== Platinum Sponsors ==

|
| [File:Qualys-468-60.png]
|
|
|-
|  
|-
|
== Gold Sponsors ==

| [[Image:Ibmneg blurgb.jpg]]
| [[Image:Fortify logo AppSec Research 2010.png]]
|
|-
|  
|-
|
== Silver Sponsors ==

| [[Image:Fishnet Logo AppSec.jpg]]
| [[Image:Acunetix logo 200.png]]
| [[Image:Barracuda Color Logo.jpg]]
| [[Image:Cenziclogo.png]]
|-
| [[Image:Cigital-hor-color.JPG|120px]]
| [[Image:Fujitsu-red-opt-b-150x56.gif]]
| [[Image:Netspi logo.png]]
|
|-
|
|
|
|
|-
|
|
|
|
|-
|
|
|
|
|-
|  
|-
|  
|-
|
=== Organizational Sponsors ===

| [[Image:Isc2 logo.gif|120px]]
|
|-
|  
|-
|
=== Reception Sponsors ===

|
|-
|
=== Coffee Sponsors ===

|
|
|}

==== REGISTER NOW ====

Click [http://www.appsecusa.org/register-now.html here]  for registration information. 

[http://www.appsecusa.org/register-now.html http://www.appsecusa.org/register-now.html]

<headertabs />

[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_USA]]

File:Apple-ipad-tablet.jpg

2010-08-10T01:51:40Z

Kelly FitzGerald:

AppSec US 2010, CA

2010-08-10T01:39:10Z

Kelly FitzGerald: Removing table of contents to make format like AppSec Brazil

__NOTOC__

 [[Image:Appsec banner.png|468x60px|AppSec USA 2010 Banner]]

==== Welcome ====

{| class="FCK__ShowTableBorders" border="0" width="100%" align="center"
|-
| style="background: rgb(238,235,226); color: black" colspan="4" align="left" |
For complete information, please visit [http://www.appsecusa.org AppSec US 2010 Website] Training and Presentation Schedules Available Now!

Training Days Sept 7-8: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=Training_September_7th_.26_8th Schedule of Classes]

Presentation Schedule Sept 9th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_9th Schedule of Talks] Sept 10th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_10th Schedule of Talks]

|}

{| style="width: 100%" class="FCK__ShowTableBorders"
|-
| style="width: 100%; color: rgb(0,0,0)" |
{| style="width: 100%; background: none transparent scroll repeat 0% 0%; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders"
|-
| style="width: 95%; color: rgb(0,0,0)" |
'''Latest Updates:'''

Dr. Chenxi Wang of Forrester Research added as keynote speaker for September 9.

@chenxiwang tweets at http://twitter.com/chenxiwang.

''' '''

|}



| style="border-bottom: rgb(204,204,204) 0px solid; border-left: rgb(204,204,204) 0px solid; width: 100%; color: rgb(0,0,0); font-size: 95%; border-top: rgb(204,204,204) 0px solid; border-right: rgb(204,204,204) 0px solid" | 
| style="width: 110px; color: rgb(0,0,0); font-size: 95%" |
|}



==== Training September 7th & 8th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T1. Web Security Testing - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This course is a deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing, arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to common web application vulnerabilities, testing techniques and tools by a professional security tester.
The course includes a guided penetration test in which the students will execute security test with the help of the instructor.

|-
| style="background: rgb(242,242,242)" | Instructor: Joe Basirico, Security Innovation
|-
| style="background: rgb(242,242,242)" | [[Learn More About the Web Security Testing Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T2. Building Secure Ajax and Web 2.0 Applications - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This two-day class will cover common Web 2.0 and AJAX security threats, vulnerabilities, and it will provide specific guidance on how to develop Web 2.0 applications to defend against these threats and vulnerabilities.
Training developers on secure coding practices offers one of highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building Secure Ajax and Web 2.0 Applications Course enables developers to securely utilize Web 2.0 technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how Ajax attacks work, the impacts of successful attacks, and what to do to defend against them.

|-
| style="background: rgb(242,242,242)" | Instructor: Dave Wichers: [http://www.aspectsecurity.com [[Image:|Aspect_logo.gif]]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Building Secure Ajax and Web 2.0 Applications Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T3. Assessing and Exploiting Web Applications with Samurai - WTF - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" |
This course will focus on using open source tools to perform web application assessments.  The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-‐WTF). 

Day one will take students through the steps and open source tools used to assess application for vulnerabilities. 

Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks.  The latest tools and techniques will be used throughout the course, including several tools developed by the trainers themselves

|-
| style="background: rgb(242,242,242)" |
Instructor: Jason Searle: InGuardians [[Image:InGuardians.png|36x39px]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T4. Application Security Leadership Essentials - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.
|-
| style="background: rgb(242,242,242)" | Instructor: Jeff Williams: [http://www.aspectsecurity.com [[Image:|Aspect_logo.gif]]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Application Security Leadership Essentials Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T5. Software Security Remediation: How to Fix Application Vulnerabilities 1-Day - Sept 7th- $675
|-
| style="background: rgb(242,242,242)" | This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.
Instructor: Dan Cornell: [[Image:AppSecDC2009-Sponsor-denim.gif]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T6. Live CD 1-Day - Sept 8th- $675
|-
| style="background: rgb(242,242,242)" | Summary
Instructor: Matt Tesauro: [[Image:TrustwaveLogo.jpg]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

 

==== September 9th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 1 - September 9th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 07:30-08:30
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Registration and Breakfast + Coffee
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:30-08:45
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Welcome to OWASP AppSec US, 2010 (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:45-9:30
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Jeff Williams (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 9:30-10:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Chenxi Wang (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:15-10:35
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF kick-off (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:35-11:20
| style="width: 30%; background: rgb(188,133,122)" align="left" | How I met your Girlfriend, ''Samy Kamkar'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Solving Real-World Problems with an Enterprise Security API (ESAPI), ''Chris Schmidt, ServiceMagic'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | TBD
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:20-11:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:30-12:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | State of SSL on the Internet - 2010 Survey, Results and Conclusions, ''Ivan Ristic, Qualys'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Into the Rabbit Hole: Execution Flow-based Web Application Testing, ''Rafal Los, Hewlett-Packard'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | Threat Modeling Best Practices, ''Robert Zigweid, IOActive'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:15-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:30-14:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Bill Cheswick (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:15-14:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:25-15:10
| style="width: 30%; background: rgb(188,133,122)" align="left" | P0w3d for Botnet CnC, ''Gunter Ollmann, Damballa'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Cloud Computing, A Weapon of Mass Destruction?, ''David Bryan, Trustwave's SpiderLabs'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | The Secure Coding Practices Quick Reference Guide, ''Keith Turpin, Boeing''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:30-16:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, ''Dan Cornell, Denim Group'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Assessing, Testing and Validating Flash Content, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | OWASP State of the Union, ''Tom Brennan, OWASP''
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:15-16:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:25-17:10
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen, TBD...Moderator: Stuart Schwartz
|}

==== September 10th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 2 - September 10th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:00-09:00
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:00-09:15
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Announcements (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:15-10:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: David Rice (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:00-10:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:10-10:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Security Architecting Applications for the Cloud, ''Alex Stamos, iSEC Partners'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Unraveling Cross-Technology, Cross-Domain Trust Relations, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Real Time Application Defenses - The Reality of AppSensor & ESAPI, ''Michael Coates, Mozilla,''
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:55-11:15
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:15-12:00
| style="width: 30%; background: rgb(188,133,122)" align="left" | Reducing Web application Vulnerabilities: Moving from a Test-Dependent to Design-Driven development, ''Joe Basirico, Security Innovation'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Session Management Security tips and Tricks, ''Lars Ewe, Cenzic'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | The Dark Side of Twitter: Measuring and Analyzing Malicious Activity on Twitter, ''Paul Judge, David Maynor, and Daniel Peck, Barracuda Labs'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:00-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:15-14:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: HD Moore (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:05-14:50
| style="width: 30%; background: rgb(188,133,122)" align="left" | Panel Discussion: Vulnerability Lifecycle for Software Vendors, ''Kelly FitzGerald (Symantec), (US CERT), (Cigital), (Tipping Point) Moderator: Edward Bonver'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Agile + Security = FAIL, ''Adrian Lane'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities, ''Aditya K. Sood, Armorize Technologies''
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:50-15:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Escalating Privileges through Database Trusts, ''Scott Sutherland and Antti Rantasaari, NetSPI'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Defining the Identiy Management Framework, ''Richard Tychansky, Jim Molini, Hord Tipton, and Mike Kilroy'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Breaking Web Browsers, ''Jeremiah Grossman, WhiteHat Security''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:55-16:05
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:05-16:50
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Conference Wrap Up: AppSec US 2011 Location Announcement, CTF Results, Prizes
|}

 

==== Sponsors ====

We are currently soliciting sponsors for the AppSec US 2010 Conference. Please refer to our [http://www.appsecusa.org/become-a-sponsor.html List of Sponsorship Opportunities] (or [http://www.owasp.org/images/b/b3/OWASP_sponsorship_Irvine.pdf PDF]).

Please contact [mailto:kate.hartmann@owasp.org Kate Hartmann] for more information.

Slots are going fast so contact us to sponsor today!

    

{| style="background: none transparent scroll repeat 0% 0%; color: white; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders" border="0" cellspacing="10" align="center"
|-
|
== Platinum Sponsors ==

|
| [File:Qualys-468-60.png]
|
|
|-
|  
|-
|
== Gold Sponsors ==

| [[Image:Ibmneg blurgb.jpg]]
| [[Image:Fortify logo AppSec Research 2010.png]]
|
|-
|  
|-
|
== Silver Sponsors ==

| [[Image:Fishnet Logo AppSec.jpg]]
| [[Image:Acunetix logo 200.png]]
| [[Image:Barracuda Color Logo.jpg]]
| [[Image:Cenziclogo.png]]
|-
| [[Image:Cigital-hor-color.JPG|120px]]
| [[Image:Fujitsu-red-opt-b-150x56.gif]]
| [[Image:Netspi logo.png]]
|
|-
|
|
|
|
|-
|
|
|
|
|-
|
|
|
|
|-
|  
|-
|  
|-
|
=== Organizational Sponsors ===

| [[Image:Isc2 logo.gif|120px]]
|
|-
|  
|-
|
=== Reception Sponsors ===

|
|-
|
=== Coffee Sponsors ===

|
|
|}

==== REGISTER NOW ====

Click [http://www.appsecusa.org/register-now.html here]  for registration information. 

[http://www.appsecusa.org/register-now.html http://www.appsecusa.org/register-now.html]

<headertabs />

[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_USA]]

AppSec US 2010, CA

2010-08-10T01:16:59Z

Kelly FitzGerald: Just making the front page for AppSec California a little cleaner

[[Image:Appsec banner.png|468x60px|AppSec USA 2010 Banner]]

==== Welcome ====

{| class="FCK__ShowTableBorders" border="0" width="100%" align="center"
|-
| style="background: rgb(238,235,226); color: black" colspan="4" align="left" |
For complete information, please visit [http://www.appsecusa.org AppSec US 2010 Website] Training and Presentation Schedules Available Now!

Training Days Sept 7-8: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=Training_September_7th_.26_8th Schedule of Classes]

Presentation Schedule Sept 9th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_9th Schedule of Talks] Sept 10th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_10th Schedule of Talks]

|}

{| style="width: 100%" class="FCK__ShowTableBorders"
|-
| style="width: 100%; color: rgb(0,0,0)" |
{| style="width: 100%; background: none transparent scroll repeat 0% 0%; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders"
|-
| style="width: 95%; color: rgb(0,0,0)" |
'''Latest Updates:'''

Dr. Chenxi Wang of Forrester Research added as keynote speaker for September 9.

@chenxiwang tweets at http://twitter.com/chenxiwang.

''' '''

|}



| style="border-bottom: rgb(204,204,204) 0px solid; border-left: rgb(204,204,204) 0px solid; width: 100%; color: rgb(0,0,0); font-size: 95%; border-top: rgb(204,204,204) 0px solid; border-right: rgb(204,204,204) 0px solid" | 
| style="width: 110px; color: rgb(0,0,0); font-size: 95%" |
|}



==== Training September 7th & 8th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T1. Web Security Testing - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This course is a deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing, arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to common web application vulnerabilities, testing techniques and tools by a professional security tester.
The course includes a guided penetration test in which the students will execute security test with the help of the instructor.

|-
| style="background: rgb(242,242,242)" | Instructor: Joe Basirico, Security Innovation
|-
| style="background: rgb(242,242,242)" | [[Learn More About the Web Security Testing Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T2. Building Secure Ajax and Web 2.0 Applications - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This two-day class will cover common Web 2.0 and AJAX security threats, vulnerabilities, and it will provide specific guidance on how to develop Web 2.0 applications to defend against these threats and vulnerabilities.
Training developers on secure coding practices offers one of highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building Secure Ajax and Web 2.0 Applications Course enables developers to securely utilize Web 2.0 technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how Ajax attacks work, the impacts of successful attacks, and what to do to defend against them.

|-
| style="background: rgb(242,242,242)" | Instructor: Dave Wichers: [http://www.aspectsecurity.com [[Image:|Aspect_logo.gif]]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Building Secure Ajax and Web 2.0 Applications Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T3. Assessing and Exploiting Web Applications with Samurai - WTF - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" |
This course will focus on using open source tools to perform web application assessments.  The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-‐WTF). 

Day one will take students through the steps and open source tools used to assess application for vulnerabilities. 

Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks.  The latest tools and techniques will be used throughout the course, including several tools developed by the trainers themselves

|-
| style="background: rgb(242,242,242)" |
Instructor: Jason Searle: InGuardians [[Image:InGuardians.png|36x39px]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T4. Application Security Leadership Essentials - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.
|-
| style="background: rgb(242,242,242)" | Instructor: Jeff Williams: [http://www.aspectsecurity.com [[Image:|Aspect_logo.gif]]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Application Security Leadership Essentials Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T5. Software Security Remediation: How to Fix Application Vulnerabilities 1-Day - Sept 7th- $675
|-
| style="background: rgb(242,242,242)" | This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.
Instructor: Dan Cornell: [[Image:AppSecDC2009-Sponsor-denim.gif]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T6. Live CD 1-Day - Sept 8th- $675
|-
| style="background: rgb(242,242,242)" | Summary
Instructor: Matt Tesauro: [[Image:TrustwaveLogo.jpg]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

 

==== September 9th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 1 - September 9th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 07:30-08:30
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Registration and Breakfast + Coffee
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:30-08:45
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Welcome to OWASP AppSec US, 2010 (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:45-9:30
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Jeff Williams (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 9:30-10:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Chenxi Wang (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:15-10:35
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF kick-off (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:35-11:20
| style="width: 30%; background: rgb(188,133,122)" align="left" | How I met your Girlfriend, ''Samy Kamkar'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Solving Real-World Problems with an Enterprise Security API (ESAPI), ''Chris Schmidt, ServiceMagic'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | TBD
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:20-11:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:30-12:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | State of SSL on the Internet - 2010 Survey, Results and Conclusions, ''Ivan Ristic, Qualys'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Into the Rabbit Hole: Execution Flow-based Web Application Testing, ''Rafal Los, Hewlett-Packard'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | Threat Modeling Best Practices, ''Robert Zigweid, IOActive'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:15-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:30-14:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Bill Cheswick (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:15-14:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:25-15:10
| style="width: 30%; background: rgb(188,133,122)" align="left" | P0w3d for Botnet CnC, ''Gunter Ollmann, Damballa'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Cloud Computing, A Weapon of Mass Destruction?, ''David Bryan, Trustwave's SpiderLabs'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | The Secure Coding Practices Quick Reference Guide, ''Keith Turpin, Boeing''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:30-16:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, ''Dan Cornell, Denim Group'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Assessing, Testing and Validating Flash Content, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | OWASP State of the Union, ''Tom Brennan, OWASP''
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:15-16:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:25-17:10
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen, TBD...Moderator: Stuart Schwartz
|}

==== September 10th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 2 - September 10th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:00-09:00
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:00-09:15
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Announcements (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:15-10:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: David Rice (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:00-10:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:10-10:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Security Architecting Applications for the Cloud, ''Alex Stamos, iSEC Partners'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Unraveling Cross-Technology, Cross-Domain Trust Relations, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Real Time Application Defenses - The Reality of AppSensor & ESAPI, ''Michael Coates, Mozilla,''
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:55-11:15
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:15-12:00
| style="width: 30%; background: rgb(188,133,122)" align="left" | Reducing Web application Vulnerabilities: Moving from a Test-Dependent to Design-Driven development, ''Joe Basirico, Security Innovation'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Session Management Security tips and Tricks, ''Lars Ewe, Cenzic'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | The Dark Side of Twitter: Measuring and Analyzing Malicious Activity on Twitter, ''Paul Judge, David Maynor, and Daniel Peck, Barracuda Labs'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:00-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:15-14:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: HD Moore (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:05-14:50
| style="width: 30%; background: rgb(188,133,122)" align="left" | Panel Discussion: Vulnerability Lifecycle for Software Vendors, ''Kelly FitzGerald (Symantec), (US CERT), (Cigital), (Tipping Point) Moderator: Edward Bonver'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Agile + Security = FAIL, ''Adrian Lane'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities, ''Aditya K. Sood, Armorize Technologies''
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:50-15:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Escalating Privileges through Database Trusts, ''Scott Sutherland and Antti Rantasaari, NetSPI'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Defining the Identiy Management Framework, ''Richard Tychansky, Jim Molini, Hord Tipton, and Mike Kilroy'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Breaking Web Browsers, ''Jeremiah Grossman, WhiteHat Security''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:55-16:05
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:05-16:50
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Conference Wrap Up: AppSec US 2011 Location Announcement, CTF Results, Prizes
|}

 

==== Sponsors ====

We are currently soliciting sponsors for the AppSec US 2010 Conference. Please refer to our [http://www.appsecusa.org/become-a-sponsor.html List of Sponsorship Opportunities] (or [http://www.owasp.org/images/b/b3/OWASP_sponsorship_Irvine.pdf PDF]).

Please contact [mailto:kate.hartmann@owasp.org Kate Hartmann] for more information.

Slots are going fast so contact us to sponsor today!

    

{| style="background: none transparent scroll repeat 0% 0%; color: white; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders" border="0" cellspacing="10" align="center"
|-
|
== Platinum Sponsors ==

|
| [File:Qualys-468-60.png]
|
|
|-
|  
|-
|
== Gold Sponsors ==

| [[Image:Ibmneg blurgb.jpg]]
| [[Image:Fortify logo AppSec Research 2010.png]]
|
|-
|  
|-
|
== Silver Sponsors ==

| [[Image:Fishnet Logo AppSec.jpg]]
| [[Image:Acunetix logo 200.png]]
| [[Image:Barracuda Color Logo.jpg]]
| [[Image:Cenziclogo.png]]
|-
| [[Image:Cigital-hor-color.JPG|120px]]
| [[Image:Fujitsu-red-opt-b-150x56.gif]]
| [[Image:Netspi logo.png]]
|
|-
|
|
|
|
|-
|
|
|
|
|-
|
|
|
|
|-
|  
|-
|  
|-
|
=== Organizational Sponsors ===

| [[Image:Isc2 logo.gif|120px]]
|
|-
|  
|-
|
=== Reception Sponsors ===

|
|-
|
=== Coffee Sponsors ===

|
|
|}

==== REGISTER NOW ====

Click [http://www.appsecusa.org/register-now.html here]  for registration information. 

[http://www.appsecusa.org/register-now.html http://www.appsecusa.org/register-now.html]

<headertabs />

[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_USA]]

AppSec US 2010, CA

2010-07-20T19:24:18Z

Kelly FitzGerald:

[[Image:Appsec banner.png|468x60px|AppSec USA 2010 Banner]]

==== Welcome ====

{| class="FCK__ShowTableBorders" border="0" width="100%" align="center"
|-
| style="width: 25%; background: rgb(240,230,140)" align="center" | [http://www.appsecusa.org/travel-and-venue.html Travel and Venue]
| style="width: 25%; background: rgb(240,230,140)" align="center" | [http://www.appsecusa.org/become-a-sponsor.html Sponsor Information]
| style="width: 25%; background: rgb(240,230,140)" align="center" | [http://www.appsecusa.org/volunteer-opportunities.html Volunteer Opportunities]
| style="width: 25%; background: rgb(255,215,0)" align="center" | [http://www.appsecusa.org/register-now.html REGISTER NOW]
|-
| style="background: rgb(238,235,226); color: black" colspan="4" align="left" |
 For complete information, please visit [http://www.appsecusa.org AppSec US 2010 Website] 

|}

{| style="width: 100%" class="FCK__ShowTableBorders"
|-
| style="width: 100%; color: rgb(0,0,0)" |
{| style="width: 100%; background: none transparent scroll repeat 0% 0%; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders"
|-
| style="width: 95%; color: rgb(0,0,0)" |
'''Latest Updates:'''

'''Training and conference agenda available'''

'''Register now!''' Early-bird rates extended till July 31.

''' '''

|}



| style="border-bottom: rgb(204,204,204) 0px solid; border-left: rgb(204,204,204) 0px solid; width: 100%; color: rgb(0,0,0); font-size: 95%; border-top: rgb(204,204,204) 0px solid; border-right: rgb(204,204,204) 0px solid" | 
| style="width: 110px; color: rgb(0,0,0); font-size: 95%" |
|}



==== Training September 7th & 8th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T1. Web Security Testing - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This course is a deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing, arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to common web application vulnerabilities, testing techniques and tools by a professional security tester.
The course includes a guided penetration test in which the students will execute security test with the help of the instructor.

|-
| style="background: rgb(242,242,242)" | Instructor: Joe Basirico, Security Innovation
|-
| style="background: rgb(242,242,242)" | [[Learn More About the Web Security Testing Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T2. Building Secure Ajax and Web 2.0 Applications - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | This two-day class will cover common Web 2.0 and AJAX security threats, vulnerabilities, and it will provide specific guidance on how to develop Web 2.0 applications to defend against these threats and vulnerabilities.
Training developers on secure coding practices offers one of highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building Secure Ajax and Web 2.0 Applications Course enables developers to securely utilize Web 2.0 technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how Ajax attacks work, the impacts of successful attacks, and what to do to defend against them.

|-
| style="background: rgb(242,242,242)" | Instructor: Dave Wichers: [[Image:100px-Aspect Security Logo.jpg]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Building Secure Ajax and Web 2.0 Applications Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T3. Assessing and Exploiting Web Applications with Samurai - WTF - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" |
This course will focus on using open source tools to perform web application assessments.  The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-‐WTF). 

Day one will take students through the steps and open source tools used to assess application for vulnerabilities. 

Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks.  The latest tools and techniques will be used throughout the course, including several tools developed by the trainers themselves

|-
| style="background: rgb(242,242,242)" |
Instructor: Jason Searle: InGuardian [[Image:InGuardians.png|36x40px]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T4. Application Security Leadership Essentials - 2-Days - $1350
|-
| style="background: rgb(242,242,242)" | In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.
|-
| style="background: rgb(242,242,242)" | Instructor: Jeff Williams: [[Image:100px-Aspect Security Logo.jpg]]
|-
| style="background: rgb(242,242,242)" | [[Learn More about the Application Security Leadership Essentials Class]]
|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|-
! style="background: rgb(64,88,160); color: white" align="center" | T5. Software Security Remediation: How to Fix Application Vulnerabilities 1-Day - Sept 7th- $675
|-
| style="background: rgb(242,242,242)" | Summary
Instructor: Dan Cornell: [[Image:AppSecDC2009-Sponsor-denim.gif]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
! style="background: rgb(64,88,160); color: white" align="center" | T6. Live CD 1-Day - Sept 8th- $675
|-
| style="background: rgb(242,242,242)" | Summary
Instructor: Matt Tesauro: [[Image:TrustwaveLogo.jpg]]

|-
| style="background: rgb(242,242,242)" | [http://www.appsecusa.org/register-now.html Click here to register]
|}

 

==== September 9th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 1 - September 9th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 07:30-08:30
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Registration and Breakfast + Coffee
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:30-08:45
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Welcome to OWASP AppSec US, 2010 (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:45-9:30
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Jeff Williams (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 9:30-10:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Chenxi Wang (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:15-10:35
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF kick-off (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:35-11:20
| style="width: 30%; background: rgb(188,133,122)" align="left" | How I met your Girlfriend, ''Samy Kamkar'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Solving Real-World Problems with an Enterprise Security API (ESAPI), ''Chris Schmidt, ServiceMagic'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Microsoft Security Development Lifecycle for Agile Development, ''Nick Coblentz, AT&T''
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:20-11:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:30-12:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | State of SL on the Internet - 2010 Survey, Results and Conclusions, ''Ivan Ristic, Qualys'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Into the Rabbit Hole: Execution Flow-based Web Application Testing, ''Rafal Los, Hewlett-Packard'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | Threat Modeling Best Practices, Robert Zigweid, IOActive 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:15-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:30-14:15
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: Bill Cheswick (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:15-14:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:25-15:10
| style="width: 30%; background: rgb(188,133,122)" align="left" | P0w3d for Botnet CnC, ''Gunter Ollmann, Damballa'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Cloud Computing, A Weapon of Mass Destruction?, ''David Bryan'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | The Secure Coding Practices Quick Reference Guide, ''Keith Turpin, Boeing''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:30
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:30-16:15
| style="width: 30%; background: rgb(188,133,122)" align="left" | Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, ''Dan Cornell, Denim Group'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Assessing, Testing and Validating Flash Content, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | OWASP State of the Union, ''Tom Brennan, OWASP''
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:15-16:25
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:25-17:10
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen, TBD...Moderator: Stuart Schwartz
|}

==== September 10th ====

{| style="width: 80%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="4" align="center" | '''Conference Day 2 - September 10th, 2010'''
 

|-
| style="width: 10%; background: rgb(123,138,189)" | 
| style="width: 30%; background: rgb(188,133,122)" | Track 1 - Crystal Cove Auditorium
| style="width: 30%; background: rgb(188,165,122)" | Track 2 - Pacific Ballroom
| style="width: 30%; background: rgb(153,255,153)" | Track 3 - Doheny Beach
|-
| style="width: 10%; background: rgb(123,138,189)" | 08:00-09:00
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:00-09:15
| style="width: 80%; background: rgb(242,242,242)" colspan="3" align="center" | Announcements (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 09:15-10:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: David Rice (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:00-10:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF (Emerald Bay)
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:10-10:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Security Architecting Applications for the Cloud, ''Alex Stamos, iSEC Partners'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Unraveling Cross-Technology, Cross-Domain Trust Relations, ''Peleus Uhley, Adobe'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Real Time Application Defenses - The Reality of AppSensor & ESAPI, ''Michael Coates, Mozilla,''
|-
| style="width: 10%; background: rgb(123,138,189)" | 10:55-11:15
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 11:15-12:00
| style="width: 30%; background: rgb(188,133,122)" align="left" | Reducing Web application Vulnerabilities: Moving from a Test-Dependent to Design-Driven development, ''Ed Adams, Security Innovation'' 
 

| style="width: 30%; background: rgb(188,165,122)" align="left" | Session Management Security tips and Tricks, ''Lars Ewe, Cenzic'' 
 

| style="width: 30%; background: rgb(153,255,153)" align="left" | The Dark Side of Twitter: Measuring and Analyzing Malicious Activity on Twitter, ''Paul Judge, David Maynor, and Daniel Peck, Barracuda Labs'' 
|-
| style="width: 10%; background: rgb(123,138,189)" | 12:00-13:15
| style="width: 80%; background: rgb(194,194,194)" colspan="3" align="left" | Lunch - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 13:14-14:00
| style="width: 80%; background: rgb(252,252,150)" colspan="3" align="center" | Keynote: HD Moore (Crystal Cove Auditorium)
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:04-14:50
| style="width: 30%; background: rgb(188,133,122)" align="left" | Panal Discussion: Vulnerability Lifecycle for Software Vendors, ''Kelly FitzGerald (Symantec), (US CERT), (Cigital), (Tipping Point) Moderator: Edward Bonver'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Agile + Security = FAIL, ''Adrian Lane'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities, ''Aditya K. Sood, Armorize Technologies''
|-
| style="width: 10%; background: rgb(123,138,189)" | 14:50-15:10
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Coffee Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:10-15:55
| style="width: 30%; background: rgb(188,133,122)" align="left" | Exploiting Networks through Database Weaknesses, ''Scott Sutherland, NetSPI'' 
| style="width: 30%; background: rgb(188,165,122)" align="left" | Defining the Identiy Management Framework, ''Richard Tychansky, Jim Molini, Hord Tipton, and Mike Kilroy'' 
| style="width: 30%; background: rgb(153,255,153)" align="left" | ''TBD''
|-
| style="width: 10%; background: rgb(123,138,189)" | 15:55-16:05
| style="width: 90%; background: rgb(194,194,194)" colspan="3" align="left" | Break - Expo - CTF
|-
| style="width: 10%; background: rgb(123,138,189)" | 16:05-16:50
| style="width: 90%; background: rgb(242,242,242)" colspan="3" align="center" | Conference Wrap Up: AppSec US 2011 Location Announcement, CTF Results, Prizes
|}

 

==== Sponsors ====

We are currently soliciting sponsors for the AppSec US 2010 Conference. Please refer to our [http://www.appsecusa.org/become-a-sponsor.html List of Sponsorship Opportunities] (or [http://www.owasp.org/images/b/b3/OWASP_sponsorship_Irvine.pdf PDF]).

Please contact [mailto:kate.hartmann@owasp.org Kate Hartmann] for more information.

Slots are going fast so contact us to sponsor today!

    

{| style="background: none transparent scroll repeat 0% 0%; color: white; -moz-background-inline-policy: continuous" class="FCK__ShowTableBorders" border="0" cellspacing="10" align="center"
|-
|
== Platinum Sponsors ==

|
| [File:Qualys-468-60.png]
|
|
|-
|  
|-
|
== Gold Sponsors ==

| [[Image:Ibmneg blurgb.jpg]]
| [[Image:Fortify logo AppSec Research 2010.png]]
|
|-
|  
|-
|
== Silver Sponsors ==

| [[Image:AppSecDC2009-Sponsor-fishnet.gif]]
| [[Image:Acunetix logo 200.png]]
| [[Image:Barracuda Color Logo.jpg]]
| [[Image:Cenziclogo.png]]
|-
| [[Image:Cigital-hor-color.JPG|120px]]
| [[Image:Fujitsu-red-opt-b-150x56.gif]]
| [[Image:Netspi logo.png]]
|
|-
|
|
|
|
|-
|
|
|
|
|-
|
|
|
|
|-
|  
|-
|  
|-
|
=== Organizational Sponsors ===

| [[Image:Isc2 logo.gif|120px]]
|
|-
|  
|-
|
=== Reception Sponsors ===

|
|-
|
=== Coffee Sponsors ===

|
|
|}

==== REGISTER NOW ====

Click [http://www.appsecusa.org/register-now.html here]  for registration information. 

[http://www.appsecusa.org/register-now.html http://www.appsecusa.org/register-now.html]

<headertabs />

[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_USA]]