<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Leeannehart</id>
		<title>OWASP - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Leeannehart"/>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php/Special:Contributions/Leeannehart"/>
		<updated>2026-04-23T04:41:44Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.27.2</generator>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2010&amp;diff=84729</id>
		<title>OWASP AppSec DC 2010</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2010&amp;diff=84729"/>
				<updated>2010-06-08T17:25:43Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: Just correcting my name :-)&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__ &lt;br /&gt;
[http://www.dcconvention.com/ Walter E. Washington Convention Center] | Registration opening soon!&lt;br /&gt;
&amp;lt;br&amp;gt; &amp;lt;!-- Header --&amp;gt;&lt;br /&gt;
====Welcome====  &lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;width: 100%; color: rgb(0, 0, 0);&amp;quot; | &lt;br /&gt;
{| style=&amp;quot;border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;width: 95%; color: rgb(0, 0, 0);&amp;quot; | &lt;br /&gt;
'''Press Release June 3rd 2010 -- [http://www.owasp.org/images/1/19/AppSecDC_2010_Announcement.pdf AppSec DC 2010 Conference Announcement and opening CFP &amp;amp; CFT!]''' &lt;br /&gt;
&lt;br /&gt;
We are pleased to announce that the [http://www.owasp.org/index.php/Washington_DC OWASP DC chapter] will host the OWASP AppSecDC 2010 regional conference in Washington, DC. The AppSecDC conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals. &lt;br /&gt;
&lt;br /&gt;
AppSecDC 2010 will be held at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] ([http://maps.google.com/maps?q=801+Mount+Vernon+Place+NW+Washington,+DC+20001&amp;amp;oe=utf-8&amp;amp;client=firefox-a&amp;amp;ie=UTF8&amp;amp;split=0&amp;amp;gl=us&amp;amp;ei=kSntSYT5B5WOMvOWzPUP&amp;amp;ll=38.904977,-77.022979&amp;amp;spn=0.00895,0.019977&amp;amp;z=16&amp;amp;iwloc=A 801 Mount Vernon Place NW Washington, DC 20001]) on November 8th through 11th 2010. &lt;br /&gt;
&lt;br /&gt;
'''Who Should Attend AppSec DC 2010:''' &lt;br /&gt;
&lt;br /&gt;
*Application Developers &lt;br /&gt;
*Application Testers and Quality Assurance &lt;br /&gt;
*Application Project Management and Staff &lt;br /&gt;
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff &lt;br /&gt;
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance &lt;br /&gt;
*Security Managers and Staff &lt;br /&gt;
*Executives, Managers, and Staff Responsible for IT Security Governance &lt;br /&gt;
*IT Professionals Interested in Improving IT Security&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''[[OWASP AppSec DC 2010 - FAQ|Conference FAQ]]'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Mediawiki needs all these spaces --&amp;gt; &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Twitter Box --&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| style=&amp;quot;border: 0px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0);&amp;quot; | &amp;lt;!-- DON'T REMOVE ME, I'M STRUCTURAL --&amp;gt; &lt;br /&gt;
[[Image:AppSecDCMMXforsite.png]] &lt;br /&gt;
&lt;br /&gt;
{|&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);&amp;quot; | &lt;br /&gt;
Use the '''[http://search.twitter.com/search?q=%23AppSecDC #AppSecDC]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?) &lt;br /&gt;
&lt;br /&gt;
'''@AppSecDC09 Twitter Feed ([http://twitter.com/AppSecDC follow us on Twitter!])''' &amp;lt;twitter&amp;gt;34534108&amp;lt;/twitter&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| style=&amp;quot;width: 110px; font-size: 95%; color: rgb(0, 0, 0);&amp;quot; | &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
| style=&amp;quot;width: 110px; font-size: 95%; color: rgb(0, 0, 0);&amp;quot; | &lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- End Banner --&amp;gt; &lt;br /&gt;
&lt;br /&gt;
==== Registration  ====&lt;br /&gt;
&lt;br /&gt;
== Registration will open soon  ==&lt;br /&gt;
&lt;br /&gt;
'''Who Should Attend AppSec DC 2010:''' &lt;br /&gt;
&lt;br /&gt;
*Application Developers &lt;br /&gt;
*Application Testers and Quality Assurance &lt;br /&gt;
*Application Project Management and Staff &lt;br /&gt;
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff &lt;br /&gt;
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance &lt;br /&gt;
*Security Managers and Staff &lt;br /&gt;
*Executives, Managers, and Staff Responsible for IT Security Governance &lt;br /&gt;
*IT Professionals Interested in Improving IT Security&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; For the student discount, attendees must present proof of enrollment when picking up their badge. &lt;br /&gt;
&lt;br /&gt;
==== Volunteer  ====&lt;br /&gt;
&lt;br /&gt;
== Volunteers Needed!  ==&lt;br /&gt;
&lt;br /&gt;
Get involved! &lt;br /&gt;
&lt;br /&gt;
We will take all the help we can get to pull off the best Web Application Security Conference of the year! &lt;br /&gt;
&lt;br /&gt;
More opportunities and areas will be added as time goes on. Our [http://www.owasp.org/images/f/f1/OWASP_DCAppSec_Vol_Guide.pdf Volunteer Guide] can be downloaded which outlines some of the responsibilities and available positions.&lt;br /&gt;
&lt;br /&gt;
To volunteer please email [mailto:volunteers@appsecdc.org volunteers@appsecdc.org] or you can e-mail the Volunteer Coordinators [mailto:josh.feinblum@owasp.org Josh Feinblum] and [mailto:jrose@owasp.org Jon Rose] &lt;br /&gt;
&lt;br /&gt;
==== CFP  ====&lt;br /&gt;
&lt;br /&gt;
Building on the success of AppSec DC 2009, OWASP is pleased to announce the OWASP AppSecDC 2010 conference held at the Walter E. Washington Convention Center on November 8th through 11th 2010.  Plenary sessions will be on November 10th and 11th preceded by Web Application Security Training on November 8th and 9th.  &lt;br /&gt;
&lt;br /&gt;
You can submit talks at the [http://www.easychair.org/conferences/overview.cgi?a=a08d1d605d3a EasyChair Conference Page].  '''Submission deadline is July 31st 2010'''.  Inquiries can be made to cfp@appsecdc.org.&lt;br /&gt;
&lt;br /&gt;
We are seeking presentations on the following topics:&lt;br /&gt;
*OWASP Tools and Projects&lt;br /&gt;
*Cloud Application Security&lt;br /&gt;
*Government Approaches to Application Security&lt;br /&gt;
*Application Security Case Studies&lt;br /&gt;
*Application Security and Business Risks&lt;br /&gt;
*Metrics for Application Security&lt;br /&gt;
*Web Services Security&lt;br /&gt;
*Source Code Review&lt;br /&gt;
*Web Application Security Testing&lt;br /&gt;
*Secure Coding Practices&lt;br /&gt;
*Privacy Concerns&lt;br /&gt;
*Vulnerabilities/Exploits in the Web App World&lt;br /&gt;
*Defense &amp;amp; Countermeasures in the Web App World&lt;br /&gt;
*Other web application security topics&lt;br /&gt;
&lt;br /&gt;
Additional information can be found in the FAQ.  You will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.&lt;br /&gt;
&lt;br /&gt;
===Program Committee===&lt;br /&gt;
* [mailto:mark.bristow@owasp.org Mark Bristow] (Chair)&lt;br /&gt;
* [mailto:jeff.williams@owasp.org Jeff Williams]&lt;br /&gt;
* [mailto:doug.wilson@owasp.org Doug Wilson]&lt;br /&gt;
* [mailto:wade.woolwine@owasp.org Wade Woolwine]&lt;br /&gt;
* [mailto:jeremy.long@owasp.org Jeremy Long]&lt;br /&gt;
* [mailto:tom.hallewell@owasp.org Tom Hallewell]&lt;br /&gt;
* [mailto:grecs@owasp.org Grecs]&lt;br /&gt;
* [mailto:josh.feinblum@owasp.org Josh Feinblum]&lt;br /&gt;
* [mailto:ben.null@owasp.org Ben Null]&lt;br /&gt;
* Matt Fisher&lt;br /&gt;
* [mailto:dave.sachdev@owasp.org Dave Sachdev]&lt;br /&gt;
* [mailto:shawn.duffy@owasp.org Shawn Duffy]&lt;br /&gt;
* [mailto:jrose@owasp.org Jon Rose]&lt;br /&gt;
&lt;br /&gt;
==== Training  ====&lt;br /&gt;
&lt;br /&gt;
OWASP is currently soliciting training providers for the OWASP AppSec DC 2010 Conference that will take place at the Walter E. Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001) on November 8th through 11th of 2010.  There will be training courses on November 8th and 9th followed by plenary sessions on the 10th and 11th. There are a total of six classrooms over two days or 12 training days available at the conference.  Three classrooms hold 30 students and the other three have a capacity of 24 students. &lt;br /&gt;
&lt;br /&gt;
The following conditions apply for people or organizations that want to provide training at the conference:&lt;br /&gt;
* Training provider should provide class syllabus / training materials.&lt;br /&gt;
* Proceeds will be split 60/40 (OWASP/Trainer) for the training class. &lt;br /&gt;
* The 60% for OWASP goes towards: Classroom Rental, Conference Logistics/Registration, and Food and OWASP Grants for Research Projects.&lt;br /&gt;
* Courses must have an enrollment of 60% before class is considered operational.&lt;br /&gt;
* Price per attendee: 2-Day Class $1495/ 1-Day Class $745.&lt;br /&gt;
* Trainers can brand training materials to increase their exposure&lt;br /&gt;
* Classes are to be focused around Application Security &lt;br /&gt;
&lt;br /&gt;
Submissions must use the [http://www.owasp.org/images/d/d1/APPSEC_DC_2010_Training_Form.doc Training Proposal Template].  Training proposals should consist of the following information:&lt;br /&gt;
* Trainer contact info (country of origin and residence, postal address, phone, e-mail).&lt;br /&gt;
* Employer and/or affiliations.&lt;br /&gt;
* Training synopsis, proposed training title, and a one-paragraph description.&lt;br /&gt;
* Brief biography, list of publications and papers.&lt;br /&gt;
* Any significant presentation and educational experience/background.&lt;br /&gt;
* Reason why this material is innovative or significant or an important training for the OWASP conference.&lt;br /&gt;
* Please list any other publications or conferences where this material has been or will be published/submitted.&lt;br /&gt;
* Training format (hands-on, lecture …)&lt;br /&gt;
* Provide a list of items/software students need for the training.&lt;br /&gt;
* Optionally, any samples of prepared material or outlines.&lt;br /&gt;
&lt;br /&gt;
'''Submission deadline is July 31st 2010'''.  Submissions must use the [http://www.owasp.org/images/d/d1/APPSEC_DC_2010_Training_Form.doc Training Proposal Template].  Submit Proposals to training@appsecdc.org.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Contests  ====&lt;br /&gt;
&lt;br /&gt;
TBD&lt;br /&gt;
&lt;br /&gt;
==== Venue  ====&lt;br /&gt;
&lt;br /&gt;
== Walter E. Washington Convention Center  ==&lt;br /&gt;
&lt;br /&gt;
AppSec DC 2010 will be taking place at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] in downtown Washington DC. &lt;br /&gt;
&lt;br /&gt;
The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro], and only a few blocks from our convention hotel, the [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] (reserve rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&amp;amp;eventID=1401279&amp;amp;fromResdesk=true here]). &lt;br /&gt;
&lt;br /&gt;
[http://www.dcconvention.com/ http://www.owasp.org/images/8/85/Screen_shot_2009-10-03_at_12.55.55_PM.png]&lt;br /&gt;
&lt;br /&gt;
==== Hotel  ====&lt;br /&gt;
&lt;br /&gt;
Hotel Information TBD&lt;br /&gt;
&lt;br /&gt;
==== Sponsors  ====&lt;br /&gt;
&lt;br /&gt;
== Sponsors  ==&lt;br /&gt;
&lt;br /&gt;
We are currently soliciting sponsors for the AppSec DC Conference. Please refer to our '''[http://www.owasp.org/images/b/bf/APPSEC_DC_2010_sponsorships_1.pdf sponsorship opportunities]''' for details. &lt;br /&gt;
&lt;br /&gt;
Slots are going fast so contact us to sponsor today! &lt;br /&gt;
&lt;br /&gt;
==== Travel  ====&lt;br /&gt;
&lt;br /&gt;
== Traveling to the DC Metro Area  ==&lt;br /&gt;
&lt;br /&gt;
The Washington DC Area is serviced by three airports -- [http://www.metwashairports.com/national/ Reagan National (DCA)], [http://www.metwashairports.com/Dulles/ Dulles (IAD)], and [http://www.bwiairport.com/en Thurgood Marshall Baltimore/Washington International (BWI)]. All currently have available transportation to downtown DC via public transportation, shuttles, or cab. &lt;br /&gt;
&lt;br /&gt;
Washington DC is also serviced by [http://www.amtrak.com Amtrak], [http://www.vre.org/ VRE], and [http://www.mtamaryland.com/services/marc/ MARC] train lines, which arrive in [http://www.wmata.com/rail/station_detail.cfm?station_id=25 Union Station], a few metro stops or a short cab ride away from the convention center and the Grand Hyatt. &lt;br /&gt;
&lt;br /&gt;
If you live in the DC Metropolitan area, we suggest taking [http://www.wmata.com Metro] to the event. The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro]. &lt;br /&gt;
&lt;br /&gt;
==== Conference Committee ====&lt;br /&gt;
&lt;br /&gt;
===Organizers=== &lt;br /&gt;
Mail List: [mailto:organizers@appsecdc.org organizers@appsecdc.org]&lt;br /&gt;
&lt;br /&gt;
* [mailto:mark.bristow@owasp.org Mark Bristow]&lt;br /&gt;
* [mailto:doug.wilson@owasp.org Doug Wilson]&lt;br /&gt;
* [mailto:wade.woolwine@owasp.org Wade Woolwine]&lt;br /&gt;
&lt;br /&gt;
===Arch-Minions=== &lt;br /&gt;
Mail List: [mailto:leads@appsecdc.org leads@appsecdc.org]&lt;br /&gt;
&lt;br /&gt;
* Facilities ([mailto:facilities@appsecdc.org  facilities@appsecdc.org])&lt;br /&gt;
** [mailto:jeremy.long@owasp.org Jeremy Long]&lt;br /&gt;
** [mailto:doug.wilson@owasp.org Doug Wilson]&lt;br /&gt;
** [mailto:mark.bristow@owasp.org Mark Bristow]&lt;br /&gt;
* Content ([mailto:content@appsecdc.org  content@appsecdc.org])&lt;br /&gt;
** [mailto:jeremy.long@owasp.org Jeremy Long]&lt;br /&gt;
** [mailto:mark.bristow@owasp.org Mark Bristow]&lt;br /&gt;
** [mailto:shawn.duffy@owasp.org Shawn Duffy]&lt;br /&gt;
* Security ([mailto:security@appsecdc.org  security@appsecdc.org])&lt;br /&gt;
** TBD&lt;br /&gt;
* Press ([mailto:press@appsecdc.org  press@appsecdc.org])&lt;br /&gt;
** [mailto:mike.smith@owasp.org Mike Smith]&lt;br /&gt;
** [mailto:mark.bristow@owasp.org Mark Bristow]&lt;br /&gt;
** [mailto:doug.wilson@owasp.org Doug Wilson]&lt;br /&gt;
** [mailto:wade.woolwine@owasp.org Wade Woolwine]&lt;br /&gt;
* Registration/Info Desk ([mailto:info@appsecdc.org info@appsecdc.org])&lt;br /&gt;
** [mailto:Kate.Hartmann@owasp.org Kate Hartmann]&lt;br /&gt;
** [mailto:mark.bristow@owasp.org Mark Bristow]&lt;br /&gt;
** [mailto:wade.woolwine@owasp.org Wade Woolwine]&lt;br /&gt;
* Volunteer Coordinators ([mailto:volunteers@appsecdc.org volunteers@appsecdc.org])&lt;br /&gt;
** [mailto:josh.feinblum@owasp.org Josh Feinblum]&lt;br /&gt;
** [mailto:jrose@owasp.org Jon Rose]&lt;br /&gt;
** [mailto:wade.woolwine@owasp.org Wade Woolwine]&lt;br /&gt;
* Competitions/Contests/Events ([mailto:contests@appsecdc.org contests@appsecdc.org])&lt;br /&gt;
** [mailto:jrose@owasp.org Jon Rose] (Chair)&lt;br /&gt;
** [mailto:ken.johnson@owasp.org Ken Johnson]&lt;br /&gt;
** [mailto:ben.null@owasp.org Ben Null]&lt;br /&gt;
** [mailto:wade.woolwine@owasp.org Wade Woolwine]&lt;br /&gt;
* Marketing/Community Outreach ([mailto:outreach@appsecdc.org outreach@appsecdc.org])&lt;br /&gt;
** [mailto:dave.sachdev@owasp.org Dave Sachdev]&lt;br /&gt;
** [mailto:lahla@owasp.org Lee Anne Hart]&lt;br /&gt;
** [mailto:doug.wilson@owasp.org Doug Wilson]&lt;br /&gt;
** [mailto:mark.bristow@owasp.org Mark Bristow]&lt;br /&gt;
* Sponsorships ([mailto:sponsors@appsecdc.org sponsors@appsecdc.org])&lt;br /&gt;
** [mailto:josh.feinblum@owasp.org Josh Feinblum]&lt;br /&gt;
** [mailto:tom.hallewell@owasp.org Tom Hallewell]&lt;br /&gt;
** [mailto:grecs@owasp.org Grecs]&lt;br /&gt;
** [mailto:mark.bristow@owasp.org Mark Bristow]&lt;br /&gt;
** [mailto:doug.wilson@owasp.org Doug Wilson]&lt;br /&gt;
** [mailto:wade.woolwine@owasp.org Wade Woolwine]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_2010]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Injectable_Exploits:_Two_New_Tools_for_Pwning_Web_Apps_and_Browsers&amp;diff=71846</id>
		<title>Injectable Exploits: Two New Tools for Pwning Web Apps and Browsers</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Injectable_Exploits:_Two_New_Tools_for_Pwning_Web_Apps_and_Browsers&amp;diff=71846"/>
				<updated>2009-10-20T15:35:08Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Kevin_Johnson.jpg|200px|thumb|right|Kevin Johnson]]Injectable exploits focus on the exploitation of major web flaws during penetration tests. Two new tools will be released that expand the foothold penetration testers can obtain through SQL injection and XSS flaws. These tools provide greater insight into the network hosting the web application and the networks in which the users are located. The first tool, Yokoso!, is an infrastructure fingerprinting system delivered via XSS attack. The second tool, Laudanum, is a collection of injectable files that are prebuilt to perform various attacks within a network. The final portion of the talk will cover SamuraiWTF. SamuraiWTF is a live CD environment focused on web penetration tests. It was released during DEFCON 16 and has had four new releases since that time. Both Yokoso! and Laudanum will be included on a new version of SamuraiWTF released at DEFCON this year.&lt;br /&gt;
&lt;br /&gt;
== The speakers  ==&lt;br /&gt;
&lt;br /&gt;
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time contributes to a large number of open source security projects. Kevin founded and leads development of the B.A.S.E. (Basic Analysis and Security Engine) project. The BASE project is the most popular web interface for the Snort intrusion detection system. Kevin is an instructor for SANS, teaching both the Incident Handling and Hacker Techniques class and the Web Application Penetration Testing and Ethical Hacking class, of which he is the author. He has presented to many organizations, including Infragard, ISACA, ISSA, RSA and the University of Florida. &lt;br /&gt;
&lt;br /&gt;
Justin Searle, a Senior Security Analyst with InGuardians, specializes in penetration testing and security architecture. Previously, Justin served as JetBlue Airways' IT Security Architect and has provided top-tier support for the largest supercomputers in the world. Justin has taught hacking techniques, forensics, networking, and intrusion detection courses for multiple universities and corporations. Justin has presented at top security conferences including DEFCON, ToorCon, ShmooCon, and SANS. In his rapidly dwindling spare time, Justin co-leads prominent open source projects including The Middler, the Samurai Web Testing Framework, and the social networking pentest tools Yokoso! and Laudanum. He is actively working to finish the upcoming bestseller The Seven Most Deadly Social Network Hacks, with Tom Eston of the Security Justice Podcast and Kevin Johnson of InGuardians. Justin has an MBA in International Technology and is CISSP and SANS GIAC-certified in incident handling and hacker techniques (GCIH) and intrusion analysis (GCIA). &lt;br /&gt;
&lt;br /&gt;
Frank DiMaggio is a manager of the Intel server team with a large insurance company in the Southeast. He has been in a systems administration role for over 18 years, working with small and medium sized businesses in North Florida. His experience is with Microsoft, Novell and Linux operating systems. In his spare time he contributes to open source security projects such as BASE, SamuraiWTF and Yokoso!&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Advanced_SQL_Injection&amp;diff=71845</id>
		<title>Advanced SQL Injection</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Advanced_SQL_Injection&amp;diff=71845"/>
				<updated>2009-10-20T15:31:39Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Joe_McCray.jpg|200px|thumb|right|Joe McCray]]SQL Injection is a vulnerability that is often missed by web application security scanners, and it's a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited.&lt;br /&gt;
&lt;br /&gt;
Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.  This updated presentation will cover the following key concepts: IDS Evasion &amp;amp; Web Application Firewall Bypass, Privilege Escalation, Re-Enabling stored procedures, Obtaining an interactive command-shell, Data Exfiltration via DNS.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Joe McCray has 8 years of experience in the security industry with a diverse background that includes network and web application penetration testing, forensics, training, and regulatory compliance. Joe is a frequent presenter at security conferences, and has taught the CISSP, CEH, CHFI, Security+, and Web Application Security courses at Johns Hopkins University (JHU), University of Maryland Baltimore County (UMBC), and several other technical training centers across the country.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Hacking_by_Numbers&amp;diff=71844</id>
		<title>Hacking by Numbers</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Hacking_by_Numbers&amp;diff=71844"/>
				<updated>2009-10-20T15:25:53Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Tom_Brennan.jpg|200px|thumb|right|Tom Brennan]]There is a difference between what is possible and what is probable, something we often lose sight of in the world of information security. For example, a vulnerability represents a possible way for an attacker to exploit an asset, but remember that not all vulnerabilities are created equal. Obviously we must also keep in mind that just because a vulnerability exists does not necessarily mean it will be exploited, or indicate by whom or to what extent. Clearly, many vulnerabilities are very serious, leaving the door open to compromise of sensitive information, financial loss, brand damage, violation of industry regulations, and downtime. Some vulnerabilities are more difficult to exploit than others and therefore attract different attackers. Autonomous worms &amp;amp; viruses may attack one type of issue, while a sentient targeted attacker may prefer another path. Better understanding of these factors enables us to make informed business decisions about website risk management and what is probable.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Tom is a member of [http://www.whitehatsec.com WhiteHat Security] and serves as a Board Member of the OWASP Foundation; more details can be found at [http://www.proactiverisk.com his webpage on a cloud].  &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=The_10_least-likely_and_most_dangerous_people_on_the_Internet&amp;diff=71839</id>
		<title>The 10 least-likely and most dangerous people on the Internet</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=The_10_least-likely_and_most_dangerous_people_on_the_Internet&amp;diff=71839"/>
				<updated>2009-10-20T15:24:35Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Robert_Hanson.jpg|200px|thumb|right|Robert Hansen]]There are a number of people who work in roles and at places that drive much of the security on the Internet.  Could these people theoretically be subverted, swayed or otherwise hacked?  These people may, themselves, not even know how much control they have.  This is a wide look at some of the worst single points of failure that our industry, electronic commerce and the Internet at large have in general.&lt;br /&gt;
&lt;br /&gt;
== The speakers  ==&lt;br /&gt;
&lt;br /&gt;
Robert Hansen (CEO, Founder of SecTheory) has worked for Digital Island, Exodus Communications and Cable &amp;amp; Wireless in varying roles, from Sr. Security Architect to eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory board for the Intrepidus Group, previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies. Mr. Hansen authors content on O'Reilly and co-authored &amp;quot;XSS Exploits&amp;quot; by Syngress publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also has briefed the DoD at the Pentagon and speaks at SourceBoston, Secure360, GFIRST/US-CERT, CSI, Toorcon, APWG, ISSA, TRISC, World OWASP/WASC conferences, SANS, Microsoft's Bluehat, Blackhat, DefCon, Networld+Interop, and has been the keynote speaker at the New York Cyber Security Conference, NITES and OWASP Appsec Asia. Mr. Hansen is a member of Infragard, Austin Chamber of Commerce, West Austin Rotary, WASC, IACSP and APWG; he is the Industry Liaison for the Austin ISSA and contributed to the OWASP 2.0 guide.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Malicious_Developers_and_Enterprise_Java_Rootkits&amp;diff=71838</id>
		<title>Malicious Developers and Enterprise Java Rootkits</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Malicious_Developers_and_Enterprise_Java_Rootkits&amp;diff=71838"/>
				<updated>2009-10-20T15:23:31Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:JeffWilliams2.jpg|200px|thumb|right|Jeff Williams]]How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? Malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. A trojaned Struts or Log4j library could affect most of the financial industry at once.&lt;br /&gt;
&lt;br /&gt;
This technical talk will examine some of the techniques that malicious programmers can use to insert and hide these attacks in a Java web application. What can organizations do to minimize the risk of malicious Java developers? We'll review the benefits and limitations of technical controls, such as sandboxes, configuration management, least privilege, and intrusion detection. We'll also discuss the use of detection techniques such as code review and static analysis tools. Finally, we'll talk about people and organizational issues that can help minimize this risk.&lt;br /&gt;
&lt;br /&gt;
A long technical paper and an Eclipse project with all the code examples is [http://www.aspectsecurity.com/documents/EnterpriseJavaRootkits.zip available].&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
'''[[User:Jeff Williams|Jeff Williams]]''' is the founder and CEO of [http://www.aspectsecurity.com/ Aspect Security], specializing exclusively in application security professional services. Jeff also serves as the volunteer Chair of the [http://www.owasp.org/ Open Web Application Security Project (OWASP)]. He has made extensive contributions to the application security community through OWASP, including writing the [[topten|Top Ten]], [[WebGoat]], [[legal|Secure Software Contract Annex]], [[ESAPI|Enterprise Security API]], [[OWASP Risk Rating Methodology]], and starting the worldwide [[chapters|local chapters program]]. If nothing else, Jeff is probably the tallest application security expert in the world and likes nothing better than discussing new ideas for changing the way we build software.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=SCAP:_Automating_our_way_out_of_the_Vulnerability_Wheel_of_Pain&amp;diff=71837</id>
		<title>SCAP: Automating our way out of the Vulnerability Wheel of Pain</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=SCAP:_Automating_our_way_out_of_the_Vulnerability_Wheel_of_Pain&amp;diff=71837"/>
				<updated>2009-10-20T15:21:54Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Ed_Bellis.jpg|200px|thumb|right|Ed Bellis]]The harsh economic climate has hit us all in some way. Budgets are trimmed and spending is down. We are continuously asked to do more with less, but how? Certainly the attackers aren't spending less! Our web applications continue to grow in size and complexity. So what can an InfoSec team do to become more efficient and still effectively protect our applications? At Orbitz, our team took a hard look at where we were spending a lot of our time, the grunt work, and how we could spend less of it. After building out a fairly comprehensive vulnerability management program and using a lot of best-in-breed tools, we found ourselves with an overabundance of manual labor on our hands putting together the pieces of our vulnerability puzzle. After looking around the market space, we found nothing that could really help us with this growing problem. Lo and behold, there's a government set of standards now to put all this together. What the heck, let's build it!&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Ed Bellis is VP and Chief Information Security Officer for Orbitz Worldwide. Ed is responsible for the protection and security of all information and electronic assets, as well as compliance and ethics, across the wide array of business units that make up Orbitz Worldwide on a global basis. These assets include Orbitz, CheapTickets, eBookers, Away.com, HotelClub, RatesToGo, AsiaHotels, and Orbitz for Business. With over 16 years of experience in information security and technology, Ed has worked with and been involved in protecting information assets at several Fortune 500 companies. Prior to joining Orbitz, Ed served as VP of Corporate Information Security for Bank of America within their Global Corporate and Investment Banking division. Ed serves on the advisory board of the Society of Payment Security Professionals and co-leads the OWASP PCI project. He is also a frequent blogger for CSOonline.com.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Application_security_metrics_from_the_organization_on_down_to_the_vulnerabilities&amp;diff=71836</id>
		<title>Application security metrics from the organization on down to the vulnerabilities</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Application_security_metrics_from_the_organization_on_down_to_the_vulnerabilities&amp;diff=71836"/>
				<updated>2009-10-20T15:20:59Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Chris_Wysopal.jpg|200px|thumb|right|Chris Wysopal]]Application security metrics are valuable today yet are still evolving. The best place to start is organizational metrics. CISOs and other security managers should be asking the questions: What applications do I have? What is the business criticality of those apps? What security analyses have been performed? Once those questions are answered, the next level of metrics should be determined. What is the coverage of the different security techniques, both in breadth and depth? What testing should I perform, how do I prioritize what to remediate, and how do I know when I am secure? This talk will present the data to collect and how to calculate metrics to measure and improve application security.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Chris Wysopal, Veracode's CTO and Co-Founder, is responsible for the company's software security analysis capabilities. One of the original web vulnerability researchers with The L0pht and later @stake, Chris testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He is the author of &amp;quot;The Art of Software Security Testing&amp;quot;, published in 2007 by Addison-Wesley. Recently Chris, along with experts from more than 30 cyber security organizations, helped develop the SANS-CWE Top 25 Most Dangerous Programming Errors.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Social_Zombies:_Your_Friends_Want_to_Eat_Your_Brains&amp;diff=71835</id>
		<title>Social Zombies: Your Friends Want to Eat Your Brains</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Social_Zombies:_Your_Friends_Want_to_Eat_Your_Brains&amp;diff=71835"/>
				<updated>2009-10-20T15:18:32Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Kevin_Johnson.jpg|200px|thumb|right|Kevin Johnson]]In Social Zombies: Your Friends Want to Eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sown today, this presentation will examine the risks and then present tools that can be used to exploit these issues. This presentation begins by discussing the various privacy concerns that are caused by the mass of trust that social networks represent. We use this privacy confusion to exploit members and their companies during our penetration tests. The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined. Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&amp;amp;C directions. Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.&lt;br /&gt;
&lt;br /&gt;
== The speakers  ==&lt;br /&gt;
&lt;br /&gt;
Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time contributes to a large number of open source security projects. Kevin founded and leads development of the B.A.S.E. (Basic Analysis and Security Engine) project. The BASE project is the most popular web interface for the Snort intrusion detection system. Kevin is an instructor for SANS, teaching both the Incident Handling and Hacker Techniques class and the Web Application Penetration Testing and Ethical Hacking class, of which he is the author. He has presented to many organizations, including Infragard, ISACA, ISSA, RSA and the University of Florida.&lt;br /&gt;
&lt;br /&gt;
Tom Eston is a penetration tester for a Fortune 500 financial services organization. Tom currently serves as the security assessment team lead. Tom began his career over twelve years ago as a systems and network administrator for several large and medium-sized businesses. He began his career in security by helping form an information security department for a real estate development company. Tom is actively involved in the security community and focuses his research on the security of social media. He is a contributing author to a social media eBook and has written a Facebook Privacy &amp;amp; Security Guide, which is used in several major universities as part of student security awareness programs. Tom is also a security blogger, co-host of the Security Justice podcast and a frequent speaker at security user groups and conferences. Tom recently gave a talk at Notacon 6 titled &amp;quot;The Rise of the Autobots: Into the Underground of Social Network Bots&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_ESAPI_AppSecDC&amp;diff=71834</id>
		<title>OWASP ESAPI AppSecDC</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_ESAPI_AppSecDC&amp;diff=71834"/>
				<updated>2009-10-20T15:17:04Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation ==&lt;br /&gt;
&lt;br /&gt;
[[Image:JeffWilliams2.jpg|200px|thumb|right|Jeff Williams]]&lt;br /&gt;
In an enterprise with hundreds or thousands of applications, securing one at a time is too expensive and takes too long. The goal of this session is to identify the strategies that most cost-effectively reduce risk over time. How do we craft an effective application security program using a combination of tools, standard controls, consultants, in-house teams, testers and auditors, and training? How can we manage the cost and risk over time – what metrics have proven to be effective in practice?&lt;br /&gt;
&lt;br /&gt;
== The speaker ==&lt;br /&gt;
Jeff Williams is the founder and CEO of [http://www.aspectsecurity.com/ Aspect Security], specializing exclusively in application security professional services. Jeff also serves as the volunteer Chair of the [http://www.owasp.org/ Open Web Application Security Project (OWASP)]. He has made extensive contributions to the application security community through OWASP, including writing the [[topten|Top Ten]], [[WebGoat]], [[legal|Secure Software Contract Annex]], [[ESAPI|Enterprise Security API]], [[OWASP Risk Rating Methodology]], and starting the worldwide [[chapters|local chapters program]]. If nothing else, Jeff is probably the tallest application security expert in the world and likes nothing better than discussing new ideas for changing the way we build software.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Kevin_Johnson.jpg&amp;diff=71832</id>
		<title>File:Kevin Johnson.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Kevin_Johnson.jpg&amp;diff=71832"/>
				<updated>2009-10-20T15:15:29Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Tom_Brennan.jpg&amp;diff=71831</id>
		<title>File:Tom Brennan.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Tom_Brennan.jpg&amp;diff=71831"/>
				<updated>2009-10-20T15:14:58Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Robert_Hanson.jpg&amp;diff=71830</id>
		<title>File:Robert Hanson.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Robert_Hanson.jpg&amp;diff=71830"/>
				<updated>2009-10-20T15:14:33Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:John_Steven2.jpg&amp;diff=71829</id>
		<title>File:John Steven2.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:John_Steven2.jpg&amp;diff=71829"/>
				<updated>2009-10-20T15:13:29Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Ed_Bellis.jpg&amp;diff=71828</id>
		<title>File:Ed Bellis.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Ed_Bellis.jpg&amp;diff=71828"/>
				<updated>2009-10-20T15:13:02Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Chris_Wysopal.jpg&amp;diff=71827</id>
		<title>File:Chris Wysopal.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Chris_Wysopal.jpg&amp;diff=71827"/>
				<updated>2009-10-20T15:12:42Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Joe_McCray.jpg&amp;diff=71826</id>
		<title>File:Joe McCray.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Joe_McCray.jpg&amp;diff=71826"/>
				<updated>2009-10-20T15:12:18Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:JeffWilliams2.jpg&amp;diff=71825</id>
		<title>File:JeffWilliams2.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:JeffWilliams2.jpg&amp;diff=71825"/>
				<updated>2009-10-20T15:11:48Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=SANS_Dshield_Webhoneypot_Project&amp;diff=71824</id>
		<title>SANS Dshield Webhoneypot Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=SANS_Dshield_Webhoneypot_Project&amp;diff=71824"/>
				<updated>2009-10-20T14:14:31Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Jason_Lam.jpg|200px|thumb|right|Jason Lam]]The DShield project has been providing the information security industry with early attack warning data for over 8 years. The project has recently been expanding the detection scope to web application attacks. Volunteers deploy web honeypots distributed around the globe. These honeypots collect full log details (including HTTP request header and body) for DShield to archive and analyze. In this presentation, the goals and architecture as well as the experience gained in designing and implementing the distributed honeypot application will be shared and discussed along with demonstrations of some of the more interesting results obtained. Audience members will be encouraged to participate and contribute to the project.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Jason Lam is a senior security analyst at a global financial institution. He is also an author and instructor for the SANS Institute, specializing in creating courses on web application defense and penetration testing. In his free time he is an incident handler with the SANS Internet Storm Center. Recently, he took on the role of leader of the DShield honeypot project. The DShield Honeypot Project sets up and monitors web application honeypots all over the world, gathering their logs and performing important research and analysis on the latest trends and attacks.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Manipulating_Web_Application_Interfaces,_a_new_approach_to_input_validation&amp;diff=71823</id>
		<title>Manipulating Web Application Interfaces, a new approach to input validation</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Manipulating_Web_Application_Interfaces,_a_new_approach_to_input_validation&amp;diff=71823"/>
				<updated>2009-10-20T14:14:01Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Felipe_Moreno-Strauch.jpg|200px|thumb|right|Felipe Moreno-Strauch]]This talk will suggest a new approach for web application input validation testing and introduce Groundspeed, an open-source Firefox extension that manipulates the interface of web applications in order to make the life of the security tester easier. Today, most of the manual parameter manipulation tests in web applications are performed using tools that modify the raw HTTP requests sent to the server. While this approach works well on simple applications, it is often inappropriate for more complex applications. Groundspeed is a Firefox extension that allows the security tester to modify the application user interface by manipulating the forms and form elements, eliminating annoying limitations and client-side controls. Some of the practical uses of Groundspeed include changing all hidden fields into text fields, removing size limitations on input fields and modifying JavaScript event handlers to bypass client-side validation without actually removing it. The extension works by dynamically modifying the Document Object Model (DOM) of the page after Firefox has finished loading and rendering it. The changes take effect immediately and, since the modification happens entirely on the client side without generating new requests to the server, it is completely transparent to the application. More information, including a link to download and install Groundspeed, is available here: http://groundspeed.wobot.org.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Felipe Moreno is a manager at the Ernst &amp;amp; Young Advanced Security Center (ASC), based in New York City. He has more than 8 years of information security experience performing application security reviews and penetration tests in addition to teaching secure coding classes to Fortune 500 clients both in the US and Europe.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Is_your_organization_secured_against_internal_threats%3F&amp;diff=71822</id>
		<title>Is your organization secured against internal threats?</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Is_your_organization_secured_against_internal_threats%3F&amp;diff=71822"/>
				<updated>2009-10-20T14:13:17Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:lars_ewe.jpg|200px|thumb|right|Lars Ewe]]According to some industry statistics, as much as 70% of all cyberattacks could be related to insiders. While organizations are starting to do something about attacks from external hackers, very little attention is being paid to the employees who are either still there or have been laid off. The resulting legal issues are also inherited by larger companies when they acquire companies that have paid no attention to insider threats. This presentation will detail a number of external attacks which current and former employees would be able to perform using insider information. We will also look at small and mid-size organizations and the common mistakes that expose them to internal threats, which in turn create problems for the larger organizations that acquire them and then become accountable for legal issues arising from the mishandling of data such as PII through implicit trust of internal employees. We will cover the background of insider threats, legal and compliance issues resulting from insider threats, sample exploits, solutions, integration of third-party data, and an action plan to take away. I will also show an example exploit of a current employee using anonymous external accounts to craft and 'exploit' themselves at work, leaving a trail which is immune to forensics.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Chief Technology Officer and VP of Engineering for Cenzic, Lars Ewe is a technology executive with a broad background in (web) application development and security, middleware infrastructure, software development, and application/system manageability technologies. Throughout his career, Lars has held key positions in engineering and product management in a variety of different markets. Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Secure_SDLC:_The_Good,_The_Bad,_and_The_Ugly&amp;diff=71821</id>
		<title>Secure SDLC: The Good, The Bad, and The Ugly</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Secure_SDLC:_The_Good,_The_Bad,_and_The_Ugly&amp;diff=71821"/>
				<updated>2009-10-20T14:12:33Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Joey_Peloquin.jpg|200px|thumb|right|Joey Peloquin]]This isn't your father's Secure SDLC talk, folks! Join Joey Peloquin, Director of Application Security at FishNet Security, for a real-world peek into the secure application development lifecycle. He'll share real-life anecdotes of good, bad, and ugly development programs, how the PCI DSS affects application security from a QSA's perspective, and what makes real application security programs across the nation tick. Finally, he'll wrap up with a detailed post-mortem of his own first attempt at a program, how it was flawed, and how his team put the pieces back together.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Joey Peloquin is the Director of Application Security at FishNet Security, where he's responsible for project oversight and quality assurance, business development, and managing the team's offerings and methodologies. He's spent the last nine of his fifteen years in I.T. specializing in Information Security, with the last five specifically in Application Security. Prior to joining FishNet Security, he created the service offerings and methodologies for Hewlett-Packard's Application Security Center Professional Services Team. At HP, he also served as the principal delivery consultant and managed all partner-delivered projects. Joey also spent nearly a decade with the JCPenney Corporation, where he transformed himself from a network and systems security specialist into the corporate application security advisor. His final accomplishments there were the creation of JCPenney's application security program framework and a significant increase in application security awareness through aggressive penetration testing policies and remediation assistance. Joey speaks publicly on a regular basis, presenting recently at HP Software Universe, OWASP Front Range Conference, CSO Breakfast Club and Secure360, and has appeared in articles by Internet Retailer, Techtarget, SC Magazine, SD Times, and Information Week.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Vulnerability_Management_in_an_Application_Security_World&amp;diff=71820</id>
		<title>Vulnerability Management in an Application Security World</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Vulnerability_Management_in_an_Application_Security_World&amp;diff=71820"/>
				<updated>2009-10-20T14:11:20Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Dan_Cornell_web.jpg|200px|thumb|right|Dan Cornell]]Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams, and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities and outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams' practice of vulnerability management and development teams' practice of defect management will be addressed in order to facilitate healthy communication between these groups.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the San Antonio chapter leader of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, OWASP's open source tool for assessing the security of AJAX-enabled web applications.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Advanced_SSL:_The_good,_the_bad,_and_the_ugly&amp;diff=71819</id>
		<title>Advanced SSL: The good, the bad, and the ugly</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Advanced_SSL:_The_good,_the_bad,_and_the_ugly&amp;diff=71819"/>
				<updated>2009-10-20T14:10:01Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Michael_Coates.jpg|200px|thumb|right|Michael Coates]]SSL has taken many hits over the past year. From the MD5 rogue certificate creation to SSL Strip, it seems that SSL should be dead and gone. However, SSL is still one of the fundamental security patterns used to protect data in transit. Unfortunately, SSL is widely misunderstood. It's time to take a breath and make sure everyone knows what we are really doing when we implement SSL. This will be an advanced talk that will focus on understanding the entire lifecycle of SSL. How does it work, what are the weaknesses, and what's going on with the recent SSL attacks? We will address issues such as: How does SSL really work? Is redirecting from HTTP to HTTPS safe? Does the landing page need to be SSL? How bad are those browser warnings? What tools are available, and how do I test my server's SSL configuration? Should I be concerned about the MD5 rogue certificate or SSL Strip? These questions and more will be answered. This presentation will not be a basic intro-to-SSL talk. This will be a turbo talk of drinking from the SSL security fire hose. It is intended for security audiences already familiar with the basics of SSL and encryption.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Michael Coates is a Senior Application Security Engineer for Aspect Security and has performed numerous penetration assessments, security code reviews, and security training sessions for leading corporations worldwide. Michael is the creator and leader of the AppSensor project and holds a Masters Degree in Computer Security from DePaul University.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Defend_Yourself:_Integrating_Real_Time_Defenses_into_Online_Applications&amp;diff=71818</id>
		<title>Defend Yourself: Integrating Real Time Defenses into Online Applications</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Defend_Yourself:_Integrating_Real_Time_Defenses_into_Online_Applications&amp;diff=71818"/>
				<updated>2009-10-20T14:09:05Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Michael_Coates.jpg|200px|thumb|right|Michael Coates]]Ask any attacker how many attempts it takes them to successfully exploit a vulnerability - two attempts, three, five? In general, an attacker requires several attempts before they can devise a successful exploit. And that is only after they've probed the site to find the vulnerable areas in the first place. Most applications are missing a critical opportunity: the attacker has made their presence known while probing for the vulnerability. Take defensive action and shut down the offending account! This presentation will continue the discussion on AppSensor, a strategy for implementing automatic attack detection and real-time response to eliminate the threat of an attacker. During this presentation we will explore a new online application which implements AppSensor. The concepts discussed in this presentation can be immediately integrated into enterprise applications looking to bolster their security posture against determined attackers. We will see that the required changes have a minimal impact on the architecture of the application and require only a small amount of code change. However, there are immense benefits to detecting malicious attackers before they are successful.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Michael Coates is a Senior Application Security Engineer for Aspect Security and has performed numerous penetration assessments, security code reviews, and security training sessions for leading corporations worldwide. Michael is the creator and leader of the AppSensor project and holds a Masters Degree in Computer Security from DePaul University. In addition to application security, in previous years Michael was a lead in the detection and response center for a global Fortune 100 corporation, assessed the security of telecommunication networks and performed social engineering testing for financial institutions.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Development_Issues_Within_AJAX_Applications:_How_to_Divert_Threats&amp;diff=71817</id>
		<title>Development Issues Within AJAX Applications: How to Divert Threats</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Development_Issues_Within_AJAX_Applications:_How_to_Divert_Threats&amp;diff=71817"/>
				<updated>2009-10-20T14:08:14Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:lars_ewe.jpg|200px|thumb|right|Lars Ewe]]AJAX has rapidly emerged as a prominent enabling technology in the movement to improve the Web as a software platform for business and consumer applications. Using AJAX development techniques provides software developers with a wide-open platform for creating innovative new Web (2.0) applications. The result is a more readily responsive Web environment which minimizes the &amp;quot;start-stop-start-stop&amp;quot; nature of Web pages, thus increasing the speed and user-interactivity of Web-enabled services. However, the open, malleable nature of Web 2.0 also has an often overlooked impact on application security that is not necessarily initially visible to application developers, establishing a relatively easy target for malicious behavior to compromise applications and overall network security. This session will address the development issues of AJAX applications from a security perspective, looking at how today's common web threats such as SQL injection, Cross Site Scripting, and others are often magnified in an AJAX environment, and it will also explore new threats, such as JavaScript Hijacking. Last but not least, it also provides Best Practices for AJAX application developers that are designed to help manage the security complexities inherent to AJAX development.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Chief Technology Officer and VP of Engineering for Cenzic, Lars Ewe is a technology executive with a broad background in (web) application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering and product management in a variety of different markets. Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Automated_vs._Manual_Security:_You_can%27t_filter_The_Stupid&amp;diff=71816</id>
		<title>Automated vs. Manual Security: You can't filter The Stupid</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Automated_vs._Manual_Security:_You_can%27t_filter_The_Stupid&amp;diff=71816"/>
				<updated>2009-10-20T14:07:36Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Charles_Henderson_2.jpg|200px|thumb|right|Charles Henderson]]Everyone wants to stretch their security budget, and automated application security tools are an appealing choice for doing so. However, manual security testing isn’t going anywhere until the HAL application scanner comes online. This presentation will use often humorous, real-world examples to illustrate the relative strengths and weaknesses of automated solutions and manual techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Automated tools have some strengths, namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks. However, automated solutions are far from perfect. There are entire classes of vulnerabilities that are theoretically impossible for automated software to detect. Examples include complex information leakage, race conditions, logic flaws, design flaws, and multistage process attacks. Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool.&lt;br /&gt;
&lt;br /&gt;
== The speakers  ==&lt;br /&gt;
David Byrne has worked in information security for almost a decade. Currently, he is a consultant in Trustwave's Application Security group. Before Trustwave, David was the Security Architect at Dish Network. In 2006, he started the Denver chapter of OWASP. In 2008, he released Grendel (grendel-scan.com), an open source web application security scanner. David has presented at a number of security events including DEFCON, Black Hat, Toorcon, FROC, and the Computer Security Institute's annual conference.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Charles Henderson has been in the security industry for over 15 years and manages the Application Security Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Charles_Henderson_2.jpg&amp;diff=71815</id>
		<title>File:Charles Henderson 2.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Charles_Henderson_2.jpg&amp;diff=71815"/>
				<updated>2009-10-20T14:06:51Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: headshot&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;headshot&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Automated_vs._Manual_Security:_You_can%27t_filter_The_Stupid&amp;diff=71814</id>
		<title>Automated vs. Manual Security: You can't filter The Stupid</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Automated_vs._Manual_Security:_You_can%27t_filter_The_Stupid&amp;diff=71814"/>
				<updated>2009-10-20T14:05:37Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Charles_Henderson_1.jpg|200px|thumb|right|Charles Henderson]]Everyone wants to stretch their security budget, and automated application security tools are an appealing choice for doing so. However, manual security testing isn’t going anywhere until the HAL application scanner comes online. This presentation will use often humorous, real-world examples to illustrate the relative strengths and weaknesses of automated solutions and manual techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Automated tools have some strengths, namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks. However, automated solutions are far from perfect. There are entire classes of vulnerabilities that are theoretically impossible for automated software to detect. Examples include complex information leakage, race conditions, logic flaws, design flaws, and multistage process attacks. Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool.&lt;br /&gt;
&lt;br /&gt;
== The speakers  ==&lt;br /&gt;
David Byrne has worked in information security for almost a decade. Currently, he is a consultant in Trustwave's Application Security group. Before Trustwave, David was the Security Architect at Dish Network. In 2006, he started the Denver chapter of OWASP. In 2008, he released Grendel (grendel-scan.com), an open source web application security scanner. David has presented at a number of security events including DEFCON, Black Hat, Toorcon, FROC, and the Computer Security Institute's annual conference.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Charles Henderson has been in the security industry for over 15 years and manages the Application Security Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Scalable_Application_Assessments_in_the_Enterprise&amp;diff=71813</id>
		<title>Scalable Application Assessments in the Enterprise</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Scalable_Application_Assessments_in_the_Enterprise&amp;diff=71813"/>
				<updated>2009-10-20T14:04:00Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:lars_ewe.jpg|200px|thumb|right|Lars Ewe]]That's right, we said scalable. Applications which live in the enterprise, COTS or otherwise, are often some of the most complex and time consuming to assess when it comes to evaluating them for commonly exploited vulnerabilities, such as those listed by the OWASP Top 10. During this talk, the presenters will explore the ways in which in-depth, transaction based application assessments can be made to scale within the enterprise, through the use of automated assessment tools (such as Cenzic Hailstorm) and a rigorous assessment methodology. While excessive levels of assessment automation have in the past taken fire for the levels of false positives and false negatives they can generate, manual testing has also developed a bad reputation in many circles due to the high costs and execution time generally associated with performing thorough application assessments with a wholly manual approach. The speakers will demonstrate a methodology through which a middle ground may be attained, achieving an assessment which accurately addresses top of mind vulnerabilities, provides all of the benefits of a manual assessment, falls in budget and, yes, scales!&lt;br /&gt;
&lt;br /&gt;
== The speakers  ==&lt;br /&gt;
&lt;br /&gt;
Tom Parker, Director Commercial Security Services, Securicon LLC. Mr. Parker is the Director of Securicon's Commercial Security Services, and has bottom line responsibility for the success of commercial projects, and leadership of our commercial services team. Mr. Parker is a recognized industry expert, has published over four books on the topic of information security and is a frequent speaker at professional security conferences, such as the Blackhat Briefings. Tom often lends his time to providing expert opinion to mass media organizations, including television appearances on BBC News and CNN, and is frequently quoted by printed and online media, including the likes of The Register, Reuters News, Wired and Business Week. &lt;br /&gt;
&lt;br /&gt;
Lars Ewe, Chief Technology Officer and VP of Engineering, Cenzic Inc: Lars Ewe is a technology executive with broad background in (web) application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering, product management/marketing, and sales in a variety of different markets. Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Vulnerability_Management_in_an_Application_Security_World&amp;diff=71812</id>
		<title>Vulnerability Management in an Application Security World</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Vulnerability_Management_in_an_Application_Security_World&amp;diff=71812"/>
				<updated>2009-10-20T14:02:06Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Dan_Cornell_web.jpg|200px|thumb|right]]Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams' practice of vulnerability management and development teams' practice of defect management will be addressed in order to facilitate healthy communication between these groups. &lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the San Antonio chapter leader of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, OWASP's open source tool for assessing the security of AJAX-enabled web applications.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Manipulating_Web_Application_Interfaces,_a_new_approach_to_input_validation&amp;diff=71809</id>
		<title>Manipulating Web Application Interfaces, a new approach to input validation</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Manipulating_Web_Application_Interfaces,_a_new_approach_to_input_validation&amp;diff=71809"/>
				<updated>2009-10-20T13:49:52Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Felipe_Moreno-Strauch.jpg|200px|thumb|right]]This talk will suggest a new approach for web application input validation testing and introduce Groundspeed, an open-source Firefox extension that manipulates the interface of web applications in order to make the life of the security tester easier. Today, most of the manual parameter manipulation tests in web applications are performed using tools that modify the raw HTTP requests sent to the server. While this approach works best on simple applications, it is often inappropriate for more complex applications. Groundspeed is a Firefox extension that allows the security tester to modify the application user interface by manipulating the forms and form elements, eliminating annoying limitations and client-side controls. Some of the practical uses of Groundspeed include changing all hidden fields into text fields, removing size limitations on input fields and modifying JavaScript event handlers to bypass client side validation without actually removing it. The extension works by dynamically modifying the Document Object Model (DOM) of the page after Firefox has finished loading and rendering it. The changes take effect immediately and, since it happens entirely on the client side without generating new requests to the server, it is completely transparent to the application. More information, including a link to download and install groundspeed is available here: http://groundspeed.wobot.org.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Felipe Moreno is a manager at the Ernst &amp;amp; Young Advanced Security Center (ASC), based in New York City. He has more than 8 years of information security experience performing application security reviews and penetration tests in addition to teaching secure coding classes to Fortune 500 clients both in the US and Europe.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=SANS_Dshield_Webhoneypot_Project&amp;diff=71807</id>
		<title>SANS Dshield Webhoneypot Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=SANS_Dshield_Webhoneypot_Project&amp;diff=71807"/>
				<updated>2009-10-20T13:46:10Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Jason_Lam.jpg|200px|thumb|right]]The DShield project has been providing the information security industry with early attack warning data for over 8 years. The project has recently been expanding the detection scope to web application attacks. Volunteers deploy web honeypots distributed around the globe. These honeypots collect full log details (including HTTP request header and body) for DShield to archive and analyze. In this presentation, the goals and architecture as well as the experience gained in designing and implementing the distributed honeypot application will be shared and discussed along with demonstrations of some of the more interesting results obtained. Audience members will be encouraged to participate and contribute to the project.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Jason Lam is a senior security analyst at a global financial institution. He is also an author and instructor for the SANS Institute specializing in creating courses on web applications defense and penetration testing. In his free time he is an incident handler with the SANS Internet Storm Center. Recently, he took on the role to be a leader for the DShield honeypot project. The DShield Honeypot Project sets up, and monitors web application honeypots all over the world gathering their logs and performing important research and analysis on the latest trends and attacks.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Is_your_organization_secured_against_internal_threats%3F&amp;diff=71806</id>
		<title>Is your organization secured against internal threats?</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Is_your_organization_secured_against_internal_threats%3F&amp;diff=71806"/>
				<updated>2009-10-20T13:45:05Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: /* The presentation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:lars_ewe.jpg|200px|thumb|right]]According to some industry statistics, as much as 70% of all cyberattacks could be related to insiders. While organizations are starting to do something about attacks from external hackers, very little attention is being paid to the employees who are either still there or have been laid off. The resulting legal issues are also inherited by larger companies when they acquire companies that have paid no attention to insider threats. This presentation will detail a number of external attacks which current and former employees would be able to perform using insider information. We will also look at small/mid size organizations and the common mistakes they make which expose them to internal threats, creating problems for larger organizations who acquire them and are then accountable for legal issues arising from the mishandling of things like PII data due to implicit trust of internal employees. We will cover the background of insider threats, legal and compliance issues resulting from insider threats, sample exploits, solutions, integration of third party data, and an action plan to take away. I will also show an example exploit of a current employee using anonymous external accounts to craft and 'exploit' themselves at work, leaving a trail which is immune to forensics.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Chief Technology Officer and VP of Engineering for Cenzic, Lars Ewe is a technology executive with a broad background in (web) application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering and product management in a variety of different markets. Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Secure_SDLC:_The_Good,_The_Bad,_and_The_Ugly&amp;diff=71805</id>
		<title>Secure SDLC: The Good, The Bad, and The Ugly</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Secure_SDLC:_The_Good,_The_Bad,_and_The_Ugly&amp;diff=71805"/>
				<updated>2009-10-20T13:43:41Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Joey_Peloquin.jpg|200px|thumb|right]]This isn't your father's Secure SDLC talk folks!  Join Joey Peloquin, Director of Application Security at FishNet Security, for a real-world peek into the secure application development lifecycle. He'll share real-life anecdotes of good, bad, and ugly development programs, how the PCI DSS affects application security from a QSA's perspective, and what makes real application security programs across the nation tick. Finally, he'll wrap up with a detailed post-mortem of his own first attempt at a program, how it was flawed, and how his team put the pieces back together.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Joey Peloquin is the Director of Application Security at FishNet Security, where he's responsible for project oversight and quality assurance, business development, and managing the team's offerings and methodologies. He's spent the last nine of fifteen years in I.T. specializing in Information Security, with the last five specifically in Application Security. Prior to joining FishNet Security, he created the service offerings and methodologies for Hewlett-Packard's Application Security Center Professional Services Team. At HP, he also served as the principal delivery consultant and managed all partner-delivered projects. Joey also spent nearly a decade with the JCPenney Corporation, where he transformed himself from a network and systems security specialist into the corporate application security advisor. His final accomplishments were the creation of JCPenney's application security program framework, and a significant increase in application security awareness through aggressive penetration testing policies and remediation assistance. Joey speaks publicly on a regular basis, presenting recently at HP Software Universe, OWASP Front Range Conference, CSO Breakfast Club and Secure360, and has appeared in articles by Internet Retailer, Techtarget, SC Magazine, SD Times, and Information Week.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Advanced_SSL:_The_good,_the_bad,_and_the_ugly&amp;diff=71804</id>
		<title>Advanced SSL: The good, the bad, and the ugly</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Advanced_SSL:_The_good,_the_bad,_and_the_ugly&amp;diff=71804"/>
				<updated>2009-10-20T13:41:49Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: /* The presentation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Michael_Coates.jpg|200px|thumb|right]]SSL has taken many hits over the past year. From the MD5 rogue certificate creation to SSL Strip, it seems that SSL should be dead and gone. However, SSL is still one of the fundamental security patterns used to protect data in transit. Unfortunately, SSL is widely misunderstood. It's time to take a breath and make sure everyone knows what we are really doing when we implement SSL. This will be an advanced talk that will focus on understanding the entire lifecycle of SSL. How does it work, what are the weaknesses and what's going on with the recent SSL attacks? We will address issues such as: How does SSL really work? Is redirecting from HTTP to HTTPS safe? Does the landing page need to be SSL? How bad are those browser warnings? What tools are available and how do I test my server's SSL configuration? Should I be concerned about the MD5 rogue certificate or SSL strip? These questions and more will be answered. This presentation will not be a basic intro to SSL talk. This will be a turbo talk of drinking from the SSL security fire hose. It is intended for security audiences already familiar with the basics of SSL and encryption.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Michael Coates is a Senior Application Security Engineer for Aspect Security and has performed numerous penetration assessments, security code reviews, and security training sessions for leading corporations worldwide. Michael is the creator and leader of the AppSensor project and holds a Masters Degree in Computer Security from DePaul University.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Defend_Yourself:_Integrating_Real_Time_Defenses_into_Online_Applications&amp;diff=71803</id>
		<title>Defend Yourself: Integrating Real Time Defenses into Online Applications</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Defend_Yourself:_Integrating_Real_Time_Defenses_into_Online_Applications&amp;diff=71803"/>
				<updated>2009-10-20T13:39:54Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: /* The presentation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Michael_Coates.jpg|200px|thumb|right]]Ask any attacker how many attempts it takes them to successfully exploit a vulnerability - two attempts, three, five? In general, an attacker requires several attempts before they can devise a successful exploit. And that is only after they've probed the site to find the vulnerable areas in the first place. Most applications are missing a critical opportunity, the attacker has made their presence known while probing for the vulnerability. Take defensive action and shut down the offending account! This presentation will continue the discussion on AppSensor, a strategy for implementing automatic attack detection and real time response to eliminate the threat of an attacker. During this presentation we will explore a new online application which implements AppSensor. The concepts discussed in this presentation can be immediately integrated into enterprise applications looking to bolster their security posture against determined attackers. We will see that the required changes have a minimal impact on the architecture of the application and require only a small amount of code change. However, there are immense benefits to detecting malicious attackers before they are successful.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Michael Coates is a Senior Application Security Engineer for Aspect Security and has performed numerous penetration assessments, security code reviews, and security training sessions for leading corporations worldwide. Michael is the creator and leader of the AppSensor project and holds a Masters Degree in Computer Security from DePaul University. In addition to application security, in previous years Michael has been a lead in the detection and response center for a global fortune 100 corporation, assessed the security of telecommunication networks and performed social engineering testing for financial institutions.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Development_Issues_Within_AJAX_Applications:_How_to_Divert_Threats&amp;diff=71802</id>
		<title>Development Issues Within AJAX Applications: How to Divert Threats</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Development_Issues_Within_AJAX_Applications:_How_to_Divert_Threats&amp;diff=71802"/>
				<updated>2009-10-20T13:37:40Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: /* The presentation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== The presentation  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:lars_ewe.jpg|200px|thumb|right]]AJAX has rapidly emerged as a prominent enabling technology in the movement to improve the Web as a software platform for business and consumer applications. Using AJAX development techniques provides software developers with a wide-open platform for creating innovative new Web (2.0) applications. The result is a more readily responsive Web environment which minimizes the &amp;quot;start-stop-start-stop&amp;quot; nature of Web pages, thus increasing the speed and user-interactivity of Web-enabled services. However, the open, malleable nature of Web 2.0 also has an often overlooked impact on application security that is not necessarily initially visible to application developers, establishing a relatively easy target for malicious behavior to compromise applications and overall network security. This session will address the development issues of AJAX applications from a security perspective, looking at how today's common web threats such as SQL injection, Cross Site Scripting, and others are often magnified in an AJAX environment, and it will also explore new threats, such as JavaScript Hijacking. Last but not least, it also provides Best Practices for AJAX application developers that are designed to help manage the security complexities inherent to AJAX development.&lt;br /&gt;
&lt;br /&gt;
== The speaker  ==&lt;br /&gt;
&lt;br /&gt;
Chief Technology Officer and VP of Engineering for Cenzic, Lars Ewe is a technology executive with a broad background in (web) application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering and product management in a variety of different markets. Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts.&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Charles_Henderson_1.jpg&amp;diff=71800</id>
		<title>File:Charles Henderson 1.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Charles_Henderson_1.jpg&amp;diff=71800"/>
				<updated>2009-10-20T13:33:48Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Michael_Coates.jpg&amp;diff=71799</id>
		<title>File:Michael Coates.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Michael_Coates.jpg&amp;diff=71799"/>
				<updated>2009-10-20T13:33:29Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Lars_ewe.jpg&amp;diff=71798</id>
		<title>File:Lars ewe.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Lars_ewe.jpg&amp;diff=71798"/>
				<updated>2009-10-20T13:33:12Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Joey_Peloquin.jpg&amp;diff=71797</id>
		<title>File:Joey Peloquin.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Joey_Peloquin.jpg&amp;diff=71797"/>
				<updated>2009-10-20T13:32:50Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: headshot&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;headshot&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Jason_Lam.jpg&amp;diff=71796</id>
		<title>File:Jason Lam.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Jason_Lam.jpg&amp;diff=71796"/>
				<updated>2009-10-20T13:32:27Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: headshot&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;headshot&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Felipe_Moreno-Strauch.jpg&amp;diff=71795</id>
		<title>File:Felipe Moreno-Strauch.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Felipe_Moreno-Strauch.jpg&amp;diff=71795"/>
				<updated>2009-10-20T13:31:50Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: headshot&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;headshot&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Amichai_Shulman_02.jpg&amp;diff=71794</id>
		<title>File:Amichai Shulman 02.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Amichai_Shulman_02.jpg&amp;diff=71794"/>
				<updated>2009-10-20T13:31:07Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: Amichai Shulman headshot&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Amichai Shulman headshot&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Dan_Cornell_web.jpg&amp;diff=71793</id>
		<title>File:Dan Cornell web.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Dan_Cornell_web.jpg&amp;diff=71793"/>
				<updated>2009-10-20T13:29:45Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: Dan Cornell headshot&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Dan Cornell headshot&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Amichai_Shulman_1.jpg&amp;diff=71792</id>
		<title>File:Amichai Shulman 1.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Amichai_Shulman_1.jpg&amp;diff=71792"/>
				<updated>2009-10-20T13:27:30Z</updated>
		
		<summary type="html">&lt;p&gt;Leeannehart: Headshot of Amichai Shulman&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Headshot of Amichai Shulman&lt;/div&gt;</summary>
		<author><name>Leeannehart</name></author>	</entry>

	</feed>