https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=ManopaulOWASP - User contributions [en]2026-05-27T09:08:38ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Global_Chapter_Committee_-_Application_8&diff=117247Global Chapter Committee - Application 82011-09-13T03:43:37Z<p>Manopaul: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]] <br />
<br />
----<br />
<br />
{| style="width:100%" border="0" align="center"<br />
|-<br />
! colspan="2" align="center" style="background:#4058A0; color:white" | <font color="white">'''COMMITTEE APPLICATION FORM'''</font><br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center" | '''Applicant's Name''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left" | <font color="black">Josh Sokol</font><br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center" | '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left" | Austin OWASP President, LASCON Co-Chair, Austin OWASP Vice President<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center" | '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left" | Global Chapter Committee<br />
|}<br />
<br />
----<br />
<br />
<br> <br />
<br />
----<br />
<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote. <br />
<br />
----<br />
<br />
<br> <br />
<br />
----<br />
<br />
{| border="0" align="center" style="width:100%"<br />
|-<br />
! align="center" style="background:#4058A0; color:white" colspan="8" | <font color="white">'''COMMITTEE RECOMMENDATIONS'''</font><br />
|-<br />
! align="center" style="background:white; color:white" | <font color="black"></font> <br />
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Who Recommends/Name'''</font> <br />
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Role in OWASP'''</font> <br />
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Recommendation Content'''</font><br />
|-<br />
| align="center" style="width:3%; background:#cccccc" | '''1''' <br />
| align="center" style="width:20%; background:#cccccc" | Greg Genung<br />
| align="center" style="width:20%; background:#cccccc" | Austin OWASP Membership Director, LASCON Volunteer<br />
| align="center" style="width:57%; background:#cccccc" | Josh and I have worked together through the Austin OWASP chapter for the last 5 years. He has been a tremendous individual contributor to the security community - but specifically - has been a huge proponent for OWASP in Texas. He has supported each of the growing chapters in Houston, Dallas, and San Antonio - as well as his efforts in Austin with our local chapter. In addition, Josh (and James Wickett) took it upon themselves to start the LASCON conference, which in its first year was a trememdous success. Finally - Josh is reliable. When he says he is going to do something - it gets done. I reccomend Josh for this role and believe he would be a benefit to this committee.&nbsp;<br />
|-<br />
| align="center" style="width:3%; background:#cccccc" | '''2''' <br />
| align="center" style="width:20%; background:#cccccc" | David Hughes<br />
| align="center" style="width:20%; background:#cccccc" | Austin OWASP leader, LASCON Volunteer<br />
| align="center" style="width:57%; background:#cccccc" | Josh has proven his ability time and again to accomplish great things. He does what he sets out to do, and because of this he has contributed greatly to the huge success of the Austin OWASP chapter as well as the tremendous success of the LASCON conference. I highly recommend Josh and believe that his efforts on any committee would be highly valued and effective. <br />
|-<br />
| align="center" style="width:3%; background:#cccccc" | '''3''' <br />
| align="center" style="width:20%; background:#cccccc" | Mano 'dash4rk' Paul<br />
| align="center" style="width:20%; background:#cccccc" | CEO, SecuRisk Solutions and Express Certification; (ISC)2 Software Assurance Advisor, Speaker/Panelist in OWASP conferences<br />
| align="center" style="width:57%; background:#cccccc" | As President of the Austin OWASP chapter, Josh has been instrumental in building the Austin OWASP chapter to be a vibrant and active chapter. His leadership in building the local chapter is commendable and I strongly feel that his experience would be a valuable fit for the Global Chapter committee. Josh comes with my highest recommendations. <br />
|-<br />
| align="center" style="width:3%; background:#cccccc" | '''4''' <br />
| align="center" style="width:20%; background:#cccccc" | <br />
| align="center" style="width:20%; background:#cccccc" | <br />
| align="center" style="width:57%; background:#cccccc" | <br />
|-<br />
| align="center" style="width:3%; background:#cccccc" | '''5''' <br />
| align="center" style="width:20%; background:#cccccc" | <br />
| align="center" style="width:20%; background:#cccccc" | <br />
| align="center" style="width:57%; background:#cccccc" | <br />
|-<br />
| align="center" style="width:3%; background:#cccccc" | '''10''' <br />
| align="center" style="width:20%; background:#cccccc" | <br />
| align="center" style="width:20%; background:#cccccc" | <br />
| align="center" style="width:57%; background:#cccccc" | <br />
|}<br />
<br />
----</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_Connections_Committee_-_Application_5&diff=102785OWASP Connections Committee - Application 52011-02-01T02:56:11Z<p>Manopaul: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 100%;"<br />
|-<br />
! align="center" colspan="2" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font color="#ffffff">'''COMMITTEE APPLICATION FORM'''</font><br />
|-<br />
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Applicant's Name''' <br />
| align="left" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <font color="#000000">Greg Genung</font><br />
|-<br />
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Current and past OWASP Roles''' <br />
| align="left" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Austin OWASP Membership Director.<br />
|-<br />
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Committee Applying for''' <br />
| align="left" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | OWASP Global Connections Committee.<br />
|}<br />
<br />
----<br />
<br />
<br> <br />
<br />
----<br />
<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote. <br />
<br />
----<br />
<br />
<br> <br />
<br />
----<br />
<br />
{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 100%;"<br />
|-<br />
! align="center" colspan="8" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font color="#ffffff">'''COMMITTEE RECOMMENDATIONS'''</font><br />
|-<br />
! align="center" style="background: none repeat scroll 0% 0% white; color: white;" | <font color="#000000"></font> <br />
! align="center" style="background: none repeat scroll 0% 0% rgb(123, 138, 189); color: white;" | <font color="#000000">'''Who Recommends/Name'''</font> <br />
! align="center" style="background: none repeat scroll 0% 0% rgb(123, 138, 189); color: white;" | <font color="#000000">'''Role in OWASP'''</font> <br />
! align="center" style="background: none repeat scroll 0% 0% rgb(123, 138, 189); color: white;" | <font color="#000000">'''Recommendation Content'''</font><br />
|-<br />
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''1''' <br />
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Josh&nbsp;Sokol <br />
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Austin OWASP&nbsp;President <br />
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Greg has served as our Austin&nbsp;OWASP Membership Director for the past year and has been instrumental in raising our membership levels and awareness of OWASP&nbsp;in the community.&nbsp; Under his leadership we went from under a dozen members in the Austin chapter to almost a hundred.&nbsp; He is always coming up with new ideas and ways to drive people to our chapter and help to evangelize security within our community.&nbsp; It would be very selfish of us to want to keep his amazing ideas just to our chapter so it is with great pleasure that I'd like to recommend Greg's nomination to the OWASP&nbsp;Global Membership Committee.<br />
|-<br />
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''2''' <br />
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | James Wickett<br />
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Austin Chapter Vice President<br />
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | I&nbsp;recommend Greg for the committee. There are a lot of things I could say about Greg but the easiest is to say that I&nbsp;echo Josh 100%.&nbsp; One thing I&nbsp;would add is that Greg was instrumental to the success of LASCON.&nbsp; In addition to working on the board, Greg was the face of the conference as the leader for speaker introductions and really helped keep the conference running smoothly.<br />
|-<br />
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''3''' <br />
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Nishi Kumar<br />
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | OWASP Global Education Committee<br />
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | I highly recommend Greg for the committee. He has infinite energy and has great interpersonal skills. He is a true people person and would be an asset for the membership committee. He was instrumental in increasing the membership of OWASP in Austin chapter. I will whole heartedly like to recommend Greg's nomination to the OWASP Global Membership Committee.<br />
|-<br />
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''4''' <br />
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Brad Causey<br />
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | OWASP Global Project Committe<br />
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | I met Greg about two years ago on a trip to speak at an Austin chapter meeting. His personality, fantastic attitude, and high energy are just the qualities we need on the connections committee. I'd gladly step behind Greg's leadership and I have full confidence in his ability to be successful, and therefore making OWASP even more successful.<br />
|-<br />
| align="center" style="width: 3%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''5''' <br />
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Mano Paul<br />
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Invited Speaker/Trainer, Past Global Education Committee<br />
| align="center" style="width: 57%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | If there is one person, I need to pick that can build synergies between even disparate individuals or groups, it would be Greg Genung. I was introduced to Greg when he served as the Membership Director and then Vice President for the Capitol of Texas ISSA Chapter and from the very first day, his inter-personal skills with a natural affinity to build connections was evident. He epitomizes the art of building relationships and as a member of the Connections Committee, he would be an invaluable addition to the OWASP Global Connections undertaking. I am supportive and do highly recommended, Greg.<br />
|}<br />
<br />
----</div>Manopaulhttps://wiki.owasp.org/index.php?title=Los_Angeles&diff=91651Los Angeles2010-10-19T14:51:55Z<p>Manopaul: /* Meeting LocationSymantec Corporation900 Corporate Pointe (off Slauson)Culver City, CA 90230 */</p>
<hr />
<div>== Local News ==<br />
<br />
The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a sucess! <br />
<br />
http://www.AppSecUSA.org <br />
<br />
Check out the videos: http://vimeo.com/user4863863/videos<br> <br />
<br />
[[Image:AppSec Logo.jpg|362x106px]] <br />
<br />
== ==<br />
<br />
== Next&nbsp;Chapter Meeting:&nbsp; Wednesday, October 20, 2010 7:00 P.M. <br> ==<br />
<br />
=== We will be Having Two Great Speakers and Free Catered Greek Food ===<br />
<br />
'''Please RSVP: http://www.eventbrite.com/event/955294311'''<br> <br />
<br />
== Meeting Location<br>Symantec Corporation<br>900 Corporate Pointe (off Slauson)<br>Culver City, CA 90230 ==<br />
<br />
'''Identity Management: federation and authorization'''<br> <br />
<br />
'''Speaker:''' <br />
<br />
Todd Calvert is currently the Western Region Business Development / Sales Director for Arcot Systems, based in Sunnyvale, California, where he has been with the company over two years. Prior to Arcot, he has been involved with various industries involving enterprise SW for application management, modeling &amp; statistical analysis, and optimization for companies such as Compuware, KLA-Tencor, Nikon Inc., and Wind River. He graduated UC Santa Barbara in 1991 with a B.S. in Mathematical Sciences degree, and has spent much of his time to delivering educational &amp; technical seminars and math tutoring on the side.<br> <br />
<br />
<br> '''Sharks and Security''' <br />
<br />
Abstract: <br />
<br />
Do you know what makes a shark a shark and a hacker a hacker? Which is the most dangerous shark and how does that fit the profile of a dangerous hacker? What does the tiger shark have to do with garbage collection? Is there any connection between the locomotion in sharks and reverse engineering? and more… <br />
<br />
There are sharks at sea and there are sharks on land! Many are prevalent in the information security space. In this talk, Mano Paul, a shark biologist are researcher from the Bahamas turned security professional takes you through the similarities and differences that exists between sharks that are after our digital assets and the relatively less dangerous and beautiful creation that swims the ocean currents. The talk with the demo of a Trojan called SharkBait has take aways for the all kinds of audiences, whether they are management, technical or operational in scope. <br> <br />
<br />
Come for a fun-filled, highly interactive, and interesting presentation and leave with a new sense of appreciation on how to look at sharks and hackers and what you can do so that you or your organizations don't become shark bait.<br> <br />
<br />
'''Speaker:'''<br> <br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Shark Researcher turned Security Guru!</b><br><br />
<b>Manoranjan (Mano) Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP, SSCP, CSSLP and the BCI certificate. <br />
<br />
Before SecuRisk Solutions and Express Certifications, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His information security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. He was a member of the OWASP Global Education Committee and actively participates in OWASP speaking, training and leadership events. He is also the appointed Software Assurance Advisor for (ISC)<sup>2</sup>, representing and advising the organization on software assurance strategy, training, education and certification. He has also served as an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter. <br />
<br />
Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, TRISC and SC World Congress conferences. He is the author of the Official (ISC)<sup>2</sup> Guide to the Certified Secure Software Lifecycle Professional (CSSLP<sup>CM</sup>), contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN).<br />
<br />
Mano is married to Sangeetha Johnson whom he calls the “most wonderful and sacrificial person in this world” and their greatest fulfillment comes from spending time with their son – Reuben A Paul (RAP).<br />
<br />
<br> <br />
<br />
<br> '''Sponsor:'''&nbsp; <br />
<br />
Arcot Systems Inc is the largest cloud based authentication company in the world and also a leader in online security products including 3-D Secure (aka Verified-by-Visa / MasterCard SecureCode), Strong Authentication, Risk Assessment, Secure Document Delivery, Tokenization and Secure Digital Signing.Our Strength is in a token-less 2 Factor Authentication Methodology /Adaptive Authentication/Secure Digital Signing/3-D Secure/Tokenization to reduce PCI-DSS Audit cost. <br />
<br />
ArcotID, 100% software based smart card, is the core constituent of this solution. ArcotID provides strong protection of digital IDs for multi-factor authentication, digital signatures and encryption. ArcotID uses Arcot's patented 'Cryptographic Camouflage' technology. <br />
<br />
WebFort is Versatile Authentication Server (VAS) that supports ArcotID authentication in addition to One-Time-Password (OTP), Question-and-Answer and Password authentications<br> <br />
<br />
<br><br />
<br />
= Would you like to speak at an OWASP Los Angeles Meeting? =<br />
<br />
Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template]. <br />
<br />
= Archives of Previous Meetings =<br />
<br />
A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here]. <br />
<br />
= Los Angeles Chapter =<br />
<br />
*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair <br />
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member <br />
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member<br />
<br />
[[Category:California]]</div>Manopaulhttps://wiki.owasp.org/index.php?title=Los_Angeles&diff=91650Los Angeles2010-10-19T14:48:07Z<p>Manopaul: /* Meeting LocationSymantec Corporation900 Corporate Pointe (off Slauson)Culver City, CA 90230 */</p>
<hr />
<div>== Local News ==<br />
<br />
The AppSec USA 2010 conference received rave reviews. Thanks to all the volunteers and great speakers who helped make it a sucess! <br />
<br />
http://www.AppSecUSA.org <br />
<br />
Check out the videos: http://vimeo.com/user4863863/videos<br> <br />
<br />
[[Image:AppSec Logo.jpg|362x106px]] <br />
<br />
== ==<br />
<br />
== Next&nbsp;Chapter Meeting:&nbsp; Wednesday, October 20, 2010 7:00 P.M. <br> ==<br />
<br />
=== We will be Having Two Great Speakers and Free Catered Greek Food ===<br />
<br />
'''Please RSVP: http://www.eventbrite.com/event/955294311'''<br> <br />
<br />
== Meeting Location<br>Symantec Corporation<br>900 Corporate Pointe (off Slauson)<br>Culver City, CA 90230 ==<br />
<br />
'''Identity Management: federation and authorization'''<br> <br />
<br />
'''Speaker:''' <br />
<br />
Todd Calvert is currently the Western Region Business Development / Sales Director for Arcot Systems, based in Sunnyvale, California, where he has been with the company over two years. Prior to Arcot, he has been involved with various industries involving enterprise SW for application management, modeling &amp; statistical analysis, and optimization for companies such as Compuware, KLA-Tencor, Nikon Inc., and Wind River. He graduated UC Santa Barbara in 1991 with a B.S. in Mathematical Sciences degree, and has spent much of his time to delivering educational &amp; technical seminars and math tutoring on the side.<br> <br />
<br />
<br> '''Sharks and Security''' <br />
<br />
Abstract: <br />
<br />
Do you know what makes a shark a shark and a hacker a hacker? Which is the most dangerous shark and how does that fit the profile of a dangerous hacker? What does the tiger shark have to do with garbage collection? Is there any connection between the locomotion in sharks and reverse engineering? and more… <br />
<br />
There are sharks at sea and there are sharks on land! Many are prevalent in the information security space. In this talk, Mano Paul, a shark biologist are researcher from the Bahamas turned security professional takes you through the similarities and differences that exists between sharks that are after our digital assets and the relatively less dangerous and beautiful creation that swims the ocean currents. The talk with the demo of a Trojan called SharkBait has take aways for the all kinds of audiences, whether they are management, technical or operational in scope. <br> <br />
<br />
Come for a fun-filled, highly interactive, and interesting presentation and leave with a new sense of appreciation on how to look at sharks and hackers and what you can do so that you or your organizations don't become shark bait.<br> <br />
<br />
'''Speaker:'''<br> <br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Shark Researcher turned Security Guru!</b><br><br />
<b>Manoranjan (Mano) Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP, SSCP, CSSLP and the BCI certificate. <br />
<br />
Before SecuRisk Solutions and Express Certifications, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His information security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. He was a member of the OWASP Global Education Committee and actively participates in OWASP speaking, training and leadership events. He is also the appointed Software Assurance Advisor for (ISC)<sup>2</sup>, representing and advising the organization on software assurance strategy, training, education and certification. He has also served as an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter. <br />
<br />
Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, TRISC and SC World Congress conferences. He is the author of the Official (ISC)<sup>2</sup> Guide to the Certified Secure Software Lifecycle Professional (CSSLP<sup>CM</sup>), contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN).<br />
<br />
Mano is married to whom he calls the “most wonderful and sacrificial person in this world” - Sangeetha Johnson and their greatest fulfillment comes from spending time with the son – Reuben A Paul (RAP).<br />
<br />
<br> <br />
<br />
<br> '''Sponsor:'''&nbsp; <br />
<br />
Arcot Systems Inc is the largest cloud based authentication company in the world and also a leader in online security products including 3-D Secure (aka Verified-by-Visa / MasterCard SecureCode), Strong Authentication, Risk Assessment, Secure Document Delivery, Tokenization and Secure Digital Signing.Our Strength is in a token-less 2 Factor Authentication Methodology /Adaptive Authentication/Secure Digital Signing/3-D Secure/Tokenization to reduce PCI-DSS Audit cost. <br />
<br />
ArcotID, 100% software based smart card, is the core constituent of this solution. ArcotID provides strong protection of digital IDs for multi-factor authentication, digital signatures and encryption. ArcotID uses Arcot's patented 'Cryptographic Camouflage' technology. <br />
<br />
WebFort is Versatile Authentication Server (VAS) that supports ArcotID authentication in addition to One-Time-Password (OTP), Question-and-Answer and Password authentications<br> <br />
<br />
<br><br />
<br />
= Would you like to speak at an OWASP Los Angeles Meeting? =<br />
<br />
Call for Papers (CFP) is NOW OPEN. To speak at upcoming OWASP Los Angeles meetings please submit your BIO and talk abstract via email to [mailto:tin.zaw@owasp.org Tin Zaw]. When we accept your talk, it will be required to use the Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template]. <br />
<br />
= Archives of Previous Meetings =<br />
<br />
A list of previous presentations conducted at the Los Angeles Chapter can be found [https://www.owasp.org/index.php/Los_Angeles_Previous_Presentations here]. <br />
<br />
= Los Angeles Chapter =<br />
<br />
*[mailto:tin.zaw@owasp.org Tin Zaw] -- Chapter Leader and Chair <br />
*[mailto:cassio@owasp.org Cassio Goldschmidt] -- Board Member <br />
*[mailto:richard.greenberg@owasp.org Richard Greenberg] -- Board Member<br />
<br />
[[Category:California]]</div>Manopaulhttps://wiki.owasp.org/index.php?title=AppSec_Brasil_2010&diff=91443AppSec Brasil 20102010-10-15T05:43:33Z<p>Manopaul: /* The Art and Science of Threat Modeling Web Applications */</p>
<hr />
<div>__NOTOC__ <br />
<br />
[[Image:LogoAppSecBrazil.002.jpg|center]] <br />
<br />
'''Para a versão em português, veja em [[AppSec Brasil 2010 (pt-br)]]''' <br />
<br />
= OWASP AppSec Brasil 2010 =<br />
<br />
The Second Edition of OWASP's flagship conference in South America will happen in Campinas, SP, Brazil. The Conference consists of two days of training sessions, followed by a two-day conference on a single track. <br />
<center><br />
[[Image:AppSec Brasil 2010 Campinas.jpg|500px]] <br />
</center> <br />
== Conference Dates ==<br />
<br />
The conference will happen from '''November 16th, 2010 to November 19th, 2010'''. The first two days will be tutorial days (see below). Plenary sessions will be held on November 18th and 19th. <br />
<br><br />
<br />
<br />
==== About ====<br />
<br />
== About the conference ==<br />
<br />
Following the success of the first AppSec Brasil, held in Brasilia in 2009, the OWASP Brazilian Chapter is organizing its second edition in 2010. AppSec Brasil 2010 will happen in the city of Campinas, located 90 km from São Paulo. <br />
<br />
Campinas is the 3rd biggest city in the State of São Paulo and is an important economic center and hosts major universities and research centers. It is known to concentrate several high tech industries, including important multi-national companies in the fields of electronics, telecom and chemicals. <br />
<br />
This year, we expect to gather a number of Brazilian and Latin American practitioners and researchers to share state-of-the-art information about application security. <br />
<br />
==== Sponsorship ====<br />
<br />
We are currently soliciting sponsors for the AppSec Brasil 2010 Conference. Detailed [[Media:OWASP_-_Sponsorship_Opportunities_-_EN_V.1.2.pdf|sponsorship oportunities]] are now available. <br />
<br />
If you are interested in sponsoring AppSec Brasil 2010, please contact the Conference Organization Team (organizacao2010@appsecbrasil.org). <br />
<br />
== Sponsors ==<br />
<br />
<br />
== Platinum Sponsors ==<br />
{|<br />
| [[Image:AppSec Brasil 2010 CPQD.jpg|200px|link=http://www.cpqd.com.br]]<br />
|-<br />
| &nbsp;<br />
|-<br />
|} <br />
<br />
== Gold Sponsors ==<br />
{|<br />
| [[Image:LeadComm Logo Screen.jpg|150px|link=http://www.leadcomm.com.br]]<br />
| width="50" | <br><br />
| [[Image:Logo PagSeguro-Uma empresa-UOL.jpg|150px|link=http://www.pagseguro.uol.com.br]]<br />
|-<br />
| &nbsp;<br />
|-<br />
|}<br />
<br />
<br />
<br />
=== Attendee Kit Sponsors ===<br />
{|<br />
| [[Image:Logotipo_Conviso_2009_Cor.png|150px]]<br />
| width="50" | <br><br />
| [[Image:lgClavis.png|110px|link=http://www.clavis.com.br]]<br />
|-<br />
| &nbsp;<br />
|-<br />
|}<br />
<br><br />
<br />
== Promoted by ==<br />
<center><br />
[[Image:Appsec Brasil 2010 InstitutoTuring.png]] <br />
</center> <br />
==== Keynotes ====<br />
<br />
==Robert 'Rsnake' Hansen ==<br />
<br />
[http://www.sectheory.com/ SecTheory]<br />
<br />
'''''Title:''''' '''The Humble Cookie'''<br />
<br />
'''''Abstract:'''''<br />
The simplest thing in our browser that has caused the most confusion and worry is the cookie. This presentation will discuss what it is, how cookies work, the little known aspects of them, and dozens of attacks to steal them, set them, crack them or abuse trust based on them.<br />
<br />
'''''Bio:''''' Robert Hansen aka RSnake is the CEO and founder of SecTheory. He has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles from Sr. Security Architect and eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory board for the Intrepidus Group, previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies.<br />
<br />
Mr. Hansen wrote Detecting Malice, authors content on O'Reilly and co-authored "XSS Exploits" by Syngress publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also has briefed the DoD at the Pentagon and speaks at SourceBoston, Secure360, GFIRST/US-CERT, CSI, Toorcon, APWG, ISSA, TRISC, World OWASP/WASC conferences, SANS, Microsoft's Bluehat, Blackhat, DefCon, SecTor, BSides, Networld+Interop, and has been the keynote speaker at the New York Cyber Security Conference, NITES and OWASP Appsec Asia. Mr. Hansen is a member of Infragard, West Austin Rotary, WASC, IACSP, APWG, contributed to the OWASP 2.0 guide and is on the OWASP Connections Committee.<br />
<br />
Robert also maintains the http://ha.ckers.org website where he discuss web application security and provides lots of useful content to be used against web application attacks.<br />
<br />
== Jeremiah Grossman ==<br />
<br />
[http://www.whitehatsec.com/ WhiteHat Security] <br />
<br />
'''''Title:''''' '''TBD.''' <br />
<br />
'''''Bio:''''' Jeremiah Grossman, founder and CTO, WhiteHat Security, is a world-renowned Web security expert. A co-founder of the Web Application Security Consortium (WASC), he was named to InfoWorld's Top 25 CTOs in 2007 and is frequently quoted by business and technical media. He has authored dozens of articles and whitepapers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of "XSS Attacks: Cross Site Scripting Exploits and Defense." Grossman is also an influential blogger who offers insight and encourages open dialogue regarding Web security research and trends. Prior to WhiteHat, Grossman was an information security officer at Yahoo! <br />
<br />
<br> <br />
<br />
==== Invited Speakers ====<br />
<br />
== Samy Kamkar==<br />
<br />
'''''Title:''''' '''How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend.'''<br />
<br />
'''''Abstract:''''' <br />
This includes entertaining and newly discovered attacks including PHP session<br />
prediction and random numbers (accurately guessing PHP session cookies),<br />
browser protocol confusion (turning a browser into an SMTP server), firewall and<br />
NAT penetration via Javascript (turning your router against you), remote iPhone<br />
Google Maps hijacking (iPhone penetration combined with HTTP man-in-themiddle),<br />
extracting extremely accurate geolocation information from a Web browser<br />
(not using IP geolocation), and more.<br />
<br />
'''''Bio:'''''<br />
Samy Kamkar is best known for the Samy worm, the first XSS worm,<br />
infecting over one million users on MySpace in less than 24 hours. A cofounder<br />
of Fonality, Inc., an IP PBX company, Samy previously led the<br />
development of all top-level domain name server software and systems for<br />
Global Domains International (.ws).<br />
<br />
In the past 10 years, Samy has focused on evolutionary and genetic<br />
algorithmic software development, Voice over IP software development,<br />
automated security and vulnerability research in network security, reverse<br />
engineering, and network gaming. When not strapped behind the Matrix,<br />
Samy can be found stunt driving and getting involved in local community<br />
service projects.<br />
<br />
== Mano Paul ==<br />
<br />
'''''Title:''''' '''Wild Wild Wild Security Planet''' <br />
<br />
'''''Abstract:'''''<br />
Organisms keep themselves safe in a world that's every bit as unpredictable<br />
as our world. This presentation will parallel what we can learn from the<br />
world of art, literature, science, nature and apply it to the world of<br />
software security. For e.g., If Shakespeare had to write about software<br />
security, what would he write? What does a naked motorist have to do with<br />
loose lips that sink ships? What does pH have to do with software<br />
vulnerabilities? What does the Stick Insects' regenerative ability have to<br />
do with software 'bugs'? or can the Ostrich sticking its head in the sand<br />
behavior reflect the modicum of risk management we observe today and many<br />
more ...<br />
<br />
The talk would be a fun-filled, extremely interactive session covering<br />
various concepts of security from risk management, defense in depth, secure<br />
programming, threats and vulnerabilities and compliance and more ... Come to<br />
find out the answers to the questions above and see what it takes to develop<br />
software with a security mindset throughout its life cycle. Come and look at<br />
software security from a different perspective that would make ALL the<br />
difference for you and your company.<br />
<br />
'''''Bio:'''''<br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Shark Researcher turned Security Guru!</b><br><br />
<b>Manoranjan (Mano) Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP, SSCP, CSSLP and the BCI certificate. <br />
<br />
Before SecuRisk Solutions and Express Certifications, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His information security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. He was a member and chair of the OWASP Global Education Committee and actively participates in OWASP speaking, training and leadership events. He is also the appointed Software Assurance Advisor for (ISC)<sup>2</sup>, representing and advising the organization on software assurance strategy, training, education and certification. He is an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter. <br />
<br />
Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, TRISC and SC World Congress conferences. He is the author of the Official (ISC)<sup>2</sup> Guide to the Certified Secure Software Lifecycle Professional (CSSLP<sup>CM</sup>), contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN).<br />
<br />
Mano is married to whom he calls the “most wonderful and sacrificial person in this world” - Sangeetha Johnson and their greatest fulfillment comes from spending time with the son – Reuben A Paul (RAP).<br />
<br />
====Speakers====<br />
<br />
==Cassio Goldschmidt==<br />
Symantec<br />
<br />
'''''Title:''''' '''Responsibility for the Harm and Risk of Software Security Flaws'''<br />
<br />
'''''Abstract:'''''<br />
Who is responsible for the harm and risk of security flaws? The advent of worldwide networks such as the internet made software security (or the lack of software security) became a problem of international proportions. There are no mathematical/statistical risk models available today to assess networked systems with interdependent failures. Without this tool, decision-makers are bound to overinvest in activities that don’t generate the desired return on investment or under invest on mitigations, risking dreadful consequences. Experience suggests that no party is solely responsible for the harm and risk of software security flaws but a model of partial responsibility can only emerge once the duties and motivations of all parties are examine and understood. <br />
<br />
State of the art practices in software development won’t guarantee products free of flaws. The infinite principles of mathematics are not properly implemented in modern computer hardware without having to truncate numbers and calculations. Many of the most common operating systems, network protocols and programming languages used today were first conceived without the basic principles of security in mind. Compromises are made to maintain compatibility of newer versions of these systems with previous versions. Evolving software inherits all flaws and risks that are present in this layered and interdependent solution. Lastly, there are no formal ways to prove software correctness using neither mathematics nor definitive authority to assert the absence of vulnerabilities. The slightest coding error can lead to a fatal flaw. Without a doubt, vulnerabilities in software applications will continue to be part of our daily lives for years to come. <br />
<br />
Decisions made by adopters such as whether to install a patch, upgrade a system or employed insecure configurations create externalities that have implications on the security of other systems. Proper cyber hygiene and education are vital to stop the proliferation of computer worms, viruses and botnets. Furthermore, end users, corporations and large governments directly influence software vendors’ decisions to invest on security by voting with their money every time software is purchased or pirated.<br />
<br />
Security researchers largely influence the overall state of software security depending on the approach taken to disclose findings. While many believe full disclosure practices helped the software industry to advance security in the past, several of the most devastating computer worms were created by borrowing from information detailed by researcher’s full disclosure. Both incentives and penalties were created for security researchers: a number of stories of vendors suing security researchers are available in the press. Some countries enacted laws banning the use and development of “hacking tools”. At the same time, companies such as iDefense promoted the creation of a market for security vulnerabilities providing rewards that are larger than a year’s worth of salary for a software practitioner in countries such as China and India. <br />
<br />
Effective policy and standards can serve as leverage to fix the problem either by providing incentives or penalties. Attempts such PCI created a perverse incentive that diverted decision makers’ goals to compliance instead of security. Stiff mandates and ineffective laws have been observed internationally. Given the fast pace of the industry, laws to combat software vulnerabilities may become obsolete before they are enacted. Alternatively, the government can use its own buying power to encourage adoption of good security standards. One example of this is the Federal Desktop Core Configuration (FDCC).<br />
<br />
'''''Bio:'''''<br />
Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure <br />
secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling, penetration testing and vulnerability manegement. Cassio’s background includes over 14 years of technical and managerial experience in the software industry. During the eight years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests. Cassio is also known for leading the OWASP chapter in Los Angeles and is a frequent speaker at security conferences worldwide.<br />
<br />
Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a masters degree in software engineering from Santa Clara University, and a masters of business administration from the University of Southern California.<br />
<br />
==Amichai Shulman==<br />
Imperva<br />
<br />
'''''Title:''''' '''Business Logic Attacks – BATs and BLBs'''<br />
<br />
'''''Other authors:''''' Amichai Shulman, Rob Rachwald<br />
<br />
'''''Abstract:'''''<br />
Cyber attacks are being committed more often by professionals, and are increasingly driven by financial motives. Researchers have discovered the increasing popularity of a certain class of attacks that target business logic. Business logic attacks are a set of legal application transactions that are used to carry out a malicious operation that is not part of normal business practices. For example, brute forcing coupon codes in an ecommerce application to receive multiple discounts. This presentation will provide a quick introduction to business logic attacks, their unique characteristics and the motivation behind their uptick. The session will suggest a classification method for these attacks from which attendees can draw a set of required mitigation capabilities. We will discuss capabilities required for detecting automated interaction with the application, different types of repetitions, flow tampering and even compromised credentials. We will also contemplate on the usage of mitigation techniques such as Captcha, introducing delays and more. Concluding this session we will bring up the claim that all these capabilities can be introduced in the form of a "virtual patch" using a web application firewall, rather than being exclusively fixed in application code.<br />
<br />
'''''Bio:'''''<br />
Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Mr. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Mr. Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Mr. Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Mr. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.<br />
<br />
==Gabriel Quadros==<br />
Conviso IT Security<br />
<br />
'''''Title:''''' '''Taint Analysis of JavaScript Code to Detect Web Application Vulnerabilities'''<br />
<br />
'''''Abstract:'''''<br />
Modern Web applications make increasing use of client-side code, with JavaScript being the most present in most of them. Several vulnerabilities are introduced through the careless use of this language. The publicly available analysis tools are usually based on pattern matching to find potential vulnerabilities, but this is not an efficient approach to analyze large amounts of code. Therefore, there is a need to develop tools to perform more advanced analysis like Taint Analysis and Symbolic Execution. This article discusses various approaches to dynamic analysis of JavaScript code and presents the JsInstrumentator tool, which is being developed by Conviso Security Labs.<br />
<br />
'''''Bio:'''''<br />
Gabriel Quadros começou a estudar segurança da informação em 2003, com interesse principal em engenharia reversa, pesquisa de vulnerabilidades e desenvolvimento de exploits.<br />
<br />
Atualmente cursa o último ano do Bacharelado em Ciência da Computação na Universidade Estadual do Sudoeste da Bahia - UESB.<br />
<br />
Em abril de 2010, começou suas atividades como consultor de segurança na Conviso IT Security.<br />
<br />
==Tony Rodrigues==<br />
Provider IT Business Solutions<br />
<br />
'''''Title:''''' '''Tony’s Top 10 Application Artifacts: A Computer Forensics Approach to OWASP Top 10'''<br />
<br />
'''''Abstract:'''''<br />
Application Computer Forensics has many peculiarities comparing to others Computer Forensics disciplines. It requires not only distinctive techniques but also deep knowledge of specific artifacts. This presentation is about the top ten artifacts related to application computer forensics/digital investigations and their relation to OWASP Top 10 Risks.<br />
<br />
'''''Bio:'''''<br />
Tony Rodrigues é um profissional certificado CISSP, CFCP e Security+ com mais de 20 anos de experiência em TI e 8 anos em Gestão de Segurança de Informações. Já liderou várias investigações, perícias e pesquisas sobre Computação Forense. Tony é consultor em Segurança de Informações e palestrou em importantes conferencias internacionais (CNASI, H2HC,YSTS). É autor/criador do blog forcomp.blogspot.com, sobre Resposta a Incidentes e Forense Computacional e também colabora com artigos no blog de Computer Forensics da SANS.<br />
<br />
==Henrich Christopher Pöhls==<br />
University of Passau - ISL<br />
<br />
'''''Title:''''' '''The State of XML Digital Signatures --- How to Avoid Technical Pitfalls and Harvest the Power of Newer Signature Schemes'''<br />
<br />
'''''Abstract:'''''<br />
XML Digital Signatures are a complex tool, applied right they help to ensure legal compliance, <br />
but there are many pitfalls. <br />
This talk will provide some basic steps that users and implementers should follow to avoid the pitfalls, <br />
among them are:<br />
* Solid Understanding of the XML Signature processing and verification steps <br />
* Use of simplistic and coherent references when creating XML Digital Signature<br />
* Know how to Test what was signed before acting upon it (BitFlip Test)<br />
The Talk will also provide an overview of new applications for recent and more specialized <br />
digital signature schemes, like sanitizable signature schemes (academic research since roughly 2000) that allow to deal with the need<br />
to modify already signed content. And it will highlight the security relevant changes that are planned <br />
for the upcoming version of XML Signature Syntax and Processing 2.0.<br />
<br />
'''''Bio:'''''<br />
Henrich C. Pöhls has presented his scientific work on digital signatures at several academic conferences (i.e. ICICS, GI, Invited Talks) or to technical audiences (i.e. DFN CERT, OWASP). Instructor of a practical IT-security university class for Computer Science and IT-Security Master students for the last 7 years. He has established this course first at the University of Hamburg in 2004 and than at the University of Passau in 2008. The course, now titled "Security Infrastructures", is centered around security infrastructures focussing on secure & authenticated access through the use of digital signatures.<br />
<br />
It involves setting-up a certificate authority, using digital signatures and X509 certificates mostly for authentication in open-source software like client and server authentication with apache, secure DNS zone transfers, or client and server authentication in openvpn, as well as in MS Windows environments.It also covers certificate revocation using CRLs and OCSP. Henrich C. Pöhls draws from a rich repository of his own experience from his academic research in the field and the 7 years of using the available tools for creating, applying and managing digital signatures and X509 certificates in different versions and seeing his students struggle with the pitfalls trying to get it to work.<br />
<br />
==Rodrigo Montoro==<br />
Trustwave Spiderlabs<br />
<br />
'''''Title:''''' '''Web Application First Aid - Virtual Patching with ModSecurity'''<br />
<br />
'''''Abstract:'''''<br />
This presentation will show how to mitigate security problems that you may found after your application goes to the real world . Weʼll talk about how to analyze a security report, understand how modsecurity works and how based on the report to create a virtual patching using modsecurity rules.<br />
<br />
'''''Bio:'''''<br />
Rodrigo “Sp0oKeR” Montoro possui grande experiência em ambientes opensource e mercado de segurança especialmente na parte de IPS/IDS , malwares e protocolos. Atualmente trabalha no time de pesquisas do SpiderLabs (Trustwave) onde faz parte do core team de assinaturas do modsecurity além de analise de malwares, assinaturas de IDS e pesquisas na area de arquivos maliciosos especialmente pdfʼs.<br />
<br />
==Brian Contos==<br />
McAfee<br />
<br />
'''''Title:''''' '''Exploring Three Modern Attack Vectors: Insiders, Industrialized and APTs'''<br />
<br />
'''''Abstract:'''''<br />
Attacks are coming from all angles. In some cases they are very rudimentary; in others they are highly complex. Organizations must be able to protect themselves regardless, and do so in a way this is in parity with business operations, maintains employee and partner agility, and is manageable without the complexity of the solution being worse than the attack itself.<br />
<br />
Failure to address these three different attack types can result in everything from diminished brand loyalty, regulatory penalties, and lost revenue, to stolen intellectual property, economic competitive disadvantage, and military competitive disadvantage.<br />
Based on research from McAfee Labs and customer interactions across the globe in the public and private sector, there is much information that can be shared about these attackers and their strategies.<br />
<br />
Attendees will leave the presentation more knowledgeable about insider threats, industrialized hacking, and APTs. They will have a strong grasp of the attacker motives and understand their attack vectors. The audience will also be exposed to several non-vender, non-product specific countermeasures that they can leverage within their own organizations.<br />
<br />
'''''Bio:'''''<br />
Mr. Contos has over 15 years of security engineering and management expertise. He has worked throughout North and South America, Europe, the Middle East, and Asia. At McAfee he advises government organizations and G2000s on security strategy. He has written two books including Enemy at the Water Cooler – Real Life Stories of Insider Threats, and Physical and Logical Security Convergence which he co-authored with former NSA Deputy Director William Crowell. He has delivered speeches at industry events like RSA, Black Hat, Interop, OWASP, CSI, ISACA, ISSA, InfraGard and eCrime. He is often quoted by business and industry press, and has written articles for Forbes, NY Times, London Times, Computerworld, and many others. He was formerly the Chief Security Strategist for Imperva, the Chief Security Officer for ArcSight, and has held management and engineering positions at Riptech, Bell Labs, Tandem Computers, and DISA.<br />
<br />
==Christophe De La Fuente==<br />
<br />
'''''Title:''''' '''Testing and Fuzzing FLEX: More fun with RIA'''<br />
<br />
'''''Additional author:''''' '''Matt Tesauro'''<br />
<br />
'''''Abstract:'''''<br />
FLEX is a popular choice for the brave new world of web 2.0 applications. While the game may have appeared to change, rich Internet applications (RIA) still allow for the same vulnerabilities and design mistakes to be made. This presentation will cover methods for testing Adobe FLEX applications including the new version 4 and will look at such issues as cross--site flashing, remote calls and fuzzing. Additionally, there will be coverage of tools to test FLEX and other Flash applications including their addition to the OWASP WTE (Web Testing Environment). Finally, some design issues which may hamper FLEX development will be discussed in a brief case study.<br />
<br />
'''''Bio:'''''<br />
Christophe is a Security Consultant within the Application Security practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, and Incident Response for Trustwave's clients. <br />
<br />
Christophe has extensive experience in penetration tests on web application and network infrastructure. He has a background testing a large range of applications, from traditional client/server applications to web applications and web services. In addition to his information security experience, Christophe has experience developing software and web applications. Christophe also has an interest in reverse code engineering for malware analysis and vulnerability research. He as taught post--graduate level university course in the field of web application security testing.<br />
<br />
==Mauro Risonho de Paula Assumpção==<br />
<br />
'''''Title:''''' '''The Tao of Hacking - Detecting Vulnerabilities in Web based Network Devices'''<br />
<br />
'''''Abstract:'''''<br />
This talks relates to the design flaws and vulnerabilities in various network peripheral devices<br />
used for security which are having web interfaces. We will be talking about some of the<br />
vulnerabilities that we have discovered while pen testing these devices. Further , this talk also<br />
lays emphasis on collecting information about internal networks from the network devices like<br />
load balancers, firewalls, disk stations, proxies, surveillance cameras etc. The aim is to gather<br />
maximum infomation from these devices and using that information to test the security of these<br />
devices and detecting vulnerabilities in them. This talk is pure conceptual and technical talk<br />
designed in an easy way to share information among masses.<br />
<br />
'''''Bio:'''''<br />
Mr. Mauro Assumpção Cheshire Paula aka firebits is a security researcher and lecturer at security conferences. He is working as director of NSEC Security Systems, an organization that provides consulting services for security and penetration testing. He has performed numerous safety tests and development projects for organizations such as Intel, Google, Microsiga, Avon, CMS Energy, Unilever, Rhodia, Tostines, Degussa, Niplan and others. He is founder and "Backtrack Brazil" and moderator and translator Backtrack USA.<br />
<br />
Aditya K Sood is a Security Researcher, consultant and PhD candidate in Computer Science Department at Michigan State University.He has worked in the security domain for Armorize, COSEINC and KPMG. He is a founder of SecNiche Security, an independent security research arena. He has been an active speaker at conferences like RSA (US 2010), TRISC, EuSecwest, XCON, Troopers, OWASP AppSec, FOSS, CERT-IN etc. He has writtencontent for HITB Ezine, Hakin9, Usenix Login, Elsevier Journals, Debugged! MZ/PE.He has released number of advisories to forefront companies.Apart from his normal routine work he loves to do lot of web based research and designing cutting edge attack vector.<br />
<br />
==== Schedule ====<br />
<br />
<center>'''<span style="color: rgb(255, 0, 0)"> Note: this schedule is tentative and subject to change. </span>''' </center><br />
<br />
== Conference Program - Day 1 - November 18th 2010 ==<br />
<center><br />
{| width="80%" class="t"<br />
|-<br />
| width="14%" height="17" align="right" | 08:30 - 09:00 <br />
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''<br />
|-<br />
| width="14%" height="17" align="right" | 09:00 - 09:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Opening Ceremony'''<br />
|-<br />
| width="14%" height="49" align="right" | 09:30 - 10:30 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Dinis Cruz'''<br> About OWASP<br />
|-<br />
| width="14%" height="17" align="right" | 10:30 - 10:50 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="49" align="right" | 10:50 - 12:20 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Robert 'RSnake' Hansen'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 12:20 - 14:20 <br />
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''<br />
|-<br />
| width="14%" height="47" align="right" | 14:20 - 15:10 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="32" align="right" | 15:10 - 16:00 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="17" align="right" | 16:00 - 16:20 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="47" align="right" | 16:20 - 17:10 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="32" align="right" | 17:10 - 18:00 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Amichai Shulman<br>''' Business Logic Attacks – BATs and BLBs<br />
|-<br />
| width="14%" height="47" align="right" | 18:00 - 18:50 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Mano Paul'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 18:50 - 18:55 <br />
| bgcolor="#cccccc" align="CENTER" | '''End of the First Day'''<br />
|}<br />
</center> <br />
<br><br />
<br />
== Conference Program - Day 2 - November 19th 2010 ==<br />
<center><br />
{| width="80%" class="t"<br />
|-<br />
| width="14%" height="17" align="right" | 08:30 - 09:00 <br />
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''<br />
|-<br />
| width="14%" height="32" align="right" | 09:00 - 10:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Jeremiah Grossman'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 10:30 - 10:50 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="47" align="right" | 10:30 - 11:40 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="32" align="right" | 11:40 - 12:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 12:30 - 14:30 <br />
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''<br />
|-<br />
| width="14%" height="32" align="right" | 14:30 - 15:20 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Samy Kamkar'''<br> How I met your girlfriend<br />
|-<br />
| width="14%" height="32" align="right" | 15:20 - 16:10 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Bian Contos'''<br> Exploring Three Modern Attack Vectors: Insiders, Industrialized and APTs<br />
|-<br />
| width="14%" height="32" align="right" | 16:10 - 16:40 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Cel. Monclaro'''<br> Presentation of RENASIC<br />
|-<br />
| width="14%" height="17" align="right" | 16:40 - 17:00 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="32" align="right" | 17:00 - 17:50 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="32" align="right" | 17:50 - 18:40 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 18:40 - 19:00 <br />
| bgcolor="#cccccc" align="CENTER" | '''Closing Ceremony'''<br />
|}<br />
</center> <br />
<br> <br />
<br />
==== Trainings ====<br />
<br />
[[Image:Aspect logo.png]] <br />
<br />
=== '''Secure Coding for J2EE Applications''' ===<br />
<br />
[[Image:Jasonli appsecBR2010.jpg|frame]] '''Date and time: November 16th and 17th'''<br> '''Instructor: Jason Li'''<br> '''Summary'''<br> Training developers on secure coding practices offers one of the highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Java EE Secure Coding Training raises developer awareness of application security issues and provides examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and is delivered in a very interactive manner. This class includes hands-on exercises where the students get to perform security analysis and testing on a live Java EE web application. This specially designed environment includes deliberate flaws the students have to find, diagnose, and fix. The class also uses Java EE coding exercises to provide students with realistic hands-on secure coding experience. Students gain hands-on experience using freely available web application security test tools to find and diagnose flaws and learn to avoid them in their own code.<br> <br />
<br />
'''Audience'''<br> The intended audience for this course is intended for Java EE software developers and Java EE software testers who know how to program.<br> <br />
<br />
'''Learning Objectives'''<br> At the highest level, the objective for this course is to ensure that developers are capable of designing, building, and testing secure Java EE applications and understand why this is important.<br> <br />
<br />
'''Topics'''<br> <br />
<br />
*'''HTTP Fundamentals'''<br> <br />
**Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)<br> <br />
*'''Design Principles and Patterns'''<br> <br />
**Understand and be able to apply application security design principles.<br> <br />
*'''Threats'''<br> <br />
**Be able to identify and explain common web application security threats (e.g. , cross-site scripting, SQL injection, denial of service attacks, "Man-in-the-middle" attacks, etc.) and implement mitigation techniques.<br> <br />
*'''Authentication and Session Management'''<br> <br />
**Be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, reauthentication, and timeouts.<br> <br />
*'''Access Control'''<br> <br />
**Be able to implement access control rules for the user interface, business logic, and data layers.<br> <br />
*'''Input Validation'''<br> <br />
**Be able to recognize potential input validation issues, particularly injection and Cross-site Scripting (XSS) problems, and implement appropriate input validation mechanisms for user input and other sources of input.<br> <br />
*'''Command Injection'''<br> <br />
**Understand the dangers of command injection and techniques for avoiding the introduction of this type vulnerability.<br> <br />
*'''Error Handling'''<br> <br />
**Be able to implement a consistent error (exception) handling and logging approach for an entire web application.<br> <br />
*'''Cryptography'''<br> <br />
**Learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.<br><br />
<br />
'''Jason’s Bio'''<br> Jason is a remarkable trainer, mastering five different training courses within a year’s time to our most valuable longstanding but diverse clients. The client base included a large financial institution, several leading shipping and logistics Management Company, and a leading Government systems integrator.<br> <br />
<br />
Jason has also taught Advanced Web Application Security Testing and Building Secure Web Applications classes at OWASP 2008 conferences in Belgium and India.<br> <br />
<br />
Common remarks returned from Jason’s class evaluations include '''“This is probably one of the most important classes I‘ve been exposed to here”''' and '''“One of the best instructors I’ve ever had. Really knowledgeable of the subject. Kept class interested by sharing real life examples that depicted good scenarios”'''<br><br />
<br />
== Using the OWASP ESAPI security API to provide security to web applications ==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> Tutorial in Portuguese. </span>'''<br />
<br />
'''Date and time: November 16th (9AM to 6PM)'''<br> '''Instructor: Tarcizio Vieira Neto'''<br> <br />
<br />
'''Summary'''<br />
<br />
The evolution of technology in the development of web applications has contributed to a significant increase in the use of this technology to meet the most diverse purposes. However, this technology is subject to critical security vulnerabilities, especially when recent research show that most vulnerabilities are present in the application itself. OWASP's ESAPI library (Enterprise Security API) appears in this scenario as an open source security library available for several languages such as Java EE, PHP,. NET, Classic ASP, Python, Ruby, among others. This short course addresses the vulnerabilities caused by common errors in applications development and security control mechanisms provided by ESAPI with focus on Java technology. The general principles learned in the course can be applied in the context of other programming languages.<br />
<br />
'''Target audience'''<br />
<br />
The desired profile of the audience are people connected to the area of web application development and security, having as a basic pre-requisite knowledge in web technologies, communication protocols HTTP and HTTPS, basic principles of security: encryption, hashing and digital signature, Java programming for Web systems.<br />
<br />
<br />
'''Learning objectives'''<br />
<br />
* Know the main security vulnerabilities commonly found in Web applications<br />
* Present the architecture of the ESAPI library and the operation of its modules with examples in Java.<br />
* Present Web Application Firewall component of ESAPI.<br />
<br />
<br />
'''Tópic'''<br />
<br />
# Introduction<br />
# # Myths related to security in Web applications<br />
# # OWASP Project<br />
# OWASP Top 10<br />
# OWASP ESAPI Library<br />
# # Validation and Encoding Module<br />
# # Authentication Module<br />
# # Access Control Module<br />
# # HTTP Utilities Module<br />
# # Access references module<br />
# # Cryptographic Module<br />
# # Log Module<br />
# # Intrusion Detection Module<br />
# # integrating the AppSensor module with ESAPI<br />
# # Using Filters<br />
# # Configuring ESAPI<br />
# # Web Application Firewall Module<br />
# Benefits of Using ESAPI<br />
# Conclusions<br />
<br />
<br />
'''Instructor'''<br />
<br />
Tarcízio Vieira Neto has a degree in Computer Science from Universidade Federal de Goiás (UFG), in Goiania. He began his career as an intern developer on a project of technology initiation funded by CNPq in the company Estratégia, in Goiania. After graduating he worked for six months at the company Fibonacci Soluções Ágeis in the same city, as a development analyst. Then worked for two years and eight months as a Brazilian Air Force officer as a systems analyst in the Air Force Computer Center in Brasilia, where he gained experience with the technologies of digital certification and collaborated in the development of an enterprise electronic document management system.<br />
<br />
Currently working at SERPRO since November 2009 as an Analyst in CETEC, working on software development security, dedicated primarily in writing guidelines that standardize techniques and tools tho support security in Web applications development<br />
<br />
He is attending a specialization course in Information Security from University of Brasília (UnB) and has altogether more than five years of programming experience in Java.<br />
<br />
<br />
==The Art and Science of Threat Modeling Web Applications==<br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|right|Mano Paul]]<br />
'''<span style="color: rgb(255, 0, 0);"> This tutorial is in English without translation. </span>''' <br />
<br />
'''Date and Time: November 17 (9AM to 6PM)'''<br> '''Instructor: Mano Paul'''<br><br />
<br />
'''Summary'''<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk. <br />
<br />
<br />
'''Target audience'''<br />
<br />
The target audience is made of technical staff and management of system development organizations, with no required knowledge of languages or specific programming techniques.<br />
<br />
<br />
'''Learning Objectives'''<br />
<br />
# Understand Threat Modeling; when to threat model and when not too<br />
# Translation of threats to risks for the organization<br />
# Have fun learning complex concepts with exercises and interactive games<br />
<br />
<br />
'''Topic'''<br />
<br />
# Introduction <br />
# Why Threat Model? <br />
# Is Threat Modeling Right for You? <br />
# Challenges <br />
# Precursors <br />
# Data Classification and Threat Modeling <br />
# Web Application Security Mechanisms <br />
# Benefits of Threat Modeling <br />
# Common Glossary of Terms <br />
# Threat Agents <br />
# OWASP Top 10 and common application attacks<br />
# Threat Modeling Process <br />
# Attack Trees <br />
# Threat and Risk Frameworks e.g., STRIDE and DREAD <br />
# Threat to Risk translation<br />
# Threat Modeling (<span style="color: rgb(255, 0, 0);">Hands-On Exercise</span>)<br />
<br />
<br />
'''Instructor'''<br />
<br />
Manoranjan (Mano) Paul is the Software Assurance Advisor for (ISC)2. His information security and software assurance experience includes designing and developing security programs from compliance-to-coding, security in the SDLC, writing secure code, risk management, security strategy, and security awareness training and education. He founded and serves as the CEO & President of Express Certifications. He also founded SecuRisk Solutions, a company that specializes in security product development and consulting.<br />
<br />
== Security in Service-oriented architectures ==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> Tutorial in Portuguese. </span>'''<br />
<br />
'''Date and time: Nov 17 (9AM to 6PM)'''<br> '''Instructors: Douglas Rodrigues, Julio Cesar Estrella e Nuno Manuel dos Santos Antunes'''<br> <br />
<br />
'''Summary'''<br />
<br />
Web services are the cornerstone of Service-Oriented Architectures (SOA). As critical components of business, Web services must provide high security. However, the deployment of secure Web services is a complex task. In fact, several studies show that a large number of Web Services are deployed with security breaches ranging from code vulnerabilities (eg vulnerabilities that allow code injection, including SQL injection and XPath injection) to the incorrect use of standards and security protocols. The aim of this short course is to present the theoretical and practical tools that allow the detection of vulnerabilities and security protocols and mechanisms against attacks.<br />
<br />
<br />
'''Público Alvo'''<br />
<br />
The target audience is composed of technical staff and operational systems development organizations with requirements for knowledge of languages and programming methodologies at the intermediate level.<br />
<br />
'''Learning Objectives'''<br />
<br />
The proposed short course contributes to add new technological trends. The theme is quite interesting in relation to the great challenges of research in computing, since it fits naturally within the technological development of quality, encompassing making systems available, accurate, secure, scalable, persistent and ubiquitous, and notoriously, observing the conference area, which SOA, Web services and security are the subject of growing research in computing, as it is current and of interest to the academic community, as well as professionals who work in the labor market. The interest in SOA has grown in recent years because it is an approach that helps the system to remain flexible and scalable as they grow, and can also help to resolve the gap business / IT. Students and professionals will have the opportunity to understand the basics of vulnerability detection code level and also to detect attacks between protocols and mechanisms. The idea is that participants can use the knowledge gained in this brief short course for the development of distributed applications using Web services secure and obtain knowledge needed to diagnose and prevent attacks on this type of application.<br />
<br />
'''Topics'''<br />
<br />
#SECURITY STANDARDS AND PROTOCOLS FOR WEB SERVICES<br />
#ATTACKS IN WEB SERVICES<br />
## Denial of Service Attacks<br />
## Attacks Brute Force<br />
## Spoofing Attacks<br />
## Flooding Attacks<br />
## Injection Attacks<br />
#EVALUATING SECURITY IN WEB SERVICES<br />
## Case Study on security in Web Services<br />
## "white box" analysis<br />
## "Black-box" testing<br />
## "Gray-box" testing<br />
## Case study on the effectiveness of tools for security assessment<br />
<br />
'''Instructors'''<br />
<br />
Julio Cesar Estrella - Master in Computer Science and Computational Mathematics, in the area of Distributed Systems (Institute of Mathematical Sciences and Computer ICMC / University of São Paulo - USP). During the Masters, worked with simulated queuing network in a project related to the development of negotiation techniques in models of web servers with service differentiation. Ph.D. in Computer Science and Computational Mathematics (Institute of Mathematical Sciences and Computer ICMC / University of São Paulo - USP). The theme of his doctoral thesis was about service-oriented architectures to support QoS and characterization of workloads for Web Services Composition and Service also supports Quality of Service. He is currently a professor at the Federal Technological University of Paraná (UTFPR - Campo Mourão)<br />
<br />
Douglas Rodrigues - Master in Computer Science and Computational Mathematics from Institute of Mathematics and Computer Science, University of São Paulo - ICMC-USP/São Carlos. Bachelor of Computer Science from University Euripides Marília - Univ - Marília / SP. Works on the following subjects: SOA, Web Services, performance evaluation, encryption and security.<br />
<br />
Nuno dos Santos Antunes - attended from 2003 to 2007, the Computer Engineering program, University of Coimbra. Since 2008, carries out scientific research in the group of Software and Systems Engineering (SSE) Center for Informatics and Systems University of Coimbra (CISUC), on topics related to methodologies and tools for developing Web Services without vulnerabilities. Concluded in 2009 a Masters in Computer Engineering from the Department of Computer Engineering, University of Coimbra, with the final rating of Very Good. In 2009 he began his PhD in Sciences and Information Technology. He published five scientific papers in conferences with the process of rigorous peer review, including articles in the most prestigious conferences in the areas of reliability and services.<br />
<br />
<br />
==Black-Box & White-Box ASP.NET Security Reviews using the OWASP O2 Platform==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> Thsi tutorial will be in Portuguese with materials in English </span>'''<br />
<br />
'''Date and time: November 16th (9AM to 6 PM)'''<br> '''Instructor: Dinis Cruz'''<br><br />
<br />
'''Summary'''<br />
<br />
This is a hands-on Training course on how to use the OWASP O2 Platform to perform both Black-Box and White-Box security reviews on ASP.NET Web Applications<br />
<br />
The course is designed for security consultants/developers who are responsible for performing Penetration Tests or Security Code Reviews. The course will show practical examples of how to use the OWASP O2 Platform to find, exploit and document security vulnerabities.<br />
<br />
For the course's labs, a number of test and real-world applications/frameworks will be used. In order to give the students a benign test enviroment which is easy to replicate, the (vulnerable-by-design) HacmeBank ASP.NET banking application will be used throughout the course.<br />
<br />
'''Topics'''<br />
<br />
* What is the OWASP O2 Platform and how to use it?<br />
* Using O2's Unit Tests for web exploration and browsing<br />
* Using O2's Unit Tests for web exploitation<br />
* Understanding and using O2's Web Automation Tools to find and exploit vulnerabilities in HacmeBank (Black-Box)<br />
* Understanding and using O2's AST .NET Scanner to find vulnerabilities in HacmeBank (White-Box)<br />
* Connecting the source-code traces with the web exploits to create a unified view of the vulnerabilties<br />
* Create 'Vulnerability-driven Unit Tests' to be delivered to Developers, QA/Testers and Managers<br />
* Customizing and writing new APIs (for new or modified frameworks)<br />
* Using O2 to consume results from open source tools and 3rd party commercial vendors<br />
* Case Study: Microsoft ASP.NET MVC<br />
* Case Study: Microsoft Sharpoint<br />
<br />
<br />
'''Instructor'''<br />
<br />
The course is delivered by Dinis Cruz who the lead developer of the OWASP O2 Platform and has created and delivered a number of .NET Security training courses<br />
<br />
== Location ==<br />
<br />
Please check the ''Venue'' tab in this page.<br />
<br />
==== Venue ====<br />
<br />
The event will be held in Campinas, SP, Brazil at: [http://www.cpqd.com.br Fundação CPQD]. <br />
<br />
You can check the location at [http://maps.google.com.br/maps/ms?source=embed&hl=pt-BR&geocode=&ie=UTF8&update=1&t=h&msa=0&msid=104978801628275418750.000462bf2d1a49a7571af&ll=-22.83125,-47.044315&spn=0.03718,0.04034&z=14 Google Maps] <br />
<br />
''How to get there'' <br />
<br />
TBD <br />
<br />
==== Registration ====<br />
<br />
== Online Registration ==<br />
<br />
Registration form is available at https://creator.zoho.com/lucas.ferreira/appsec/<br />
<br />
== Conference Fees ==<br />
<br />
'''Access to conference:'''<br />
<br />
* Before Sep 16th: 400.00 BRL<br />
* Before Oct 16th: 500.00 BRL<br />
* Before Nov 12th: 550.00 BRL<br />
* On site: 600.00 BRL<br />
<br />
On site registration subject to the availability of seats.<br />
<br />
'''Trainings'''<br />
<br />
* One day: 450.00 BRL<br />
* Two days: 900.00 BRL<br />
<br />
'''Discounts'''<br />
<br />
* OWASP Member: 100.00 BRL (Note: This discount is greater than the OWASP USD 50.00 annual fee. Check [http://www.google.com.br/#q=50+usd+in+brl&fp=1 here]<br />
* Student: 100.00 BRL (Note: student ID required).<br />
* Special discounts available for groups registrations. Please send inquiries to organizacao2010@appsecbrasil.org<br />
<br />
==== Committees ====<br />
<br />
== Conference Committee ==<br />
<br />
OWASP Global Conferences Committee Chair: Mark Bristow <br />
<br />
OWASP [[Brazilian]] Chapter Leader: Wagner Elias <br />
<br />
AppSec Brasil 2010 Organization Team (organizacao2010 at appsecbrasil.org): <br />
<br />
*Conference General Chair: Lucas C. Ferreira <br />
*Tutorials Chair: Eduardo Camargo Neves <br />
*Tracks Chair: Luiz Otávio Duarte <br />
*Local Chair: Alexandre Melo Braga<br />
<br />
=== Team Members ===<br />
<br />
*Alexandre Melo Braga <br />
*Eduardo Camargo Neves <br />
*Lucas C. Ferreira <br />
*Luiz Otávio Duarte <br />
*Wagner Elias <br />
*Eduardo Alves Nonato da Silva <br />
*Leonardo Buonsanti <br />
*Dinis Cruz <br />
*Paulo Coimbra<br />
<br />
<br />
== Programme Committee:==<br />
* Alexandre Braga<br />
* Carlos Serrao<br />
* Eduardo alves<br />
* Fernando Cima<br />
* Leonardo Buonsanti<br />
* Lucas Ferreira<br />
* Luiz Duarte<br />
* Nelson Uto<br />
* Rodrigo Rubira<br />
* Wagner Elias<br />
<br />
<br> <br> <br />
<br />
==== Travel ====<br />
<br />
TBD <br />
<br />
==== Twitter ====<br />
<br />
<twitter>124443335</twitter><br />
<br />
==== Links ====<br />
<br />
Blog: http://blog.appsecbrasil.org <br />
<br />
Twitter: http://twitter.com/owaspappsecbr <br />
<br />
Banner: http://www.owasp.org/images/3/31/AppSec_Brasil_2010_Banner.gif<br />
<br />
Powerpoint template: [[Media:OWASP_Presentation_Template_BrazilAppSec2010.ppt]]<br />
<br />
<br> <headertabs /> <br />
<br />
[[Category:OWASP_AppSec_Conference]]</div>Manopaulhttps://wiki.owasp.org/index.php?title=Manoranjan_(Mano)_Paul&diff=89782Manoranjan (Mano) Paul2010-09-22T05:03:53Z<p>Manopaul: </p>
<hr />
<div>[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Shark Researcher turned Security Guru!</b><br><br />
<b>Manoranjan (Mano) Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP, SSCP, CSSLP and the BCI certificate. <br />
<br />
Before SecuRisk Solutions and Express Certifications, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His information security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. He actively participates in OWASP as a speaker, trainer and in OWASP leadership events. He is also the appointed Software Assurance Advisor for (ISC)<sup>2</sup>, representing and advising the organization on software assurance strategy, training, education and certification. He is an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter. <br />
<br />
Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, TRISC and SC World Congress conferences. He is the author of the Official (ISC)<sup>2</sup> Guide to the Certified Secure Software Lifecycle Professional (CSSLP<sup>CM</sup>), contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN).<br />
<br />
Mano is married to whom he calls the “most wonderful and sacrificial person in this world” - Sangeetha Johnson and their greatest fulfillment comes from spending time with the son – Reuben A Paul (RAP).</div>Manopaulhttps://wiki.owasp.org/index.php?title=AppSec_US_2010,_CA&diff=88827AppSec US 2010, CA2010-09-07T21:39:11Z<p>Manopaul: /* Welcome to AppSec&nbsp;USA 2010 */</p>
<hr />
<div>__NOTOC__ <br />
<br />
<br>[[Image:Appsec banner.png|598x79px|AppSec USA 2010 Banner]] <br />
<br />
<br> <br />
<br />
= Welcome to AppSec&nbsp;USA 2010 =<br />
<br />
{| width="100%" border="0" align="center" class="FCK__ShowTableBorders"<br />
|-<br />
| align="left" colspan="4" style="background: none repeat scroll 0% 0% rgb(238, 235, 226); color: black;" | <br />
For complete information, please visit [http://www.appsecusa.org AppSec US 2010 Website] <br>Training and Presentation Schedules Available Now! <br />
<br />
Training Days<br>Sept 7-8: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=Training_September_7th_.26_8th Schedule of Classes] <br />
<br />
Presentation Schedule<br>Sept 9th: [http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_9th Schedule of Talks]<br>Sept 10th:&nbsp;[http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=September_10th Schedule of Talks] <br />
<br />
|}<br />
<br />
{| class="FCK__ShowTableBorders" style="width: 100%;"<br />
|-<br />
| style="width: 100%; color: rgb(0, 0, 0);" | <br />
{| class="FCK__ShowTableBorders" style="width: 100%; background: none repeat scroll 0% 0% transparent; -moz-background-inline-policy: continuous;"<br />
|-<br />
| style="width: 95%; color: rgb(0, 0, 0);" | <br />
'''Latest Updates:''' <br />
<br />
Dr. Chenxi Wang of Forrester Research added as keynote speaker for September 9. <br />
<br />
@chenxiwang tweets at http://twitter.com/chenxiwang.'''<br>''' <br />
<br />
|}<br />
<br />
<!-- Twitter Box --> <br />
<br />
| style="border: 0px solid rgb(204, 204, 204); width: 100%; color: rgb(0, 0, 0); font-size: 95%;" | <!-- DON'T REMOVE ME, I'M STRUCTURAL <br />
<br />
{|<br />
|-<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" | <br />
<!--<br />
Use the '''[http://twitter.com/appsec2010 #AppSec2010]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?) <br />
<br />
'''@AppSec2010 Twitter Feed ([http://twitter.com/appsec2010 follow us on Twitter!])''' <twitter>appec2010</twitter>--> <br> <br />
| style="width: 110px; color: rgb(0, 0, 0); font-size: 95%;" | <br><br />
|}<br />
<br />
<!-- End Banner --> <br />
<br />
==== Training September 7th &amp; 8th ====<br />
<br />
{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 80%;"<br />
|-<br />
! align="center" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | T1. Web Security Testing - 2-Days - $1350<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | This course is a deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing, arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to common web application vulnerabilities, testing techniques and tools by a professional security tester. <br />
The course includes a guided penetration test in which the students will execute security test with the help of the instructor. <br />
<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Instructor: Joe Basirico, Security Innovation<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [[Learn More About the Web Security Testing Class]]<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [http://www.appsecusa.org/register-now.html Click here to register]<br />
|}<br />
<br />
{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 80%;"<br />
|-<br />
! align="center" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | T2. Building Secure Ajax and Web 2.0 Applications - 2-Days - $1350<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | This two-day class will cover common Web 2.0 and AJAX security threats, vulnerabilities, and it will provide specific guidance on how to develop Web 2.0 applications to defend against these threats and vulnerabilities. <br />
Training developers on secure coding practices offers one of highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building Secure Ajax and Web 2.0 Applications Course enables developers to securely utilize Web 2.0 technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how Ajax attacks work, the impacts of successful attacks, and what to do to defend against them. <br />
<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Instructor: Dave Wichers: [[Image:Aspect logo.gif]]<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [[Learn More about the Building Secure Ajax and Web 2.0 Applications Class]]<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [http://www.appsecusa.org/register-now.html Click here to register]<br />
|-<br />
! align="center" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | T3. Assessing and Exploiting Web Applications with Samurai - WTF - 2-Days - $1350<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | <br />
Come take the official Samurai-WTF training course given by one of the founders and lead developers of the project! You will learn how to use the latest Samurai-WTF open source tools and the be shown the latest techniques to perform web application assessments. After a quick overview of pen testing methodology, the instructor will lead you through the penetration and exploitation of three different web applications, and the browsers connecting to them. Different sets of open source tools will be used on each web application, allow you to learn first hand the pros and cons of each tool. After you have gained experience with the Samurai-WTF tools, you will be challenged with a fourth web application that contains keys you must find and collect. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence necessary to perform web application assessments and expose you to the wealth of freely available open source tools. <br />
<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | <br />
Instructor: Justin Searle: InGuardians [[Image:InGuardians.png|36x39px]] <br />
<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [http://www.appsecusa.org/register-now.html Click here to register]<br />
|-<br />
! align="center" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | T4. Application Security Leadership Essentials - 2-Days - $1350<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Instructor: Jeff Williams: [[Image:Aspect logo.gif]]<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [[Learn More about the Application Security Leadership Essentials Class]]<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [http://www.appsecusa.org/register-now.html Click here to register]<br />
|-<br />
! align="center" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | T5. Software Security Remediation: How to Fix Application Vulnerabilities 1-Day - Sept 7th- $675<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications. <br />
Instructor: Dan Cornell: [[Image:AppSecDC2009-Sponsor-denim.gif]] <br />
<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [http://www.appsecusa.org/register-now.html Click here to register]<br />
|}<br />
<br />
{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 80%;"<br />
|-<br />
! align="center" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | T6. Live CD 1-Day - Sept 8th- $675<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | This class will will cover the full range of tools and documentation that OWASP provides under free and open licenses. When the class is complete, students will be familiar with a wide range of tools and techniques to test web applications. <br />
The class will include a DVD of OWASP tools and documentation for testing web applications. Additionally, the DVD will include the OWASP Web Testing Environment. OWASP WTE is a collection of tools and documentation for testing web applications available both as a bootable Live CD and virtual machines. Attendees to this class will receive a customized version of OWASP WTE. It will be provided as a virtual machine which includes the tools, documentation and the applications tested during class. It is a self-contained environment to learn web application testing the students can take from class to further hone their testing skills. <br />
<br />
Students are encouraged to bring a laptop to class. The virtualization software for OWASP WTE runs on Windows, OS X and Linux. Students with a laptop can follow along with the in class demonstrations to get hands on testing experience <br />
<br />
<br>Instructors: Matt Tesauro and Charles Henderson: [[Image:TrustwaveLogo.jpg]] <br />
<br />
|-<br />
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [http://www.appsecusa.org/register-now.html Click here to register]<br />
|}<br />
<br />
<br> <br />
<br />
==== September 9th ====<br />
<br />
{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 80%;"<br />
|-<br />
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''Conference Day 1 - September 9th, 2010''' <br />
<br> <br />
<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br> <br />
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Track 1 - Crystal Cove Auditorium <br />
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Track 2 - Emerald Bay <br />
| style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Track 3 - Doheny Beach<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 07:30-08:30 <br />
| align="left" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Registration and Breakfast + Coffee<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 08:30-08:45 <br />
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Welcome to OWASP AppSec US, 2010 (Crystal Cove Auditorium)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 08:45-9:30 <br />
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(252, 252, 150);" | Keynote: Jeff Williams (Crystal Cove Auditorium)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 9:30-10:15 <br />
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(252, 252, 150);" | Keynote: Chenxi Wang (Crystal Cove Auditorium)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 10:15-10:35 <br />
| align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break - Expo - CTF kick-off (Pacific Ballroom)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 10:35-11:20 <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | How I met your Girlfriend, ''Samy Kamkar''<br> <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Solving Real-World Problems with an Enterprise Security API (ESAPI), ''Chris Schmidt, ServiceMagic''<br> <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Panel Discussion: Characterizing Software Security as a Mainstream Business Risk – How to talk to other CXO’s about Software Security<br>John Dickson - Principal, Denim Group (moderator)<br>Tom Brennan - CEO Proactive Risk, OWASP Board Member<br>Ed Pagett, CISO, Lender Processing Services<br>Richard Greenberg, Information Security Officer, Los Angeles County Department of Public Health<br> John Sapp - IT Governance, Risk &amp; Compliance Manager, McKesson<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 11:20-11:30 <br />
| align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break - Expo - CTF (Pacific Ballroom)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 11:30-12:15 <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | State of SSL on the Internet - 2010 Survey, Results and Conclusions, ''Ivan Ristic, Qualys''<br> <br />
<br> <br />
<br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Into the Rabbit Hole: Execution Flow-based Web Application Testing, ''Rafal Los, Hewlett-Packard''<br> <br />
<br> <br />
<br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Threat Modeling Best Practices, ''Robert Zigweid, IOActive''<br><br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 12:15-13:15 <br />
| align="left" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Lunch - Expo - CTF (Pacific Ballroom)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 13:30-14:15 <br />
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(252, 252, 150);" | Keynote: Bill Cheswick (Crystal Cove Auditorium)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 14:15-14:25 <br />
| align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break - Expo - CTF (Pacific Ballroom)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 14:25-15:10 <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | P0w3d for Botnet CnC, ''Gunter Ollmann, Damballa''<br> <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Cloud Computing, A Weapon of Mass Destruction?, ''David Bryan, Trustwave's SpiderLabs &amp; Michael Anderson, NetSPI''<br> <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | The Secure Coding Practices Quick Reference Guide, ''Keith Turpin, Boeing''<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 15:10-15:30 <br />
| align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Coffee Break - Expo - CTF (Pacific Ballroom)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 15:30-16:15 <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, ''Dan Cornell, Denim Group''<br> <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Assessing, Testing and Validating Flash Content, ''Peleus Uhley, Adobe''<br> <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Tour of OWASP Projects,<br> ''Dinis Cruz, OWASP'' <br />
----<br />
<br />
Using the OWASP O2 Platform, <br>''Dinis Cruz, OWASP'' <br />
<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 16:15-16:25 <br />
| align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break - CTF<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 16:25-17:10 <br />
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen. Moderator: Stuart Schwartz<br />
|<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 17:10-17:30 <br />
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Mozilla Announcment: Content Security Policy<br />
|-<br />
<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 17:30-18:00 <br />
| align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 18:00-21:00 <br />
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Networking Event (Pacific Ballroom)<br />
|}<br />
<br />
==== September 10th ====<br />
<br />
{| border="0" align="center" class="FCK__ShowTableBorders" style="width: 80%;"<br />
|-<br />
| align="center" colspan="4" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''Conference Day 2 - September 10th, 2010''' <br />
<br> <br />
<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br> <br />
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Track 1 - Crystal Cove Auditorium <br />
| style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Track 2 - Emerald Bay <br />
| style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Track 3 - Doheny Beach<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 08:00-09:00 <br />
| align="left" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Coffee - Expo - CTF<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 09:00-09:15 <br />
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Announcements (Crystal Cove Auditorium)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 09:15-10:00 <br />
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(252, 252, 150);" | Keynote: David Rice (Crystal Cove Auditorium)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 10:00-10:10 <br />
| align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break - Expo - CTF (Pacific Ballroom)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 10:10-10:55 <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Security Architecting Applications for the Cloud, ''Alex Stamos, iSEC Partners''<br> <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Unraveling Cross-Technology, Cross-Domain Trust Relations, ''Peleus Uhley, Adobe''<br> <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Real Time Application Defenses - The Reality of AppSensor &amp; ESAPI, ''Michael Coates, Mozilla,''<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 10:55-11:15 <br />
| align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break - Expo - CTF (Pacific Ballroom)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 11:15-12:00 <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Reducing Web application Vulnerabilities: Moving from a Test-Dependent to Design-Driven development, ''Joe Basirico, Security Innovation''<br> <br />
<br> <br />
<br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Session Management Security tips and Tricks, ''Lars Ewe, Cenzic''<br> <br />
<br> <br />
<br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | The Dark Side of Twitter: Measuring and Analyzing Malicious Activity on Twitter, ''Paul Judge, David Maynor, and Daniel Peck, Barracuda Labs''<br><br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 12:00-13:15 <br />
| align="left" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Lunch - Expo - CTF (Pacific Ballroom)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 13:15-14:00 <br />
| align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(252, 252, 150);" | Keynote: HD Moore (Crystal Cove Auditorium)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 14:05-14:50 <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | ''Panel Discussion: Vulnerability Lifecycle for Software Vendors<br><br />
Edward Bonver - Principal Software Engineer, Symantec (moderator)<br><br />
Kelly FitzGerald, Senior Vulnerability Analyst, Symantec<br><br />
Katie Moussouris, Senior Security Strategist, Microsoft<br><br />
John Steven, Senior Director, Cigital <br><br />
Daniel Holden, Director, DVLabs, HP, TippingPoint<br><br />
'' <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Agile + Security = FAIL, ''Adrian Lane''<br> <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities, ''Aditya K. Sood''<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 14:50-15:10 <br />
| align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Coffee Break - Expo - CTF (Pacific Ballroom)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 15:10-15:55 <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Escalating Privileges through Database Trusts, ''Scott Sutherland and Antti Rantasaari, NetSPI''<br> <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Panel Discussion: Defining the Identity Management Framework, ''<br />
Barbara Danzi, Garda Cash Logistics (moderator)<br><br />
Richard Tychansky, Lockheed Martin<br><br />
Jeff Williams, Aspect Security<br><br />
Hord Tipton, (ISC)²<br><br />
Mano Paul, (ISC)²<br><br />
''<br> <br />
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Breaking Web Browsers, ''Jeremiah Grossman, WhiteHat Security''<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 15:55-16:05 <br />
| align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break - Expo - CTF (Pacific Ballroom)<br />
|-<br />
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 16:05-16:50 <br />
| align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Conference Wrap Up: AppSec US 2011 Location Announcement, CTF Results, Prizes&nbsp;(Pacific Ballroom)<br />
|}<br />
<br />
<br> <br />
<br />
==== Sponsors ====<br />
<br />
We are currently soliciting sponsors for the AppSec US 2010 Conference. Please refer to our [http://www.appsecusa.org/become-a-sponsor.html List of Sponsorship Opportunities]&nbsp;(or [http://www.owasp.org/images/b/b3/OWASP_sponsorship_Irvine.pdf PDF]). <br />
<br />
Please contact [mailto:kate.hartmann@owasp.org Kate Hartmann] for more information. <br />
<br />
Slots are going fast so contact us to sponsor today! <br />
<br />
<br> <br />
<br />
<br><br />
<br />
= Gold Sponsors =<br />
<br />
[[Image:Ibmneg blurgb.jpg|140x65px]] &nbsp; &nbsp;&nbsp; [[Image:Fortify logo AppSec Research 2010.png|139x43px]] &nbsp;&nbsp;&nbsp; [[Image:TrustwaveLogo.jpg]] &nbsp; &nbsp;&nbsp; [[Image:Veracode.gif|140x65px]]<br> <br />
<br />
<br> <br />
<br />
= Silver Sponsors =<br />
<br />
[[Image:Fishnet Logo AppSec.jpg]] &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; [[Image:Acunetix logo 200.png]] &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; [[Image:Barracuda Color Logo.jpg]]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br />
<br />
<br>[[Image:Cenziclogo.png]] &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; [[Image:Cigital-hor-color.JPG|120x65px]] &nbsp; &nbsp; &nbsp;&nbsp; &nbsp; &nbsp;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; [[Image:Fujitsu-red-opt-b-150x56.gif|150x56px]]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br>[[Image:Netspi logo.png]] &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; [[Image:Whitehat security logo.gif]] &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; [[Image:Imperva Logo.gif]]<br>[[Image:Aspect logo owasp.jpg|153x44px]] &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; &nbsp; &nbsp;&nbsp;&nbsp;&nbsp; [[Image:AppSecDC2009-Sponsor-aod.gif]]&nbsp;&nbsp; &nbsp; &nbsp;&nbsp; [[Image:Mavituna.jpg]] <br />
<br />
<br>[[Image:Sponsors-radware.jpg]] &nbsp;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; [[Image:Denim Group Logo.gif|133x61px]] &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;&nbsp;&nbsp; [[Image:Rapid7.png|229x40px]] <br />
<br />
<br> <br />
<br />
= Organizational Sponsors =<br />
<br />
[[Image:Eccouncil.jpg|759x59px]] &nbsp; &nbsp;&nbsp; [[Image:ISSA-LA icon.jpg]] &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;[[Image:ISSA-OC.jpg|179x57px]] <br />
<br />
=== ===<br />
<br />
==== REGISTER NOW ====<br />
<br />
Click [http://www.appsecusa.org/register-now.html here]&nbsp; for registration information. <br> <br />
<br />
[http://www.appsecusa.org/register-now.html http://www.appsecusa.org/register-now.html] <br />
<br />
<headertabs /> <br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_USA]]</div>Manopaulhttps://wiki.owasp.org/index.php?title=Manoranjan_(Mano)_Paul&diff=87924Manoranjan (Mano) Paul2010-08-24T18:40:05Z<p>Manopaul: </p>
<hr />
<div>[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Shark Researcher turned Security Guru!</b><br><br />
<b>Manoranjan (Mano) Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP, SSCP, CSSLP and the BCI certificate. <br />
<br />
Before SecuRisk Solutions and Express Certifications, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His information security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. He is a member and chair of the OWASP Global Education Committee and actively participates in OWASP speaking, training and leadership events. He is also the appointed Software Assurance Advisor for (ISC)<sup>2</sup>, representing and advising the organization on software assurance strategy, training, education and certification. He is an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter. <br />
<br />
Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, TRISC and SC World Congress conferences. He is the author of the Official (ISC)<sup>2</sup> Guide to the Certified Secure Software Lifecycle Professional (CSSLP<sup>CM</sup>), contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN).<br />
<br />
Mano is married to whom he calls the “most wonderful and sacrificial person in this world” - Sangeetha Johnson and their greatest fulfillment comes from spending time with the son – Reuben A Paul (RAP).</div>Manopaulhttps://wiki.owasp.org/index.php?title=AppSec_Brasil_2010&diff=87923AppSec Brasil 20102010-08-24T18:37:36Z<p>Manopaul: /* Mano Paul */</p>
<hr />
<div>__NOTOC__ <br />
<br />
[[Image:LogoAppSecBrazil.002.jpg|center]] <br />
<br />
'''Para a versão em português, veja em [[AppSec Brasil 2010 (pt-br)]]''' <br />
<br />
= OWASP AppSec Brasil 2010 =<br />
<br />
The Second Edition of OWASP's flagship conference in South America will happen in Campinas, SP, Brazil. The Conference consists of two days of training sessions, followed by a two-day conference on a single track. <br />
<center><br />
[[Image:AppSec Brasil 2010 Campinas.jpg|500px]] <br />
</center> <br />
== Conference Dates ==<br />
<br />
The conference will happen from '''November 16th, 2010 to November 19th, 2010'''. The first two days will be tutorial days (see below). Plenary sessions will be held on November 18th and 19th. <br />
<br />
<br />
<br> <br />
<br />
==== About ====<br />
<br />
== About the conference ==<br />
<br />
Following the success of the first AppSec Brasil, held in Brasilia in 2009, the OWASP Brazilian Chapter is organizing its second edition in 2010. AppSec Brasil 2010 will happen in the city of Campinas, located 90 km from São Paulo. <br />
<br />
Campinas is the 3rd biggest city in the State of São Paulo and is an important economic center and hosts major universities and research centers. It is known to concentrate several high tech industries, including important multi-national companies in the fields of electronics, telecom and chemicals. <br />
<br />
This year, we expect to gather a number of Brazilian and Latin American practitioners and researchers to share state-of-the-art information about application security. <br />
<br />
==== Calls ====<br />
<pre><br />
**DEADLINE EXTENDED - 23 August**<br />
**OWASP APPSEC BRASIL 2010**<br />
**CALL FOR PRESENTATIONS**<br />
<br />
Colleagues,<br />
<br />
OWASP is currently soliciting presentations for the OWASP AppSec Brasil<br />
2010 Conference that will take<br />
place at CPqD Foundation in Campinas, SP, Brazil on November 16th<br />
through 19th, 2010. There will be<br />
training courses on November 16th and 17th followed by plenary sessions<br />
on the 18th and 19th with each<br />
day having one single track.<br />
<br />
We are seeking people and organizations that want to present on any of<br />
the following topics (in no particular order):<br />
- - Application Threat Modeling<br />
- - Business Risks with Application Security<br />
- - Hands-on Source Code Review<br />
- - Metrics for Application Security<br />
- - OWASP Tools and Projects<br />
- - Privacy Concerns with Applications and Data Storage<br />
- - Secure Coding Practices (J2EE/.NET)<br />
- - Starting and Managing Secure Development Lifecycle Programs<br />
- - Technology specific presentations on security such as AJAX, XML, etc<br />
- - Web Application Security countermeasures<br />
- - Web Application Security Testing<br />
- - Web Services-, XML- and Application Security<br />
- - Anything else relating to OWASP and Application Security<br />
<br />
To make a submission you must fill out the form available<br />
at http://www.owasp.org/images/f/f7/OWASP_AppSec_Brasil_2010_CFP.rtf.zip<br />
and submit<br />
through the easychair conference interface at<br />
http://www.easychair.org/conferences/?conf=appsecbr2010<br />
<br />
Each presenter will have 45 minutes for the presentation, followed by 10<br />
minutes reserved for<br />
questions from the audience. The presentations must respect the<br />
restrictions of the OWASP Speaker Agreement.<br />
<br />
**Important Dates:**<br />
Submission deadline is August 23, 2010 at 11:59 PM (UTC/GMT -3).<br />
Notification of acceptance is September 8, 2010.<br />
Presentation slides are due September 30, 2010.<br />
<br />
The conference organization team may be contacted by email at<br />
organizacao2010 (at) appsecbrasil.org<br />
<br />
For more information, please see the following web pages:<br />
<br />
Conference Website:<br />
https://www.owasp.org/index.php/AppSec_Brasil_2010<br />
<br />
OWASP Speaker Agreement:<br />
http://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
OWASP Website:<br />
http://www.owasp.org<br />
<br />
Easychair conference site:<br />
http://www.easychair.org/conferences/?conf=appsecbr2010<br />
<br />
Presentation proposal form:<br />
http://www.owasp.org/images/f/f7/OWASP_AppSec_Brasil_2010_CFP.rtf.zip<br />
<br />
********** WARNING: Submissions without the information requested in the<br />
proposal form will not be considered ************<br />
<br />
Please forward to all interested practitioners and colleagues<br />
<br />
</pre> <br />
<br />
<br />
== Call for training providers ==<br />
<pre>**OWASP APPSEC BRASIL 2010**<br />
**CALL FOR TRAINING SESSIONS**<br />
<br />
Colleagues,<br />
<br />
OWASP is currently soliciting training proposals for the OWASP<br />
AppSec Brazil 2010 Conference which will take place at Fundação CPqD<br />
in Campinas, SP, Brazil, on November 16 through November 19, 2010.<br />
There will be training courses on November 16 and 17 followed by<br />
plenary sessions on the 18 and 19 with one single track per day.<br />
<br />
We are seeking training proposals on the following topics (in no<br />
particular order):<br />
- Application Threat Modeling - Business Risks with Application Security<br />
- Hands-on Source Code Review<br />
- Metrics for Application Security<br />
- OWASP Tools and Projects<br />
- Privacy Concerns with Applications and Data Storage<br />
- Secure Coding Practices (J2EE/.NET)<br />
- Starting and Managing Secure Development Lifecycle Programs<br />
- Technology specific presentations on security such as AJAX, XML, etc<br />
- Web Application Security countermeasures<br />
- Web Application Security Testing<br />
- Web Services, XML- and Application Security<br />
- Anything else relating to OWASP and Application Security<br />
<br />
Proposals on topics not listed above but related to the conference<br />
(i.e. which are related to Application Security) may also be accepted.<br />
<br />
To make a submission you must fill out the form available at<br />
http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip<br />
and submit by email to organizacao2010@appsecbrasil.org<br />
<br />
There may be 1 or 2-day courses. The proposals must respect the<br />
restrictions of the OWASP Speaker Agreement. The conference will<br />
reward trainers with at least 30% of the total revenue of their<br />
courses, based on a minimum attendance. Courses that attract more<br />
students may be granted higher percentages. No other compensation<br />
(such as tickets or lodging) will be provided. If you require a<br />
different arrangement, please contact the conference chair at the<br />
email address below.<br />
<br />
**Compensation**<br />
Instructors and authors will be paid based on the number of students<br />
in their training sessions. If the training gathers only the minimum<br />
number of students, the compensation will be 30% of the revenue. For<br />
each group of 10 extra students enrolled, the compensation will be<br />
increased by 5% of the revenue, up to a maximum of 45% of the training<br />
revenue. For example, a 1-day training with 10 to 19 students will<br />
generate a compensation of 30% of the revenue. For classes of 20 to 29<br />
students, the compensation raises to 35% percent of the revenue.<br />
<br />
In exceptional cases, different compensation schemes may be accepted.<br />
Please contact the conference organization team by email<br />
(organizacao2010@appsecbrasil.org) for details.<br />
<br />
**Training cost**<br />
1-day training: R$ 450 per student<br />
2-day training: R$ 900 per student<br />
All prices in Brazilian Reais (BRL)<br />
<br />
**Minimum number of students**<br />
1-day trainings: 10 students<br />
2-day trainings: 20 students<br />
<br />
**Important Dates:**<br />
Submission deadline is July 26, 2010, at 11:59 PM (UTC/GMT-3).<br />
Notification of acceptance will be August 16, 2010.<br />
Final version is due September 15, 2010.<br />
<br />
The conference organization team may be contacted by email at<br />
organizacao2010 (at) appsecbrasil.org<br />
<br />
For more information, please see the following web pages:<br />
Conference Website: https://www.owasp.org/index.php/AppSec_Brasil_2010<br />
OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement<br />
OWASP Website: http://www.owasp.org<br />
Easychair conference site:<br />
http://www.easychair.org/conferences/?conf=appsecbr2010<br />
Presentation proposal form:<br />
http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip<br />
<br />
********** WARNING: Submissions without all the information requested<br />
in the proposal form will not be considered ************<br />
<br />
</pre> <br />
<br />
<br />
==== Sponsorship ====<br />
<br />
We are currently soliciting sponsors for the AppSec Brasil 2010 Conference. Detailed [[Media:OWASP_-_Sponsorship_Opportunities_-_EN_V.1.2.pdf|sponsorship oportunities]] are now available. <br />
<br />
If you are interested in sponsoring AppSec Brasil 2010, please contact the Conference Organization Team (organizacao2010@appsecbrasil.org). <br />
<br />
== Sponsors ==<br />
<br />
<br />
== Platinum Sponsors ==<br />
{|<br />
| [[Image:AppSec Brasil 2010 CPQD.jpg|200px|link=http://www.cpqd.com.br]]<br />
|-<br />
| &nbsp;<br />
|-<br />
|} <br />
<br />
== Gold Sponsors ==<br />
{|<br />
| [[Image:LeadComm Logo Screen.jpg|150px|link=http://www.leadcomm.com.br]]<br />
| width="50" | <br><br />
| [[Image:Logo PagSeguro-Uma empresa-UOL.jpg|150px|link=http://www.pagseguro.uol.com.br]]<br />
|-<br />
| &nbsp;<br />
|-<br />
|}<br />
<br />
== Silver Sponsors ==<br />
<br><br />
<br />
=== Attendee Kit Sponsors ===<br />
{|<br />
| [[Image:Logotipo_Conviso_2009_Cor.png|150px]]<br />
| width="50" | <br><br />
| [[Image:lgClavis.png|110px|link=http://www.clavis.com.br]]<br />
|-<br />
| &nbsp;<br />
|-<br />
|}<br />
<br><br />
<br />
== Promoted by ==<br />
<center><br />
[[Image:Appsec Brasil 2010 InstitutoTuring.png]] <br />
</center> <br />
==== Keynotes ====<br />
<br />
==Robert 'Rsnake' Hansen ==<br />
<br />
[http://www.sectheory.com/ SecTheory]<br />
<br />
'''''Title:''''' '''TBD.'''<br />
<br />
'''''Bio:''''' Robert Hansen aka RSnake is the CEO and founder of SecTheory. He has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles from Sr. Security Architect and eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory board for the Intrepidus Group, previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies.<br />
<br />
Mr. Hansen wrote Detecting Malice, authors content on O'Reilly and co-authored "XSS Exploits" by Syngress publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also has briefed the DoD at the Pentagon and speaks at SourceBoston, Secure360, GFIRST/US-CERT, CSI, Toorcon, APWG, ISSA, TRISC, World OWASP/WASC conferences, SANS, Microsoft's Bluehat, Blackhat, DefCon, SecTor, BSides, Networld+Interop, and has been the keynote speaker at the New York Cyber Security Conference, NITES and OWASP Appsec Asia. Mr. Hansen is a member of Infragard, West Austin Rotary, WASC, IACSP, APWG, contributed to the OWASP 2.0 guide and is on the OWASP Connections Committee.<br />
<br />
Robert also maintains the http://ha.ckers.org website where he discuss web application security and provides lots of useful content to be used against web application attacks.<br />
<br />
== Jeremiah Grossman ==<br />
<br />
[http://www.whitehatsec.com/ WhiteHat Security] <br />
<br />
'''''Title:''''' '''TBD.''' <br />
<br />
'''''Bio:''''' Jeremiah Grossman, founder and CTO, WhiteHat Security, is a world-renowned Web security expert. A co-founder of the Web Application Security Consortium (WASC), he was named to InfoWorld's Top 25 CTOs in 2007 and is frequently quoted by business and technical media. He has authored dozens of articles and whitepapers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of "XSS Attacks: Cross Site Scripting Exploits and Defense." Grossman is also an influential blogger who offers insight and encourages open dialogue regarding Web security research and trends. Prior to WhiteHat, Grossman was an information security officer at Yahoo! <br />
<br />
<br> <br />
<br />
==== Invited Speakers ====<br />
<br />
== Samy Kamkar==<br />
<br />
'''''Title:''''' '''How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend.'''<br />
<br />
'''''Summary:''''' <br />
This includes entertaining and newly discovered attacks including PHP session<br />
prediction and random numbers (accurately guessing PHP session cookies),<br />
browser protocol confusion (turning a browser into an SMTP server), firewall and<br />
NAT penetration via Javascript (turning your router against you), remote iPhone<br />
Google Maps hijacking (iPhone penetration combined with HTTP man-in-themiddle),<br />
extracting extremely accurate geolocation information from a Web browser<br />
(not using IP geolocation), and more.<br />
<br />
'''''Bio:'''''<br />
Samy Kamkar is best known for the Samy worm, the first XSS worm,<br />
infecting over one million users on MySpace in less than 24 hours. A cofounder<br />
of Fonality, Inc., an IP PBX company, Samy previously led the<br />
development of all top-level domain name server software and systems for<br />
Global Domains International (.ws).<br />
<br />
In the past 10 years, Samy has focused on evolutionary and genetic<br />
algorithmic software development, Voice over IP software development,<br />
automated security and vulnerability research in network security, reverse<br />
engineering, and network gaming. When not strapped behind the Matrix,<br />
Samy can be found stunt driving and getting involved in local community<br />
service projects.<br />
<br />
== Mano Paul ==<br />
<br />
'''''Title:''''' '''TBD.''' <br />
<br />
'''''Bio:'''''<br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Shark Researcher turned Security Guru!</b><br><br />
<b>Manoranjan (Mano) Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP, SSCP, CSSLP and the BCI certificate. <br />
<br />
Before SecuRisk Solutions and Express Certifications, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His information security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. He is a member and chair of the OWASP Global Education Committee and actively participates in OWASP speaking, training and leadership events. He is also the appointed Software Assurance Advisor for (ISC)<sup>2</sup>, representing and advising the organization on software assurance strategy, training, education and certification. He is an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter. <br />
<br />
Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, TRISC and SC World Congress conferences. He is the author of the Official (ISC)<sup>2</sup> Guide to the Certified Secure Software Lifecycle Professional (CSSLP<sup>CM</sup>), contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN).<br />
<br />
Mano is married to whom he calls the “most wonderful and sacrificial person in this world” - Sangeetha Johnson and their greatest fulfillment comes from spending time with the son – Reuben A Paul (RAP).<br />
==== Agenda ====<br />
<br />
== Conference Program - Day 1 - November 18th 2010 ==<br />
<center><br />
{| width="80%" class="t"<br />
|-<br />
| width="14%" height="17" align="right" | 08:30 - 09:00 <br />
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''<br />
|-<br />
| width="14%" height="17" align="right" | 09:00 - 09:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Opening Ceremony'''<br />
|-<br />
| width="14%" height="49" align="right" | 09:30 - 10:30 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Dinis Cruz'''<br> About OWASP<br />
|-<br />
| width="14%" height="17" align="right" | 10:30 - 10:50 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="49" align="right" | 10:50 - 12:20 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Robert 'RSnake' Hansen'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 12:20 - 14:00 <br />
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''<br />
|-<br />
| width="14%" height="47" align="right" | 14:00 - 14:50 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="32" align="right" | 14:50 - 15:40 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="17" align="right" | 15:40 - 16:00 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="47" align="right" | 16:00 - 16:50 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="32" align="right" | 16:50 - 17:40 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="47" align="right" | 17:40 - 18:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Mano Paul'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 18:30 - 18:35 <br />
| bgcolor="#cccccc" align="CENTER" | '''End of the First Day'''<br />
|}<br />
</center> <br />
<br><br />
<br />
== Conference Program - Day 2 - November 19th 2010 ==<br />
<center><br />
{| width="80%" class="t"<br />
|-<br />
| width="14%" height="17" align="right" | 08:30 - 09:00 <br />
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''<br />
|-<br />
| width="14%" height="32" align="right" | 09:00 - 10:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Jeremiah Grossman'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 10:30 - 10:50 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="47" align="right" | 10:30 - 11:40 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="32" align="right" | 11:40 - 12:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 12:30 - 14:00 <br />
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''<br />
|-<br />
| width="14%" height="32" align="right" | 14:00 - 14:50 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Samy Kamkar'''<br> How I Met Your Girlfriend<br />
|-<br />
| width="14%" height="32" align="right" | 14:50 - 15:40 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="47" align="right" | 15:40 - 16:10 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Cel. Monclaro'''<br> Presentation of RENASIC<br />
|-<br />
| width="14%" height="17" align="right" | 16:10 - 16:30 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="32" align="right" | 16:30 - 17:20 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="47" align="right" | 17:20 - 18:10 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 18:10 - 18:30 <br />
| bgcolor="#cccccc" align="CENTER" | '''End of the Conference'''<br />
|}<br />
</center> <br />
<br> <br />
<br />
==== Trainings ====<br />
<br />
[[Image:Aspect logo.png]] <br />
<br />
=== '''Secure Coding for J2EE Applications''' ===<br />
<br />
[[Image:Jasonli appsecBR2010.jpg|frame]] '''Date and time: November 16th and 17th'''<br> '''Instructor: Jason Li'''<br> '''Summary'''<br> Training developers on secure coding practices offers one of the highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Java EE Secure Coding Training raises developer awareness of application security issues and provides examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and is delivered in a very interactive manner. This class includes hands-on exercises where the students get to perform security analysis and testing on a live Java EE web application. This specially designed environment includes deliberate flaws the students have to find, diagnose, and fix. The class also uses Java EE coding exercises to provide students with realistic hands-on secure coding experience. Students gain hands-on experience using freely available web application security test tools to find and diagnose flaws and learn to avoid them in their own code.<br> <br />
<br />
'''Audience'''<br> The intended audience for this course is intended for Java EE software developers and Java EE software testers who know how to program.<br> <br />
<br />
'''Learning Objectives'''<br> At the highest level, the objective for this course is to ensure that developers are capable of designing, building, and testing secure Java EE applications and understand why this is important.<br> <br />
<br />
'''Topics'''<br> <br />
<br />
*'''HTTP Fundamentals'''<br> <br />
**Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)<br> <br />
*'''Design Principles and Patterns'''<br> <br />
**Understand and be able to apply application security design principles.<br> <br />
*'''Threats'''<br> <br />
**Be able to identify and explain common web application security threats (e.g. , cross-site scripting, SQL injection, denial of service attacks, "Man-in-the-middle" attacks, etc.) and implement mitigation techniques.<br> <br />
*'''Authentication and Session Management'''<br> <br />
**Be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, reauthentication, and timeouts.<br> <br />
*'''Access Control'''<br> <br />
**Be able to implement access control rules for the user interface, business logic, and data layers.<br> <br />
*'''Input Validation'''<br> <br />
**Be able to recognize potential input validation issues, particularly injection and Cross-site Scripting (XSS) problems, and implement appropriate input validation mechanisms for user input and other sources of input.<br> <br />
*'''Command Injection'''<br> <br />
**Understand the dangers of command injection and techniques for avoiding the introduction of this type vulnerability.<br> <br />
*'''Error Handling'''<br> <br />
**Be able to implement a consistent error (exception) handling and logging approach for an entire web application.<br> <br />
*'''Cryptography'''<br> <br />
**Learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.<br><br />
<br />
'''Jason’s Bio'''<br> Jason is a remarkable trainer, mastering five different training courses within a year’s time to our most valuable longstanding but diverse clients. The client base included a large financial institution, several leading shipping and logistics Management Company, and a leading Government systems integrator.<br> <br />
<br />
Jason has also taught Advanced Web Application Security Testing and Building Secure Web Applications classes at OWASP 2008 conferences in Belgium and India.<br> <br />
<br />
Common remarks returned from Jason’s class evaluations include '''“This is probably one of the most important classes I‘ve been exposed to here”''' and '''“One of the best instructors I’ve ever had. Really knowledgeable of the subject. Kept class interested by sharing real life examples that depicted good scenarios”'''<br><br />
<br />
<br />
== Using the OWASP ESAPI security API to provide security to web applications ==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> Tutorial in Portuguese. </span>'''<br />
<br />
'''Date and time: November 16th (9AM to 6PM)'''<br> '''Instructor: Tarcizio Vieira Neto'''<br> <br />
<br />
'''Summary'''<br />
<br />
The evolution of technology in the development of web applications has contributed to a significant increase in the use of this technology to meet the most diverse purposes. However, this technology is subject to critical security vulnerabilities, especially when recent research show that most vulnerabilities are present in the application itself. OWASP's ESAPI library (Enterprise Security API) appears in this scenario as an open source security library available for several languages such as Java EE, PHP,. NET, Classic ASP, Python, Ruby, among others. This short course addresses the vulnerabilities caused by common errors in applications development and security control mechanisms provided by ESAPI with focus on Java technology. The general principles learned in the course can be applied in the context of other programming languages.<br />
<br />
'''Target audience'''<br />
<br />
The desired profile of the audience are people connected to the area of web application development and security, having as a basic pre-requisite knowledge in web technologies, communication protocols HTTP and HTTPS, basic principles of security: encryption, hashing and digital signature, Java programming for Web systems.<br />
<br />
<br />
'''Learning objectives'''<br />
<br />
* Know the main security vulnerabilities commonly found in Web applications<br />
* Present the architecture of the ESAPI library and the operation of its modules with examples in Java.<br />
* Present Web Application Firewall component of ESAPI.<br />
<br />
<br />
'''Tópic'''<br />
<br />
# Introduction<br />
# # Myths related to security in Web applications<br />
# # OWASP Project<br />
# OWASP Top 10<br />
# OWASP ESAPI Library<br />
# # Validation and Encoding Module<br />
# # Authentication Module<br />
# # Access Control Module<br />
# # HTTP Utilities Module<br />
# # Access references module<br />
# # Cryptographic Module<br />
# # Log Module<br />
# # Intrusion Detection Module<br />
# # integrating the AppSensor module with ESAPI<br />
# # Using Filters<br />
# # Configuring ESAPI<br />
# # Web Application Firewall Module<br />
# Benefits of Using ESAPI<br />
# Conclusions<br />
<br />
<br />
'''Instructor'''<br />
<br />
Tarcízio Vieira Neto has a degree in Computer Science from Universidade Federal de Goiás (UFG), in Goiania. He began his career as an intern developer on a project of technology initiation funded by CNPq in the company Estratégia, in Goiania. After graduating he worked for six months at the company Fibonacci Soluções Ágeis in the same city, as a development analyst. Then worked for two years and eight months as a Brazilian Air Force officer as a systems analyst in the Air Force Computer Center in Brasilia, where he gained experience with the technologies of digital certification and collaborated in the development of an enterprise electronic document management system.<br />
<br />
Currently working at SERPRO since November 2009 as an Analyst in CETEC, working on software development security, dedicated primarily in writing guidelines that standardize techniques and tools tho support security in Web applications development<br />
<br />
He is attending a specialization course in Information Security from University of Brasília (UnB) and has altogether more than five years of programming experience in Java.<br />
<br />
<br />
==The Art and Science of Threat Modeling Web Applications==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> This tutorial is in English without translation. </span>''' <br />
<br />
'''Date and Time: November 17 (9AM to 6PM)'''<br> '''Instructor: Mano Paul'''<br><br />
<br />
'''Summary'''<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk. <br />
<br />
<br />
'''Target udience'''<br />
<br />
The target audience is made of technical staff and management of system development organizations, with no required knowledge of languages or specific programming techniques.<br />
<br />
<br />
'''Learning Objectives'''<br />
<br />
# Understand Threat Modeling; when to threat model and when not too<br />
# Translation of threats to risks for the organization<br />
# Have fun learning complex concepts with exercises and interactive games<br />
<br />
<br />
'''Topic'''<br />
<br />
# Introduction <br />
# Why Threat Model? <br />
# Is Threat Modeling Right for You? <br />
# Challenges <br />
# Precursors <br />
# Data Classification and Threat Modeling <br />
# Web Application Security Mechanisms <br />
# Benefits of Threat Modeling <br />
# Common Glossary of Terms <br />
# Threat Agents <br />
# OWASP Top 10 and common application attacks<br />
# Threat Modeling Process <br />
# Attack Trees <br />
# Threat and Risk Frameworks e.g., STRIDE and DREAD <br />
# Threat to Risk translation<br />
# Threat Modeling (Hands-On Exercise)<br />
<br />
<br />
'''Instructor'''<br />
<br />
Manoranjan (Mano) Paul is the Software Assurance Advisor for (ISC)2. His information security and software assurance experience includes designing and developing security programs from compliance-to-coding, security in the SDLC, writing secure code, risk management, security strategy, and security awareness training and education. He founded and serves as the CEO & President of Express Certifications. He also founded SecuRisk Solutions, a company that specializes in security product development and consulting.<br />
<br />
<br />
== Security in Service-oriented architectures ==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> Tutorial in Portuguese. </span>'''<br />
<br />
'''Date and time: Nov 17 (9AM to 6PM)'''<br> '''Instructors: Douglas Rodrigues, Julio Cesar Estrella e Nuno Manuel dos Santos Antunes'''<br> <br />
<br />
'''Summary'''<br />
<br />
Web services are the cornerstone of Service-Oriented Architectures (SOA). As critical components of business, Web services must provide high security. However, the deployment of secure Web services is a complex task. In fact, several studies show that a large number of Web Services are deployed with security breaches ranging from code vulnerabilities (eg vulnerabilities that allow code injection, including SQL injection and XPath injection) to the incorrect use of standards and security protocols. The aim of this short course is to present the theoretical and practical tools that allow the detection of vulnerabilities and security protocols and mechanisms against attacks.<br />
<br />
<br />
'''Público Alvo'''<br />
<br />
The target audience is composed of technical staff and operational systems development organizations with requirements for knowledge of languages and programming methodologies at the intermediate level.<br />
<br />
'''Learning Objectives'''<br />
<br />
The proposed short course contributes to add new technological trends. The theme is quite interesting in relation to the great challenges of research in computing, since it fits naturally within the technological development of quality, encompassing making systems available, accurate, secure, scalable, persistent and ubiquitous, and notoriously, observing the conference area, which SOA, Web services and security are the subject of growing research in computing, as it is current and of interest to the academic community, as well as professionals who work in the labor market. The interest in SOA has grown in recent years because it is an approach that helps the system to remain flexible and scalable as they grow, and can also help to resolve the gap business / IT. Students and professionals will have the opportunity to understand the basics of vulnerability detection code level and also to detect attacks between protocols and mechanisms. The idea is that participants can use the knowledge gained in this brief short course for the development of distributed applications using Web services secure and obtain knowledge needed to diagnose and prevent attacks on this type of application.<br />
<br />
'''Topics'''<br />
<br />
#SECURITY STANDARDS AND PROTOCOLS FOR WEB SERVICES<br />
#ATTACKS IN WEB SERVICES<br />
## Denial of Service Attacks<br />
## Attacks Brute Force<br />
## Spoofing Attacks<br />
## Flooding Attacks<br />
## Injection Attacks<br />
#EVALUATING SECURITY IN WEB SERVICES<br />
## Case Study on security in Web Services<br />
## "white box" analysis<br />
## "Black-box" testing<br />
## "Gray-box" testing<br />
## Case study on the effectiveness of tools for security assessment<br />
<br />
'''Instructors'''<br />
<br />
Julio Cesar Estrella - Master in Computer Science and Computational Mathematics, in the area of Distributed Systems (Institute of Mathematical Sciences and Computer ICMC / University of São Paulo - USP). During the Masters, worked with simulated queuing network in a project related to the development of negotiation techniques in models of web servers with service differentiation. Ph.D. in Computer Science and Computational Mathematics (Institute of Mathematical Sciences and Computer ICMC / University of São Paulo - USP). The theme of his doctoral thesis was about service-oriented architectures to support QoS and characterization of workloads for Web Services Composition and Service also supports Quality of Service. He is currently a professor at the Federal Technological University of Paraná (UTFPR - Campo Mourão)<br />
<br />
Douglas Rodrigues - Master in Computer Science and Computational Mathematics from Institute of Mathematics and Computer Science, University of São Paulo - ICMC-USP/São Carlos. Bachelor of Computer Science from University Euripides Marília - Univ - Marília / SP. Works on the following subjects: SOA, Web Services, performance evaluation, encryption and security.<br />
<br />
Nuno dos Santos Antunes - attended from 2003 to 2007, the Computer Engineering program, University of Coimbra. Since 2008, carries out scientific research in the group of Software and Systems Engineering (SSE) Center for Informatics and Systems University of Coimbra (CISUC), on topics related to methodologies and tools for developing Web Services without vulnerabilities. Concluded in 2009 a Masters in Computer Engineering from the Department of Computer Engineering, University of Coimbra, with the final rating of Very Good. In 2009 he began his PhD in Sciences and Information Technology. He published five scientific papers in conferences with the process of rigorous peer review, including articles in the most prestigious conferences in the areas of reliability and services.<br />
<br />
<br />
==Black-Box & White-Box ASP.NET Security Reviews using the OWASP O2 Platform==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> Thsi tutorial will be in Portuguese with materials in English </span>'''<br />
<br />
'''Date and time: November 16th (9AM to 6 PM)'''<br> '''Instructor: Dinis Cruz'''<br><br />
<br />
'''Summary'''<br />
<br />
This is a hands-on Training course on how to use the OWASP O2 Platform to perform both Black-Box and White-Box security reviews on ASP.NET Web Applications<br />
<br />
The course is designed for security consultants/developers who are responsible for performing Penetration Tests or Security Code Reviews. The course will show practical examples of how to use the OWASP O2 Platform to find, exploit and document security vulnerabities.<br />
<br />
For the course's labs, a number of test and real-world applications/frameworks will be used. In order to give the students a benign test enviroment which is easy to replicate, the (vulnerable-by-design) HacmeBank ASP.NET banking application will be used throughout the course.<br />
<br />
'''Topics'''<br />
<br />
* What is the OWASP O2 Platform and how to use it?<br />
* Using O2's Unit Tests for web exploration and browsing<br />
* Using O2's Unit Tests for web exploitation<br />
* Understanding and using O2's Web Automation Tools to find and exploit vulnerabilities in HacmeBank (Black-Box)<br />
* Understanding and using O2's AST .NET Scanner to find vulnerabilities in HacmeBank (White-Box)<br />
* Connecting the source-code traces with the web exploits to create a unified view of the vulnerabilties<br />
* Create 'Vulnerability-driven Unit Tests' to be delivered to Developers, QA/Testers and Managers<br />
* Customizing and writing new APIs (for new or modified frameworks)<br />
* Using O2 to consume results from open source tools and 3rd party commercial vendors<br />
* Case Study: Microsoft ASP.NET MVC<br />
* Case Study: Microsoft Sharpoint<br />
<br />
<br />
'''Instructor'''<br />
<br />
The course is delivered by Dinis Cruz who the lead developer of the OWASP O2 Platform and has created and delivered a number of .NET Security training courses<br />
<br />
== Location ==<br />
<br />
Please check the ''Venue'' tab in this page.<br />
<br />
==== Venue ====<br />
<br />
The event will be held in Campinas, SP, Brazil at: [http://www.cpqd.com.br Fundação CPQD]. <br />
<br />
You can check the location at [http://maps.google.com.br/maps/ms?source=embed&hl=pt-BR&geocode=&ie=UTF8&update=1&t=h&msa=0&msid=104978801628275418750.000462bf2d1a49a7571af&ll=-22.83125,-47.044315&spn=0.03718,0.04034&z=14 Google Maps] <br />
<br />
''How to get there'' <br />
<br />
TBD <br />
<br />
==== Registration ====<br />
<br />
== Online Registration ==<br />
<br />
Registration form is available at https://creator.zoho.com/lucas.ferreira/appsec/<br />
<br />
== Conference Fees ==<br />
<br />
'''Access to conference:'''<br />
<br />
* Before Sep 16th: 400.00 BRL<br />
* Before Oct 16th: 500.00 BRL<br />
* Before Nov 12th: 550.00 BRL<br />
* On site: 600.00 BRL<br />
<br />
On site registration subject to the availability of seats.<br />
<br />
'''Trainings'''<br />
<br />
* One day: 450.00 BRL<br />
* Two days: 900.00 BRL<br />
<br />
'''Discounts'''<br />
<br />
* OWASP Member: 100.00 BRL (Note: This discount is greater than the OWASP USD 50.00 annual fee. Check [http://www.google.com.br/#q=50+usd+in+brl&fp=1 here]<br />
* Student: 100.00 BRL (Note: student ID required).<br />
<br />
==== Committees ====<br />
<br />
== Conference Committee ==<br />
<br />
OWASP Global Conferences Committee Chair: Mark Bristow <br />
<br />
OWASP [[Brazilian]] Chapter Leader: Wagner Elias <br />
<br />
AppSec Brasil 2010 Organization Team (organizacao2010 at appsecbrasil.org): <br />
<br />
*Conference General Chair: Lucas C. Ferreira <br />
*Tutorials Chair: Eduardo Camargo Neves <br />
*Tracks Chair: Luiz Otávio Duarte <br />
*Local Chair: Alexandre Melo Braga<br />
<br />
=== Team Members ===<br />
<br />
*Alexandre Melo Braga <br />
*Eduardo Camargo Neves <br />
*Lucas C. Ferreira <br />
*Luiz Otávio Duarte <br />
*Wagner Elias <br />
*Eduardo Alves Nonato da Silva <br />
*Leonardo Buonsanti <br />
*Dinis Cruz <br />
*Paulo Coimbra<br />
<br />
<br />
== Programme Committee:==<br />
* Alexandre Braga<br />
* Carlos Serrao<br />
* Eduardo alves<br />
* Fernando Cima<br />
* Leonardo Buonsanti<br />
* Lucas Ferreira<br />
* Luiz Duarte<br />
* Nelson Uto<br />
* Rodrigo Rubira<br />
* Wagner Elias<br />
<br />
<br> <br> <br />
<br />
==== Travel ====<br />
<br />
TBD <br />
<br />
==== Links ====<br />
<br />
Blog: http://blog.appsecbrasil.org <br />
<br />
Twitter: http://twitter.com/owaspappsecbr <br />
<br />
Banner: http://www.owasp.org/images/3/31/AppSec_Brasil_2010_Banner.gif<br />
<br />
<br> <headertabs /> <br />
<br />
[[Category:OWASP_AppSec_Conference]]</div>Manopaulhttps://wiki.owasp.org/index.php?title=AppSec_Brasil_2010&diff=87922AppSec Brasil 20102010-08-24T18:36:29Z<p>Manopaul: /* Mano Paul */</p>
<hr />
<div>__NOTOC__ <br />
<br />
[[Image:LogoAppSecBrazil.002.jpg|center]] <br />
<br />
'''Para a versão em português, veja em [[AppSec Brasil 2010 (pt-br)]]''' <br />
<br />
= OWASP AppSec Brasil 2010 =<br />
<br />
The Second Edition of OWASP's flagship conference in South America will happen in Campinas, SP, Brazil. The Conference consists of two days of training sessions, followed by a two-day conference on a single track. <br />
<center><br />
[[Image:AppSec Brasil 2010 Campinas.jpg|500px]] <br />
</center> <br />
== Conference Dates ==<br />
<br />
The conference will happen from '''November 16th, 2010 to November 19th, 2010'''. The first two days will be tutorial days (see below). Plenary sessions will be held on November 18th and 19th. <br />
<br />
<br />
<br> <br />
<br />
==== About ====<br />
<br />
== About the conference ==<br />
<br />
Following the success of the first AppSec Brasil, held in Brasilia in 2009, the OWASP Brazilian Chapter is organizing its second edition in 2010. AppSec Brasil 2010 will happen in the city of Campinas, located 90 km from São Paulo. <br />
<br />
Campinas is the 3rd biggest city in the State of São Paulo and is an important economic center and hosts major universities and research centers. It is known to concentrate several high tech industries, including important multi-national companies in the fields of electronics, telecom and chemicals. <br />
<br />
This year, we expect to gather a number of Brazilian and Latin American practitioners and researchers to share state-of-the-art information about application security. <br />
<br />
==== Calls ====<br />
<pre><br />
**DEADLINE EXTENDED - 23 August**<br />
**OWASP APPSEC BRASIL 2010**<br />
**CALL FOR PRESENTATIONS**<br />
<br />
Colleagues,<br />
<br />
OWASP is currently soliciting presentations for the OWASP AppSec Brasil<br />
2010 Conference that will take<br />
place at CPqD Foundation in Campinas, SP, Brazil on November 16th<br />
through 19th, 2010. There will be<br />
training courses on November 16th and 17th followed by plenary sessions<br />
on the 18th and 19th with each<br />
day having one single track.<br />
<br />
We are seeking people and organizations that want to present on any of<br />
the following topics (in no particular order):<br />
- - Application Threat Modeling<br />
- - Business Risks with Application Security<br />
- - Hands-on Source Code Review<br />
- - Metrics for Application Security<br />
- - OWASP Tools and Projects<br />
- - Privacy Concerns with Applications and Data Storage<br />
- - Secure Coding Practices (J2EE/.NET)<br />
- - Starting and Managing Secure Development Lifecycle Programs<br />
- - Technology specific presentations on security such as AJAX, XML, etc<br />
- - Web Application Security countermeasures<br />
- - Web Application Security Testing<br />
- - Web Services-, XML- and Application Security<br />
- - Anything else relating to OWASP and Application Security<br />
<br />
To make a submission you must fill out the form available<br />
at http://www.owasp.org/images/f/f7/OWASP_AppSec_Brasil_2010_CFP.rtf.zip<br />
and submit<br />
through the easychair conference interface at<br />
http://www.easychair.org/conferences/?conf=appsecbr2010<br />
<br />
Each presenter will have 45 minutes for the presentation, followed by 10<br />
minutes reserved for<br />
questions from the audience. The presentations must respect the<br />
restrictions of the OWASP Speaker Agreement.<br />
<br />
**Important Dates:**<br />
Submission deadline is August 23, 2010 at 11:59 PM (UTC/GMT -3).<br />
Notification of acceptance is September 8, 2010.<br />
Presentation slides are due September 30, 2010.<br />
<br />
The conference organization team may be contacted by email at<br />
organizacao2010 (at) appsecbrasil.org<br />
<br />
For more information, please see the following web pages:<br />
<br />
Conference Website:<br />
https://www.owasp.org/index.php/AppSec_Brasil_2010<br />
<br />
OWASP Speaker Agreement:<br />
http://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
OWASP Website:<br />
http://www.owasp.org<br />
<br />
Easychair conference site:<br />
http://www.easychair.org/conferences/?conf=appsecbr2010<br />
<br />
Presentation proposal form:<br />
http://www.owasp.org/images/f/f7/OWASP_AppSec_Brasil_2010_CFP.rtf.zip<br />
<br />
********** WARNING: Submissions without the information requested in the<br />
proposal form will not be considered ************<br />
<br />
Please forward to all interested practitioners and colleagues<br />
<br />
</pre> <br />
<br />
<br />
== Call for training providers ==<br />
<pre>**OWASP APPSEC BRASIL 2010**<br />
**CALL FOR TRAINING SESSIONS**<br />
<br />
Colleagues,<br />
<br />
OWASP is currently soliciting training proposals for the OWASP<br />
AppSec Brazil 2010 Conference which will take place at Fundação CPqD<br />
in Campinas, SP, Brazil, on November 16 through November 19, 2010.<br />
There will be training courses on November 16 and 17 followed by<br />
plenary sessions on the 18 and 19 with one single track per day.<br />
<br />
We are seeking training proposals on the following topics (in no<br />
particular order):<br />
- Application Threat Modeling - Business Risks with Application Security<br />
- Hands-on Source Code Review<br />
- Metrics for Application Security<br />
- OWASP Tools and Projects<br />
- Privacy Concerns with Applications and Data Storage<br />
- Secure Coding Practices (J2EE/.NET)<br />
- Starting and Managing Secure Development Lifecycle Programs<br />
- Technology specific presentations on security such as AJAX, XML, etc<br />
- Web Application Security countermeasures<br />
- Web Application Security Testing<br />
- Web Services, XML- and Application Security<br />
- Anything else relating to OWASP and Application Security<br />
<br />
Proposals on topics not listed above but related to the conference<br />
(i.e. which are related to Application Security) may also be accepted.<br />
<br />
To make a submission you must fill out the form available at<br />
http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip<br />
and submit by email to organizacao2010@appsecbrasil.org<br />
<br />
There may be 1 or 2-day courses. The proposals must respect the<br />
restrictions of the OWASP Speaker Agreement. The conference will<br />
reward trainers with at least 30% of the total revenue of their<br />
courses, based on a minimum attendance. Courses that attract more<br />
students may be granted higher percentages. No other compensation<br />
(such as tickets or lodging) will be provided. If you require a<br />
different arrangement, please contact the conference chair at the<br />
email address below.<br />
<br />
**Compensation**<br />
Instructors and authors will be paid based on the number of students<br />
in their training sessions. If the training gathers only the minimum<br />
number of students, the compensation will be 30% of the revenue. For<br />
each group of 10 extra students enrolled, the compensation will be<br />
increased by 5% of the revenue, up to a maximum of 45% of the training<br />
revenue. For example, a 1-day training with 10 to 19 students will<br />
generate a compensation of 30% of the revenue. For classes of 20 to 29<br />
students, the compensation raises to 35% percent of the revenue.<br />
<br />
In exceptional cases, different compensation schemes may be accepted.<br />
Please contact the conference organization team by email<br />
(organizacao2010@appsecbrasil.org) for details.<br />
<br />
**Training cost**<br />
1-day training: R$ 450 per student<br />
2-day training: R$ 900 per student<br />
All prices in Brazilian Reais (BRL)<br />
<br />
**Minimum number of students**<br />
1-day trainings: 10 students<br />
2-day trainings: 20 students<br />
<br />
**Important Dates:**<br />
Submission deadline is July 26, 2010, at 11:59 PM (UTC/GMT-3).<br />
Notification of acceptance will be August 16, 2010.<br />
Final version is due September 15, 2010.<br />
<br />
The conference organization team may be contacted by email at<br />
organizacao2010 (at) appsecbrasil.org<br />
<br />
For more information, please see the following web pages:<br />
Conference Website: https://www.owasp.org/index.php/AppSec_Brasil_2010<br />
OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement<br />
OWASP Website: http://www.owasp.org<br />
Easychair conference site:<br />
http://www.easychair.org/conferences/?conf=appsecbr2010<br />
Presentation proposal form:<br />
http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip<br />
<br />
********** WARNING: Submissions without all the information requested<br />
in the proposal form will not be considered ************<br />
<br />
</pre> <br />
<br />
<br />
==== Sponsorship ====<br />
<br />
We are currently soliciting sponsors for the AppSec Brasil 2010 Conference. Detailed [[Media:OWASP_-_Sponsorship_Opportunities_-_EN_V.1.2.pdf|sponsorship oportunities]] are now available. <br />
<br />
If you are interested in sponsoring AppSec Brasil 2010, please contact the Conference Organization Team (organizacao2010@appsecbrasil.org). <br />
<br />
== Sponsors ==<br />
<br />
<br />
== Platinum Sponsors ==<br />
{|<br />
| [[Image:AppSec Brasil 2010 CPQD.jpg|200px|link=http://www.cpqd.com.br]]<br />
|-<br />
| &nbsp;<br />
|-<br />
|} <br />
<br />
== Gold Sponsors ==<br />
{|<br />
| [[Image:LeadComm Logo Screen.jpg|150px|link=http://www.leadcomm.com.br]]<br />
| width="50" | <br><br />
| [[Image:Logo PagSeguro-Uma empresa-UOL.jpg|150px|link=http://www.pagseguro.uol.com.br]]<br />
|-<br />
| &nbsp;<br />
|-<br />
|}<br />
<br />
== Silver Sponsors ==<br />
<br><br />
<br />
=== Attendee Kit Sponsors ===<br />
{|<br />
| [[Image:Logotipo_Conviso_2009_Cor.png|150px]]<br />
| width="50" | <br><br />
| [[Image:lgClavis.png|110px|link=http://www.clavis.com.br]]<br />
|-<br />
| &nbsp;<br />
|-<br />
|}<br />
<br><br />
<br />
== Promoted by ==<br />
<center><br />
[[Image:Appsec Brasil 2010 InstitutoTuring.png]] <br />
</center> <br />
==== Keynotes ====<br />
<br />
==Robert 'Rsnake' Hansen ==<br />
<br />
[http://www.sectheory.com/ SecTheory]<br />
<br />
'''''Title:''''' '''TBD.'''<br />
<br />
'''''Bio:''''' Robert Hansen aka RSnake is the CEO and founder of SecTheory. He has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles from Sr. Security Architect and eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory board for the Intrepidus Group, previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies.<br />
<br />
Mr. Hansen wrote Detecting Malice, authors content on O'Reilly and co-authored "XSS Exploits" by Syngress publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also has briefed the DoD at the Pentagon and speaks at SourceBoston, Secure360, GFIRST/US-CERT, CSI, Toorcon, APWG, ISSA, TRISC, World OWASP/WASC conferences, SANS, Microsoft's Bluehat, Blackhat, DefCon, SecTor, BSides, Networld+Interop, and has been the keynote speaker at the New York Cyber Security Conference, NITES and OWASP Appsec Asia. Mr. Hansen is a member of Infragard, West Austin Rotary, WASC, IACSP, APWG, contributed to the OWASP 2.0 guide and is on the OWASP Connections Committee.<br />
<br />
Robert also maintains the http://ha.ckers.org website where he discuss web application security and provides lots of useful content to be used against web application attacks.<br />
<br />
== Jeremiah Grossman ==<br />
<br />
[http://www.whitehatsec.com/ WhiteHat Security] <br />
<br />
'''''Title:''''' '''TBD.''' <br />
<br />
'''''Bio:''''' Jeremiah Grossman, founder and CTO, WhiteHat Security, is a world-renowned Web security expert. A co-founder of the Web Application Security Consortium (WASC), he was named to InfoWorld's Top 25 CTOs in 2007 and is frequently quoted by business and technical media. He has authored dozens of articles and whitepapers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of "XSS Attacks: Cross Site Scripting Exploits and Defense." Grossman is also an influential blogger who offers insight and encourages open dialogue regarding Web security research and trends. Prior to WhiteHat, Grossman was an information security officer at Yahoo! <br />
<br />
<br> <br />
<br />
==== Invited Speakers ====<br />
<br />
== Samy Kamkar==<br />
<br />
'''''Title:''''' '''How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend.'''<br />
<br />
'''''Summary:''''' <br />
This includes entertaining and newly discovered attacks including PHP session<br />
prediction and random numbers (accurately guessing PHP session cookies),<br />
browser protocol confusion (turning a browser into an SMTP server), firewall and<br />
NAT penetration via Javascript (turning your router against you), remote iPhone<br />
Google Maps hijacking (iPhone penetration combined with HTTP man-in-themiddle),<br />
extracting extremely accurate geolocation information from a Web browser<br />
(not using IP geolocation), and more.<br />
<br />
'''''Bio:'''''<br />
Samy Kamkar is best known for the Samy worm, the first XSS worm,<br />
infecting over one million users on MySpace in less than 24 hours. A cofounder<br />
of Fonality, Inc., an IP PBX company, Samy previously led the<br />
development of all top-level domain name server software and systems for<br />
Global Domains International (.ws).<br />
<br />
In the past 10 years, Samy has focused on evolutionary and genetic<br />
algorithmic software development, Voice over IP software development,<br />
automated security and vulnerability research in network security, reverse<br />
engineering, and network gaming. When not strapped behind the Matrix,<br />
Samy can be found stunt driving and getting involved in local community<br />
service projects.<br />
<br />
== Mano Paul ==<br />
<br />
'''''Title:''''' '''TBD.''' <br />
<br />
'''''Bio:'''''<br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Shark Researcher turned Security Guru!</b><br><br />
<b>Manoranjan (Mano) Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP, SSCP, CSSLP and the BCI certificate. <br />
<br />
Before SecuRisk Solutions and Express Certifications, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His information security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. He is a member and chair of the OWASP Global Education Committee and actively participates in OWASP speaking, training and leadership events. He is also appointed the Software Assurance Advisor for (ISC)<sup>2</sup>, representing and advising the organization on software assurance strategy, training, education and certification. He is an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter. <br />
<br />
Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, TRISC and SC World Congress conferences. He is the author of the Official (ISC)<sup>2</sup> Guide to the Certified Secure Software Lifecycle Professional (CSSLP<sup>CM</sup>), contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN).<br />
<br />
Mano is married to whom he calls the “most wonderful and sacrificial person in this world” - Sangeetha Johnson and their greatest fulfillment comes from spending time with the son – Reuben A Paul (RAP).<br />
==== Agenda ====<br />
<br />
== Conference Program - Day 1 - November 18th 2010 ==<br />
<center><br />
{| width="80%" class="t"<br />
|-<br />
| width="14%" height="17" align="right" | 08:30 - 09:00 <br />
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''<br />
|-<br />
| width="14%" height="17" align="right" | 09:00 - 09:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Opening Ceremony'''<br />
|-<br />
| width="14%" height="49" align="right" | 09:30 - 10:30 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Dinis Cruz'''<br> About OWASP<br />
|-<br />
| width="14%" height="17" align="right" | 10:30 - 10:50 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="49" align="right" | 10:50 - 12:20 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Robert 'RSnake' Hansen'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 12:20 - 14:00 <br />
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''<br />
|-<br />
| width="14%" height="47" align="right" | 14:00 - 14:50 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="32" align="right" | 14:50 - 15:40 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="17" align="right" | 15:40 - 16:00 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="47" align="right" | 16:00 - 16:50 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="32" align="right" | 16:50 - 17:40 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="47" align="right" | 17:40 - 18:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Mano Paul'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 18:30 - 18:35 <br />
| bgcolor="#cccccc" align="CENTER" | '''End of the First Day'''<br />
|}<br />
</center> <br />
<br><br />
<br />
== Conference Program - Day 2 - November 19th 2010 ==<br />
<center><br />
{| width="80%" class="t"<br />
|-<br />
| width="14%" height="17" align="right" | 08:30 - 09:00 <br />
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''<br />
|-<br />
| width="14%" height="32" align="right" | 09:00 - 10:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Jeremiah Grossman'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 10:30 - 10:50 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="47" align="right" | 10:30 - 11:40 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="32" align="right" | 11:40 - 12:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 12:30 - 14:00 <br />
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''<br />
|-<br />
| width="14%" height="32" align="right" | 14:00 - 14:50 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Samy Kamkar'''<br> How I Met Your Girlfriend<br />
|-<br />
| width="14%" height="32" align="right" | 14:50 - 15:40 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="47" align="right" | 15:40 - 16:10 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Cel. Monclaro'''<br> Presentation of RENASIC<br />
|-<br />
| width="14%" height="17" align="right" | 16:10 - 16:30 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="32" align="right" | 16:30 - 17:20 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="47" align="right" | 17:20 - 18:10 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 18:10 - 18:30 <br />
| bgcolor="#cccccc" align="CENTER" | '''End of the Conference'''<br />
|}<br />
</center> <br />
<br> <br />
<br />
==== Trainings ====<br />
<br />
[[Image:Aspect logo.png]] <br />
<br />
=== '''Secure Coding for J2EE Applications''' ===<br />
<br />
[[Image:Jasonli appsecBR2010.jpg|frame]] '''Date and time: November 16th and 17th'''<br> '''Instructor: Jason Li'''<br> '''Summary'''<br> Training developers on secure coding practices offers one of the highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Java EE Secure Coding Training raises developer awareness of application security issues and provides examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and is delivered in a very interactive manner. This class includes hands-on exercises where the students get to perform security analysis and testing on a live Java EE web application. This specially designed environment includes deliberate flaws the students have to find, diagnose, and fix. The class also uses Java EE coding exercises to provide students with realistic hands-on secure coding experience. Students gain hands-on experience using freely available web application security test tools to find and diagnose flaws and learn to avoid them in their own code.<br> <br />
<br />
'''Audience'''<br> The intended audience for this course is intended for Java EE software developers and Java EE software testers who know how to program.<br> <br />
<br />
'''Learning Objectives'''<br> At the highest level, the objective for this course is to ensure that developers are capable of designing, building, and testing secure Java EE applications and understand why this is important.<br> <br />
<br />
'''Topics'''<br> <br />
<br />
*'''HTTP Fundamentals'''<br> <br />
**Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)<br> <br />
*'''Design Principles and Patterns'''<br> <br />
**Understand and be able to apply application security design principles.<br> <br />
*'''Threats'''<br> <br />
**Be able to identify and explain common web application security threats (e.g. , cross-site scripting, SQL injection, denial of service attacks, "Man-in-the-middle" attacks, etc.) and implement mitigation techniques.<br> <br />
*'''Authentication and Session Management'''<br> <br />
**Be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, reauthentication, and timeouts.<br> <br />
*'''Access Control'''<br> <br />
**Be able to implement access control rules for the user interface, business logic, and data layers.<br> <br />
*'''Input Validation'''<br> <br />
**Be able to recognize potential input validation issues, particularly injection and Cross-site Scripting (XSS) problems, and implement appropriate input validation mechanisms for user input and other sources of input.<br> <br />
*'''Command Injection'''<br> <br />
**Understand the dangers of command injection and techniques for avoiding the introduction of this type vulnerability.<br> <br />
*'''Error Handling'''<br> <br />
**Be able to implement a consistent error (exception) handling and logging approach for an entire web application.<br> <br />
*'''Cryptography'''<br> <br />
**Learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.<br><br />
<br />
'''Jason’s Bio'''<br> Jason is a remarkable trainer, mastering five different training courses within a year’s time to our most valuable longstanding but diverse clients. The client base included a large financial institution, several leading shipping and logistics Management Company, and a leading Government systems integrator.<br> <br />
<br />
Jason has also taught Advanced Web Application Security Testing and Building Secure Web Applications classes at OWASP 2008 conferences in Belgium and India.<br> <br />
<br />
Common remarks returned from Jason’s class evaluations include '''“This is probably one of the most important classes I‘ve been exposed to here”''' and '''“One of the best instructors I’ve ever had. Really knowledgeable of the subject. Kept class interested by sharing real life examples that depicted good scenarios”'''<br><br />
<br />
<br />
== Using the OWASP ESAPI security API to provide security to web applications ==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> Tutorial in Portuguese. </span>'''<br />
<br />
'''Date and time: November 16th (9AM to 6PM)'''<br> '''Instructor: Tarcizio Vieira Neto'''<br> <br />
<br />
'''Summary'''<br />
<br />
The evolution of technology in the development of web applications has contributed to a significant increase in the use of this technology to meet the most diverse purposes. However, this technology is subject to critical security vulnerabilities, especially when recent research show that most vulnerabilities are present in the application itself. OWASP's ESAPI library (Enterprise Security API) appears in this scenario as an open source security library available for several languages such as Java EE, PHP,. NET, Classic ASP, Python, Ruby, among others. This short course addresses the vulnerabilities caused by common errors in applications development and security control mechanisms provided by ESAPI with focus on Java technology. The general principles learned in the course can be applied in the context of other programming languages.<br />
<br />
'''Target audience'''<br />
<br />
The desired profile of the audience are people connected to the area of web application development and security, having as a basic pre-requisite knowledge in web technologies, communication protocols HTTP and HTTPS, basic principles of security: encryption, hashing and digital signature, Java programming for Web systems.<br />
<br />
<br />
'''Learning objectives'''<br />
<br />
* Know the main security vulnerabilities commonly found in Web applications<br />
* Present the architecture of the ESAPI library and the operation of its modules with examples in Java.<br />
* Present Web Application Firewall component of ESAPI.<br />
<br />
<br />
'''Tópic'''<br />
<br />
# Introduction<br />
# # Myths related to security in Web applications<br />
# # OWASP Project<br />
# OWASP Top 10<br />
# OWASP ESAPI Library<br />
# # Validation and Encoding Module<br />
# # Authentication Module<br />
# # Access Control Module<br />
# # HTTP Utilities Module<br />
# # Access references module<br />
# # Cryptographic Module<br />
# # Log Module<br />
# # Intrusion Detection Module<br />
# # integrating the AppSensor module with ESAPI<br />
# # Using Filters<br />
# # Configuring ESAPI<br />
# # Web Application Firewall Module<br />
# Benefits of Using ESAPI<br />
# Conclusions<br />
<br />
<br />
'''Instructor'''<br />
<br />
Tarcízio Vieira Neto has a degree in Computer Science from Universidade Federal de Goiás (UFG), in Goiania. He began his career as an intern developer on a project of technology initiation funded by CNPq in the company Estratégia, in Goiania. After graduating he worked for six months at the company Fibonacci Soluções Ágeis in the same city, as a development analyst. Then worked for two years and eight months as a Brazilian Air Force officer as a systems analyst in the Air Force Computer Center in Brasilia, where he gained experience with the technologies of digital certification and collaborated in the development of an enterprise electronic document management system.<br />
<br />
Currently working at SERPRO since November 2009 as an Analyst in CETEC, working on software development security, dedicated primarily in writing guidelines that standardize techniques and tools tho support security in Web applications development<br />
<br />
He is attending a specialization course in Information Security from University of Brasília (UnB) and has altogether more than five years of programming experience in Java.<br />
<br />
<br />
==The Art and Science of Threat Modeling Web Applications==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> This tutorial is in English without translation. </span>''' <br />
<br />
'''Date and Time: November 17 (9AM to 6PM)'''<br> '''Instructor: Mano Paul'''<br><br />
<br />
'''Summary'''<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk. <br />
<br />
<br />
'''Target udience'''<br />
<br />
The target audience is made of technical staff and management of system development organizations, with no required knowledge of languages or specific programming techniques.<br />
<br />
<br />
'''Learning Objectives'''<br />
<br />
# Understand Threat Modeling; when to threat model and when not too<br />
# Translation of threats to risks for the organization<br />
# Have fun learning complex concepts with exercises and interactive games<br />
<br />
<br />
'''Topic'''<br />
<br />
# Introduction <br />
# Why Threat Model? <br />
# Is Threat Modeling Right for You? <br />
# Challenges <br />
# Precursors <br />
# Data Classification and Threat Modeling <br />
# Web Application Security Mechanisms <br />
# Benefits of Threat Modeling <br />
# Common Glossary of Terms <br />
# Threat Agents <br />
# OWASP Top 10 and common application attacks<br />
# Threat Modeling Process <br />
# Attack Trees <br />
# Threat and Risk Frameworks e.g., STRIDE and DREAD <br />
# Threat to Risk translation<br />
# Threat Modeling (Hands-On Exercise)<br />
<br />
<br />
'''Instructor'''<br />
<br />
Manoranjan (Mano) Paul is the Software Assurance Advisor for (ISC)2. His information security and software assurance experience includes designing and developing security programs from compliance-to-coding, security in the SDLC, writing secure code, risk management, security strategy, and security awareness training and education. He founded and serves as the CEO & President of Express Certifications. He also founded SecuRisk Solutions, a company that specializes in security product development and consulting.<br />
<br />
<br />
== Security in Service-oriented architectures ==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> Tutorial in Portuguese. </span>'''<br />
<br />
'''Date and time: Nov 17 (9AM to 6PM)'''<br> '''Instructors: Douglas Rodrigues, Julio Cesar Estrella e Nuno Manuel dos Santos Antunes'''<br> <br />
<br />
'''Summary'''<br />
<br />
Web services are the cornerstone of Service-Oriented Architectures (SOA). As critical components of business, Web services must provide high security. However, the deployment of secure Web services is a complex task. In fact, several studies show that a large number of Web Services are deployed with security breaches ranging from code vulnerabilities (eg vulnerabilities that allow code injection, including SQL injection and XPath injection) to the incorrect use of standards and security protocols. The aim of this short course is to present the theoretical and practical tools that allow the detection of vulnerabilities and security protocols and mechanisms against attacks.<br />
<br />
<br />
'''Público Alvo'''<br />
<br />
The target audience is composed of technical staff and operational systems development organizations with requirements for knowledge of languages and programming methodologies at the intermediate level.<br />
<br />
'''Learning Objectives'''<br />
<br />
The proposed short course contributes to add new technological trends. The theme is quite interesting in relation to the great challenges of research in computing, since it fits naturally within the technological development of quality, encompassing making systems available, accurate, secure, scalable, persistent and ubiquitous, and notoriously, observing the conference area, which SOA, Web services and security are the subject of growing research in computing, as it is current and of interest to the academic community, as well as professionals who work in the labor market. The interest in SOA has grown in recent years because it is an approach that helps the system to remain flexible and scalable as they grow, and can also help to resolve the gap business / IT. Students and professionals will have the opportunity to understand the basics of vulnerability detection code level and also to detect attacks between protocols and mechanisms. The idea is that participants can use the knowledge gained in this brief short course for the development of distributed applications using Web services secure and obtain knowledge needed to diagnose and prevent attacks on this type of application.<br />
<br />
'''Topics'''<br />
<br />
#SECURITY STANDARDS AND PROTOCOLS FOR WEB SERVICES<br />
#ATTACKS IN WEB SERVICES<br />
## Denial of Service Attacks<br />
## Attacks Brute Force<br />
## Spoofing Attacks<br />
## Flooding Attacks<br />
## Injection Attacks<br />
#EVALUATING SECURITY IN WEB SERVICES<br />
## Case Study on security in Web Services<br />
## "white box" analysis<br />
## "Black-box" testing<br />
## "Gray-box" testing<br />
## Case study on the effectiveness of tools for security assessment<br />
<br />
'''Instructors'''<br />
<br />
Julio Cesar Estrella - Master in Computer Science and Computational Mathematics, in the area of Distributed Systems (Institute of Mathematical Sciences and Computer ICMC / University of São Paulo - USP). During the Masters, worked with simulated queuing network in a project related to the development of negotiation techniques in models of web servers with service differentiation. Ph.D. in Computer Science and Computational Mathematics (Institute of Mathematical Sciences and Computer ICMC / University of São Paulo - USP). The theme of his doctoral thesis was about service-oriented architectures to support QoS and characterization of workloads for Web Services Composition and Service also supports Quality of Service. He is currently a professor at the Federal Technological University of Paraná (UTFPR - Campo Mourão)<br />
<br />
Douglas Rodrigues - Master in Computer Science and Computational Mathematics from Institute of Mathematics and Computer Science, University of São Paulo - ICMC-USP/São Carlos. Bachelor of Computer Science from University Euripides Marília - Univ - Marília / SP. Works on the following subjects: SOA, Web Services, performance evaluation, encryption and security.<br />
<br />
Nuno dos Santos Antunes - attended from 2003 to 2007, the Computer Engineering program, University of Coimbra. Since 2008, carries out scientific research in the group of Software and Systems Engineering (SSE) Center for Informatics and Systems University of Coimbra (CISUC), on topics related to methodologies and tools for developing Web Services without vulnerabilities. Concluded in 2009 a Masters in Computer Engineering from the Department of Computer Engineering, University of Coimbra, with the final rating of Very Good. In 2009 he began his PhD in Sciences and Information Technology. He published five scientific papers in conferences with the process of rigorous peer review, including articles in the most prestigious conferences in the areas of reliability and services.<br />
<br />
<br />
==Black-Box & White-Box ASP.NET Security Reviews using the OWASP O2 Platform==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> Thsi tutorial will be in Portuguese with materials in English </span>'''<br />
<br />
'''Date and time: November 16th (9AM to 6 PM)'''<br> '''Instructor: Dinis Cruz'''<br><br />
<br />
'''Summary'''<br />
<br />
This is a hands-on Training course on how to use the OWASP O2 Platform to perform both Black-Box and White-Box security reviews on ASP.NET Web Applications<br />
<br />
The course is designed for security consultants/developers who are responsible for performing Penetration Tests or Security Code Reviews. The course will show practical examples of how to use the OWASP O2 Platform to find, exploit and document security vulnerabities.<br />
<br />
For the course's labs, a number of test and real-world applications/frameworks will be used. In order to give the students a benign test enviroment which is easy to replicate, the (vulnerable-by-design) HacmeBank ASP.NET banking application will be used throughout the course.<br />
<br />
'''Topics'''<br />
<br />
* What is the OWASP O2 Platform and how to use it?<br />
* Using O2's Unit Tests for web exploration and browsing<br />
* Using O2's Unit Tests for web exploitation<br />
* Understanding and using O2's Web Automation Tools to find and exploit vulnerabilities in HacmeBank (Black-Box)<br />
* Understanding and using O2's AST .NET Scanner to find vulnerabilities in HacmeBank (White-Box)<br />
* Connecting the source-code traces with the web exploits to create a unified view of the vulnerabilties<br />
* Create 'Vulnerability-driven Unit Tests' to be delivered to Developers, QA/Testers and Managers<br />
* Customizing and writing new APIs (for new or modified frameworks)<br />
* Using O2 to consume results from open source tools and 3rd party commercial vendors<br />
* Case Study: Microsoft ASP.NET MVC<br />
* Case Study: Microsoft Sharpoint<br />
<br />
<br />
'''Instructor'''<br />
<br />
The course is delivered by Dinis Cruz who the lead developer of the OWASP O2 Platform and has created and delivered a number of .NET Security training courses<br />
<br />
== Location ==<br />
<br />
Please check the ''Venue'' tab in this page.<br />
<br />
==== Venue ====<br />
<br />
The event will be held in Campinas, SP, Brazil at: [http://www.cpqd.com.br Fundação CPQD]. <br />
<br />
You can check the location at [http://maps.google.com.br/maps/ms?source=embed&hl=pt-BR&geocode=&ie=UTF8&update=1&t=h&msa=0&msid=104978801628275418750.000462bf2d1a49a7571af&ll=-22.83125,-47.044315&spn=0.03718,0.04034&z=14 Google Maps] <br />
<br />
''How to get there'' <br />
<br />
TBD <br />
<br />
==== Registration ====<br />
<br />
== Online Registration ==<br />
<br />
Registration form is available at https://creator.zoho.com/lucas.ferreira/appsec/<br />
<br />
== Conference Fees ==<br />
<br />
'''Access to conference:'''<br />
<br />
* Before Sep 16th: 400.00 BRL<br />
* Before Oct 16th: 500.00 BRL<br />
* Before Nov 12th: 550.00 BRL<br />
* On site: 600.00 BRL<br />
<br />
On site registration subject to the availability of seats.<br />
<br />
'''Trainings'''<br />
<br />
* One day: 450.00 BRL<br />
* Two days: 900.00 BRL<br />
<br />
'''Discounts'''<br />
<br />
* OWASP Member: 100.00 BRL (Note: This discount is greater than the OWASP USD 50.00 annual fee. Check [http://www.google.com.br/#q=50+usd+in+brl&fp=1 here]<br />
* Student: 100.00 BRL (Note: student ID required).<br />
<br />
==== Committees ====<br />
<br />
== Conference Committee ==<br />
<br />
OWASP Global Conferences Committee Chair: Mark Bristow <br />
<br />
OWASP [[Brazilian]] Chapter Leader: Wagner Elias <br />
<br />
AppSec Brasil 2010 Organization Team (organizacao2010 at appsecbrasil.org): <br />
<br />
*Conference General Chair: Lucas C. Ferreira <br />
*Tutorials Chair: Eduardo Camargo Neves <br />
*Tracks Chair: Luiz Otávio Duarte <br />
*Local Chair: Alexandre Melo Braga<br />
<br />
=== Team Members ===<br />
<br />
*Alexandre Melo Braga <br />
*Eduardo Camargo Neves <br />
*Lucas C. Ferreira <br />
*Luiz Otávio Duarte <br />
*Wagner Elias <br />
*Eduardo Alves Nonato da Silva <br />
*Leonardo Buonsanti <br />
*Dinis Cruz <br />
*Paulo Coimbra<br />
<br />
<br />
== Programme Committee:==<br />
* Alexandre Braga<br />
* Carlos Serrao<br />
* Eduardo alves<br />
* Fernando Cima<br />
* Leonardo Buonsanti<br />
* Lucas Ferreira<br />
* Luiz Duarte<br />
* Nelson Uto<br />
* Rodrigo Rubira<br />
* Wagner Elias<br />
<br />
<br> <br> <br />
<br />
==== Travel ====<br />
<br />
TBD <br />
<br />
==== Links ====<br />
<br />
Blog: http://blog.appsecbrasil.org <br />
<br />
Twitter: http://twitter.com/owaspappsecbr <br />
<br />
Banner: http://www.owasp.org/images/3/31/AppSec_Brasil_2010_Banner.gif<br />
<br />
<br> <headertabs /> <br />
<br />
[[Category:OWASP_AppSec_Conference]]</div>Manopaulhttps://wiki.owasp.org/index.php?title=AppSec_Brasil_2010&diff=87921AppSec Brasil 20102010-08-24T18:35:19Z<p>Manopaul: /* Mano Paul */</p>
<hr />
<div>__NOTOC__ <br />
<br />
[[Image:LogoAppSecBrazil.002.jpg|center]] <br />
<br />
'''Para a versão em português, veja em [[AppSec Brasil 2010 (pt-br)]]''' <br />
<br />
= OWASP AppSec Brasil 2010 =<br />
<br />
The Second Edition of OWASP's flagship conference in South America will happen in Campinas, SP, Brazil. The Conference consists of two days of training sessions, followed by a two-day conference on a single track. <br />
<center><br />
[[Image:AppSec Brasil 2010 Campinas.jpg|500px]] <br />
</center> <br />
== Conference Dates ==<br />
<br />
The conference will happen from '''November 16th, 2010 to November 19th, 2010'''. The first two days will be tutorial days (see below). Plenary sessions will be held on November 18th and 19th. <br />
<br />
<br />
<br> <br />
<br />
==== About ====<br />
<br />
== About the conference ==<br />
<br />
Following the success of the first AppSec Brasil, held in Brasilia in 2009, the OWASP Brazilian Chapter is organizing its second edition in 2010. AppSec Brasil 2010 will happen in the city of Campinas, located 90 km from São Paulo. <br />
<br />
Campinas is the 3rd biggest city in the State of São Paulo and is an important economic center and hosts major universities and research centers. It is known to concentrate several high tech industries, including important multi-national companies in the fields of electronics, telecom and chemicals. <br />
<br />
This year, we expect to gather a number of Brazilian and Latin American practitioners and researchers to share state-of-the-art information about application security. <br />
<br />
==== Calls ====<br />
<pre><br />
**DEADLINE EXTENDED - 23 August**<br />
**OWASP APPSEC BRASIL 2010**<br />
**CALL FOR PRESENTATIONS**<br />
<br />
Colleagues,<br />
<br />
OWASP is currently soliciting presentations for the OWASP AppSec Brasil<br />
2010 Conference that will take<br />
place at CPqD Foundation in Campinas, SP, Brazil on November 16th<br />
through 19th, 2010. There will be<br />
training courses on November 16th and 17th followed by plenary sessions<br />
on the 18th and 19th with each<br />
day having one single track.<br />
<br />
We are seeking people and organizations that want to present on any of<br />
the following topics (in no particular order):<br />
- - Application Threat Modeling<br />
- - Business Risks with Application Security<br />
- - Hands-on Source Code Review<br />
- - Metrics for Application Security<br />
- - OWASP Tools and Projects<br />
- - Privacy Concerns with Applications and Data Storage<br />
- - Secure Coding Practices (J2EE/.NET)<br />
- - Starting and Managing Secure Development Lifecycle Programs<br />
- - Technology specific presentations on security such as AJAX, XML, etc<br />
- - Web Application Security countermeasures<br />
- - Web Application Security Testing<br />
- - Web Services-, XML- and Application Security<br />
- - Anything else relating to OWASP and Application Security<br />
<br />
To make a submission you must fill out the form available<br />
at http://www.owasp.org/images/f/f7/OWASP_AppSec_Brasil_2010_CFP.rtf.zip<br />
and submit<br />
through the easychair conference interface at<br />
http://www.easychair.org/conferences/?conf=appsecbr2010<br />
<br />
Each presenter will have 45 minutes for the presentation, followed by 10<br />
minutes reserved for<br />
questions from the audience. The presentations must respect the<br />
restrictions of the OWASP Speaker Agreement.<br />
<br />
**Important Dates:**<br />
Submission deadline is August 23, 2010 at 11:59 PM (UTC/GMT -3).<br />
Notification of acceptance is September 8, 2010.<br />
Presentation slides are due September 30, 2010.<br />
<br />
The conference organization team may be contacted by email at<br />
organizacao2010 (at) appsecbrasil.org<br />
<br />
For more information, please see the following web pages:<br />
<br />
Conference Website:<br />
https://www.owasp.org/index.php/AppSec_Brasil_2010<br />
<br />
OWASP Speaker Agreement:<br />
http://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
OWASP Website:<br />
http://www.owasp.org<br />
<br />
Easychair conference site:<br />
http://www.easychair.org/conferences/?conf=appsecbr2010<br />
<br />
Presentation proposal form:<br />
http://www.owasp.org/images/f/f7/OWASP_AppSec_Brasil_2010_CFP.rtf.zip<br />
<br />
********** WARNING: Submissions without the information requested in the<br />
proposal form will not be considered ************<br />
<br />
Please forward to all interested practitioners and colleagues<br />
<br />
</pre> <br />
<br />
<br />
== Call for training providers ==<br />
<pre>**OWASP APPSEC BRASIL 2010**<br />
**CALL FOR TRAINING SESSIONS**<br />
<br />
Colleagues,<br />
<br />
OWASP is currently soliciting training proposals for the OWASP<br />
AppSec Brazil 2010 Conference which will take place at Fundação CPqD<br />
in Campinas, SP, Brazil, on November 16 through November 19, 2010.<br />
There will be training courses on November 16 and 17 followed by<br />
plenary sessions on the 18 and 19 with one single track per day.<br />
<br />
We are seeking training proposals on the following topics (in no<br />
particular order):<br />
- Application Threat Modeling - Business Risks with Application Security<br />
- Hands-on Source Code Review<br />
- Metrics for Application Security<br />
- OWASP Tools and Projects<br />
- Privacy Concerns with Applications and Data Storage<br />
- Secure Coding Practices (J2EE/.NET)<br />
- Starting and Managing Secure Development Lifecycle Programs<br />
- Technology specific presentations on security such as AJAX, XML, etc<br />
- Web Application Security countermeasures<br />
- Web Application Security Testing<br />
- Web Services, XML- and Application Security<br />
- Anything else relating to OWASP and Application Security<br />
<br />
Proposals on topics not listed above but related to the conference<br />
(i.e. which are related to Application Security) may also be accepted.<br />
<br />
To make a submission you must fill out the form available at<br />
http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip<br />
and submit by email to organizacao2010@appsecbrasil.org<br />
<br />
There may be 1 or 2-day courses. The proposals must respect the<br />
restrictions of the OWASP Speaker Agreement. The conference will<br />
reward trainers with at least 30% of the total revenue of their<br />
courses, based on a minimum attendance. Courses that attract more<br />
students may be granted higher percentages. No other compensation<br />
(such as tickets or lodging) will be provided. If you require a<br />
different arrangement, please contact the conference chair at the<br />
email address below.<br />
<br />
**Compensation**<br />
Instructors and authors will be paid based on the number of students<br />
in their training sessions. If the training gathers only the minimum<br />
number of students, the compensation will be 30% of the revenue. For<br />
each group of 10 extra students enrolled, the compensation will be<br />
increased by 5% of the revenue, up to a maximum of 45% of the training<br />
revenue. For example, a 1-day training with 10 to 19 students will<br />
generate a compensation of 30% of the revenue. For classes of 20 to 29<br />
students, the compensation raises to 35% percent of the revenue.<br />
<br />
In exceptional cases, different compensation schemes may be accepted.<br />
Please contact the conference organization team by email<br />
(organizacao2010@appsecbrasil.org) for details.<br />
<br />
**Training cost**<br />
1-day training: R$ 450 per student<br />
2-day training: R$ 900 per student<br />
All prices in Brazilian Reais (BRL)<br />
<br />
**Minimum number of students**<br />
1-day trainings: 10 students<br />
2-day trainings: 20 students<br />
<br />
**Important Dates:**<br />
Submission deadline is July 26, 2010, at 11:59 PM (UTC/GMT-3).<br />
Notification of acceptance will be August 16, 2010.<br />
Final version is due September 15, 2010.<br />
<br />
The conference organization team may be contacted by email at<br />
organizacao2010 (at) appsecbrasil.org<br />
<br />
For more information, please see the following web pages:<br />
Conference Website: https://www.owasp.org/index.php/AppSec_Brasil_2010<br />
OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement<br />
OWASP Website: http://www.owasp.org<br />
Easychair conference site:<br />
http://www.easychair.org/conferences/?conf=appsecbr2010<br />
Presentation proposal form:<br />
http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip<br />
<br />
********** WARNING: Submissions without all the information requested<br />
in the proposal form will not be considered ************<br />
<br />
</pre> <br />
<br />
<br />
==== Sponsorship ====<br />
<br />
We are currently soliciting sponsors for the AppSec Brasil 2010 Conference. Detailed [[Media:OWASP_-_Sponsorship_Opportunities_-_EN_V.1.2.pdf|sponsorship oportunities]] are now available. <br />
<br />
If you are interested in sponsoring AppSec Brasil 2010, please contact the Conference Organization Team (organizacao2010@appsecbrasil.org). <br />
<br />
== Sponsors ==<br />
<br />
<br />
== Platinum Sponsors ==<br />
{|<br />
| [[Image:AppSec Brasil 2010 CPQD.jpg|200px|link=http://www.cpqd.com.br]]<br />
|-<br />
| &nbsp;<br />
|-<br />
|} <br />
<br />
== Gold Sponsors ==<br />
{|<br />
| [[Image:LeadComm Logo Screen.jpg|150px|link=http://www.leadcomm.com.br]]<br />
| width="50" | <br><br />
| [[Image:Logo PagSeguro-Uma empresa-UOL.jpg|150px|link=http://www.pagseguro.uol.com.br]]<br />
|-<br />
| &nbsp;<br />
|-<br />
|}<br />
<br />
== Silver Sponsors ==<br />
<br><br />
<br />
=== Attendee Kit Sponsors ===<br />
{|<br />
| [[Image:Logotipo_Conviso_2009_Cor.png|150px]]<br />
| width="50" | <br><br />
| [[Image:lgClavis.png|110px|link=http://www.clavis.com.br]]<br />
|-<br />
| &nbsp;<br />
|-<br />
|}<br />
<br><br />
<br />
== Promoted by ==<br />
<center><br />
[[Image:Appsec Brasil 2010 InstitutoTuring.png]] <br />
</center> <br />
==== Keynotes ====<br />
<br />
==Robert 'Rsnake' Hansen ==<br />
<br />
[http://www.sectheory.com/ SecTheory]<br />
<br />
'''''Title:''''' '''TBD.'''<br />
<br />
'''''Bio:''''' Robert Hansen aka RSnake is the CEO and founder of SecTheory. He has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles from Sr. Security Architect and eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory board for the Intrepidus Group, previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies.<br />
<br />
Mr. Hansen wrote Detecting Malice, authors content on O'Reilly and co-authored "XSS Exploits" by Syngress publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also has briefed the DoD at the Pentagon and speaks at SourceBoston, Secure360, GFIRST/US-CERT, CSI, Toorcon, APWG, ISSA, TRISC, World OWASP/WASC conferences, SANS, Microsoft's Bluehat, Blackhat, DefCon, SecTor, BSides, Networld+Interop, and has been the keynote speaker at the New York Cyber Security Conference, NITES and OWASP Appsec Asia. Mr. Hansen is a member of Infragard, West Austin Rotary, WASC, IACSP, APWG, contributed to the OWASP 2.0 guide and is on the OWASP Connections Committee.<br />
<br />
Robert also maintains the http://ha.ckers.org website where he discuss web application security and provides lots of useful content to be used against web application attacks.<br />
<br />
== Jeremiah Grossman ==<br />
<br />
[http://www.whitehatsec.com/ WhiteHat Security] <br />
<br />
'''''Title:''''' '''TBD.''' <br />
<br />
'''''Bio:''''' Jeremiah Grossman, founder and CTO, WhiteHat Security, is a world-renowned Web security expert. A co-founder of the Web Application Security Consortium (WASC), he was named to InfoWorld's Top 25 CTOs in 2007 and is frequently quoted by business and technical media. He has authored dozens of articles and whitepapers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of "XSS Attacks: Cross Site Scripting Exploits and Defense." Grossman is also an influential blogger who offers insight and encourages open dialogue regarding Web security research and trends. Prior to WhiteHat, Grossman was an information security officer at Yahoo! <br />
<br />
<br> <br />
<br />
==== Invited Speakers ====<br />
<br />
== Samy Kamkar==<br />
<br />
'''''Title:''''' '''How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend.'''<br />
<br />
'''''Summary:''''' <br />
This includes entertaining and newly discovered attacks including PHP session<br />
prediction and random numbers (accurately guessing PHP session cookies),<br />
browser protocol confusion (turning a browser into an SMTP server), firewall and<br />
NAT penetration via Javascript (turning your router against you), remote iPhone<br />
Google Maps hijacking (iPhone penetration combined with HTTP man-in-themiddle),<br />
extracting extremely accurate geolocation information from a Web browser<br />
(not using IP geolocation), and more.<br />
<br />
'''''Bio:'''''<br />
Samy Kamkar is best known for the Samy worm, the first XSS worm,<br />
infecting over one million users on MySpace in less than 24 hours. A cofounder<br />
of Fonality, Inc., an IP PBX company, Samy previously led the<br />
development of all top-level domain name server software and systems for<br />
Global Domains International (.ws).<br />
<br />
In the past 10 years, Samy has focused on evolutionary and genetic<br />
algorithmic software development, Voice over IP software development,<br />
automated security and vulnerability research in network security, reverse<br />
engineering, and network gaming. When not strapped behind the Matrix,<br />
Samy can be found stunt driving and getting involved in local community<br />
service projects.<br />
<br />
== Mano Paul ==<br />
<br />
'''''Title:''''' '''TBD.''' <br />
<br />
'''''Bio:'''''<br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Shark Researcher turned Security Guru!</b><br><br />
<b>Manoranjan (Mano) Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP and SSCP. <br />
<br />
Before SecuRisk Solutions and Express Certifications, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His information security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. He is a member and chair of the OWASP Global Education Committee and actively participates in OWASP speaking, training and leadership events. He is also appointed the Software Assurance Advisor for (ISC)<sup>2</sup>, representing and advising the organization on software assurance strategy, training, education and certification. He is an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter. <br />
<br />
Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, TRISC and SC World Congress conferences. He is the author of the Official (ISC)<sup>2</sup> Guide to the Certified Secure Software Lifecycle Professional (CSSLP<sup>CM</sup>), contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN).<br />
<br />
Mano is married to whom he calls the “most wonderful and sacrificial person in this world” - Sangeetha Johnson and their greatest fulfillment comes from spending time with the son – Reuben A Paul (RAP).<br />
==== Agenda ====<br />
<br />
== Conference Program - Day 1 - November 18th 2010 ==<br />
<center><br />
{| width="80%" class="t"<br />
|-<br />
| width="14%" height="17" align="right" | 08:30 - 09:00 <br />
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''<br />
|-<br />
| width="14%" height="17" align="right" | 09:00 - 09:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Opening Ceremony'''<br />
|-<br />
| width="14%" height="49" align="right" | 09:30 - 10:30 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Dinis Cruz'''<br> About OWASP<br />
|-<br />
| width="14%" height="17" align="right" | 10:30 - 10:50 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="49" align="right" | 10:50 - 12:20 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Robert 'RSnake' Hansen'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 12:20 - 14:00 <br />
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''<br />
|-<br />
| width="14%" height="47" align="right" | 14:00 - 14:50 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="32" align="right" | 14:50 - 15:40 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="17" align="right" | 15:40 - 16:00 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="47" align="right" | 16:00 - 16:50 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="32" align="right" | 16:50 - 17:40 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD<br>''' TBD<br />
|-<br />
| width="14%" height="47" align="right" | 17:40 - 18:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Mano Paul'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 18:30 - 18:35 <br />
| bgcolor="#cccccc" align="CENTER" | '''End of the First Day'''<br />
|}<br />
</center> <br />
<br><br />
<br />
== Conference Program - Day 2 - November 19th 2010 ==<br />
<center><br />
{| width="80%" class="t"<br />
|-<br />
| width="14%" height="17" align="right" | 08:30 - 09:00 <br />
| bgcolor="#8595c2" align="CENTER" | '''Reception Desk Open'''<br />
|-<br />
| width="14%" height="32" align="right" | 09:00 - 10:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''Jeremiah Grossman'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 10:30 - 10:50 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="47" align="right" | 10:30 - 11:40 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="32" align="right" | 11:40 - 12:30 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 12:30 - 14:00 <br />
| bgcolor="#d98b66" align="CENTER" | '''Lunch Break'''<br />
|-<br />
| width="14%" height="32" align="right" | 14:00 - 14:50 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Samy Kamkar'''<br> How I Met Your Girlfriend<br />
|-<br />
| width="14%" height="32" align="right" | 14:50 - 15:40 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="47" align="right" | 15:40 - 16:10 <br />
| bgcolor="#eeeeee" align="CENTER" | '''Cel. Monclaro'''<br> Presentation of RENASIC<br />
|-<br />
| width="14%" height="17" align="right" | 16:10 - 16:30 <br />
| bgcolor="#d98b66" align="CENTER" | '''Break'''<br />
|-<br />
| width="14%" height="32" align="right" | 16:30 - 17:20 <br />
| bgcolor="#b9c2dc" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="47" align="right" | 17:20 - 18:10 <br />
| bgcolor="#eeeeee" align="CENTER" | '''TBD'''<br> TBD<br />
|-<br />
| width="14%" height="17" align="right" | 18:10 - 18:30 <br />
| bgcolor="#cccccc" align="CENTER" | '''End of the Conference'''<br />
|}<br />
</center> <br />
<br> <br />
<br />
==== Trainings ====<br />
<br />
[[Image:Aspect logo.png]] <br />
<br />
=== '''Secure Coding for J2EE Applications''' ===<br />
<br />
[[Image:Jasonli appsecBR2010.jpg|frame]] '''Date and time: November 16th and 17th'''<br> '''Instructor: Jason Li'''<br> '''Summary'''<br> Training developers on secure coding practices offers one of the highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Java EE Secure Coding Training raises developer awareness of application security issues and provides examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and is delivered in a very interactive manner. This class includes hands-on exercises where the students get to perform security analysis and testing on a live Java EE web application. This specially designed environment includes deliberate flaws the students have to find, diagnose, and fix. The class also uses Java EE coding exercises to provide students with realistic hands-on secure coding experience. Students gain hands-on experience using freely available web application security test tools to find and diagnose flaws and learn to avoid them in their own code.<br> <br />
<br />
'''Audience'''<br> The intended audience for this course is intended for Java EE software developers and Java EE software testers who know how to program.<br> <br />
<br />
'''Learning Objectives'''<br> At the highest level, the objective for this course is to ensure that developers are capable of designing, building, and testing secure Java EE applications and understand why this is important.<br> <br />
<br />
'''Topics'''<br> <br />
<br />
*'''HTTP Fundamentals'''<br> <br />
**Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL)<br> <br />
*'''Design Principles and Patterns'''<br> <br />
**Understand and be able to apply application security design principles.<br> <br />
*'''Threats'''<br> <br />
**Be able to identify and explain common web application security threats (e.g. , cross-site scripting, SQL injection, denial of service attacks, "Man-in-the-middle" attacks, etc.) and implement mitigation techniques.<br> <br />
*'''Authentication and Session Management'''<br> <br />
**Be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, reauthentication, and timeouts.<br> <br />
*'''Access Control'''<br> <br />
**Be able to implement access control rules for the user interface, business logic, and data layers.<br> <br />
*'''Input Validation'''<br> <br />
**Be able to recognize potential input validation issues, particularly injection and Cross-site Scripting (XSS) problems, and implement appropriate input validation mechanisms for user input and other sources of input.<br> <br />
*'''Command Injection'''<br> <br />
**Understand the dangers of command injection and techniques for avoiding the introduction of this type vulnerability.<br> <br />
*'''Error Handling'''<br> <br />
**Be able to implement a consistent error (exception) handling and logging approach for an entire web application.<br> <br />
*'''Cryptography'''<br> <br />
**Learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.<br><br />
<br />
'''Jason’s Bio'''<br> Jason is a remarkable trainer, mastering five different training courses within a year’s time to our most valuable longstanding but diverse clients. The client base included a large financial institution, several leading shipping and logistics Management Company, and a leading Government systems integrator.<br> <br />
<br />
Jason has also taught Advanced Web Application Security Testing and Building Secure Web Applications classes at OWASP 2008 conferences in Belgium and India.<br> <br />
<br />
Common remarks returned from Jason’s class evaluations include '''“This is probably one of the most important classes I‘ve been exposed to here”''' and '''“One of the best instructors I’ve ever had. Really knowledgeable of the subject. Kept class interested by sharing real life examples that depicted good scenarios”'''<br><br />
<br />
<br />
== Using the OWASP ESAPI security API to provide security to web applications ==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> Tutorial in Portuguese. </span>'''<br />
<br />
'''Date and time: November 16th (9AM to 6PM)'''<br> '''Instructor: Tarcizio Vieira Neto'''<br> <br />
<br />
'''Summary'''<br />
<br />
The evolution of technology in the development of web applications has contributed to a significant increase in the use of this technology to meet the most diverse purposes. However, this technology is subject to critical security vulnerabilities, especially when recent research show that most vulnerabilities are present in the application itself. OWASP's ESAPI library (Enterprise Security API) appears in this scenario as an open source security library available for several languages such as Java EE, PHP,. NET, Classic ASP, Python, Ruby, among others. This short course addresses the vulnerabilities caused by common errors in applications development and security control mechanisms provided by ESAPI with focus on Java technology. The general principles learned in the course can be applied in the context of other programming languages.<br />
<br />
'''Target audience'''<br />
<br />
The desired profile of the audience are people connected to the area of web application development and security, having as a basic pre-requisite knowledge in web technologies, communication protocols HTTP and HTTPS, basic principles of security: encryption, hashing and digital signature, Java programming for Web systems.<br />
<br />
<br />
'''Learning objectives'''<br />
<br />
* Know the main security vulnerabilities commonly found in Web applications<br />
* Present the architecture of the ESAPI library and the operation of its modules with examples in Java.<br />
* Present Web Application Firewall component of ESAPI.<br />
<br />
<br />
'''Tópic'''<br />
<br />
# Introduction<br />
# # Myths related to security in Web applications<br />
# # OWASP Project<br />
# OWASP Top 10<br />
# OWASP ESAPI Library<br />
# # Validation and Encoding Module<br />
# # Authentication Module<br />
# # Access Control Module<br />
# # HTTP Utilities Module<br />
# # Access references module<br />
# # Cryptographic Module<br />
# # Log Module<br />
# # Intrusion Detection Module<br />
# # integrating the AppSensor module with ESAPI<br />
# # Using Filters<br />
# # Configuring ESAPI<br />
# # Web Application Firewall Module<br />
# Benefits of Using ESAPI<br />
# Conclusions<br />
<br />
<br />
'''Instructor'''<br />
<br />
Tarcízio Vieira Neto has a degree in Computer Science from Universidade Federal de Goiás (UFG), in Goiania. He began his career as an intern developer on a project of technology initiation funded by CNPq in the company Estratégia, in Goiania. After graduating he worked for six months at the company Fibonacci Soluções Ágeis in the same city, as a development analyst. Then worked for two years and eight months as a Brazilian Air Force officer as a systems analyst in the Air Force Computer Center in Brasilia, where he gained experience with the technologies of digital certification and collaborated in the development of an enterprise electronic document management system.<br />
<br />
Currently working at SERPRO since November 2009 as an Analyst in CETEC, working on software development security, dedicated primarily in writing guidelines that standardize techniques and tools tho support security in Web applications development<br />
<br />
He is attending a specialization course in Information Security from University of Brasília (UnB) and has altogether more than five years of programming experience in Java.<br />
<br />
<br />
==The Art and Science of Threat Modeling Web Applications==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> This tutorial is in English without translation. </span>''' <br />
<br />
'''Date and Time: November 17 (9AM to 6PM)'''<br> '''Instructor: Mano Paul'''<br><br />
<br />
'''Summary'''<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk. <br />
<br />
<br />
'''Target udience'''<br />
<br />
The target audience is made of technical staff and management of system development organizations, with no required knowledge of languages or specific programming techniques.<br />
<br />
<br />
'''Learning Objectives'''<br />
<br />
# Understand Threat Modeling; when to threat model and when not too<br />
# Translation of threats to risks for the organization<br />
# Have fun learning complex concepts with exercises and interactive games<br />
<br />
<br />
'''Topic'''<br />
<br />
# Introduction <br />
# Why Threat Model? <br />
# Is Threat Modeling Right for You? <br />
# Challenges <br />
# Precursors <br />
# Data Classification and Threat Modeling <br />
# Web Application Security Mechanisms <br />
# Benefits of Threat Modeling <br />
# Common Glossary of Terms <br />
# Threat Agents <br />
# OWASP Top 10 and common application attacks<br />
# Threat Modeling Process <br />
# Attack Trees <br />
# Threat and Risk Frameworks e.g., STRIDE and DREAD <br />
# Threat to Risk translation<br />
# Threat Modeling (Hands-On Exercise)<br />
<br />
<br />
'''Instructor'''<br />
<br />
Manoranjan (Mano) Paul is the Software Assurance Advisor for (ISC)2. His information security and software assurance experience includes designing and developing security programs from compliance-to-coding, security in the SDLC, writing secure code, risk management, security strategy, and security awareness training and education. He founded and serves as the CEO & President of Express Certifications. He also founded SecuRisk Solutions, a company that specializes in security product development and consulting.<br />
<br />
<br />
== Security in Service-oriented architectures ==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> Tutorial in Portuguese. </span>'''<br />
<br />
'''Date and time: Nov 17 (9AM to 6PM)'''<br> '''Instructors: Douglas Rodrigues, Julio Cesar Estrella e Nuno Manuel dos Santos Antunes'''<br> <br />
<br />
'''Summary'''<br />
<br />
Web services are the cornerstone of Service-Oriented Architectures (SOA). As critical components of business, Web services must provide high security. However, the deployment of secure Web services is a complex task. In fact, several studies show that a large number of Web Services are deployed with security breaches ranging from code vulnerabilities (eg vulnerabilities that allow code injection, including SQL injection and XPath injection) to the incorrect use of standards and security protocols. The aim of this short course is to present the theoretical and practical tools that allow the detection of vulnerabilities and security protocols and mechanisms against attacks.<br />
<br />
<br />
'''Público Alvo'''<br />
<br />
The target audience is composed of technical staff and operational systems development organizations with requirements for knowledge of languages and programming methodologies at the intermediate level.<br />
<br />
'''Learning Objectives'''<br />
<br />
The proposed short course contributes to add new technological trends. The theme is quite interesting in relation to the great challenges of research in computing, since it fits naturally within the technological development of quality, encompassing making systems available, accurate, secure, scalable, persistent and ubiquitous, and notoriously, observing the conference area, which SOA, Web services and security are the subject of growing research in computing, as it is current and of interest to the academic community, as well as professionals who work in the labor market. The interest in SOA has grown in recent years because it is an approach that helps the system to remain flexible and scalable as they grow, and can also help to resolve the gap business / IT. Students and professionals will have the opportunity to understand the basics of vulnerability detection code level and also to detect attacks between protocols and mechanisms. The idea is that participants can use the knowledge gained in this brief short course for the development of distributed applications using Web services secure and obtain knowledge needed to diagnose and prevent attacks on this type of application.<br />
<br />
'''Topics'''<br />
<br />
#SECURITY STANDARDS AND PROTOCOLS FOR WEB SERVICES<br />
#ATTACKS IN WEB SERVICES<br />
## Denial of Service Attacks<br />
## Attacks Brute Force<br />
## Spoofing Attacks<br />
## Flooding Attacks<br />
## Injection Attacks<br />
#EVALUATING SECURITY IN WEB SERVICES<br />
## Case Study on security in Web Services<br />
## "white box" analysis<br />
## "Black-box" testing<br />
## "Gray-box" testing<br />
## Case study on the effectiveness of tools for security assessment<br />
<br />
'''Instructors'''<br />
<br />
Julio Cesar Estrella - Master in Computer Science and Computational Mathematics, in the area of Distributed Systems (Institute of Mathematical Sciences and Computer ICMC / University of São Paulo - USP). During the Masters, worked with simulated queuing network in a project related to the development of negotiation techniques in models of web servers with service differentiation. Ph.D. in Computer Science and Computational Mathematics (Institute of Mathematical Sciences and Computer ICMC / University of São Paulo - USP). The theme of his doctoral thesis was about service-oriented architectures to support QoS and characterization of workloads for Web Services Composition and Service also supports Quality of Service. He is currently a professor at the Federal Technological University of Paraná (UTFPR - Campo Mourão)<br />
<br />
Douglas Rodrigues - Master in Computer Science and Computational Mathematics from Institute of Mathematics and Computer Science, University of São Paulo - ICMC-USP/São Carlos. Bachelor of Computer Science from University Euripides Marília - Univ - Marília / SP. Works on the following subjects: SOA, Web Services, performance evaluation, encryption and security.<br />
<br />
Nuno dos Santos Antunes - attended from 2003 to 2007, the Computer Engineering program, University of Coimbra. Since 2008, carries out scientific research in the group of Software and Systems Engineering (SSE) Center for Informatics and Systems University of Coimbra (CISUC), on topics related to methodologies and tools for developing Web Services without vulnerabilities. Concluded in 2009 a Masters in Computer Engineering from the Department of Computer Engineering, University of Coimbra, with the final rating of Very Good. In 2009 he began his PhD in Sciences and Information Technology. He published five scientific papers in conferences with the process of rigorous peer review, including articles in the most prestigious conferences in the areas of reliability and services.<br />
<br />
<br />
==Black-Box & White-Box ASP.NET Security Reviews using the OWASP O2 Platform==<br />
<br />
'''<span style="color: rgb(255, 0, 0);"> Thsi tutorial will be in Portuguese with materials in English </span>'''<br />
<br />
'''Date and time: November 16th (9AM to 6 PM)'''<br> '''Instructor: Dinis Cruz'''<br><br />
<br />
'''Summary'''<br />
<br />
This is a hands-on Training course on how to use the OWASP O2 Platform to perform both Black-Box and White-Box security reviews on ASP.NET Web Applications<br />
<br />
The course is designed for security consultants/developers who are responsible for performing Penetration Tests or Security Code Reviews. The course will show practical examples of how to use the OWASP O2 Platform to find, exploit and document security vulnerabities.<br />
<br />
For the course's labs, a number of test and real-world applications/frameworks will be used. In order to give the students a benign test enviroment which is easy to replicate, the (vulnerable-by-design) HacmeBank ASP.NET banking application will be used throughout the course.<br />
<br />
'''Topics'''<br />
<br />
* What is the OWASP O2 Platform and how to use it?<br />
* Using O2's Unit Tests for web exploration and browsing<br />
* Using O2's Unit Tests for web exploitation<br />
* Understanding and using O2's Web Automation Tools to find and exploit vulnerabilities in HacmeBank (Black-Box)<br />
* Understanding and using O2's AST .NET Scanner to find vulnerabilities in HacmeBank (White-Box)<br />
* Connecting the source-code traces with the web exploits to create a unified view of the vulnerabilties<br />
* Create 'Vulnerability-driven Unit Tests' to be delivered to Developers, QA/Testers and Managers<br />
* Customizing and writing new APIs (for new or modified frameworks)<br />
* Using O2 to consume results from open source tools and 3rd party commercial vendors<br />
* Case Study: Microsoft ASP.NET MVC<br />
* Case Study: Microsoft Sharpoint<br />
<br />
<br />
'''Instructor'''<br />
<br />
The course is delivered by Dinis Cruz who the lead developer of the OWASP O2 Platform and has created and delivered a number of .NET Security training courses<br />
<br />
== Location ==<br />
<br />
Please check the ''Venue'' tab in this page.<br />
<br />
==== Venue ====<br />
<br />
The event will be held in Campinas, SP, Brazil at: [http://www.cpqd.com.br Fundação CPQD]. <br />
<br />
You can check the location at [http://maps.google.com.br/maps/ms?source=embed&hl=pt-BR&geocode=&ie=UTF8&update=1&t=h&msa=0&msid=104978801628275418750.000462bf2d1a49a7571af&ll=-22.83125,-47.044315&spn=0.03718,0.04034&z=14 Google Maps] <br />
<br />
''How to get there'' <br />
<br />
TBD <br />
<br />
==== Registration ====<br />
<br />
== Online Registration ==<br />
<br />
Registration form is available at https://creator.zoho.com/lucas.ferreira/appsec/<br />
<br />
== Conference Fees ==<br />
<br />
'''Access to conference:'''<br />
<br />
* Before Sep 16th: 400.00 BRL<br />
* Before Oct 16th: 500.00 BRL<br />
* Before Nov 12th: 550.00 BRL<br />
* On site: 600.00 BRL<br />
<br />
On site registration subject to the availability of seats.<br />
<br />
'''Trainings'''<br />
<br />
* One day: 450.00 BRL<br />
* Two days: 900.00 BRL<br />
<br />
'''Discounts'''<br />
<br />
* OWASP Member: 100.00 BRL (Note: This discount is greater than the OWASP USD 50.00 annual fee. Check [http://www.google.com.br/#q=50+usd+in+brl&fp=1 here]<br />
* Student: 100.00 BRL (Note: student ID required).<br />
<br />
==== Committees ====<br />
<br />
== Conference Committee ==<br />
<br />
OWASP Global Conferences Committee Chair: Mark Bristow <br />
<br />
OWASP [[Brazilian]] Chapter Leader: Wagner Elias <br />
<br />
AppSec Brasil 2010 Organization Team (organizacao2010 at appsecbrasil.org): <br />
<br />
*Conference General Chair: Lucas C. Ferreira <br />
*Tutorials Chair: Eduardo Camargo Neves <br />
*Tracks Chair: Luiz Otávio Duarte <br />
*Local Chair: Alexandre Melo Braga<br />
<br />
=== Team Members ===<br />
<br />
*Alexandre Melo Braga <br />
*Eduardo Camargo Neves <br />
*Lucas C. Ferreira <br />
*Luiz Otávio Duarte <br />
*Wagner Elias <br />
*Eduardo Alves Nonato da Silva <br />
*Leonardo Buonsanti <br />
*Dinis Cruz <br />
*Paulo Coimbra<br />
<br />
<br />
== Programme Committee:==<br />
* Alexandre Braga<br />
* Carlos Serrao<br />
* Eduardo alves<br />
* Fernando Cima<br />
* Leonardo Buonsanti<br />
* Lucas Ferreira<br />
* Luiz Duarte<br />
* Nelson Uto<br />
* Rodrigo Rubira<br />
* Wagner Elias<br />
<br />
<br> <br> <br />
<br />
==== Travel ====<br />
<br />
TBD <br />
<br />
==== Links ====<br />
<br />
Blog: http://blog.appsecbrasil.org <br />
<br />
Twitter: http://twitter.com/owaspappsecbr <br />
<br />
Banner: http://www.owasp.org/images/3/31/AppSec_Brasil_2010_Banner.gif<br />
<br />
<br> <headertabs /> <br />
<br />
[[Category:OWASP_AppSec_Conference]]</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_Connections_Committee_-_Application_2&diff=75675OWASP Connections Committee - Application 22010-01-04T17:22:34Z<p>Manopaul: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]] <br />
<br />
----<br />
<br />
{| style="width:100%" border="0" align="center"<br />
|-<br />
! colspan="2" align="center" style="background:#4058A0; color:white" | <font color="white">'''COMMITTEE APPLICATION FORM'''</font><br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center" | '''Applicant's Name''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left" | <font color="black">Robert Hansen</font><br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center" | '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left" | List here.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center" | '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left" | OWASP Connection Committee<br />
|}<br />
<br />
----<br />
<br />
<br> <br />
<br />
----<br />
<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote. <br />
<br />
----<br />
<br />
<br> <br />
<br />
----<br />
<br />
{| style="width:100%" border="0" align="center"<br />
|-<br />
! colspan="8" align="center" style="background:#4058A0; color:white" | <font color="white">'''COMMITTEE RECOMMENDATIONS'''</font><br />
|-<br />
! align="center" style="background:white; color:white" | <font color="black"></font><br />
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Who Recommends/Name'''</font><br />
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Role in OWASP'''</font><br />
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Recommendation Content'''</font><br />
|-<br />
| style="width:3%; background:#cccccc" align="center" | '''1''' <br />
| style="width:20%; background:#cccccc" align="center" | Mano Paul<br />
| style="width:20%; background:#cccccc" align="center" | Global Education Committee, OWASP<br />
| style="width:57%; background:#cccccc" align="center" | Robert Hansen (RSnake) needs no introduction to those in the web application security world. His contributions to the world of security is commendable and for him to be part of the OWASP Connection Committee is a natural fit, one that I believe will be mutually beneficial. His background will undoubtedly be a value add to achieving the goals and objectives of the OWASP Connections committee. RSnake has my highest recommendation.&nbsp;<br />
|-<br />
| style="width:3%; background:#cccccc" align="center" | '''1''' <br />
| style="width:20%; background:#cccccc" align="center" | James Wickett<br />
| style="width:20%; background:#cccccc" align="center" | Chapter President, Austin OWASP<br />
| style="width:57%; background:#cccccc" align="center" | Robert has been a valuable asset to the Austin OWASP chapter and would be a great person to be on the OWASP Connection Committee. &nbsp;He has been instrumental in helping our chapter implement new events that help build community and integrate people socially in the group.&nbsp;<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|Josh Sokol<br />
| style="width:20%; background:#cccccc" align="center"|Chapter President, Austin OWASP<br />
| style="width:57%; background:#cccccc" align="center"|Robert has been working with the Austin OWASP Chapter board members for the past couple of years and has provided immeasurable assistance to the chapter in drumming up membership, getting top-notch presenters, and generally supporting our activities. He is a stand up person and is amongst the smartest security people I know. I think he would be an excellent fit for the OWASP Connections Committee role and he has my highest recommendation for this position.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center" | '''3''' <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:57%; background:#cccccc" align="center" | <br />
|-<br />
| style="width:3%; background:#cccccc" align="center" | '''4''' <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:57%; background:#cccccc" align="center" | <br />
|-<br />
| style="width:3%; background:#cccccc" align="center" | '''5''' <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:57%; background:#cccccc" align="center" | <br />
|}<br />
<br />
----</div>Manopaulhttps://wiki.owasp.org/index.php?title=File:Mano_Paul.jpg&diff=68721File:Mano Paul.jpg2009-09-10T20:05:34Z<p>Manopaul: uploaded a new version of "File:Mano Paul.jpg"</p>
<hr />
<div></div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=68123Global Education Committee2009-08-27T21:13:35Z<p>Manopaul: /* Scheduled Meetings */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Education Committee (Board Member Rep: [mailto:seba@owasp.org Seba])<br />
<br />
• [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands)<br />
<br />
• [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
<br />
• [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
<br />
• [mailto:kuai.hinojosa@owasp.org Kuai Hinjosa] (U.S.)<br />
<br />
• [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
<br />
• [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
<br />
• [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via Skype at every last thursday of the month <br />
at the following local times: <br />
4:00 p.m. @ Austin, Texas <br />
5:00 p.m. @ New York <br />
8:00 p.m. @ Brasil <br />
11:00 p.m. @ Netherlands<br />
5:00 a.m. @ Singapore (following day)<br />
</pre><br />
Next meeting(s) scheduled for:<br />
* '''August 27th 2009'''<br />
<br />
= Agenda / Timeline <font color="red">'''(DRAFT)'''</font> =<br />
''' Deadline wednesday, 4th Februari'''<br />
== Tasks ==<br />
''' 60 days to make a proposal '''<br />
* ''' December 20th ''' - first draft of the proposal<br />
* ''' January 16th ''' - submit <br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| '''TBD'''<br />
| Message<br />
| Status<br />
| Categorize / Organization of the educational materials for audience by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''Q1/Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
| Mano/Fabio<br />
|-<br />
| [[Create an online assessment and training portal]]<br />
| '''Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
| Mano/Fabio<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' Oktober 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| started<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Denver 2009/OWASP EU<br />
| Delivery <br />
| stared<br />
| Develop an OWASP Capture the Flag contest that could be easy use for OWASP conferences.<br />
| Martin, Andrzej<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Startes<br />
| Select material for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| Status<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each Projects --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| [[Educational Academic Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 Universities already in contact with and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa, Andrzej<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Objective: Categorize / Organize educational material, estyle the Education Project website.<br><br />
<br />
Activities/Deadline:<br> <br />
* Categorize education material according to the CLASP roles<br><br />
* Group material into management-ish, student-ish, technical-ish <br><br />
<br />
Benefits<br><br />
Target specific demographic (managers, students...) Provide easy access to education material. Efficient categorization of education materials.<br />
<br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop a criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal to deliver taking of assessments with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help in increasing the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
Objective<br><br />
To deliver a Boot Camp session which would lead to be one of the main criteria to produce alpha status projects<br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== OWASP CTF event ==<br />
Objective<br />
Generate a Capture The Flag framework to be offered at OWASP events<br />
<br />
Activities/Deadline: <br />
* Andrzej will contact the organizers of the CTF from the Denver OWASP Conference and work in using same model<br />
<br />
Benefits<br />
Capture The Flag events are very popular in conferences, creating and OWASP specific CTF will offer entertainment at events, generate attendants participation etc.<br />
<br />
== Speakers Bureau Project ==<br />
<br />
Objective<br><br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br><br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit<br />
<br />
Speakers Agreement - https://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
== Marketing efforts ==<br />
Objective: To promote OWASP projects, events, education material and OWASP mission.<br><br />
<br />
Activities/Deadline:<br> <br />
* Gather flyers, Brochures of OWASP Top 10, Testing Guide<br />
<br />
Benefits<br><br />
Group promotional material which can be hand out at events<br />
<br />
== Internationalization of the training materials ==<br />
Objective<br><br />
Translate training materials<br />
<br />
Activities/Deadline:<br> <br />
Identify point of contacts places for translation efforts and setup a deadline<br />
Translate material in French, Portuguese, Spanish, Malay, Italian, Indonesian, Chinese<br />
<br />
Benefits<br><br />
To reach international audiences<br />
<br />
== Education material ==<br />
Objective: Consolidate all projects (Tools, Help Documents, Presentations, LiveCD) create educational material (training service) <br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== Academic Educational Services ==<br />
Objectives<br><br />
Promote and encourage OWASP resources at accredited Universities around the world within the next 12 months by introducing OWASP training and education material at University's events.<br />
<br />
Activities/Deadline:<br />
<br />
* Build a list of at least 5 Universities with computer science or risk management programs that can be targeted /Q1 2009 <br />
* Establish communication with targeted universities, generate key contacts and establish relationships /Q1 - Q4 2009<br />
* Develop a list of possible academic events in which to participate /Q1 - Q2 2009 <br />
* Participate in at least 1 Academic event, present case studies or OWASP education materials /Q1 - Q4<br />
<br />
Benefits<br><br />
OWASP will gain exposure in the academic industry, starting with accredited universities around the world. Universities will become members of OWASP, provide meeting space, students will apply to OWASP grants, and provide support and structure</div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=52414Global Education Committee2009-01-29T22:18:19Z<p>Manopaul: /* Education material */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Education Committee (Board Member Rep: [mailto:seba@owasp.org Seba])<br />
<br />
• [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands)<br />
<br />
• [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
<br />
• [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
<br />
• [mailto:kuai.hinojosa@owasp.org Kuai Hinjosa] (U.S.)<br />
<br />
• [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
<br />
• [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
<br />
• [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via Skype, see below for the local time: <br />
3:30 p.m. @ Austin, Texas <br />
4:30 p.m. @ New York <br />
7:30 p.m. @ Brasil <br />
22:30 a.m. @ Netherlands<br />
5:30 a.m. @ Singapore (following day)<br />
</pre><br />
Next meeting(s) scheduled for:<br />
* '''January 29th 2009'''<br />
* '''Februari 12th 2009'''<br />
<br />
= Agenda / Timeline <font color="red">'''(DRAFT)'''</font> =<br />
''' Deadline wednesday, 4th Februari'''<br />
== Tasks ==<br />
''' 60 days to make a proposal '''<br />
* ''' December 20th ''' - first draft of the proposal<br />
* ''' January 16th ''' - submit <br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| '''TBD'''<br />
| Message<br />
| Status<br />
| Categorize / Organization of the educational materials for audience by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''Q1/Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
| Mano<br />
|-<br />
| [[Create an online assessment and training portal]]<br />
| '''Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
| Mano<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' Oktober 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| started<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Denver 2009<br />
| Delivery <br />
| Status<br />
| Description<br />
| Martin<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''TBD (discussion with other members)'''<br />
| Awareness Services <br />
| Status<br />
| Flyers or Brochures of OWASP Top 10, Testing Guide.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''TBD (discussion with Juan)'''<br />
| Awareness Services <br />
| Status<br />
| Liaise with Juan Calderon for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| Status<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each Projects --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| [[Educational Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 Universities already in contact with and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes. <br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop a criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal to deliver taking of assessments with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help in increasing the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project <br />
== OWASP CTF event ==<br />
== Speakers Bureau Project ==<br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit<br />
<br />
Speakers Agreement - https://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
== Marketing efforts ==<br />
== Internationalization of the training materials ==<br />
== Education material ==<br />
Flyers or Brochures of OWASP Top 10, Testing Guide.<br />
<br />
== Educational Services ==<br />
''' Contact university - build a university list'''<br />
Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events. <br />
1) New York University 2) Cornell University 3) Princeton University 4) University of Minnesota 5) Columbia University <br />
<br />
As a result of these initiative we would hope to see: <br />
<br />
1) Confirming participation at arranged events 2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project 3) University faculty, staff and students participate in local and international events/meetings 4) University faculty, staff and students contribute to OWASP projects</div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=52413Global Education Committee2009-01-29T22:17:43Z<p>Manopaul: /* Speakers Bureau Project */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Education Committee (Board Member Rep: [mailto:seba@owasp.org Seba])<br />
<br />
• [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands)<br />
<br />
• [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
<br />
• [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
<br />
• [mailto:kuai.hinojosa@owasp.org Kuai Hinjosa] (U.S.)<br />
<br />
• [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
<br />
• [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
<br />
• [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via Skype, see below for the local time: <br />
3:30 p.m. @ Austin, Texas <br />
4:30 p.m. @ New York <br />
7:30 p.m. @ Brasil <br />
22:30 a.m. @ Netherlands<br />
5:30 a.m. @ Singapore (following day)<br />
</pre><br />
Next meeting(s) scheduled for:<br />
* '''January 29th 2009'''<br />
* '''Februari 12th 2009'''<br />
<br />
= Agenda / Timeline <font color="red">'''(DRAFT)'''</font> =<br />
''' Deadline wednesday, 4th Februari'''<br />
== Tasks ==<br />
''' 60 days to make a proposal '''<br />
* ''' December 20th ''' - first draft of the proposal<br />
* ''' January 16th ''' - submit <br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| '''TBD'''<br />
| Message<br />
| Status<br />
| Categorize / Organization of the educational materials for audience by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''Q1/Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
| Mano<br />
|-<br />
| [[Create an online assessment and training portal]]<br />
| '''Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
| Mano<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' Oktober 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| started<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Denver 2009<br />
| Delivery <br />
| Status<br />
| Description<br />
| Martin<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''TBD (discussion with other members)'''<br />
| Awareness Services <br />
| Status<br />
| Flyers or Brochures of OWASP Top 10, Testing Guide.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''TBD (discussion with Juan)'''<br />
| Awareness Services <br />
| Status<br />
| Liaise with Juan Calderon for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| Status<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each Projects --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| [[Educational Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 Universities already in contact with and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes. <br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop a criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal to deliver taking of assessments with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help in increasing the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project <br />
== OWASP CTF event ==<br />
== Speakers Bureau Project ==<br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit<br />
<br />
Speakers Agreement - https://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
== Marketing efforts ==<br />
== Internationalization of the training materials ==<br />
== Education material ==<br />
yers or Brochures of OWASP Top 10, Testing Guide. <br />
== Educational Services ==<br />
''' Contact university - build a university list'''<br />
Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events. <br />
1) New York University 2) Cornell University 3) Princeton University 4) University of Minnesota 5) Columbia University <br />
<br />
As a result of these initiative we would hope to see: <br />
<br />
1) Confirming participation at arranged events 2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project 3) University faculty, staff and students participate in local and international events/meetings 4) University faculty, staff and students contribute to OWASP projects</div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=52338Global Education Committee2009-01-28T21:47:46Z<p>Manopaul: /* Targets <font color="red">'''(DRAFT)'''</font> */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Education Committee (Board Member Rep: [mailto:seba@owasp.org Seba])<br />
<br />
• [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands)<br />
<br />
• [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
<br />
• [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
<br />
• [mailto:kuai.hinojosa@owasp.org Kuai Hinjosa] (U.S.)<br />
<br />
• [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
<br />
• [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
<br />
• [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via Skype, see below for the local time: <br />
3:30 p.m. @ Austin, Texas <br />
4:30 p.m. @ New York <br />
7:30 p.m. @ Brasil <br />
22:30 a.m. @ Netherlands<br />
5:30 a.m. @ Singapore (following day)<br />
</pre><br />
Next meeting(s) scheduled for:<br />
* '''February 29th 2009'''<br />
<br />
= Agenda / Timeline <font color="red">'''(DRAFT)'''</font> =<br />
<br />
== Tasks ==<br />
''' 60 days to make a proposal '''<br />
* ''' December 20th ''' - first draft of the proposal<br />
* ''' January 16th ''' - submit <br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| '''TBD'''<br />
| Message<br />
| Status<br />
| Categorize / Organization of the educational materials for audience by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''Q1/Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
| Mano<br />
|-<br />
| [[Create an online assessment and training portal]]<br />
| '''Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
| Mano<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' Oktober 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| started<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Denver 2009<br />
| Delivery <br />
| Status<br />
| Description<br />
| Martin<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''TBD (discussion with other members)'''<br />
| Awareness Services <br />
| Status<br />
| Flyers or Brochures of OWASP Top 10, Testing Guide.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''TBD (discussion with Juan)'''<br />
| Awareness Services <br />
| Status<br />
| Liaise with Juan Calderon for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| Status<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each Projects --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| [[Educational Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 Universities already in contact with and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes. <br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop a criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal to deliver taking of assessments with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help in increasing the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project <br />
== OWASP CTF event ==<br />
== Speakers Bureau Project ==<br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
== Marketing efforts ==<br />
== Internationalization of the training materials ==<br />
== Education material ==<br />
yers or Brochures of OWASP Top 10, Testing Guide. <br />
== Educational Services ==<br />
''' Contact university - build a university list'''<br />
Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events. <br />
1) New York University 2) Cornell University 3) Princeton University 4) University of Minnesota 5) Columbia University <br />
<br />
As a result of these initiative we would hope to see: <br />
<br />
1) Confirming participation at arranged events 2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project 3) University faculty, staff and students participate in local and international events/meetings 4) University faculty, staff and students contribute to OWASP projects</div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=52337Global Education Committee2009-01-28T21:46:48Z<p>Manopaul: /* Targets <font color="red">'''(DRAFT)'''</font> */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Education Committee (Board Member Rep: [mailto:seba@owasp.org Seba])<br />
<br />
• [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands)<br />
<br />
• [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
<br />
• [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
<br />
• [mailto:kuai.hinojosa@owasp.org Kuai Hinjosa] (U.S.)<br />
<br />
• [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
<br />
• [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
<br />
• [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via Skype, see below for the local time: <br />
3:30 p.m. @ Austin, Texas <br />
4:30 p.m. @ New York <br />
7:30 p.m. @ Brasil <br />
22:30 a.m. @ Netherlands<br />
5:30 a.m. @ Singapore (following day)<br />
</pre><br />
Next meeting(s) scheduled for:<br />
* '''February 29th 2009'''<br />
<br />
= Agenda / Timeline <font color="red">'''(DRAFT)'''</font> =<br />
<br />
== Tasks ==<br />
''' 60 days to make a proposal '''<br />
* ''' December 20th ''' - first draft of the proposal<br />
* ''' January 16th ''' - submit <br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| '''TBD'''<br />
| Message<br />
| Status<br />
| Categorize / Organization of the educational materials for audience by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''TBD'''<br />
| Delivery <br />
| Planning<br />
| Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
| Mano<br />
|-<br />
| [[Create an online assessment and training portal]]<br />
| '''TBD'''<br />
| Delivery <br />
| Planning<br />
| Description<br />
| Mano<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' Oktober 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| started<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Denver 2009<br />
| Delivery <br />
| Status<br />
| Description<br />
| Martin<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''TBD (discussion with other members)'''<br />
| Awareness Services <br />
| Status<br />
| Flyers or Brochures of OWASP Top 10, Testing Guide.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''TBD (discussion with Juan)'''<br />
| Awareness Services <br />
| Status<br />
| Liaise with Juan Calderon for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| Status<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each Projects --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| [[Educational Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 Universities already in contact with and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes. <br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop a criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal to deliver taking of assessments with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help in increasing the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project <br />
== OWASP CTF event ==<br />
== Speakers Bureau Project ==<br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
== Marketing efforts ==<br />
== Internationalization of the training materials ==<br />
== Education material ==<br />
yers or Brochures of OWASP Top 10, Testing Guide. <br />
== Educational Services ==<br />
''' Contact university - build a university list'''<br />
Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events. <br />
1) New York University 2) Cornell University 3) Princeton University 4) University of Minnesota 5) Columbia University <br />
<br />
As a result of these initiative we would hope to see: <br />
<br />
1) Confirming participation at arranged events 2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project 3) University faculty, staff and students participate in local and international events/meetings 4) University faculty, staff and students contribute to OWASP projects</div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=52336Global Education Committee2009-01-28T21:45:50Z<p>Manopaul: /* Targets <font color="red">'''(DRAFT)'''</font> */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Education Committee (Board Member Rep: [mailto:seba@owasp.org Seba])<br />
<br />
• [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands)<br />
<br />
• [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
<br />
• [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
<br />
• [mailto:kuai.hinojosa@owasp.org Kuai Hinjosa] (U.S.)<br />
<br />
• [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
<br />
• [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
<br />
• [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via Skype, see below for the local time: <br />
3:30 p.m. @ Austin, Texas <br />
4:30 p.m. @ New York <br />
7:30 p.m. @ Brasil <br />
22:30 a.m. @ Netherlands<br />
5:30 a.m. @ Singapore (following day)<br />
</pre><br />
Next meeting(s) scheduled for:<br />
* '''February 29th 2009'''<br />
<br />
= Agenda / Timeline <font color="red">'''(DRAFT)'''</font> =<br />
<br />
== Tasks ==<br />
''' 60 days to make a proposal '''<br />
* ''' December 20th ''' - first draft of the proposal<br />
* ''' January 16th ''' - submit <br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| '''TBD'''<br />
| Message<br />
| Status<br />
| Categorize / Organization of the educational materials for audience by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''TBD'''<br />
| Delivery <br />
| Planning<br />
| Create a training program to train trainers to deliver training related with OWASP material.<br />
| Mano<br />
|-<br />
| [[Create an online assessment and training portal]]<br />
| '''TBD'''<br />
| Delivery <br />
| Planning<br />
| Description<br />
| Mano<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' Oktober 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| started<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Denver 2009<br />
| Delivery <br />
| Status<br />
| Description<br />
| Martin<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''TBD (discussion with other members)'''<br />
| Awareness Services <br />
| Status<br />
| Flyers or Brochures of OWASP Top 10, Testing Guide.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''TBD (discussion with Juan)'''<br />
| Awareness Services <br />
| Status<br />
| Liaise with Juan Calderon for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| Status<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each Projects --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| [[Educational Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 Universities already in contact with and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes. <br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop a criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal to deliver taking of assessments with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help in increasing the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project <br />
== OWASP CTF event ==<br />
== Speakers Bureau Project ==<br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
== Marketing efforts ==<br />
== Internationalization of the training materials ==<br />
== Education material ==<br />
yers or Brochures of OWASP Top 10, Testing Guide. <br />
== Educational Services ==<br />
''' Contact university - build a university list'''<br />
Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events. <br />
1) New York University 2) Cornell University 3) Princeton University 4) University of Minnesota 5) Columbia University <br />
<br />
As a result of these initiative we would hope to see: <br />
<br />
1) Confirming participation at arranged events 2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project 3) University faculty, staff and students participate in local and international events/meetings 4) University faculty, staff and students contribute to OWASP projects</div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=52335Global Education Committee2009-01-28T21:43:28Z<p>Manopaul: /* Create an online assessment and training portal */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Education Committee (Board Member Rep: [mailto:seba@owasp.org Seba])<br />
<br />
• [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands)<br />
<br />
• [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
<br />
• [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
<br />
• [mailto:kuai.hinojosa@owasp.org Kuai Hinjosa] (U.S.)<br />
<br />
• [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
<br />
• [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
<br />
• [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via Skype, see below for the local time: <br />
3:30 p.m. @ Austin, Texas <br />
4:30 p.m. @ New York <br />
7:30 p.m. @ Brasil <br />
22:30 a.m. @ Netherlands<br />
5:30 a.m. @ Singapore (following day)<br />
</pre><br />
Next meeting(s) scheduled for:<br />
* '''February 29th 2009'''<br />
<br />
= Agenda / Timeline <font color="red">'''(DRAFT)'''</font> =<br />
<br />
== Tasks ==<br />
''' 60 days to make a proposal '''<br />
* ''' December 20th ''' - first draft of the proposal<br />
* ''' January 16th ''' - submit <br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| '''TBD'''<br />
| Message<br />
| Status<br />
| Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''TBD'''<br />
| Delivery <br />
| Status<br />
| Create a training toolkit with pre-built presentation and training materials, assessments etc.<br />
| Mano<br />
|-<br />
| [[Create an online training and assessment portal]]<br />
| '''TBD'''<br />
| Delivery <br />
| Status<br />
| Description<br />
| Mano<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' Oktober 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| started<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Denver 2009<br />
| Delivery <br />
| Status<br />
| Description<br />
| Martin<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''TBD (discussion with other members)'''<br />
| Awareness Services <br />
| Status<br />
| Flyers or Brochures of OWASP Top 10, Testing Guide.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''TBD (discussion with Juan)'''<br />
| Awareness Services <br />
| Status<br />
| Liaise with Juan Calderon for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| Status<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each Projects --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| [[Educational Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 Universities already in contact with and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes. <br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop a criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal to deliver taking of assessments with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help in increasing the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project <br />
== OWASP CTF event ==<br />
== Speakers Bureau Project ==<br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
== Marketing efforts ==<br />
== Internationalization of the training materials ==<br />
== Education material ==<br />
yers or Brochures of OWASP Top 10, Testing Guide. <br />
== Educational Services ==<br />
''' Contact university - build a university list'''<br />
Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events. <br />
1) New York University 2) Cornell University 3) Princeton University 4) University of Minnesota 5) Columbia University <br />
<br />
As a result of these initiative we would hope to see: <br />
<br />
1) Confirming participation at arranged events 2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project 3) University faculty, staff and students participate in local and international events/meetings 4) University faculty, staff and students contribute to OWASP projects</div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=52334Global Education Committee2009-01-28T21:41:15Z<p>Manopaul: /* Create an online training and assessment portal */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Education Committee (Board Member Rep: [mailto:seba@owasp.org Seba])<br />
<br />
• [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands)<br />
<br />
• [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
<br />
• [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
<br />
• [mailto:kuai.hinojosa@owasp.org Kuai Hinjosa] (U.S.)<br />
<br />
• [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
<br />
• [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
<br />
• [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via Skype, see below for the local time: <br />
3:30 p.m. @ Austin, Texas <br />
4:30 p.m. @ New York <br />
7:30 p.m. @ Brasil <br />
22:30 a.m. @ Netherlands<br />
5:30 a.m. @ Singapore (following day)<br />
</pre><br />
Next meeting(s) scheduled for:<br />
* '''February 29th 2009'''<br />
<br />
= Agenda / Timeline <font color="red">'''(DRAFT)'''</font> =<br />
<br />
== Tasks ==<br />
''' 60 days to make a proposal '''<br />
* ''' December 20th ''' - first draft of the proposal<br />
* ''' January 16th ''' - submit <br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| '''TBD'''<br />
| Message<br />
| Status<br />
| Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''TBD'''<br />
| Delivery <br />
| Status<br />
| Create a training toolkit with pre-built presentation and training materials, assessments etc.<br />
| Mano<br />
|-<br />
| [[Create an online training and assessment portal]]<br />
| '''TBD'''<br />
| Delivery <br />
| Status<br />
| Description<br />
| Mano<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' Oktober 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| started<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Denver 2009<br />
| Delivery <br />
| Status<br />
| Description<br />
| Martin<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''TBD (discussion with other members)'''<br />
| Awareness Services <br />
| Status<br />
| Flyers or Brochures of OWASP Top 10, Testing Guide.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''TBD (discussion with Juan)'''<br />
| Awareness Services <br />
| Status<br />
| Liaise with Juan Calderon for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| Status<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each Projects --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| [[Educational Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 Universities already in contact with and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes. <br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop a criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2 2009<br />
# Develop an assessment portal to deliver taking of assessments with robust reporting by knowledge area / Q3 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP<br />
<br />
== OWASP Boot Camp Project ==<br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project <br />
== OWASP CTF event ==<br />
== Speakers Bureau Project ==<br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
== Marketing efforts ==<br />
== Internationalization of the training materials ==<br />
== Education material ==<br />
yers or Brochures of OWASP Top 10, Testing Guide. <br />
== Educational Services ==<br />
''' Contact university - build a university list'''<br />
Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events. <br />
1) New York University 2) Cornell University 3) Princeton University 4) University of Minnesota 5) Columbia University <br />
<br />
As a result of these initiative we would hope to see: <br />
<br />
1) Confirming participation at arranged events 2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project 3) University faculty, staff and students participate in local and international events/meetings 4) University faculty, staff and students contribute to OWASP projects</div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=52332Global Education Committee2009-01-28T21:31:22Z<p>Manopaul: /* Train the trainers (Teach the teachers) */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Education Committee (Board Member Rep: [mailto:seba@owasp.org Seba])<br />
<br />
• [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands)<br />
<br />
• [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
<br />
• [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
<br />
• [mailto:kuai.hinojosa@owasp.org Kuai Hinjosa] (U.S.)<br />
<br />
• [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
<br />
• [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
<br />
• [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via Skype, see below for the local time: <br />
3:30 p.m. @ Austin, Texas <br />
4:30 p.m. @ New York <br />
7:30 p.m. @ Brasil <br />
22:30 a.m. @ Netherlands<br />
5:30 a.m. @ Singapore (following day)<br />
</pre><br />
Next meeting(s) scheduled for:<br />
* '''February 29th 2009'''<br />
<br />
= Agenda / Timeline <font color="red">'''(DRAFT)'''</font> =<br />
<br />
== Tasks ==<br />
''' 60 days to make a proposal '''<br />
* ''' December 20th ''' - first draft of the proposal<br />
* ''' January 16th ''' - submit <br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| '''TBD'''<br />
| Message<br />
| Status<br />
| Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''TBD'''<br />
| Delivery <br />
| Status<br />
| Create a training toolkit with pre-built presentation and training materials, assessments etc.<br />
| Mano<br />
|-<br />
| [[Create an online training and assessment portal]]<br />
| '''TBD'''<br />
| Delivery <br />
| Status<br />
| Description<br />
| Mano<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' Oktober 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| started<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Denver 2009<br />
| Delivery <br />
| Status<br />
| Description<br />
| Martin<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''TBD (discussion with other members)'''<br />
| Awareness Services <br />
| Status<br />
| Flyers or Brochures of OWASP Top 10, Testing Guide.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''TBD (discussion with Juan)'''<br />
| Awareness Services <br />
| Status<br />
| Liaise with Juan Calderon for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| Status<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each Projects --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| [[Educational Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 Universities already in contact with and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes. <br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop a criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online training and assessment portal ==<br />
== OWASP Boot Camp Project ==<br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project <br />
== OWASP CTF event ==<br />
== Speakers Bureau Project ==<br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
== Marketing efforts ==<br />
== Internationalization of the training materials ==<br />
== Education material ==<br />
yers or Brochures of OWASP Top 10, Testing Guide. <br />
== Educational Services ==<br />
''' Contact university - build a university list'''<br />
Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events. <br />
1) New York University 2) Cornell University 3) Princeton University 4) University of Minnesota 5) Columbia University <br />
<br />
As a result of these initiative we would hope to see: <br />
<br />
1) Confirming participation at arranged events 2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project 3) University faculty, staff and students participate in local and international events/meetings 4) University faculty, staff and students contribute to OWASP projects</div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=52330Global Education Committee2009-01-28T21:28:06Z<p>Manopaul: /* Train the trainers (Teach the teachers) */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Education Committee (Board Member Rep: [mailto:seba@owasp.org Seba])<br />
<br />
• [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands)<br />
<br />
• [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
<br />
• [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
<br />
• [mailto:kuai.hinojosa@owasp.org Kuai Hinjosa] (U.S.)<br />
<br />
• [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
<br />
• [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
<br />
• [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via Skype, see below for the local time: <br />
3:30 p.m. @ Austin, Texas <br />
4:30 p.m. @ New York <br />
7:30 p.m. @ Brasil <br />
22:30 a.m. @ Netherlands<br />
5:30 a.m. @ Singapore (following day)<br />
</pre><br />
Next meeting(s) scheduled for:<br />
* '''February 29th 2009'''<br />
<br />
= Agenda / Timeline <font color="red">'''(DRAFT)'''</font> =<br />
<br />
== Tasks ==<br />
''' 60 days to make a proposal '''<br />
* ''' December 20th ''' - first draft of the proposal<br />
* ''' January 16th ''' - submit <br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| '''TBD'''<br />
| Message<br />
| Status<br />
| Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''TBD'''<br />
| Delivery <br />
| Status<br />
| Create a training toolkit with pre-built presentation and training materials, assessments etc.<br />
| Mano<br />
|-<br />
| [[Create an online training and assessment portal]]<br />
| '''TBD'''<br />
| Delivery <br />
| Status<br />
| Description<br />
| Mano<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' Oktober 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| started<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Denver 2009<br />
| Delivery <br />
| Status<br />
| Description<br />
| Martin<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''TBD (discussion with other members)'''<br />
| Awareness Services <br />
| Status<br />
| Flyers or Brochures of OWASP Top 10, Testing Guide.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''TBD (discussion with Juan)'''<br />
| Awareness Services <br />
| Status<br />
| Liaise with Juan Calderon for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| Status<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each Projects --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| [[Educational Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 Universities already in contact with and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes. <br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline<br />
1. Develop a criteria to identify trainers / Q1 2009<br />
2. Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
3. Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
4. Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Contact Information: mano.paul@owasp.org<br />
<br />
== Create an online training and assessment portal ==<br />
== OWASP Boot Camp Project ==<br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project <br />
== OWASP CTF event ==<br />
== Speakers Bureau Project ==<br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
== Marketing efforts ==<br />
== Internationalization of the training materials ==<br />
== Education material ==<br />
yers or Brochures of OWASP Top 10, Testing Guide. <br />
== Educational Services ==<br />
''' Contact university - build a university list'''<br />
Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events. <br />
1) New York University 2) Cornell University 3) Princeton University 4) University of Minnesota 5) Columbia University <br />
<br />
As a result of these initiative we would hope to see: <br />
<br />
1) Confirming participation at arranged events 2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project 3) University faculty, staff and students participate in local and international events/meetings 4) University faculty, staff and students contribute to OWASP projects</div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=52329Global Education Committee2009-01-28T21:19:25Z<p>Manopaul: /* Train the trainers (Teach the teachers) */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Education Committee (Board Member Rep: [mailto:seba@owasp.org Seba])<br />
<br />
• [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands)<br />
<br />
• [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
<br />
• [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
<br />
• [mailto:kuai.hinojosa@owasp.org Kuai Hinjosa] (U.S.)<br />
<br />
• [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
<br />
• [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
<br />
• [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via Skype, see below for the local time: <br />
3:30 p.m. @ Austin, Texas <br />
4:30 p.m. @ New York <br />
7:30 p.m. @ Brasil <br />
22:30 a.m. @ Netherlands<br />
5:30 a.m. @ Singapore (following day)<br />
</pre><br />
Next meeting(s) scheduled for:<br />
* '''February 29th 2009'''<br />
<br />
= Agenda / Timeline <font color="red">'''(DRAFT)'''</font> =<br />
<br />
== Tasks ==<br />
''' 60 days to make a proposal '''<br />
* ''' December 20th ''' - first draft of the proposal<br />
* ''' January 16th ''' - submit <br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| '''TBD'''<br />
| Message<br />
| Status<br />
| Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''TBD'''<br />
| Delivery <br />
| Status<br />
| Create a training toolkit with pre-built presentation and training materials, assessments etc.<br />
| Mano<br />
|-<br />
| [[Create an online training and assessment portal]]<br />
| '''TBD'''<br />
| Delivery <br />
| Status<br />
| Description<br />
| Mano<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' Oktober 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| started<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Denver 2009<br />
| Delivery <br />
| Status<br />
| Description<br />
| Martin<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''TBD (discussion with other members)'''<br />
| Awareness Services <br />
| Status<br />
| Flyers or Brochures of OWASP Top 10, Testing Guide.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''TBD (discussion with Juan)'''<br />
| Awareness Services <br />
| Status<br />
| Liaise with Juan Calderon for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| Status<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each Projects --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| [[Educational Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 Universities already in contact with and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Categorize / Organization of the educational materials for audiance by roles and responsibilities/technologies and use the summit workshop notes. <br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Consolidate <br />
Description:<br />
Activities:<br />
<br />
Create a training toolkit with pre-built presentation and training materials, assessments etc.<br />
<br />
Deadline:<br />
More Information:<br />
<br />
== Create an online training and assessment portal ==<br />
== OWASP Boot Camp Project ==<br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project <br />
== OWASP CTF event ==<br />
== Speakers Bureau Project ==<br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
== Marketing efforts ==<br />
== Internationalization of the training materials ==<br />
== Education material ==<br />
yers or Brochures of OWASP Top 10, Testing Guide. <br />
== Educational Services ==<br />
''' Contact university - build a university list'''<br />
Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events. <br />
1) New York University 2) Cornell University 3) Princeton University 4) University of Minnesota 5) Columbia University <br />
<br />
As a result of these initiative we would hope to see: <br />
<br />
1) Confirming participation at arranged events 2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project 3) University faculty, staff and students participate in local and international events/meetings 4) University faculty, staff and students contribute to OWASP projects</div>Manopaulhttps://wiki.owasp.org/index.php?title=Manoranjan_(Mano)_Paul&diff=52328Manoranjan (Mano) Paul2009-01-28T21:06:45Z<p>Manopaul: </p>
<hr />
<div>[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Mano Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP and SSCP. <br />
<br />
Before SecuRisk Solutions, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano is He is a member and chair of the OWASP Global Education Committee and actively participates in OWASP speaking, training and leadership events. He is also appointed the Software Assurance Advisor for (ISC)2, representing and advising the organization on software assurance strategy, training, education and certification. His information security and software assurance experience includes designing and developing security programs from compliance-to-coding, security in the SDLC, writing secure code, risk management, security strategy, and security awareness training and education. Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. Before Express Certifications and SecuRisk Solutions, Mano played several roles from software developer, quality assurance engineer, logistics manager, technical architect, IT strategist and security engineer/program manager/strategist at Dell Inc. Mano is an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN).<br />
<br />
Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, TRISC and SC World Congress conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.<br />
<br />
Mano holds the following professional certifications - CSSLP, CISSP, AMBCI, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD), CompTIA Network+, and ECSA certification.</div>Manopaulhttps://wiki.owasp.org/index.php?title=Manoranjan_(Mano)_Paul&diff=52326Manoranjan (Mano) Paul2009-01-28T20:51:19Z<p>Manopaul: </p>
<hr />
<div>[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Mano Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP and SSCP. <br />
<br />
Before SecuRisk Solutions, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano is (ISC)<sup>2</sup>'s Software Assurance Advisor and an appointed Industry representative of Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university. <br />
<br />
Mano has been featured in various domestic and international security conferences, contributed to and published various security articles and is an invited speaker in the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress Conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.<br />
<br />
Mano holds the following professional certifications - CSSLP, CISSP, AMBCI, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD), CompTIA Network+, and ECSA certification.</div>Manopaulhttps://wiki.owasp.org/index.php?title=Manoranjan_(Mano)_Paul&diff=52325Manoranjan (Mano) Paul2009-01-28T20:50:15Z<p>Manopaul: </p>
<hr />
<div>[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Mano Paul</b> (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP and SSCP. <br />
<br />
Before SecuRisk Solutions, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano is (ISC)<sup>2</sup>'s Software Assurance Advisor and an appointed Industry representative of Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university. <br />
<br />
Mano has been featured in various domestic and international security conferences, contributed to and published various security articles and is an invited speaker in the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress Conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.<br />
<br />
Mano holds the following professional certifications - CISSP, ECSA, LPT, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD) and the CompTIA Network+ certification.</div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Education_Committee_-_Application_1&diff=50266Global Education Committee - Application 12009-01-06T19:58:59Z<p>Manopaul: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Andrzej Targosz.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Poland Local Chapter Leader.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Global Education Committee.<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"| Paulo Coimbra<br />
| style="width:20%; background:#cccccc" align="center"| Project Manager<br />
| style="width:57%; background:#cccccc" align="center"| I recommend Andrzej for his past OWASP contributions.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|Kuai Hinojosa<br />
| style="width:20%; background:#cccccc" align="center"|OWASP Global Education Committee Member<br />
| style="width:57%; background:#cccccc" align="center"|I recommend Andrzej for his past contributions and experience organizing events and ties with Universities in EU<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"| Eduardo Vianna de Camargo Neves<br />
| style="width:20%; background:#cccccc" align="center"| OWASP Global Education Committee Member<br />
| style="width:57%; background:#cccccc" align="center"| I recommend Andrzej for his experience organizing events and ties with Universities in EU<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"| Mano Paul<br />
| style="width:20%; background:#cccccc" align="center"| OWASP Global Education Committed Chair<br />
| style="width:57%; background:#cccccc" align="center"| Andrzej will be without a doubt pivotal in assisting the team in its educational and training goals and initiatives. His contributions and leadership in running Confidence will be certainly helpful as we look forward to marketing OWASP and its educational initiatives worldwide. Highly recommend.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Manopaulhttps://wiki.owasp.org/index.php?title=Global_Industry_Committee_-_Application_1&diff=50265Global Industry Committee - Application 12009-01-06T19:40:34Z<p>Manopaul: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Colin Watson<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<br />
* EU Summit 08 - OWASP Awards working session chair<br />
* EU Summit 08 - Event organisational assistance<br />
* Coordination of OWASP UK chapters' response ([[London#Other_Activities]]) to the UK's Central Office of Information draft document on browser standards for public websites<br />
* Participation in nomination of [http://www.nominet.org.uk/news/latest/2008/?contentId=5147 OWASP for Nominet Best Practice Awards 2008]<br />
* Speaker at OWASP London chapter meeting<br />
* Individual member<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Global Industry Committee.<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"| Eduardo V. C. Neves<br />
| style="width:20%; background:#cccccc" align="center"| Positive Security Project Leader and Education Global Committee Member<br />
| style="width:57%; background:#cccccc" align="left"| Colin is hands on professional which is able to make thinks done very quickly and in a high quality fashion. I believe that he will be a great member for this committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"| David Rook<br />
| style="width:20%; background:#cccccc" align="center"| OWASP Code Review Guide Contributor, OWASP Ireland Contributor<br />
| style="width:57%; background:#cccccc" align="left"| Colin has the drive and knowledge to lead OWASP efforts at the committee level. He has excellent knowledge across many security areas and a professional positive attitude towards helping people understand and embrace information security. <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"| Paulo Coimbra<br />
| style="width:20%; background:#cccccc" align="center"| Project Manager<br />
| style="width:57%; background:#cccccc" align="left"| Colin Watson was one of the OWASP Summit co-organizers. To me, his performance was absolutely outstanding. His calm reliability can be a valuable asset. <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"| David Campbell<br />
| style="width:20%; background:#cccccc" align="center"| Industry Committee Member<br />
| style="width:57%; background:#cccccc" align="left"| Colin was instrumental in organizing the Portugal Summit, and provided much valuable input to the Intra Gov't affairs working group. He will be a great asset to the Industry committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"| Rex Booth<br />
| style="width:20%; background:#cccccc" align="center"| Industry Committee Member<br />
| style="width:57%; background:#cccccc" align="left"| Colin has been an active participant in the Industry Committee since its inception in Portugal. He absolutely deserves to be an official member and we could certainly use his assistance!<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''6'''<br />
| style="width:20%; background:#cccccc" align="center"| Mano Paul<br />
| style="width:20%; background:#cccccc" align="center"| Global Education Committee Chair<br />
| style="width:57%; background:#cccccc" align="left"| Colin was extremely helpful with all his voluntary helpful to make the OWASP EU summit at Portugal, a success. My interactions with him left me in respect of him for his background and experience and in what he has to offer to OWASP. I can vouch confidently that his official involvement in the Industry Committee will undoubtedly reflect positively on OWASP and you consideration would be appreciated. Highly recommend. <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''7'''<br />
| style="width:20%; background:#cccccc" align="center"| <br />
| style="width:20%; background:#cccccc" align="center"| <br />
| style="width:57%; background:#cccccc" align="center"| <br />
|}<br />
----</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_Working_Session_Education_Project&diff=45322OWASP Working Session Education Project2008-11-01T07:40:13Z<p>Manopaul: /* Working Session Participants */</p>
<hr />
<div>{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#b3b3b3; color:white"|<font color="black">'''Working Sessions Operational Rules''' - [[:Working Sessions Methodology|'''Please see here the general frame of rules''']].<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION IDENTIFICATION''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''<br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Education Project '''<br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description''' <br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|Set 2009 goals for the OWASP Education project<br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)''' <br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<br />
[[:Category:OWASP Education Project|OWASP Education Project]]<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''<br />
| style="width:25%; background:#cccccc" align="center"|'''Chair'''<br>[mailto:seba(at)owasp.org '''Sebastien Deleersnyder'''] <br />
| style="width:25%; background:#cccccc" align="center"|'''Secretary'''<br>[mailto:martin.knobloch(at)sogeti.nl '''Martin Knobloch''']<br />
| style="width:25%; background:#cccccc" align="center"|'''Mailing list'''<br>[https://lists.owasp.org/mailman/listinfo/owasp-education '''Subscription Page''']<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION SPECIFICS''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''<br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black"><br />
* How to improve knowledge transfer from OWASP projects towards the community,<br />
* How to create training material (lessons, classes, courses) from OWASP project material?<br />
* How to set up an OWASP education baseline,<br />
* How to setup an OWASP Boot Camp,<br />
* How to connect to organisation to promote OWASP education content: e.g. universities, other non-profit (or profit?) education organisations,<br />
* How to organize the OWASP / Conference trainings to make them the best in the world?<br />
* Can we integrate this into OWASP certification projects?<br />
* How to setup an OWASP Boot Camp?<br />
* How to create lessons, classes, courses from OWASP project material? <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''<br />
| style="width:25%; background:#cccccc" align="center"|'''Venue'''<br>[[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]] <br />
| style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>November 5, 2008 <br>Time TBD<br />
| style="width:25%; background:#cccccc" align="center"|'''Discussion Model'''<br>"Everybody is a Participant"<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:white; color:white"|<font color="black"><br />
|}<br />
<br />
{|style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION OPERATIONAL RESOURCES''' <br />
|-<br />
| style="width:100%; background:#cccccc" align="center"|Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:white; color:white"|<font color="black"><br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION ADDITIONAL DETAILS''' <br />
|-<br />
| style="width:100%; background:#cccccc" align="left"|There is plenty of knowledge available inside the OWASP community. This is spread via the OWASP AppSec Conferences and the local chapter meetings, not to forget the books available now. Another, very important way to distribute the available knowledge is to teach! In plenty presentations knowledge is put into slides to share it. The next step is to reuse the information of those presentations and create training material. In a Boot Camp for example, it's not only about telling how to break stuff, but let the attendees break it themselves. Also let them fix the problems, with guidance of the experienced! <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OUTCOMES''' <br />
|-<br />
| style="width:7%; background:#6C82B5" align="center"|Statements, Initiatives or Decisions <br />
| style="width:46%; background:#b3b3b3" align="center"|'''Proposed by Working Group''' <br />
| style="width:47%; background:#b3b3b3" align="center"|'''Approved by OWASP Board'''<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:46%; background:#C2C2C2" align="center"|Educational Support on Winter of Code 2008. <br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:46%; background:#C2C2C2" align="center"|Guildeline about creating training material. <br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:46%; background:#C2C2C2" align="center"|Fill in here.<br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|}<br />
== Working Session Participants ==<br />
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION PARTICIPANTS''' <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|'''Name'''<br />
| style="width:15%; background:#cccccc" align="center"|'''Company'''<br />
| style="width:63%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|1<br />
| style="width:15%; background:#cccccc" align="center"| Sébastien GIORIA<br />
| style="width:15%; background:#cccccc" align="center"| OWASP France<br />
| style="width:63%; background:#cccccc" align="center"| I actually doing some training in government, company, school, training center oriented to Web security with some OWASP material (WebGoat, WebScarab) and want to see how we can "internationalize" the content for training and see what we can do a very good packages for OWASP. I could not be in Portugal, so I could participate (depending of Time) with Skype && Twitter or other tools<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|2<br />
| style="width:15%; background:#cccccc" align="center"| Eduardo Neves<br />
| style="width:15%; background:#cccccc" align="center"| OWASP Brazil<br />
| style="width:63%; background:#cccccc" align="center"| To discuss how the educational initiatives can be liaised with Universities and other educational sources to use OWASP tools and documents on educational actions and market development.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|3<br />
| style="width:15%; background:#cccccc" align="center"| Colin Watson<br />
| style="width:15%; background:#cccccc" align="center"| OWASP London<br />
| style="width:63%; background:#cccccc" align="center"| Interested in how we spread the word to non-technology professions - business owners, procurement specialists, project managers, marketers, graphic designers.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|4<br />
| style="width:15%; background:#cccccc" align="center"| Andrzej Targosz<br />
| style="width:15%; background:#cccccc" align="center"| OWASP Poland<br />
| style="width:63%; background:#cccccc" align="center"| How to spread training in universities.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|4<br />
| style="width:15%; background:#cccccc" align="center"| Joaquim Marques<br />
| style="width:15%; background:#cccccc" align="center"| OWASP Portugal<br />
| style="width:63%; background:#cccccc" align="center"| How to spread training and educational initiatives in universities.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|5<br />
| style="width:15%; background:#cccccc" align="center"| James Walden<br />
| style="width:15%; background:#cccccc" align="center"| Northern Kentucky University (NKU)<br />
| style="width:63%; background:#cccccc" align="center"| Expand university awareness of web application security<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|6<br />
| style="width:15%; background:#cccccc" align="center"|Carlos Serrao<br />
| style="width:15%; background:#cccccc" align="center"|OWASP Portugal, ISCTE/Adetti <br />
| style="width:63%; background:#cccccc" align="center"|To work on the dissemination of the OWASP initiatives (tool and documentation) towards web application security teaching at the portuguese Universities.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|7<br />
| style="width:15%; background:#cccccc" align="center"|Lucas C. Ferreira<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:63%; background:#cccccc" align="center"|I am doing some training on application security.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|8<br />
| style="width:15%; background:#cccccc" align="center"|Mano Paul<br />
| style="width:15%; background:#cccccc" align="center"|SecuRisk Solutions<br />
| style="width:63%; background:#cccccc" align="center"|Active in the training and education industry<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|9<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|10<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|}<br />
If needed add here more lines.<br />
<br />
[[Category:OWASP_Working_Session]]</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_Working_Session_-_OWASP_Certification&diff=45321OWASP Working Session - OWASP Certification2008-11-01T07:37:30Z<p>Manopaul: /* Working Session Participants */</p>
<hr />
<div>{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#b3b3b3; color:white"|<font color="black">'''Working Sessions Operational Rules''' - [[:Working Sessions Methodology|'''Please see here the general frame of rules''']].<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION IDENTIFICATION''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''<br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP Certification'''<br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description''' <br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|TBD<br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)''' <br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<br />
* [[:Category:OWASP Certification Requirements|OWASP Certification Requirements]]<br />
* [[:Category:OWASP Certification Project|OWASP Certification Project]]<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''<br />
| style="width:25%; background:#cccccc" align="center"|'''Chair'''<br>[mailto:name(at)name '''TBD'''] <br />
| style="width:25%; background:#cccccc" align="center"|'''Secretary'''<br>TBD<br />
| style="width:25%; background:#cccccc" align="center"|'''Mailing list'''<br>[https://lists.owasp.org/mailman/listinfo/OWASP-cert '''Subscription Page''']<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION SPECIFICS''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''<br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black"><br />
* Discuss and review current proposal and survey results,<br />
* Identify risks of offering a certification program. <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''<br />
| style="width:25%; background:#cccccc" align="center"|'''Venue'''<br>[[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]] <br />
| style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>November 5 & 7, 2008 <br>Time TBD<br />
| style="width:25%; background:#cccccc" align="center"|'''Discussion Model'''<br>"Everybody is a Participant"<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:white; color:white"|<font color="black"><br />
|}<br />
<br />
{|style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION OPERATIONAL RESOURCES''' <br />
|-<br />
| style="width:100%; background:#cccccc" align="center"|Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:white; color:white"|<font color="black"><br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION ADDITIONAL DETAILS''' <br />
|-<br />
| style="width:100%; background:#cccccc" align="left"|<br />
Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution.<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OUTCOMES''' <br />
|-<br />
| style="width:7%; background:#6C82B5" align="center"|Statements, Initiatives or Decisions <br />
| style="width:46%; background:#b3b3b3" align="center"|'''Proposed by Working Group''' <br />
| style="width:47%; background:#b3b3b3" align="center"|'''Approved by OWASP Board'''<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:46%; background:#C2C2C2" align="center"|Fill in here. <br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:46%; background:#C2C2C2" align="center"|Fill in here. <br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|}<br />
== Working Session Participants ==<br />
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION PARTICIPANTS''' <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|'''Name'''<br />
| style="width:15%; background:#cccccc" align="center"|'''Company'''<br />
| style="width:63%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|1<br />
| style="width:15%; background:#cccccc" align="center"| Dinis Cruz<br />
| style="width:15%; background:#cccccc" align="center"| OWASP<br />
| style="width:63%; background:#cccccc" align="center"| Want to share a number of ideas and see how I can help to make this happen<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|2<br />
| style="width:15%; background:#cccccc" align="center"| Matteo Meucci<br />
| style="width:15%; background:#cccccc" align="center"| Minded Security<br />
| style="width:63%; background:#cccccc" align="center"| Thinking at the OWASP Certifications from many time. Would like to understand which kind of certification is better for the OWASP Community.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|3<br />
| style="width:15%; background:#cccccc" align="center"| Rex Booth<br />
| style="width:15%; background:#cccccc" align="center"| Grant Thornton<br />
| style="width:63%; background:#cccccc" align="center"| Interest in the cert topic.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|4<br />
| style="width:15%; background:#cccccc" align="center"| Pavol Luptak<br />
| style="width:15%; background:#cccccc" align="center"| Nethemba s.r.o.<br />
| style="width:63%; background:#cccccc" align="center"| Interest in the cert topic.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|5<br />
| style="width:15%; background:#cccccc" align="center"|David Campbell<br />
| style="width:15%; background:#cccccc" align="center"|OWASP <br />
| style="width:63%; background:#cccccc" align="center"|Cert skeptic<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|6<br />
| style="width:15%; background:#cccccc" align="center"|Andrzej Targosz<br />
| style="width:15%; background:#cccccc" align="center"|PROIDEA<br />
| style="width:63%; background:#cccccc" align="center"|Interest in the topic.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|7<br />
| style="width:15%; background:#cccccc" align="center"|Giorgio Fedon<br />
| style="width:15%; background:#cccccc" align="center"|Minded Security<br />
| style="width:63%; background:#cccccc" align="center"|Share Ideas and talking about the need for a Certification<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|8<br />
| style="width:15%; background:#cccccc" align="center"|Esteban Ribicic<br />
| style="width:15%; background:#cccccc" align="center"|HP<br />
| style="width:63%; background:#cccccc" align="center"|Interested on the topic<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|9<br />
| style="width:15%; background:#cccccc" align="center"|Christian Martorella<br />
| style="width:15%; background:#cccccc" align="center"|S21sec<br />
| style="width:63%; background:#cccccc" align="center"|Interested in the topic, and share ideas.<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|10<br />
| style="width:15%; background:#cccccc" align="center"| Tom Brennan<br />
| style="width:15%; background:#cccccc" align="center"| OWASP<br />
| style="width:63%; background:#cccccc" align="center"| Inject pro and con about a OWASP Certification<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|11<br />
| style="width:15%; background:#cccccc" align="center"| Mano Paul<br />
| style="width:15%; background:#cccccc" align="center"| Express Certifications<br />
| style="width:63%; background:#cccccc" align="center"| Interested in the topic <br />
|}<br />
If needed add here more lines.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_Working_Session_-_Software_Assurance_Maturity_Model&diff=45320OWASP Working Session - Software Assurance Maturity Model2008-11-01T07:33:45Z<p>Manopaul: /* Working Session Participants */</p>
<hr />
<div>{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#b3b3b3; color:white"|<font color="black">'''Working Sessions Operational Rules''' - [[:Working Sessions Methodology|'''Please see here the general frame of rules''']].<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION IDENTIFICATION''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''<br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">'''Software Assurance Maturity Model'''<br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description''' <br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|This working session will provide a quick introduction to the [http://www.opensamm.org Software Assurance Maturity Model] and then move on to collate and integrate feedback since the Beta release. Several specific topics will be discussed, including proposed changes, terminology, case studies, additional roadmaps, assessments and scorecards, etc.<br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)''' <br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<br />
[[:Category:OWASP_CLASP_Project|OWASP CLASP Project]]<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''<br />
| style="width:25%; background:#cccccc" align="center"|'''Chair'''<br>[mailto:chandra@cognosticus.com '''Pravir Chandra'''] <br />
| style="width:25%; background:#cccccc" align="center"|'''Secretary'''<br>TBD<br />
| style="width:25%; background:#cccccc" align="center"|'''Mailing list'''<br>[https://lists.owasp.org/mailman/listinfo/owasp-cmm '''Subscription Page''']<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION SPECIFICS''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''<br />
| colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black"><br />
* General terminology definition and usage<br />
* Proposed changes to the high-level framework<br />
* Proposed changes to activities and details under each security function<br />
* Creation of pilots and case studies<br />
* Additional roadmaps for common organization types<br />
* Self-assessment and scorecard generation<br />
* Real-world feedback and data collection<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''<br />
| style="width:25%; background:#cccccc" align="center"|'''Venue'''<br>[[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]] <br />
| style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>November 4, 2008 <br>Time TBD<br />
| style="width:25%; background:#cccccc" align="center"|'''Discussion Model'''<br>"Participants + Attendees"<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:white; color:white"|<font color="black"><br />
|}<br />
<br />
{|style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION OPERATIONAL RESOURCES''' <br />
|-<br />
| style="width:100%; background:#cccccc" align="center"|Please review the latest SAMM release prior to the working session ([http://www.opensamm.org/downloads/SAMM-BETA-0.8.pdf available here]). Bring a laptop, pen/paper, and any additional resources related to security in the SDLC or secure development best practices.<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:white; color:white"|<font color="black"><br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION ADDITIONAL DETAILS''' <br />
|-<br />
| style="width:100%; background:#cccccc" align="left"|<br />
Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution.<br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OUTCOMES''' <br />
|-<br />
| style="width:7%; background:#6C82B5" align="center"|Statements, Initiatives or Decisions <br />
| style="width:46%; background:#b3b3b3" align="center"|'''Proposed by Working Group''' <br />
| style="width:47%; background:#b3b3b3" align="center"|'''Approved by OWASP Board'''<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:46%; background:#C2C2C2" align="center"|Fill in here. <br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:46%; background:#C2C2C2" align="center"|Fill in here. <br />
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here. <br />
|}<br />
== Working Session Participants ==<br />
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION PARTICIPANTS''' <br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|'''Name'''<br />
| style="width:15%; background:#cccccc" align="center"|'''Company'''<br />
| style="width:63%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|1<br />
| style="width:15%; background:#cccccc" align="center"|John Steven<br />
| style="width:15%; background:#cccccc" align="center"|Cigital<br />
| style="width:63%; background:#cccccc" align="center"|Implemented large scale software security programs a large Fortune-100 orgs<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|2<br />
| style="width:15%; background:#cccccc" align="center"|Colin Watson<br />
| style="width:15%; background:#cccccc" align="center"|Watson Hall Ltd<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|3<br />
| style="width:15%; background:#cccccc" align="center"|Mano Paul<br />
| style="width:15%; background:#cccccc" align="center"|SecuRisk Solutions<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|4<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|5<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|6<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"| <br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|7<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|8<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|9<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:7%; background:#7B8ABD" align="center"|10<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:15%; background:#cccccc" align="center"|<br />
| style="width:63%; background:#cccccc" align="center"|<br />
|}<br />
If needed add here more lines.<br />
<br />
[[Category:OWASP_Working_Session]]</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_EU_Summit_2008_Training&diff=44609OWASP EU Summit 2008 Training2008-10-25T22:41:03Z<p>Manopaul: /* WebAppSec for Managers and Executives - The Road Less Travelled */</p>
<hr />
<div>EU Summit 2008 Trainings<br />
<br />
cvent links to be added.<br />
<br />
Upon completion and scheduling, trainings will be copied over from [[OWASP EU Summit 2008 Training (Courses to be Approved)]]<br />
<br />
Back to [[OWASP EU Summit 2008]]<br />
<br />
== WebAppSec for Managers and Executives - The Road Less Travelled ==<br />
<br />
'''Instructor'''<br />
<br />
[https://www.owasp.org/index.php/User:Manopaul Mano Paul]<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
With the financial turn tables of major corporations resting on web applications that connect businesses, transmit and store sensitive financial and personal transaction, combined with the ubiquitous nature of the web; it is imperative that web applications that are designed, architected and developed are secure.<br />
<br />
What do you think Shakespeare had to say about Software Security? What does an naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more … The Road Less Travelled by renowned poet, Robert Frost ends by with the statement "And that has made all the difference". Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective that would make ALL the difference for you and your company.<br />
<br />
'''Audience'''<br />
<br />
This session is for Management primarily and any stakeholder that needs to understand how understanding application security concepts can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert, you will all leave learning something new to lead your teams and help design the next generation of hack-resilient web applications. <br />
<br />
'''Table of Contents'''<br />
<br />
# Introduction <br />
# Changing Landscape<br />
# Drivers of Web Application Security (Exercise)<br />
## Method to the Madness<br />
## Attackers Advantage vs. Defenders Dilemma<br />
# Stakeholders (Exercise)<br />
## Boardroom Questions<br />
## Business Aware IT Security (BAITS)<br />
# Regulations, Compliance and Security<br />
## SOX, GLBA, HIPAA ...<br />
## European Data Protection Directive<br />
## PCI DSS<br />
# Software Security Concepts<br />
## Design Principles (Saltzer & Schroeder)<br />
### Economy of Mechanisms<br />
### Fail Safe Defaults<br />
### Complete Mediation<br />
### Open Design<br />
### Separation of Privilege<br />
### Least Privilege<br />
### Least Common Mechanisms<br />
### Psychological Acceptability<br />
## Security Mechanisms (CIA+AAA+Mgmt)<br />
### Confidentiality<br />
### Integrity<br />
### Availability<br />
### Authentication<br />
### Authorization<br />
### Auditing<br />
### Management - Session, Exceptions, Configuration<br />
# Security in the SDLC - Requirements to Release<br />
## 7 Steps to securing applications<br />
## SD4 - Secure by Default, Design, Development, and Deployment <br />
# Information Security Management Top 10 (real world stories and tips)<br />
## Executive Sponsorship and Commitment<br />
## Company wide Support and Participation<br />
## Industry Standards<br />
## Getting People to Do the Right Thing<br />
## Documentation and Continuous Improvements of Processes<br />
## Training and Education is Key<br />
## Managing Risk, NOT Security<br />
## Move aside FUD, Get in Security Metrics<br />
## Not getting trapped by Compliance <br />
## Leveraging Corporate Business Initiatives<br />
# OWASP Top 10 (covers what it is, anatomy (how it works), and defense)<br />
## Cross-site Scripting (XSS)<br />
## Injection Flaws (covers SQL Injection)<br />
## Malicious File Execution (covers RFI)<br />
## Insecure Direct Object Reference<br />
## Cross-site Request Forgery (CSRF) <br />
## Information Leakage and Improper Error Handling<br />
## Broken Authentication and Session Management<br />
## Insecure Cryptographic Storage<br />
## Insecure Communications<br />
## Failure to Restrict URL Access<br />
# Software Risk Management <br />
# Security in an Outsourced World<br />
# Web 2.0 Security<br />
# Self Service Programs<br />
# Awareness, Training & Education <br />
# Hiring and Staffing <br />
# Information Security Program Framework <br />
# The Road less Travelled - Fun interactive session that covers security from Literature, Science and Nature<br />
<br />
'''Course Specifics'''<br />
<br />
No specific requirement. Come for a fun, interactive session that will cover the basic and advanced elements of web application security for executives and managers - the road less travelled, filled with exercises for the attendees to participate.<br />
<br />
== The Art and Science of Threat Modeling Web Applications ==<br />
<br />
'''Instructor'''<br />
<br />
[https://www.owasp.org/index.php/User:Manopaul Mano Paul]<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk. <br />
<br />
'''Audience'''<br />
<br />
This session is for Management, Technical (Developer, QA, Security ...) and Operational professionals and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications. <br />
<br />
'''Table of Contents'''<br />
<br />
1. Introduction <br />
<br />
2. Why Threat Model?<br />
<br />
3. Is Threat Modeling Right for You?<br />
<br />
4. Challenges<br />
<br />
5. Precursors<br />
<br />
6. Data Classification and Threat Modeling<br />
<br />
7. Web Application Security Mechanisms<br />
<br />
8. Benefits of Threat Modeling<br />
<br />
9. Common Glossary of Terms<br />
<br />
10. Threat Agents<br />
<br />
11. Threat Modeling Process<br />
<br />
12. Attack Trees<br />
<br />
13. STRIDE and DREAD<br />
<br />
14. Threat to Risk<br />
<br />
15. Threat Modeling (Exercise)<br />
<br />
'''Course Specifics'''<br />
<br />
No specific requirement. Come for a fun, hands-on, interactive session that will cover the basic and advanced elements of threat modeling, filled with exercises for the attendees to participate. <br />
<br />
<br />
== Web server/services hardening using SELinux ==<br />
<br />
'''Instructor'''<br />
<br />
Pavol Luptak<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
Security-Enhanced Linux (SELinux) is a FLASK implementation integrated in the Linux kernel with a number of utilities designed to provide mandatory access controls (MAC) through the use of Linux Security Modules (LSM) in the Linux kernel. SELinux generally supports many kinds of mandatory access control policies, including those based on the concepts of type enforcement, role-based access control, and multi-level security. <br />
<br />
A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).<br />
<br />
This training provides basic concepts of SELinux, its differences to classical UNIX/Linux systems, describe security advantages of mandatory access control policies and teach how to effectively and rapidly configure a fully functional LAMP environment on SELinux system.<br />
<br />
'''Audience'''<br />
<br />
Security consultants, system administators, programmers focused on system security<br />
<br />
'''Table of Contents'''<br />
<br />
1. SELinux history<br />
<br />
2. Unix/Linux DAC (Discretionary Access Control) and its problems<br />
<br />
3. MAC (Mandatory Access Control)<br />
<br />
4. Advantages of using MAC <br />
<br />
5. DTE (Domain Type Enforcement) model<br />
<br />
6. RBAC (Roles Based Access Control) model<br />
<br />
7. MLS (Multi Level Security) model<br />
<br />
8. SELinux FLASK Architecture<br />
<br />
9. SELinux policy (EXERCISE)<br />
<br />
10. File System Security Contexts (EXERCISE)<br />
<br />
11. SELinux Object Classes and Permissions<br />
<br />
12. TE (Type Enforcement) Rules (Attributes, Type Declaration, Type Transitions, Domain Type Transitions, Object Labeling Transitions, Access Vectors)<br />
<br />
13. Understanding AVC, log messages<br />
<br />
14. audit2allow and audit2why (EXERCISE)<br />
<br />
15. SELinux Troubleshoot Tool (EXERCISE)<br />
<br />
16. Auditing and Auditing tools<br />
<br />
17. Policy Macros<br />
<br />
18. Backtracking rule (EXERCISE)<br />
<br />
19. SELinux Users, Roles, MLS Levels<br />
<br />
20. Strict Policy<br />
<br />
21. Targeted Policy<br />
<br />
22. SELinux Booleans and their use for Apache web server (EXERCISE)<br />
<br />
23. Files and Directories in Targeted Policy, common SELinux Macros (EXERCISE)<br />
<br />
24. Analyzing Example Policy - apache.te (EXERCISE)<br />
<br />
25. Assigning Object and Process Types <br />
<br />
26. SELinux Booting<br />
<br />
27. Copying and moving files, checking security contexts, relabeling a file and directory's security context (EXERCISE)<br />
<br />
28. Policy core utilities<br />
<br />
29. Managing File Labeling, Relabeling a File System (EXERCISE)<br />
<br />
30. SELinux Administrator GUI (EXERCISE)<br />
<br />
31. SELinux Modules (EXERCISE)<br />
<br />
32. Hardening existing LAMP environments using SELinux (EXERCISE)<br />
<br />
33. Writing New Policy for a Daemon (EXERCISE for clever students)<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop. Each student will have own SELinux virtual machine for his experiments.<br />
<br />
== Secure Programming with Java ==<br />
<br />
'''Instructor'''<br />
<br />
Lucas C. Ferreira<br />
<br />
'''Duration'''<br />
<br />
1 Day<br />
<br />
'''Summary'''<br />
<br />
This training class will present best practices of secure programming in the Java language. It includes Java specific practices (i.e. how to avoid problems that arise from the compilation of Java source code to the bytecode language used by the JVM) and practices that may arise in other programming languages (with examples in Java). Some tools that may be used to verify the security of Java code and systems will be shown.<br />
<br />
The topics include a quick overview of the OWASP Top 10, in order to contextualize the practices presented, and several best practices aimed at the different software layers. At the presentation layer, we focus on input validation, access control issues and dealing with exceptions. At the business objects layer, the practices deal with cloning and serialization issues. Practices to prevent command injection are presented at the persistence layer. Practices that should be used throughout all the software are also presented, including input data validation, class and method visibility, using and storing secrets, dealing with inner classes, overflows and boxing, and object initialization.<br />
<br />
'''Audience'''<br />
<br />
Java web application developers. This training requires basic understanding of web applications and an intermediate level of proficiency in the Java language and Object Oriented concepts. People with interest in other OO languages may also benefit from this training, but specific techniques, examples and tools used are targeted to Java.<br />
<br />
'''Table of Contents'''<br />
<br />
# OWASP Top 10 - quick overview<br />
# Secure Programming Best Practices<br />
## Presentation layer<br />
### Preventing cross-site scripting<br />
### Access control<br />
### Request validation<br />
### Error treatment<br />
## Business object layer<br />
### Cloning and serialization issues<br />
## Persistence layer<br />
### Command injection issues<br />
### Database access users and permissions<br />
### file manipulation<br />
## Infra-structure layer<br />
### J2EE container-related best practices<br />
### Native method issues<br />
### SSL and encryption<br />
## Practices for all software layers<br />
### Data validation<br />
### Garbage collection issues<br />
### Classes and method scoping<br />
### Use of secrets<br />
### Inner class issues<br />
### Over/underflow and boxing issues<br />
# Tools<br />
## Code review tool<br />
## Data flow tool<br />
## Pen-testing tool<br />
<br />
'''Course Specifics'''<br />
<br />
Laptop not required.<br />
<br />
== OWASP Top 10 - What Developers Should Know on Web Application Security ==<br />
<br />
'''Instructor'''<br />
<br />
Sebastien Deleersnyder and Martin Knobloch<br />
<br />
'''Duration'''<br />
<br />
4 h<br />
To be scheduled on Tuesday.<br />
<br />
'''Summary'''<br />
<br />
Application security is an essential component of any successful project; this includes web applications, open source PHP applications, web services and proprietary business web sites.<br />
Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of development or deployment organizations have specific needs and requirements regarding web application security education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.<br />
<br />
The OWASP Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.<br />
This Education Track provides in a 4 hour session covering what developers should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or re mediated. A secure coding initiative must deal with all stages of a program’s life cycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Particularly for developers good secure development practices are covered in a separate topic. Finally the track finishes with an exhaustive list of web application security resources for web application developers.<br />
<br />
'''Audience'''<br />
<br />
Web application developers who are unaware there are security issues with contemporary web applications. No prior knowledge of web application security is assumed nor necessary. This track is independent of the coding language or web frameworks used; like PHP, JSF, Java EE or .NET. We must realize that web application developers are only one link - albeit an important one - of the chain that represents the security of a web application. This track aims to make that link as secure as possible, given the constraint of 4 hours. Another important aspect is that web application security should be tailored to the risk profile of an organization and the specific development environment of that organization.<br />
<br />
'''Table of Contents'''<br />
<br />
The challenge is to cover web application security in 4 hours to a web application developer. This is presented in such a way that the developers will be able to recognize and correct web application vulnerabilities in their projects. <br />
<br />
* [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min) ([http://www.owasp.org/images/5/58/Education_Module_Why_WebAppSec_Matters.ppt direct link])<br />
:This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.<br />
:*What goes wrong<br />
:*WebAppSec Defined<br />
:*Current trends<br />
* [[Education_Module_OWASP_Top_10_Introduction_and_Remedies|OWASP Top 10 Introduction & Remedies]] (90 min) ([http://www.owasp.org/images/b/b8/Education_Module_OWASP_Top_10_Introduction_and_Remedies.ppt direct link])<br />
:The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.<br />
:*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]<br />
:*Injection Flaws<br />
:*Malicious File Execution<br />
:*Insecure Direct Object Reference<br />
:*Cross Site Request Forgery (CSRF)<br />
:*Information Leakage and Improper Error Handling<br />
:*Broken Authentication and Session Management<br />
:*Insecure Cryptographic Storage<br />
:*Insecure Communications<br />
:*Failure to Restrict URL Access<br />
*[[Education Module Embed within SDLC|Embed within SDLC]] (People, Processes & Tools) (20 min) ([http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt direct link])<br />
:There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.<br />
:*People Awareness and Education<br />
:*Development WebAppSec Controls<br />
:*Deployment WebAppSec Controls<br />
:*WebAppSec Tools<br />
*[[Education Module Good Secure Development Practices|Good Secure Development Practices]] (70 min) ([http://www.owasp.org/images/5/57/Education_Module_Good_Secure_Development_Practices.ppt direct link])<br />
:Next to the Top 10 remedies this module provides some good secure development practices from the OWASP Guide, covering e.g.<br />
:*Validating User Input <br />
:*Authentication<br />
:*Authorization<br />
:*Session Management<br />
:*Using Interpreters<br />
:*Crypto<br />
:*Catching Errors<br />
:*File System<br />
:*Configuration<br />
:*Web 2.0<br />
*[[Education Module Testing for Vulnerabilities|Testing for Vulnerabilities]] (20 min) ([http://www.owasp.org/images/4/49/Education_Module_Testing_for_Vulnerabilities.ppt direct link])<br />
:One important aspect is to test for application vulnerabilities. During this short module an introduction is provided together with some WebGoat test cases.<br />
:*Testing for application vulnerabilities<br />
:*The OWASP Testing Guide<br />
:*WebGoat demonstrated<br />
*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min) ([http://www.owasp.org/images/f/fe/Education_Module_Good_WebAppSec_Resources.ppt direct link])<br />
:This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.<br />
:*Hard Copy<br />
:*Web Sites<br />
:*Mailing lists<br />
:*Blogs<br />
*Roundup (10 min)<br />
<br />
[[Category:OWASP Education Project]]<br />
<br />
'''Course Specifics'''<br />
<br />
No specific prerequisites.<br />
<br />
<br />
<br />
== Classic ASP Security using OWASP tools ==<br />
<br />
'''Instructor'''<br />
<br />
Juan Carlos Calderon<br />
<br />
'''Duration'''<br />
<br />
1 day <br />
<br />
'''Summary'''<br />
<br />
Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place”.<br />
<br />
'''Audience'''<br />
<br />
People involved in development/maintenance of Classic ASP applications at all levels, including developers, Application Architects, testers, etc.<br />
<br />
'''Table of Contents'''<br />
<br />
*Secure programming on ASP using [[ESAPI|OWASP ESAPI]]<br />
*Auditing ASP code with [[:Category:OWASP_Code_Review_Project|Code Review Project]] checklist<br />
*Implementing [[:Category:OWASP_Stinger_Project|OWASP Stinger]] protection for Classic ASP <br />
*Complementary security best practices.<br />
<br />
'''Course Specifics'''<br />
<br />
None. Keep posted for changes on the table of contents and course specifics.<br />
<br />
== Web Application Assessments ==<br />
<br />
'''Instructor'''<br />
<br />
Vicente Aguilera Diaz<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
As in the physical world, the "professionals" attackers spend most of their time to analysing its objective and try to gather as much information as possible about it. The more information becomes available and is more detailed and accurate, the attack is more likely to succeed.<br />
<br />
The aim of this course is to identify patterns and tools to perform this analysis (step prior to the attack), and is supplemented by a case study on a practical application.<br />
<br />
'''Audience'''<br />
<br />
Software developers, security consultants, system administrators and people loving security.<br />
<br />
'''Table of Contents'''<br />
<br />
# Introduction<br />
# Web Application Discovery<br />
# Gathering information on the target web application<br />
## Search Engines<br />
## Interaction with external entities and information services<br />
## Analysis of existing information in the web application (public information, information leaks, causing errors, etc.).<br />
# Knowing / Understand the target<br />
## Identifying characteristics (technologies, platforms, user profiles, features, etc.).<br />
## Analysis of infrastructure components: databases, Web servers, application servers, authentication servers, etc.). Detection and identification.<br />
## Identification of the exposition area<br />
# Analysis of attack vectors and vulnerabilities exploitation<br />
# Case Study<br />
## Assessment of an webmail application <br />
## Vulnerability exploitation: IMAP / SMTP Injection<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.<br />
<br />
== Hacking Owasp Orizon Project v1.0 ==<br />
<br />
'''Instructor'''<br />
<br />
Paolo Perego<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
In the course it will be presented Owasp Orizon v1.0 framework. The major APIs will be fully explained and it will be built a simple scanning tool using the Orizon framework.<br />
<br />
The course goal is to let people fully understand Orizon internals and let people understand how to use the framework in a real world.<br />
<br />
'''Audience'''<br />
<br />
Security specialist, code reviewers and curious developers<br />
<br />
'''Table of Contents'''<br />
<br />
* Owasp Orizon Internals<br />
** Translation engine<br />
** Owasp Orizon XML project<br />
*** XML used in writing security checks<br />
*** XML used in translation phase<br />
** Static analysis engine<br />
** Crawling engine<br />
** Reporting engine<br />
* Create a simple tool using Orizon<br />
<br />
'''Course Specifics'''<br />
<br />
People have to bring their own laptop with latest Owasp Orizon version, J2SE 1.6 or later and a Java IDE (e.g. eclipse) is also feasible.<br />
<br />
== Securing WebGoat with ModSecurity ==<br />
<br />
'''Instructor'''<br />
<br />
Stephen Craig Evans<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
ModSecurity, normally a tool of the network security group, has capabilities that can allow a software security specialist with programming skills to mitigate business logic flaws and other vulnerabilities that are out-of-reach of basic blacklists.<br />
<br />
This 4 hour course covers the highlights of the Summer of Code 2008 project, "Securing WebGoat using ModSecurity" (please see https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project and the project wiki).<br />
<br />
'''Audience'''<br />
<br />
* Users of ModSecurity that want to learn how it can be leveraged beyond the basic rule sets in order to mitigate vulnerabilities in areas such as authentication, AJAX, and output sanitization<br />
* Web application specialists, especially pentesters, who want to learn how ModSecurity can offer an additional remedial solution to customers when the application cannot be touched<br />
* Curious people that are wondering what the hell this project is about<br />
<br />
'''Table of Contents'''<br />
<br />
* ModSecurity basics<br />
* WebGoat overview<br />
* A walkthrough of the "Securing WebGoat using ModSecurity" Summer of Code 2008 project<br />
* Mitigating WebGoat vulnerabilities using the ModSecurity core rule set<br />
* Using ModSecurity's Lua scripting language:<br />
** For its programming capabilities (including re-building the Lua library to include 3rd party functionality)<br />
** To implement configuration files<br />
** For global persistence<br />
** And much, much, more...<br />
* Using ModSecurity's Javascript injection (prepend and append):<br />
** To substitute/override/extend existing Javascript functions<br />
** To enhance the user experience when implementing a ModSecurity solution on the back end such as an authentication mechanism <br />
* Using ModSecurity's session collection, Lua script, and Javascript injection together to mitigate almost any vulnerability<br />
<br />
'''Course Specifics'''<br />
<br />
Demos (including strategy and implementation) of the most interesting lesson solutions will be shown.<br />
<br />
<br />
<br />
== Uncovering WebScarab's Secret Treasures ==<br />
<br />
'''Instructor'''<br />
<br />
Rogan Dawes<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
OWASP WebScarab has a lot of hidden features that probably no one but the author really knows about. This in depth hands on session will show delegates how to access these features, and how to use them to their full potential.<br />
<br />
'''Audience'''<br />
<br />
Application reviewers, developers<br />
<br />
'''Table of Contents'''<br />
<br />
* Using the spider<br />
* Manual Request Transforms<br />
* What is the XSS/CRLF plugin, and how does it work?<br />
* Using the Fuzzer<br />
* Comparing Responses<br />
* Searching WebScarab history<br />
* Exploring the Beanshell<br />
** Writing Proxy Intercept scripts<br />
** Writing Script Manager Scripts<br />
** Writing other scripts<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop<br />
<br />
<br />
<br />
== Advanced Web Application Security Testing ==<br />
<br />
'''Instructor'''<br />
<br />
Michael Coates, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
2 days.<br />
<br />
'''Summary'''<br />
<br />
While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web 2.0 Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Arshan Dabirsiaghi, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
Web 2.0 applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. this one day training addresses the special issues that arise in this type of application development.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web Services ==<br />
<br />
'''Instructor'''<br />
<br />
Dave Wichers, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
2 days.<br />
<br />
'''Summary'''<br />
<br />
The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. this session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identify servers and related software. Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web Applications with OWASP's Enterprise Security API (ESAPI) ==<br />
<br />
'''Instructor'''<br />
<br />
Jeff Williams, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
This course will teach you about OWASP's new Enterprise Security API (ESAPI), what it is composed of, and how to use it to improve the security and reduce the cost of developing those applications. This class covers each interface within the API, how it is intended to be used, and what the benefits are of using this interface, over other techniques for addressing the same security concerns.<br />
<br />
The course also discusses how to bring ESAPI into your organization and how to tailor it for your organization specific needs and application infrastructure.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Ajax Security ==<br />
<br />
'''Instructor'''<br />
<br />
Brad Causey<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course will provide an introductory to AJAX, its inherent security issues, how to detect them, and how to resolve them.<br />
<br />
'''Audience'''<br />
<br />
Web Application Security Professionals<br />
<br />
'''Table of Contents<br />
'''<br />
* Introduction to AJAX<br />
* Security Issues with architecture<br />
* Toolkits<br />
* Toolkit Security Concerns<br />
* Bridges and Issues<br />
* Attacking AJAX<br />
* Defending AJAX<br />
* Securing the Code<br />
* Best Practices<br />
* Other Issues and Concerns<br />
* Q and A<br />
<br />
'''Course Specifics<br />
'''<br />
<br />
Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.<br />
<br />
== Flash Player Security ==<br />
<br />
'''Instructor'''<br />
<br />
Peleus Uhley, Adobe Systems<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course will provide an overview of the Flash Player security model and common architectures for Flash deployment. The course is targeted at people who need to understand the fundamentals of Flash Player security and how it will affect their website such as CSOs, web designers and web architects. The goal of the course is to provide the student with the enough information to architect a secure Flash deployment. The follow-on Auditing Flash Applications course will continue to build on this knowledge on an API by API level. <br />
<br />
'''Audience'''<br />
<br />
Web Application Security Professionals and those who make decisions or recommendations about Flash deployments.<br />
<br />
<br />
'''Course Specifics'''<br />
<br />
Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.<br />
<br />
== Auditing Flash Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Peleus Uhley, Adobe Systems<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course is a follow on to the Flash Player Security course for those who want to do a deep dive into the security of Flash applications. This course is targeted at Flash authors and web-site auditors who need to validate Flash code and provide meaningful recommendations and best practices for improving Flash deployments. The goal of the course is to provide the student with the tools and information to audit a Flash website and provide quality feedback on how to remediate any issues.<br />
<br />
'''Audience'''<br />
<br />
Flash Developers, Web Application Penetration Testers<br />
<br />
'''Course Specifics'''<br />
<br />
Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.<br />
<br />
== Testing Guide Training ==<br />
<br />
'''Instructor'''<br />
<br />
Matteo Meucci, Giorgio Fedon - Minded Security.<br />
<br />
'''Duration'''<br />
<br />
4h.<br />
<br />
'''Summary'''<br />
<br />
This course will discuss the new OWASP Testing Guide v3 methodology and the most relevant tests of the 66 total controls of the Guide. You can learn how to test a web application and how to write a report.<br />
<br />
'''Audience'''<br />
<br />
Software developers, security consultants, auditors.<br />
<br />
'''Table of Contents'''<br />
<br />
The course will discuss the methology and will analize the 9 sub-categories of the Testing Guide:<br />
<br />
* Configuration Management Testing<br />
* Business Logic Testing<br />
* Authentication Testing<br />
* Authorization testing<br />
* Session Management Testing<br />
* Data Validation Testing<br />
* Denial of Service Testing<br />
* Web Services Testing<br />
* Ajax Testing <br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.<br />
<br />
== Offensive Web Application Hacking ==<br />
<br />
'''Instructor'''<br />
<br />
Marco Slaviero - SensePost.<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
The famous Sensepost web hacking course, a technical 'go-deep' course to tune up your web hacking skills!<br />
<br />
'''Audience'''<br />
<br />
Application security testers.<br />
<br />
'''Table of Contents'''<br />
<br />
If you're attending the OWASP Summit, then you understand that web application security is a big issue. Empirical and anecdotal evidence clearly suggests web applications are being attacked, and with high degrees of success. But its one thing to know about web application hacking, and its quite another to know how to hack them yourself. This workshop by SensePost is about hacking web applications. Not the theories, the lists and the tools, but the techniques and an out-of-box thought process that underpin genuinely unique and original web application compromises. The workshop employees a series of carefully designed web hacking exercises as its integral learning tool. <br />
<br />
Each exercise is designed to teach a specific lesson and will be discussed in detail after it is completed. In this way you learn from your instructors, your colleagues and your own successes and failures. The exercises have all been designed to replicate real-life scenarios with real-life-hacker stumbling blocks along the way.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_EU_Summit_2008_Training&diff=44608OWASP EU Summit 2008 Training2008-10-25T22:37:45Z<p>Manopaul: /* WebAppSec for Managers and Executives - The Road Less Travelled */</p>
<hr />
<div>EU Summit 2008 Trainings<br />
<br />
cvent links to be added.<br />
<br />
Upon completion and scheduling, trainings will be copied over from [[OWASP EU Summit 2008 Training (Courses to be Approved)]]<br />
<br />
Back to [[OWASP EU Summit 2008]]<br />
<br />
== WebAppSec for Managers and Executives - The Road Less Travelled ==<br />
<br />
'''Instructor'''<br />
<br />
[https://www.owasp.org/index.php/User:Manopaul Mano Paul]<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
With the financial turn tables of major corporations resting on web applications that connect businesses, transmit and store sensitive financial and personal transaction, combined with the ubiquitous nature of the web; it is imperative that web applications that are designed, architected and developed are secure.<br />
<br />
What do you think Shakespeare had to say about Software Security? What does an naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more … The Road Less Travelled by renowned poet, Robert Frost ends by with the statement "And that has made all the difference". Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective that would make ALL the difference for you and your company.<br />
<br />
'''Audience'''<br />
<br />
This session is for Management primarily and any stakeholder that needs to understand how understanding application security concepts can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert, you will all leave learning something new to lead your teams and help design the next generation of hack-resilient web applications. <br />
<br />
'''Table of Contents'''<br />
<br />
# Introduction <br />
# Changing Landscape<br />
# Drivers of Web Application Security (Exercise)<br />
## Method to the Madness<br />
## Attackers Advantage vs. Defenders Dilemma<br />
# Stakeholders (Exercise)<br />
## Boardroom Questions<br />
## Business Aware IT Security (BAITS)<br />
# Regulations, Compliance and Security<br />
## SOX, GLBA, HIPAA ...<br />
## European Data Protection Directive<br />
## PCI DSS<br />
# Software Security Concepts<br />
## Design Principles (Saltzer & Schroeder)<br />
### Economy of Mechanisms<br />
### Fail Safe Defaults<br />
### Complete Mediation<br />
### Open Design<br />
### Separation of Privilege<br />
### Least Privilege<br />
### Least Common Mechanisms<br />
### Psychological Acceptability<br />
## Security Mechanisms (CIA+AAA+Mgmt)<br />
### Confidentiality<br />
### Integrity<br />
### Availability<br />
### Authentication<br />
### Authorization<br />
### Auditing<br />
### Management - Session, Exceptions, Configuration<br />
# Security in the SDLC - Requirements to Release<br />
## 7 Steps to securing applications<br />
## SD4 - Secure by Default, Design, Development, and Deployment <br />
# Information Security Management Top 10 (real world stories and tips)<br />
## Executive Sponsorship and Commitment<br />
## Company wide Support and Participation<br />
## Industry Standards<br />
## Getting People to Do the Right Thing<br />
## Documentation and Continuous Improvements of Processes<br />
## Training and Education is Key<br />
## Managing Risk, NOT Security<br />
## Move aside FUD, Get in Security Metrics<br />
## Not getting trapped by Compliance <br />
## Leveraging Corporate Business Initiatives<br />
# OWASP Top 10 (covers what it is, anatomy (how it works), and defense)<br />
## Cross-site Scripting (XSS)<br />
## Injection Flaws (covers SQL Injection)<br />
## Malicious File Execution (covers RFI)<br />
## Insecure Direct Object Reference<br />
## Cross-site Request Forgery (CSRF) <br />
## Information Leakage and Improper Error Handling<br />
## Broken Authentication and Session Management<br />
## Insecure Cryptographic Storage<br />
## Insecure Communications<br />
## Failure to Restrict URL Access<br />
# Software Risk Management <br />
# Security in an Outsourced World<br />
# Web 2.0 Security<br />
# Self Service Programs<br />
# Awareness, Training & Education <br />
# Hiring and Staffing <br />
# Information Security Program Framework <br />
<br />
'''Course Specifics'''<br />
<br />
No specific requirement. Come for a fun, interactive session that will cover the basic and advanced elements of web application security for executives and managers - the road less travelled, filled with exercises for the attendees to participate.<br />
<br />
== The Art and Science of Threat Modeling Web Applications ==<br />
<br />
'''Instructor'''<br />
<br />
[https://www.owasp.org/index.php/User:Manopaul Mano Paul]<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk. <br />
<br />
'''Audience'''<br />
<br />
This session is for Management, Technical (Developer, QA, Security ...) and Operational professionals and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications. <br />
<br />
'''Table of Contents'''<br />
<br />
1. Introduction <br />
<br />
2. Why Threat Model?<br />
<br />
3. Is Threat Modeling Right for You?<br />
<br />
4. Challenges<br />
<br />
5. Precursors<br />
<br />
6. Data Classification and Threat Modeling<br />
<br />
7. Web Application Security Mechanisms<br />
<br />
8. Benefits of Threat Modeling<br />
<br />
9. Common Glossary of Terms<br />
<br />
10. Threat Agents<br />
<br />
11. Threat Modeling Process<br />
<br />
12. Attack Trees<br />
<br />
13. STRIDE and DREAD<br />
<br />
14. Threat to Risk<br />
<br />
15. Threat Modeling (Exercise)<br />
<br />
'''Course Specifics'''<br />
<br />
No specific requirement. Come for a fun, hands-on, interactive session that will cover the basic and advanced elements of threat modeling, filled with exercises for the attendees to participate. <br />
<br />
<br />
== Web server/services hardening using SELinux ==<br />
<br />
'''Instructor'''<br />
<br />
Pavol Luptak<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
Security-Enhanced Linux (SELinux) is a FLASK implementation integrated in the Linux kernel with a number of utilities designed to provide mandatory access controls (MAC) through the use of Linux Security Modules (LSM) in the Linux kernel. SELinux generally supports many kinds of mandatory access control policies, including those based on the concepts of type enforcement, role-based access control, and multi-level security. <br />
<br />
A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).<br />
<br />
This training provides basic concepts of SELinux, its differences to classical UNIX/Linux systems, describe security advantages of mandatory access control policies and teach how to effectively and rapidly configure a fully functional LAMP environment on SELinux system.<br />
<br />
'''Audience'''<br />
<br />
Security consultants, system administators, programmers focused on system security<br />
<br />
'''Table of Contents'''<br />
<br />
1. SELinux history<br />
<br />
2. Unix/Linux DAC (Discretionary Access Control) and its problems<br />
<br />
3. MAC (Mandatory Access Control)<br />
<br />
4. Advantages of using MAC <br />
<br />
5. DTE (Domain Type Enforcement) model<br />
<br />
6. RBAC (Roles Based Access Control) model<br />
<br />
7. MLS (Multi Level Security) model<br />
<br />
8. SELinux FLASK Architecture<br />
<br />
9. SELinux policy (EXERCISE)<br />
<br />
10. File System Security Contexts (EXERCISE)<br />
<br />
11. SELinux Object Classes and Permissions<br />
<br />
12. TE (Type Enforcement) Rules (Attributes, Type Declaration, Type Transitions, Domain Type Transitions, Object Labeling Transitions, Access Vectors)<br />
<br />
13. Understanding AVC, log messages<br />
<br />
14. audit2allow and audit2why (EXERCISE)<br />
<br />
15. SELinux Troubleshoot Tool (EXERCISE)<br />
<br />
16. Auditing and Auditing tools<br />
<br />
17. Policy Macros<br />
<br />
18. Backtracking rule (EXERCISE)<br />
<br />
19. SELinux Users, Roles, MLS Levels<br />
<br />
20. Strict Policy<br />
<br />
21. Targeted Policy<br />
<br />
22. SELinux Booleans and their use for Apache web server (EXERCISE)<br />
<br />
23. Files and Directories in Targeted Policy, common SELinux Macros (EXERCISE)<br />
<br />
24. Analyzing Example Policy - apache.te (EXERCISE)<br />
<br />
25. Assigning Object and Process Types <br />
<br />
26. SELinux Booting<br />
<br />
27. Copying and moving files, checking security contexts, relabeling a file and directory's security context (EXERCISE)<br />
<br />
28. Policy core utilities<br />
<br />
29. Managing File Labeling, Relabeling a File System (EXERCISE)<br />
<br />
30. SELinux Administrator GUI (EXERCISE)<br />
<br />
31. SELinux Modules (EXERCISE)<br />
<br />
32. Hardening existing LAMP environments using SELinux (EXERCISE)<br />
<br />
33. Writing New Policy for a Daemon (EXERCISE for clever students)<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop. Each student will have own SELinux virtual machine for his experiments.<br />
<br />
== Secure Programming with Java ==<br />
<br />
'''Instructor'''<br />
<br />
Lucas C. Ferreira<br />
<br />
'''Duration'''<br />
<br />
1 Day<br />
<br />
'''Summary'''<br />
<br />
This training class will present best practices of secure programming in the Java language. It includes Java specific practices (i.e. how to avoid problems that arise from the compilation of Java source code to the bytecode language used by the JVM) and practices that may arise in other programming languages (with examples in Java). Some tools that may be used to verify the security of Java code and systems will be shown.<br />
<br />
The topics include a quick overview of the OWASP Top 10, in order to contextualize the practices presented, and several best practices aimed at the different software layers. At the presentation layer, we focus on input validation, access control issues and dealing with exceptions. At the business objects layer, the practices deal with cloning and serialization issues. Practices to prevent command injection are presented at the persistence layer. Practices that should be used throughout all the software are also presented, including input data validation, class and method visibility, using and storing secrets, dealing with inner classes, overflows and boxing, and object initialization.<br />
<br />
'''Audience'''<br />
<br />
Java web application developers. This training requires basic understanding of web applications and an intermediate level of proficiency in the Java language and Object Oriented concepts. People with interest in other OO languages may also benefit from this training, but specific techniques, examples and tools used are targeted to Java.<br />
<br />
'''Table of Contents'''<br />
<br />
# OWASP Top 10 - quick overview<br />
# Secure Programming Best Practices<br />
## Presentation layer<br />
### Preventing cross-site scripting<br />
### Access control<br />
### Request validation<br />
### Error treatment<br />
## Business object layer<br />
### Cloning and serialization issues<br />
## Persistence layer<br />
### Command injection issues<br />
### Database access users and permissions<br />
### file manipulation<br />
## Infra-structure layer<br />
### J2EE container-related best practices<br />
### Native method issues<br />
### SSL and encryption<br />
## Practices for all software layers<br />
### Data validation<br />
### Garbage collection issues<br />
### Classes and method scoping<br />
### Use of secrets<br />
### Inner class issues<br />
### Over/underflow and boxing issues<br />
# Tools<br />
## Code review tool<br />
## Data flow tool<br />
## Pen-testing tool<br />
<br />
'''Course Specifics'''<br />
<br />
Laptop not required.<br />
<br />
== OWASP Top 10 - What Developers Should Know on Web Application Security ==<br />
<br />
'''Instructor'''<br />
<br />
Sebastien Deleersnyder and Martin Knobloch<br />
<br />
'''Duration'''<br />
<br />
4 h<br />
To be scheduled on Tuesday.<br />
<br />
'''Summary'''<br />
<br />
Application security is an essential component of any successful project; this includes web applications, open source PHP applications, web services and proprietary business web sites.<br />
Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of development or deployment organizations have specific needs and requirements regarding web application security education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.<br />
<br />
The OWASP Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.<br />
This Education Track provides in a 4 hour session covering what developers should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or re mediated. A secure coding initiative must deal with all stages of a program’s life cycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Particularly for developers good secure development practices are covered in a separate topic. Finally the track finishes with an exhaustive list of web application security resources for web application developers.<br />
<br />
'''Audience'''<br />
<br />
Web application developers who are unaware there are security issues with contemporary web applications. No prior knowledge of web application security is assumed nor necessary. This track is independent of the coding language or web frameworks used; like PHP, JSF, Java EE or .NET. We must realize that web application developers are only one link - albeit an important one - of the chain that represents the security of a web application. This track aims to make that link as secure as possible, given the constraint of 4 hours. Another important aspect is that web application security should be tailored to the risk profile of an organization and the specific development environment of that organization.<br />
<br />
'''Table of Contents'''<br />
<br />
The challenge is to cover web application security in 4 hours to a web application developer. This is presented in such a way that the developers will be able to recognize and correct web application vulnerabilities in their projects. <br />
<br />
* [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min) ([http://www.owasp.org/images/5/58/Education_Module_Why_WebAppSec_Matters.ppt direct link])<br />
:This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.<br />
:*What goes wrong<br />
:*WebAppSec Defined<br />
:*Current trends<br />
* [[Education_Module_OWASP_Top_10_Introduction_and_Remedies|OWASP Top 10 Introduction & Remedies]] (90 min) ([http://www.owasp.org/images/b/b8/Education_Module_OWASP_Top_10_Introduction_and_Remedies.ppt direct link])<br />
:The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.<br />
:*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]<br />
:*Injection Flaws<br />
:*Malicious File Execution<br />
:*Insecure Direct Object Reference<br />
:*Cross Site Request Forgery (CSRF)<br />
:*Information Leakage and Improper Error Handling<br />
:*Broken Authentication and Session Management<br />
:*Insecure Cryptographic Storage<br />
:*Insecure Communications<br />
:*Failure to Restrict URL Access<br />
*[[Education Module Embed within SDLC|Embed within SDLC]] (People, Processes & Tools) (20 min) ([http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt direct link])<br />
:There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.<br />
:*People Awareness and Education<br />
:*Development WebAppSec Controls<br />
:*Deployment WebAppSec Controls<br />
:*WebAppSec Tools<br />
*[[Education Module Good Secure Development Practices|Good Secure Development Practices]] (70 min) ([http://www.owasp.org/images/5/57/Education_Module_Good_Secure_Development_Practices.ppt direct link])<br />
:Next to the Top 10 remedies this module provides some good secure development practices from the OWASP Guide, covering e.g.<br />
:*Validating User Input <br />
:*Authentication<br />
:*Authorization<br />
:*Session Management<br />
:*Using Interpreters<br />
:*Crypto<br />
:*Catching Errors<br />
:*File System<br />
:*Configuration<br />
:*Web 2.0<br />
*[[Education Module Testing for Vulnerabilities|Testing for Vulnerabilities]] (20 min) ([http://www.owasp.org/images/4/49/Education_Module_Testing_for_Vulnerabilities.ppt direct link])<br />
:One important aspect is to test for application vulnerabilities. During this short module an introduction is provided together with some WebGoat test cases.<br />
:*Testing for application vulnerabilities<br />
:*The OWASP Testing Guide<br />
:*WebGoat demonstrated<br />
*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min) ([http://www.owasp.org/images/f/fe/Education_Module_Good_WebAppSec_Resources.ppt direct link])<br />
:This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.<br />
:*Hard Copy<br />
:*Web Sites<br />
:*Mailing lists<br />
:*Blogs<br />
*Roundup (10 min)<br />
<br />
[[Category:OWASP Education Project]]<br />
<br />
'''Course Specifics'''<br />
<br />
No specific prerequisites.<br />
<br />
<br />
<br />
== Classic ASP Security using OWASP tools ==<br />
<br />
'''Instructor'''<br />
<br />
Juan Carlos Calderon<br />
<br />
'''Duration'''<br />
<br />
1 day <br />
<br />
'''Summary'''<br />
<br />
Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place”.<br />
<br />
'''Audience'''<br />
<br />
People involved in development/maintenance of Classic ASP applications at all levels, including developers, Application Architects, testers, etc.<br />
<br />
'''Table of Contents'''<br />
<br />
*Secure programming on ASP using [[ESAPI|OWASP ESAPI]]<br />
*Auditing ASP code with [[:Category:OWASP_Code_Review_Project|Code Review Project]] checklist<br />
*Implementing [[:Category:OWASP_Stinger_Project|OWASP Stinger]] protection for Classic ASP <br />
*Complementary security best practices.<br />
<br />
'''Course Specifics'''<br />
<br />
None. Keep posted for changes on the table of contents and course specifics.<br />
<br />
== Web Application Assessments ==<br />
<br />
'''Instructor'''<br />
<br />
Vicente Aguilera Diaz<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
As in the physical world, the "professionals" attackers spend most of their time to analysing its objective and try to gather as much information as possible about it. The more information becomes available and is more detailed and accurate, the attack is more likely to succeed.<br />
<br />
The aim of this course is to identify patterns and tools to perform this analysis (step prior to the attack), and is supplemented by a case study on a practical application.<br />
<br />
'''Audience'''<br />
<br />
Software developers, security consultants, system administrators and people loving security.<br />
<br />
'''Table of Contents'''<br />
<br />
# Introduction<br />
# Web Application Discovery<br />
# Gathering information on the target web application<br />
## Search Engines<br />
## Interaction with external entities and information services<br />
## Analysis of existing information in the web application (public information, information leaks, causing errors, etc.).<br />
# Knowing / Understand the target<br />
## Identifying characteristics (technologies, platforms, user profiles, features, etc.).<br />
## Analysis of infrastructure components: databases, Web servers, application servers, authentication servers, etc.). Detection and identification.<br />
## Identification of the exposition area<br />
# Analysis of attack vectors and vulnerabilities exploitation<br />
# Case Study<br />
## Assessment of an webmail application <br />
## Vulnerability exploitation: IMAP / SMTP Injection<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.<br />
<br />
== Hacking Owasp Orizon Project v1.0 ==<br />
<br />
'''Instructor'''<br />
<br />
Paolo Perego<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
In the course it will be presented Owasp Orizon v1.0 framework. The major APIs will be fully explained and it will be built a simple scanning tool using the Orizon framework.<br />
<br />
The course goal is to let people fully understand Orizon internals and let people understand how to use the framework in a real world.<br />
<br />
'''Audience'''<br />
<br />
Security specialist, code reviewers and curious developers<br />
<br />
'''Table of Contents'''<br />
<br />
* Owasp Orizon Internals<br />
** Translation engine<br />
** Owasp Orizon XML project<br />
*** XML used in writing security checks<br />
*** XML used in translation phase<br />
** Static analysis engine<br />
** Crawling engine<br />
** Reporting engine<br />
* Create a simple tool using Orizon<br />
<br />
'''Course Specifics'''<br />
<br />
People have to bring their own laptop with latest Owasp Orizon version, J2SE 1.6 or later and a Java IDE (e.g. eclipse) is also feasible.<br />
<br />
== Securing WebGoat with ModSecurity ==<br />
<br />
'''Instructor'''<br />
<br />
Stephen Craig Evans<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
ModSecurity, normally a tool of the network security group, has capabilities that can allow a software security specialist with programming skills to mitigate business logic flaws and other vulnerabilities that are out-of-reach of basic blacklists.<br />
<br />
This 4 hour course covers the highlights of the Summer of Code 2008 project, "Securing WebGoat using ModSecurity" (please see https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project and the project wiki).<br />
<br />
'''Audience'''<br />
<br />
* Users of ModSecurity that want to learn how it can be leveraged beyond the basic rule sets in order to mitigate vulnerabilities in areas such as authentication, AJAX, and output sanitization<br />
* Web application specialists, especially pentesters, who want to learn how ModSecurity can offer an additional remedial solution to customers when the application cannot be touched<br />
* Curious people that are wondering what the hell this project is about<br />
<br />
'''Table of Contents'''<br />
<br />
* ModSecurity basics<br />
* WebGoat overview<br />
* A walkthrough of the "Securing WebGoat using ModSecurity" Summer of Code 2008 project<br />
* Mitigating WebGoat vulnerabilities using the ModSecurity core rule set<br />
* Using ModSecurity's Lua scripting language:<br />
** For its programming capabilities (including re-building the Lua library to include 3rd party functionality)<br />
** To implement configuration files<br />
** For global persistence<br />
** And much, much, more...<br />
* Using ModSecurity's Javascript injection (prepend and append):<br />
** To substitute/override/extend existing Javascript functions<br />
** To enhance the user experience when implementing a ModSecurity solution on the back end such as an authentication mechanism <br />
* Using ModSecurity's session collection, Lua script, and Javascript injection together to mitigate almost any vulnerability<br />
<br />
'''Course Specifics'''<br />
<br />
Demos (including strategy and implementation) of the most interesting lesson solutions will be shown.<br />
<br />
<br />
<br />
== Uncovering WebScarab's Secret Treasures ==<br />
<br />
'''Instructor'''<br />
<br />
Rogan Dawes<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
OWASP WebScarab has a lot of hidden features that probably no one but the author really knows about. This in depth hands on session will show delegates how to access these features, and how to use them to their full potential.<br />
<br />
'''Audience'''<br />
<br />
Application reviewers, developers<br />
<br />
'''Table of Contents'''<br />
<br />
* Using the spider<br />
* Manual Request Transforms<br />
* What is the XSS/CRLF plugin, and how does it work?<br />
* Using the Fuzzer<br />
* Comparing Responses<br />
* Searching WebScarab history<br />
* Exploring the Beanshell<br />
** Writing Proxy Intercept scripts<br />
** Writing Script Manager Scripts<br />
** Writing other scripts<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop<br />
<br />
<br />
<br />
== Advanced Web Application Security Testing ==<br />
<br />
'''Instructor'''<br />
<br />
Michael Coates, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
2 days.<br />
<br />
'''Summary'''<br />
<br />
While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web 2.0 Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Arshan Dabirsiaghi, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
Web 2.0 applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. this one day training addresses the special issues that arise in this type of application development.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web Services ==<br />
<br />
'''Instructor'''<br />
<br />
Dave Wichers, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
2 days.<br />
<br />
'''Summary'''<br />
<br />
The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. this session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identify servers and related software. Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web Applications with OWASP's Enterprise Security API (ESAPI) ==<br />
<br />
'''Instructor'''<br />
<br />
Jeff Williams, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
This course will teach you about OWASP's new Enterprise Security API (ESAPI), what it is composed of, and how to use it to improve the security and reduce the cost of developing those applications. This class covers each interface within the API, how it is intended to be used, and what the benefits are of using this interface, over other techniques for addressing the same security concerns.<br />
<br />
The course also discusses how to bring ESAPI into your organization and how to tailor it for your organization specific needs and application infrastructure.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Ajax Security ==<br />
<br />
'''Instructor'''<br />
<br />
Brad Causey<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course will provide an introductory to AJAX, its inherent security issues, how to detect them, and how to resolve them.<br />
<br />
'''Audience'''<br />
<br />
Web Application Security Professionals<br />
<br />
'''Table of Contents<br />
'''<br />
* Introduction to AJAX<br />
* Security Issues with architecture<br />
* Toolkits<br />
* Toolkit Security Concerns<br />
* Bridges and Issues<br />
* Attacking AJAX<br />
* Defending AJAX<br />
* Securing the Code<br />
* Best Practices<br />
* Other Issues and Concerns<br />
* Q and A<br />
<br />
'''Course Specifics<br />
'''<br />
<br />
Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.<br />
<br />
== Flash Player Security ==<br />
<br />
'''Instructor'''<br />
<br />
Peleus Uhley, Adobe Systems<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course will provide an overview of the Flash Player security model and common architectures for Flash deployment. The course is targeted at people who need to understand the fundamentals of Flash Player security and how it will affect their website such as CSOs, web designers and web architects. The goal of the course is to provide the student with the enough information to architect a secure Flash deployment. The follow-on Auditing Flash Applications course will continue to build on this knowledge on an API by API level. <br />
<br />
'''Audience'''<br />
<br />
Web Application Security Professionals and those who make decisions or recommendations about Flash deployments.<br />
<br />
<br />
'''Course Specifics'''<br />
<br />
Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.<br />
<br />
== Auditing Flash Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Peleus Uhley, Adobe Systems<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course is a follow on to the Flash Player Security course for those who want to do a deep dive into the security of Flash applications. This course is targeted at Flash authors and web-site auditors who need to validate Flash code and provide meaningful recommendations and best practices for improving Flash deployments. The goal of the course is to provide the student with the tools and information to audit a Flash website and provide quality feedback on how to remediate any issues.<br />
<br />
'''Audience'''<br />
<br />
Flash Developers, Web Application Penetration Testers<br />
<br />
'''Course Specifics'''<br />
<br />
Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.<br />
<br />
== Testing Guide Training ==<br />
<br />
'''Instructor'''<br />
<br />
Matteo Meucci, Giorgio Fedon - Minded Security.<br />
<br />
'''Duration'''<br />
<br />
4h.<br />
<br />
'''Summary'''<br />
<br />
This course will discuss the new OWASP Testing Guide v3 methodology and the most relevant tests of the 66 total controls of the Guide. You can learn how to test a web application and how to write a report.<br />
<br />
'''Audience'''<br />
<br />
Software developers, security consultants, auditors.<br />
<br />
'''Table of Contents'''<br />
<br />
The course will discuss the methology and will analize the 9 sub-categories of the Testing Guide:<br />
<br />
* Configuration Management Testing<br />
* Business Logic Testing<br />
* Authentication Testing<br />
* Authorization testing<br />
* Session Management Testing<br />
* Data Validation Testing<br />
* Denial of Service Testing<br />
* Web Services Testing<br />
* Ajax Testing <br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.<br />
<br />
== Offensive Web Application Hacking ==<br />
<br />
'''Instructor'''<br />
<br />
Marco Slaviero - SensePost.<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
The famous Sensepost web hacking course, a technical 'go-deep' course to tune up your web hacking skills!<br />
<br />
'''Audience'''<br />
<br />
Application security testers.<br />
<br />
'''Table of Contents'''<br />
<br />
If you're attending the OWASP Summit, then you understand that web application security is a big issue. Empirical and anecdotal evidence clearly suggests web applications are being attacked, and with high degrees of success. But its one thing to know about web application hacking, and its quite another to know how to hack them yourself. This workshop by SensePost is about hacking web applications. Not the theories, the lists and the tools, but the techniques and an out-of-box thought process that underpin genuinely unique and original web application compromises. The workshop employees a series of carefully designed web hacking exercises as its integral learning tool. <br />
<br />
Each exercise is designed to teach a specific lesson and will be discussed in detail after it is completed. In this way you learn from your instructors, your colleagues and your own successes and failures. The exercises have all been designed to replicate real-life scenarios with real-life-hacker stumbling blocks along the way.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_EU_Summit_2008_Training&diff=43463OWASP EU Summit 2008 Training2008-10-17T03:23:03Z<p>Manopaul: /* WebAppSec for Managers and Executives - The Road Less Travelled */</p>
<hr />
<div>EU Summit 2008 Trainings<br />
<br />
cvent links to be added.<br />
<br />
Upon completion and scheduling, trainings will be copied over from [[OWASP EU Summit 2008 Training (Courses to be Approved)]]<br />
<br />
Back to [[OWASP EU Summit 2008]]<br />
<br />
== WebAppSec for Managers and Executives - The Road Less Travelled ==<br />
<br />
'''Instructor'''<br />
<br />
[https://www.owasp.org/index.php/User:Manopaul Mano Paul]<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
With the financial turn tables of major corporations resting on web applications that connect businesses, transmit and store sensitive financial and personal transaction, combined with the ubiquitous nature of the web; it is imperative that web applications that are designed, architected and developed are secure.<br />
<br />
What do you think Shakespeare had to say about Software Security? What does an naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more … The Road Less Travelled by renowned poet, Robert Frost ends by with the statement "And that has made all the difference". Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective that would make ALL the difference for you and your company.<br />
<br />
'''Audience'''<br />
<br />
This session is for Management primarily and any stakeholder that needs to understand how understanding application security concepts can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert, you will all leave learning something new to lead your teams and help design the next generation of hack-resilient web applications. <br />
<br />
'''Table of Contents'''<br />
<br />
1. Introduction <br />
<br />
2. Changing Landscape<br />
<br />
3. Drivers of Web Application Security<br />
<br />
4. From the Boardroom to the Builder, Client to the Coder<br />
<br />
5. Regulations, Compliance and Security<br />
<br />
6. Information Security Management Top 10<br />
<br />
7. OWASP Top 10<br />
<br />
8. Software Security Concepts<br />
<br />
9. Security in the SDLC - Requirements to Release<br />
<br />
10. Software Risk Management <br />
<br />
11. Data Classification <br />
<br />
12. Common Web Application Threats and Vulnerabilities<br />
<br />
13. Security in an Outsourced World<br />
<br />
14. Web 2.0 Security<br />
<br />
15. Self Service Programs<br />
<br />
16. Awareness, Training, Education & Certification<br />
<br />
17. Hiring and Staffing <br />
<br />
18. Information Security Framework<br />
<br />
'''Course Specifics'''<br />
<br />
No specific requirement. Come for a fun, interactive session that will cover the basic and advanced elements of web application security for executives and managers - the road less travelled, filled with exercises for the attendees to participate.<br />
<br />
== The Art and Science of Threat Modeling Web Applications ==<br />
<br />
'''Instructor'''<br />
<br />
[https://www.owasp.org/index.php/User:Manopaul Mano Paul]<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk. <br />
<br />
'''Audience'''<br />
<br />
This session is for Management, Technical (Developer, QA, Security ...) and Operational professionals and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications. <br />
<br />
'''Table of Contents'''<br />
<br />
1. Introduction <br />
<br />
2. Why Threat Model?<br />
<br />
3. Is Threat Modeling Right for You?<br />
<br />
4. Challenges<br />
<br />
5. Precursors<br />
<br />
6. Data Classification and Threat Modeling<br />
<br />
7. Web Application Security Mechanisms<br />
<br />
8. Benefits of Threat Modeling<br />
<br />
9. Common Glossary of Terms<br />
<br />
10. Threat Agents<br />
<br />
11. Threat Modeling Process<br />
<br />
12. Attack Trees<br />
<br />
13. STRIDE and DREAD<br />
<br />
14. Threat to Risk<br />
<br />
15. Threat Modeling (Exercise)<br />
<br />
'''Course Specifics'''<br />
<br />
No specific requirement. Come for a fun, hands-on, interactive session that will cover the basic and advanced elements of threat modeling, filled with exercises for the attendees to participate. <br />
<br />
<br />
== Web server/services hardening using SELinux ==<br />
<br />
'''Instructor'''<br />
<br />
Pavol Luptak<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
Security-Enhanced Linux (SELinux) is a FLASK implementation integrated in the Linux kernel with a number of utilities designed to provide mandatory access controls (MAC) through the use of Linux Security Modules (LSM) in the Linux kernel. SELinux generally supports many kinds of mandatory access control policies, including those based on the concepts of type enforcement, role-based access control, and multi-level security. <br />
<br />
A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).<br />
<br />
This training provides basic concepts of SELinux, its differences to classical UNIX/Linux systems, describe security advantages of mandatory access control policies and teach how to effectively and rapidly configure a fully functional LAMP environment on SELinux system.<br />
<br />
'''Audience'''<br />
<br />
Security consultants, system administators, programmers focused on system security<br />
<br />
'''Table of Contents'''<br />
<br />
1. SELinux history<br />
<br />
2. Unix/Linux DAC (Discretionary Access Control) and its problems<br />
<br />
3. MAC (Mandatory Access Control)<br />
<br />
4. Advantages of using MAC <br />
<br />
5. DTE (Domain Type Enforcement) model<br />
<br />
6. RBAC (Roles Based Access Control) model<br />
<br />
7. MLS (Multi Level Security) model<br />
<br />
8. SELinux FLASK Architecture<br />
<br />
9. SELinux policy (EXERCISE)<br />
<br />
10. File System Security Contexts (EXERCISE)<br />
<br />
11. SELinux Object Classes and Permissions<br />
<br />
12. TE (Type Enforcement) Rules (Attributes, Type Declaration, Type Transitions, Domain Type Transitions, Object Labeling Transitions, Access Vectors)<br />
<br />
13. Understanding AVC, log messages<br />
<br />
14. audit2allow and audit2why (EXERCISE)<br />
<br />
15. SELinux Troubleshoot Tool (EXERCISE)<br />
<br />
16. Auditing and Auditing tools<br />
<br />
17. Policy Macros<br />
<br />
18. Backtracking rule (EXERCISE)<br />
<br />
19. SELinux Users, Roles, MLS Levels<br />
<br />
20. Strict Policy<br />
<br />
21. Targeted Policy<br />
<br />
22. SELinux Booleans and their use for Apache web server (EXERCISE)<br />
<br />
23. Files and Directories in Targeted Policy, common SELinux Macros (EXERCISE)<br />
<br />
24. Analyzing Example Policy - apache.te (EXERCISE)<br />
<br />
25. Assigning Object and Process Types <br />
<br />
26. SELinux Booting<br />
<br />
27. Copying and moving files, checking security contexts, relabeling a file and directory's security context (EXERCISE)<br />
<br />
28. Policy core utilities<br />
<br />
29. Managing File Labeling, Relabeling a File System (EXERCISE)<br />
<br />
30. SELinux Administrator GUI (EXERCISE)<br />
<br />
31. SELinux Modules (EXERCISE)<br />
<br />
32. Hardening existing LAMP environments using SELinux (EXERCISE)<br />
<br />
33. Writing New Policy for a Daemon (EXERCISE for clever students)<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop. Each student will have own SELinux virtual machine for his experiments.<br />
<br />
== Secure Programming with Java ==<br />
<br />
'''Instructor'''<br />
<br />
Lucas C. Ferreira<br />
<br />
'''Duration'''<br />
<br />
1 Day<br />
<br />
'''Summary'''<br />
<br />
This training class will present best practices of secure programming in the Java language. It includes Java specific practices (i.e. how to avoid problems that arise from the compilation of Java source code to the bytecode language used by the JVM) and practices that may arise in other programming languages (with examples in Java). Some tools that may be used to verify the security of Java code and systems will be shown.<br />
<br />
The topics include a quick overview of the OWASP Top 10, in order to contextualize the practices presented, and several best practices aimed at the different software layers. At the presentation layer, we focus on input validation, access control issues and dealing with exceptions. At the business objects layer, the practices deal with cloning and serialization issues. Practices to prevent command injection are presented at the persistence layer. Practices that should be used throughout all the software are also presented, including input data validation, class and method visibility, using and storing secrets, dealing with inner classes, overflows and boxing, and object initialization.<br />
<br />
'''Audience'''<br />
<br />
Java web application developers. This training requires basic understanding of web applications and an intermediate level of proficiency in the Java language and Object Oriented concepts. People with interest in other OO languages may also benefit from this training, but specific techniques, examples and tools used are targeted to Java.<br />
<br />
'''Table of Contents'''<br />
<br />
# OWASP Top 10 - quick overview<br />
# Secure Programming Best Practices<br />
## Presentation layer<br />
### Preventing cross-site scripting<br />
### Access control<br />
### Request validation<br />
### Error treatment<br />
## Business object layer<br />
### Cloning and serialization issues<br />
## Persistence layer<br />
### Command injection issues<br />
### Database access users and permissions<br />
### file manipulation<br />
## Infra-structure layer<br />
### J2EE container-related best practices<br />
### Native method issues<br />
### SSL and encryption<br />
## Practices for all software layers<br />
### Data validation<br />
### Garbage collection issues<br />
### Classes and method scoping<br />
### Use of secrets<br />
### Inner class issues<br />
### Over/underflow and boxing issues<br />
# Tools<br />
## Code review tool<br />
## Data flow tool<br />
## Pen-testing tool<br />
<br />
'''Course Specifics'''<br />
<br />
Laptop not required.<br />
<br />
== OWASP Top 10 - What Developers Should Know on Web Application Security ==<br />
<br />
'''Instructor'''<br />
<br />
Sebastien Deleersnyder and Martin Knobloch<br />
<br />
'''Duration'''<br />
<br />
4 h<br />
To be scheduled on Tuesday.<br />
<br />
'''Summary'''<br />
<br />
Application security is an essential component of any successful project; this includes web applications, open source PHP applications, web services and proprietary business web sites.<br />
Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of development or deployment organizations have specific needs and requirements regarding web application security education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.<br />
<br />
The OWASP Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.<br />
This Education Track provides in a 4 hour session covering what developers should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or re mediated. A secure coding initiative must deal with all stages of a program’s life cycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Particularly for developers good secure development practices are covered in a separate topic. Finally the track finishes with an exhaustive list of web application security resources for web application developers.<br />
<br />
'''Audience'''<br />
<br />
Web application developers who are unaware there are security issues with contemporary web applications. No prior knowledge of web application security is assumed nor necessary. This track is independent of the coding language or web frameworks used; like PHP, JSF, Java EE or .NET. We must realize that web application developers are only one link - albeit an important one - of the chain that represents the security of a web application. This track aims to make that link as secure as possible, given the constraint of 4 hours. Another important aspect is that web application security should be tailored to the risk profile of an organization and the specific development environment of that organization.<br />
<br />
'''Table of Contents'''<br />
<br />
The challenge is to cover web application security in 4 hours to a web application developer. This is presented in such a way that the developers will be able to recognize and correct web application vulnerabilities in their projects. <br />
<br />
* [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min) ([http://www.owasp.org/images/5/58/Education_Module_Why_WebAppSec_Matters.ppt direct link])<br />
:This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.<br />
:*What goes wrong<br />
:*WebAppSec Defined<br />
:*Current trends<br />
* [[Education_Module_OWASP_Top_10_Introduction_and_Remedies|OWASP Top 10 Introduction & Remedies]] (90 min) ([http://www.owasp.org/images/b/b8/Education_Module_OWASP_Top_10_Introduction_and_Remedies.ppt direct link])<br />
:The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.<br />
:*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]<br />
:*Injection Flaws<br />
:*Malicious File Execution<br />
:*Insecure Direct Object Reference<br />
:*Cross Site Request Forgery (CSRF)<br />
:*Information Leakage and Improper Error Handling<br />
:*Broken Authentication and Session Management<br />
:*Insecure Cryptographic Storage<br />
:*Insecure Communications<br />
:*Failure to Restrict URL Access<br />
*[[Education Module Embed within SDLC|Embed within SDLC]] (People, Processes & Tools) (20 min) ([http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt direct link])<br />
:There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.<br />
:*People Awareness and Education<br />
:*Development WebAppSec Controls<br />
:*Deployment WebAppSec Controls<br />
:*WebAppSec Tools<br />
*[[Education Module Good Secure Development Practices|Good Secure Development Practices]] (70 min) ([http://www.owasp.org/images/5/57/Education_Module_Good_Secure_Development_Practices.ppt direct link])<br />
:Next to the Top 10 remedies this module provides some good secure development practices from the OWASP Guide, covering e.g.<br />
:*Validating User Input <br />
:*Authentication<br />
:*Authorization<br />
:*Session Management<br />
:*Using Interpreters<br />
:*Crypto<br />
:*Catching Errors<br />
:*File System<br />
:*Configuration<br />
:*Web 2.0<br />
*[[Education Module Testing for Vulnerabilities|Testing for Vulnerabilities]] (20 min) ([http://www.owasp.org/images/4/49/Education_Module_Testing_for_Vulnerabilities.ppt direct link])<br />
:One important aspect is to test for application vulnerabilities. During this short module an introduction is provided together with some WebGoat test cases.<br />
:*Testing for application vulnerabilities<br />
:*The OWASP Testing Guide<br />
:*WebGoat demonstrated<br />
*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min) ([http://www.owasp.org/images/f/fe/Education_Module_Good_WebAppSec_Resources.ppt direct link])<br />
:This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.<br />
:*Hard Copy<br />
:*Web Sites<br />
:*Mailing lists<br />
:*Blogs<br />
*Roundup (10 min)<br />
<br />
[[Category:OWASP Education Project]]<br />
<br />
'''Course Specifics'''<br />
<br />
No specific prerequisites.<br />
<br />
<br />
<br />
== Classic ASP Security using OWASP tools ==<br />
<br />
'''Instructor'''<br />
<br />
Juan Carlos Calderon<br />
<br />
'''Duration'''<br />
<br />
1 day <br />
<br />
'''Summary'''<br />
<br />
Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place”.<br />
<br />
'''Audience'''<br />
<br />
People involved in development/maintenance of Classic ASP applications at all levels, including developers, Application Architects, testers, etc.<br />
<br />
'''Table of Contents'''<br />
<br />
*Secure programming on ASP using [[ESAPI|OWASP ESAPI]]<br />
*Auditing ASP code with [[:Category:OWASP_Code_Review_Project|Code Review Project]] checklist<br />
*Implementing [[:Category:OWASP_Stinger_Project|OWASP Stinger]] protection for Classic ASP <br />
*Complementary security best practices.<br />
<br />
'''Course Specifics'''<br />
<br />
None. Keep posted for changes on the table of contents and course specifics.<br />
<br />
== Web Application Assessments ==<br />
<br />
'''Instructor'''<br />
<br />
Vicente Aguilera Diaz<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
As in the physical world, the "professionals" attackers spend most of their time to analysing its objective and try to gather as much information as possible about it. The more information becomes available and is more detailed and accurate, the attack is more likely to succeed.<br />
<br />
The aim of this course is to identify patterns and tools to perform this analysis (step prior to the attack), and is supplemented by a case study on a practical application.<br />
<br />
'''Audience'''<br />
<br />
Software developers, security consultants, system administrators and people loving security.<br />
<br />
'''Table of Contents'''<br />
<br />
# Introduction<br />
# Web Application Discovery<br />
# Gathering information on the target web application<br />
## Search Engines<br />
## Interaction with external entities and information services<br />
## Analysis of existing information in the web application (public information, information leaks, causing errors, etc.).<br />
# Knowing / Understand the target<br />
## Identifying characteristics (technologies, platforms, user profiles, features, etc.).<br />
## Analysis of infrastructure components: databases, Web servers, application servers, authentication servers, etc.). Detection and identification.<br />
## Identification of the exposition area<br />
# Analysis of attack vectors and vulnerabilities exploitation<br />
# Case Study<br />
## Assessment of an webmail application <br />
## Vulnerability exploitation: IMAP / SMTP Injection<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.<br />
<br />
== Hacking Owasp Orizon Project v1.0 ==<br />
<br />
'''Instructor'''<br />
<br />
Paolo Perego<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
In the course it will be presented Owasp Orizon v1.0 framework. The major APIs will be fully explained and it will be built a simple scanning tool using the Orizon framework.<br />
<br />
The course goal is to let people fully understand Orizon internals and let people understand how to use the framework in a real world.<br />
<br />
'''Audience'''<br />
<br />
Security specialist, code reviewers and curious developers<br />
<br />
'''Table of Contents'''<br />
<br />
* Owasp Orizon Internals<br />
** Translation engine<br />
** Owasp Orizon XML project<br />
*** XML used in writing security checks<br />
*** XML used in translation phase<br />
** Static analysis engine<br />
** Crawling engine<br />
** Reporting engine<br />
* Create a simple tool using Orizon<br />
<br />
'''Course Specifics'''<br />
<br />
People have to bring their own laptop with latest Owasp Orizon version, J2SE 1.6 or later and a Java IDE (e.g. eclipse) is also feasible.<br />
<br />
== Securing WebGoat with ModSecurity ==<br />
<br />
'''Instructor'''<br />
<br />
Stephen Craig Evans<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
ModSecurity, normally a tool of the network security group, has capabilities that can allow a software security specialist with programming skills to mitigate business logic flaws and other vulnerabilities that are out-of-reach of basic blacklists.<br />
<br />
This 4 hour course covers the highlights of the Summer of Code 2008 project, "Securing WebGoat using ModSecurity" (please see https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project and the project wiki).<br />
<br />
'''Audience'''<br />
<br />
* Users of ModSecurity that want to learn how it can be leveraged beyond the basic rule sets in order to mitigate vulnerabilities in areas such as authentication, AJAX, and output sanitization<br />
* Web application specialists, especially pentesters, who want to learn how ModSecurity can offer an additional remedial solution to customers when the application cannot be touched<br />
* Curious people that are wondering what the hell this project is about<br />
<br />
'''Table of Contents'''<br />
<br />
* ModSecurity basics<br />
* WebGoat overview<br />
* A walkthrough of the "Securing WebGoat using ModSecurity" Summer of Code 2008 project<br />
* Mitigating WebGoat vulnerabilities using the ModSecurity core rule set<br />
* Using ModSecurity's Lua scripting language:<br />
** For its programming capabilities (including re-building the Lua library to include 3rd party functionality)<br />
** To implement configuration files<br />
** For global persistence<br />
** And much, much, more...<br />
* Using ModSecurity's Javascript injection (prepend and append):<br />
** To substitute/override/extend existing Javascript functions<br />
** To enhance the user experience when implementing a ModSecurity solution on the back end such as an authentication mechanism <br />
* Using ModSecurity's session collection, Lua script, and Javascript injection together to mitigate almost any vulnerability<br />
<br />
'''Course Specifics'''<br />
<br />
Demos (including strategy and implementation) of the most interesting lesson solutions will be shown.<br />
<br />
== How to Win AppSec Hacking Contests and Deploy Better Web Applications ==<br />
<br />
'''Instructors'''<br />
<br />
Lann Martin and Lebbeous Fogle-Weekley - ''winners of the CTF contest at OWASP AppSec NYC '08''<br />
<br />
'''Duration'''<br />
<br />
4 hours<br />
<br />
'''Summary'''<br />
<br />
This class will demonstrate how an attacker approaches potentially<br />
vulnerable web applications, taking advantage of both poor server<br />
configuration and poor application implementation to discover and exploit<br />
vulnerabilities of several types.<br />
<br />
'''Audience'''<br />
<br />
Web application developers and penetration testers of intermediate<br />
skill.<br />
<br />
'''Table of Contents'''<br />
<br />
''This table of contents is a work in progress''<br />
* The trouble with verbose error messages<br />
* The right way and the wrong way to escape input to prevent SQL injection<br />
* The right way and the wrong way to encode output to prevent XSS<br />
* More bad practices to avoid<br />
* More good practices to maintain<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop to participate in attacks on sample<br />
web applications. Firefox is the preferred browser for exploiting web<br />
applications. Automated scanning tools are out of scope for this class.<br />
<br />
== Uncovering WebScarab's Secret Treasures ==<br />
<br />
'''Instructor'''<br />
<br />
Rogan Dawes<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
OWASP WebScarab has a lot of hidden features that probably no one but the author really knows about. This in depth hands on session will show delegates how to access these features, and how to use them to their full potential.<br />
<br />
'''Audience'''<br />
<br />
Application reviewers, developers<br />
<br />
'''Table of Contents'''<br />
<br />
* Using the spider<br />
* Manual Request Transforms<br />
* What is the XSS/CRLF plugin, and how does it work?<br />
* Using the Fuzzer<br />
* Comparing Responses<br />
* Searching WebScarab history<br />
* Exploring the Beanshell<br />
** Writing Proxy Intercept scripts<br />
** Writing Script Manager Scripts<br />
** Writing other scripts<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop<br />
<br />
<br />
<br />
== Advanced Web Application Security Testing ==<br />
<br />
'''Instructor'''<br />
<br />
Michael Coates, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
2 days.<br />
<br />
'''Summary'''<br />
<br />
While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web 2.0 Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Arshan Dabirsiaghi, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
Web 2.0 applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. this one day training addresses the special issues that arise in this type of application development.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web Services ==<br />
<br />
'''Instructor'''<br />
<br />
Dave Wichers, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
2 days.<br />
<br />
'''Summary'''<br />
<br />
The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. this session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identify servers and related software. Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web Applications with OWASP's Enterprise Security API (ESAPI) ==<br />
<br />
'''Instructor'''<br />
<br />
Jeff Williams, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
This course will teach you about OWASP's new Enterprise Security API (ESAPI), what it is composed of, and how to use it to improve the security and reduce the cost of developing those applications. This class covers each interface within the API, how it is intended to be used, and what the benefits are of using this interface, over other techniques for addressing the same security concerns.<br />
<br />
The course also discusses how to bring ESAPI into your organization and how to tailor it for your organization specific needs and application infrastructure.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Ajax Security ==<br />
<br />
'''Instructor'''<br />
<br />
Brad Causey<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course will provide an introductory to AJAX, its inherent security issues, how to detect them, and how to resolve them.<br />
<br />
'''Audience'''<br />
<br />
Web Application Security Professionals<br />
<br />
'''Table of Contents<br />
'''<br />
* Introduction to AJAX<br />
* Security Issues with architecture<br />
* Toolkits<br />
* Toolkit Security Concerns<br />
* Bridges and Issues<br />
* Attacking AJAX<br />
* Defending AJAX<br />
* Securing the Code<br />
* Best Practices<br />
* Other Issues and Concerns<br />
* Q and A<br />
<br />
'''Course Specifics<br />
'''<br />
<br />
Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.<br />
<br />
== Flash Player Security ==<br />
<br />
'''Instructor'''<br />
<br />
Peleus Uhley<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course will provide an overview of the Flash Player security model and common architectures for Flash deployment. The course is targeted at people who need to understand the fundamentals of Flash Player security and how it will affect their website such as CSOs, web designers and web architects. The goal of the course is to provide the student with the enough information to architect a secure Flash deployment. The follow-on Auditing Flash Applications course will continue to build on this knowledge on an API by API level. <br />
<br />
'''Audience'''<br />
<br />
Web Application Security Professionals and those who make decisions or recommendations about Flash deployments.<br />
<br />
<br />
'''Course Specifics'''<br />
<br />
Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.<br />
<br />
== Auditing Flash Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Peleus Uhley<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course is a follow on to the Flash Player Security course for those who want to do a deep dive into the security of Flash applications. This course is targeted at Flash authors and web-site auditors who need to validate Flash code and provide meaningful recommendations and best practices for improving Flash deployments. The goal of the course is to provide the student with the tools and information to audit a Flash website and provide quality feedback on how to remediate any issues.<br />
<br />
'''Audience'''<br />
<br />
Flash Developers, Web Application Penetration Testers<br />
<br />
'''Course Specifics'''<br />
<br />
Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.<br />
== Testing Guide Training ==<br />
<br />
'''Instructor'''<br />
<br />
Matteo Meucci, Giorgio Fedon - Minded Security.<br />
<br />
'''Duration'''<br />
<br />
4h.<br />
<br />
'''Summary'''<br />
<br />
This course will discuss the new OWASP Testing Guide v3 methodology and the most relevant tests of the 66 total controls of the Guide. You can learn how to test a web application and how to write a report.<br />
<br />
'''Audience'''<br />
<br />
Software developers, security consultants, auditors.<br />
<br />
'''Table of Contents'''<br />
<br />
The course will discuss the methology and will analize the 9 sub-categories of the Testing Guide:<br />
<br />
* Configuration Management Testing<br />
* Business Logic Testing<br />
* Authentication Testing<br />
* Authorization testing<br />
* Session Management Testing<br />
* Data Validation Testing<br />
* Denial of Service Testing<br />
* Web Services Testing<br />
* Ajax Testing <br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.</div>Manopaulhttps://wiki.owasp.org/index.php?title=Manoranjan_(Mano)_Paul&diff=43240Manoranjan (Mano) Paul2008-10-14T03:42:01Z<p>Manopaul: </p>
<hr />
<div>[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Mano Paul</b> (CISSP, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at [http://www.securisksolutions.com SecuRisk Solutions] and [http://www.expresscertifications.com Express Certifications]. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP and SSCP. <br />
<br />
Before SecuRisk Solutions, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano is (ISC)<sup>2</sup>'s Software Assurance Advisor and an appointed Industry representative of Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university. <br />
<br />
Mano has been featured in various domestic and international security conferences, contributed to and published various security articles and is an invited speaker in the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress Conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.<br />
<br />
Mano holds the following professional certifications - CISSP, ECSA, LPT, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD) and the CompTIA Network+ certification.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_EU_Summit_2008_Training&diff=43215OWASP EU Summit 2008 Training2008-10-13T23:13:28Z<p>Manopaul: </p>
<hr />
<div>EU Summit 2008 Trainings<br />
<br />
cvent links to be added.<br />
<br />
Upon completion and scheduling, trainings will be copied over from [[OWASP EU Summit 2008 Training (Courses to be Approved)]]<br />
<br />
Back to [[OWASP EU Summit 2008]]<br />
<br />
== WebAppSec for Managers and Executives - The Road Less Travelled ==<br />
<br />
'''Instructor'''<br />
<br />
[https://www.owasp.org/index.php/User:Manopaul Mano Paul]<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
With the financial turn tables of major corporations resting on web applications that connect businesses, transmit and store sensitive financial and personal transaction, combined with the ubiquitous nature of the web; it is imperative that web applications that are designed, architected and developed are secure.<br />
<br />
What do you think Shakespeare had to say about Software Security? What does an naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more … The Road Less Travelled by renowned poet, Robert Frost ends by with the statement "And that has made all the difference". Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective that would make ALL the difference for you and your company.<br />
<br />
'''Audience'''<br />
<br />
This session is for Management primarily and any stakeholder that needs to understand how understanding application security concepts can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert, you will all leave learning something new to lead your teams and help design the next generation of hack-resilient web applications. <br />
<br />
'''Table of Contents'''<br />
<br />
1. Introduction <br />
<br />
2. Changing Landscape<br />
<br />
3. Drivers of Web Application Security<br />
<br />
4. From the Boardroom to the Builder, Client to the Coder<br />
<br />
5. Regulations, Compliance and Security<br />
<br />
6. Information Security Management Top 10<br />
<br />
7. OWASP Top 10<br />
<br />
8. Software Security Concepts<br />
<br />
9. Security in the SDLC - Requirements to Release<br />
<br />
10. Software Risk Management <br />
<br />
11. Data Classification <br />
<br />
12. Common Web Application Threats and Vulnerabilities<br />
<br />
13. Security in an Outsourced World<br />
<br />
14. Web 2.0 Security<br />
<br />
15. Self Service Programs<br />
<br />
16. Awareness, Training, Education & Certification<br />
<br />
17. Information Security Framework<br />
<br />
'''Course Specifics'''<br />
<br />
No specific requirement. Come for a fun, interactive session that will cover the basic and advanced elements of web application security for executives and managers - the road less travelled, filled with exercises for the attendees to participate.<br />
<br />
== The Art and Science of Threat Modeling Web Applications ==<br />
<br />
'''Instructor'''<br />
<br />
[https://www.owasp.org/index.php/User:Manopaul Mano Paul]<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk. <br />
<br />
'''Audience'''<br />
<br />
This session is for Management, Technical (Developer, QA, Security ...) and Operational professionals and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications. <br />
<br />
'''Table of Contents'''<br />
<br />
1. Introduction <br />
<br />
2. Why Threat Model?<br />
<br />
3. Is Threat Modeling Right for You?<br />
<br />
4. Challenges<br />
<br />
5. Precursors<br />
<br />
6. Data Classification and Threat Modeling<br />
<br />
7. Web Application Security Mechanisms<br />
<br />
8. Benefits of Threat Modeling<br />
<br />
9. Common Glossary of Terms<br />
<br />
10. Threat Agents<br />
<br />
11. Threat Modeling Process<br />
<br />
12. Attack Trees<br />
<br />
13. STRIDE and DREAD<br />
<br />
14. Threat to Risk<br />
<br />
15. Threat Modeling (Exercise)<br />
<br />
'''Course Specifics'''<br />
<br />
No specific requirement. Come for a fun, hands-on, interactive session that will cover the basic and advanced elements of threat modeling, filled with exercises for the attendees to participate. <br />
<br />
<br />
== Web server/services hardening using SELinux ==<br />
<br />
'''Instructor'''<br />
<br />
Pavol Luptak<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
Security-Enhanced Linux (SELinux) is a FLASK implementation integrated in the Linux kernel with a number of utilities designed to provide mandatory access controls (MAC) through the use of Linux Security Modules (LSM) in the Linux kernel. SELinux generally supports many kinds of mandatory access control policies, including those based on the concepts of type enforcement, role-based access control, and multi-level security. <br />
<br />
A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).<br />
<br />
This training provides basic concepts of SELinux, its differences to classical UNIX/Linux systems, describe security advantages of mandatory access control policies and teach how to effectively and rapidly configure a fully functional LAMP environment on SELinux system.<br />
<br />
'''Audience'''<br />
<br />
Security consultants, system administators, programmers focused on system security<br />
<br />
'''Table of Contents'''<br />
<br />
1. SELinux history<br />
<br />
2. Unix/Linux DAC (Discretionary Access Control) and its problems<br />
<br />
3. MAC (Mandatory Access Control)<br />
<br />
4. Advantages of using MAC <br />
<br />
5. DTE (Domain Type Enforcement) model<br />
<br />
6. RBAC (Roles Based Access Control) model<br />
<br />
7. MLS (Multi Level Security) model<br />
<br />
8. SELinux FLASK Architecture<br />
<br />
9. SELinux policy (EXERCISE)<br />
<br />
10. File System Security Contexts (EXERCISE)<br />
<br />
11. SELinux Object Classes and Permissions<br />
<br />
12. TE (Type Enforcement) Rules (Attributes, Type Declaration, Type Transitions, Domain Type Transitions, Object Labeling Transitions, Access Vectors)<br />
<br />
13. Understanding AVC, log messages<br />
<br />
14. audit2allow and audit2why (EXERCISE)<br />
<br />
15. SELinux Troubleshoot Tool (EXERCISE)<br />
<br />
16. Auditing and Auditing tools<br />
<br />
17. Policy Macros<br />
<br />
18. Backtracking rule (EXERCISE)<br />
<br />
19. SELinux Users, Roles, MLS Levels<br />
<br />
20. Strict Policy<br />
<br />
21. Targeted Policy<br />
<br />
22. SELinux Booleans and their use for Apache web server (EXERCISE)<br />
<br />
23. Files and Directories in Targeted Policy, common SELinux Macros (EXERCISE)<br />
<br />
24. Analyzing Example Policy - apache.te (EXERCISE)<br />
<br />
25. Assigning Object and Process Types <br />
<br />
26. SELinux Booting<br />
<br />
27. Copying and moving files, checking security contexts, relabeling a file and directory's security context (EXERCISE)<br />
<br />
28. Policy core utilities<br />
<br />
29. Managing File Labeling, Relabeling a File System (EXERCISE)<br />
<br />
30. SELinux Administrator GUI (EXERCISE)<br />
<br />
31. SELinux Modules (EXERCISE)<br />
<br />
32. Hardening existing LAMP environments using SELinux (EXERCISE)<br />
<br />
33. Writing New Policy for a Daemon (EXERCISE for clever students)<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop. Each student will have own SELinux virtual machine for his experiments.<br />
<br />
== Secure Programming with Java ==<br />
<br />
'''Instructor'''<br />
<br />
Lucas C. Ferreira<br />
<br />
'''Duration'''<br />
<br />
1 Day<br />
<br />
'''Summary'''<br />
<br />
This training class will present best practices of secure programming in the Java language. It includes Java specific practices (i.e. how to avoid problems that arise from the compilation of Java source code to the bytecode language used by the JVM) and practices that may arise in other programming languages (with examples in Java). Some tools that may be used to verify the security of Java code and systems will be shown.<br />
<br />
The topics include a quick overview of the OWASP Top 10, in order to contextualize the practices presented, and several best practices aimed at the different software layers. At the presentation layer, we focus on input validation, access control issues and dealing with exceptions. At the business objects layer, the practices deal with cloning and serialization issues. Practices to prevent command injection are presented at the persistence layer. Practices that should be used throughout all the software are also presented, including input data validation, class and method visibility, using and storing secrets, dealing with inner classes, overflows and boxing, and object initialization.<br />
<br />
'''Audience'''<br />
<br />
Java web application developers. This training requires basic understanding of web applications and an intermediate level of proficiency in the Java language and Object Oriented concepts. People with interest in other OO languages may also benefit from this training, but specific techniques, examples and tools used are targeted to Java.<br />
<br />
'''Table of Contents'''<br />
<br />
# OWASP Top 10 - quick overview<br />
# Secure Programming Best Practices<br />
## Presentation layer<br />
### Preventing cross-site scripting<br />
### Access control<br />
### Request validation<br />
### Error treatment<br />
## Business object layer<br />
### Cloning and serialization issues<br />
## Persistence layer<br />
### Command injection issues<br />
### Database access users and permissions<br />
### file manipulation<br />
## Infra-structure layer<br />
### J2EE container-related best practices<br />
### Native method issues<br />
### SSL and encryption<br />
## Practices for all software layers<br />
### Data validation<br />
### Garbage collection issues<br />
### Classes and method scoping<br />
### Use of secrets<br />
### Inner class issues<br />
### Over/underflow and boxing issues<br />
# Tools<br />
## Code review tool<br />
## Data flow tool<br />
## Pen-testing tool<br />
<br />
'''Course Specifics'''<br />
<br />
Laptop not required.<br />
<br />
== OWASP Top 10 - What Developers Should Know on Web Application Security ==<br />
<br />
'''Instructor'''<br />
<br />
Sebastien Deleersnyder and Martin Knobloch<br />
<br />
'''Duration'''<br />
<br />
4 h<br />
To be scheduled on Tuesday.<br />
<br />
'''Summary'''<br />
<br />
Application security is an essential component of any successful project; this includes web applications, open source PHP applications, web services and proprietary business web sites.<br />
Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of development or deployment organizations have specific needs and requirements regarding web application security education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.<br />
<br />
The OWASP Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.<br />
This Education Track provides in a 4 hour session covering what developers should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or re mediated. A secure coding initiative must deal with all stages of a program’s life cycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Particularly for developers good secure development practices are covered in a separate topic. Finally the track finishes with an exhaustive list of web application security resources for web application developers.<br />
<br />
'''Audience'''<br />
<br />
Web application developers who are unaware there are security issues with contemporary web applications. No prior knowledge of web application security is assumed nor necessary. This track is independent of the coding language or web frameworks used; like PHP, JSF, Java EE or .NET. We must realize that web application developers are only one link - albeit an important one - of the chain that represents the security of a web application. This track aims to make that link as secure as possible, given the constraint of 4 hours. Another important aspect is that web application security should be tailored to the risk profile of an organization and the specific development environment of that organization.<br />
<br />
'''Table of Contents'''<br />
<br />
The challenge is to cover web application security in 4 hours to a web application developer. This is presented in such a way that the developers will be able to recognize and correct web application vulnerabilities in their projects. <br />
<br />
* [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min) ([http://www.owasp.org/images/5/58/Education_Module_Why_WebAppSec_Matters.ppt direct link])<br />
:This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.<br />
:*What goes wrong<br />
:*WebAppSec Defined<br />
:*Current trends<br />
* [[Education_Module_OWASP_Top_10_Introduction_and_Remedies|OWASP Top 10 Introduction & Remedies]] (90 min) ([http://www.owasp.org/images/b/b8/Education_Module_OWASP_Top_10_Introduction_and_Remedies.ppt direct link])<br />
:The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.<br />
:*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]<br />
:*Injection Flaws<br />
:*Malicious File Execution<br />
:*Insecure Direct Object Reference<br />
:*Cross Site Request Forgery (CSRF)<br />
:*Information Leakage and Improper Error Handling<br />
:*Broken Authentication and Session Management<br />
:*Insecure Cryptographic Storage<br />
:*Insecure Communications<br />
:*Failure to Restrict URL Access<br />
*[[Education Module Embed within SDLC|Embed within SDLC]] (People, Processes & Tools) (20 min) ([http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt direct link])<br />
:There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.<br />
:*People Awareness and Education<br />
:*Development WebAppSec Controls<br />
:*Deployment WebAppSec Controls<br />
:*WebAppSec Tools<br />
*[[Education Module Good Secure Development Practices|Good Secure Development Practices]] (70 min) ([http://www.owasp.org/images/5/57/Education_Module_Good_Secure_Development_Practices.ppt direct link])<br />
:Next to the Top 10 remedies this module provides some good secure development practices from the OWASP Guide, covering e.g.<br />
:*Validating User Input <br />
:*Authentication<br />
:*Authorization<br />
:*Session Management<br />
:*Using Interpreters<br />
:*Crypto<br />
:*Catching Errors<br />
:*File System<br />
:*Configuration<br />
:*Web 2.0<br />
*[[Education Module Testing for Vulnerabilities|Testing for Vulnerabilities]] (20 min) ([http://www.owasp.org/images/4/49/Education_Module_Testing_for_Vulnerabilities.ppt direct link])<br />
:One important aspect is to test for application vulnerabilities. During this short module an introduction is provided together with some WebGoat test cases.<br />
:*Testing for application vulnerabilities<br />
:*The OWASP Testing Guide<br />
:*WebGoat demonstrated<br />
*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min) ([http://www.owasp.org/images/f/fe/Education_Module_Good_WebAppSec_Resources.ppt direct link])<br />
:This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.<br />
:*Hard Copy<br />
:*Web Sites<br />
:*Mailing lists<br />
:*Blogs<br />
*Roundup (10 min)<br />
<br />
[[Category:OWASP Education Project]]<br />
<br />
'''Course Specifics'''<br />
<br />
No specific prerequisites.<br />
<br />
<br />
<br />
== Classic ASP Security using OWASP tools ==<br />
<br />
'''Instructor'''<br />
<br />
Juan Carlos Calderon<br />
<br />
'''Duration'''<br />
<br />
1 day <br />
<br />
'''Summary'''<br />
<br />
Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place”.<br />
<br />
'''Audience'''<br />
<br />
People involved in development/maintenance of Classic ASP applications at all levels, including developers, Application Architects, testers, etc.<br />
<br />
'''Table of Contents'''<br />
<br />
*Secure programming on ASP using [[ESAPI|OWASP ESAPI]]<br />
*Auditing ASP code with [[:Category:OWASP_Code_Review_Project|Code Review Project]] checklist<br />
*Implementing [[:Category:OWASP_Stinger_Project|OWASP Stinger]] protection for Classic ASP <br />
*Complementary security best practices.<br />
<br />
'''Course Specifics'''<br />
<br />
None. Keep posted for changes on the table of contents and course specifics.<br />
<br />
== Web Application Assessments ==<br />
<br />
'''Instructor'''<br />
<br />
Vicente Aguilera Diaz<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
As in the physical world, the "professionals" attackers spend most of their time to analysing its objective and try to gather as much information as possible about it. The more information becomes available and is more detailed and accurate, the attack is more likely to succeed.<br />
<br />
The aim of this course is to identify patterns and tools to perform this analysis (step prior to the attack), and is supplemented by a case study on a practical application.<br />
<br />
'''Audience'''<br />
<br />
Software developers, security consultants, system administrators and people loving security.<br />
<br />
'''Table of Contents'''<br />
<br />
# Introduction<br />
# Web Application Discovery<br />
# Gathering information on the target web application<br />
## Search Engines<br />
## Interaction with external entities and information services<br />
## Analysis of existing information in the web application (public information, information leaks, causing errors, etc.).<br />
# Knowing / Understand the target<br />
## Identifying characteristics (technologies, platforms, user profiles, features, etc.).<br />
## Analysis of infrastructure components: databases, Web servers, application servers, authentication servers, etc.). Detection and identification.<br />
## Identification of the exposition area<br />
# Analysis of attack vectors and vulnerabilities exploitation<br />
# Case Study<br />
## Assessment of an webmail application <br />
## Vulnerability exploitation: IMAP / SMTP Injection<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.<br />
<br />
== Hacking Owasp Orizon Project v1.0 ==<br />
<br />
'''Instructor'''<br />
<br />
Paolo Perego<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
In the course it will be presented Owasp Orizon v1.0 framework. The major APIs will be fully explained and it will be built a simple scanning tool using the Orizon framework.<br />
<br />
The course goal is to let people fully understand Orizon internals and let people understand how to use the framework in a real world.<br />
<br />
'''Audience'''<br />
<br />
Security specialist, code reviewers and curious developers<br />
<br />
'''Table of Contents'''<br />
<br />
* Owasp Orizon Internals<br />
** Translation engine<br />
** Owasp Orizon XML project<br />
*** XML used in writing security checks<br />
*** XML used in translation phase<br />
** Static analysis engine<br />
** Crawling engine<br />
** Reporting engine<br />
* Create a simple tool using Orizon<br />
<br />
'''Course Specifics'''<br />
<br />
People have to bring their own laptop with latest Owasp Orizon version, J2SE 1.6 or later and a Java IDE (e.g. eclipse) is also feasible.<br />
<br />
== Securing WebGoat with ModSecurity ==<br />
<br />
'''Instructor'''<br />
<br />
Stephen Craig Evans<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
ModSecurity, normally a tool of the network security group, has capabilities that can allow a software security specialist with programming skills to mitigate business logic flaws and other vulnerabilities that are out-of-reach of basic blacklists.<br />
<br />
This 4 hour course covers the highlights of the Summer of Code 2008 project, "Securing WebGoat using ModSecurity" (please see https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project and the project wiki).<br />
<br />
'''Audience'''<br />
<br />
* Users of ModSecurity that want to learn how it can be leveraged beyond the basic rule sets in order to mitigate vulnerabilities in areas such as authentication, AJAX, and output sanitization<br />
* Web application specialists, especially pentesters, who want to learn how ModSecurity can offer an additional remedial solution to customers when the application cannot be touched<br />
* Curious people that are wondering what the hell this project is about<br />
<br />
'''Table of Contents'''<br />
<br />
* ModSecurity basics<br />
* WebGoat overview<br />
* A walkthrough of the "Securing WebGoat using ModSecurity" Summer of Code 2008 project<br />
* Mitigating WebGoat vulnerabilities using the ModSecurity core rule set<br />
* Using ModSecurity's Lua scripting language:<br />
** For its programming capabilities (including re-building the Lua library to include 3rd party functionality)<br />
** To implement configuration files<br />
** For global persistence<br />
** And much, much, more...<br />
* Using ModSecurity's Javascript injection (prepend and append):<br />
** To substitute/override/extend existing Javascript functions<br />
** To enhance the user experience when implementing a ModSecurity solution on the back end such as an authentication mechanism <br />
* Using ModSecurity's session collection, Lua script, and Javascript injection together to mitigate almost any vulnerability<br />
<br />
'''Course Specifics'''<br />
<br />
Demos (including strategy and implementation) of the most interesting lesson solutions will be shown.<br />
<br />
== How to Win AppSec Hacking Contests and Deploy Better Web Applications ==<br />
<br />
'''Instructors'''<br />
<br />
Lann Martin and Lebbeous Fogle-Weekley - ''winners of the CTF contest at OWASP AppSec NYC '08''<br />
<br />
'''Duration'''<br />
<br />
4 hours<br />
<br />
'''Summary'''<br />
<br />
This class will demonstrate how an attacker approaches potentially<br />
vulnerable web applications, taking advantage of both poor server<br />
configuration and poor application implementation to discover and exploit<br />
vulnerabilities of several types.<br />
<br />
'''Audience'''<br />
<br />
Web application developers and penetration testers of intermediate<br />
skill.<br />
<br />
'''Table of Contents'''<br />
<br />
''This table of contents is a work in progress''<br />
* The trouble with verbose error messages<br />
* The right way and the wrong way to escape input to prevent SQL injection<br />
* The right way and the wrong way to encode output to prevent XSS<br />
* More bad practices to avoid<br />
* More good practices to maintain<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop to participate in attacks on sample<br />
web applications. Firefox is the preferred browser for exploiting web<br />
applications. Automated scanning tools are out of scope for this class.<br />
<br />
== Uncovering WebScarab's Secret Treasures ==<br />
<br />
'''Instructor'''<br />
<br />
Rogan Dawes<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
OWASP WebScarab has a lot of hidden features that probably no one but the author really knows about. This in depth hands on session will show delegates how to access these features, and how to use them to their full potential.<br />
<br />
'''Audience'''<br />
<br />
Application reviewers, developers<br />
<br />
'''Table of Contents'''<br />
<br />
* Using the spider<br />
* Manual Request Transforms<br />
* What is the XSS/CRLF plugin, and how does it work?<br />
* Using the Fuzzer<br />
* Comparing Responses<br />
* Searching WebScarab history<br />
* Exploring the Beanshell<br />
** Writing Proxy Intercept scripts<br />
** Writing Script Manager Scripts<br />
** Writing other scripts<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop<br />
<br />
<br />
<br />
== Advanced Web Application Security Testing ==<br />
<br />
'''Instructor'''<br />
<br />
Michael Coates, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
2 days.<br />
<br />
'''Summary'''<br />
<br />
While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web 2.0 Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Arshan Dabirsiaghi, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
Web 2.0 applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. this one day training addresses the special issues that arise in this type of application development.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web Services ==<br />
<br />
'''Instructor'''<br />
<br />
Dave Wichers, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
2 days.<br />
<br />
'''Summary'''<br />
<br />
The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. this session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identify servers and related software. Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web Applications with OWASP's Enterprise Security API (ESAPI) ==<br />
<br />
'''Instructor'''<br />
<br />
Jeff Williams, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
This course will teach you about OWASP's new Enterprise Security API (ESAPI), what it is composed of, and how to use it to improve the security and reduce the cost of developing those applications. This class covers each interface within the API, how it is intended to be used, and what the benefits are of using this interface, over other techniques for addressing the same security concerns.<br />
<br />
The course also discusses how to bring ESAPI into your organization and how to tailor it for your organization specific needs and application infrastructure.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Ajax Security ==<br />
<br />
'''Instructor'''<br />
<br />
Brad Causey<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course will provide an introductory to AJAX, its inherent security issues, how to detect them, and how to resolve them.<br />
<br />
'''Audience'''<br />
<br />
Web Application Security Professionals<br />
<br />
'''Table of Contents<br />
'''<br />
* Introduction to AJAX<br />
* Security Issues with architecture<br />
* Toolkits<br />
* Toolkit Security Concerns<br />
* Bridges and Issues<br />
* Attacking AJAX<br />
* Defending AJAX<br />
* Securing the Code<br />
* Best Practices<br />
* Other Issues and Concerns<br />
* Q and A<br />
<br />
'''Course Specifics<br />
'''<br />
<br />
Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.<br />
<br />
== Flash Player Security ==<br />
<br />
'''Instructor'''<br />
<br />
Peleus Uhley<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course will provide an overview of the Flash Player security model and common architectures for Flash deployment. The course is targeted at people who need to understand the fundamentals of Flash Player security and how it will affect their website such as CSOs, web designers and web architects. The goal of the course is to provide the student with the enough information to architect a secure Flash deployment. The follow-on Auditing Flash Applications course will continue to build on this knowledge on an API by API level. <br />
<br />
'''Audience'''<br />
<br />
Web Application Security Professionals and those who make decisions or recommendations about Flash deployments.<br />
<br />
<br />
'''Course Specifics'''<br />
<br />
Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.<br />
<br />
== Auditing Flash Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Peleus Uhley<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course is a follow on to the Flash Player Security course for those who want to do a deep dive into the security of Flash applications. This course is targeted at Flash authors and web-site auditors who need to validate Flash code and provide meaningful recommendations and best practices for improving Flash deployments. The goal of the course is to provide the student with the tools and information to audit a Flash website and provide quality feedback on how to remediate any issues.<br />
<br />
'''Audience'''<br />
<br />
Flash Developers, Web Application Penetration Testers<br />
<br />
'''Course Specifics'''<br />
<br />
Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.<br />
== Testing Guide Training ==<br />
<br />
'''Instructor'''<br />
<br />
Matteo Meucci, Giorgio Fedon - Minded Security.<br />
<br />
'''Duration'''<br />
<br />
4h.<br />
<br />
'''Summary'''<br />
<br />
This course will discuss the new OWASP Testing Guide v3 methodology and the most relevant tests of the 66 total controls of the Guide. You can learn how to test a web application and how to write a report.<br />
<br />
'''Audience'''<br />
<br />
Software developers, security consultants, auditors.<br />
<br />
'''Table of Contents'''<br />
<br />
The course will discuss the methology and will analize the 9 sub-categories of the Testing Guide:<br />
<br />
* Configuration Management Testing<br />
* Business Logic Testing<br />
* Authentication Testing<br />
* Authorization testing<br />
* Session Management Testing<br />
* Data Validation Testing<br />
* Denial of Service Testing<br />
* Web Services Testing<br />
* Ajax Testing <br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_EU_Summit_2008_Training&diff=43214OWASP EU Summit 2008 Training2008-10-13T23:10:26Z<p>Manopaul: </p>
<hr />
<div>EU Summit 2008 Trainings<br />
<br />
cvent links to be added.<br />
<br />
Upon completion and scheduling, trainings will be copied over from [[OWASP EU Summit 2008 Training (Courses to be Approved)]]<br />
<br />
Back to [[OWASP EU Summit 2008]]<br />
<br />
== WebAppSec for Managers and Executives - The Road Less Travelled ==<br />
<br />
'''Instructor'''<br />
<br />
Mano Paul<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
With the financial turn tables of major corporations resting on web applications that connect businesses, transmit and store sensitive financial and personal transaction, combined with the ubiquitous nature of the web; it is imperative that web applications that are designed, architected and developed are secure.<br />
<br />
What do you think Shakespeare had to say about Software Security? What does an naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more … The Road Less Travelled by renowned poet, Robert Frost ends by with the statement "And that has made all the difference". Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective that would make ALL the difference for you and your company.<br />
<br />
'''Audience'''<br />
<br />
This session is for Management primarily and any stakeholder that needs to understand how understanding application security concepts can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert, you will all leave learning something new to lead your teams and help design the next generation of hack-resilient web applications. <br />
<br />
'''Table of Contents'''<br />
<br />
1. Introduction <br />
<br />
2. Changing Landscape<br />
<br />
3. Drivers of Web Application Security<br />
<br />
4. From the Boardroom to the Builder, Client to the Coder<br />
<br />
5. Regulations, Compliance and Security<br />
<br />
6. Information Security Management Top 10<br />
<br />
7. OWASP Top 10<br />
<br />
8. Software Security Concepts<br />
<br />
9. Security in the SDLC - Requirements to Release<br />
<br />
10. Software Risk Management <br />
<br />
11. Data Classification <br />
<br />
12. Common Web Application Threats and Vulnerabilities<br />
<br />
13. Security in an Outsourced World<br />
<br />
14. Web 2.0 Security<br />
<br />
15. Self Service Programs<br />
<br />
16. Awareness, Training, Education & Certification<br />
<br />
17. Information Security Framework<br />
<br />
'''Course Specifics'''<br />
<br />
No specific requirement. Come for a fun, interactive session that will cover the basic and advanced elements of web application security for executives and managers - the road less travelled, filled with exercises for the attendees to participate.<br />
<br />
== The Art and Science of Threat Modeling Web Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Mano Paul<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk. <br />
<br />
'''Audience'''<br />
<br />
This session is for Management, Technical (Developer, QA, Security ...) and Operational professionals and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications. <br />
<br />
'''Table of Contents'''<br />
<br />
1. Introduction <br />
<br />
2. Why Threat Model?<br />
<br />
3. Is Threat Modeling Right for You?<br />
<br />
4. Challenges<br />
<br />
5. Precursors<br />
<br />
6. Data Classification and Threat Modeling<br />
<br />
7. Web Application Security Mechanisms<br />
<br />
8. Benefits of Threat Modeling<br />
<br />
9. Common Glossary of Terms<br />
<br />
10. Threat Agents<br />
<br />
11. Threat Modeling Process<br />
<br />
12. Attack Trees<br />
<br />
13. STRIDE and DREAD<br />
<br />
14. Threat to Risk<br />
<br />
15. Threat Modeling (Exercise)<br />
<br />
'''Course Specifics'''<br />
<br />
No specific requirement. Come for a fun, hands-on, interactive session that will cover the basic and advanced elements of threat modeling, filled with exercises for the attendees to participate. <br />
<br />
<br />
== Web server/services hardening using SELinux ==<br />
<br />
'''Instructor'''<br />
<br />
Pavol Luptak<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
Security-Enhanced Linux (SELinux) is a FLASK implementation integrated in the Linux kernel with a number of utilities designed to provide mandatory access controls (MAC) through the use of Linux Security Modules (LSM) in the Linux kernel. SELinux generally supports many kinds of mandatory access control policies, including those based on the concepts of type enforcement, role-based access control, and multi-level security. <br />
<br />
A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).<br />
<br />
This training provides basic concepts of SELinux, its differences to classical UNIX/Linux systems, describe security advantages of mandatory access control policies and teach how to effectively and rapidly configure a fully functional LAMP environment on SELinux system.<br />
<br />
'''Audience'''<br />
<br />
Security consultants, system administators, programmers focused on system security<br />
<br />
'''Table of Contents'''<br />
<br />
1. SELinux history<br />
<br />
2. Unix/Linux DAC (Discretionary Access Control) and its problems<br />
<br />
3. MAC (Mandatory Access Control)<br />
<br />
4. Advantages of using MAC <br />
<br />
5. DTE (Domain Type Enforcement) model<br />
<br />
6. RBAC (Roles Based Access Control) model<br />
<br />
7. MLS (Multi Level Security) model<br />
<br />
8. SELinux FLASK Architecture<br />
<br />
9. SELinux policy (EXERCISE)<br />
<br />
10. File System Security Contexts (EXERCISE)<br />
<br />
11. SELinux Object Classes and Permissions<br />
<br />
12. TE (Type Enforcement) Rules (Attributes, Type Declaration, Type Transitions, Domain Type Transitions, Object Labeling Transitions, Access Vectors)<br />
<br />
13. Understanding AVC, log messages<br />
<br />
14. audit2allow and audit2why (EXERCISE)<br />
<br />
15. SELinux Troubleshoot Tool (EXERCISE)<br />
<br />
16. Auditing and Auditing tools<br />
<br />
17. Policy Macros<br />
<br />
18. Backtracking rule (EXERCISE)<br />
<br />
19. SELinux Users, Roles, MLS Levels<br />
<br />
20. Strict Policy<br />
<br />
21. Targeted Policy<br />
<br />
22. SELinux Booleans and their use for Apache web server (EXERCISE)<br />
<br />
23. Files and Directories in Targeted Policy, common SELinux Macros (EXERCISE)<br />
<br />
24. Analyzing Example Policy - apache.te (EXERCISE)<br />
<br />
25. Assigning Object and Process Types <br />
<br />
26. SELinux Booting<br />
<br />
27. Copying and moving files, checking security contexts, relabeling a file and directory's security context (EXERCISE)<br />
<br />
28. Policy core utilities<br />
<br />
29. Managing File Labeling, Relabeling a File System (EXERCISE)<br />
<br />
30. SELinux Administrator GUI (EXERCISE)<br />
<br />
31. SELinux Modules (EXERCISE)<br />
<br />
32. Hardening existing LAMP environments using SELinux (EXERCISE)<br />
<br />
33. Writing New Policy for a Daemon (EXERCISE for clever students)<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop. Each student will have own SELinux virtual machine for his experiments.<br />
<br />
== Secure Programming with Java ==<br />
<br />
'''Instructor'''<br />
<br />
Lucas C. Ferreira<br />
<br />
'''Duration'''<br />
<br />
1 Day<br />
<br />
'''Summary'''<br />
<br />
This training class will present best practices of secure programming in the Java language. It includes Java specific practices (i.e. how to avoid problems that arise from the compilation of Java source code to the bytecode language used by the JVM) and practices that may arise in other programming languages (with examples in Java). Some tools that may be used to verify the security of Java code and systems will be shown.<br />
<br />
The topics include a quick overview of the OWASP Top 10, in order to contextualize the practices presented, and several best practices aimed at the different software layers. At the presentation layer, we focus on input validation, access control issues and dealing with exceptions. At the business objects layer, the practices deal with cloning and serialization issues. Practices to prevent command injection are presented at the persistence layer. Practices that should be used throughout all the software are also presented, including input data validation, class and method visibility, using and storing secrets, dealing with inner classes, overflows and boxing, and object initialization.<br />
<br />
'''Audience'''<br />
<br />
Java web application developers. This training requires basic understanding of web applications and an intermediate level of proficiency in the Java language and Object Oriented concepts. People with interest in other OO languages may also benefit from this training, but specific techniques, examples and tools used are targeted to Java.<br />
<br />
'''Table of Contents'''<br />
<br />
# OWASP Top 10 - quick overview<br />
# Secure Programming Best Practices<br />
## Presentation layer<br />
### Preventing cross-site scripting<br />
### Access control<br />
### Request validation<br />
### Error treatment<br />
## Business object layer<br />
### Cloning and serialization issues<br />
## Persistence layer<br />
### Command injection issues<br />
### Database access users and permissions<br />
### file manipulation<br />
## Infra-structure layer<br />
### J2EE container-related best practices<br />
### Native method issues<br />
### SSL and encryption<br />
## Practices for all software layers<br />
### Data validation<br />
### Garbage collection issues<br />
### Classes and method scoping<br />
### Use of secrets<br />
### Inner class issues<br />
### Over/underflow and boxing issues<br />
# Tools<br />
## Code review tool<br />
## Data flow tool<br />
## Pen-testing tool<br />
<br />
'''Course Specifics'''<br />
<br />
Laptop not required.<br />
<br />
== OWASP Top 10 - What Developers Should Know on Web Application Security ==<br />
<br />
'''Instructor'''<br />
<br />
Sebastien Deleersnyder and Martin Knobloch<br />
<br />
'''Duration'''<br />
<br />
4 h<br />
To be scheduled on Tuesday.<br />
<br />
'''Summary'''<br />
<br />
Application security is an essential component of any successful project; this includes web applications, open source PHP applications, web services and proprietary business web sites.<br />
Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of development or deployment organizations have specific needs and requirements regarding web application security education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.<br />
<br />
The OWASP Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.<br />
This Education Track provides in a 4 hour session covering what developers should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or re mediated. A secure coding initiative must deal with all stages of a program’s life cycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Particularly for developers good secure development practices are covered in a separate topic. Finally the track finishes with an exhaustive list of web application security resources for web application developers.<br />
<br />
'''Audience'''<br />
<br />
Web application developers who are unaware there are security issues with contemporary web applications. No prior knowledge of web application security is assumed nor necessary. This track is independent of the coding language or web frameworks used; like PHP, JSF, Java EE or .NET. We must realize that web application developers are only one link - albeit an important one - of the chain that represents the security of a web application. This track aims to make that link as secure as possible, given the constraint of 4 hours. Another important aspect is that web application security should be tailored to the risk profile of an organization and the specific development environment of that organization.<br />
<br />
'''Table of Contents'''<br />
<br />
The challenge is to cover web application security in 4 hours to a web application developer. This is presented in such a way that the developers will be able to recognize and correct web application vulnerabilities in their projects. <br />
<br />
* [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min) ([http://www.owasp.org/images/5/58/Education_Module_Why_WebAppSec_Matters.ppt direct link])<br />
:This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.<br />
:*What goes wrong<br />
:*WebAppSec Defined<br />
:*Current trends<br />
* [[Education_Module_OWASP_Top_10_Introduction_and_Remedies|OWASP Top 10 Introduction & Remedies]] (90 min) ([http://www.owasp.org/images/b/b8/Education_Module_OWASP_Top_10_Introduction_and_Remedies.ppt direct link])<br />
:The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.<br />
:*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]<br />
:*Injection Flaws<br />
:*Malicious File Execution<br />
:*Insecure Direct Object Reference<br />
:*Cross Site Request Forgery (CSRF)<br />
:*Information Leakage and Improper Error Handling<br />
:*Broken Authentication and Session Management<br />
:*Insecure Cryptographic Storage<br />
:*Insecure Communications<br />
:*Failure to Restrict URL Access<br />
*[[Education Module Embed within SDLC|Embed within SDLC]] (People, Processes & Tools) (20 min) ([http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt direct link])<br />
:There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.<br />
:*People Awareness and Education<br />
:*Development WebAppSec Controls<br />
:*Deployment WebAppSec Controls<br />
:*WebAppSec Tools<br />
*[[Education Module Good Secure Development Practices|Good Secure Development Practices]] (70 min) ([http://www.owasp.org/images/5/57/Education_Module_Good_Secure_Development_Practices.ppt direct link])<br />
:Next to the Top 10 remedies this module provides some good secure development practices from the OWASP Guide, covering e.g.<br />
:*Validating User Input <br />
:*Authentication<br />
:*Authorization<br />
:*Session Management<br />
:*Using Interpreters<br />
:*Crypto<br />
:*Catching Errors<br />
:*File System<br />
:*Configuration<br />
:*Web 2.0<br />
*[[Education Module Testing for Vulnerabilities|Testing for Vulnerabilities]] (20 min) ([http://www.owasp.org/images/4/49/Education_Module_Testing_for_Vulnerabilities.ppt direct link])<br />
:One important aspect is to test for application vulnerabilities. During this short module an introduction is provided together with some WebGoat test cases.<br />
:*Testing for application vulnerabilities<br />
:*The OWASP Testing Guide<br />
:*WebGoat demonstrated<br />
*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min) ([http://www.owasp.org/images/f/fe/Education_Module_Good_WebAppSec_Resources.ppt direct link])<br />
:This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.<br />
:*Hard Copy<br />
:*Web Sites<br />
:*Mailing lists<br />
:*Blogs<br />
*Roundup (10 min)<br />
<br />
[[Category:OWASP Education Project]]<br />
<br />
'''Course Specifics'''<br />
<br />
No specific prerequisites.<br />
<br />
<br />
<br />
== Classic ASP Security using OWASP tools ==<br />
<br />
'''Instructor'''<br />
<br />
Juan Carlos Calderon<br />
<br />
'''Duration'''<br />
<br />
1 day <br />
<br />
'''Summary'''<br />
<br />
Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place”.<br />
<br />
'''Audience'''<br />
<br />
People involved in development/maintenance of Classic ASP applications at all levels, including developers, Application Architects, testers, etc.<br />
<br />
'''Table of Contents'''<br />
<br />
*Secure programming on ASP using [[ESAPI|OWASP ESAPI]]<br />
*Auditing ASP code with [[:Category:OWASP_Code_Review_Project|Code Review Project]] checklist<br />
*Implementing [[:Category:OWASP_Stinger_Project|OWASP Stinger]] protection for Classic ASP <br />
*Complementary security best practices.<br />
<br />
'''Course Specifics'''<br />
<br />
None. Keep posted for changes on the table of contents and course specifics.<br />
<br />
== Web Application Assessments ==<br />
<br />
'''Instructor'''<br />
<br />
Vicente Aguilera Diaz<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
As in the physical world, the "professionals" attackers spend most of their time to analysing its objective and try to gather as much information as possible about it. The more information becomes available and is more detailed and accurate, the attack is more likely to succeed.<br />
<br />
The aim of this course is to identify patterns and tools to perform this analysis (step prior to the attack), and is supplemented by a case study on a practical application.<br />
<br />
'''Audience'''<br />
<br />
Software developers, security consultants, system administrators and people loving security.<br />
<br />
'''Table of Contents'''<br />
<br />
# Introduction<br />
# Web Application Discovery<br />
# Gathering information on the target web application<br />
## Search Engines<br />
## Interaction with external entities and information services<br />
## Analysis of existing information in the web application (public information, information leaks, causing errors, etc.).<br />
# Knowing / Understand the target<br />
## Identifying characteristics (technologies, platforms, user profiles, features, etc.).<br />
## Analysis of infrastructure components: databases, Web servers, application servers, authentication servers, etc.). Detection and identification.<br />
## Identification of the exposition area<br />
# Analysis of attack vectors and vulnerabilities exploitation<br />
# Case Study<br />
## Assessment of an webmail application <br />
## Vulnerability exploitation: IMAP / SMTP Injection<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.<br />
<br />
== Hacking Owasp Orizon Project v1.0 ==<br />
<br />
'''Instructor'''<br />
<br />
Paolo Perego<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
In the course it will be presented Owasp Orizon v1.0 framework. The major APIs will be fully explained and it will be built a simple scanning tool using the Orizon framework.<br />
<br />
The course goal is to let people fully understand Orizon internals and let people understand how to use the framework in a real world.<br />
<br />
'''Audience'''<br />
<br />
Security specialist, code reviewers and curious developers<br />
<br />
'''Table of Contents'''<br />
<br />
* Owasp Orizon Internals<br />
** Translation engine<br />
** Owasp Orizon XML project<br />
*** XML used in writing security checks<br />
*** XML used in translation phase<br />
** Static analysis engine<br />
** Crawling engine<br />
** Reporting engine<br />
* Create a simple tool using Orizon<br />
<br />
'''Course Specifics'''<br />
<br />
People have to bring their own laptop with latest Owasp Orizon version, J2SE 1.6 or later and a Java IDE (e.g. eclipse) is also feasible.<br />
<br />
== Securing WebGoat with ModSecurity ==<br />
<br />
'''Instructor'''<br />
<br />
Stephen Craig Evans<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
ModSecurity, normally a tool of the network security group, has capabilities that can allow a software security specialist with programming skills to mitigate business logic flaws and other vulnerabilities that are out-of-reach of basic blacklists.<br />
<br />
This 4 hour course covers the highlights of the Summer of Code 2008 project, "Securing WebGoat using ModSecurity" (please see https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project and the project wiki).<br />
<br />
'''Audience'''<br />
<br />
* Users of ModSecurity that want to learn how it can be leveraged beyond the basic rule sets in order to mitigate vulnerabilities in areas such as authentication, AJAX, and output sanitization<br />
* Web application specialists, especially pentesters, who want to learn how ModSecurity can offer an additional remedial solution to customers when the application cannot be touched<br />
* Curious people that are wondering what the hell this project is about<br />
<br />
'''Table of Contents'''<br />
<br />
* ModSecurity basics<br />
* WebGoat overview<br />
* A walkthrough of the "Securing WebGoat using ModSecurity" Summer of Code 2008 project<br />
* Mitigating WebGoat vulnerabilities using the ModSecurity core rule set<br />
* Using ModSecurity's Lua scripting language:<br />
** For its programming capabilities (including re-building the Lua library to include 3rd party functionality)<br />
** To implement configuration files<br />
** For global persistence<br />
** And much, much, more...<br />
* Using ModSecurity's Javascript injection (prepend and append):<br />
** To substitute/override/extend existing Javascript functions<br />
** To enhance the user experience when implementing a ModSecurity solution on the back end such as an authentication mechanism <br />
* Using ModSecurity's session collection, Lua script, and Javascript injection together to mitigate almost any vulnerability<br />
<br />
'''Course Specifics'''<br />
<br />
Demos (including strategy and implementation) of the most interesting lesson solutions will be shown.<br />
<br />
== How to Win AppSec Hacking Contests and Deploy Better Web Applications ==<br />
<br />
'''Instructors'''<br />
<br />
Lann Martin and Lebbeous Fogle-Weekley - ''winners of the CTF contest at OWASP AppSec NYC '08''<br />
<br />
'''Duration'''<br />
<br />
4 hours<br />
<br />
'''Summary'''<br />
<br />
This class will demonstrate how an attacker approaches potentially<br />
vulnerable web applications, taking advantage of both poor server<br />
configuration and poor application implementation to discover and exploit<br />
vulnerabilities of several types.<br />
<br />
'''Audience'''<br />
<br />
Web application developers and penetration testers of intermediate<br />
skill.<br />
<br />
'''Table of Contents'''<br />
<br />
''This table of contents is a work in progress''<br />
* The trouble with verbose error messages<br />
* The right way and the wrong way to escape input to prevent SQL injection<br />
* The right way and the wrong way to encode output to prevent XSS<br />
* More bad practices to avoid<br />
* More good practices to maintain<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop to participate in attacks on sample<br />
web applications. Firefox is the preferred browser for exploiting web<br />
applications. Automated scanning tools are out of scope for this class.<br />
<br />
== Uncovering WebScarab's Secret Treasures ==<br />
<br />
'''Instructor'''<br />
<br />
Rogan Dawes<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
OWASP WebScarab has a lot of hidden features that probably no one but the author really knows about. This in depth hands on session will show delegates how to access these features, and how to use them to their full potential.<br />
<br />
'''Audience'''<br />
<br />
Application reviewers, developers<br />
<br />
'''Table of Contents'''<br />
<br />
* Using the spider<br />
* Manual Request Transforms<br />
* What is the XSS/CRLF plugin, and how does it work?<br />
* Using the Fuzzer<br />
* Comparing Responses<br />
* Searching WebScarab history<br />
* Exploring the Beanshell<br />
** Writing Proxy Intercept scripts<br />
** Writing Script Manager Scripts<br />
** Writing other scripts<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop<br />
<br />
<br />
<br />
== Advanced Web Application Security Testing ==<br />
<br />
'''Instructor'''<br />
<br />
Michael Coates, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
2 days.<br />
<br />
'''Summary'''<br />
<br />
While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web 2.0 Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Arshan Dabirsiaghi, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
Web 2.0 applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. this one day training addresses the special issues that arise in this type of application development.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web Services ==<br />
<br />
'''Instructor'''<br />
<br />
Dave Wichers, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
2 days.<br />
<br />
'''Summary'''<br />
<br />
The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. this session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identify servers and related software. Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web Applications with OWASP's Enterprise Security API (ESAPI) ==<br />
<br />
'''Instructor'''<br />
<br />
Jeff Williams, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
This course will teach you about OWASP's new Enterprise Security API (ESAPI), what it is composed of, and how to use it to improve the security and reduce the cost of developing those applications. This class covers each interface within the API, how it is intended to be used, and what the benefits are of using this interface, over other techniques for addressing the same security concerns.<br />
<br />
The course also discusses how to bring ESAPI into your organization and how to tailor it for your organization specific needs and application infrastructure.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Ajax Security ==<br />
<br />
'''Instructor'''<br />
<br />
Brad Causey<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course will provide an introductory to AJAX, its inherent security issues, how to detect them, and how to resolve them.<br />
<br />
'''Audience'''<br />
<br />
Web Application Security Professionals<br />
<br />
'''Table of Contents<br />
'''<br />
* Introduction to AJAX<br />
* Security Issues with architecture<br />
* Toolkits<br />
* Toolkit Security Concerns<br />
* Bridges and Issues<br />
* Attacking AJAX<br />
* Defending AJAX<br />
* Securing the Code<br />
* Best Practices<br />
* Other Issues and Concerns<br />
* Q and A<br />
<br />
'''Course Specifics<br />
'''<br />
<br />
Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.<br />
<br />
== Flash Player Security ==<br />
<br />
'''Instructor'''<br />
<br />
Peleus Uhley<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course will provide an overview of the Flash Player security model and common architectures for Flash deployment. The course is targeted at people who need to understand the fundamentals of Flash Player security and how it will affect their website such as CSOs, web designers and web architects. The goal of the course is to provide the student with the enough information to architect a secure Flash deployment. The follow-on Auditing Flash Applications course will continue to build on this knowledge on an API by API level. <br />
<br />
'''Audience'''<br />
<br />
Web Application Security Professionals and those who make decisions or recommendations about Flash deployments.<br />
<br />
<br />
'''Course Specifics'''<br />
<br />
Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.<br />
<br />
== Auditing Flash Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Peleus Uhley<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course is a follow on to the Flash Player Security course for those who want to do a deep dive into the security of Flash applications. This course is targeted at Flash authors and web-site auditors who need to validate Flash code and provide meaningful recommendations and best practices for improving Flash deployments. The goal of the course is to provide the student with the tools and information to audit a Flash website and provide quality feedback on how to remediate any issues.<br />
<br />
'''Audience'''<br />
<br />
Flash Developers, Web Application Penetration Testers<br />
<br />
'''Course Specifics'''<br />
<br />
Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.<br />
== Testing Guide Training ==<br />
<br />
'''Instructor'''<br />
<br />
Matteo Meucci, Giorgio Fedon - Minded Security.<br />
<br />
'''Duration'''<br />
<br />
4h.<br />
<br />
'''Summary'''<br />
<br />
This course will discuss the new OWASP Testing Guide v3 methodology and the most relevant tests of the 66 total controls of the Guide. You can learn how to test a web application and how to write a report.<br />
<br />
'''Audience'''<br />
<br />
Software developers, security consultants, auditors.<br />
<br />
'''Table of Contents'''<br />
<br />
The course will discuss the methology and will analize the 9 sub-categories of the Testing Guide:<br />
<br />
* Configuration Management Testing<br />
* Business Logic Testing<br />
* Authentication Testing<br />
* Authorization testing<br />
* Session Management Testing<br />
* Data Validation Testing<br />
* Denial of Service Testing<br />
* Web Services Testing<br />
* Ajax Testing <br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_EU_Summit_2008_Training&diff=43213OWASP EU Summit 2008 Training2008-10-13T23:05:07Z<p>Manopaul: </p>
<hr />
<div>EU Summit 2008 Trainings<br />
<br />
cvent links to be added.<br />
<br />
Upon completion and scheduling, trainings will be copied over from [[OWASP EU Summit 2008 Training (Courses to be Approved)]]<br />
<br />
Back to [[OWASP EU Summit 2008]]<br />
<br />
== The Art and Science of Threat Modeling Web Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Mano Paul<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk. <br />
<br />
'''Audience'''<br />
<br />
This session is for Management, Technical (Developer, QA, Security ...) and Operational professionals and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications. <br />
<br />
'''Table of Contents'''<br />
<br />
1. Introduction <br />
<br />
2. Why Threat Model?<br />
<br />
3. Is Threat Modeling Right for You?<br />
<br />
4. Challenges<br />
<br />
5. Precursors<br />
<br />
6. Data Classification and Threat Modeling<br />
<br />
7. Web Application Security Mechanisms<br />
<br />
8. Benefits of Threat Modeling<br />
<br />
9. Common Glossary of Terms<br />
<br />
10. Threat Agents<br />
<br />
11. Threat Modeling Process<br />
<br />
12. Attack Trees<br />
<br />
13. STRIDE and DREAD<br />
<br />
14. Threat to Risk<br />
<br />
15. Threat Modeling (Exercise)<br />
<br />
'''Course Specifics'''<br />
<br />
No specific requirement. Come for a fun, hands-on, interactive session that will cover the basic and advanced elements of threat modeling, filled with exercises for the attendees to participate. <br />
<br />
<br />
== Web server/services hardening using SELinux ==<br />
<br />
'''Instructor'''<br />
<br />
Pavol Luptak<br />
<br />
'''Duration'''<br />
<br />
1 day<br />
<br />
'''Summary'''<br />
<br />
Security-Enhanced Linux (SELinux) is a FLASK implementation integrated in the Linux kernel with a number of utilities designed to provide mandatory access controls (MAC) through the use of Linux Security Modules (LSM) in the Linux kernel. SELinux generally supports many kinds of mandatory access control policies, including those based on the concepts of type enforcement, role-based access control, and multi-level security. <br />
<br />
A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).<br />
<br />
This training provides basic concepts of SELinux, its differences to classical UNIX/Linux systems, describe security advantages of mandatory access control policies and teach how to effectively and rapidly configure a fully functional LAMP environment on SELinux system.<br />
<br />
'''Audience'''<br />
<br />
Security consultants, system administators, programmers focused on system security<br />
<br />
'''Table of Contents'''<br />
<br />
1. SELinux history<br />
<br />
2. Unix/Linux DAC (Discretionary Access Control) and its problems<br />
<br />
3. MAC (Mandatory Access Control)<br />
<br />
4. Advantages of using MAC <br />
<br />
5. DTE (Domain Type Enforcement) model<br />
<br />
6. RBAC (Roles Based Access Control) model<br />
<br />
7. MLS (Multi Level Security) model<br />
<br />
8. SELinux FLASK Architecture<br />
<br />
9. SELinux policy (EXERCISE)<br />
<br />
10. File System Security Contexts (EXERCISE)<br />
<br />
11. SELinux Object Classes and Permissions<br />
<br />
12. TE (Type Enforcement) Rules (Attributes, Type Declaration, Type Transitions, Domain Type Transitions, Object Labeling Transitions, Access Vectors)<br />
<br />
13. Understanding AVC, log messages<br />
<br />
14. audit2allow and audit2why (EXERCISE)<br />
<br />
15. SELinux Troubleshoot Tool (EXERCISE)<br />
<br />
16. Auditing and Auditing tools<br />
<br />
17. Policy Macros<br />
<br />
18. Backtracking rule (EXERCISE)<br />
<br />
19. SELinux Users, Roles, MLS Levels<br />
<br />
20. Strict Policy<br />
<br />
21. Targeted Policy<br />
<br />
22. SELinux Booleans and their use for Apache web server (EXERCISE)<br />
<br />
23. Files and Directories in Targeted Policy, common SELinux Macros (EXERCISE)<br />
<br />
24. Analyzing Example Policy - apache.te (EXERCISE)<br />
<br />
25. Assigning Object and Process Types <br />
<br />
26. SELinux Booting<br />
<br />
27. Copying and moving files, checking security contexts, relabeling a file and directory's security context (EXERCISE)<br />
<br />
28. Policy core utilities<br />
<br />
29. Managing File Labeling, Relabeling a File System (EXERCISE)<br />
<br />
30. SELinux Administrator GUI (EXERCISE)<br />
<br />
31. SELinux Modules (EXERCISE)<br />
<br />
32. Hardening existing LAMP environments using SELinux (EXERCISE)<br />
<br />
33. Writing New Policy for a Daemon (EXERCISE for clever students)<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop. Each student will have own SELinux virtual machine for his experiments.<br />
<br />
== Secure Programming with Java ==<br />
<br />
'''Instructor'''<br />
<br />
Lucas C. Ferreira<br />
<br />
'''Duration'''<br />
<br />
1 Day<br />
<br />
'''Summary'''<br />
<br />
This training class will present best practices of secure programming in the Java language. It includes Java specific practices (i.e. how to avoid problems that arise from the compilation of Java source code to the bytecode language used by the JVM) and practices that may arise in other programming languages (with examples in Java). Some tools that may be used to verify the security of Java code and systems will be shown.<br />
<br />
The topics include a quick overview of the OWASP Top 10, in order to contextualize the practices presented, and several best practices aimed at the different software layers. At the presentation layer, we focus on input validation, access control issues and dealing with exceptions. At the business objects layer, the practices deal with cloning and serialization issues. Practices to prevent command injection are presented at the persistence layer. Practices that should be used throughout all the software are also presented, including input data validation, class and method visibility, using and storing secrets, dealing with inner classes, overflows and boxing, and object initialization.<br />
<br />
'''Audience'''<br />
<br />
Java web application developers. This training requires basic understanding of web applications and an intermediate level of proficiency in the Java language and Object Oriented concepts. People with interest in other OO languages may also benefit from this training, but specific techniques, examples and tools used are targeted to Java.<br />
<br />
'''Table of Contents'''<br />
<br />
# OWASP Top 10 - quick overview<br />
# Secure Programming Best Practices<br />
## Presentation layer<br />
### Preventing cross-site scripting<br />
### Access control<br />
### Request validation<br />
### Error treatment<br />
## Business object layer<br />
### Cloning and serialization issues<br />
## Persistence layer<br />
### Command injection issues<br />
### Database access users and permissions<br />
### file manipulation<br />
## Infra-structure layer<br />
### J2EE container-related best practices<br />
### Native method issues<br />
### SSL and encryption<br />
## Practices for all software layers<br />
### Data validation<br />
### Garbage collection issues<br />
### Classes and method scoping<br />
### Use of secrets<br />
### Inner class issues<br />
### Over/underflow and boxing issues<br />
# Tools<br />
## Code review tool<br />
## Data flow tool<br />
## Pen-testing tool<br />
<br />
'''Course Specifics'''<br />
<br />
Laptop not required.<br />
<br />
== OWASP Top 10 - What Developers Should Know on Web Application Security ==<br />
<br />
'''Instructor'''<br />
<br />
Sebastien Deleersnyder and Martin Knobloch<br />
<br />
'''Duration'''<br />
<br />
4 h<br />
To be scheduled on Tuesday.<br />
<br />
'''Summary'''<br />
<br />
Application security is an essential component of any successful project; this includes web applications, open source PHP applications, web services and proprietary business web sites.<br />
Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of development or deployment organizations have specific needs and requirements regarding web application security education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.<br />
<br />
The OWASP Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.<br />
This Education Track provides in a 4 hour session covering what developers should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or re mediated. A secure coding initiative must deal with all stages of a program’s life cycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Particularly for developers good secure development practices are covered in a separate topic. Finally the track finishes with an exhaustive list of web application security resources for web application developers.<br />
<br />
'''Audience'''<br />
<br />
Web application developers who are unaware there are security issues with contemporary web applications. No prior knowledge of web application security is assumed nor necessary. This track is independent of the coding language or web frameworks used; like PHP, JSF, Java EE or .NET. We must realize that web application developers are only one link - albeit an important one - of the chain that represents the security of a web application. This track aims to make that link as secure as possible, given the constraint of 4 hours. Another important aspect is that web application security should be tailored to the risk profile of an organization and the specific development environment of that organization.<br />
<br />
'''Table of Contents'''<br />
<br />
The challenge is to cover web application security in 4 hours to a web application developer. This is presented in such a way that the developers will be able to recognize and correct web application vulnerabilities in their projects. <br />
<br />
* [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min) ([http://www.owasp.org/images/5/58/Education_Module_Why_WebAppSec_Matters.ppt direct link])<br />
:This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.<br />
:*What goes wrong<br />
:*WebAppSec Defined<br />
:*Current trends<br />
* [[Education_Module_OWASP_Top_10_Introduction_and_Remedies|OWASP Top 10 Introduction & Remedies]] (90 min) ([http://www.owasp.org/images/b/b8/Education_Module_OWASP_Top_10_Introduction_and_Remedies.ppt direct link])<br />
:The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.<br />
:*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]<br />
:*Injection Flaws<br />
:*Malicious File Execution<br />
:*Insecure Direct Object Reference<br />
:*Cross Site Request Forgery (CSRF)<br />
:*Information Leakage and Improper Error Handling<br />
:*Broken Authentication and Session Management<br />
:*Insecure Cryptographic Storage<br />
:*Insecure Communications<br />
:*Failure to Restrict URL Access<br />
*[[Education Module Embed within SDLC|Embed within SDLC]] (People, Processes & Tools) (20 min) ([http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt direct link])<br />
:There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.<br />
:*People Awareness and Education<br />
:*Development WebAppSec Controls<br />
:*Deployment WebAppSec Controls<br />
:*WebAppSec Tools<br />
*[[Education Module Good Secure Development Practices|Good Secure Development Practices]] (70 min) ([http://www.owasp.org/images/5/57/Education_Module_Good_Secure_Development_Practices.ppt direct link])<br />
:Next to the Top 10 remedies this module provides some good secure development practices from the OWASP Guide, covering e.g.<br />
:*Validating User Input <br />
:*Authentication<br />
:*Authorization<br />
:*Session Management<br />
:*Using Interpreters<br />
:*Crypto<br />
:*Catching Errors<br />
:*File System<br />
:*Configuration<br />
:*Web 2.0<br />
*[[Education Module Testing for Vulnerabilities|Testing for Vulnerabilities]] (20 min) ([http://www.owasp.org/images/4/49/Education_Module_Testing_for_Vulnerabilities.ppt direct link])<br />
:One important aspect is to test for application vulnerabilities. During this short module an introduction is provided together with some WebGoat test cases.<br />
:*Testing for application vulnerabilities<br />
:*The OWASP Testing Guide<br />
:*WebGoat demonstrated<br />
*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min) ([http://www.owasp.org/images/f/fe/Education_Module_Good_WebAppSec_Resources.ppt direct link])<br />
:This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.<br />
:*Hard Copy<br />
:*Web Sites<br />
:*Mailing lists<br />
:*Blogs<br />
*Roundup (10 min)<br />
<br />
[[Category:OWASP Education Project]]<br />
<br />
'''Course Specifics'''<br />
<br />
No specific prerequisites.<br />
<br />
<br />
<br />
== Classic ASP Security using OWASP tools ==<br />
<br />
'''Instructor'''<br />
<br />
Juan Carlos Calderon<br />
<br />
'''Duration'''<br />
<br />
1 day <br />
<br />
'''Summary'''<br />
<br />
Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place”.<br />
<br />
'''Audience'''<br />
<br />
People involved in development/maintenance of Classic ASP applications at all levels, including developers, Application Architects, testers, etc.<br />
<br />
'''Table of Contents'''<br />
<br />
*Secure programming on ASP using [[ESAPI|OWASP ESAPI]]<br />
*Auditing ASP code with [[:Category:OWASP_Code_Review_Project|Code Review Project]] checklist<br />
*Implementing [[:Category:OWASP_Stinger_Project|OWASP Stinger]] protection for Classic ASP <br />
*Complementary security best practices.<br />
<br />
'''Course Specifics'''<br />
<br />
None. Keep posted for changes on the table of contents and course specifics.<br />
<br />
== Web Application Assessments ==<br />
<br />
'''Instructor'''<br />
<br />
Vicente Aguilera Diaz<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
As in the physical world, the "professionals" attackers spend most of their time to analysing its objective and try to gather as much information as possible about it. The more information becomes available and is more detailed and accurate, the attack is more likely to succeed.<br />
<br />
The aim of this course is to identify patterns and tools to perform this analysis (step prior to the attack), and is supplemented by a case study on a practical application.<br />
<br />
'''Audience'''<br />
<br />
Software developers, security consultants, system administrators and people loving security.<br />
<br />
'''Table of Contents'''<br />
<br />
# Introduction<br />
# Web Application Discovery<br />
# Gathering information on the target web application<br />
## Search Engines<br />
## Interaction with external entities and information services<br />
## Analysis of existing information in the web application (public information, information leaks, causing errors, etc.).<br />
# Knowing / Understand the target<br />
## Identifying characteristics (technologies, platforms, user profiles, features, etc.).<br />
## Analysis of infrastructure components: databases, Web servers, application servers, authentication servers, etc.). Detection and identification.<br />
## Identification of the exposition area<br />
# Analysis of attack vectors and vulnerabilities exploitation<br />
# Case Study<br />
## Assessment of an webmail application <br />
## Vulnerability exploitation: IMAP / SMTP Injection<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.<br />
<br />
== Hacking Owasp Orizon Project v1.0 ==<br />
<br />
'''Instructor'''<br />
<br />
Paolo Perego<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
In the course it will be presented Owasp Orizon v1.0 framework. The major APIs will be fully explained and it will be built a simple scanning tool using the Orizon framework.<br />
<br />
The course goal is to let people fully understand Orizon internals and let people understand how to use the framework in a real world.<br />
<br />
'''Audience'''<br />
<br />
Security specialist, code reviewers and curious developers<br />
<br />
'''Table of Contents'''<br />
<br />
* Owasp Orizon Internals<br />
** Translation engine<br />
** Owasp Orizon XML project<br />
*** XML used in writing security checks<br />
*** XML used in translation phase<br />
** Static analysis engine<br />
** Crawling engine<br />
** Reporting engine<br />
* Create a simple tool using Orizon<br />
<br />
'''Course Specifics'''<br />
<br />
People have to bring their own laptop with latest Owasp Orizon version, J2SE 1.6 or later and a Java IDE (e.g. eclipse) is also feasible.<br />
<br />
== Securing WebGoat with ModSecurity ==<br />
<br />
'''Instructor'''<br />
<br />
Stephen Craig Evans<br />
<br />
'''Duration'''<br />
<br />
4h<br />
<br />
'''Summary'''<br />
<br />
ModSecurity, normally a tool of the network security group, has capabilities that can allow a software security specialist with programming skills to mitigate business logic flaws and other vulnerabilities that are out-of-reach of basic blacklists.<br />
<br />
This 4 hour course covers the highlights of the Summer of Code 2008 project, "Securing WebGoat using ModSecurity" (please see https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project and the project wiki).<br />
<br />
'''Audience'''<br />
<br />
* Users of ModSecurity that want to learn how it can be leveraged beyond the basic rule sets in order to mitigate vulnerabilities in areas such as authentication, AJAX, and output sanitization<br />
* Web application specialists, especially pentesters, who want to learn how ModSecurity can offer an additional remedial solution to customers when the application cannot be touched<br />
* Curious people that are wondering what the hell this project is about<br />
<br />
'''Table of Contents'''<br />
<br />
* ModSecurity basics<br />
* WebGoat overview<br />
* A walkthrough of the "Securing WebGoat using ModSecurity" Summer of Code 2008 project<br />
* Mitigating WebGoat vulnerabilities using the ModSecurity core rule set<br />
* Using ModSecurity's Lua scripting language:<br />
** For its programming capabilities (including re-building the Lua library to include 3rd party functionality)<br />
** To implement configuration files<br />
** For global persistence<br />
** And much, much, more...<br />
* Using ModSecurity's Javascript injection (prepend and append):<br />
** To substitute/override/extend existing Javascript functions<br />
** To enhance the user experience when implementing a ModSecurity solution on the back end such as an authentication mechanism <br />
* Using ModSecurity's session collection, Lua script, and Javascript injection together to mitigate almost any vulnerability<br />
<br />
'''Course Specifics'''<br />
<br />
Demos (including strategy and implementation) of the most interesting lesson solutions will be shown.<br />
<br />
== How to Win AppSec Hacking Contests and Deploy Better Web Applications ==<br />
<br />
'''Instructors'''<br />
<br />
Lann Martin and Lebbeous Fogle-Weekley - ''winners of the CTF contest at OWASP AppSec NYC '08''<br />
<br />
'''Duration'''<br />
<br />
4 hours<br />
<br />
'''Summary'''<br />
<br />
This class will demonstrate how an attacker approaches potentially<br />
vulnerable web applications, taking advantage of both poor server<br />
configuration and poor application implementation to discover and exploit<br />
vulnerabilities of several types.<br />
<br />
'''Audience'''<br />
<br />
Web application developers and penetration testers of intermediate<br />
skill.<br />
<br />
'''Table of Contents'''<br />
<br />
''This table of contents is a work in progress''<br />
* The trouble with verbose error messages<br />
* The right way and the wrong way to escape input to prevent SQL injection<br />
* The right way and the wrong way to encode output to prevent XSS<br />
* More bad practices to avoid<br />
* More good practices to maintain<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop to participate in attacks on sample<br />
web applications. Firefox is the preferred browser for exploiting web<br />
applications. Automated scanning tools are out of scope for this class.<br />
<br />
== Uncovering WebScarab's Secret Treasures ==<br />
<br />
'''Instructor'''<br />
<br />
Rogan Dawes<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
OWASP WebScarab has a lot of hidden features that probably no one but the author really knows about. This in depth hands on session will show delegates how to access these features, and how to use them to their full potential.<br />
<br />
'''Audience'''<br />
<br />
Application reviewers, developers<br />
<br />
'''Table of Contents'''<br />
<br />
* Using the spider<br />
* Manual Request Transforms<br />
* What is the XSS/CRLF plugin, and how does it work?<br />
* Using the Fuzzer<br />
* Comparing Responses<br />
* Searching WebScarab history<br />
* Exploring the Beanshell<br />
** Writing Proxy Intercept scripts<br />
** Writing Script Manager Scripts<br />
** Writing other scripts<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop<br />
<br />
<br />
<br />
== Advanced Web Application Security Testing ==<br />
<br />
'''Instructor'''<br />
<br />
Michael Coates, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
2 days.<br />
<br />
'''Summary'''<br />
<br />
While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web 2.0 Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Arshan Dabirsiaghi, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
Web 2.0 applications using technologies like Ajax, Flash, ActiveX, and Java Applets require special attention to secure. this one day training addresses the special issues that arise in this type of application development.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web Services ==<br />
<br />
'''Instructor'''<br />
<br />
Dave Wichers, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
2 days.<br />
<br />
'''Summary'''<br />
<br />
The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. this session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identify servers and related software. Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Building Secure Web Applications with OWASP's Enterprise Security API (ESAPI) ==<br />
<br />
'''Instructor'''<br />
<br />
Jeff Williams, Aspect Security<br />
<br />
'''Duration'''<br />
<br />
1 day.<br />
<br />
'''Summary'''<br />
<br />
This course will teach you about OWASP's new Enterprise Security API (ESAPI), what it is composed of, and how to use it to improve the security and reduce the cost of developing those applications. This class covers each interface within the API, how it is intended to be used, and what the benefits are of using this interface, over other techniques for addressing the same security concerns.<br />
<br />
The course also discusses how to bring ESAPI into your organization and how to tailor it for your organization specific needs and application infrastructure.<br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own Windows based laptop<br />
<br />
== Ajax Security ==<br />
<br />
'''Instructor'''<br />
<br />
Brad Causey<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course will provide an introductory to AJAX, its inherent security issues, how to detect them, and how to resolve them.<br />
<br />
'''Audience'''<br />
<br />
Web Application Security Professionals<br />
<br />
'''Table of Contents<br />
'''<br />
* Introduction to AJAX<br />
* Security Issues with architecture<br />
* Toolkits<br />
* Toolkit Security Concerns<br />
* Bridges and Issues<br />
* Attacking AJAX<br />
* Defending AJAX<br />
* Securing the Code<br />
* Best Practices<br />
* Other Issues and Concerns<br />
* Q and A<br />
<br />
'''Course Specifics<br />
'''<br />
<br />
Please bring your own laptop with your choice of web proxy and browser installed if you wish to participate. Participation is optional.<br />
<br />
== Flash Player Security ==<br />
<br />
'''Instructor'''<br />
<br />
Peleus Uhley<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course will provide an overview of the Flash Player security model and common architectures for Flash deployment. The course is targeted at people who need to understand the fundamentals of Flash Player security and how it will affect their website such as CSOs, web designers and web architects. The goal of the course is to provide the student with the enough information to architect a secure Flash deployment. The follow-on Auditing Flash Applications course will continue to build on this knowledge on an API by API level. <br />
<br />
'''Audience'''<br />
<br />
Web Application Security Professionals and those who make decisions or recommendations about Flash deployments.<br />
<br />
<br />
'''Course Specifics'''<br />
<br />
Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.<br />
<br />
== Auditing Flash Applications ==<br />
<br />
'''Instructor'''<br />
<br />
Peleus Uhley<br />
<br />
'''Duration'''<br />
<br />
1/2 day<br />
<br />
'''Summary'''<br />
<br />
This course is a follow on to the Flash Player Security course for those who want to do a deep dive into the security of Flash applications. This course is targeted at Flash authors and web-site auditors who need to validate Flash code and provide meaningful recommendations and best practices for improving Flash deployments. The goal of the course is to provide the student with the tools and information to audit a Flash website and provide quality feedback on how to remediate any issues.<br />
<br />
'''Audience'''<br />
<br />
Flash Developers, Web Application Penetration Testers<br />
<br />
'''Course Specifics'''<br />
<br />
Please bring your own laptop with your choice of web browser installed if you wish to participate. Participation is optional.<br />
== Testing Guide Training ==<br />
<br />
'''Instructor'''<br />
<br />
Matteo Meucci, Giorgio Fedon - Minded Security.<br />
<br />
'''Duration'''<br />
<br />
4h.<br />
<br />
'''Summary'''<br />
<br />
This course will discuss the new OWASP Testing Guide v3 methodology and the most relevant tests of the 66 total controls of the Guide. You can learn how to test a web application and how to write a report.<br />
<br />
'''Audience'''<br />
<br />
Software developers, security consultants, auditors.<br />
<br />
'''Table of Contents'''<br />
<br />
The course will discuss the methology and will analize the 9 sub-categories of the Testing Guide:<br />
<br />
* Configuration Management Testing<br />
* Business Logic Testing<br />
* Authentication Testing<br />
* Authorization testing<br />
* Session Management Testing<br />
* Data Validation Testing<br />
* Denial of Service Testing<br />
* Web Services Testing<br />
* Ajax Testing <br />
<br />
'''Course Specifics'''<br />
<br />
Bring your own laptop.</div>Manopaulhttps://wiki.owasp.org/index.php?title=Manoranjan_(Mano)_Paul&diff=43211Manoranjan (Mano) Paul2008-10-13T22:22:39Z<p>Manopaul: </p>
<hr />
<div>[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Mano Paul</b> (CISSP, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at SecuRisk Solutions. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education. <br />
<br />
Before SecuRisk Solutions, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano is (ISC)<sup>2</sup>'s Software Assurance Advisor and an appointed Industry representative of Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university. <br />
<br />
Mano has been featured in various domestic and international security conferences, contributed to and published various security articles and is an invited speaker in the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress Conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.<br />
<br />
Mano holds the following professional certifications - CISSP, ECSA, LPT, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD) and the CompTIA Network+ certification.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_AppSec_India_Conference_2008_Advanced_Threat_Modeling&diff=35907OWASP AppSec India Conference 2008 Advanced Threat Modeling2008-08-13T09:27:13Z<p>Manopaul: /* Advanced Threat Modeling */</p>
<hr />
<div>== Advanced Threat Modeling ==<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.<br />
<br />
Come for a <font color="blue">'''fun, hands-on, interactive'''</font> session that will cover the <font color="blue">'''basic and advanced elements of threat modeling'''</font>, filled with <font color="blue">'''exercises for the attendees to participate'''</font>.<br />
<br />
'''Session Coverage'''<br><br />
The session will cover the following topics <br><br />
Introduction to Threat Modeling<br><br />
Threat Modeling Process<br><br />
Tools, Techniques and Templates<br><br />
Demos and Hands-On Exercises<br><br />
and more ...<br />
<br />
'''Who should Attend?'''<br><br />
This session is for '''Management, Technical''' (Developer, QA, Security ...) and '''Operational professionals''' and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications.<br />
<br />
<font color="red">'''Come and Win exciting Prizes (possibly an iPod)'''</font><br><br />
First Prize - A FREE voucher to the official (ISC)<sup>2</sup> CISSP&reg; self-assessments (<font color="red">approx. $300 value</font>) (or) <br><br />
Second Prize - A FREE voucher to the official (ISC)<sup>2</sup> SSCP&reg; self-assessments (<font color="red">approx. $110 value</font>)<br><br />
Third Prize - An <font color="red">iPod Shuffle</font><br><br />
<br />
(ISC)<sup>2</sup> self-assessments are made possible due to courtesy of ''[https://www.expresscertifications.com/isc2 Express Certifications]''<br><br />
<i>iPod is a registered trademark of Apple Inc.</i><br />
<br />
== About the Instructor ==<br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Mano Paul</b> (CISSP, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at SecuRisk Solutions. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education. <br />
<br />
Before SecuRisk Solutions, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano is (ISC)<sup>2</sup>'s Software Assurance Advisor and an appointed Industry representative of Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university. <br />
<br />
Mano has been featured in various domestic and international security conferences, contributed to and published various security articles and is an invited speaker in the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress Conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.<br />
<br />
Mano holds the following professional certifications - CISSP, ECSA, LPT, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD) and the CompTIA Network+ certification.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_AppSec_India_Conference_2008_Advanced_Threat_Modeling&diff=35906OWASP AppSec India Conference 2008 Advanced Threat Modeling2008-08-13T09:26:34Z<p>Manopaul: /* About Instructor */</p>
<hr />
<div>== Advanced Threat Modeling ==<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.<br />
<br />
Come for a <font color="blue">'''fun, hands-on, interactive'''</font> session that will cover the <font color="blue">'''basic and advanced elements of threat modeling'''</font>, filled with <font color="blue">'''exercises for the attendees to participate'''</font>.<br />
<br />
'''Session Coverage'''<br><br />
The session will cover the following topics <br><br />
Introduction to Threat Modeling<br><br />
Threat Modeling Process<br><br />
Tools, Techniques and Templates<br><br />
Demos and Hands-On Exercises<br><br />
and more ...<br />
<br />
'''Who should Attend?'''<br><br />
This session is for '''Management, Technical''' (Developer, QA, Security ...) and '''Operational professionals''' and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications.<br />
<br />
<font color="red">'''Come and Win exciting Prizes (possibly an iPod)'''</font><br><br />
First Prize - A FREE voucher to the official (ISC)<sup>2</sup> CISSP&reg; self-assessments (<font color="red">approx. $300 value</font>) (or) <br><br />
Second Prize - A FREE voucher to the official (ISC)<sup>2</sup> SSCP&reg; self-assessments (<font color="red">approx. $110 value</font>)<br><br />
Third Prize - An iPod Shuffle <br><br />
<br />
(ISC)<sup>2</sup> self-assessments are made possible due to courtesy of ''[https://www.expresscertifications.com/isc2 Express Certifications]''<br><br />
<i>iPod is a registered trademark of Apple Inc.</i><br />
<br />
== About the Instructor ==<br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Mano Paul</b> (CISSP, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at SecuRisk Solutions. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education. <br />
<br />
Before SecuRisk Solutions, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano is (ISC)<sup>2</sup>'s Software Assurance Advisor and an appointed Industry representative of Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university. <br />
<br />
Mano has been featured in various domestic and international security conferences, contributed to and published various security articles and is an invited speaker in the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress Conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.<br />
<br />
Mano holds the following professional certifications - CISSP, ECSA, LPT, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD) and the CompTIA Network+ certification.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_AppSec_India_Conference_2008&diff=35905OWASP AppSec India Conference 20082008-08-13T09:24:11Z<p>Manopaul: /* Day Two [Trainings/Workshops]: Thursday 21st August, 2008 */</p>
<hr />
<div>[[Image:OWASP_India-mhnew.gif]]<br />
= OWASP AppSec India Conference 2008 - August 20th-21st 2008 =<br />
Delhi Chapter invites you to (1) day of Conferences with theme as <b>"Application Security - Trends and Challenges"</b> and Technology from the world's most regarded application security leaders and experts, (1) day of extensive multi-tracked workshop, all to be held at <b>[http://www.indiahabitat.org/locate.htm India Habitat Center, New Delhi.]</b><BR><BR> <b>[https://www.owasp.org/images/e/e3/OWASPAppsecIndiacon08-Brochure.pdf Click here to download event brochure].</b> <BR><br />
<br />
<b>Event Fees:</b> <BR>INR. 5,000 (approx. USD 125) for 1 day of conference<BR>INR. 10,000 (approx. USD 250) for 1-day training/workshop.<br />
<BR><br />
<center>[http://www.eventavenue.com/attReglogin.do?eventId=EVT1667 https://www.owasp.org/images/f/f9/Green_bl.gif][https://www.eventavenue.com/attReglogin.do?eventId=EVT1667 https://www.owasp.org/images/7/7f/Register.gif]</center><br />
<br />
<BR><b>[http://204.2.106.79/cme/owasp/register.php Click here for off-line registrations]</b><br><br />
<br />
<br />
<b>Discounts on combined package for both the days:</b><br><br />
Discounts available for: Academics | Government Employees | OWASP/ISC2 members.<br />
<BR>Group Discounts are also available<BR><br />
<br />
<BR>* Only one discount option will be applicable to each delegate. <br />
<BR><br><br />
<B>Registration inquiries:</b><BR><br />
Mr. Nitin Saxena<BR><br />
CyberMedia Events<BR><br />
Mobile: 9811675559<br><br />
email :nitins@cybermedia.co.in<BR><br />
<br />
Ms. Vijitha P D'Souza<BR><br />
CyberMedia Events<BR><br />
email: vijithap@cybermedia.co.in <BR><br />
<hr><br />
<BR><BR><BR><br />
<center>[[Image:ninja.gif]]</center><br><br><br />
<br />
= Event Sponsors =<br />
<center><br />
<B>Diamond Sponsor</B><BR><BR><br />
[https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201_4000_100 https://www.owasp.org/images/d/d2/Hp1.JPG]<br />
</center><br />
<BR><BR><br />
<center><br />
<B>Associate Sponsors</B><BR><BR><br />
[http://www.paladion.net https://www.owasp.org/images/8/86/Paladion.jpg]<br />
[http://www.securematrix.in https://www.owasp.org/images/8/8f/Secure-matrix.jpg]<br />
[http://www.torridnet.com https://www.owasp.org/images/5/5a/Torrid.jpg]<br />
[http://www.sdgc.com https://www.owasp.org/images/3/39/SDG.jpg]<br />
</center><br />
<br><br><br />
To sponsor OWASP AppSec India Conference 2008, please download the <b>[https://www.owasp.org/images/e/ef/OWASP_Appsec_India_Conference_2008-Sponsorship.pdf Sponsorship Form]</b> and contact: <BR><BR><br />
Mr. Vilas Hegde<BR><br />
Associate Vice President<BR><br />
CyberMedia Events<BR><br />
email :vilash@cybermedia.co.in<BR><br />
== Official Event Supporters/Partners ==<br />
<center><br />
[http://www.isc2.org https://www.owasp.org/images/b/bf/ISC2_main_logo-small.jpg] [http://www.eventavenue.com https://www.owasp.org/images/7/76/Eventav_logo_tech_partner.jpg]<br />
[http://www.biztech2.com/ https://www.owasp.org/images/9/9b/Biztech.jpg]<br />
</center><br />
<BR><br />
<br />
= OWASP AppSec India Conference 2008 Schedule – August 20th - August 21st =<br />
==Day One [Conference Program]: Wednesday 20th August, 2008==<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4F81BD; color:white" | <br />
<br />
|-<br />
| align="center" style="width:33%; background:#4F81BD; color:white" | '''TIME''' || style="width:33%; background:#4F81BD; color:white" align="center" | '''SESSION'''<br />
| style="width:33%; background:#4F81BD; color:white" align="center" | '''SPEAKER'''<br />
<br />
|-<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''08:15 hrs - 9:00 hrs''' || colspan="3" style="width:80%; background:#4F81BD; color:white" align="center" | '''Registrations and Welcome Tea / Coffee'''<br />
<br />
|-<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''09:00 hrs - 10:00 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''<BR>Welcome Address<br><br>About OWASP Foundation– The story so far and beyond.<BR><BR>Key note “ Application Security Trends & Challenges”<BR><BR>Vote of Thanks<BR><BR>'''<br />
| style="width:40%; background:#EEF0F7; color:#4A4AFF" align="center" | '''Welcome address by OWASP Delhi Chapter Board<BR><BR><BR>Dinis Cruz, Chief OWASP Evangelist<BR>OWASP Foundation USA<BR><BR><BR>Dr. Gulshan Rai, Director, CERT-In, <BR>Department of Information Technology, <BR>Government of India<BR><BR><BR>Dr. Kamlesh Bajaj, CEO, DSCI (A NASSCOM Initiative)<BR><BR>Mano Paul, Software Assurance Advisor, (ISC)<sup>2</sup> <BR><BR>OWASP Delhi Board Members'''<br />
|-<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''10:00 hrs – 10:30 hrs''' || colspan="3" style="width:80%; background:#4F81BD; color:white" align="center" | '''Networking Tea / Coffee Break'''<br />
|-<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''10:30 hrs - 11:30 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''Tour of OWASP projects & The Moral Ecology of OWASP'''<br />
| style="width:40%; background:#EEF0F7; color:#4A4AFF" align="center" | '''<BR>Dinis Cruz, Chief OWASP Evangelist<BR>OWASP Foundation USA<BR><BR>'''<br />
|-<br />
<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''11:30 hrs - 12:30 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Web_2.0_Attacks Web 2.0 Attacks - Next Generation Threats on the Rise]'''<br />
| style="width:40%; background:#EEF0F7; color:#4A4AFF" align="center" | '''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Speaker_-_Shreeraj_Shah Shreeraj Shah,<BR>Founder & Director,]<BR>[http://www.blueinfy.com BlueInfy]<BR>''' <br />
|-<br />
<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''14:30 hrs - 15:30 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Business_Case_for_AppSec The Business Case for Application Security]'''<br />
| style="width:40%; background:#EEF0F7; color:#4A4AFF" align="center" | '''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Speaker_-_Rajesh_Nayak Rajesh Nayak ]<BR>[https://h10078.www1.hp.com/cda/hpms/display/main/hpms_home.jsp?zn=bto&cp=1_4011_308__&jumpid=go/btosoftware HP Software]<BR><BR>'''<br />
|-<br />
<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''13:30 hrs - 14:30 hrs''' || colspan="3" style="width:80%; background:#4F81BD; color:white" align="center" | '''Networking Lunch'''<br />
|-<br />
<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''12:30 hrs - 13:30 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Building_Enterprise_AppSec_program Building an enterprise application security program]'''<br />
| style="width:40%; background:#EEF0F7; color:#4A4AFF" align="center" | '''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Speaker_-_Nishchal_Bhalla Nishchal Bhalla,<BR>CEO,] <BR>[http://www.securitycompass.com Security Compass], USA<BR><BR>'''<br />
|-<br />
<br />
<br />
<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''15:30 hrs - 16:30 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Case_Study Case Study: Testing 200+ applications in a $10 Billion Enterprise]'''<br />
| style="width:40%; background:#EEF0F7; color:#4A4AFF" align="center" | '''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Speaker_-_Roshen_Chandran Roshen Chandran <BR>Director of Paladion's Application Security Practice,]<BR>[http://www.paladion.net/ Paladion]<BR><BR>'''<br />
|-<br />
<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''16:30 hrs - 17:00 hrs''' || colspan="3" style="width:80%; background:#4F81BD; color:white" align="center" | '''Networking Tea / Coffee Break'''<br />
|-<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''17:00 hrs - 18:00 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_OWASP_AntiSamy_Project OWASP AntiSamy Project]'''<br />
| style="width:40%; background:#EEF0F7; color:black" align="center" | '''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Speaker_-_Jason_Li Jason Li,<BR>Senior Application Security Engineer,]<BR>[http://www.aspectsecurity.com Aspect Security Inc., USA]<BR><BR>'''<br />
|-<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''18:00 hrs - 18:30 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''Vote of Thanks'''<br />
| style="width:40%; background:#4F81BD; color:white" align="center" | '''<BR>OWASP Delhi Chapter Board Members<BR><BR>'''<br />
|-<br />
<br />
<br />
|}<br />
<BR><BR><br />
<br />
==Day Two [Trainings/Workshops]: Thursday 21st August, 2008==<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4F81BD; color:white" | <br />
<br />
|-<br />
| align="center" style="width:33%; background:#4F81BD; color:white" | '''TIME''' || style="width:33%; background:#4F81BD; color:white" align="center" | '''TRAINING/WORKSHOP TRACK'''<br />
| style="width:33%; background:#4F81BD; color:white" align="center" | '''TRAINING PROVIDER'''<br />
<br />
|-<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''08:15 hrs - 9:00 hrs''' || colspan="3" style="width:80%; background:#4F81BD; color:white" align="center" | '''Registrations and Welcome Tea / Coffee'''<br />
<br />
|-<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''09:00 hrs - 13:30 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Application_Security_Assessment_(Threats_And_Exploits) Application Security Assessment (Threats and Exploits)]<BR><BR>Hall Appsec-1<BR><BR>'''<br />
<br />
| style="width:40%; background:#EEF0F7; color:#4A4AFF" align="center" | <br />
'''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Speaker_-_Shreeraj_Shah Shreeraj Shah,<BR>Founder & Director,]<BR> [http://www.blueinfy.com https://www.owasp.org/images/a/a1/BlueInfy.JPG]<BR>''' <br />
|-<br />
<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''09:00 hrs - 13:30 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Advanced_Threat_Modeling Advanced Threat Modeling]<BR><BR>Hall Appsec-2<BR><BR>'''<br />
<br />
| style="width:40%; background:#EEF0F7; color:#4A4AFF" align="center" | <br />
'''<BR>[http://www.securisksolutions.com/company/execmgt.aspx Mano Paul,<BR>CEO, SecuRisk Solutions, USA]<BR> [http://www.securisksolutions.com/Default.aspx http://www.securisksolutions.com/Images/Logos/SRSLogo_100x100.png]<BR>''' <br />
|-<br />
<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''11:15 hrs - 11:30 hrs''' || colspan="3" style="width:80%; background:#4F81BD; color:white" align="center" | '''Networking Tea / Coffee Break'''<br />
|-<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''09:00 hrs - 13:30 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008 Writing Secure Code - Java/J2EE & .Net]<BR><BR>Hall Appsec-3<BR><BR>'''<br />
| style="width:40%; background:#EEF0F7; color:#4A4AFF" align="center" | '''<BR><BR>[https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201_4000_100 https://www.owasp.org/images/d/d2/Hp1.JPG]<BR>''' <br />
|-<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''13:30 hrs - 14:30 hrs''' || colspan="3" style="width:80%; background:#4F81BD; color:white" align="center" | '''Networking Lunch'''<br />
|-<br />
<br />
<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''14:30 hrs - 19:00 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Web_2.0_Security Web 2.0 Security]<BR><BR>Hall Appsec-1<BR><BR>'''<br />
| style="width:40%; background:#EEF0F7; color:black" align="center" | '''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Speaker_-_Jason_Li Jason Li,<BR>Senior Application Security Engineer,]<BR><BR>[http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]<BR><BR>'''<br />
<br />
|-<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''14:30 hrs - 19:00 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_AppSec_For_Managers Application Security for Managers]<BR><BR>Hall Appsec-2<BR><BR>'''<br />
| style="width:40%; background:#EEF0F7; color:#4A4AFF" align="center" | '''<BR>[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_Speaker_-_Nishchal_Bhalla Nishchal Bhalla,<BR>CEO,] <BR><BR>[http://www.securitycompass.com https://www.owasp.org/images/f/f3/SecurityCompass.JPG]<BR><BR>'''<br />
|-<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''16:30 hrs - 16:45 hrs''' || colspan="3" style="width:80%; background:#4F81BD; color:white" align="center" | '''Networking Tea / Coffee Break'''<br />
|-<br />
| align="center" style="width:20%; background:#4F81BD; color:white" | '''14:30 hrs - 19:00 hrs''' || style="width:30%; background:#A7BFDE" align="center" | '''<BR>Application Security Code Review<BR><BR>Hall Appsec-3<BR><BR>'''<br />
| style="width:40%; background:#EEF0F7; color:#4A4AFF" align="center" |<br />
'''Dinis Cruz,<BR> Director of Advanced Technologies,<BR><BR>[http://www.ouncelabs.com https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg]'''<br />
|-<br />
|}<br />
<br />
*Delegates attending Trainings are requested to bring their Wi-Fi enabled Laptops for the class- Preferably with VMWare Loaded*<br />
*ISC2 Members earn 1 CPE per hour of attendance to this event*<br />
*Speakers / topics / Training sessions are subject to change*<br />
*Registration for a specific class will depend on the availability of seats*<br />
<br />
Kindly visit the conference pages for the latest updates on the event.<br><br><br />
<br />
= TRAVEL/HOTELS =<br />
<br />
*Delhi Tourism: http://delhitourism.nic.in/index.aspx<BR><br />
*Delhi Map: http://www.mapsofindia.com/maps/delhi/delhi.htm<BR><br />
*[http://www.indiahabitat.org/locate.htm Directions to Venue]<br />
<BR><br />
*<u>NOTE</u>: We have negotiated special discounts for the participants of OWASP AppSec India Conference 2008. Kindly contact our Travel Partners to get quick bookings on flights/cabs/hotels at discounted price:<br />
<br />
= Queries =<br />
<BR><b>Travel/Hotel:</B><BR>Mr. Jitin Batra<br />
<BR>Manager, Dreamz Travel<br />
<BR>Mobile: +91-981-055-8569<br />
<BR>LandLine: +91-11-41586401-402<br />
<BR>email: info@dreamztravel.net<br />
<BR><br><br />
<B>Registrations:</b><BR><br />
Mr. Nitin Saxena<BR><br />
CyberMedia Events<BR><br />
email :nitins@cybermedia.co.in<br><br />
Mobile: 09811675559<BR><br />
<br />
<br />
<br />
<BR><br />
<B>Sponsorship:</b><BR><br />
Mr. Vilas Hedge<BR><br />
Associate Vice President<BR><br />
CyberMedia Events<BR><br />
email :vilash@cybermedia.co.in<BR></div>Manopaulhttps://wiki.owasp.org/index.php?title=File:SecuRiskSolutions.jpg&diff=35904File:SecuRiskSolutions.jpg2008-08-13T09:03:28Z<p>Manopaul: uploaded a new version of "Image:SecuRiskSolutions.jpg"</p>
<hr />
<div></div>Manopaulhttps://wiki.owasp.org/index.php?title=File:SecuRiskSolutions.jpg&diff=35903File:SecuRiskSolutions.jpg2008-08-13T09:01:21Z<p>Manopaul: </p>
<hr />
<div></div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_AppSec_India_Conference_2008_Advanced_Threat_Modeling&diff=35449OWASP AppSec India Conference 2008 Advanced Threat Modeling2008-08-06T16:29:03Z<p>Manopaul: /* Advanced Threat Modeling */</p>
<hr />
<div>== Advanced Threat Modeling ==<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.<br />
<br />
Come for a <font color="blue">'''fun, hands-on, interactive'''</font> session that will cover the <font color="blue">'''basic and advanced elements of threat modeling'''</font>, filled with <font color="blue">'''exercises for the attendees to participate'''</font>.<br />
<br />
'''Session Coverage'''<br><br />
The session will cover the following topics <br><br />
Introduction to Threat Modeling<br><br />
Threat Modeling Process<br><br />
Tools, Techniques and Templates<br><br />
Demos and Hands-On Exercises<br><br />
and more ...<br />
<br />
'''Who should Attend?'''<br><br />
This session is for '''Management, Technical''' (Developer, QA, Security ...) and '''Operational professionals''' and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications.<br />
<br />
<font color="red">'''Come and Win exciting Prizes (possibly an iPod)'''</font><br><br />
First Prize - A FREE voucher to the official (ISC)<sup>2</sup> CISSP&reg; self-assessments (<font color="red">approx. $300 value</font>) (or) <br><br />
Second Prize - A FREE voucher to the official (ISC)<sup>2</sup> SSCP&reg; self-assessments (<font color="red">approx. $110 value</font>)<br><br />
Third Prize - An iPod Shuffle <br><br />
<br />
(ISC)<sup>2</sup> self-assessments are made possible due to courtesy of ''[https://www.expresscertifications.com/isc2 Express Certifications]''<br><br />
<i>iPod is a registered trademark of Apple Inc.</i><br />
<br />
== About Instructor ==<br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Mano Paul</b> (CISSP, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at SecuRisk Solutions. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education. <br />
<br />
Before SecuRisk Solutions, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano is (ISC)<sup>2</sup>'s Software Assurance Advisor and an appointed Industry representative of Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university. <br />
<br />
Mano has been featured in various domestic and international security conferences, contributed to and published various security articles and is an invited speaker in the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress Conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.<br />
<br />
Mano holds the following professional certifications - CISSP, ECSA, LPT, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD) and the CompTIA Network+ certification.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_AppSec_India_Conference_2008_Advanced_Threat_Modeling&diff=35448OWASP AppSec India Conference 2008 Advanced Threat Modeling2008-08-06T16:28:20Z<p>Manopaul: /* Advanced Threat Modeling */</p>
<hr />
<div>== Advanced Threat Modeling ==<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.<br />
<br />
Come for a <font color="blue">'''fun, hands-on, interactive'''</font> session that will cover the <font color="blue">'''basic and advanced elements of threat modeling'''</font>, filled with <font color="blue">'''exercises for the attendees to participate'''</font>.<br />
<br />
'''Session Coverage'''<br><br />
The session will cover the following topics <br><br />
Introduction to Threat Modeling<br><br />
Threat Modeling Process<br><br />
Tools, Techniques and Templates<br><br />
Demos and Hands-On Exercises<br><br />
and more ...<br />
<br />
'''Who should Attend?'''<br><br />
This session is for '''Management, Technical''' (Developer, QA, Security ...) and '''Operational professionals''' and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications.<br />
<br />
<font color="red">'''Come and Win exciting Prizes'''</font><br><br />
First Prize - A FREE voucher to the official (ISC)<sup>2</sup> CISSP&reg; self-assessments (<font color="red">approx. $300 value</font>) (or) <br><br />
Second Prize - A FREE voucher to the official (ISC)<sup>2</sup> SSCP&reg; self-assessments (<font color="red">approx. $110 value</font>)<br><br />
Third Prize - A iPod Shuffle <br><br />
<br />
(ISC)<sup>2</sup> self-assessments are made possible due to courtesy of ''[https://www.expresscertifications.com/isc2 Express Certifications]''<br><br />
<i>Note: iPod is a registered trademark of Apple Inc.</i><br />
<br />
== About Instructor ==<br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Mano Paul</b> (CISSP, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at SecuRisk Solutions. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education. <br />
<br />
Before SecuRisk Solutions, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano is (ISC)<sup>2</sup>'s Software Assurance Advisor and an appointed Industry representative of Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university. <br />
<br />
Mano has been featured in various domestic and international security conferences, contributed to and published various security articles and is an invited speaker in the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress Conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.<br />
<br />
Mano holds the following professional certifications - CISSP, ECSA, LPT, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD) and the CompTIA Network+ certification.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_AppSec_India_Conference_2008_Advanced_Threat_Modeling&diff=35272OWASP AppSec India Conference 2008 Advanced Threat Modeling2008-08-03T20:56:28Z<p>Manopaul: /* Advanced Threat Modeling */</p>
<hr />
<div>== Advanced Threat Modeling ==<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.<br />
<br />
Come for a <font color="blue">'''fun, hands-on, interactive'''</font> session that will cover the <font color="blue">'''basic and advanced elements of threat modeling'''</font>, filled with <font color="blue">'''exercises for the attendees to participate'''</font>.<br />
<br />
'''Session Coverage'''<br><br />
The session will cover the following topics <br><br />
Introduction to Threat Modeling<br><br />
Threat Modeling Process<br><br />
Tools, Techniques and Templates<br><br />
Demos and Hands-On Exercises<br><br />
and more ...<br />
<br />
'''Who should Attend?'''<br><br />
This session is for '''Management, Technical''' (Developer, QA, Security ...) and '''Operational professionals''' and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications.<br />
<br />
<font color="red">'''Come and Win exciting Prizes'''</font><br><br />
First Prize - A FREE voucher to the official (ISC)<sup>2</sup> CISSP&reg; self-assessments (<font color="red">approx. $300 value</font>) (or) <br><br />
Second Prize - A FREE voucher to the official (ISC)<sup>2</sup> SSCP&reg; self-assessments (<font color="red">approx. $110 value</font>)<br><br />
(ISC)<sup>2</sup> self-assessments are made possible due to courtesy of ''[https://www.expresscertifications.com/isc2 Express Certifications]''<br />
<br />
== About Instructor ==<br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Mano Paul</b> (CISSP, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at SecuRisk Solutions. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education. <br />
<br />
Before SecuRisk Solutions, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano is (ISC)<sup>2</sup>'s Software Assurance Advisor and an appointed Industry representative of Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university. <br />
<br />
Mano has been featured in various domestic and international security conferences, contributed to and published various security articles and is an invited speaker in the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress Conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.<br />
<br />
Mano holds the following professional certifications - CISSP, ECSA, LPT, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD) and the CompTIA Network+ certification.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_AppSec_India_Conference_2008_Advanced_Threat_Modeling&diff=35271OWASP AppSec India Conference 2008 Advanced Threat Modeling2008-08-03T20:52:45Z<p>Manopaul: /* Advanced Threat Modeling */</p>
<hr />
<div>== Advanced Threat Modeling ==<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.<br />
<br />
Come for a <font color="blue">'''fun, hands-on, interactive'''</font> session that will cover the <font color="blue">'''basic and advanced elements of threat modeling'''</font>, filled with <font color="blue">'''exercises for the attendees to participate'''</font>.<br />
<br />
'''Session Coverage'''<br><br />
The session will cover the following topics <br><br />
Introduction to Threat Modeling<br><br />
Threat Modeling Process<br><br />
Tools, Techniques and Templates<br><br />
Demos and Hands-On Exercises<br><br />
and more ...<br />
<br />
'''Who should Attend?'''<br><br />
This session is for '''Management, Technical''' (Developer, QA, Security ...) and '''Operational professionals''' and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications.<br />
<br />
<font color="red">'''Come and Win exciting Prizes'''</font><br><br />
First Prize - A FREE voucher to the official (ISC)<sup>2</sup> CISSP&reg; self-assessments (<font color="red">approx. $300 value</font>) (or) <br><br />
Second Prize - A FREE voucher to the official (ISC)<sup>2</sup> SSCP&reg; self-assessments (<font color="red">approx. $110 value</font>)<br><br />
(ISC)<sup>2</sup> self-assessments are made possible due to courtesy of [["https://www.expresscertifications.com/isc2/" target="_blank" | Express Certifications]].<br />
<br />
== About Instructor ==<br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Mano Paul</b> (CISSP, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at SecuRisk Solutions. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education. <br />
<br />
Before SecuRisk Solutions, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano is (ISC)<sup>2</sup>'s Software Assurance Advisor and an appointed Industry representative of Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university. <br />
<br />
Mano has been featured in various domestic and international security conferences, contributed to and published various security articles and is an invited speaker in the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress Conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.<br />
<br />
Mano holds the following professional certifications - CISSP, ECSA, LPT, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD) and the CompTIA Network+ certification.</div>Manopaulhttps://wiki.owasp.org/index.php?title=OWASP_AppSec_India_Conference_2008_Advanced_Threat_Modeling&diff=35270OWASP AppSec India Conference 2008 Advanced Threat Modeling2008-08-03T20:40:12Z<p>Manopaul: /* About Instructor */</p>
<hr />
<div>== Advanced Threat Modeling ==<br />
<br />
To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities. <br />
<br />
Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.<br />
<br />
Come for a '''fun, hands-on, interactive''' session that will cover the '''basic and advanced elements of threat modeling''', filled with '''exercises for the attendees to participate'''.<br />
<br />
'''Session Coverage'''<br />
The session will cover the following topics <br />
1. Introduction to Threat Modeling<br />
2. Threat Modeling Process<br />
3. Tools, Techniques and Templates<br />
4. Live Demo and Hands-On Exercises<br />
and more ...<br />
<br />
'''Who should Attend?'''<br />
This session is for Management, Technical (Developer, QA, Security ...) and Operational professionals and any stakeholder that needs to understand how threat modeling can benefit their organizations/companies in designing secure web applications. Whether you are a novice or an expert apropos threat modeling, you will all leave learning something new to design the next generation of hack-resilient web applications.<br />
<br />
'''Come and Win exciting Prizes'''<br />
Come and win a free self-assessment voucher to the official (ISC)<sup>2</sup> CISSP&reg; (approx. $300 value) or an iPod Shuffle.<br />
<br />
== About Instructor ==<br />
[[Image:Mano_Paul.jpg|thumb|10px|frame|left|Mano Paul]]<br />
<b>Mano Paul</b> (CISSP, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at SecuRisk Solutions. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education. <br />
<br />
Before SecuRisk Solutions, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education. <br />
<br />
Mano is (ISC)<sup>2</sup>'s Software Assurance Advisor and an appointed Industry representative of Information Systems Security Association (ISSA) Capitol of Texas chapter. He also serves as a faculty member for the ISSA security course at the local university. <br />
<br />
Mano has been featured in various domestic and international security conferences, contributed to and published various security articles and is an invited speaker in the OWASP Application Security Conferences, CSI, Burton Group Catalyst, TRISC and the SC World Congress Conferences. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network.<br />
<br />
Mano holds the following professional certifications - CISSP, ECSA, LPT, Microsoft Certified Solutions Developer (MCSD), Microsoft Certified Application Developer (MCAD) and the CompTIA Network+ certification.</div>Manopaul