OWASP - User contributions [en]

Global Committee Pages

2012-11-15T00:35:04Z

Mark.bristow:

__notoc__

OWASP recognized the extraordinary contribution of our most active leaders by engaging them to lead seven committees that report progress to the [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Global_Board_Members OWASP Board of Directors]. Each democratically established committee will focus on a key function or geographic region, such as OWASP projects, conferences, local chapters, membership and industry outreach. [http://www.owasp.org/index.php/Category:OWASP_Chapter#Local_Chapters Local Chapters], Project Leaders, questions about hosting a conference or starting a chapter should contact the appropriate committee for assistance, guidance or to suggest best practice. **Note that in a perfect world we would have your best regional representative on each committee from your country as a delegate. 
<center>[https://www.owasp.org/index.php/How_to_Join_a_Committee '''How to Join a Global Committee'''] Monthly Global Committee Chair Meetings: [https://www.owasp.org/index.php/Global_Committee_Chair_Meetings Click Here] </center>
{| style="width: 90%" class="FCK__ShowTableBorders" border="0" align="center"
|-
| style="background: rgb(64,88,160); color: white" colspan="8" align="center" | '''OWASP GLOBAL COMMITTEES'''
|-
| style="width: 10%; background: rgb(242,152,76)" align="center" | OWASP GLOBAL COMMITTEE
| style="width: 13%; background: rgb(242,152,76)" align="center" | [[:Category:Global Projects Committee|'''Projects''']]
| style="width: 13%; background: rgb(242,152,76)" align="center" | [[Global Membership Committee|'''Membership''']]
| style="width: 13%; background: rgb(242,152,76)" align="center" | [[Global Education Committee|'''Education''']]
| style="width: 13%; background: rgb(242,152,76)" align="center" | [[Global Conferences Committee|'''Conferences''']]
| style="width: 13%; background: rgb(242,152,76)" align="center" | [[Global Industry Committee|'''Industry''']]
| style="width: 13%; background: rgb(242,152,76)" align="center" | [[Global Chapter Committee|'''Chapters''']]
| style="width: 13%; background: rgb(242,152,76)" align="center" | '''[[OWASP Connections Committee|Connections]]'''
|-
| style="width: 10%; background: rgb(242,152,76)" align="center" | Committee Chair
| style="width: 13%; background: rgb(242,152,76)" align="center" | [[User:Jason Li|Jason Li]]
| style="width: 13%; background: rgb(242,152,76)" align="center" | [[Global Membership Committee - Application 5|Helen Gao]]
| style="width: 13%; background: rgb(242,152,76)" align="center" | [[:Image:Image007-Martin Knobloch.jpg|Martin Knobloch]]
| style="width: 13%; background: rgb(242,152,76)" align="center" | Vacant
| style="width: 13%; background: rgb(242,152,76)" align="center" | [[:Global Industry Committee - Application 16|Tobias Gondrom]]
| style="width: 13%; background: rgb(242,152,76)" align="center" | [[Global Chapter Committee - Application 8|Josh Sokol]]
| style="width: 13%; background: rgb(242,152,76)" align="center" | [[OWASP Connections Committee - Application 4|Jim Manico]]
|-
| style="width: 10%; background: rgb(204,204,204)" valign="top" align="center" | Members
| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |
*[[User:Bradcausey|Brad Causey]]
*[[:Global Projects and Tools Committee - Application 3|Chris Schmidt]]
*[[:Global Projects and Tools Committee - Application 4|Justin Searle]]
*[[:User:Nishi_Kumar|Nishi Kumar]]
*[[:Global Projects and Tools Committee - Application 6|Keith Turpin]]

| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |
*[[:Image:Image018-Dan Cornell.jpg|Dan Cornell]]
*[[Global Membership Committee - Application 3|Ofer Maor]]
*[[Global Membership Committee - Application 4|Aryavalli Gandhi]]

| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |
*[[:Image:Image008-Eduardo Neves.jpg|Eduardo Neves]]
*[[:Image:Image011-Cecil Su.jpg|Cecil Su]]
*[[:Image:Image009-Fabio Cerullo.jpg|Fabio Cerullo]]
*[[:Image:Image010-Kuai Hinjosa.jpg|Kuai Hinjosa]]
*[[:Global Education Committee - Application 3|Sebastien Gioria]]
*[[Global Education Committee - Application 7|Tony Gottlieb]]
*[[Global Education Committee - Application 2|Carlos Serrão]]
*[[Global_Education_Committee_-_Application_8|Luiz Otavio Duarte]]

| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |
*[[:Global Conferences Committee - Application 3|John Wilander]]
*[[Media:RGreenberg_Conference_Committee_App.pdf|Richard Greenberg]]
*[[:Global Conferences Committee - Application 5|Ralph Durkee]]
*[[Global Conferences Committee - Application 7|Mohd Fazli Azran]]
*[[Global Conferences Committee - Application 12|Lorna Alamri]]
*[[Global Conferences Committee - Application 13|Benny Ketelslegers]]

 

| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |
*[[:Global Industry Committee - Application 8|Mauro Flores]]
*[[Global Industry Committee - Application 2|Alexander Fry]]
*[[:Image:Image013-Eoin Keary.jpg|Eoin Keary]]
*[[:Global Industry Committee - Application 9|Mateo Martinez]]
*[[Global Industry Committee - Application 1|Colin Watson]]
*[https://www.owasp.org/index.php/Marco_Morana Marco Morana]
*[[:Global Industry Committee - Application 12|Christian Papathanasiou]]
*[[:Image:Image014 Rex Booth.jpg|Rex Booth]]

| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |
*[[User:Sdeleersnyder|Seba Deleersnyder]]
*[[Global Chapter Committee - Application 4|Tin Zaw]]
*[[Global Chapter Committee - Application 5|L. Gustavo C. Barbato]]
*[[Global_Chapter_Committee_-_Application_9|Ivy Zhang]]

 

| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |
*[[OWASP Connections Committee - Application 8|Ludovic Petit]]
*[[OWASP_Connections_Committee_-_Application_7|Luiz Eduardo Dos Santos]]
*[[OWASP Connections Committee - Application 3|Justin Clarke]]
*[[OWASP Connections Committee - Application 7|Jerry Hoff]]

|-
| style="width: 10%; background: rgb(204,204,204)" valign="top" align="center" | [[How to Join a Committee|Applicants]]
| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |
| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |

 

| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |

 

| style="width: 14%; background: rgb(204,204,204)" valign="top" align="left" |
*[[Global Conferences Committee - Application 8|Zhendong Yu]]

 

| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |
*[[:Global Industry Committee - Application 13|Michael Scovetta]]

| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |
 

| style="width: 13%; background: rgb(204,204,204)" valign="top" align="left" |

|-
| style="width: 10%; background: rgb(242,152,76)" align="center" | Committee Looking For
| style="width: 13%; background: rgb(242,152,76)" align="center" | New Members with OWASP Project Leadership Experience
| style="width: 13%; background: rgb(242,152,76)" align="center" | More Members
| style="width: 13%; background: rgb(242,152,76)" align="center" | New Members with Education Background
| style="width: 13%; background: rgb(242,152,76)" align="center" | More Members Outside U.S.
| style="width: 13%; background: rgb(242,152,76)" align="center" | More Members Outside U.S. and Europe
| style="width: 13%; background: rgb(242,152,76)" align="center" | More Members Outside U.S.
| style="width: 13%; background: rgb(242,152,76)" align="center" | More Members
|}

 Questions? Contact [mailto:kate.hartmann@owasp.org Kate Hartmann], OWASP Operations Director

 [[Global Committee Chair Meetings]]

== Budgets ==

[https://www.owasp.org/index.php/Global_Committee_Pages Global Committee] Budgets - [https://www.owasp.org/index.php/Global_Committee_Budgets/2011 2011 Link]

Global Conferences Committee/

2012-11-15T00:34:26Z

Mark.bristow:

__NOTOC__
= About the Committee =
'''The Global Conferences Committee was created during the OWASP EU Summit in Portugal 2008. The Global Conferences Committee exists to coordinate and facilitate OWASP conferences and events worldwide.''' The committee is governed by the [[Global Conferences Committee/Governance|Global Conferences Committee Governance]] document

*Chair (Vacant)
*[mailto:john.wilander@owasp.org John Wilander] (Sweden)
*[mailto:richard.greenberg@owasp.org Richard Greenberg] (US)
*[mailto:ralph.durkee@owasp.org Ralph Durkee] (US)
*[mailto:fazli@owasp.org Mohd Fazli Azran] (Malaysia)
*[mailto:lorna.alamri@owasp.org Lorna Alamri] (US)
*[mailto:benny.ketelslegers@owasp.org Benny Ketelslegers] (Japan)

Operational Support: [mailto:sarah.baso@owasp.org Sarah Baso]

== Upcoming Meeting ==
'''Recurring Meeting time & date: on the third Wednesday of the month at 3pm GMT/UTC'''

Date: Wednesday, July 18 at 3pm GMT/UTC

Date: Wednesday, August 15 at 3pm GMT/UTC

GoToMeeting link: [https://www3.gotomeeting.com/join/491851430 https://www3.gotomeeting.com/join/491851430]

*Use your microphone and speakers (VoIP) - a headset is recommended. Access Code: 491-851-430 Audio PIN: Shown after joining the meeting
*Meeting ID: 491-851-430

International Dial-in: 
Australia: +61 2 8355 1031 
Austria: +43 (0) 7 2088 1033 
Belgium: +32 (0) 28 08 4342 
Canada: +1 (647) 497-9371 
Denmark: +45 (0) 69 91 89 21 
Finland: +358 (0) 942 41 5770 
France: +33 (0) 182 880 159 
Germany: +49 (0) 811 8899 6926 
Ireland: +353 (0) 19 030 050 
Italy: +39 0 693 38 75 50 
Netherlands: +31 (0) 208 080 208 
New Zealand: +64 (0) 9 925 0481 
Norway: +47 21 54 82 21 
Spain: +34 911 82 9890 
Sweden: +46 (0) 852 500 179 
Switzerland: +41 (0) 435 0167 65 
United Kingdom: +44 (0) 207 151 1806 
United States: +1 (213) 493-0619 

=2012 Committee Plan=
{{:Global_Conferences_Committee_2012_Plan}}

= 2011 Committee Plan =
{{:Global Conferences Committee/2011 Committee Plan}}

= Planner Resources =

[[How to Host a Conference]] - The comprehensive guide for hosting an OWASP event.

{{:Global Conferences Committee/Resources}}

= Committee Policies =

{{:Global Conferences Committee/Policies}}

=Conference Liaison Initiative=

{{:Global Conferences Committee/Liaison Program}}

= GCC Records =

{{:Global Conferences Committee/Records}}

<headertabs/>

OWASP Events/upcoming events

2012-11-12T15:12:27Z

Mark.bristow:

== Global AppSec Events ==
{| class="wikitable"
|-
! Global AppSec Events
! Date
! Location
! GCC Rep
! OWASP Introduction/Keynote
|-
| [https://www.owasp.org/index.php/AppSecLatam2012 Global AppSec Latam 2012] ([https://www.owasp.org/index.php/AppSecLatam2012 Wiki])
| Nov. 18, 2012 - Nov. 21, 2012
| Montevideo, Uruguay
| Fabio Cerullo
| Matt Tesauro
|-
| OWASP AppSec ASIAPAC 2013
| Feb. 19, 2013 - Feb. 22, 2013
| Jeju, South Korea
| TBD
| TBD
|-
| AppSec EU Research 2013
| Aug. 20, 2013 - Aug. 23, 2013
| Hamburg, Germany
| TBD
| TBD
|-
| AppSec NYC 2013
| Oct. 14, 2013 - Oct. 17, 2013
| New York, NY
| TBD
| TBD
|}

== Regional and Local Events ==
{| class="wikitable"
|-
! Event
! Type
! Date
! Location
! OWASP Introduction/Keynote
|-
| [https://www.owasp.org/index.php/Italy_OWASP_Day_2012 OWASP Italy Day 2012]
| Local Event
| Nov. 23, 2012 - Nov. 23, 2012
| Rome
| TBD
|-
| [http://www.owaspbenelux.eu/ OWASP BeNeLux Day 2012]
| Local Event
| Nov. 29, 2012 - Nov. 30, 2012
| Leuven, Belgium
| TBD
|-
| [ OWASP MSP 1 Day of AppSec Talks]
| Local Event
| Nov. 29, 2012 - Nov. 29, 2012
| St. Paul/ Minneapolis, MN
| TBD
|}
== Partner and Promotional Events ==
Want to get your event listed here? Be sure to work with the [[Global Conferences Committee]]

{| class="wikitable"
|-
! Event
! Date
! Location
! OWASP Participation
|-
| [http://hackerhaltedapac.org/apac/ Hacker Halted Asia Pacific 2012]
| Nov. 19, 2012 - Nov. 22, 2012
| Malaysia
| TBD
|-
| [http://www.ebcg.biz/ EBCG ]
| May 11, 2013 - May 13, 2013
| Prague
| TBD
|}

How to Host a Conference/Travel and Accommodations

2012-09-11T17:21:49Z

Mark.bristow: /* Travel */

=== Accommodations ===
If you plan on a regional or international event, it is considerate to negotiate a discounted room rate with a local hotel. In many cases, if you event is at a hotel, they will happily give you greater than 50% discount on rooms. If your event is at another type of venue (convention center, university campus, corporate building) there are often referral relationships between the venue and nearby hotels. Be sure to ask you coordinator.

When reserving your room blocks take into consideration the number of out of town speakers and guests you are expecting and how many room nights will be required. Be sure to avoid commitment for the unsold rooms. The hotel wants to get paid of course. Be sure that the hotel will not hold OWASP responsible for unbooked rooms.

=== Travel ===
Your conference venue usually has maps and travel information on how to get to the location. If there aren't adequate limo or shuttle services to your venue from the airport, you may need to make your own arrangements.

'''OWASP on the MOVE funds are not to be used for conferences or events.''' If you are planning on covering ANY speakers travel and/or accommodations, be sure to plan for this in your event budget.

==== International Travel ====
If you are a conference organizer or sponsor of a conference or event located in the U.S. and the conference will be held in the U.S., please contact the email address: [mailto:businessvisa@state.gov businessvisa@state.gov], sending the following information:

*Date(s) when conference or event is to be held;
*Title/name of conference or event;
*Brief description of the conference, including purpose and sponsorship;
*Location of the conference or event;
*Expected international attendance (100 visa applicants minimum to post an event), and the total number of expected attendees;
*Point of contact (at conference/event organizer): Organization website (if available), contact name, title, address, telephone number and email address, in case the embassy has questions about your announcement.

This is especially important when we are issuing letters so foreign nationals can travel to the event.

More information at http://travel.state.gov/visa/temp/types/types_2665.html#14 http://travel.state.gov/visa/temp/types/types_2665.html#14

=== Visitor's Guide ===
All global conferences that will attract a substantial international audience should create a city Visitor's guide. A great example of a visitor's guide was put together by the [http://www.owasp.org/images/e/eb/OWASP_AppSec_Research_2010_Visitors_Guide_A4.pdf AppSec Research 2010 team]This guide should include sections like:
*Country Overview
** Common Languages
** Money
** Tipping and Haggling
** Local Customs
** Special Events during the conference
* Transportation to Event
** Taxi Company Phone numbers and estimated prices
** Buss or Mass Transit information, schedules, and prices
** Directions on how to get to conference site '''WITH PICTURES''' (It's recommended you walk from the major transportation hubs and take pictures along the way)
*Host City
** Local points of interest
** How to get around the city (metro/bus maps)
** Bars near the event

Speaker Agreement

2012-07-09T16:22:41Z

Mark.bristow:

OWASP SPEAKER AGREEMENT V2.0 - [[Media:OWASP_Presentatiion_Template.zip | OWASP Presentation Template]]

SPEAKER’S RELEASE

I accept the offer of the OWASP Foundation Inc., (OWASP) to participate as a speaker and subject matter expert subject to the terms and conditions set forth herein. As a speaker, I will receive admission to the event and no other remuneration. I will only receive one pass, and this pass is non-transferable.

I understand that the views and opinions expressed at the conference will be mine and not those of OWASP. I agree to indemnify and hold harmless OWASP against any claims, losses, expenses or damages that may be incurred by OWASP as a result of my presentation. In particular, I agree that the use of any materials prepared by me will not expose OWASP to liability for breach of confidence for infringement of copyright or similar liability.

In the unavoidable situation that I am unable to fulfill my commitment to speak, I will promptly notify the primary point of contact of the event via telephone/email so that OWASP may find an alternate speaker for my session. If I violate the terms of this agreement or fail to meet any established deadlines, OWASP reserves the right to replace me as a speaker with another speaker from my company or organization or from another company or organization.

CONTENT

Speakers are encouraged to include their contact information when introducing themselves, but may NOT include their logo on any visual and handout materials. Speakers are to avoid any appearance of commercialism in their session and presentations are to be of a technical or solutions emphasis. Further, I understand that the program tracks of the conference/event/chapter are an educational event, not a sales or marketing platform. I agree that my presentation(s) will be an objective review of the topic on which I am presenting, and will not contain any content that is a sales or promotional pitch for any specific product(s) or company(ies). My materials will also be reflective of the current status of the topic(s) I am addressing.

I agree that the information contained in my presentation(s) or related presentation materials (a) will be factual and not misleading, (b) will not violate any obligation of confidentiality that I (or my company or organization) has with any third party, (c) will not violate the intellectual property of any third party and (d) will not defame any third party.

In addition, I agree that OWASP is not an appropriate forum for disclosing vulnerabilities. I understand that presentations can discuss known vulnerabilities, types of vulnerabilities, new malicious uses of known vulnerabilities, and new vulnerabilities that span multiple products and standards. However, I will not discuss vulnerabilities in specific products. I agree to dedicate a substantial portion of my presentation to solutions for any issues raised.

COPYRIGHT PERMISSION

If my session includes a presentation, I will use the Conference Template [[Media:OWASP_Presentatiion_Template.zip | OWASP Presentation Template]].
). I will submit to the OWASP Event Leader my presentation(s) in one of the previous formats no later than 30 days prior to the conference. Should the presentation change after it has been submitted, I agree to notify the OWASP Event Leader that the presentation has changed and I will submit the changed presentation as soon as feasible and at least 24 hours prior to my scheduled session(s).

I understand that OWASP may record (audio and/or video) the conference proceedings, and, that my presentation could be included in any reproduction of the conference materials. I hereby authorize the OWASP Foundation to capture my presentation on audio/visual format or a combination thereof for presentation by OWASP Conference Organizers. Accordingly, I grant the OWASP Foundation the right to:
Reproduce and distribute the handout materials in any format including paper and electronic formats to any audience.
Distribute written materials to participants of the OWASP Conferences.

I UNDERSTAND THE FOLLOWING:

I will not receive any compensation for speaking at any OWASP Event/Conference. This includes any travel expenses such as airfare, housing, or any other daily expenses incurred while attending any OWASP Conference.
I may use the handout materials, presentation, visual aids and any other material prepared by me for the above-mentioned presentation in any manner I desire, including publication.
Papers and illustrations will not be returned.

The governing language of this Agreement, the Service, the Application and the Documentation is English. Les parties aux présentes confirment leur volonté que ce contrat de même que tous les documents y compris tout avis qui s’y rattachent soient rédigés en langue anglaise. (translation: “The parties confirm that this Agreement and all related documentation is and will be in the English language”).

Any claim, controversy or dispute arising out of or relating to this Agreement shall be settled by final and binding arbitration to be conducted by an arbitration tribunal in Columbia, Maryland, U.S.A., in English, in accordance with the commercial arbitration rules of the American Arbitration Association (“AAA”) and pursuant to this section. The arbitration shall be conducted by three (3) arbitrators, one to be appointed by OWASP, one to be appointed by you and a third being nominated by the two arbitrators so selected or, if they cannot agree on a third arbitrator within the time specified in the AAA commercial arbitration rules, by the AAA; provided, however, that all arbitrators appointed pursuant to this provision shall be both: (i) a licensed attorney or former judge; and (ii) knowledgeable about, and experienced in, the software and/or Internet industry. The decision of the arbitrators shall be binding upon the parties hereto, and the expense of the arbitration (including without limitation the award of attorneys’ fees to the prevailing party) shall be paid as the arbitrators determine. The decision of the arbitrators shall be executory, and judgment thereon may be entered by any court of competent jurisdiction. Notwithstanding anything contained in this provision to the contrary.

I AM CONSENTING TO BE BOUND BY THE TERMS AND CONDITIONS CONTAINED IN THIS AGREEMENT. IF I DO NOT AGREE TO THESE TERMS, THEN I WILL NOT BE PERMITTED TO SPEAK AT THE OWASP EVENT, IN WHICH EVENT I WILL REPLY TO THIS MESSAGE THAT I DO NOT AGREE TO THESE TERMS, AND I UNDERSTAND I WILL NOT BE ABLE TO SPEAK AT THE EVENT AND WILL BE REPLACED AS A SPEAKER.

[http://www.owasp.org/index.php/About_OWASP The OWASP Foundation Inc.]
9175 Guilford Road Suite #300
Columbia, MD 21046

OWASP Events/upcoming events

2012-06-05T22:16:54Z

Mark.bristow:

== Global AppSec Events ==
{| class="wikitable"
|-
! Global AppSec Events
! Date
! Location
! GCC Rep
! OWASP Introduction/Keynote
|-
| [http://appseceu.org/ Global AppSec Research 2012] ([https://www.owasp.org/index.php/AppSecResearch2012 Wiki])
| July 10, 2012 - July 13, 2012
| Athens, Greece
| John Wilander
| Deleersnyder, Wichers, Brennan, Keary
|-
| [https://www.owasp.org/index.php/AppSec_North_America_2012 Global AppSec North America 2012]
| Oct. 23, 2012 - Oct. 26, 2012
| Austin, TX
| Lorna Alamri
| Coates, Keary, Brennan, Wichers, Tesauro, Deleersnyder
|-
| [https://www.owasp.org/index.php/AppSecLatam2012 Global AppSec Latin America 2012]
| Nov. 14, 2012 - Nov. 16, 2012
| Buenos Aires, Argentina
| TBD
| Brennan
|-
| OWASP AppSec ASIAPAC 2013
| Feb. 21, 2013 - Feb. 22, 2013
| Jeju, South Korea
| TBD
| TBD
|}

== Regional and Local Events ==
{| class="wikitable"
|-
! Event
! Type
! Date
! Location
! OWASP Introduction/Keynote
|-
| [http://www.appsectr.org/ Application Security Day]
| Local Event
| June 9, 2012 - June 9, 2012
| Istanbul
| TBD
|-
| [http://www.owasp.org/index.php/OWASP_InfoSec_Conference_2012 AppSec India 2012]
| Regional Event
| Aug. 24, 2012 - Aug. 25, 2012
| India
| Brennan
|-
| [http://www.appsecireland.org/ OWASP Ireland]
| Regional Event
| Sept. 4, 2012 - Sept. 6, 2012
| Dublin, Ireland
| Keary, Coates
|}
== Partner and Promotional Events ==
Want to get your event listed here? Be sure to work with the [[Global Conferences Committee]]

{| class="wikitable"
|-
! Event
! Date
! Location
! OWASP Participation
|-
| [http://www.bhack.com.br/ BHack Conference]
| June 14, 2012 - June 17, 2012
| Belo Horizonte/MG, Brazil
| TBD
|-
| [http://www.sdiwc.net/CyberSec2012/page.php?id=2 Cyber Security, Cyber Warfare and Digital Forencis (CyberSec12)]
| June 26, 2012 - June 28, 2012
| Kuala Lumpur
| TBD
|-
| [http://www.blackhat.com/html/bh-us-12/bh-us-12-home.html BlackHat USA]
| July 25, 2012 - July 26, 2012
| Las Vegas, NV
| TBD
|-
| [http://www.brucon.org/ BruCON 2012]
| Sept. 24, 2012 - Sept. 27, 2012
| Belgium
| TBD
|}

OWASP AppSec DC 2012/Schedule/4-5-2012

2012-05-04T16:48:40Z

Mark.bristow:

{| border=1
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | '''Plenary Day 2 - 4/5/2012'''
|-
| width=72 valign=middle bgcolor=#7b8abd |
! width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | Critical Infrastructure Room 201
! width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | Defend! Room 202A
! width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | On the Go Room 202B
! width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | SDLC Room 206
|-
| width=72 valign=middle bgcolor=#7b8abd | 7:30 AM - 9:00 AM
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Registration
|-
| width=72 valign=middle bgcolor=#7b8abd rowspan=2 | 9:00 AM - 9:50 AM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center rowspan=2 | [[OWASP_AppSec_DC_2012/Pentesting_Smart_Grid_Web_Apps|Pentesting Smart Grid Web Apps]] video | [[media: ASDC12-Pentesting_Smart_Grid_Web_Apps.pdf|slides]] Justin Searle
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Friends_dont_let_friends_store_passwords_in_source_code|Friends don't let friends store passwords in source code]] video | slides Neil Matatall
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center rowspan=2 | [[OWASP_AppSec_DC_2012/Smart_Bombs_Mobile_Vulnerability_and_Exploitation|Smart Bombs: Mobile Vulnerability and Exploitation]] video | [[media: ASDC12-Smart_Bombs_Mobile_Vulnerability_and_Exploitation.pdf|slides]] Kevin Johnson, John Sawyer and Tom Eston
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center rowspan=2 | [[OWASP_AppSec_DC_2012/Overcoming_the_Quality_vs_Quantity_Problem_in_SoftwareSecurity_Testing|Overcoming the Quality vs. Quantity Problem in Software
Security Testing]] video | [[media: ASDC12-Overcoming_the_Quality_vs_Quantity_Problem_in_SoftwareSecurity_Testing.pdf|slides]] Rafal Los
|-
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Web_Application_Defense_with_Bayesian_Attack_Analysis|Web Application Defense with Bayesian Attack Analysis]] video | [[media: ASDC12-Web_Application_Defense_with_Bayesian_Attack_Analysis.pdf|slides]] Ryan Barnett
|-
| width=72 valign=middle bgcolor=#7b8abd | 9:50 AM - 10:00 AM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 10:00 AM - 10:50 AM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Vulnerabilities_in_Industrial_Control_Systems|Vulnerabilities in Industrial Control Systems]] video | slides Kevin Hemsly
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Access_Control_Designs_and_Pitfalls|Access Control Designs and Pitfalls]] video | [[media: ASDC12-Access_Control_Designs_and_Pitfalls.pdf|slides]] Jim Manico
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Software_Security_Goes_Mobile|Software Security Goes Mobile]] video | slides Jacob West
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/Baking_In_Security_Sweet_Secure_Cupcakes|Baking In Security, Sweet, Secure, Cupcakes]] video | [[media: ASDC12-Baking_In_Security_Sweet_Secure_Cupcakes.pdf|slides]] Ken Johnson and Matt Ahrens
|-
| width=72 valign=middle bgcolor=#7b8abd | 10:50 AM - 11:00 AM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 11:00 AM - 11:50 AM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/AMI_Security|AMI Security]] video | [[media: ASDC12-AMI_Security.pdf|slides]] John Sawyer and Don Weber
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/SharePoint_Security_101|SharePoint Security 101]] video | [[media: ASDC12-SharePoint_Security_101.pdf|slides]] Rob Rachwald, Amichai Shulman and Noa Bar-Yosef
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Behind_Enemy_Lines__Practical_Triage_Approaches_to_MobileSecurity_Abroad__2012_Edition|Behind Enemy Lines - Practical& Triage Approaches to Mobile
Security Abroad - 2012 Edition]] video | [[media: ASDC12-Behind_Enemy_Lines_Practical_Triage_Approaches_to_MobileSecurity_Abroad_2012_Edition.pdf|slides]] Justin Morehouse
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/Understanding_IAST__More_Context_Better_Analysis|Understanding IAST - More Context, Better Analysis]] video | [[media: ASDC12-Understanding_IAST_More_Context_Better_Analysis.pdf|slides]] Jeff Williams
|-
| width=72 valign=middle bgcolor=#7b8abd | 11:50 AM - 1:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | No-Host Lunch
|-
| width=72 valign=middle bgcolor=#7b8abd | 1:30 PM - 2:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Project_Basecamp_News_from_Camp_4|Project Basecamp: News from Camp 4]] video | [[media:ASDC12-Project_Basecamp_News_from_Base_4.pdf|slides]] Reid Wightman
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Enterprise_Security_API_ESAPI_for_C_Plus_Plus|Enterprise Security API (ESAPI) for C Plus Plus]] video | [[media: ASDC12-Enterprise_Security_API_ESAPI_for_C_Plus_Plus.pdf|slides]] Dan Amodio
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/WhackaMobile_II_Mobile_App_Pen_Testing_with_the_MobiSecLive_Environment|Whack-a-Mobile II: Mobile App Pen Testing with the MobiSec
Live Environment]] video | [[media: ASDC12-WhackaMobile_II_Mobile_App_Pen_Testing_with_the_MobiSecLive_Environment.pdf|slides]] Kevin Johnson and Tony Delagrange
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP AppSec DC 2012/Proactive risk mitigation within the Software Development Lifecycle (SDLC)|Proactive risk mitigation within the Software Development Lifecycle (SDLC)]] video | [[media:ASDC12-Proactive_Risk_Mitigation_within_the_Software_Development_Lifecycle.pdf|slides]] Joe White
|-
| width=72 valign=middle bgcolor=#7b8abd | 2:20 PM - 2:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 2:30 PM - 3:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Real_world_backdoors_on_industrial_devices|Real world backdoors on industrial devices]] video | [[media: ASDC12-Real_world_backdoors_on_industrial_devices.pdf|slides]] Ruben Santamarta
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Dynamic_DASTWAF_Integration|Dynamic DAST/WAF Integration]] video | [[media: ASDC12-Dynamic_DASTWAF_Integration.pdf|slides]] Ryan Barnett
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/An_InDepth_Introduction_to_the_Android_Permissions_Modeland_How_to_Secure_MultiComponent_Applications|An In-Depth Introduction to the Android Permissions Model,
and How to Secure Multi-Component Applications]] video | [[media: ASDC12-An_InDepth_Introduction_to_the_Android_Permissions_Modeland_How_to_Secure_MultiComponent_Applications.pdf|slides]] Jeff Six
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/Teaching_an_Old_Dog_New_Tricks_Securing_Development_withPMD|Teaching an Old Dog New Tricks: Securing Development with
PMD]] video | [[media: ASDC12-Teaching_an_Old_Dog_New_Tricks_Securing_Development_with_PMD.pdf|slides]] Joe Hemler
|-
| width=72 valign=middle bgcolor=#7b8abd | 3:20 PM - 3:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 3:30 PM - 4:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Denial_of_Surface|Denial of Surface.]] video | [[media: ASDC12-Denial_of_Surface.pdf|slides]] Eireann Leverett
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Cloudbased_dWAF_A_Real_World_Deployment_Case_Study|Cloud-based dWAF: A Real World Deployment Case Study]] video | [[media: ASDC12-Cloudbased_dWAF_A_Real_World_Deployment_Case_Study.pdf|slides]] Alexander Meisel
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Android_in_the_Healthcare_Workplace_A_Case_Study|Android in the Healthcare Workplace: A Case Study]] video | [[media: ASDC12-Android_in_the_Healthcare_Workplace_A_Case_Study.pdf|slides]] Thomas Richards
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/What_can_an_Acquirer_do_to_prevent_developers_from_makedangerous_software_errors|What can an Acquirer do to prevent developers from make
dangerous software errors?]] No video avail | [[media: ASDC12-What_can_an_Acquirer_do_to_prevent_developers_from_makedangerous_software_errors.pdf|slides]] Michele Moss and Don Davidson
|-
| width=72 valign=middle bgcolor=#7b8abd | 4:20 PM - 4:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 4:30 PM - 5:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Securing_Critical_Infrastructure|Securing Critical Infrastructure]] video | [[media: ASDC12-Securing_Critical_Infrastructure.pdf|slides]] Francis Cianfrocca and Bob Lam
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Using_PHPIDS_to_Understand_Attacks_Trends|Using PHPIDS to Understand Attacks Trends]] video | [[media: ASDC12-Using_PHPIDS_to_Understand_Attacks_Trends.pdf|slides]] Salvador Grec
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Mobile_Application_Security__Who_how_and_why|Mobile Application Security - Who, how and why]] video | [[media: ASDC12-Mobile_Application_Security_Who_how_and_why.pdf|slides]] Mike Park and Charles Henderson
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/Private_information_Protection_in_Cloud_Computing___LawsCompliance_and_Cloud_Security_Misconceptions|Private information Protection in Cloud Computing _ Laws,
Compliance and Cloud Security Misconceptions]] video | [[media: ASDC12-Private_information_Protection_in_Cloud_Computing_LawsCompliance_and_Cloud_Security_Misconceptions.pdf|slides]] Mikhail Utin and Daniil Utin
|-
| width=72 valign=middle bgcolor=#7b8abd | 5:20 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Closing Remarks Room 202A
|}

OWASP AppSec DC 2012/Schedule/4-5-2012

2012-04-19T02:20:55Z

Mark.bristow:

{| border=1
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | '''Plenary Day 2 - 4/5/2012'''
|-
| width=72 valign=middle bgcolor=#7b8abd |
! width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | Critical Infrastructure Room 201
! width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | Defend! Room 202A
! width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | On the Go Room 202B
! width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | SDLC Room 206
|-
| width=72 valign=middle bgcolor=#7b8abd | 7:30 AM - 9:00 AM
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Registration
|-
| width=72 valign=middle bgcolor=#7b8abd rowspan=2 | 9:00 AM - 9:50 AM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center rowspan=2 | [[OWASP_AppSec_DC_2012/Pentesting_Smart_Grid_Web_Apps|Pentesting Smart Grid Web Apps]] video | [[media: ASDC12-Pentesting_Smart_Grid_Web_Apps.pdf|slides]] Justin Searle
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Friends_dont_let_friends_store_passwords_in_source_code|Friends don't let friends store passwords in source code]] video | slides Neil Matatall
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center rowspan=2 | [[OWASP_AppSec_DC_2012/Smart_Bombs_Mobile_Vulnerability_and_Exploitation|Smart Bombs: Mobile Vulnerability and Exploitation]] video | [[media: ASDC12-Smart_Bombs_Mobile_Vulnerability_and_Exploitation.pdf|slides]] Kevin Johnson, John Sawyer and Tom Eston
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center rowspan=2 | [[OWASP_AppSec_DC_2012/Overcoming_the_Quality_vs_Quantity_Problem_in_SoftwareSecurity_Testing|Overcoming the Quality vs. Quantity Problem in Software
Security Testing]] video | [[media: ASDC12-Overcoming_the_Quality_vs_Quantity_Problem_in_SoftwareSecurity_Testing.pdf|slides]] Rafal Los
|-
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Web_Application_Defense_with_Bayesian_Attack_Analysis|Web Application Defense with Bayesian Attack Analysis]] video | [[media: ASDC12-Web_Application_Defense_with_Bayesian_Attack_Analysis.pdf|slides]] Ryan Barnett
|-
| width=72 valign=middle bgcolor=#7b8abd | 9:50 AM - 10:00 AM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 10:00 AM - 10:50 AM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Vulnerabilities_in_Industrial_Control_Systems|Vulnerabilities in Industrial Control Systems]] video | slides Kevin Hemsly
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Access_Control_Designs_and_Pitfalls|Access Control Designs and Pitfalls]] video | [[media: ASDC12-Access_Control_Designs_and_Pitfalls.pdf|slides]] Jim Manico
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Software_Security_Goes_Mobile|Software Security Goes Mobile]] video | slides Jacob West
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/Baking_In_Security_Sweet_Secure_Cupcakes|Baking In Security, Sweet, Secure, Cupcakes]] video | [[media: ASDC12-Baking_In_Security_Sweet_Secure_Cupcakes.pdf|slides]] Ken Johnson and Matt Ahrens
|-
| width=72 valign=middle bgcolor=#7b8abd | 10:50 AM - 11:00 AM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 11:00 AM - 11:50 AM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/AMI_Security|AMI Security]] video | [[media: ASDC12-AMI_Security.pdf|slides]] John Sawyer and Don Weber
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/SharePoint_Security_101|SharePoint Security 101]] video | [[media: ASDC12-SharePoint_Security_101.pdf|slides]] Rob Rachwald, Amichai Shulman and Noa Bar-Yosef
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Behind_Enemy_Lines__Practical_Triage_Approaches_to_MobileSecurity_Abroad__2012_Edition|Behind Enemy Lines - Practical& Triage Approaches to Mobile
Security Abroad - 2012 Edition]] video | [[media: ASDC12-Behind_Enemy_Lines_Practical_Triage_Approaches_to_MobileSecurity_Abroad_2012_Edition.pdf|slides]] Justin Morehouse
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/Understanding_IAST__More_Context_Better_Analysis|Understanding IAST - More Context, Better Analysis]] video | [[media: ASDC12-Understanding_IAST_More_Context_Better_Analysis.pdf|slides]] Jeff Williams
|-
| width=72 valign=middle bgcolor=#7b8abd | 11:50 AM - 1:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | No-Host Lunch
|-
| width=72 valign=middle bgcolor=#7b8abd | 1:30 PM - 2:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Project_Basecamp_News_from_Camp_4|Project Basecamp: News from Camp 4]] video | [[media:ASDC12-Project_Basecamp_News_from_Base_4.pdf|slides]] Reid Wightman
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Enterprise_Security_API_ESAPI_for_C_Plus_Plus|Enterprise Security API (ESAPI) for C Plus Plus]] video | [[media: ASDC12-Enterprise_Security_API_ESAPI_for_C_Plus_Plus.pdf|slides]] Dan Amodio
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/WhackaMobile_II_Mobile_App_Pen_Testing_with_the_MobiSecLive_Environment|Whack-a-Mobile II: Mobile App Pen Testing with the MobiSec
Live Environment]] video | [[media: ASDC12-WhackaMobile_II_Mobile_App_Pen_Testing_with_the_MobiSecLive_Environment.pdf|slides]] Kevin Johnson and Tony Delagrange
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP AppSec DC 2012/Proactive risk mitigation within the Software Development Lifecycle (SDLC)|Proactive risk mitigation within the Software Development Lifecycle (SDLC)]] video | slides Joe White
|-
| width=72 valign=middle bgcolor=#7b8abd | 2:20 PM - 2:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 2:30 PM - 3:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Real_world_backdoors_on_industrial_devices|Real world backdoors on industrial devices]] video | [[media: ASDC12-Real_world_backdoors_on_industrial_devices.pdf|slides]] Ruben Santamarta
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Dynamic_DASTWAF_Integration|Dynamic DAST/WAF Integration]] video | [[media: ASDC12-Dynamic_DASTWAF_Integration.pdf|slides]] Ryan Barnett
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/An_InDepth_Introduction_to_the_Android_Permissions_Modeland_How_to_Secure_MultiComponent_Applications|An In-Depth Introduction to the Android Permissions Model,
and How to Secure Multi-Component Applications]] video | [[media: ASDC12-An_InDepth_Introduction_to_the_Android_Permissions_Modeland_How_to_Secure_MultiComponent_Applications.pdf|slides]] Jeff Six
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/Teaching_an_Old_Dog_New_Tricks_Securing_Development_withPMD|Teaching an Old Dog New Tricks: Securing Development with
PMD]] video | [[media: ASDC12-Teaching_an_Old_Dog_New_Tricks_Securing_Development_with_PMD.pdf|slides]] Joe Hemler
|-
| width=72 valign=middle bgcolor=#7b8abd | 3:20 PM - 3:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 3:30 PM - 4:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Denial_of_Surface|Denial of Surface.]] video | [[media: ASDC12-Denial_of_Surface.pdf|slides]] Eireann Leverett
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Cloudbased_dWAF_A_Real_World_Deployment_Case_Study|Cloud-based dWAF: A Real World Deployment Case Study]] video | [[media: ASDC12-Cloudbased_dWAF_A_Real_World_Deployment_Case_Study.pdf|slides]] Alexander Meisel
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Android_in_the_Healthcare_Workplace_A_Case_Study|Android in the Healthcare Workplace: A Case Study]] video | [[media: ASDC12-Android_in_the_Healthcare_Workplace_A_Case_Study.pdf|slides]] Thomas Richards
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/What_can_an_Acquirer_do_to_prevent_developers_from_makedangerous_software_errors|What can an Acquirer do to prevent developers from make
dangerous software errors?]] No video avail | [[media: ASDC12-What_can_an_Acquirer_do_to_prevent_developers_from_makedangerous_software_errors.pdf|slides]] Michele Moss and Don Davidson
|-
| width=72 valign=middle bgcolor=#7b8abd | 4:20 PM - 4:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 4:30 PM - 5:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Securing_Critical_Infrastructure|Securing Critical Infrastructure]] video | [[media: ASDC12-Securing_Critical_Infrastructure.pdf|slides]] Francis Cianfrocca and Bob Lam
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Using_PHPIDS_to_Understand_Attacks_Trends|Using PHPIDS to Understand Attacks Trends]] video | [[media: ASDC12-Using_PHPIDS_to_Understand_Attacks_Trends.pdf|slides]] Salvador Grec
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Mobile_Application_Security__Who_how_and_why|Mobile Application Security - Who, how and why]] video | [[media: ASDC12-Mobile_Application_Security_Who_how_and_why.pdf|slides]] Mike Park and Charles Henderson
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/Private_information_Protection_in_Cloud_Computing___LawsCompliance_and_Cloud_Security_Misconceptions|Private information Protection in Cloud Computing _ Laws,
Compliance and Cloud Security Misconceptions]] video | [[media: ASDC12-Private_information_Protection_in_Cloud_Computing_LawsCompliance_and_Cloud_Security_Misconceptions.pdf|slides]] Mikhail Utin and Daniil Utin
|-
| width=72 valign=middle bgcolor=#7b8abd | 5:20 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Closing Remarks Room 202A
|}

OWASP AppSec DC 2012/Dan Geer

2012-04-19T02:17:32Z

Mark.bristow:

<noinclude>{{:OWASP AppSec DC 2012 Header}}</noinclude>
__NOTOC__
== The Presentation ==
[[Image:Geer.straight.vi11.jpg|right]]Dan Geer’s Milestones: The X Window System and Kerberos (1988), the first information security consulting firm on Wall Street (1992), convener of the first academic conference on electronic commerce (1995), the “Risk Management is Where the Money Is” speech that changed the focus of security (1998), the Presidency of USENIX Association (2000), the first call for the eclipse of authentication by accountability (2002), principal author of and spokesman for “Cyberinsecurity: The Cost of Monopoly” (2003), co-founder of SecurityMetrics.Org (2004), convener of MetriCon (2006-present), author of “Economics & Strategies of Data Security” (2008), and author of “Cybersecurity & National Policy” (2010). Creator of the Index of Cyber Security (2011) and the Cyber Security Decision Market (2011). Six times entrepreneur. Five times before Congress.
 

== Transcript ==
Application Security Matters
Daniel E. Geer, Jr., Sc.D.

I am here today to talk about application security. By the time
I'm done, you may think that I have talked more around application
security than about it. Perhaps you are right, but bear with me.
I am assuming that each of you have heard all the exhortations to
work smarter and harder many times before, and have heard (and will
be hearing) lot of talks on secure methods as this meeting goes on.

Application security is a pervasive need because applications are
themselves now pervasive. Application security is a critical need
because applications are themselves now critical. Over the last
three years, much bile has been spilled in the press over institutions
that are too big to fail and how it must have been a conspiracy of
dunces that allowed those institutions to get that big. If application
software in the aggregate can be said to be an institution in and
of itself, then it is too big to fail. One only wonders what
conspirators the press will nominate when they get around to looking
for a new set of dunces to ridicule.

We are at or near the point where it is no longer possible to live
your life without having a critical dependence on software, even
if you live at the end of a dirt road but still occasionally buy
nails or gasoline.

Everyone knows that the amount of data in the world is growing.
Where does that data come from? Data are the outputs of software,
data are nothing without software, and data volume is now so great
that the data that matter are too big to move -- meaning that your
only knowledge of those data will be what software tells you when
you ask politely. Data-centric activities that are too big to move
seem naturally to be too big to fail.

If biologic analogies move you, then I'd ask you to consider data
as the body and application software as the body's biggest organ,
that is to say application software is data's skin. It is the shape
and color of the skin that gets our attention when we are looking
for a mate, and, for many, how hard they are looking can be gauged
by how much skin they expose. The application software that is
data's skin is likewise; the most massaged data is the data with
the most exposed application software.

Many say that we know how to "build security in[to]" application
software, that it is simply some kind of weak will that explains
why we have insecure applications all around us. Others say that
if and only if the market likes the application's functionality is
it worth retrofitting some security into the application, that is
to say that security only matters once you have a customer base.

Applications are the only reason to have an Internet; without them,
who would care? At the same time, the Internet was not designed
for security -- and may I say "Thank God" for that. If the Internet
had been designed for security, we wouldn't be here not because the
problem of application security would have been solved at the outset
but because the innovation would not have come. The Internet was
designed for resistance to random faults, and that design worked.
It worked so spectacularly that innovation followed simply because
the Internet did not depend on the flawless functioning of every
one of its moving parts. It was not designed for resistance to
targetted faults, which, as Laszlo Barabasi showed, cannot be done
at the same time as you are designing for resistance to random
faults. Further, there was no gatekeeper you had to ask permission
of to put new services on that Internet. There's no government
like no government.

The end-to-end principle was the single most important technical
decision made in building out the Internet. By putting no control
policy in the network, only transport functionality, the network
became useful. The present day drumbeat to put control policy into
the network fabric itself is so blatantly stupid that it isn't even
wrong. Those who propose making the network itself contain security
policy are just another breed of Communists, this time with the
effete subtlety that neither our Chief Executive nor our Congress
has to nationalize critical infrastructure, they just have to
deputize it, by force and in private.

But, for the moment at least, the end-to-end principle generally
holds. It is, however, no longer the only principle we need as the
nature of applications on the Internet makes defining an "end" less
clear than once it had been. Under an end-to-end design rule, the
two ends of any conversation get to negotiate whatever security
policy they like just as they get to pick any network protocol that
meets their needs.

That means application security is an end-to-end design issue, does
it not? Well of course it does, but those of us who want to retain
the freedom to tinker are running into a headwind and that headwind
is the increasing difficulty of defining what an "end" in "end-to-end"
means. The reasons for this are several, and all serious.

* First, there are proxies; are they the end to which your security
regime guarantees trustworthy connection? If don't know about a
certain proxy exists, does that change your answer?

* Second, what one sees on one's screen may be a complicated merging
of many applications and data sources; which one of them is the
end? Are they all ends? Does it matter that you can't tell where
the bits came from? Is plural marriage a good idea?

* Third, in the original construction, the word "end" implicitly
meant "that which is trusted," and everthing between the ends was
not trusted. In applications today, this is not the case -- trust
may be all over the place, some of it misplaced, perhaps, but that
is besides the point.

Let me acknowledge here Marjory Blumenthal and Dave Clark whose
thinking on the end-to-end principle is especially instructive. As
they pointed out, the end-to-end principle made the assumption that
the communications system was not trustworthy whereas the endpoints
were. That the communications system might be unreliable was and
is an assumption that leads to good design choices. However, the
idea that endpoints are trustworthy needs some updating.

It may well be that the reframing should be not end-to-end but
trust-to-trust. In the original formulation, end-to-end meant
machine-to-machine or human-to-human. The idea was that the ends
could be trusted but the rest could not. Let's say that because
there are new attacks every day I don't trust my PC any more, then
my PC can't be an "end" in the end-to-end formulation. Put
differently, what began as "You're OK, I'm OK, but the network is
dangerous" has become "I hope I'm OK, I have to assume that you are
hosed, and the network may make this worse."

This, of course, brings us to the question of what is trust. My
definition of (a state of) "trust" is this: Confident anticipation
backed by effective recourse. The "confident anticipation" is the
day to day operational reality; I commit a job or some data to your
computing queue and I am confident that it will return in the manner
I anticipate, confident enough that I deploy no armed guards. The
"effective recourse" is that I actually do know enough about where
that job or data is going that should something go wrong I then
would know what next to do to force you to make me whole -- to get
an effective recourse. This is the antithesis of saying that
everyone is my friend. Rudyard Kipling's poem "If" is a jewel, but
the cybersecurity practitioner's couplet is:

If neither foes nor loving friends can hurt you,
If all men count with you, but none too much;

Summing up what I have said so far, data is where the value is,
winners have the most data in motion whereas losers have too much,
applications are the skin on the data -- some more erotic than
others, the Internet's existence gives applications their universality
and some applications their raison d'etre, the end-to-end principle
is about trust placement, trust is not for sissies, and the central
discipline of secure design is that of choosing what failure modes
you are prepared to tolerate.

At the same time, a design and its implementation can diverge. At
least since Hugh Thompson published his famous Venn diagram, we've
known that security flaw is in that part of the implementation that
was not in the design. It is from that realization that I give you
what I know to be the paramount rule of all security engineering:
No Silent Failure.

We have nowhere to go but up with respect to a rule of "no silent
failure." The Verizon Data Breach Investigations Report shows that
data loss is overwhelmingly silent. Part of that silence is digital
physics -- if I steal your data, then you still have them, unlike
when I steal your underpants -- but the majority of that silence
is that there is no programmatic indicator of the data's cloning;
it is like a (UNIX) _fork_ operation, fast and cheap. [As an
historical aside, the late Dennis Ritchie wrote that the "PDP-7's
fork call required precisely 27 lines of assembly code."]

But the most telling legacy of Dennis Ritchie was that C had data
structures, data structures that operated at a level that was just
barely high enough. I've come to view parsimony of expressiveness
as a talisman against silent failure. Let me quote Don Davis, whose
code is probably running on every computer in this room:

The network-security industry has produced lots of examples
of over-rich expressiveness: RACF, firewall rules, and .htaccess
are my favorite examples. I argue that in computer security
applications, a language or UI should present a little _less_
expressiveness than expert administrators will find necessary,
so as not to help normal administrators to confuse themselves.
The problem is that every security rule-set has to be long-lived
and to change steadily. If the rule-set's syntax allows for
subtlety, then each rule-set's size and complexity tends only
to grow, never to shrink. This is because each security
administrator will tend to avoid analyzing whatever subtleties
have accumulated, and will instead blindly add special-case
allowances and constraints, so as to avoid breaking whatever
came before. The typical result is an unwieldy rule-set that
no human can understand, with unpredictable security holes.
Here, as remedy, are two rules of thumb: for security, avoid
designing order-dependent syntax, and avoid recursive features,
like groups of groups. Such features seem useful and innocuous,
but when administrators use them heavily, complexity mounts
destructively.

Don wrote that seven years ago. His distinction between programming
language and what an administrator uses may now be a distinction
without a difference, but that does not disable his point; it
strengthens it. PERL and Ruby and Java have too many ways to express
the same thing, to do the same thing, and they brag about how "there
is always another way." Each of the three are Turing complete.
Greater expressiveness seems to be the way things are going.

The work being done by Sergey Bratus, et al., at Dartmouth in the
"Langsec" group is instructive here. Quoting from their home page,

The Language-theoretic approach (LANGSEC) regards the Internet
insecurity epidemic as a consequence of ad hoc programming of
input handling at all layers of network stacks, and in other
kinds of software stacks. LANGSEC posits that the only path
to trustworthy software that takes untrusted inputs is treating
all valid or expected inputs as a formal language, and the
respective input-handling routines as a recognizer for that
language. The recognition must be feasible, and the recognizer
must match the language in required computation power.

When input handling is done in ad hoc way, the de facto
recognizer, i.e., the input recognition and validation code
ends up scattered throughout the program, does not match the
programmers' assumptions about safety and validity of data,
and thus provides ample opportunities for exploitation.
Moreover, for complex input languages the problem of full
recognition of valid or expected inputs may be UNDECIDABLE,
in which case no amount of input-checking code or testing will
suffice to secure the program. Many popular protocols and
formats fell into this trap, the empirical fact with which
security practitioners are all too familiar.

Viewed from the venerable perspective of Least Privilege, ...
computational power is privilege, and should be given as
sparingly as any other kind of privilege to reduce the attack
surface. We call this ... the Minimal Computational Power
Principle.

We note that recent developments in common protocols run
contrary to these principles. In our opinion, this heralds a
bumpy road ahead. In particular, HTML5 is Turing-complete,
whereas HTML4 was not.

There is a parallel between Bratus' "weird machine" construct and
my own training in statistical computation. When you look at the
numerical stability of a statistical computation you posit that the
result of the computation is correct for some problem and you measure
how different the problem that you gave is from the problem whose
solution you got. As Young, Boebert, & Kain said, "If a program
has not been specified, it cannot be incorrect; it can only be
surprising." Those "weird machines" have not been specified, they've
been discovered, and that includes discovery of weird machines in
standard protocols, which Marsh Ray and I enumerated in our "Vulnerable
Compliance" talk.

The Robustness Principle, as written by Jon Postel in RFC 793, is
to "be conservative in what you send, liberal in what you accept."
That principle explains why it is that browsers tolerate so much
bad HTML which, in turn, explains why so much bad HTML continues
to be written. Or Javascript. Or you-name-it. Both the Langsec
folks and I think it is time to simply repeal Postel's Law. Just
as the most ready way to put money on the bottom line is to not
spend it, the most ready way for the browser to be less vulnerable
to input-based attacks is for it to be unforgiving. This goes for
server-side code, too, of course. Until that repeal, Rik Farrow's
comment that the market leading browser is the most dangerous program
ever written still stands.

There is a growing interest in DevOps. As a strategy, DevOps
intentionally merges programming and administration, though this
merger is not designed for limiting expressiveness but rather to
"reduce the scope of changes" based on "the idea that all elements
of a technology infrastructure can be controlled through code." If
true, the latter -- that all elements of an infrastructure can be
controlled through code -- makes cybersecurity the only game in
town. As it happens, Sandy Clark's thesis work under Matt Blaze
analyzes frequent deployment as a security tool, that is to say how
releasing code often enough that your opponents' ability to analyze
your code is thwarted by what she calls "the Honeymoon Effect" --
which can be restated as when attack development has a cycle time
then you just modify your apps using a shorter cycle time. And
then you win. Later today, Josh Corman will work to convince you
that it is possible to write and deploy secure code at, as he says,
ludicrous speed. Perhaps as you listen to Josh's talk you can ask
whether constant sprints at ludicrous speed are in fact (1) inherent
limitations on expressiveness thus precluding error, (2) proof by
demonstration of the Honeymoon Effect, (3) a way to simply minimize
the otherwise long wait for code fixes to vulnerabilities found in
the field, or (4) something else altogether.

This brings us to cloud computing which I can't help but think of
as a variation on the theme of timesharing. In a blog about how
Seattle is building a planet-wide dominance in cloud computing, the
author made this assertion:

[There is an] important, often overlooked difference between
cloud computing and old-school time-share computing: minimal
bureaucracy between users and the cloud. Timeshare typically
allocated scarce resources via a bureaucratic process. In the
cloud, anybody with $5 can be the IT manager of their own
massive compute facility, at least for a little while.

While it is completely unfair of me to pick on that one paragraph,
here's where an economist would say: Price Allocates Scarcity. It
is not as if cloud computing is forgoing bureaucracy out of some
social principle. But to the point of this meeting, I'd be very
interested in some one of you doing a thoughtful, real-numbers
analysis of the impact of cloud computing's cheapness on code bloat.
Chris Wysopal, co-founder of Veracode, has observed that the size
of applications tends to rise after they are moved into the cloud
precisely because space becomes too cheap to meter -- developers
link against any library that contains even one call they care about
and, in any case, it's faster to just include everything. Bloat
like that doesn't matter to anyone except, perhaps, us security
people, and how we are supposed to measure it seems a research grade
problem to me.

Of course, the Software as a Service (SaaS) model has something
important going for it from our security point of view: when your
users stop using a copy of your software you get to stop pleading
with them to take their updates -- you can just force it down their
throat. Think of that as fluoridating the water supply instead of
begging people to not eat sweets. The security possibilities of
Software as a Service are real and unmistakable. Marcus Ranum's
position these days is that if we were really serious, then we would

Switch the whole planet from "you own this software" to "all
software is a service" and put in place an app store model for
everything (with the proviso that mission critical systems
could opt out if payment was escrowed far enough in advance).
Get the whole planet running a small common set of codebases
instead of the chaos of crap we're wading around in.

As it happens, I pretty much disagree with all of his comment but
it *is* a coherent idea that *does* lead in an identifiable direction
that *can* be imagined. It may even be the direction that we (the
capital-W "We") are going as by now everyone has seen the figures
for smartphone sales versus computer sales. Remember that a cell
phone network is not a public Internet and that a device that only
works on such a network is not a general purpose computer. This
triplet of ideas, that the smartphone is the new endpoint, that
appstores are the only suppliers, and that software is a service
not a product leads to the end of the general purpose computer as
a consumer durable.

I've written about this as has Cory Doctorow; let me read a litte
of Cory's commentary from his speech to the Chaos Computer Congress
this past December in Berlin:

The triviality of [the] copyright [battles] tell you that when
other sectors of the economy start to evince concerns about
the Internet and the PC, that copyright will be revealed for
a minor skirmish, and not a war. Why would other sectors nurse
grudges against computers? Well, because the world we live
in today is made of computers. We don't have cars anymore,
we have computers we ride in; we don't have airplanes anymore,
we have flying Solaris boxes with a big bucketful of SCADA
controllers; a 3D printer is not a device, it's a peripheral,
and it only works connected to a computer; a radio is no longer
a crystal, it's a general-purpose computer with a fast ADC and
a fast DAC and some software.

The grievances that arose from unauthorized copying are trivial,
when compared to the calls for action that our new
computer-embroidered reality will create. Think of radio for
a minute. The entire basis for radio regulation up until today
was based on the idea that the properties of a radio are fixed
at the time of manufacture, and can't be easily altered. You
can't just flip a switch on your baby monitor, and turn it
into something that interferes with air traffic control signals.
But powerful software-defined radios can change from baby
monitor to emergency services dispatcher to air traffic
controller just by loading and executing different software,
which is why the first time the ... FCC considered what would
happen when we put SDRs in the field, they asked for comment
on whether it should mandate that all software-defined radios
should be embedded in trusted computing machines, ... whether
every PC should be locked, so that the programs they run are
strictly regulated by central authorities.

Cory is laying out for us yet another evidence that cyber security,
or at least its tools, matter. In a sense, our longstanding wish
to be taken seriously has come; we will soon reflect on whether we
really wanted that.

Remember, security is about control and governments everywhere want
more of it. Michael Jay Gross goes further in his "World War 3.0"
column. Though he does not remind us that the Internet is a ecosystem
of applications, he does show that at the nation state level the
coming treatment of the Internet will embody the majority of the
seven deadly sins. As both Cory and Michael suggest, if you think
security technology is important now, you ain't seen nothing yet.

I would suggest that cyber security is like any other ecosystem and
that predators and prey evolve in response to each other. Under
the usual terminology of evolutionary biology, evolution shows
itself as a series of long quiet periods separated by shorter periods
of change, what is called "punctuated equilibria." Sentience on
the part of the competing life forms only makes the clock run faster;
the overall dynamic remains the same. There have been, to my count,
three great punctuations that bring us here today. You and I owe
the existence of our field to the first, which was the sudden
appearance of a TCP/IP stack in Microsoft Windows. That stack was
all in all a good thing to have, but it exposed an operating system
designed for a single owner/operator on, at most, a private net to
a world in which every sociopath is your next door neighbor. The
attack rate had a sudden and profound acceleration discontinuity
much like that when they light the solid fuel on the Space Shuttle.

The second punctuation came perhaps as much as five years ago when
the population of attackers changed over from braggarts to
professionals. Because braggarts are paid in bragging rights, their
discoveries become common knowledge quickly. Professionals, however,
are paid in money and their discoveries are intellectual property,
ergo their discoveries do not become common knowledge until they
have been milked of all the income they can produce. Put differently,
the better our opponents are the less we know about how they work
-- a fact true both in cybersecurity and in the intelligence game.

The third punctuation, in which we are presently swimming, is the
very thing that Cory and I talked about -- the death of the general
purpose computer. This death does very much make Marcus's prescription
a likely outcome, but let me remind you that this is absolutely an
example of trading freedom for security and if you are widely read,
then you will have absolutely zero confusion as to how that trade
will eventually play out whether your muse is Benjamin Franklin,
Emiliano Zapata, or Edward Gibbon.

If there is to be a fourth punctuation, it is the turning over of
our protections entirely to machines. I spoke about this at length
in February at the Suits and Spooks meeting and wrote about it in
two recent IEEE Security & Privacy columns. The core argument is
simply that when everything is connected all the time, the human
cybersecurity practitioner is largely a liability, not a failsafe.

The source of risk is dependence, especially dependence on expectations
of system state. As a term of biology, the virulence of a disease
is a measure of how fast it moves from me to you. Virulence in an
infectious organism is, interestingly, a marker for how good your
immune system is insofar as if your immune is quick and efficient
at killing Microbe X, then evolutionary selection pressure on Microbe
X will cause it to move faster (be more virulent) in proportion to
how good your immune system is.

Several years ago, I looked up the major virus attacks on cybersecurity
and, in particular, looked for the doubling time of the infected
population. I plotted the doubling time on a calendar timeline and
found a hyperbolic fall-off, i.e., virus pandemic events became
ever rarer but for those that did occur, their doubling times fell
away as if on a hyperbolic curve. This is exactly what one would
expect in the biologic world where an infectious agent and its
target species co-evolve. On the one hand, the immune system of
the target gets better so episodes of infection become locally rarer
over time. Simultaneously, those episodes that do occur involve a
mutated infectious agent that displays much higher virulence with
each pandemic outbreak.

If you argue that evolution is a force that does not depend on the
choice of its participants to play ball but is, instead, operating
without either their cooperation or their sentience, then one must
conclude that computer infections will tend to follow the same
general life cycle of decreasing frequency balanced by increasing
virulence.

In other words, by the time a truly virulent strain of something
appears, our dependence on the to-be-infected infrastructure will
be so complete as to guarantee collapse.

But let us flatly assume that Software as a Service is the future.
As someone who sees a lot of business plans, I can assure you that
step 5 in nearly all of them involves renting space from Amazon,
Microsoft, or somebody and that nearly none of them include in their
capital requirements the cost of building out data centers. Software
as a Service is very much more likely to be closed source than open
-- and may I add that you will have little way to determine if a
claim of open-ness is valid when, for example, you don't have a way
to compile that source or look at the binaries that the SaaS vendor
is actually running.

Closed source can be helpful to security if the programmers take
security seriously, and harmful if they don't. While Eric Raymond
is all but entirely correct that "given enough eyeballs, all bugs
are shallow," he is nevertheless wrong that this is a fact-of-Nature
requirement on how to build code if, in particular, the user cannot
actually see the code. SaaS, in other words, can single-handedly
demote the decompiler as the best attack tool and put the fuzzer
in its place.

When you believe that your code won't actually be seen by its users
because they are only buying it as a service, your tendency will
be to compete not on ease of installation, update, field supportability
or integrability, but rather on performance and the latency of
re-configuration. Your code will get more idiosyncratic and possibly
more clever. Two engineers who have built big systems have something
to say about this; first, Mike O'Dell, the founding Chief Scientist
of UUNet and now a venture capitalist, said:

Left to themselves, creative engineers will deliver the most
complicated system they think they can debug.

while Brian Kernighan, the co-inventor of C, said:

Debugging is twice as hard as writing the code in the first
place. Therefore, if you write the code as cleverly as possible,
you are, by definition, not smart enough to debug it.

Mitja Kolsek suggests that the way to think about the execution
space on the web today is that the client has become the server's
server. You are expected to intake what amount to Remote Procedure
Calls (RPCs) from everywhere and everyone. You are supposed to
believe that trust is transitive. That is what Javascript is. That
is what Flash is. That is what HTML5 is. That is what every
embedded Browswer Help Object (BHO) is.

. If you grab
. s7.addthis.com/js/250/addthis_widget.js#pubid=xa-4f27f6b13d07e361
. you will get a file that in turn pulls down javascript from
. hundreds of sites including, for example,
. vkontakte.ru, vkrugudruzei.ru, vybrali.sme.sk

If I were to walk up to you and say that you must open your machine
to RPCs just because I say so, then you would kick me out of your
office. But that is precisely what is being asked -- to accept
RPCs all day, every day, so that the showmen in both industry and
government can deliver their vision of the all singing, all dancing
"user experience." A cavalcade of RPCs can certainly be configured
to be not only performance enhancing but security enhancing, but
security enhancement is not the default outcome.

If you think that this is a small matter, think again. According
to the HTTP Archive, over the course of 2011 the average size of a
single web page grew by 25% to 784KB and the average number of
requests required to load that page increased 13% to 87. More to
my point, the average size of the Javascript in that page increased
by 45%, in one year(!). Because I personally refuse Javascript, I
can very much confirm that for me, the person who doesn't accept
incoming RPCs, the WWW is palpably shrinking. That is my fault,
but I can at least report it.

Instead of calling me a crank, at least for the moment, remind
yourself that when, in the name of security, we "lock down" an
operating system, we do so by removing functions, by reducing the
choice set of what might be running, by shrinking the attack surface.
The reason that the Web browser is the leading entry point for
malware is the number of choices that a browser offers up to whomever
is at the other end.

Lockdown is just one aspect of what someone might do in the name
of hardening. Let me make a point about that, however. Using the
terminology of metallurgy, we can harden in one of two ways. On
the one hand, we can pick a layer in the stack or wherever and case
harden that. If we make the whole product hard, it becomes brittle
-- we have to make only the surface hard. On the other hand, we
can make the metal shatter resistant but at the price of it being
malleable enough that if I hit it with a hammer it certainly will
not shatter but it will ding. Which kind of hardening we want
depends on the kinds of impacts you expect it to be exposed to when
in actual use.

Auto-update of software is a great thing so long as it is capable
of dealing with local anomalies. Generally speaking, you get a
better result if you don't try to analyze too much, just replace
the whole software package. This is a strategy that is, to a degree,
hardening of the embrittlement sort as a regular auto-update that
does what is in effect synchronization means that both update and
repair can use the same tool and you don't really have to know
whether you are updating or repairing. However, if anyone else
that doesn't like you ever gets control of your auto-update mechanism,
then it will be hard to ever pick up the pieces well enough to
truthfully say that you got back to where you were before the strike.

Just don't forget that total cycle time for a round of updates
matters. The coming Smart Grid, is, after all, an application
layered on top of the biggest machine in the world. Kelly Ziegler's
numbers indicate that should it be necessary to do a total update
of the firmware for all households on a fully deployed Smart Grid
it would take a year or so. What might we do differently?

A strategy of intrusion tolerance is different. It begins with the
assumption that your software package will be dinged often but, if
you did a good job in design, the dings won't make the package
unusable. This is an uglier process in practice, but under some
scenarios it is more survivable. Any of you who work for large
firms will have had some visibility if not input into your disaster
recovery plan. If that includes your software base, which I hope
it does, then the DR plan probably includes mechanisms for diminished
operation, which is precisely what I am talking about. In a way,
the Microsoft Address Space Layout Randomization (ASLR) is exactly
a strategy for intrusion tolerance; you may still get dinged but
the attacker will have less probability of getting a shatter. Just
an ugly ding.

Perhaps the most important thing you can do for us all is to ensure
that there is no silent failure. This means instrumentation, it
means well designed surveillance regimes, it means an attention to
the kind of metrics that come out of an airplane's black box, it
means keeping things simple enough that, well, there are fewer
surprises, and it may mean changing how you think about how you
make tradeoffs. Repeating Kernighan, if you write the code as
cleverly as possible, you are, by definition, not smart enough to
debug it.

Finally, because security is not composable (and may never be), be
very careful where the code you reuse comes from. Every time I see
a page larded up with more domains than I have fingers, I plan never
to visit them again. I know you have to compete; I ask that you
not end up in a race to the bottom.

And, perhaps above all else, remember that all security technology
is dual use.

There is never enough time. Thank you for yours.

-----------------8<------------cut-here------------8<-----------------

reference material

"Basics of the Unix Philosophy," www.faqs.org/docs/artu/ch01s06.html

"Build Security In," buildsecurityin.us-cert.gov

Barabasi L & Albert R, "Emergence of scaling in random networks,"
Science, v286 pp509-512, 15 October 1999.

Bratus S, Locasto ME, Patterson ML, Sassaman L, & Shubina A, "Exploit
Programming: from Buffer Overflows to Weird Machines and Theory of
Computation," USENIX Association ;login:, v36 n6, December 2011.

Clark DD & Blumenthal MS, "The End-to-End Argument and Application
Design: The Role of Trust," TPRC, 2007.

Clark S, Blaze B, Frei S & Smith J, "Familiarity Breeds Contempt:
The Honeymoon Effect and the Role of Legacy Code in Zero-Day
Vulnerabilities," ACSAC, 6-10 December 2010.

DARPA internet program, RFC 793, "Transmission Control Protocol
Specification," September 1981.

Davis, DT, personal communication, 27 January 2005.

Doctorow C, "Lockdown: The Coming War on General-Purpose Computing,"
keynote speech, Chaos Computer Congress, Berlin, 26 December 2011.

Farrow, R, "Internet Explorer is the most dangerous program ever
written," 30 June 2004.

Freedom to Tinker is hosted by Princeton's Center for Information
Technology Policy. freedom-to-tinker.com

Geer D, "People in the Loop: Are They a Failsafe or a Liability?,"
Invited Talk, Suits and Spooks, Washington DC, 8 February 2012.
Geer D, "Power. Law.," For Good Measure, IEEE Security & Privacy,
v10 n1 pp94-95, January/February 2012.
Geer D, "More or Less," Clear Text, IEEE Security & Privacy, v10
n1 p96, January/February 2012.

Geer DE & Ray M, "Vulnerable Compliance," USENIX Security Symposium,
Washington, D.C., August 12, 2010.
www.usenix.org/events/sec10/tech/tech.html#Geer

Gross MJ, "World War 3.0," Vanity Fair, May 2012.

Kolsek M, personal communication, 10 February 2012.

Nilsson E, "Seattle's Growing Advantage in The Cloud," 3 August 2010.
www.xconomy.com/seattle/2010/08/03/seattles-growing-advantage-in-the-cloud

Raymond E, "The Cathedral and the Bazaar," O'Reilly Media, 1999.

Ritchie DM, "The Evolution of the Unix Time-sharing System," Bell
Laboratories Technical Journal, v63 n6/2 pp1577-1593, October 1984.

Saltzer J, Reed D, & Clark DD, "End-to-End Arguments in System
Design," ACM Transactions on Computer Systems, v2 n4 pp277-288,
November 1984.

Thompson HH & Whittaker JA, "Testing for Software Security," Dr.
Dobbs Journal, v342 pp24-34, November 2002.

"Web Pages Are Getting More Bloated, and Here's Why,"
royal.pingdom.com/2011/11/21/web-pages-getting-bloated-here-is-why (
above based on "Trends," www.httparchive.org/trends.php )

"Verizon 2012 Data Breach Investigations Report," 22 March 2012.

Wysopal C, personal communication, 12 January 2012

Young WD, Boebert WE, & Kain RY "Proving a Computer System Secure,"
Scientific Honeyweller, v6 n2 pp18-27, July 1985.

Ziegler K, "Smart Grid, Cyber Security, and the Future of Keeping
the Lights On," USENIX Security Symposium, August 13, 2010.

--------

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
-- Benjamin Franklin

Better to die on one's feet than to live on one's knees.
-- Emiliano Zapata

In the end, more than freedom, they wanted security. They wanted
a comfortable life, and they lost it all -- security, comfort, and
freedom. When the Athenians finally wanted not to give to society
but for society to give to them, when the freedom they wished for
most was freedom from responsibility, then Athens ceased to be free
and was never free again.
-- Edward Gibbon

<noinclude>{{:OWASP AppSec DC 2012 Footer}}</noinclude>

OWASP AppSec DC 2012/Schedule/4-4-2012

2012-04-19T02:16:11Z

Mark.bristow:

{| border=1
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | '''Plenary Day 1 - 4/4/2012'''
|-
| width=72 valign=middle bgcolor=#7b8abd |
! width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | Offense & Tools Room 201
! width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | Case Studies Room 202A
! width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | IoMT Room 202B
! width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | Interrogate! Room 206
|-
| width=72 valign=middle bgcolor=#7b8abd | 7:30 AM - 8:50 AM
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Registration
|-
| width=72 valign=middle bgcolor=#7b8abd | 8:50 AM - 9:00 AM
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Welcome and Opening Remarks Room 202A
|-
| width=72 valign=middle bgcolor=#7b8abd | 9:00 AM - 10:00 AM
| align=center colspan=4 valign=middle height=60 bgcolor=#e0e0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Dan_Geer Keynote: Dan Geer] Room 202A
|-
| width=72 valign=middle bgcolor=#7b8abd | 10:00 AM - 10:45 AM
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/OWASP_Board OWASP Board] Room 202A
|-
| width=72 valign=middle bgcolor=#7b8abd | 10:45 AM - 11:00 AM
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 11:00 AM - 11:50 AM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/DOMJacking__Attack_Exploit_and_Defense|DOMJacking - Attack, Exploit and Defense]] video | [[media: ASDC12-DOMJacking_Attack_Exploit_and_Defense.pdf|slides]] Shreeraj Shah
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/The_Unfortunate_Reality_of_Insecure_Libraries|The Unfortunate Reality of Insecure Libraries]] video | [[media: ASDC12-The_Unfortunate_Reality_of_Insecure_Libraries.pdf|slides]] Jeff Williams and Arshan Dabirsiaghi
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Python_Basics_for_Web_App_Pentesters__Part_2|Python Basics for Web App Pentesters - Part 2]] video | [[media: ASDC12-Python_Basics_for_Web_App_Pentesters__Part_2.pdf|slides]] Justin Searle
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center rowspan=3 | [[OWASP_AppSec_DC_2012/Integrating_Application_Security_into_your_Lifecycle_andProcurement|Integrating Application Security into your Lifecycle and
Procurement]] video | slides Moderator: Jim Manico
|-
| width=72 valign=middle bgcolor=#7b8abd | 11:50 AM - 12:00 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 12:00 PM - 12:50 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Attacking_CAPTCHAs_for_Fun_and_Profit|Attacking CAPTCHAs for Fun and Profit]] video | [[media: ASDC12-Attacking_CAPTCHAs_for_Fun_and_Profit.pdf|slides]] Gursev Singh Kalra
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | GoatDroid video | slides Jack Manino
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Security_is_Dead_Long_Live_Rugged_DevOps_IT_at_LudicrousSpeed|Security is Dead. Long Live Rugged DevOps: IT at Ludicrous
Speed]] video | [[media: ASDC12-Security_is_Dead_Long_Live_Rugged_DevOps_IT_at_LudicrousSpeed.pdf|slides]] Joshua Corman
|-
| width=72 valign=middle bgcolor=#7b8abd | 12:50 PM - 2:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | No-Host Lunch
|-
| width=72 valign=middle bgcolor=#7b8abd | 2:30 PM - 3:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Hacking_NETC_Applications_The_Black_Arts|Hacking .NET(C#) Applications: The Black Arts]] video | [[media: ASDC12-Hacking_NETC_Applications_The_Black_Arts.pdf|slides]] Jon McCoy
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Security_at_scale_Web_application_security_in_a_continuousdeployment_environment|Security at scale: Web application security in a continuous
deployment environment]] video | [[media: ASDC12-Security_at_scale_Web_application_security_in_a_continuousdeployment_environment.pdf|slides]] Zane Lackey
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/The_Easy_Button_for_Your_Web_Application_Security_Career|The "Easy" Button for Your Web Application Security Career]] video | [[media: ASDC12-The_Easy_Button_for_Your_Web_Application_Security_Career.pdf|slides]] Salvador Grec
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center rowspan=3 | [[OWASP_AppSec_DC_2012/Risk_Analysis_and_Measurement_with_CWRAF|Risk Analysis and Measurement with CWRAF]] video | [[media:ASDC12-Risk Analysis and Measurement with CWRAF-1.pdf|slides]] Joe Jarzombek, Bob Martin, Walter Houser and Tom Brennan
|-
| width=72 valign=middle bgcolor=#7b8abd | 3:20 PM - 3:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 3:30 PM - 4:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/OWASP_Broken_Web_Applications_OWASP_BWA_10_Release|OWASP Broken Web Applications (OWASP BWA) 1.0 Release]] video | [[media: ASDC12-OWASP_Broken_Web_Applications_OWASP_BWA_10_Release.pdf|slides]] Chuck Willis
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Security_Is_Like_An_Onion_Thats_Why_It_Makes_You_Cry|Security Is Like An Onion, That's Why It Makes You Cry]] video | [[media: ASDC12-Security_Is_Like_An_Onion_Thats_Why_It_Makes_You_Cry.pdf|slides]] Michele Chubirka
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Anatomy_of_a_Logic_Flaw|Anatomy of a Logic Flaw]] video | [[media: ASDC12-Anatomy_of_a_Logic_Flaw.pdf|slides]] Charles Henderson and David Byrne

|-
| width=72 valign=middle bgcolor=#7b8abd | 4:20 PM - 4:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 4:30 PM - 5:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/New_and_Improved_Hacking_Oracle_from_Web|New and Improved Hacking Oracle from Web]] video | [[media: ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf|slides]] Sumit Siddharth
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/State_of_Web_Security|State of Web Security]] video | [[media: ASDC12-State_of_Web_Security.pdf|slides]] Robert Rowley
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Old_Webshells_New_Tricks__How_Persistent_Threats_haverevived_an_old_idea_and_how_you_can_detect_them|Old Webshells, New Tricks -- How Persistent Threats have
revived an old idea, and how you can detect them.]] video | [[media: ASDC12-Old_Webshells_New_Tricks_How_Persistent_Threats_haverevived_an_old_idea_and_how_you_can_detect_them.pdf|slides]] Ryan Kazanciyan
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center rowspan=3 | [[OWASP_AppSec_DC_2012/Fed_Panel|Fed Panel]] video | slides Moderator: Rex Booth 
Ron Ross, Joe Jarzombek, Kris Britton & Darren Death
|-
| width=72 valign=middle bgcolor=#7b8abd | 5:20 PM - 5:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 5:30 PM - 6:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Unraveling_some_of_the_Mysteries_around_DOMbased_XSS|Unraveling some of the Mysteries around DOM-based XSS]] video | [[media: ASDC12-Unraveling_some_of_the_Mysteries_around_DOMbased_XSS.pdf|slides]] Dave Wichers
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/2012_Global_Security_Report|2012 Global Security Report]] video | [[media: ASDC12-2012_Global_Security_Report.pdf|slides]] Tom Brennan and Nick Percoco
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Survivable_Software_for_CyberPhysical_Systems|Survivable Software for Cyber-Physical Systems]] video | [[media: ASDC12-Survivable_Software_for_CyberPhysical_Systems.pdf|slides]] Karen Mercedes Goertzel
|-
| width=72 valign=middle bgcolor=#7b8abd | 6:20 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Networking Opportunity in Room 207AB sponsored by: [[Image:SPL-LOGO-MED.png|link=https://www.trustwave.com/]]
|}

File:ASDC12-2012 Global Security Report.pdf

2012-04-19T02:15:57Z

Mark.bristow:

OWASP AppSec DC 2012/Schedule/4-5-2012

2012-04-19T02:13:54Z

Mark.bristow:

{| border=1
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | '''Plenary Day 2 - 4/5/2012'''
|-
| width=72 valign=middle bgcolor=#7b8abd |
! width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | Critical Infrastructure Room 201
! width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | Defend! Room 202A
! width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | On the Go Room 202B
! width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | SDLC Room 206
|-
| width=72 valign=middle bgcolor=#7b8abd | 7:30 AM - 9:00 AM
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Registration
|-
| width=72 valign=middle bgcolor=#7b8abd rowspan=2 | 9:00 AM - 9:50 AM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center rowspan=2 | [[OWASP_AppSec_DC_2012/Pentesting_Smart_Grid_Web_Apps|Pentesting Smart Grid Web Apps]] video | [[media: ASDC12-Pentesting_Smart_Grid_Web_Apps.pdf|slides]] Justin Searle
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Friends_dont_let_friends_store_passwords_in_source_code|Friends don't let friends store passwords in source code]] video | slides Neil Matatall
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center rowspan=2 | [[OWASP_AppSec_DC_2012/Smart_Bombs_Mobile_Vulnerability_and_Exploitation|Smart Bombs: Mobile Vulnerability and Exploitation]] video | [[media: ASDC12-Smart_Bombs_Mobile_Vulnerability_and_Exploitation.pdf|slides]] Kevin Johnson, John Sawyer and Tom Eston
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center rowspan=2 | [[OWASP_AppSec_DC_2012/Overcoming_the_Quality_vs_Quantity_Problem_in_SoftwareSecurity_Testing|Overcoming the Quality vs. Quantity Problem in Software
Security Testing]] video | [[media: ASDC12-Overcoming_the_Quality_vs_Quantity_Problem_in_SoftwareSecurity_Testing.pdf|slides]] Rafal Los
|-
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Web_Application_Defense_with_Bayesian_Attack_Analysis|Web Application Defense with Bayesian Attack Analysis]] video | [[media: ASDC12-Web_Application_Defense_with_Bayesian_Attack_Analysis.pdf|slides]] Ryan Barnett
|-
| width=72 valign=middle bgcolor=#7b8abd | 9:50 AM - 10:00 AM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 10:00 AM - 10:50 AM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Vulnerabilities_in_Industrial_Control_Systems|Vulnerabilities in Industrial Control Systems]] video | slides Kevin Hemsly
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Access_Control_Designs_and_Pitfalls|Access Control Designs and Pitfalls]] video | [[media: ASDC12-Access_Control_Designs_and_Pitfalls.pdf|slides]] Jim Manico
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Software_Security_Goes_Mobile|Software Security Goes Mobile]] video | slides Jacob West
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/Baking_In_Security_Sweet_Secure_Cupcakes|Baking In Security, Sweet, Secure, Cupcakes]] video | [[media: ASDC12-Baking_In_Security_Sweet_Secure_Cupcakes.pdf|slides]] Ken Johnson and Matt Ahrens
|-
| width=72 valign=middle bgcolor=#7b8abd | 10:50 AM - 11:00 AM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 11:00 AM - 11:50 AM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/AMI_Security|AMI Security]] video | [[media: ASDC12-AMI_Security.pdf|slides]] John Sawyer and Don Weber
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/SharePoint_Security_101|SharePoint Security 101]] video | [[media: ASDC12-SharePoint_Security_101.pdf|slides]] Rob Rachwald, Amichai Shulman and Noa Bar-Yosef
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Behind_Enemy_Lines__Practical_Triage_Approaches_to_MobileSecurity_Abroad__2012_Edition|Behind Enemy Lines - Practical& Triage Approaches to Mobile
Security Abroad - 2012 Edition]] video | [[media: ASDC12-Behind_Enemy_Lines_Practical_Triage_Approaches_to_MobileSecurity_Abroad_2012_Edition.pdf|slides]] Justin Morehouse
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/Understanding_IAST__More_Context_Better_Analysis|Understanding IAST - More Context, Better Analysis]] video | [[media: ASDC12-Understanding_IAST_More_Context_Better_Analysis.pdf|slides]] Jeff Williams
|-
| width=72 valign=middle bgcolor=#7b8abd | 11:50 AM - 1:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | No-Host Lunch
|-
| width=72 valign=middle bgcolor=#7b8abd | 1:30 PM - 2:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Project_Basecamp_News_from_Camp_4|Project Basecamp: News from Camp 4]] video | [[media:ASDC12-Project_Basecamp_News_from_Base_4.pdf|slides]] Reid Wightman
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Enterprise_Security_API_ESAPI_for_C_Plus_Plus|Enterprise Security API (ESAPI) for C Plus Plus]] video | [[media: ASDC12-Enterprise_Security_API_ESAPI_for_C_Plus_Plus.pdf|slides]] Dan Amodio
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/WhackaMobile_II_Mobile_App_Pen_Testing_with_the_MobiSecLive_Environment|Whack-a-Mobile II: Mobile App Pen Testing with the MobiSec
Live Environment]] video | [[media: ASDC12-WhackaMobile_II_Mobile_App_Pen_Testing_with_the_MobiSecLive_Environment.pdf|slides]] Kevin Johnson and Tony Delagrange
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP AppSec DC 2012/Proactive risk mitigation within the Software Development Lifecycle (SDLC)|Proactive risk mitigation within the Software Development Lifecycle (SDLC)]] video | slides Joe White
|-
| width=72 valign=middle bgcolor=#7b8abd | 2:20 PM - 2:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 2:30 PM - 3:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Real_world_backdoors_on_industrial_devices|Real world backdoors on industrial devices]] video | [[media: ASDC12-Real_world_backdoors_on_industrial_devices.pdf|slides]] Ruben Santamarta
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Dynamic_DASTWAF_Integration|Dynamic DAST/WAF Integration]] video | [[media: ASDC12-Dynamic_DASTWAF_Integration.pdf|slides]] Ryan Barnett
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/An_InDepth_Introduction_to_the_Android_Permissions_Modeland_How_to_Secure_MultiComponent_Applications|An In-Depth Introduction to the Android Permissions Model,
and How to Secure Multi-Component Applications]] video | [[media: ASDC12-An_InDepth_Introduction_to_the_Android_Permissions_Modeland_How_to_Secure_MultiComponent_Applications.pdf|slides]] Jeff Six
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/Teaching_an_Old_Dog_New_Tricks_Securing_Development_withPMD|Teaching an Old Dog New Tricks: Securing Development with
PMD]] video | [[media: ASDC12-Teaching_an_Old_Dog_New_Tricks_Securing_Development_with_PMD.pdf|slides]] Joe Hemler
|-
| width=72 valign=middle bgcolor=#7b8abd | 3:20 PM - 3:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 3:30 PM - 4:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Denial_of_Surface|Denial of Surface.]] video | [[media: ASDC12-Denial_of_Surface.pdf|slides]] Eireann Leverett
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Cloudbased_dWAF_A_Real_World_Deployment_Case_Study|Cloud-based dWAF: A Real World Deployment Case Study]] video | [[media: ASDC12-Cloudbased_dWAF_A_Real_World_Deployment_Case_Study.pdf|slides]] Alexander Meisel
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Android_in_the_Healthcare_Workplace_A_Case_Study|Android in the Healthcare Workplace: A Case Study]] video | [[media: ASDC12-Android_in_the_Healthcare_Workplace_A_Case_Study.pdf|slides]] Thomas Richards
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/What_can_an_Acquirer_do_to_prevent_developers_from_makedangerous_software_errors|What can an Acquirer do to prevent developers from make
dangerous software errors?]] video | [[media: ASDC12-What_can_an_Acquirer_do_to_prevent_developers_from_makedangerous_software_errors.pdf|slides]] Michele Moss and Don Davidson
|-
| width=72 valign=middle bgcolor=#7b8abd | 4:20 PM - 4:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 4:30 PM - 5:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Securing_Critical_Infrastructure|Securing Critical Infrastructure]] video | [[media: ASDC12-Securing_Critical_Infrastructure.pdf|slides]] Francis Cianfrocca and Bob Lam
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Using_PHPIDS_to_Understand_Attacks_Trends|Using PHPIDS to Understand Attacks Trends]] video | [[media: ASDC12-Using_PHPIDS_to_Understand_Attacks_Trends.pdf|slides]] Salvador Grec
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Mobile_Application_Security__Who_how_and_why|Mobile Application Security - Who, how and why]] video | [[media: ASDC12-Mobile_Application_Security_Who_how_and_why.pdf|slides]] Mike Park and Charles Henderson
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | [[OWASP_AppSec_DC_2012/Private_information_Protection_in_Cloud_Computing___LawsCompliance_and_Cloud_Security_Misconceptions|Private information Protection in Cloud Computing _ Laws,
Compliance and Cloud Security Misconceptions]] video | [[media: ASDC12-Private_information_Protection_in_Cloud_Computing_LawsCompliance_and_Cloud_Security_Misconceptions.pdf|slides]] Mikhail Utin and Daniil Utin
|-
| width=72 valign=middle bgcolor=#7b8abd | 5:20 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Closing Remarks Room 202A
|}

OWASP AppSec DC 2012/Schedule/4-4-2012

2012-04-19T02:06:27Z

Mark.bristow:

{| border=1
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | '''Plenary Day 1 - 4/4/2012'''
|-
| width=72 valign=middle bgcolor=#7b8abd |
! width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | Offense & Tools Room 201
! width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | Case Studies Room 202A
! width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | IoMT Room 202B
! width=200 valign=middle height=60 bgcolor=#b3ff99 align=center | Interrogate! Room 206
|-
| width=72 valign=middle bgcolor=#7b8abd | 7:30 AM - 8:50 AM
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Registration
|-
| width=72 valign=middle bgcolor=#7b8abd | 8:50 AM - 9:00 AM
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Welcome and Opening Remarks Room 202A
|-
| width=72 valign=middle bgcolor=#7b8abd | 9:00 AM - 10:00 AM
| align=center colspan=4 valign=middle height=60 bgcolor=#e0e0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Dan_Geer Keynote: Dan Geer] Room 202A
|-
| width=72 valign=middle bgcolor=#7b8abd | 10:00 AM - 10:45 AM
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center |[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/OWASP_Board OWASP Board] Room 202A
|-
| width=72 valign=middle bgcolor=#7b8abd | 10:45 AM - 11:00 AM
| align=center colspan=4 valign=middle height=30 bgcolor=#e0e0e0 align=center | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 11:00 AM - 11:50 AM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/DOMJacking__Attack_Exploit_and_Defense|DOMJacking - Attack, Exploit and Defense]] video | [[media: ASDC12-DOMJacking_Attack_Exploit_and_Defense.pdf|slides]] Shreeraj Shah
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/The_Unfortunate_Reality_of_Insecure_Libraries|The Unfortunate Reality of Insecure Libraries]] video | [[media: ASDC12-The_Unfortunate_Reality_of_Insecure_Libraries.pdf|slides]] Jeff Williams and Arshan Dabirsiaghi
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Python_Basics_for_Web_App_Pentesters__Part_2|Python Basics for Web App Pentesters - Part 2]] video | [[media: ASDC12-Python_Basics_for_Web_App_Pentesters__Part_2.pdf|slides]] Justin Searle
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center rowspan=3 | [[OWASP_AppSec_DC_2012/Integrating_Application_Security_into_your_Lifecycle_andProcurement|Integrating Application Security into your Lifecycle and
Procurement]] video | slides Moderator: Jim Manico
|-
| width=72 valign=middle bgcolor=#7b8abd | 11:50 AM - 12:00 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 12:00 PM - 12:50 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Attacking_CAPTCHAs_for_Fun_and_Profit|Attacking CAPTCHAs for Fun and Profit]] video | [[media: ASDC12-Attacking_CAPTCHAs_for_Fun_and_Profit.pdf|slides]] Gursev Singh Kalra
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | GoatDroid video | slides Jack Manino
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Security_is_Dead_Long_Live_Rugged_DevOps_IT_at_LudicrousSpeed|Security is Dead. Long Live Rugged DevOps: IT at Ludicrous
Speed]] video | [[media: ASDC12-Security_is_Dead_Long_Live_Rugged_DevOps_IT_at_LudicrousSpeed.pdf|slides]] Joshua Corman
|-
| width=72 valign=middle bgcolor=#7b8abd | 12:50 PM - 2:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | No-Host Lunch
|-
| width=72 valign=middle bgcolor=#7b8abd | 2:30 PM - 3:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Hacking_NETC_Applications_The_Black_Arts|Hacking .NET(C#) Applications: The Black Arts]] video | [[media: ASDC12-Hacking_NETC_Applications_The_Black_Arts.pdf|slides]] Jon McCoy
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Security_at_scale_Web_application_security_in_a_continuousdeployment_environment|Security at scale: Web application security in a continuous
deployment environment]] video | [[media: ASDC12-Security_at_scale_Web_application_security_in_a_continuousdeployment_environment.pdf|slides]] Zane Lackey
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/The_Easy_Button_for_Your_Web_Application_Security_Career|The "Easy" Button for Your Web Application Security Career]] video | [[media: ASDC12-The_Easy_Button_for_Your_Web_Application_Security_Career.pdf|slides]] Salvador Grec
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center rowspan=3 | [[OWASP_AppSec_DC_2012/Risk_Analysis_and_Measurement_with_CWRAF|Risk Analysis and Measurement with CWRAF]] video | [[media: ASDC12-Risk_Analysis_and_Measurement_with_CWRAF.pdf|slides]] Joe Jarzombek, Bob Martin, Walter Houser and Tom Brennan
|-
| width=72 valign=middle bgcolor=#7b8abd | 3:20 PM - 3:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 3:30 PM - 4:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/OWASP_Broken_Web_Applications_OWASP_BWA_10_Release|OWASP Broken Web Applications (OWASP BWA) 1.0 Release]] video | [[media: ASDC12-OWASP_Broken_Web_Applications_OWASP_BWA_10_Release.pdf|slides]] Chuck Willis
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/Security_Is_Like_An_Onion_Thats_Why_It_Makes_You_Cry|Security Is Like An Onion, That's Why It Makes You Cry]] video | [[media: ASDC12-Security_Is_Like_An_Onion_Thats_Why_It_Makes_You_Cry.pdf|slides]] Michele Chubirka
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Anatomy_of_a_Logic_Flaw|Anatomy of a Logic Flaw]] video | [[media: ASDC12-Anatomy_of_a_Logic_Flaw.pdf|slides]] Charles Henderson and David Byrne

|-
| width=72 valign=middle bgcolor=#7b8abd | 4:20 PM - 4:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 4:30 PM - 5:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/New_and_Improved_Hacking_Oracle_from_Web|New and Improved Hacking Oracle from Web]] video | [[media: ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf|slides]] Sumit Siddharth
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/State_of_Web_Security|State of Web Security]] video | [[media: ASDC12-State_of_Web_Security.pdf|slides]] Robert Rowley
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Old_Webshells_New_Tricks__How_Persistent_Threats_haverevived_an_old_idea_and_how_you_can_detect_them|Old Webshells, New Tricks -- How Persistent Threats have
revived an old idea, and how you can detect them.]] video | [[media: ASDC12-Old_Webshells_New_Tricks_How_Persistent_Threats_haverevived_an_old_idea_and_how_you_can_detect_them.pdf|slides]] Ryan Kazanciyan
| align=center width=200 valign=middle height=60 bgcolor=#b3ff99 align=center rowspan=3 | [[OWASP_AppSec_DC_2012/Fed_Panel|Fed Panel]] video | slides Moderator: Rex Booth 
Ron Ross, Joe Jarzombek, Kris Britton & Darren Death
|-
| width=72 valign=middle bgcolor=#7b8abd | 5:20 PM - 5:30 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=3 | Coffee Break
|-
| width=72 valign=middle bgcolor=#7b8abd | 5:30 PM - 6:20 PM
| align=center width=200 valign=middle height=60 bgcolor=#c0a0a0 align=center | [[OWASP_AppSec_DC_2012/Unraveling_some_of_the_Mysteries_around_DOMbased_XSS|Unraveling some of the Mysteries around DOM-based XSS]] video | [[media: ASDC12-Unraveling_some_of_the_Mysteries_around_DOMbased_XSS.pdf|slides]] Dave Wichers
| align=center width=200 valign=middle height=60 bgcolor=#ffdf80 align=center | [[OWASP_AppSec_DC_2012/2012_Global_Security_Report|2012 Global Security Report]] video | [[media: ASDC12-2012_Global_Security_Report.pdf|slides]] Tom Brennan and Nick Percoco
| align=center width=200 valign=middle height=60 bgcolor=#a0c0e0 align=center | [[OWASP_AppSec_DC_2012/Survivable_Software_for_CyberPhysical_Systems|Survivable Software for Cyber-Physical Systems]] video | [[media: ASDC12-Survivable_Software_for_CyberPhysical_Systems.pdf|slides]] Karen Mercedes Goertzel
|-
| width=72 valign=middle bgcolor=#7b8abd | 6:20 PM
| valign=middle height=30 bgcolor=#e0e0e0 align=center colspan=4 | Networking Opportunity in Room 207AB sponsored by: [[Image:SPL-LOGO-MED.png|link=https://www.trustwave.com/]]
|}

File:ASDC12-What can an Acquirer do to prevent developers from makedangerous software errors.pdf

2012-04-19T01:59:35Z

Mark.bristow:

File:ASDC12-WhackaMobile II Mobile App Pen Testing with the MobiSecLive Environment.pdf

2012-04-19T01:59:22Z

Mark.bristow:

File:ASDC12-Web Application Defense with Bayesian Attack Analysis.pdf

2012-04-19T01:59:04Z

Mark.bristow:

File:ASDC12-Using PHPIDS to Understand Attacks Trends.pdf

2012-04-19T01:58:49Z

Mark.bristow:

File:ASDC12-Unraveling some of the Mysteries around DOMbased XSS.pdf

2012-04-19T01:58:35Z

Mark.bristow:

File:ASDC12-Understanding IAST More Context Better Analysis.pdf

2012-04-19T01:58:12Z

Mark.bristow:

File:ASDC12-The Unfortunate Reality of Insecure Libraries.pdf

2012-04-19T01:57:53Z

Mark.bristow:

File:ASDC12-The Easy Button for Your Web Application Security Career.pdf

2012-04-19T01:57:40Z

Mark.bristow:

File:ASDC12-Teaching an Old Dog New Tricks Securing Development with PMD.pdf

2012-04-19T01:57:27Z

Mark.bristow:

File:ASDC12-Survivable Software for CyberPhysical Systems.pdf

2012-04-19T01:57:15Z

Mark.bristow:

File:ASDC12-State of Web Security.pdf

2012-04-19T01:57:03Z

Mark.bristow:

File:ASDC12-Smart Bombs Mobile Vulnerability and Exploitation.pdf

2012-04-19T01:56:50Z

Mark.bristow:

File:ASDC12-SharePoint Security 101.pdf

2012-04-19T01:55:59Z

Mark.bristow:

File:ASDC12-Security Is Like An Onion Thats Why It Makes You Cry.pdf

2012-04-19T01:55:46Z

Mark.bristow:

File:ASDC12-Security is Dead Long Live Rugged DevOps IT at LudicrousSpeed.pdf

2012-04-19T01:55:32Z

Mark.bristow:

File:ASDC12-Security at scale Web application security in a continuousdeployment environment.pdf

2012-04-19T01:55:13Z

Mark.bristow:

File:ASDC12-Securing Critical Infrastructure.pdf

2012-04-19T01:54:57Z

Mark.bristow:

File:ASDC12-Risk Analysis and Measurement with CWRAF-1.pdf

2012-04-19T01:54:39Z

Mark.bristow:

File:ASDC12-Real world backdoors on industrial devices.pdf

2012-04-19T01:53:34Z

Mark.bristow:

File:ASDC12-Python Basics for Web App Pentesters Part 2.pdf

2012-04-19T01:53:14Z

Mark.bristow:

File:ASDC12-Project Basecamp News from Base 4.pdf

2012-04-19T01:52:55Z

Mark.bristow:

File:ASDC12-Proactive Risk Mitigation within the Software Development Lifecycle.pdf

2012-04-19T01:52:42Z

Mark.bristow:

File:ASDC12-Private information Protection in Cloud Computing LawsCompliance and Cloud Security Misconceptions.pdf

2012-04-19T01:52:25Z

Mark.bristow:

File:ASDC12-Pentesting Smart Grid Web Apps.pdf

2012-04-19T01:51:53Z

Mark.bristow:

File:ASDC12-OWASP Broken Web Applications OWASP BWA 10 Release.pdf

2012-04-19T01:51:39Z

Mark.bristow:

File:ASDC12-Overcoming the Quality vs Quantity Problem in SoftwareSecurity Testing.pdf

2012-04-19T01:51:24Z

Mark.bristow:

File:ASDC12-Old Webshells New Tricks How Persistent Threats haverevived an old idea and how you can detect them.pdf

2012-04-19T01:51:05Z

Mark.bristow:

File:ASDC12-New and Improved Hacking Oracle From Web.pdf

2012-04-19T01:50:35Z

Mark.bristow:

File:ASDC12-Mobile Application Security Who how and why.pdf

2012-04-19T01:49:41Z

Mark.bristow:

File:ASDC12-Hacking NETC Applications The Black Arts.pdf

2012-04-19T01:48:52Z

Mark.bristow:

File:ASDC12-Enterprise Security API ESAPI for C Plus Plus.pdf

2012-04-19T01:48:38Z

Mark.bristow:

File:ASDC12-Dynamic DASTWAF Integration.pdf

2012-04-19T01:48:26Z

Mark.bristow:

File:ASDC12-Denial of Surface.pdf

2012-04-19T01:48:11Z

Mark.bristow:

File:ASDC12-Cloudbased dWAF A Real World Deployment Case Study.pdf

2012-04-19T01:47:56Z

Mark.bristow:

File:ASDC12-Behind Enemy Lines Practical Triage Approaches to MobileSecurity Abroad 2012 Edition.pdf

2012-04-19T01:47:39Z

Mark.bristow:

File:ASDC12-Baking In Security Sweet Secure Cupcakes.pdf

2012-04-19T01:45:32Z

Mark.bristow:

File:ASDC12-Attacking CAPTCHAs for Fun and Profit.pdf

2012-04-19T01:45:12Z

Mark.bristow: