<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Robert+H%27obbes%27+Zakon</id>
		<title>OWASP - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Robert+H%27obbes%27+Zakon"/>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php/Special:Contributions/Robert_H%27obbes%27_Zakon"/>
		<updated>2026-04-11T15:05:35Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.27.2</generator>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=WebAppSec.php:_Developing_Secure_Web_Applications&amp;diff=126671</id>
		<title>WebAppSec.php: Developing Secure Web Applications</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=WebAppSec.php:_Developing_Secure_Web_Applications&amp;diff=126671"/>
				<updated>2012-03-21T18:05:08Z</updated>
		
		<summary type="html">&lt;p&gt;Robert H'obbes' Zakon: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Training/WebAppSec:_Developing_Secure_Web_Applications AppSec DC 2012]&lt;br /&gt;
&lt;br /&gt;
AppSec USA 2011 - Course Sold out&lt;br /&gt;
&lt;br /&gt;
AppSec DC 2010 - see below&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]] &lt;br /&gt;
&lt;br /&gt;
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&amp;amp;groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
__NOTOC__ &lt;br /&gt;
==Description==&lt;br /&gt;
'''Course Length: 1 Day'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Web applications are the new frontier of wide‐spread security breaches. This tutorial will guide attendees through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP’s Top 10), along with how the proper development practices can mitigate their damage. Although examples covered are PHP‐based, much of the content is also applicable to other languages.&lt;br /&gt;
&lt;br /&gt;
This will be an updated, encore presentation of last year’s well received course.  Following are quotes from prior ''WebAppSec.php'' attendees:&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Presented in a very structured format.  Instructor knew his stuff.  Good presentations.&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Very knowledgeable!  Covered a lot of topics in a limited amount of time&amp;quot;''&lt;br /&gt;
 &lt;br /&gt;
:: ''&amp;quot;The presenter was excellent.  He didn't present an overload of information.  The day went very quickly and I am leaving with a lot of valuable information&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;The slides were excellent - full of good code examples and explanations&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Material that was presented was presented and covered well.  Instructor is very knowledgeable&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Handouts &amp;amp; presentation well organized &amp;amp; coordinated&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
All course registrants will receive printed materials and a certificate of completion which may be used for documenting CPE credits.&lt;br /&gt;
&lt;br /&gt;
==Student Requirements==&lt;br /&gt;
None&lt;br /&gt;
&lt;br /&gt;
==Objectives==&lt;br /&gt;
Skill: Any - some knowledge of web development will be helpful&lt;br /&gt;
&lt;br /&gt;
Attendees will gain the knowledge required to develop secure web applications, along with an understanding of various attack types against web apps and how they are mitigated by the proper coding techniques. The main learning objectives are:&lt;br /&gt;
# Developing the skills for securely coding web applications&lt;br /&gt;
# Reviewing existing web vulnerabilities and their impact&lt;br /&gt;
# Understanding how the proper development techniques mitigate known and some unknown web vulnerabilities&lt;br /&gt;
&lt;br /&gt;
==Instructor==&lt;br /&gt;
'''Instructor: Robert Zakon''' Robert Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non‐profits and government agencies on technology, information, and security architecture and infrastructure. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS &amp;amp; MS degrees from Case Western Reserve University in Computer Engineering &amp;amp; Science with concentrations in Philosophy &amp;amp; Psychology. His interests are diverse and can be explored at [http://www.Zakon.org www.Zakon.org] where his vitae is available.&lt;br /&gt;
&lt;br /&gt;
[[Category:AppSec_DC_2010_Training]] [[Category:Basic_Training]]&lt;/div&gt;</summary>
		<author><name>Robert H'obbes' Zakon</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=WebAppSec.php:_Developing_Secure_Web_Applications&amp;diff=126670</id>
		<title>WebAppSec.php: Developing Secure Web Applications</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=WebAppSec.php:_Developing_Secure_Web_Applications&amp;diff=126670"/>
				<updated>2012-03-21T18:04:02Z</updated>
		
		<summary type="html">&lt;p&gt;Robert H'obbes' Zakon: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Training/WebAppSec:_Developing_Secure_Web_Applications|OWASP AppSec DC 2012]&lt;br /&gt;
&lt;br /&gt;
AppSec USA 2011 - Course Sold out&lt;br /&gt;
&lt;br /&gt;
AppSec DC 2010 - see below&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]] &lt;br /&gt;
&lt;br /&gt;
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&amp;amp;groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
__NOTOC__ &lt;br /&gt;
==Description==&lt;br /&gt;
'''Course Length: 1 Day'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Web applications are the new frontier of wide‐spread security breaches. This tutorial will guide attendees through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP’s Top 10), along with how the proper development practices can mitigate their damage. Although examples covered are PHP‐based, much of the content is also applicable to other languages.&lt;br /&gt;
&lt;br /&gt;
This will be an updated, encore presentation of last year’s well received course.  Following are quotes from prior ''WebAppSec.php'' attendees:&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Presented in a very structured format.  Instructor knew his stuff.  Good presentations.&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Very knowledgeable!  Covered a lot of topics in a limited amount of time&amp;quot;''&lt;br /&gt;
 &lt;br /&gt;
:: ''&amp;quot;The presenter was excellent.  He didn't present an overload of information.  The day went very quickly and I am leaving with a lot of valuable information&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;The slides were excellent - full of good code examples and explanations&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Material that was presented was presented and covered well.  Instructor is very knowledgeable&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Handouts &amp;amp; presentation well organized &amp;amp; coordinated&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
All course registrants will receive printed materials and a certificate of completion which may be used for documenting CPE credits.&lt;br /&gt;
&lt;br /&gt;
==Student Requirements==&lt;br /&gt;
None&lt;br /&gt;
&lt;br /&gt;
==Objectives==&lt;br /&gt;
Skill: Any - some knowledge of web development will be helpful&lt;br /&gt;
&lt;br /&gt;
Attendees will gain the knowledge required to develop secure web applications, along with an understanding of various attack types against web apps and how they are mitigated by the proper coding techniques. The main learning objectives are:&lt;br /&gt;
# Developing the skills for securely coding web applications&lt;br /&gt;
# Reviewing existing web vulnerabilities and their impact&lt;br /&gt;
# Understanding how the proper development techniques mitigate known and some unknown web vulnerabilities&lt;br /&gt;
&lt;br /&gt;
==Instructor==&lt;br /&gt;
'''Instructor: Robert Zakon''' Robert Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non‐profits and government agencies on technology, information, and security architecture and infrastructure. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS &amp;amp; MS degrees from Case Western Reserve University in Computer Engineering &amp;amp; Science with concentrations in Philosophy &amp;amp; Psychology. His interests are diverse and can be explored at [http://www.Zakon.org www.Zakon.org] where his vitae is available.&lt;br /&gt;
&lt;br /&gt;
[[Category:AppSec_DC_2010_Training]] [[Category:Basic_Training]]&lt;/div&gt;</summary>
		<author><name>Robert H'obbes' Zakon</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Training/WebAppSec:_Developing_Secure_Web_Applications&amp;diff=126430</id>
		<title>OWASP AppSec DC 2012/Training/WebAppSec: Developing Secure Web Applications</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Training/WebAppSec:_Developing_Secure_Web_Applications&amp;diff=126430"/>
				<updated>2012-03-16T16:38:03Z</updated>
		
		<summary type="html">&lt;p&gt;Robert H'obbes' Zakon: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
{{:OWASP AppSec DC 2012 Header}}&lt;br /&gt;
==Description==&lt;br /&gt;
'''Course Length: 1 Day'''&lt;br /&gt;
&lt;br /&gt;
Web applications continue to be the frontier of wide-spread security breaches. This tutorial will guide attendees through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP's Top 10), along with how the proper development practices can mitigate their damage. Although examples covered are PHP-based, much of the content is also applicable to other languages.  &lt;br /&gt;
&lt;br /&gt;
'''''&amp;lt;span style=&amp;quot;color: #800000;&amp;quot;&amp;gt;This tutorial was sold out at AppSec USA 2011 - register early!&amp;lt;/span&amp;gt;'''''&lt;br /&gt;
&lt;br /&gt;
'''''&amp;lt;span style=&amp;quot;color: #008000;&amp;quot;&amp;gt;Now with HTML5 coverage&amp;lt;/span&amp;gt;'''''&lt;br /&gt;
==Student Requirements==&lt;br /&gt;
None&lt;br /&gt;
&lt;br /&gt;
==Objectives==&lt;br /&gt;
Audience: Technical, Operations, Enthusiast&amp;lt;br&amp;gt;&lt;br /&gt;
Skill Level: Intermediate&lt;br /&gt;
&lt;br /&gt;
Attendees will gain the knowledge required to develop secure web applications, along with an understanding of various attack types against web apps and how they are mitigated by the proper coding techniques. The main learning objectives are:&amp;lt;br&amp;gt;1. Developing the skills for securely coding web applications&amp;lt;br&amp;gt;2. Reviewing existing web vulnerabilities and their impact&amp;lt;br&amp;gt;3. Understanding how the proper development techniques mitigate known and some unknown web vulnerabilities&lt;br /&gt;
&lt;br /&gt;
Attendees will also be provided with references for additional information on vulnerabilities, testing tools, etc.&lt;br /&gt;
==Feedback from Prior WebAppSec Attendees==&lt;br /&gt;
::&amp;quot;''Great coverage for a complicated and broad ranged subject matter. Just the right mix of generalization and technical coverage for developers and management''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''The information was very useful and current. I've learned things that I can immediately implement in my code.''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''Presented in a very structured format. Instructor knew his stuff. Good presentations.''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''The slides were excellent - full of good code examples and explanations''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''Very knowledgeable! Covered a lot of topics in a limited amount of time''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''The presenter was excellent. He didn't present an overload of information. The day went very quickly and I am leaving with a lot of valuable information''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''Material that was presented was presented and covered well. Instructor is very knowledgeable''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''Handouts &amp;amp; presentation well organized &amp;amp; coordinated''&amp;quot;&lt;br /&gt;
==Instructor==&lt;br /&gt;
Robert H'obbes' Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non-profits and government agencies on technology, information, and security architecture and infrastructure. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS &amp;amp; MS degrees from Case Western Reserve University in Computer Engineering &amp;amp; Science with concentrations in Philosophy and Psychology. His interests are diverse and can be explored at [http://www.Zakon.org www.Zakon.org] where his vitae is available.&lt;br /&gt;
[[Category:AppSec_DC_2012_Training]]&lt;br /&gt;
{{:OWASP AppSec DC 2012 Footer}}&lt;/div&gt;</summary>
		<author><name>Robert H'obbes' Zakon</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Robert_H%27obbes%27_Zakon&amp;diff=122953</id>
		<title>User:Robert H'obbes' Zakon</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Robert_H%27obbes%27_Zakon&amp;diff=122953"/>
				<updated>2012-01-19T14:18:13Z</updated>
		
		<summary type="html">&lt;p&gt;Robert H'obbes' Zakon: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[http://www.zakon.org www.Zakon.org]&lt;/div&gt;</summary>
		<author><name>Robert H'obbes' Zakon</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012&amp;diff=122952</id>
		<title>OWASP AppSec DC 2012</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012&amp;diff=122952"/>
				<updated>2012-01-19T14:16:52Z</updated>
		
		<summary type="html">&lt;p&gt;Robert H'obbes' Zakon: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__ &lt;br /&gt;
&lt;br /&gt;
{{:OWASP AppSec DC 2012 Header}}&lt;br /&gt;
&lt;br /&gt;
=Welcome= &lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;width: 100%; color: rgb(0, 0, 0);&amp;quot; | &lt;br /&gt;
{| style=&amp;quot;border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;width: 95%; color: rgb(0, 0, 0);&amp;quot; | &lt;br /&gt;
We are pleased to announce that the [http://www.owasp.org/index.php/Washington_DC OWASP DC chapter] will host the OWASP AppSecDC 2012 conference in Washington, DC. The AppSecDC conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals. &lt;br /&gt;
&lt;br /&gt;
AppSecDC 2012 will be held at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] ([http://maps.google.com/maps?q=801+Mount+Vernon+Place+NW+Washington,+DC+20001&amp;amp;oe=utf-8&amp;amp;client=firefox-a&amp;amp;ie=UTF8&amp;amp;split=0&amp;amp;gl=us&amp;amp;ei=kSntSYT5B5WOMvOWzPUP&amp;amp;ll=38.904977,-77.022979&amp;amp;spn=0.00895,0.019977&amp;amp;z=16&amp;amp;iwloc=A 801 Mount Vernon Place NW Washington, DC 20001]) on April 2nd through 5th 2012. &lt;br /&gt;
&lt;br /&gt;
'''Who Should Attend AppSec DC:''' &lt;br /&gt;
&lt;br /&gt;
*Application Developers &lt;br /&gt;
*Application Testers and Quality Assurance &lt;br /&gt;
*Application Project Management and Staff &lt;br /&gt;
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff &lt;br /&gt;
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance &lt;br /&gt;
*Security Managers and Staff &lt;br /&gt;
*Executives, Managers, and Staff Responsible for IT Security Governance &lt;br /&gt;
*IT Professionals Interested in Improving IT Security&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''[[OWASP AppSec DC 2012 - FAQ|Conference FAQ]]'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Mediawiki needs all these spaces --&amp;gt; &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Twitter Box --&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| style=&amp;quot;border: 0px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0);&amp;quot; | &amp;lt;!-- DON'T REMOVE ME, I'M STRUCTURAL --&amp;gt; &lt;br /&gt;
[[Image:Threestarforsite.png]] &lt;br /&gt;
&lt;br /&gt;
{|&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);&amp;quot; | &lt;br /&gt;
Use the '''[http://search.twitter.com/search?q=%23ASDC10 #ASDC12]''' hashtag for your tweets for AppSec DC (What are [http://hashtags.org/ hashtags]?) &lt;br /&gt;
&lt;br /&gt;
'''@AppSecDC Twitter Feed ([http://twitter.com/AppSecDC follow us on Twitter!])''' &amp;lt;twitter&amp;gt;34534108&amp;lt;/twitter&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| style=&amp;quot;width: 110px; font-size: 95%; color: rgb(0, 0, 0);&amp;quot; | &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
| style=&amp;quot;width: 110px; font-size: 95%; color: rgb(0, 0, 0);&amp;quot; | &lt;br /&gt;
|}&lt;br /&gt;
&amp;lt;!-- End Banner --&amp;gt; &lt;br /&gt;
&lt;br /&gt;
=CFP=&lt;br /&gt;
===NOTICE===&lt;br /&gt;
'''Many of you have written to us asking about the requirement for a paper in our CFP hosted on EasyChair.  Due to an unforeseen change in the way EasyChair works, you are no longer able to configure a submission to require only an abstract as we thought we had done, and done in the past.  To be clear, we are ***NOT*** requiring papers with our CFP submissions.  As we have already started the CFP and cannot move the platform, we ask that anyone who does not have a paper simply submit their abstract as a .txt file to satisfy the system's requirement to upload a paper.'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
We apologize for this inconvenience and the confusion it has caused and, as a result of the confusion, we are extending the AppSec DC CFP deadline to '''February 17th 2012 at 11:59 EST''' to allow all to submit their topics.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===Submissions===&lt;br /&gt;
Submit papers to http://cfp.appsecdc.org.  Submission deadline is February 17th 2012.  Inquiries can be made to cfpATappsecdcDOTorg.&lt;br /&gt;
&lt;br /&gt;
To submit a paper, you will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===Topics===&lt;br /&gt;
In accordance with the broader OWASP mission stemming from the 2011 OWASP Global Summit, AppSec DC is working to reflect the move of OWASP towards embracing all facets of Application Security, and not restricting its content strictly to the realm of web applications. Therefore we invite all practitioners of application security and those who work with or interact with all facets of application security to submit papers and participate in the conference.&lt;br /&gt;
&lt;br /&gt;
The AppSec DC 2012 Content Committee is seeking presentations in the following subject areas:&lt;br /&gt;
&lt;br /&gt;
*OWASP Projects&lt;br /&gt;
*Research in Application Security Defense (Defense &amp;amp; Countermeasures)&lt;br /&gt;
*Research in Application Security Offense (Vulnerabilities &amp;amp; Exploits)&lt;br /&gt;
*Web Application Security&lt;br /&gt;
*Critical Infrastructure Security&lt;br /&gt;
*Mobile Security&lt;br /&gt;
*Government Initiatives &amp;amp; Government Case Studies&lt;br /&gt;
*Effective Case studies in Policy, Governance, Architecture or Life Cycle&lt;br /&gt;
*and other application security topics&lt;br /&gt;
&lt;br /&gt;
Submit papers to http://cfp.appsecdc.org.  Submission deadline is February 17th 2012.  Inquiries can be made to cfpATappsecdcDOTorg.&lt;br /&gt;
&lt;br /&gt;
To submit a paper, you will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.&lt;br /&gt;
&lt;br /&gt;
Additional information can be found in the [[OWASP AppSec DC 2012 - FAQ|Conference FAQ]].  &lt;br /&gt;
&lt;br /&gt;
= Registration  =&lt;br /&gt;
&lt;br /&gt;
== Register [http://reg.appsecdc.org Here]  ==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Registration is now '''&amp;lt;span style=&amp;quot;color:#0f0&amp;quot;&amp;gt;OPEN&amp;lt;/span&amp;gt;'''.&amp;lt;br&amp;gt;&lt;br /&gt;
You can register at '''[http://reg.appsecdc.org http://reg.appsecdc.org]'''&lt;br /&gt;
&lt;br /&gt;
===Registration Fees===&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Ticket Type&lt;br /&gt;
! Early (until 2/1)&lt;br /&gt;
! Regular Price (until 3/15)&lt;br /&gt;
! Late (after 3/15)&lt;br /&gt;
|-&lt;br /&gt;
| Non-Member&lt;br /&gt;
| style=&amp;quot;background: #cef2e0;&amp;quot; | $445.00&lt;br /&gt;
| $495.00&lt;br /&gt;
| $545.00&lt;br /&gt;
|-&lt;br /&gt;
| Non-Member plus 1 year OWASP Membership!&lt;br /&gt;
| style=&amp;quot;background: #cef2e0;&amp;quot; | $445.00&lt;br /&gt;
| $495.00&lt;br /&gt;
| $545.00&lt;br /&gt;
|-&lt;br /&gt;
| Active OWASP Member&lt;br /&gt;
| style=&amp;quot;background: #cef2e0;&amp;quot; | $395.00&lt;br /&gt;
| $445.00&lt;br /&gt;
|  $495.00&lt;br /&gt;
|-&lt;br /&gt;
| Student&lt;br /&gt;
| style=&amp;quot;background: #cef2e0;&amp;quot; | $75.00&lt;br /&gt;
| $75.00&lt;br /&gt;
| $100.00&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Course&lt;br /&gt;
! Fee&lt;br /&gt;
|-&lt;br /&gt;
| 1 Day Training&lt;br /&gt;
| $745 &lt;br /&gt;
|-&lt;br /&gt;
| 2 Day Training&lt;br /&gt;
| $1495&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
'''ATTENTION FEDERAL EMPLOYEES:  Enter code ASDC12FED for $100 off, limited time only!''' (must register with your .gov or .mil email address)&lt;br /&gt;
&amp;lt;br&amp;gt; For the student discount, attendees must present proof of enrollment when picking up their badge.&lt;br /&gt;
&lt;br /&gt;
'''Group Discounts'''&lt;br /&gt;
* 10% off for groups of 10-19&lt;br /&gt;
* 20% off for groups of 20-29&lt;br /&gt;
* 30% off for groups of 30 or more&lt;br /&gt;
&lt;br /&gt;
===Who Should Attend AppSec DC 2012=== &lt;br /&gt;
&lt;br /&gt;
*Application Developers &lt;br /&gt;
*Application Testers and Quality Assurance &lt;br /&gt;
*Application Project Management and Staff &lt;br /&gt;
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff &lt;br /&gt;
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance &lt;br /&gt;
*Security Managers and Staff &lt;br /&gt;
*Executives, Managers, and Staff Responsible for IT Security Governance &lt;br /&gt;
*IT Professionals Interested in Improving IT Security&lt;br /&gt;
*Anyone interested in learning about or promoting Web Application Security&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Volunteer  =&lt;br /&gt;
&lt;br /&gt;
== Volunteers Needed!  ==&lt;br /&gt;
&lt;br /&gt;
Get involved! &lt;br /&gt;
&lt;br /&gt;
We will take all the help we can get to pull off the best Web Application Security Conference of the year! &lt;br /&gt;
&lt;br /&gt;
More opportunities and areas will be added as time goes on. Our [http://www.owasp.org/images/f/f1/OWASP_DCAppSec_Vol_Guide.pdf Volunteer Guide] can be downloaded which outlines some of the responsibilities and available positions.&lt;br /&gt;
&lt;br /&gt;
To volunteer please email [mailto:volunteers@appsecdc.org volunteers@appsecdc.org]&lt;br /&gt;
&lt;br /&gt;
= Schedule  =&lt;br /&gt;
&lt;br /&gt;
{{:OWASP AppSec DC 2012 Schedule}}&lt;br /&gt;
&lt;br /&gt;
= Training  =&lt;br /&gt;
&lt;br /&gt;
== Training  ==&lt;br /&gt;
Call for papers is now OPEN until December 15th 2011.  Submit proposals to [https://docs.google.com/a/owasp.org/spreadsheet/viewform?hl=en_US&amp;amp;formkey=dGZGcy0tRlpBb0pZaWROeVFyZGdmckE6MQ#gid=0 http://training.appsecdc.org]&lt;br /&gt;
&lt;br /&gt;
OWASP strives to provide world class training for a variety of skill levels and interests at its conferences.  From the novice to the expert, developers to managers, there is a training course at AppSec DC for you!  Classes will begin at 9 AM each day and run until 5 PM (Daily schedule set by the trainer).  Morning refreshments and lunch will be provided.  Check each course for the required materials.&lt;br /&gt;
&lt;br /&gt;
Price per attendee (conference Registration is a separate item): &lt;br /&gt;
* 2-Day Class $1495&lt;br /&gt;
* 1-Day Class $745&lt;br /&gt;
&lt;br /&gt;
== 2 Day Classes ==&lt;br /&gt;
==='''Assessing and Exploiting Web Applications with Samurai-WTF''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Assessing and Exploiting Web Applications with Samurai-WTF|Course Detail]]===&lt;br /&gt;
Come take the official Samurai-WTF training course given by the two founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools as well as the latest techniques to perform web application penetration tests. After a quick overview of pen testing methodology, the instructors will lead you through the penetration and exploitation of various web applications, including client side attacks using flaws within the application. Different sets of open source tools will be used on each web application, allowing you to learn first hand the pros and cons of each tool. After you have gained experience with the Samurai-WTF tools, you will be challenged with a capture the flag event. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools. &lt;br /&gt;
&lt;br /&gt;
==='''Building Secure Android Apps''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Building Secure Android Apps|Course Detail]]===&lt;br /&gt;
The course focuses on building secure mobile applications for the Android platform.  Students will learn about the Android security model and platform security features. They will be introduced to mobile application threat modeling, and learn how to apply the outcomes of threat modeling directly into their design and development processes.  The OWASP Mobile Top 10 Risks and Controls will be covered at great length.&amp;lt;br&amp;gt; &amp;lt;br&amp;gt;After students are taught foundational information, they will learn how to properly use the various Android components and APIs to reduce the amount of vulnerabilities within production code.  Hands-on labs will use the vulnerable mobile Android applications provided by the OWASP GoatDroid project.  Students will learn many techniques for performing source code reviews, penetration testing, and forensic analysis of Android applications. Hands-on exercises represent a large portion of the course.  Each concept presented will include examples of insecure and secure code, along with strategies for remediation. By teaching students how to identify and exploit various security flaws, they will gain a greater understanding of how the security controls actually protect their applications.&amp;lt;br&amp;gt; &amp;lt;br&amp;gt;At the end of this two-day course, attendees should understand how to build secure applications, perform source code reviews, and perform penetration testing for Android applications. They will also understand and be able to demonstrate expertise at applying security controls to applications for addressing many security defects. Each student will ultimately take back with them to their workplace a repeatable and reliable methodology for building and maintaining secure Android applications.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==='''Defense Against The Dark Arts - ESAPI''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Defense Against The Dark Arts - ESAPI|Course Detail]]===&lt;br /&gt;
This course will focus on using the OWASP ESAPI for Java to solve real-world security issues. In the course students will learn how to leverage the ESAPI library to design and implement reusable security controls in an enterprise environment. This is a laptops-out event and students will walk away with a toolkit of reusable components that they can use in real situations to solve security issues in Java applications.&lt;br /&gt;
&lt;br /&gt;
==='''Secure Web Application Development Training''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Secure Web Application Development Training|Course Detail]]===&lt;br /&gt;
Writing secure code is the most effective method of securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisation's brand. Application security is not commonly a part of many computer science curricula today and most organizations have not focused on instituting a culture that includes application security as a core part of their software development training efforts. This intensive one-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code. &lt;br /&gt;
&lt;br /&gt;
==='''The Art of exploiting Injection Flaws''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/The Art of exploiting Injection Flaws|Course Detail]]===&lt;br /&gt;
OWASP rates injection flaws as the most critical vulnerability within the Top 10 Most Critical Web Application Security Risks under the OWASP Top 10 project. http://www.owasp.org/index.php/Top_10_2010-A1&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;This hands-on session will focus only on injection flaws, and the attendees will get an &amp;quot;in-depth&amp;quot; understanding of the flaws arising from this vulnerability. The topics covered in the class are:&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;SQL Injection&amp;lt;br&amp;gt;XPATH Injection&amp;lt;br&amp;gt;LDAP Injection&amp;lt;br&amp;gt;Hibernate Query Language Injection&amp;lt;br&amp;gt;Direct OS Code Injection&amp;lt;br&amp;gt;XML Entity Injection&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;The workshop covers classical issues such as SQL Injection, which is an oldie yet very relevant in today's scenario, as well as some lesser known injection flaws such as LDAP, XPATH and XML Injection.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;During the 2-day course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered.&lt;br /&gt;
&lt;br /&gt;
==='''Virtual Patching Workshop''' | 2 Day | [[OWASP_AppSec_DC_2012/Training/Virtual Patching Workshop|Course Detail]]===&lt;br /&gt;
Identification of web application vulnerabilities is only half the battle, with remediation efforts as the other. Let's face the facts: there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;This workshop is intended to provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the workshop, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new Lua programming language API. The goal of this workshop is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.&lt;br /&gt;
&lt;br /&gt;
== 1 Day Classes ==&lt;br /&gt;
==='''Application Source Code Analysis - Discovering Vulnerabilities in Web 2.0, HTML5 and RIA ''' | 1 Day | [[OWASP_AppSec_DC_2012/Training/Application Source Code Analysis - Discovering Vulnerabilities in Web 2.0, HTML5 and RIA |Course Detail]]===&lt;br /&gt;
Enterprise application source code, independent of languages and platforms, is a major source of vulnerabilities. The class is designed and developed to focus on enterprise architecture and application analytics to discover vulnerabilities across Web 2.0, RIA and HTML5.  We will be covering analysis techniques, with tools, for assessment and review of enterprise application source code. It is imperative to know source code review methodologies and strategies for analysis. The emphasis of the class would be to develop a complete understanding of source code analysis, techniques and tools to address top set of vulnerabilities. Knowledge gained would help in analyzing and securing next generation enterprise applications at all different stages - architecture, design and/or development. The course is designed and delivered by the author of &amp;quot;Web Hacking: Attacks and Defenses&amp;quot;, &amp;quot;Hacking Web Services&amp;quot; and &amp;quot;Web 2.0 Security - Defending Ajax, RIA and SOA&amp;quot;, bringing his experience in application security and research to the curriculum. &lt;br /&gt;
&lt;br /&gt;
==='''Mobile Hacking and Securing''' | 1 Day | [[OWASP_AppSec_DC_2012/Training/Mobile Hacking and Securing|Course Detail]]===&lt;br /&gt;
Students will discover mobile hacking techniques for Android and iPhone. They will understand the platform security models, device security models, app analysis, file system analysis and runtime analysis for these popular mobile operating systems.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;This course will provide students with the knowledge necessary to assess mobile app security including what hackers look for in mobile apps. Hacking apps themselves will equip them with the skills required to protect their own apps from attacks.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;Students will come out with an understanding of the pitfalls to mobile device security and the importance of developing mobile apps securely. They will learn the concepts necessary to securely develop mobile in your organization.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==='''Practical Threat Modeling''' | 1 Day | [[OWASP_AppSec_DC_2012/Training/Pratical Threat Modeling|Course Detail]]===&lt;br /&gt;
Threat modeling is gaining traction as a fundamental application security activity. In this class students learn about the attacks that their applications may face and then both formal and informal approaches to threat modeling. Using a fictional scenario, students perform all the activities of a threat model on a complex application - including analyzing design documents and role-playing interviews. Students learn about the industry standard formal threat modeling process as well as Facilitated Application Threat Modeling: a 1-day approach to threat modeling pioneered by Security Compass. Students will also be taught about Security Compass's unique source-code/design-pattern level threat modeling.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==='''WebAppSec: Developing Secure Web Applications''' | 1 Day | [[OWASP_AppSec_DC_2012/Training/WebAppSec: Developing Secure Web Applications|Course Detail]]===&lt;br /&gt;
Web applications continue to be the frontier of wide-spread security breaches. This tutorial will guide through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP's Top 10), along with how the proper development practices can mitigate their damage. Although examples covered are PHP-based, much of the content is also applicable to other languages.  &amp;lt;span style=&amp;quot;color: #800000;&amp;quot;&amp;gt;This course was sold out at AppSec USA 2011.&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Contests  =&lt;br /&gt;
&lt;br /&gt;
== OWASP Member Door Prizes! ==&lt;br /&gt;
Are you an [[Membership|OWASP Member]]?  At AppSecDC we will be giving away some amazing door prizes to some randomly selected OWASP members in attendance.  You HAVE to be an OWASP member to be eligible, but if you're not, you can easily add the $50 annual membership to your conference ticket and receive $50 off admission.  That's right, '''FREE OWASP MEMBERSHIP''' when combined with AppSec DC Registration!  So remember to [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Register] today with your OWASP membership!&lt;br /&gt;
&lt;br /&gt;
This year's contests vary in length, challenges, objectives and the skill-set of the participants. The goal of this year's ASDC challenges is to include application security folks of all backgrounds, from developers to ninjas, and to do so in a fun environment that keeps contestants scratching their heads.&lt;br /&gt;
Contestants have the option of either participating in a more relaxed environment with shorter contest length or going for the more intense route.&lt;br /&gt;
Contests consist of:&lt;br /&gt;
&lt;br /&gt;
TBD&lt;br /&gt;
&lt;br /&gt;
= Venue  =&lt;br /&gt;
&lt;br /&gt;
== Walter E. Washington Convention Center  ==&lt;br /&gt;
&lt;br /&gt;
AppSec DC 2012 will be taking place at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] in downtown Washington DC. &lt;br /&gt;
&lt;br /&gt;
The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro], and only a few blocks from our convention hotel, the [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] (reserve rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&amp;amp;eventID=1401279&amp;amp;fromResdesk=true here]). &lt;br /&gt;
&lt;br /&gt;
[http://www.dcconvention.com/ http://www.owasp.org/images/8/85/Screen_shot_2009-10-03_at_12.55.55_PM.png]&lt;br /&gt;
&lt;br /&gt;
= Hotel  =&lt;br /&gt;
&lt;br /&gt;
Hotel contracts are TBD&lt;br /&gt;
&lt;br /&gt;
=Sponsors  =&lt;br /&gt;
&lt;br /&gt;
== Sponsors  ==&lt;br /&gt;
&lt;br /&gt;
We are currently soliciting sponsors for the AppSec DC Conference. Please refer to our '''[https://www.owasp.org/images/d/df/APPSEC_DC_2012_sponsorships_v1.pdf sponsorship opportunities]''' for details. &lt;br /&gt;
Please contact us at [mailto:sponsors@appsecdc.org sponsors@appsecdc.org] for sponsorship opportunities.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Slots are going fast so contact us to sponsor today! --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Travel  =&lt;br /&gt;
&lt;br /&gt;
== Traveling to the DC Metro Area  ==&lt;br /&gt;
&lt;br /&gt;
The Washington DC Area is serviced by three airports -- [http://www.metwashairports.com/national/ Reagan National (DCA)], [http://www.metwashairports.com/Dulles/ Dulles (IAD)], and [http://www.bwiairport.com/en Thurgood Marshall Baltimore/Washington International (BWI)]. All currently have available transportation to downtown DC via public transportation, shuttles, or cab. &lt;br /&gt;
&lt;br /&gt;
Washington DC is also serviced by [http://www.amtrak.com Amtrak], [http://www.vre.org/ VRE], and [http://www.mtamaryland.com/services/marc/ MARC] train lines, which arrive in [http://www.wmata.com/rail/station_detail.cfm?station_id=25 Union Station], a few metro stops or a short cab ride away from the convention center and the Grand Hyatt. &lt;br /&gt;
&lt;br /&gt;
If you live in the DC Metropolitan area, we suggest taking [http://www.wmata.com Metro] to the event. The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro]. &lt;br /&gt;
&lt;br /&gt;
= Conference Committee =&lt;br /&gt;
&lt;br /&gt;
===Organizers=== &lt;br /&gt;
Mail List: [mailto:organizers@appsecdc.org organizers@appsecdc.org]&lt;br /&gt;
&lt;br /&gt;
* [mailto:doug.wilson@owasp.org Doug Wilson]&lt;br /&gt;
* [mailto:mark.bristow@owasp.org Mark Bristow]&lt;br /&gt;
&lt;br /&gt;
===Arch-Minions=== &lt;br /&gt;
Mail List: [mailto:leads@appsecdc.org leads@appsecdc.org]&lt;br /&gt;
&lt;br /&gt;
* Facilities ([mailto:facilities@appsecdc.org  facilities@appsecdc.org])&lt;br /&gt;
&lt;br /&gt;
* Content ([mailto:content@appsecdc.org  content@appsecdc.org])&lt;br /&gt;
&lt;br /&gt;
* Press ([mailto:press@appsecdc.org  press@appsecdc.org])&lt;br /&gt;
&lt;br /&gt;
* Registration/Info Desk ([mailto:info@appsecdc.org info@appsecdc.org])&lt;br /&gt;
&lt;br /&gt;
* Volunteer Coordinators ([mailto:volunteers@appsecdc.org volunteers@appsecdc.org])&lt;br /&gt;
&lt;br /&gt;
* Competitions/Contests/Events ([mailto:contests@appsecdc.org contests@appsecdc.org])&lt;br /&gt;
&lt;br /&gt;
* Marketing/Community Outreach ([mailto:outreach@appsecdc.org outreach@appsecdc.org])&lt;br /&gt;
&lt;br /&gt;
* Sponsorships ([mailto:sponsors@appsecdc.org sponsors@appsecdc.org])&lt;br /&gt;
&lt;br /&gt;
=FAQ=&lt;br /&gt;
{{:OWASP AppSec DC 2012 - FAQ}}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
{{:OWASP AppSec DC 2012 Footer}}&lt;/div&gt;</summary>
		<author><name>Robert H'obbes' Zakon</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Training/WebAppSec:_Developing_Secure_Web_Applications&amp;diff=122951</id>
		<title>OWASP AppSec DC 2012/Training/WebAppSec: Developing Secure Web Applications</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Training/WebAppSec:_Developing_Secure_Web_Applications&amp;diff=122951"/>
				<updated>2012-01-19T14:09:14Z</updated>
		
		<summary type="html">&lt;p&gt;Robert H'obbes' Zakon: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
{{:OWASP AppSec DC 2012 Header}}&lt;br /&gt;
==Description==&lt;br /&gt;
'''Course Length: 1 Day'''&lt;br /&gt;
&lt;br /&gt;
Web applications continue to be the frontier of wide-spread security breaches. This tutorial will guide through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP's Top 10), along with how the proper development practices can mitigate their damage. Although examples covered are PHP-based, much of the content is also applicable to other languages.  &lt;br /&gt;
&lt;br /&gt;
'''''&amp;lt;span style=&amp;quot;color: #800000;&amp;quot;&amp;gt;This tutorial was sold out at AppSec USA 2011 - register early!&amp;lt;/span&amp;gt;'''''&lt;br /&gt;
==Student Requirements==&lt;br /&gt;
None&lt;br /&gt;
&lt;br /&gt;
==Objectives==&lt;br /&gt;
Audience: Technical, Operations, Enthusiast&amp;lt;br&amp;gt;&lt;br /&gt;
Skill Level: Intermediate&lt;br /&gt;
&lt;br /&gt;
Attendees will gain the knowledge required to develop secure web applications, along with an understanding of various attack types against web apps and how they are mitigated by the proper coding techniques. The main learning objectives are:&amp;lt;br&amp;gt;1. Developing the skills for securely coding web applications&amp;lt;br&amp;gt;2. Reviewing existing web vulnerabilities and their impact&amp;lt;br&amp;gt;3. Understanding how the proper development techniques mitigates known and some unknown web vulnerabilities&lt;br /&gt;
&lt;br /&gt;
Attendees will also be provided with references for additional information on vulnerabilities, testing tools, etc.&lt;br /&gt;
==Feedback from Prior WebAppSec Attendees==&lt;br /&gt;
::&amp;quot;''Great coverage for a complicated and broad ranged subject matter. Just the right mix of generalization and technical coverage for developers and management''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''The information was very useful and current. I've learned things that I can immediately implement in my code.''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''Presented in a very structured format. Instructor knew his stuff. Good presentations.''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''The slides were excellent - full of good code examples and explanations''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''Very knowledgeable! Covered a lot of topics in a limited amount of time''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''The presenter was excellent. He didn't present an overload of information. The day went very quickly and I am leaving with a lot of valuable information''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''Material that was presented was presented and covered well. Instructor is very knowledgeable''&amp;quot;&lt;br /&gt;
&lt;br /&gt;
::&amp;quot;''Handouts &amp;amp; presentation well organized &amp;amp; coordinated''&amp;quot;&lt;br /&gt;
==Instructor==&lt;br /&gt;
Robert H'obbes' Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non-profits and government agencies on technology, information, and security architecture and infrastructure. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS &amp;amp; MS degrees from Case Western Reserve University in Computer Engineering &amp;amp; Science with concentrations in Philosophy and Psychology. His interests are diverse and can be explored at [http://www.Zakon.org www.Zakon.org] where his vitae is available.&lt;br /&gt;
[[Category:AppSec_DC_2012_Training]]&lt;br /&gt;
{{:OWASP AppSec DC 2012 Footer}}&lt;/div&gt;</summary>
		<author><name>Robert H'obbes' Zakon</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=WebAppSec.php:_Developing_Secure_Web_Applications&amp;diff=90795</id>
		<title>WebAppSec.php: Developing Secure Web Applications</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=WebAppSec.php:_Developing_Secure_Web_Applications&amp;diff=90795"/>
				<updated>2010-10-05T20:39:39Z</updated>
		
		<summary type="html">&lt;p&gt;Robert H'obbes' Zakon: added info re. course materials &amp;amp; certificate&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]] &lt;br /&gt;
&lt;br /&gt;
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&amp;amp;groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
__NOTOC__ &lt;br /&gt;
==Description==&lt;br /&gt;
'''Course Length: 1 Day'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Web applications are the new frontier of wide‐spread security breaches. This tutorial will guide through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP’s Top 10), along with how the proper development practices can mitigate their damage. Although examples covered are PHP‐based, much of the content is also applicable to other languages.&lt;br /&gt;
&lt;br /&gt;
This will be an updated, encore presentation of last year’s well received course.  Following are quotes from prior ''WebAppSec.php'' attendees:&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Presented in a very structured format.  Instructor knew his stuff.  Good presentations.&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Very knowledgeable!  Covered a lot of topics in a limited amount of time&amp;quot;''&lt;br /&gt;
 &lt;br /&gt;
:: ''&amp;quot;The presenter was excellent.  He didn't present an overload of information.  The day went very quickly and I am leaving with a lot of valuable information&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;The slides were excellent - full of good code examples and explanations&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Material that was presented was presented and covered well.  Instructor is very knowledgeable&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Handouts &amp;amp; presentation well organized &amp;amp; coordinated&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
All course registrants will receive printed materials and a certificate of completion which may be used for documenting CPE credits.&lt;br /&gt;
&lt;br /&gt;
==Student Requirements==&lt;br /&gt;
None&lt;br /&gt;
&lt;br /&gt;
==Objectives==&lt;br /&gt;
Skill: Any - some knowledge of web development will be helpful&lt;br /&gt;
&lt;br /&gt;
Attendees will gain the knowledge required to develop secure web applications, along with an understanding of various attack types against web apps and how they are mitigated by the proper coding techniques. The main learning objectives are:&lt;br /&gt;
# Developing the skills for securely coding web applications&lt;br /&gt;
# Reviewing existing web vulnerabilities and their impact&lt;br /&gt;
# Understanding how the proper development techniques mitigates known and some unknown web vulnerabilities&lt;br /&gt;
&lt;br /&gt;
==Instructor==&lt;br /&gt;
'''Instructor: Robert Zakon''' Robert Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non‐profits and government agencies on technology, information, and security architecture and infrastructure. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS &amp;amp; MS degrees from Case Western Reserve University in Computer Engineering &amp;amp; Science with concentrations in Philosophy &amp;amp; Psychology. His interests are diverse and can be explored at [http://www.Zakon.org www.Zakon.org] where his vitae is available.&lt;br /&gt;
&lt;br /&gt;
[[Category:AppSec_DC_2010_Training]] [[Category:Basic_Training]]&lt;/div&gt;</summary>
		<author><name>Robert H'obbes' Zakon</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=WebAppSec.php:_Developing_Secure_Web_Applications&amp;diff=90220</id>
		<title>WebAppSec.php: Developing Secure Web Applications</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=WebAppSec.php:_Developing_Secure_Web_Applications&amp;diff=90220"/>
				<updated>2010-09-27T14:45:38Z</updated>
		
		<summary type="html">&lt;p&gt;Robert H'obbes' Zakon: updated description&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]] &lt;br /&gt;
&lt;br /&gt;
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&amp;amp;groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]&lt;br /&gt;
&amp;lt;br&amp;gt;&lt;br /&gt;
__NOTOC__ &lt;br /&gt;
==Description==&lt;br /&gt;
'''Course Length: 1 Day'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Web applications are the new frontier of wide‐spread security breaches. This tutorial will guide through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP’s Top 10), along with how the proper development practices can mitigate their damage. Although examples covered are PHP‐based, much of the content is also applicable to other languages.&lt;br /&gt;
&lt;br /&gt;
This will be an updated, encore presentation of last year’s well received course.  Following are quotes from prior ''WebAppSec.php'' attendees:&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Presented in a very structured format.  Instructor knew his stuff.  Good presentations.&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Very knowledgeable!  Covered a lot of topics in a limited amount of time&amp;quot;''&lt;br /&gt;
 &lt;br /&gt;
:: ''&amp;quot;The presenter was excellent.  He didn't present an overload of information.  The day went very quickly and I am leaving with a lot of valuable information&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;The slides were excellent - full of good code examples and explanations&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Material that was presented was presented and covered well.  Instructor is very knowledgeable&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
:: ''&amp;quot;Handouts &amp;amp; presentation well organized &amp;amp; coordinated&amp;quot;''&lt;br /&gt;
&lt;br /&gt;
==Student Requirements==&lt;br /&gt;
None&lt;br /&gt;
&lt;br /&gt;
==Objectives==&lt;br /&gt;
Skill: Any - some knowledge of web development will be helpful&lt;br /&gt;
&lt;br /&gt;
Attendees will gain the knowledge required to develop secure web applications, along with an understanding of various attack types against web apps and how they are mitigated by the proper coding techniques. The main learning objectives are:&lt;br /&gt;
# Developing the skills for securely coding web applications&lt;br /&gt;
# Reviewing existing web vulnerabilities and their impact&lt;br /&gt;
# Understanding how the proper development techniques mitigates known and some unknown web vulnerabilities&lt;br /&gt;
&lt;br /&gt;
==Instructor==&lt;br /&gt;
'''Instructor: Robert Zakon''' Robert Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non‐profits and government agencies on technology, information, and security architecture and infrastructure. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS &amp;amp; MS degrees from Case Western Reserve University in Computer Engineering &amp;amp; Science with concentrations in Philosophy &amp;amp; Psychology. His interests are diverse and can be explored at [http://www.Zakon.org www.Zakon.org] where his vitae is available.&lt;br /&gt;
&lt;br /&gt;
[[Category:AppSec_DC_2010_Training]] [[Category:Basic_Training]]&lt;/div&gt;</summary>
		<author><name>Robert H'obbes' Zakon</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=87692</id>
		<title>Category:OWASP Speakers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Speakers_Project&amp;diff=87692"/>
				<updated>2010-08-16T19:27:28Z</updated>
		
		<summary type="html">&lt;p&gt;Robert H'obbes' Zakon: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This program, led by [[:user:Knoblochmartin|Martin Knobloch]], helps local chapters and application security conferences find OWASP-related speakers so they can have OWASP presenters on site.&lt;br /&gt;
&lt;br /&gt;
This program allows two parties to find each other:&lt;br /&gt;
&lt;br /&gt;
* Local chapters or application security events that want to attract an OWASP speaker&lt;br /&gt;
* OWASP speakers who want to give OWASP presentations and see the world&lt;br /&gt;
&lt;br /&gt;
For sponsorship, see the [[:Category:OWASP_on_the_Move_Project|OWASP on the Move Project]] page&lt;br /&gt;
&lt;br /&gt;
== available presentations ==&lt;br /&gt;
&lt;br /&gt;
== available speakers  ==&lt;br /&gt;
&lt;br /&gt;
If you want to (re)do an OWASP related presentation, propose them here with your availability boundaries (timing/geographical) &lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;prettytable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Name &lt;br /&gt;
! Introduction &lt;br /&gt;
! Available Area &lt;br /&gt;
! Bios&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Robert(at)ZakonGroup.com Robert H'obbes' Zakon] &lt;br /&gt;
| Presenter on Web Application Security, OWASP Top 10, PHP Security, and assorted other topics.  Training sessions taught at events such as [http://www.zakongroup.com/technology/services-training.shtml OWASP, ACSAC, and CCS].  Based in New Hampshire, and available for travel worldwide.  Fluent in English, and able to converse in Portuguese.  A developer and consultant for the past decade, formerly a Principal Engineer with MITRE's InfoSec Group. &lt;br /&gt;
| Global (USA/NH-based) &lt;br /&gt;
| [http://www.zakon.org/robert/vitae.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:chuck(at)McCulloughAssociates.com Chuck McCullough] &lt;br /&gt;
| Chuck provides training sessions to developers on the Top 10. Chuck welcomes speaking opportunities to any group. Chuck is available in the Texas area and at various other locations in the USA. &lt;br /&gt;
| USA/Texas &lt;br /&gt;
| [http://www.linkedin.com/in/chuckmccullough BIO]&lt;br /&gt;
|-&lt;br /&gt;
| Marc Curphey &lt;br /&gt;
| Marc will happily speak about the WebAppSec industry, SDLC etc. around Europe. You can see him in action at [http://video.hitb.org/2006.html HITB with John Viega] (big download) &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/curphey BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:tomb(at)owasp.org Tom Brennan] &lt;br /&gt;
| Based in NYC Metro, Tom is a long-time volunteer and OWASP contributor and [http://www.owasp.org/index.php/About_OWASP Global Board Member]. As a security evangelist for [http://www.whitehatsec.com WhiteHat Security], Tom frequently talks about application security including the [http://www.owasp.org/images/0/06/WPstats_fall09_8th.pdf &amp;quot;Stats Report&amp;quot;]. He is available for global speaking venues to educate audiences about the OWASP Foundation core mission, how it works and various projects. In addition he also provides regular talks on honeypot research and case-studies about tactical experiences when conducting [http://en.wikipedia.org/wiki/Red_Team Red Team]/Tiger Team assessments involving the application, network, wireless and physical security. &lt;br /&gt;
| Global &lt;br /&gt;
| [http://www.linkedin.com/in/tombrennan BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:thesp0nge@owasp.org Paolo Perego] &lt;br /&gt;
| Paolo is available to talk about [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon project], safe coding and code review issues around Europe in the near October-December. &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/in/thesp0nge BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:marc.m.morana@gmail.org Marco Morana] &lt;br /&gt;
| Marco is available to talk about [http://iac.dtic.mil/iatac/download/security.pdf Software Security Frameworks] and Secure Code Reviews [https://www.cmpevents.com/CSI33/a.asp?option=G&amp;amp;V=3&amp;amp;id=443342 see 07 CSI conference as reference] in USA around November-December and in Europe around January-February &lt;br /&gt;
| Europe &lt;br /&gt;
| [http://www.linkedin.com/pub/2/a7a/59b BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:sebastien.gioria@owasp.fr Sébastien Gioria] &lt;br /&gt;
| Sebastien is available to talk about WebAppSec, educational purpose on AppSec in French or at least in English around France/Europe/Canada from middle of March 08. You can find some talks on the [http://www.owasp.fr OWASP France Chapter] &lt;br /&gt;
| France/Europe/Canada &lt;br /&gt;
| [http://www.linkedin.com/in/gioria BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:mkraushar@gmail.com Mordecai Kraushar] &lt;br /&gt;
| Mordecai is available to talk about different topics within the Web application security space. One discussion involves the OWASP project [http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project Vicnum], a flexible vulnerable web application that can be used in 'capture the flag' exercises. &lt;br /&gt;
| Northeastern United States &lt;br /&gt;
| [http://www.linkedin.com/in/mkraushar BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:michael.coates@owasp.org Michael Coates] &lt;br /&gt;
| Michael is available to talk on a variety of web application security topics. Talks are interactive and include live demos and code examples. Michael has spoken at multiple OWASP conferences and University security courses on topics such as Introduction to Application Security, Automated Defense Systems in Applications, Real Time Detection and Prevention of Application Worms, and security risks in SSL/TLS. Michael is based in &amp;lt;strike&amp;gt;Chicago&amp;lt;/strike&amp;gt; San Francisco and able to travel where needed. &lt;br /&gt;
| USA/San Francisco &lt;br /&gt;
| [http://www.linkedin.com/in/mcoates BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:dan.cornell@owasp.org Dan Cornell] &lt;br /&gt;
| Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. He speaks on a variety of software development and software security topics such as Vulnerability Management, Software Security Remediation, and Code Review/Static Analysis. Dan is based in San Antonio, TX and available to fly/drive as needed to the site. &lt;br /&gt;
| USA/San Antonio &lt;br /&gt;
| [http://www.denimgroup.com/about_team_dan.html BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:John.Steven@owasp.org John Steven] &lt;br /&gt;
| John speaks on a variety of topics including &amp;quot;How to build your own application security group&amp;quot;, &amp;quot;Threat Modeling&amp;quot;, &amp;quot;Code Review and Static analysis&amp;quot;, as well as other topics. John has spoken at and given tutorials for multiple OWASP conferences. John frequents New York, Boston, Washington DC, and Charlotte, but is available for travel elsewhere. &lt;br /&gt;
| Washington, DC/USA &lt;br /&gt;
| [http://www.cigital.com/about/team/management.php#jsteven BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:blake@owasp.org Blake Cornell] &lt;br /&gt;
| Blake is available to speak regarding topics including Security v. HIPAA, Penetration Testing Methodologies, Fuzzing and Blended Threats such as attacking VoIP with the OWASP Top 10. Blake lives in the NY Metro area and is available for speaking at regional, national and worldwide events. &lt;br /&gt;
| New York, NY/USA &lt;br /&gt;
| [http://www.linkedin.com/in/blakecornell BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:Nick.Coblentz@gmail.com Nick Coblentz] &lt;br /&gt;
| Nick regularly performs research related to secure software development. He is available to present on topics such as the [http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model Software Assurance Maturity Model (SAMM)], the [http://nickcoblentz.blogspot.com/2009/06/samm-inteview-template-version-10.html SAMM Interview Template], [http://nickcoblentz.blogspot.com/2009/05/issa-journal-web-application-security.html Building Web Application Security Portfolios], and [http://nickcoblentz.blogspot.com/2009/11/owasp-presentation-on-dec-10-microsoft.html The Microsoft SDL for Agile Development]. Please email Nick if you see articles on his [http://nickcoblentz.blogspot.com/ blog] that you would like him to present. &lt;br /&gt;
| USA/Kansas, Oklahoma, Missouri &lt;br /&gt;
| [http://www.linkedin.com/in/ncoblentz BIO]&lt;br /&gt;
|-&lt;br /&gt;
| [mailto:johnccr@yahoo.com Juan Carlos Calderon] &lt;br /&gt;
| Juan has been part of the Application Security industry for 9 years and currently performs research in the application and information security arena. He is available to present &amp;quot;Preparing an strategy for application vulnerability detection&amp;quot;, &amp;quot;Owasp Spanish and Internationalization&amp;quot; and &amp;quot;Análisis y efectos del cibercrimen en Mexico&amp;quot; (Analysis and effects of cybercrime in México). He is also open to talking about other topics related to OWASP materials and tools; send him a note to verify the coverage. &lt;br /&gt;
| Aguascalientes/México &lt;br /&gt;
| [http://www.linkedin.com/in/juancarloscalderon BIO]&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
*Add your name, contact and bio information to become available as OWASP Speaker!&lt;/div&gt;</summary>
		<author><name>Robert H'obbes' Zakon</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=How_to_Host_a_Conference&amp;diff=78316</id>
		<title>How to Host a Conference</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=How_to_Host_a_Conference&amp;diff=78316"/>
				<updated>2010-02-12T14:53:47Z</updated>
		
		<summary type="html">&lt;p&gt;Robert H'obbes' Zakon: corrected EasyChair name; added OpenConf (used by many security conferences)&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
'''&lt;br /&gt;
== CONGRATULATIONS!  YOU'RE GOING TO HOST AN OWASP EVENT! ==&lt;br /&gt;
'''&lt;br /&gt;
Now what?  Read on for some helpful guidelines to assist you in putting together a successful conference.&lt;br /&gt;
&lt;br /&gt;
==== '''Preamble''' ====&lt;br /&gt;
&lt;br /&gt;
Our intent in posting the guidelines at the OWASP web site is to give conference planners something more than &amp;quot;Good Luck&amp;quot; as they prepare to host an event. Just ask anyone who has put together an event of any size and they will tell you it's hard work, but can also be a lot of fun.  We are an open community, so your peers are often a great resource.  Refer to some of the other conference pages and contact the conference planners directly for advice.  While it is almost impossible to cover EVERY detail of planning, we think we have put together a fairly comprehensive series of recommendations.  We have included some issues that arise only at the larger conferences. We’ve left the comments mixed together so you can use what you need and to appreciate what you don't have to use.&lt;br /&gt;
&lt;br /&gt;
We’ve also prepared a [Conference Planning Table] that summarizes these guidelines and gives you a check sheet to use as you plan your conference.&lt;br /&gt;
&lt;br /&gt;
''In addition to general guidance, we have also developed a set of tools and compiled a series of resources to help you plan a successful event.''&lt;br /&gt;
&lt;br /&gt;
==== '''STEP ONE - EVENT DEFINITION''' ====&lt;br /&gt;
&lt;br /&gt;
'''OWASP AppSec Conference'''&lt;br /&gt;
&lt;br /&gt;
These conferences are the flagship of the OWASP outreach effort.  This will be an international conference sponsored by OWASP and approved by the Global Conferences Committee.  AppSec Conferences include multiple days of multi-track plenary sessions in addition to pre-conference training offerings.  AppSec Conferences, schedules, and trainings must be approved by the OWASP Global Conference Committee and will receive the full support of the OWASP Foundation.  In any calendar year, there will be no more than 4 AppSec Conferences of this size.  Locations will be determined the prior year and planning must begin at a minimum of 12 months in advance.&lt;br /&gt;
&lt;br /&gt;
'''OWASP Regional Conference'''&lt;br /&gt;
&lt;br /&gt;
Regional conferences typically have lower attendance than AppSec conferences and typically include multiple days of single track plenary sessions.  Training may or may not be offered at the discretion of the regional conference planning team.  Regional conferences are not subject to the same rigor as AppSec conferences in terms of planning and only require that the local planning team deconflict scheduling with the Global Conferences Committee.  Regional teams are free to brand their conference as they wish, as long as the OWASP affiliation is maintained.  OWASP Foundation support may be available for large expenses at the discretion of the Global Conference Committee.&lt;br /&gt;
&lt;br /&gt;
'''OWASP Events'''&lt;br /&gt;
&lt;br /&gt;
Events are typically single day or &amp;quot;OWASP Day&amp;quot; type events that are generally local in nature.  Events typically have only one track and span anywhere from a half to a full day.  Planning for these events is at the sole discretion of the event team, and they may be branded in any manner so long as the OWASP affiliation is maintained.  In general, significant OWASP Foundation support will not be available for these events.  &lt;br /&gt;
&lt;br /&gt;
==== '''STEP TWO - MAKE YOUR PLAN''' ====&lt;br /&gt;
&lt;br /&gt;
The amount of planning, committee work, advance deadlines, etc., in part depends on the size of the conference you are planning. A general rule is to allow about a month for every 20 participants. For example, if you are expecting 200 attendees, you should begin to prepare at least 10 months in advance.&lt;br /&gt;
&lt;br /&gt;
The general dates and time of the conference should be suggested by local variables as well as OWASP speaker availability. For example, it may not be a good idea to schedule a conference in Wisconsin in January or Texas in August due to potential weather conditions. Check the OWASP calendar to make sure there are not any conflicting events. If you plan to invite out of town speakers, it’s best to arrange them months in advance. Good speakers and instructors are often booked up to a year in advance.&lt;br /&gt;
&lt;br /&gt;
Consider the size and scope of your conference. Small groups can be hosted nearly any time. But larger groups will require housing, transportation, and food services that might conflict with other events. Make sure to check the local community events to ensure there will be adequate accessibility to these needs.&lt;br /&gt;
&lt;br /&gt;
==== '''BUDGET''' ====&lt;br /&gt;
&lt;br /&gt;
[http://www.owasp.org/index.php/Image:AppSec_Budget_Tool_%282%29.xls The OWASP Conference Budget Planning Tool] has been developed by the Global Conferences Committee to assist in the budget planning process. The tool was originally designed for AppSec conferences but can be used for a conference of any size. When submitting a budget to the GCC, you are required to use this format. &lt;br /&gt;
&lt;br /&gt;
Attendees should be expected to pay their registration fees in advance. This helps provide an accurate picture of the number who will attend because the attendees are more committed to attending. You can consider a slightly higher fee for late registrations or registrations onsite, if your food and facilities planning can handle extra last-minute registrations. &lt;br /&gt;
&lt;br /&gt;
Your conference costs should be handled through the Foundation. Sponsorship funds, venue deposits, travel reimbursements, printing, etc will be managed for you.  This allows you to focus more on the event content!  Contact [mailto:kate.hartmann@owasp.org Kate Hartmann] as soon as possible to get this set up. &lt;br /&gt;
Don't minimize the importance of a detailed accounting of your conference funds. Setting things up right before you begin to receive registrations fees can make things a lot easier during and after the conference. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== '''VENUE''' ====&lt;br /&gt;
&lt;br /&gt;
One of your very first items of business should be to reserve necessary rooms for plenary sessions, breakout sessions, classroom sessions, tech expo, breaks, receptions, and conference headquarters/registration. &lt;br /&gt;
Adapt your conference to the facilities you have available. For example, good plenary sessions can be better than breakout sessions that don't have adequate facilities. &lt;br /&gt;
&lt;br /&gt;
Try to keep conference costs down by using rooms that are free. Again, this may require some adapting or negotiating. Partnering with a local university is a great way to obtain free space. &lt;br /&gt;
&lt;br /&gt;
A contract to secure your venue is critical.  '''Only a member of the Board can enter into a contract on behalf of OWASP!!!'''  Please forward contracts to be signed to [mailto:kate.hartmann@owasp.org Kate Hartmann] for signatures.  &lt;br /&gt;
&lt;br /&gt;
Training rooms will require space to accommodate generally 10-30 students per class. &lt;br /&gt;
&lt;br /&gt;
Size for conference track rooms is best determined by the size of your event.  Strategic agenda planning will ensure that all speaker rooms are full but not overcrowded.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== '''REGISTRATION''' ====&lt;br /&gt;
&lt;br /&gt;
OWASP has several registration tools available to use.  Currently we utilize the CVENT registration system for larger, paying events.  There is a fee for CVENT Registrations.  If your event is free of charge, but you require an RSVP for space restrictions or food, please contact [mailto:Kate.hartmann@owasp.org Kate Hartmann] to review registration options for free events.&lt;br /&gt;
&lt;br /&gt;
==== '''CFP, CFT, PRESENTATIONS''' ====&lt;br /&gt;
&lt;br /&gt;
Make sure every presenter knows the rules enforced by OWASP Conferences. A signed agreement is required before speakers present a talk that may be videotaped.  See standard OWASP [[Speaker Agreement]]. Note that the standard agreement implies you will be providing the presenters with a Powerpoint template. A standard OWASP Powerpoint template is [[Media:Presentation_template.ppt | available here]]. &lt;br /&gt;
&lt;br /&gt;
Also note that according to the standard OWASP [[Speaker Agreement]], presenters must submit their presentations (in Powerpoint format) at least 60 days prior to the conference. Submissions should be uploaded to [[:Category:OWASP Presentations | OWASP Presentations]] after the event.&lt;br /&gt;
&lt;br /&gt;
Consider a CFP system to manage submissions such as EasyChair (it is free) [http://www.easychair.org http://www.easychair.org], or OpenConf (free and pro-version) [http://www.openconf.com http://www.openconf.com].&lt;br /&gt;
&lt;br /&gt;
==== '''ACCOMMODATIONS''' ====&lt;br /&gt;
&lt;br /&gt;
If you plan on a regional or international event, it is considerate to negotiate a discounted room rate with a local hotel.  In many cases, if your event is at a hotel, they will happily give you greater than 50% discount on rooms.  If your event is at another type of venue (convention center, university campus, corporate building) there are often referral relationships between the venue and nearby hotels.  Be sure to ask your coordinator.&lt;br /&gt;
&lt;br /&gt;
When reserving your room blocks take into consideration the number of out of town speakers and guests you are expecting and how many room nights will be required.  Be sure to avoid commitment for the unsold rooms.  The hotel wants to get paid of course.  Be sure that the hotel will not hold OWASP responsible for unbooked rooms.  &lt;br /&gt;
&lt;br /&gt;
==== '''PRINTED MATERIAL''' ====&lt;br /&gt;
&lt;br /&gt;
==== '''PROMOTE YOUR EVENT''' ====&lt;br /&gt;
&lt;br /&gt;
==== '''CATERING''' ====&lt;br /&gt;
&lt;br /&gt;
Well-planned meals and snacks are critical to a successful conference. Consult with your venue food services, or with a local caterer, determine what is needed, and what it will cost. Let food services or the caterer do the work. &lt;br /&gt;
&lt;br /&gt;
Be sure to negotiate food services in such a way that you are not liable for food costs beyond what you can cover through conference fees. Usually food planners will allow up to 10% more people than you contract for (e.g., for late registrations), but be sure this is clear up front. &lt;br /&gt;
&lt;br /&gt;
To reduce costs, seek sponsors for specific meals where possible. Some larger vendors are happy to get the publicity that comes from sponsoring a breakfast, lunch, reception, or even a dinner. In any case, it doesn't hurt to ask. If the sponsor desires it, let the sponsor choose the caterer and take care of the arrangements. &lt;br /&gt;
&lt;br /&gt;
For small conferences, many if not most of the meals can be left up to the attendees. Be sure to provide a good list of local eateries. Include information about which are within walking distance, which are not, and how to get to those that are not. &lt;br /&gt;
&lt;br /&gt;
Strategically scheduled snack breaks, with drinks and fruit or cookies, can add a touch of class to your conference. These don't usually cost too much, and can be covered by registration fees. Don't skimp on the time allotted for breaks, since attendees will want to network and will take the time anyway. Be sure to take care of all the caffeine junkies in the crowd.  If possible, try to arrange for a pre-event tasting.  You don't want people remembering your event for the bad coffee or sandwiches.&lt;br /&gt;
&lt;br /&gt;
Be sure to allow for special dietary considerations. Always offer some vegetarian options for your meals.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== '''SOCIAL EVENTS''' ====&lt;br /&gt;
&lt;br /&gt;
After a long, intensive day of speakers and/or training, a more casual opportunity for networking will be welcomed by almost all attendees.  Depending on the size and location of your event you may want to consider one or several of the following options:&lt;br /&gt;
&lt;br /&gt;
OWASP &amp;quot;meet up&amp;quot; at a local pub&lt;br /&gt;
OWASP gala dinner&lt;br /&gt;
Corporate sponsored party&lt;br /&gt;
Guided sightseeing tours&lt;br /&gt;
Group outing to a sporting event&lt;br /&gt;
&lt;br /&gt;
In many cases you can include an optional fee to be paid to cover the costs of the event.  In the case of a corporate sponsored event, the sponsor would cover the costs.  Very often, however, an informal yet organized (planned) evening at the pub will be sufficient to facilitate networking among conference attendees and speakers.&lt;br /&gt;
&lt;br /&gt;
Be sure to remind everyone at the end of the last talk for the day of the location of the gathering, the cost (if any), and the start time for the next day's speakers.&lt;br /&gt;
&lt;br /&gt;
==== '''AUDIO VISUAL/RECORDING''' ====&lt;br /&gt;
&lt;br /&gt;
This is another critically important part of the conference, especially in our technology-driven organization. You should assign a member of your committee to head this up since it's a demanding and time-consuming responsibility. &lt;br /&gt;
&lt;br /&gt;
To the extent that you can, schedule conference sessions in rooms that have basic AV equipment (overhead projectors and screens, for example). If the rooms already have computers and computer/video projection, that's even better. Then assign conference sessions to the appropriate rooms. &lt;br /&gt;
&lt;br /&gt;
Determine ahead of time what portable equipment you have available, and whether you have to rent equipment. OWASP owns one projector that can be &amp;quot;loaned&amp;quot; out for events.  Contact [mailto:kate.hartmann@owasp.org Kate Hartmann] to arrange for the shipping of this and other items.  When you confirm conference presentations, ask presenters to provide you with a list of equipment they need. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== '''SPONSORS''' ====&lt;br /&gt;
&lt;br /&gt;
Obtaining sponsorship is essential to the success of your event.  Without financial input from vendors to cover costs of food, venue, giveaways, and everything else, your event will inevitably fail.  The following document has been prepared to assist you in convincing vendors to give you money.  Please tailor the document to suit your event and forward it to any and all potential sponsors.&lt;br /&gt;
&lt;br /&gt;
https://www.owasp.org/index.php/Image:OWASP_sponsorship_new.doc&lt;br /&gt;
&lt;br /&gt;
It is important to have completed your budget early so you can correctly estimate the amount of sponsorship you will need.&lt;br /&gt;
&lt;br /&gt;
==== '''TRAVEL''' ====&lt;br /&gt;
&lt;br /&gt;
Your conference venue usually has maps and travel information on how to get to the location. If there aren't adequate limo or shuttle services to your venue from the airport, you may need to make your own arrangements. &lt;br /&gt;
&lt;br /&gt;
It is customary for conferences to cover the direct travel accommodations of board members and committee members as well as a reasonable per diem for expenses so budget accordingly. &lt;br /&gt;
&lt;br /&gt;
'''OWASP on the MOVE funds are not to be used for conferences or events.'''  If you are planning on covering ANY speaker's travel and/or accommodations, be sure to plan for this in your event budget.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== '''CONFERENCE PLANNER'S TOOLBOX''' ====&lt;br /&gt;
&lt;br /&gt;
[http://www.owasp.org/index.php/Image:AppSec_Budget_Tool_%282%29.xls Conference Budget Planning Tool]&lt;br /&gt;
&lt;br /&gt;
[https://www.owasp.org/index.php/Image:OWASP_sponsorship_new.doc Sponsorship Document]&lt;br /&gt;
&lt;br /&gt;
[https://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement]&lt;br /&gt;
&lt;br /&gt;
[[Media:Presentation_template.ppt | Presentation Template]]. &lt;br /&gt;
&lt;br /&gt;
[https://www.owasp.org/index.php/Image:CFP_template.doc Call For Papers Template]&lt;br /&gt;
&lt;br /&gt;
[https://www.owasp.org/images/8/85/OWASP_CFT_Template-1-.doc Call For Training proposal template].  &lt;br /&gt;
&lt;br /&gt;
[http://www.owasp.org/index.php/Image:Training_Instructor_Agreement.doc Training Instructor Agreement]&lt;br /&gt;
&lt;br /&gt;
==== '''ADVICE FROM THOSE WHO HAVE BEEN THERE''' ====&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Organize a conference committee as early as possible. &lt;br /&gt;
&lt;br /&gt;
Communicate regularly with the OWASP leadership. There's lots of history that you can use to your advantage such as format, what works and what doesn't, etc. Also, remember that you're the host, but it's not your conference; you should be working with them (the organization's leadership) to meet their objectives.&lt;br /&gt;
&lt;br /&gt;
Establish regular planning/reporting meetings. Set up email lists. Always make it clear who is supposed to do what and when. Keep minutes/notes of your meetings and use them to follow up. The more you communicate with each other, the less likely you'll have slip ups.&lt;br /&gt;
&lt;br /&gt;
Here is a sample wiki page to get you started [[OWASP AppSec SAMPLE YYYY-CITY | AppSec Sample Conference]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
One of your very first items of business should be to reserve necessary rooms for plenary sessions, breakout sessions, classroom sessions, tech expo, breaks, receptions, and conference headquarters/registration.&lt;br /&gt;
&lt;br /&gt;
Adapt your conference to the facilities you have available. For example, good plenary sessions can be better than breakout sessions that don't have adequate facilities.&lt;br /&gt;
&lt;br /&gt;
Try to keep conference costs down by using rooms that are free. Again, this may require some adapting or negotiating.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
International meetings usually have a general theme. However, for regional meetings, you may want to choose a theme that reflects your chapter's particular strengths or interests.&lt;br /&gt;
&lt;br /&gt;
A good program is critical. Look for variety, interest, timeliness. What do your members need or want to leave with? Try to balance lectures with discussions, hands on, social activities, and time for colleague interaction.&lt;br /&gt;
&lt;br /&gt;
A general call for presenters should have a deadline that gives you ample time to recruit and to fill in gaps should you not get all the good proposals you need. Network with other members of your organization to identify people who might be invited to make presentations. Immediately after the deadline, begin organizing the conference schedule. Select the proposals you want to use and contact them to verify their availability. Create a tentative schedule, matching presenters to the facilities. You may want to lay out your schedule on a whiteboard, or use 3x5 cards on a corkboard so you can visualize how things fit together. Make sure you plan time for attendees to talk with each other, such as at breaks, before and after dinners, at receptions, etc.&lt;br /&gt;
&lt;br /&gt;
Send a formal acceptance note to each participant, and ask them to confirm by sending an abstract (if you didn't get that as part of their submission) and submitting a request for any special equipment (AV, computer, etc.)&lt;br /&gt;
&lt;br /&gt;
== '''Presenters and Presentations''' ==&lt;br /&gt;
&lt;br /&gt;
Make sure every presenter knows the rules enforced by OWASP Conferences. A signed agreement is required before speakers present a talk that may be videotaped.  See standard OWASP [[Speaker Agreement]]. Note that the standard agreement implies you will be providing the presenters with a Powerpoint template. A standard OWASP Powerpoint template is [[Media:Presentation_template.ppt | available here]]. &lt;br /&gt;
&lt;br /&gt;
Also note that according to the standard OWASP [[Speaker Agreement]], presenters must submit their presentations (in Powerpoint format) at least 60 days prior to the conference. Submissions should be uploaded to [[:Category:OWASP Presentations | OWASP Presentations]] after the event.&lt;br /&gt;
&lt;br /&gt;
== '''Design Components''' ==&lt;br /&gt;
&lt;br /&gt;
In designing your own Powerpoint templates, T-shirts, bags, badges, banners, flags, carpets and what have you, find the original vector graphic of the OWASP logo (in EPS and AI formats) [[Media:OWASP_Logo.zip | here]]. Please do [[OWASP Conference Design Components|share them with the other conference chairs]]!&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== '''Promotions''' ==&lt;br /&gt;
&lt;br /&gt;
Promoting your conference begins as soon as you have selected a conference site and date. Post the date and location on the OWASP web site. If you have the expertise and resources, you should consider setting up your own conference wiki page for up-to-date information, on-line registration, proposal submissions, etc.  Make sure to review pages for other conferences for great ideas and to allow for continuity in page style.&lt;br /&gt;
&lt;br /&gt;
The first wave of publicity comes with the call for presentations. &lt;br /&gt;
&lt;br /&gt;
The next wave comes as you send out the conference announcement, with as much detail as you have, including a tentative program. This is important if you want to convince people they should come. Set a registration deadline that accounts for your own deadlines (food services, etc.). You may have to consider a higher fee for those who are late, especially if that really does incur additional costs for you.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== '''Housing''' ==&lt;br /&gt;
&lt;br /&gt;
Estimate the number of people you think might attend (review previous conference attendance) and make arrangements accordingly. In addition to blocking some rooms at a local motel/hotel consider economy lodging (dorms, conference centers, etc., if available), for those who prefer that kind of housing.&lt;br /&gt;
&lt;br /&gt;
When making reservations with local hotels, negotiate other amenities if possible such as shuttle services (from airports, to conference sessions).&lt;br /&gt;
&lt;br /&gt;
Be careful to avoid making reservations that require guarantees or other financial obligations. In fact, it's best to let the housing/hotel organization handle their own reservations and billing. Find out how long reservations can be held, cancellation deadlines, etc.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== '''Travel''' ==&lt;br /&gt;
&lt;br /&gt;
Your conference venue usually has maps and travel information on how to get to the location. If there aren't adequate limo or shuttle services to your venue from the airport, you may need to make your own arrangements. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== '''Food''' ==&lt;br /&gt;
&lt;br /&gt;
Well-planned meals and snacks are critical to a successful conference. Consult with your venue food services, or with a local caterer, determine what is needed, and what it will cost. Let food services or the caterer do the work. &lt;br /&gt;
&lt;br /&gt;
Be sure to negotiate food services in such a way that you are not liable for food costs beyond what you can cover through conference fees. Usually food planners will allow up to 10% more people than you contract for (e.g., for late registrations), but be sure this is clear up front.&lt;br /&gt;
&lt;br /&gt;
To reduce costs, seek sponsors for specific meals where possible. Some larger vendors are happy to get the publicity that comes from sponsoring a breakfast, lunch, reception, or even a dinner. Your own college may be willing to sponsor one such event. In any case, it doesn't hurt to ask. If the sponsor desires it, let the sponsor choose the caterer and take care of the arrangements.&lt;br /&gt;
&lt;br /&gt;
For small conferences, many if not most of the meals can be left up to the attendees. Be sure to provide a good list of local eateries. Include information about which are within walking distance, which are not, and how to get to those that are not.&lt;br /&gt;
&lt;br /&gt;
Strategically scheduled snack breaks, with drinks and fruit or cookies, can add a touch of class to your conference. These don't usually cost too much, and can be covered by registration fees. Don't skimp on the time allotted for breaks, since attendees will want to network and will take the time anyway.&lt;br /&gt;
&lt;br /&gt;
If you do have group meals, be sure to allow for special dietary considerations. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== '''Management Tools''' ==&lt;br /&gt;
&lt;br /&gt;
Larger, OWASP-led conferences can be processed through the Cvent system. For smaller conferences (fewer than 50 people) an Excel spreadsheet should work fine to manage registrants.  If you would like the OWASP office to manage registration for you, please contact [mailto:kate.hartmann@owasp.org Kate Hartmann] as soon as possible to set up your on-line registration process.&lt;br /&gt;
&lt;br /&gt;
== '''Money''' ==&lt;br /&gt;
&lt;br /&gt;
Before sending out the conference brochure/announcement, you must determine a conference registration fee. On the one hand, you want to cover your costs. But on the other, you want to keep the costs low so that as many people as possible can afford to come. Try to find a balance between providing the amenities, and keeping costs down. Be sure to include the following costs: Publicity (brochure, printing, mailing), speaker fees or accommodations, facilities (equipment rentals), transportation, meals (snacks, meals), conference materials (packets, name tags, etc.) &lt;br /&gt;
&lt;br /&gt;
Attendees should be expected to pay their registration fees in advance. This helps provide an accurate picture of the number who will attend because the attendees are more committed to attending. You can consider a slightly higher fee for late registrations or registrations onsite, if your food and facilities planning can handle extra last-minute registrations. &lt;br /&gt;
&lt;br /&gt;
A special account can be set up through OWASP just for your conference. You can use this account to process sponsorship, donations, manage expenses, and help you keep tabs on vendor costs.  Again, contact [mailto:kate.hartmann@owasp.org Kate Hartmann] as soon as possible to get this set up.&lt;br /&gt;
&lt;br /&gt;
Don't minimize the importance of a detailed accounting of your conference funds. Setting things up right before you begin to receive registrations fees can make things a lot easier during and after the conference.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== '''Vendor Displays''' ==&lt;br /&gt;
&lt;br /&gt;
An exhibit hall must be easily accessible and must have adequate space to accommodate vendor booths. There may be costs associated with such a hall. Some facilities require that their own people set things up. Make sure you know what is included with any rental costs, and what you may have to pay extra for.&lt;br /&gt;
&lt;br /&gt;
Make sure that there is adequate time for attendees to visit the exhibits and to talk with vendors. Directing breaks and snacks into the vendor expo will encourage participants to visit the exhibits.  Depending on the benefits to the vendors, you may ask that they pay for exhibit space, or leverage their participation by asking them to sponsor one or more conference activities (reception, meal, etc.). &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== '''Conference Materials''' ==&lt;br /&gt;
&lt;br /&gt;
At a minimum, you need to provide some sort of printed program. For most conferences, the following is usually adequate: a simple folder with program, maps, lists of local restaurants and attractions, a name tag, and writing materials (pen and pad). For larger conferences, you may want to include a conference bag that includes OWASP books or handouts. Be sure to allow ample time for printing and shipping of OWASP materials. International shipping can take several weeks.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== '''Name Tags''' ==&lt;br /&gt;
&lt;br /&gt;
If you plan properly, you should be able to generate name tags to be printed from your conference database program. If you process your registrations through the OWASP office, they can create your name tags.&lt;br /&gt;
&lt;br /&gt;
Keep the name tag layout simple: a small conference logo or title, the person's full name in LARGE, readable letters, and the person's institution. Don't make people squint to read names on name tags.&lt;br /&gt;
&lt;br /&gt;
The actual type of name tag (paper stick-on, pin-on plastic case, hang-around-the-neck, etc.) depends on your preferences and budget. If you do provide stick-on tags, you may want to generate at least one tag for each day of the conference, since attendees won't be able to reuse the tags. If you use plastic badges, you can invite attendees to recycle them at the end of the conference.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== '''Equipment and Support''' ==&lt;br /&gt;
&lt;br /&gt;
This is another critically important part of the conference, especially in our technology-driven organization. You should assign a member of your committee to head this up since it's a demanding and time-consuming responsibility.&lt;br /&gt;
&lt;br /&gt;
To the extent that you can, schedule conference sessions in rooms that have basic AV equipment (overhead projectors and screens, for example). If the rooms already have computers and computer/video projection, that's even better. Then assign conference sessions to the appropriate rooms.&lt;br /&gt;
&lt;br /&gt;
Determine ahead of time what portable equipment you have available, and whether you have to rent equipment. Then when you confirm conference presentations, ask presenters to provide you with a list of equipment they need. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== '''Entertainment''' ==&lt;br /&gt;
&lt;br /&gt;
Depending on the size and scope of the conference, you may need to provide for one or more social activities for attendees.&lt;br /&gt;
&lt;br /&gt;
At smaller conferences, organized dinners at local restaurants can be enjoyable. For larger conferences, a banquet may be in order. At the very least, provide a list of recommended local eateries for those who want to venture out on their own.&lt;br /&gt;
&lt;br /&gt;
You should also consider whether your locale has something uniquely interesting to offer. If feasible, you could organize a group outing to a play, local site, etc. Be sure to determine whether costs are included in the registration, or if it is to be a separate (and therefore optional) cost.&lt;br /&gt;
&lt;br /&gt;
Whatever you plan, however, be sure to include some free time for people to do things on their own.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== '''Conference Organizer's Kit''' ===&lt;br /&gt;
&lt;br /&gt;
== '''Presenters and Presentations''' ==&lt;br /&gt;
&lt;br /&gt;
'''Overall OWASP Conferences Chair''' is ([mailto:eoin.keary@owasp.org Eoin Keary] &amp;amp; [mailto:dave.wichers@owasp.org Dave Wichers]).&lt;br /&gt;
&lt;br /&gt;
* Standard [[Speaker Agreement]]&lt;br /&gt;
* [[Media:Presentation_template.ppt | Standard Powerpoint template]]&lt;br /&gt;
* Slides should be uploaded to [[:Category:OWASP Presentations | OWASP Presentations]].&lt;br /&gt;
* Original vector graphic of the OWASP logo (in EPS and AI formats) [[Media:OWASP_Logo.zip | here]]. Please do [[OWASP Conference Design Components|share them with the other conference chairs]]!&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Helpful links ==&lt;br /&gt;
[[Conference Planning Timeline]]&lt;br /&gt;
&lt;br /&gt;
[[Speaker Template]]&lt;br /&gt;
&lt;br /&gt;
[[Sponsor information]]&lt;br /&gt;
&lt;br /&gt;
[[Suggestions for wiki]]&lt;br /&gt;
&lt;br /&gt;
[[OWASP AppSec SAMPLE YYYY-CITY | Wiki Template]]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;headertabs/&amp;gt;&lt;/div&gt;</summary>
		<author><name>Robert H'obbes' Zakon</name></author>	</entry>

	</feed>