OWASP - User contributions [en]

OWASP Software Assurance Day DC 2009

2009-03-23T15:19:19Z

Sbarnum:

Welcome to the OWASP Software Assurance Day DC 2009.

This single-day conference will be held on March 13th in conjunction with the Software Assurance Forum (March 10th-12th) sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.

We are pleased to invite OWASP members, attendees of the Software Assurance Forum and any other interested parties to join us for this event.

At this event, you will hear presentations from key leaders in the web application security domain on:

* the state of the union for the Open Web Application Security Project
* the current status of several ongoing OWASP projects
* recently released knowledge resources to assist web application security programs in establishing a standard for minimum due care
* recipes for leveraging OWASP resources in security testing efforts
* the emerging importance of application security in the wireless domain
* a state-of-the-art approach to automating multi-perspective application security assessment

You will also find out how you can leverage OWASP resources and participate in OWASP activities through local chapters in the DC/NOVA/Maryland area.

The co-located Software Assurance Forum is also a free conference and open to any attendees of OWASP Software Assurance Day DC 2009, though it will require separate registration.

For information on registration for the Software Assurance Forum, please contact [mailto:Jennifer.Brezovic@associates.dhs.gov Jennifer Brezovic].

If you have any questions relating to the conference or just want to help out, please email the conference chair, [mailto:sbarnum@cigital.com Sean Barnum].

'''Registrations must be received by Mar 7th!'''

[http://guest.cvent.com/i.aspx?4W,M3,fd34d554-0341-493c-bfdc-94d42d3e3c6d https://www.owasp.org/images/9/9d/Register_now.gif]

==Conference Location==

The OWASP Software Assurance Day DC 2009 will be held in conjunction with the DHS/DOD/NIST Software Assurance Forum at [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102.'''

Please use the Conference Center entrance.

==Agenda and Presentations: 13 March 2009==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | March 13, 2009
|-
| style="width:10%; background:#7B8ABD" | 08:15-08:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Software Assurance Day DC kickoff'''
''Sean Barnum, Conference Chair''
|-
| style="width:10%; background:#7B8ABD" | 08:30-09:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Intro to OWASP''' [[Media:Brennan_-_OWASP_SwA_Day_DC_2009_-_OWASP_Intro_and_Overview.pdf‎| (slides)]]
''Tom Brennan, WhiteHat Security''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Maturing Software Assessment Through Static Analysis]][[Media:Maturing_Assessment_through_SA.ppt| (slides)]]
''John Steven, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 09:50-10:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Don’t Write Your Own Security Code: The OWASP Enterprise Security API]] ([http://www.owasp.org/images/f/f2/ESAPI_for_OWASP_Day.pptx slides])
''Jeff Williams, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 10:35-10:50 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Morning Break'''
|-
| style="width:10%; background:#7B8ABD" | 10:50-11:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Cooking with OWASP: Recipes in Web Security Testing]][[Media:CookingWithOWASP-opt.pdf| (slides)]]
''Paco Hope, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 11:40-12:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[OWASP Application Security Verification Standard (ASVS)]][[Media:Wichers_-_About_OWASP_ASVS_Web_Edition_v2.pdf‎| (slides)]]
''Dave Wichers, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 12:25-13:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Lunch – MITRE Cafeteria'''
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[CWE/SANS Top 25: Towards Minimum Due Care in Software Security]][[Media:CWE_Top_25_Minimum_Due_Care.pdf‎| (slides)]]
''Steve Christey, Mitre''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:20 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[The Future of Mobile: Developing Secure Mobile Applications]][[Media:Rouse_-_Securing_Mobile_Applications_(size_reduced).pdf‎| (slides)]]
''Jason Rouse, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 15:25-15:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Afternoon Break'''
|-
| style="width:10%; background:#7B8ABD" | 15:40-16:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[OWASP Live CD: An open environment for Web Application Security]][[Media:OWASP_Live_CD.pdf‎‎| (slides)]]
''Matt Tesauro, Texas Education Agency''
|-
| style="width:10%; background:#7B8ABD" | 16:25-16:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | '''Conference Wrap Up and Opportunities to Contribute'''
|}

==Logistics==

Venue: [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102'''

Please use the Conference Center entrance.

==Accommodations==

The conference has not negotiated any special rates for hotel accommodation but the following hotels are near the conference venue:

'''McLean Hilton
7920 Jones Branch Drive
McLean, VA
Tel: 1-703-448-1234'''

Website:
[http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do]

'''Westin Hotel
7801 Leesburg Pike
Falls Church, VA
Tel: 1-703-893-1340'''

Website:
[http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750 http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750]

'''Marriott
8028 Leesburg Pike
Vienna, VA
Tel: 1-703-734-3200'''

Website:
[http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/ http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/]

'''Embassy Suites
8517 Leesburg Pike
Vienna, VA
Tel: 1-703-883-0707'''

Website:
[http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do]

'''The Crowne Plaza Tysons Corner (formerly the Holiday Inn)
1960 Chain
Bridge Rd McLean, VA
Tel: 1-703-893-2100'''

Website: [http://www.cptysonscorner.com/ http://www.cptysonscorner.com/]

'''Sheraton Premiere Tysons
8661 Leesburg Pike
Vienna, VA
Tel: 1-703-506-2500'''

Website:
[http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691 http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691]

==Transportation to the Conference==
===By plane===
The venue area can be reached by commercial aviation through either [http://www.metwashairports.com/Dulles/ Dulles International Airport] or [http://www.mwaa.com/national/ Reagan National Airport].

Both are roughly equidistant from the venue and offer a range of airline and flight options.
===How to get to the venue?===
See the [http://www.mitre.org/about/locations/mitre1_map.html map].

==Registration and Conference Fees==

OWASP Software Assurance Day DC 2009 will be a free conference.

Despite the fact that this is a free conference, we still need you to register to fulfill security requirements of the facility and to ensure that we don't exceed venue capacity.

'''Registrations must be received by Mar 7th!'''

[http://guest.cvent.com/i.aspx?4W,M3,fd34d554-0341-493c-bfdc-94d42d3e3c6d https://www.owasp.org/images/9/9d/Register_now.gif]

==Conference Contacts==

For more information please contact the team below for conference details, sponsorship or registration.

'''Mr Sean Barnum (Conference Chair)''' , Cigital Federal, Inc.

Email: [mailto:sbarnum@cigital.com sbarnum@cigital.com]

Mobile: 703-473-8262

'''Kate Hartmann'''

OWASP Operations Director

9175 Guilford Road, Suite 300

Columbia, MD 21046, USA

Phone: +1-301-575-0189

Facsimile: +1-301-604-8033

Email: [mailto:kate.hartmann@owasp.org kate.hartmann@owasp.org]

==Conference Sponsors==

Under negotiation.

If you are interested in sponsoring this OWASP conference, please contact [mailto:sbarnum@cigital.com Sean Barnum].

[[Category:OWASP AppSec Conference]]

The Future of Mobile: Developing Secure Mobile Applications

2009-03-23T15:13:05Z

Sbarnum:

==The Presentation: "The Future of Mobile: Developing Secure Mobile Applications"==

Mobile applications enable millions of users to be more productive, have more fun, and interact with their world in more ways than ever before. We're approaching mobile applications with many of the same tried-and-true approaches that we've used in more traditional software, but what are the dangers? Mobile architectures run the gamut from simple web-based applications optimized for mobile displays to custom-built handset-specific applications that can interact directly with the mobile operating system.

In this talk, we’ll explore the hybrid mobile/web application approach, and discuss the threads that binds them together — information protection and convergence. Mobile devices are unique in that they offer one of the most potentially hostile environments imaginable -- privacy, compliance, and capture protection top the charts as the three most difficult issues facing mobile applications and those who use them. We’ll dive into specifics on what are today “mobile-only” threats; that is, those issues such as location-based services or text messages, and discover how they can be compromised, and how we, as security practitioners, can protect them and the back-end applications that service them.

Download: [[Media:Rouse_-_Securing_Mobile_Applications_(size_reduced).pdf‎| Securing Mobile Applications.ppt]]

==The Speaker: Jason Rouse==
Mr. Rouse is Cigital’s Wireless and Mobile Security practice leader. Mr. Rouse has spent the last five years designing, implementing, and deploying state of the art wireless security solutions for mobile environments, spanning access control, application management, payment systems, and hybrid J2EE-and-mobile systems. Drawing from his wealth of experience in the security space and leveraging over a decade of hands-on experience, Mr. Rouse has become a trusted advisor to Fortune 50 companies, financial groups, and private interests. As a trusted advisor, Mr. Rouse has led standards efforts, chairing the FSTC Mobile Payment Security workgroup, and has contributed to several mobile payment solutions, greatly enhancing the security and performance of each project.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

File:Rouse - Securing Mobile Applications (size reduced).pdf

2009-03-23T15:12:07Z

Sbarnum: Securing Mobile Applications slide deck delivered by Jason Rouse at OWASP Software Assurance Day DC 2009

Securing Mobile Applications slide deck delivered by Jason Rouse at OWASP Software Assurance Day DC 2009

OWASP Software Assurance Day DC 2009

2009-03-23T15:06:21Z

Sbarnum:

Welcome to the OWASP Software Assurance Day DC 2009.

This single-day conference will be held on March 13th in conjunction with the Software Assurance Forum (March 10th-12th) sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.

We are pleased to invite OWASP members, attendees of the Software Assurance Forum and any other interested parties to join us for this event.

At this event, you will hear presentations from key leaders in the web application security domain on:

* the state of the union for the Open Web Application Security Project
* the current status of several ongoing OWASP projects
* recently released knowledge resources to assist web application security programs in establishing a standard for minimum due care
* recipes for leveraging OWASP resources in security testing efforts
* the emerging importance of application security in the wireless domain
* a state-of-the-art approach to automating multi-perspective application security assessment

You will also find out how you can leverage OWASP resources and participate in OWASP activities through local chapters in the DC/NOVA/Maryland area.

The co-located Software Assurance Forum is also a free conference and open to any attendees of OWASP Software Assurance Day DC 2009, though it will require separate registration.

For information on registration for the Software Assurance Forum, please contact [mailto:Jennifer.Brezovic@associates.dhs.gov Jennifer Brezovic].

If you have any questions relating to the conference or just want to help out, please email the conference chair, [mailto:sbarnum@cigital.com Sean Barnum].

'''Registrations must be received by Mar 7th!'''

[http://guest.cvent.com/i.aspx?4W,M3,fd34d554-0341-493c-bfdc-94d42d3e3c6d https://www.owasp.org/images/9/9d/Register_now.gif]

==Conference Location==

The OWASP Software Assurance Day DC 2009 will be held in conjunction with the DHS/DOD/NIST Software Assurance Forum at [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102.'''

Please use the Conference Center entrance.

==Agenda and Presentations: 13 March 2009==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | March 13, 2009
|-
| style="width:10%; background:#7B8ABD" | 08:15-08:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Software Assurance Day DC kickoff'''
''Sean Barnum, Conference Chair''
|-
| style="width:10%; background:#7B8ABD" | 08:30-09:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Intro to OWASP''' [[Media:Brennan_-_OWASP_SwA_Day_DC_2009_-_OWASP_Intro_and_Overview.pdf‎| (Download slides)]]
''Tom Brennan, WhiteHat Security''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Maturing Software Assessment Through Static Analysis]]
''John Steven, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 09:50-10:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Don’t Write Your Own Security Code: The OWASP Enterprise Security API]] ([http://www.owasp.org/images/f/f2/ESAPI_for_OWASP_Day.pptx slides])
''Jeff Williams, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 10:35-10:50 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Morning Break'''
|-
| style="width:10%; background:#7B8ABD" | 10:50-11:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Cooking with OWASP: Recipes in Web Security Testing]]
''Paco Hope, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 11:40-12:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[OWASP Application Security Verification Standard (ASVS)]]
''Dave Wichers, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 12:25-13:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Lunch – MITRE Cafeteria'''
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[CWE/SANS Top 25: Towards Minimum Due Care in Software Security]]
''Steve Christey, Mitre''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:20 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[The Future of Mobile: Developing Secure Mobile Applications]]
''Jason Rouse, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 15:25-15:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Afternoon Break'''
|-
| style="width:10%; background:#7B8ABD" | 15:40-16:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[OWASP Live CD: An open environment for Web Application Security]]
''Matt Tesauro, Texas Education Agency''
|-
| style="width:10%; background:#7B8ABD" | 16:25-16:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | '''Conference Wrap Up and Opportunities to Contribute'''
|}

==Logistics==

Venue: [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102'''

Please use the Conference Center entrance.

==Accommodations==

The conference has not negotiated any special rates for hotel accommodation but the following hotels are near the conference venue:

'''McLean Hilton
7920 Jones Branch Drive
McLean, VA
Tel: 1-703-448-1234'''

Website:
[http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do]

'''Westin Hotel
7801 Leesburg Pike
Falls Church, VA
Tel: 1-703-893-1340'''

Website:
[http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750 http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750]

'''Marriott
8028 Leesburg Pike
Vienna, VA
Tel: 1-703-734-3200'''

Website:
[http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/ http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/]

'''Embassy Suites
8517 Leesburg Pike
Vienna, VA
Tel: 1-703-883-0707'''

Website:
[http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do]

'''The Crowne Plaza Tysons Corner (formerly the Holiday Inn)
1960 Chain
Bridge Rd McLean, VA
Tel: 1-703-893-2100'''

Website: [http://www.cptysonscorner.com/ http://www.cptysonscorner.com/]

'''Sheraton Premiere Tysons
8661 Leesburg Pike
Vienna, VA
Tel: 1-703-506-2500'''

Website:
[http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691 http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691]

==Transportation to the Conference==
===By plane===
The venue area can be reached by commercial aviation through either [http://www.metwashairports.com/Dulles/ Dulles International Airport] or [http://www.mwaa.com/national/ Reagan National Airport].

Both are roughly equidistant from the venue and offer a range of airline and flight options.
===How to get to the venue?===
See the [http://www.mitre.org/about/locations/mitre1_map.html map].

==Registration and Conference Fees==

OWASP Software Assurance Day DC 2009 will be a free conference.

Despite the fact that this is a free conference, we still need you to register to fulfill security requirements of the facility and to ensure that we don't exceed venue capacity.

'''Registrations must be received by Mar 7th!'''

[http://guest.cvent.com/i.aspx?4W,M3,fd34d554-0341-493c-bfdc-94d42d3e3c6d https://www.owasp.org/images/9/9d/Register_now.gif]

==Conference Contacts==

For more information please contact the team below for conference details, sponsorship or registration.

'''Mr Sean Barnum (Conference Chair)''' , Cigital Federal, Inc.

Email: [mailto:sbarnum@cigital.com sbarnum@cigital.com]

Mobile: 703-473-8262

'''Kate Hartmann'''

OWASP Operations Director

9175 Guilford Road, Suite 300

Columbia, MD 21046, USA

Phone: +1-301-575-0189

Facsimile: +1-301-604-8033

Email: [mailto:kate.hartmann@owasp.org kate.hartmann@owasp.org]

==Conference Sponsors==

Under negotiation.

If you are interested in sponsoring this OWASP conference, please contact [mailto:sbarnum@cigital.com Sean Barnum].

[[Category:OWASP AppSec Conference]]

File:Brennan - OWASP SwA Day DC 2009 - OWASP Intro and Overview.pdf

2009-03-23T15:05:13Z

Sbarnum:

OWASP Software Assurance Day DC 2009

2009-03-23T15:02:55Z

Sbarnum:

Welcome to the OWASP Software Assurance Day DC 2009.

This single-day conference will be held on March 13th in conjunction with the Software Assurance Forum (March 10th-12th) sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.

We are pleased to invite OWASP members, attendees of the Software Assurance Forum and any other interested parties to join us for this event.

At this event, you will hear presentations from key leaders in the web application security domain on:

* the state of the union for the Open Web Application Security Project
* the current status of several ongoing OWASP projects
* recently released knowledge resources to assist web application security programs in establishing a standard for minimum due care
* recipes for leveraging OWASP resources in security testing efforts
* the emerging importance of application security in the wireless domain
* a state-of-the-art approach to automating multi-perspective application security assessment

You will also find out how you can leverage OWASP resources and participate in OWASP activities through local chapters in the DC/NOVA/Maryland area.

The co-located Software Assurance Forum is also a free conference and open to any attendees of OWASP Software Assurance Day DC 2009, though it will require separate registration.

For information on registration for the Software Assurance Forum, please contact [mailto:Jennifer.Brezovic@associates.dhs.gov Jennifer Brezovic].

If you have any questions relating to the conference or just want to help out, please email the conference chair, [mailto:sbarnum@cigital.com Sean Barnum].

'''Registrations must be received by Mar 7th!'''

[http://guest.cvent.com/i.aspx?4W,M3,fd34d554-0341-493c-bfdc-94d42d3e3c6d https://www.owasp.org/images/9/9d/Register_now.gif]

==Conference Location==

The OWASP Software Assurance Day DC 2009 will be held in conjunction with the DHS/DOD/NIST Software Assurance Forum at [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102.'''

Please use the Conference Center entrance.

==Agenda and Presentations: 13 March 2009==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | March 13, 2009
|-
| style="width:10%; background:#7B8ABD" | 08:15-08:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Software Assurance Day DC kickoff'''
''Sean Barnum, Conference Chair''
|-
| style="width:10%; background:#7B8ABD" | 08:30-09:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Intro to OWASP]]
''Tom Brennan, WhiteHat Security''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Maturing Software Assessment Through Static Analysis]]
''John Steven, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 09:50-10:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Don’t Write Your Own Security Code: The OWASP Enterprise Security API]] ([http://www.owasp.org/images/f/f2/ESAPI_for_OWASP_Day.pptx slides])
''Jeff Williams, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 10:35-10:50 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Morning Break'''
|-
| style="width:10%; background:#7B8ABD" | 10:50-11:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Cooking with OWASP: Recipes in Web Security Testing]]
''Paco Hope, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 11:40-12:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[OWASP Application Security Verification Standard (ASVS)]]
''Dave Wichers, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 12:25-13:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Lunch – MITRE Cafeteria'''
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[CWE/SANS Top 25: Towards Minimum Due Care in Software Security]]
''Steve Christey, Mitre''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:20 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[The Future of Mobile: Developing Secure Mobile Applications]]
''Jason Rouse, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 15:25-15:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Afternoon Break'''
|-
| style="width:10%; background:#7B8ABD" | 15:40-16:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[OWASP Live CD: An open environment for Web Application Security]]
''Matt Tesauro, Texas Education Agency''
|-
| style="width:10%; background:#7B8ABD" | 16:25-16:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | '''Conference Wrap Up and Opportunities to Contribute'''
|}

==Logistics==

Venue: [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102'''

Please use the Conference Center entrance.

==Accommodations==

The conference has not negotiated any special rates for hotel accommodation but the following hotels are near the conference venue:

'''McLean Hilton
7920 Jones Branch Drive
McLean, VA
Tel: 1-703-448-1234'''

Website:
[http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do]

'''Westin Hotel
7801 Leesburg Pike
Falls Church, VA
Tel: 1-703-893-1340'''

Website:
[http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750 http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750]

'''Marriott
8028 Leesburg Pike
Vienna, VA
Tel: 1-703-734-3200'''

Website:
[http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/ http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/]

'''Embassy Suites
8517 Leesburg Pike
Vienna, VA
Tel: 1-703-883-0707'''

Website:
[http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do]

'''The Crowne Plaza Tysons Corner (formerly the Holiday Inn)
1960 Chain
Bridge Rd McLean, VA
Tel: 1-703-893-2100'''

Website: [http://www.cptysonscorner.com/ http://www.cptysonscorner.com/]

'''Sheraton Premiere Tysons
8661 Leesburg Pike
Vienna, VA
Tel: 1-703-506-2500'''

Website:
[http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691 http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691]

==Transportation to the Conference==
===By plane===
The venue area can be reached by commercial aviation through either [http://www.metwashairports.com/Dulles/ Dulles International Airport] or [http://www.mwaa.com/national/ Reagan National Airport].

Both are roughly equidistant from the venue and offer a range of airline and flight options.
===How to get to the venue?===
See the [http://www.mitre.org/about/locations/mitre1_map.html map].

==Registration and Conference Fees==

OWASP Software Assurance Day DC 2009 will be a free conference.

Despite the fact that this is a free conference, we still need you to register to fulfill security requirements of the facility and to ensure that we don't exceed venue capacity.

'''Registrations must be received by Mar 7th!'''

[http://guest.cvent.com/i.aspx?4W,M3,fd34d554-0341-493c-bfdc-94d42d3e3c6d https://www.owasp.org/images/9/9d/Register_now.gif]

==Conference Contacts==

For more information please contact the team below for conference details, sponsorship or registration.

'''Mr Sean Barnum (Conference Chair)''' , Cigital Federal, Inc.

Email: [mailto:sbarnum@cigital.com sbarnum@cigital.com]

Mobile: 703-473-8262

'''Kate Hartmann'''

OWASP Operations Director

9175 Guilford Road, Suite 300

Columbia, MD 21046, USA

Phone: +1-301-575-0189

Facsimile: +1-301-604-8033

Email: [mailto:kate.hartmann@owasp.org kate.hartmann@owasp.org]

==Conference Sponsors==

Under negotiation.

If you are interested in sponsoring this OWASP conference, please contact [mailto:sbarnum@cigital.com Sean Barnum].

[[Category:OWASP AppSec Conference]]

OWASP Application Security Verification Standard (ASVS)

2009-03-23T14:59:34Z

Sbarnum:

==The Presentation: "OWASP Application Security Verification Standard (ASVS)"==

Providers of web application security verification services can take wildly different approaches and levels of rigor, ranging from using simple search tools to performing painstaking code review and manual testing. This process also typically involves searching for and only reporting vulnerabilities, but does not necessarily comment on what good security practices were found.
All of these problems have a single root cause: the lack of a standard for performing application-level security verification that can be used for any application without special interpretation. The OWASP Application Security Verification Standard (ASVS) was designed to normalize the range in coverage, level of rigor, and reporting requirements available in the market when it comes to performing application security verification.
By the end of this presentation, you will understand how OWASP ASVS defines:
* Levels of application-level security verification that increase in breadth and depth as one moves up the levels,
* Verification requirements that prescribe a unique white-list approach for security controls,
* Reporting requirements that ensure reports are sufficiently detailed to make verification repeatable, and to determine if the verification was accurate and complete.

Download: [[Media:Wichers_-_About_OWASP_ASVS_Web_Edition_v2.pdf‎ ‎| About OWASP ASVS Web Edition.pdf‎]]

==The Speaker: Dave Wichers==
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of [http://www.aspectsecurity.com Aspect Security], a company that specializes in application security services. For OWASP, he is the volunteer [[:Category:OWASP_AppSec_Conference | OWASP Conferences]] Chair, a volunteer member of the [[About_OWASP#Global_Board_Members|OWASP Board]], a coauthor of the [[OWASP_Top_Ten_Project | OWASP Top 10]] and the [[ASVS | OWASP Application Security Verification Standard]], and a contributor to the [[ESAPI | OWASP Enterprise Security API (ESAPI)]] project.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

File:Wichers - About OWASP ASVS Web Edition v2.pdf

2009-03-23T14:58:53Z

Sbarnum: Updated deck from OWASP Software Assurance Day DC 2009

Updated deck from OWASP Software Assurance Day DC 2009

OWASP Live CD: An open environment for Web Application Security

2009-03-13T16:11:06Z

Sbarnum:

==The Presentation: "OWASP Live CD: An open environment for Web Application Security"==

The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at:
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

Download: [[Media:OWASP_Live_CD.pdf‎‎| OWASP_Live_CD.pdf‎]]

==The Speaker: Matt Tesauro==
Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at the Texas A&M Mays Business School. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the OWASP Live CD Project and is also a member of the OWASP Global Projects Committee. Matt Tesauro has a B.S.
in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

File:OWASP Live CD.pdf

2009-03-13T16:10:38Z

Sbarnum: OWASP Live CD: An open environment for web application security presentation deck from OWASP Software Assurance Day DC 2009 Presenter: Matt Tesauro - TEA (LiveCD Project lead)

OWASP Live CD: An open environment for web application security presentation deck from OWASP Software Assurance Day DC 2009
Presenter: Matt Tesauro - TEA (LiveCD Project lead)

The Future of Mobile: Developing Secure Mobile Applications

2009-03-13T16:05:50Z

Sbarnum:

==The Presentation: "The Future of Mobile: Developing Secure Mobile Applications"==

Mobile applications enable millions of users to be more productive, have more fun, and interact with their world in more ways than ever before. We're approaching mobile applications with many of the same tried-and-true approaches that we've used in more traditional software, but what are the dangers? Mobile architectures run the gamut from simple web-based applications optimized for mobile displays to custom-built handset-specific applications that can interact directly with the mobile operating system.

In this talk, we’ll explore the hybrid mobile/web application approach, and discuss the threads that binds them together — information protection and convergence. Mobile devices are unique in that they offer one of the most potentially hostile environments imaginable -- privacy, compliance, and capture protection top the charts as the three most difficult issues facing mobile applications and those who use them. We’ll dive into specifics on what are today “mobile-only” threats; that is, those issues such as location-based services or text messages, and discover how they can be compromised, and how we, as security practitioners, can protect them and the back-end applications that service them.

Download: [[Media:‎| ]]

==The Speaker: Jason Rouse==
Mr. Rouse is Cigital’s Wireless and Mobile Security practice leader. Mr. Rouse has spent the last five years designing, implementing, and deploying state of the art wireless security solutions for mobile environments, spanning access control, application management, payment systems, and hybrid J2EE-and-mobile systems. Drawing from his wealth of experience in the security space and leveraging over a decade of hands-on experience, Mr. Rouse has become a trusted advisor to Fortune 50 companies, financial groups, and private interests. As a trusted advisor, Mr. Rouse has led standards efforts, chairing the FSTC Mobile Payment Security workgroup, and has contributed to several mobile payment solutions, greatly enhancing the security and performance of each project.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

CWE/SANS Top 25: Towards Minimum Due Care in Software Security

2009-03-13T16:01:48Z

Sbarnum:

==The Presentation: "CWE/SANS Top 25: Towards Minimum Due Care in Software Security"==

The CWE/SANS Top 25 Most Dangerous Programming Errors list was released on January 12, 2009, and quickly achieved the rare accomplishment of actually getting noticed by people who don't do security full time. But once January 13 rolled around, the overall response can be summarized in two words: "NOW what?" What place does the Top 25 have in the grand scheme of software security, when there are already competing efforts like the OWASP Top Ten? How was the Top 25 arrived at, and what should its role be in compliance, software acquisition, developer awareness, and - perhaps most importantly - starting the conversation about software security? What are these "weakness" things anyway? If the Top 25 is covered, how much assurance does that really provide, and does anything else get covered for free? And finally: what next? Mr Christey will answer and re-ask these questions in order to frame the Top 25 as an early step in a long journey towards software security. Along the way, he will discuss the Top 25's role in the web world (and outside of it), highlight the two entries that tied for Number 26 and why they didn't make it, and how the Top 25 can concretely demonstrate how there still isn't a "Silver Bullet" for software security.

Download: [[Media:CWE_Top_25_Minimum_Due_Care.pdf‎ ‎| CWE Top 25 Minimum Due Care.pdf‎ ]]

==The Speaker: Steve Christey==
Steve Christey is a Principal Information Security Engineer in the Security and Information Operations Division at The MITRE Corporation.
Since 1999, he has been the Editor of the Common Vulnerabilities and Exposures (CVE) list and the Chair of the CVE Editorial Board. He is the technical lead of the Common Weakness Enumeration (CWE) project.
He was the technical editor of the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors list and an active contributor to other efforts including the SANS Secure Programming exams, NIST's Static Analysis Tool Exposition (SATE), and the Common Vulnerability Scoring System (CVSS). His current interests include secure software development and testing, the theoretical underpinnings of vulnerabilities, making software security accessible to the general public, vulnerability information management including post-disclosure analysis, and vulnerability research. Past work, which dates back to 1993, includes co-authoring the "Responsible Vulnerability Disclosure Process" draft with Chris Wysopal in 2002, reverse engineering of malicious code, automated vulnerability analysis of source code, and vulnerability scanning and incident response. He holds a B.S. in Computer Science from Hobart College.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

File:CWE Top 25 Minimum Due Care.pdf

2009-03-13T16:01:10Z

Sbarnum: CWE Top 25 Minimum Due Care presentation deck from OWASP Software Assurance Day DC 2009 Presenter: Steve Christey - Mitre

CWE Top 25 Minimum Due Care presentation deck from OWASP Software Assurance Day DC 2009
Presenter: Steve Christey - Mitre

OWASP Application Security Verification Standard (ASVS)

2009-03-13T15:58:30Z

Sbarnum:

==The Presentation: "OWASP Application Security Verification Standard (ASVS)"==

Providers of web application security verification services can take wildly different approaches and levels of rigor, ranging from using simple search tools to performing painstaking code review and manual testing. This process also typically involves searching for and only reporting vulnerabilities, but does not necessarily comment on what good security practices were found.
All of these problems have a single root cause: the lack of a standard for performing application-level security verification that can be used for any application without special interpretation. The OWASP Application Security Verification Standard (ASVS) was designed to normalize the range in coverage, level of rigor, and reporting requirements available in the market when it comes to performing application security verification.
By the end of this presentation, you will understand how OWASP ASVS defines:
* Levels of application-level security verification that increase in breadth and depth as one moves up the levels,
* Verification requirements that prescribe a unique white-list approach for security controls,
* Reporting requirements that ensure reports are sufficiently detailed to make verification repeatable, and to determine if the verification was accurate and complete.

Download: [[Media:About_OWASP_ASVS_Web_Edition.pdf‎ ‎| About OWASP ASVS Web Edition.pdf‎]]

==The Speaker: Dave Wichers==
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of [http://www.aspectsecurity.com Aspect Security], a company that specializes in application security services. For OWASP, he is the volunteer [[:Category:OWASP_AppSec_Conference | OWASP Conferences]] Chair, a volunteer member of the [[About_OWASP#Global_Board_Members|OWASP Board]], a coauthor of the [[OWASP_Top_Ten_Project | OWASP Top 10]] and the [[ASVS | OWASP Application Security Verification Standard]], and a contributor to the [[ESAPI | OWASP Enterprise Security API (ESAPI)]] project.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

OWASP Application Security Verification Standard (ASVS)

2009-03-13T15:58:16Z

Sbarnum:

==The Presentation: "OWASP Application Security Verification Standard (ASVS)"==

Providers of web application security verification services can take wildly different approaches and levels of rigor, ranging from using simple search tools to performing painstaking code review and manual testing. This process also typically involves searching for and only reporting vulnerabilities, but does not necessarily comment on what good security practices were found.
All of these problems have a single root cause: the lack of a standard for performing application-level security verification that can be used for any application without special interpretation. The OWASP Application Security Verification Standard (ASVS) was designed to normalize the range in coverage, level of rigor, and reporting requirements available in the market when it comes to performing application security verification.
By the end of this presentation, you will understand how OWASP ASVS defines:
* Levels of application-level security verification that increase in breadth and depth as one moves up the levels,
* Verification requirements that prescribe a unique white-list approach for security controls,
* Reporting requirements that ensure reports are sufficiently detailed to make verification repeatable, and to determine if the verification was accurate and complete.

Download: [[Media:About_OWASP_ASVS_Web_Edition.pdf‎ ‎| About OWASP ASVS Web Edition.pdf‎ .ppt]]

==The Speaker: Dave Wichers==
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of [http://www.aspectsecurity.com Aspect Security], a company that specializes in application security services. For OWASP, he is the volunteer [[:Category:OWASP_AppSec_Conference | OWASP Conferences]] Chair, a volunteer member of the [[About_OWASP#Global_Board_Members|OWASP Board]], a coauthor of the [[OWASP_Top_Ten_Project | OWASP Top 10]] and the [[ASVS | OWASP Application Security Verification Standard]], and a contributor to the [[ESAPI | OWASP Enterprise Security API (ESAPI)]] project.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

File:About OWASP ASVS Web Edition.pdf

2009-03-13T15:56:06Z

Sbarnum: About OWASP ASVS Web Edition presentation deck from OWASP Software Assurance Day DC 2009. Presenter: Dave Wichers - OWASP Board Member (Aspect Security)

About OWASP ASVS Web Edition presentation deck from OWASP Software Assurance Day DC 2009.
Presenter: Dave Wichers - OWASP Board Member (Aspect Security)

Cooking with OWASP: Recipes in Web Security Testing

2009-03-13T15:53:17Z

Sbarnum:

==The Presentation: "Cooking with OWASP: Recipes in Web Security Testing"==

Many of the OWASP projects are tools that you can use to test web applications directly., but not just from a security assessor’s point of view. Software testers need to be able to work security testing into their day-to-day testing regimen. In this talk, Paco will show you a few recipes from his recently released “Web Security Testing Cookbook” that feature OWASP tools. You’ll see how to cheat at some Facebook games by decoding their data with CAL9000, how to assess session ID strength using WebScarab, and how to fuzz web services with wsFuzzer. This talk is all about how to get some actionable hands-on results from some outstanding OWASP tools.

Download: [[Media:CookingWithOWASP-opt.pdf‎‎| Cooking With OWASP.pdf‎]]

==The Speaker: Paco Hope==
Paco Hope is a Technical Manager with Cigital, Inc. and has 12 years of experience in the security of web applications, operating systems, and embedded devices (lottery systems, cell phones, casino gaming devices, smart cards). As a consultant, his customers include MasterCard International, WMS Gaming, GTECH, FINRA (the US securities exchange regulator) and Sterling Commerce (an AT&T Company). He is a frequent speaker on security testing and web application security. His current passion is bringing the techniques of security assessment into the mainstream activities of QA departments and testers. He is co-author of two security books and is also a prior co-chair of VERIFY, an international conference on software testing.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

File:CookingWithOWASP-opt.pdf

2009-03-13T15:51:33Z

Sbarnum: Cooking With OWASP presentation deck from OWASP Software Assurance Day DC 2009 Presenter: Paco Hope - Cigital, Inc. Optimized for printing

Cooking With OWASP presentation deck from OWASP Software Assurance Day DC 2009
Presenter: Paco Hope - Cigital, Inc.
Optimized for printing

OWASP Software Assurance Day DC 2009

2009-02-25T17:39:19Z

Sbarnum:

Welcome to the OWASP Software Assurance Day DC 2009.

This single-day conference will be held on March 13th in conjunction with the Software Assurance Forum (March 10th-12th) sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.

We are pleased to invite OWASP members, attendees of the Software Assurance Forum and any other interested parties to join us for this event.

At this event, you will hear presentations from key leaders in the web application security domain on:

* the state of the union for the Open Web Application Security Project
* the current status of several ongoing OWASP projects
* recently released knowledge resources to assist web application security programs in establishing a standard for minimum due care
* recipes for leveraging OWASP resources in security testing efforts
* the emerging importance of application security in the wireless domain
* a state-of-the-art approach to automating multi-perspective application security assessment

You will also find out how you can leverage OWASP resources and participate in OWASP activities through local chapters in the DC/NOVA/Maryland area.

The co-located Software Assurance Forum is also a free conference and open to any attendees of OWASP Software Assurance Day DC 2009, though it will require separate registration.

For information on registration for the Software Assurance Forum, please contact [mailto:Jennifer.Brezovic@associates.dhs.gov Jennifer Brezovic].

If you have any questions relating to the conference or just want to help out, please email the conference chair, [mailto:sbarnum@cigital.com Sean Barnum].

'''Registrations must be received by Mar 7th!'''

[http://guest.cvent.com/i.aspx?4W,M3,fd34d554-0341-493c-bfdc-94d42d3e3c6d https://www.owasp.org/images/9/9d/Register_now.gif]

==Conference Location==

The OWASP Software Assurance Day DC 2009 will be held in conjunction with the DHS/DOD/NIST Software Assurance Forum at [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102.'''

Please use the Conference Center entrance.

==Agenda and Presentations: 13 March 2009==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | March 13, 2009
|-
| style="width:10%; background:#7B8ABD" | 08:15-08:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Software Assurance Day DC kickoff'''
''Sean Barnum, Conference Chair''
|-
| style="width:10%; background:#7B8ABD" | 08:30-09:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Intro to OWASP'''
''Tom Brennan''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Maturing Software Assessment Through Static Analysis]]
''John Steven, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 09:50-10:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Don’t Write Your Own Security Code: The OWASP Enterprise Security API']]
''Jeff Williams, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 10:35-10:50 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Morning Break'''
|-
| style="width:10%; background:#7B8ABD" | 10:50-11:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Cooking with OWASP: Recipes in Web Security Testing]]
''Paco Hope, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 11:40-12:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[OWASP Application Security Verification Standard (ASVS)]]
''Dave Wichers, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 12:25-13:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Lunch – MITRE Cafeteria'''
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[CWE/SANS Top 25: Towards Minimum Due Care in Software Security]]
''Steve Christey, Mitre''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:20 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[The Future of Mobile: Developing Secure Mobile Applications]]
''Jason Rouse, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 15:25-15:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Afternoon Break'''
|-
| style="width:10%; background:#7B8ABD" | 15:40-16:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[OWASP Live CD: An open environment for Web Application Security]]
''Matt Tesauro, Texas Education Agency''
|-
| style="width:10%; background:#7B8ABD" | 16:25-16:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | '''Conference Wrap Up and Opportunities to Contribute'''
|}

==Logistics==

Venue: [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102'''

Please use the Conference Center entrance.

==Accommodations==

The conference has not negotiated any special rates for hotel accommodation but the following hotels are near the conference venue:

'''McLean Hilton
7920 Jones Branch Drive
McLean, VA
Tel: 1-703-448-1234'''

Website:
[http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do]

'''Westin Hotel
7801 Leesburg Pike
Falls Church, VA
Tel: 1-703-893-1340'''

Website:
[http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750 http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750]

'''Marriott
8028 Leesburg Pike
Vienna, VA
Tel: 1-703-734-3200'''

Website:
[http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/ http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/]

'''Embassy Suites
8517 Leesburg Pike
Vienna, VA
Tel: 1-703-883-0707'''

Website:
[http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do]

'''The Crowne Plaza Tysons Corner (formerly the Holiday Inn)
1960 Chain
Bridge Rd McLean, VA
Tel: 1-703-893-2100'''

Website: [http://www.cptysonscorner.com/ http://www.cptysonscorner.com/]

'''Sheraton Premiere Tysons
8661 Leesburg Pike
Vienna, VA
Tel: 1-703-506-2500'''

Website:
[http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691 http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691]

==Transportation to the Conference==
===By plane===
The venue area can be reached by commercial aviation through either [http://www.metwashairports.com/Dulles/ Dulles International Airport] or [http://www.mwaa.com/national/ Reagan National Airport].

Both are roughly equidistant from the venue and offer a range of airline and flight options.
===How to get to the venue?===
See the [http://www.mitre.org/about/locations/mitre1_map.html map].

==Registration and Conference Fees==

OWASP Software Assurance Day DC 2009 will be a free conference.

Despite the fact that this is a free conference, we still need you to register to fulfill security requirements of the facility and to ensure that we don't exceed venue capacity.

'''Registrations must be received by Mar 7th!'''

[http://guest.cvent.com/i.aspx?4W,M3,fd34d554-0341-493c-bfdc-94d42d3e3c6d https://www.owasp.org/images/9/9d/Register_now.gif]

==Conference Contacts==

For more information please contact the team below for conference details, sponsorship or registration.

'''Mr Sean Barnum (Conference Chair)''' , Cigital Federal, Inc.

Email: [mailto:sbarnum@cigital.com sbarnum@cigital.com]

Mobile: 703-473-8262

'''Kate Hartmann'''

OWASP Operations Director

9175 Guilford Road, Suite 300

Columbia, MD 21046, USA

Phone: +1-301-575-0189

Facsimile: +1-301-604-8033

Email: [mailto:kate.hartmann@owasp.org kate.hartmann@owasp.org]

==Conference Sponsors==

Under negotiation.

If you are interested in sponsoring this OWASP conference, please contact [mailto:sbarnum@cigital.com Sean Barnum].

[[Category:OWASP AppSec Conference]]

OWASP Software Assurance Day DC 2009

2009-02-25T06:31:08Z

Sbarnum:

Welcome to the OWASP Software Assurance Day DC 2009.

This single-day conference will be held on March 13th in conjunction with the Software Assurance Forum (March 10th-12th) sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.

We are pleased to invite OWASP members, attendees of the Software Assurance Forum and any other interested parties to join us for this event.

At this event, you will hear presentations from key leaders in the web application security domain on:

* the state of the union for the Open Web Application Security Project
* the current status of several ongoing OWASP projects
* recently released knowledge resources to assist web application security programs in establishing a standard for minimum due care
* recipes for leveraging OWASP resources in security testing efforts
* the emerging importance of application security in the wireless domain
* a state-of-the-art approach to automating multi-perspective application security assessment

You will also find out how you can leverage OWASP resources and participate in OWASP activities through local chapters in the DC/NOVA/Maryland area.

The co-located Software Assurance Forum is also a free conference and open to any attendees of OWASP Software Assurance Day DC 2009, though it will require separate registration.

For information on registration for the Software Assurance Forum, please contact [mailto:Jennifer.Brezovic@associates.dhs.gov Jennifer Brezovic].

If you have any questions relating to the conference or just want to help out, please email the conference chair, [mailto:sbarnum@cigital.com Sean Barnum].

[http://guest.cvent.com/i.aspx?4W,M3,fd34d554-0341-493c-bfdc-94d42d3e3c6d https://www.owasp.org/images/9/9d/Register_now.gif]

==Conference Location==

The OWASP Software Assurance Day DC 2009 will be held in conjunction with the DHS/DOD/NIST Software Assurance Forum at [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102.'''

Please use the Conference Center entrance.

==Agenda and Presentations: 13 March 2009==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | March 13, 2009
|-
| style="width:10%; background:#7B8ABD" | 08:15-08:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Software Assurance Day DC kickoff'''
''Sean Barnum, Conference Chair''
|-
| style="width:10%; background:#7B8ABD" | 08:30-09:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Intro to OWASP'''
''Tom Brennan''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Maturing Software Assessment Through Static Analysis]]
''John Steven, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 09:50-10:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Don’t Write Your Own Security Code: The OWASP Enterprise Security API']]
''Jeff Williams, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 10:35-10:50 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Morning Break'''
|-
| style="width:10%; background:#7B8ABD" | 10:50-11:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Cooking with OWASP: Recipes in Web Security Testing]]
''Paco Hope, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 11:40-12:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[OWASP Application Security Verification Standard (ASVS)]]
''Dave Wichers, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 12:25-13:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Lunch – MITRE Cafeteria'''
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[CWE/SANS Top 25: Towards Minimum Due Care in Software Security]]
''Steve Christey, Mitre''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:20 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[The Future of Mobile: Developing Secure Mobile Applications]]
''Jason Rouse, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 15:25-15:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Afternoon Break'''
|-
| style="width:10%; background:#7B8ABD" | 15:40-16:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[OWASP Live CD: An open environment for Web Application Security]]
''Matt Tesauro, Texas Education Agency''
|-
| style="width:10%; background:#7B8ABD" | 16:25-16:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | '''Conference Wrap Up and Opportunities to Contribute'''
|}

==Logistics==

Venue: [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102'''

Please use the Conference Center entrance.

==Accommodations==

The conference has not negotiated any special rates for hotel accommodation but the following hotels are near the conference venue:

'''McLean Hilton
7920 Jones Branch Drive
McLean, VA
Tel: 1-703-448-1234'''

Website:
[http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do]

'''Westin Hotel
7801 Leesburg Pike
Falls Church, VA
Tel: 1-703-893-1340'''

Website:
[http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750 http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750]

'''Marriott
8028 Leesburg Pike
Vienna, VA
Tel: 1-703-734-3200'''

Website:
[http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/ http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/]

'''Embassy Suites
8517 Leesburg Pike
Vienna, VA
Tel: 1-703-883-0707'''

Website:
[http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do]

'''The Crowne Plaza Tysons Corner (formerly the Holiday Inn)
1960 Chain
Bridge Rd McLean, VA
Tel: 1-703-893-2100'''

Website: [http://www.cptysonscorner.com/ http://www.cptysonscorner.com/]

'''Sheraton Premiere Tysons
8661 Leesburg Pike
Vienna, VA
Tel: 1-703-506-2500'''

Website:
[http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691 http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691]

==Transportation to the Conference==
===By plane===
The venue area can be reached by commercial aviation through either [http://www.metwashairports.com/Dulles/ Dulles International Airport] or [http://www.mwaa.com/national/ Reagan National Airport].

Both are roughly equidistant from the venue and offer a range of airline and flight options.
===How to get to the venue?===
See the [http://www.mitre.org/about/locations/mitre1_map.html map].

==Registration and Conference Fees==

OWASP Software Assurance Day DC 2009 will be a free conference.

Despite the fact that this is a free conference, we still need you to register to fulfill security requirements of the facility and to ensure that we don't exceed venue capacity.

[http://guest.cvent.com/i.aspx?4W,M3,fd34d554-0341-493c-bfdc-94d42d3e3c6d https://www.owasp.org/images/9/9d/Register_now.gif]

==Conference Contacts==

For more information please contact the team below for conference details, sponsorship or registration.

'''Mr Sean Barnum (Conference Chair)''' , Cigital Federal, Inc.

Email: [mailto:sbarnum@cigital.com sbarnum@cigital.com]

Mobile: 703-473-8262

'''Kate Hartmann'''

OWASP Operations Director

9175 Guilford Road, Suite 300

Columbia, MD 21046, USA

Phone: +1-301-575-0189

Facsimile: +1-301-604-8033

Email: [mailto:kate.hartmann@owasp.org kate.hartmann@owasp.org]

==Conference Sponsors==

Under negotiation.

If you are interested in sponsoring this OWASP conference, please contact [mailto:sbarnum@cigital.com Sean Barnum].

[[Category:OWASP AppSec Conference]]

OWASP Live CD: An open environment for Web Application Security

2009-02-25T06:28:54Z

Sbarnum: New page: ==The Presentation: "OWASP Live CD: An open environment for Web Application Security"== The OWASP Live CD is a project that collects some of the best open source security projects in a s...

==The Presentation: "OWASP Live CD: An open environment for Web Application Security"==

The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at:
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

==The Speaker: Matt Tesauro==
Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at the Texas A&M Mays Business School. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the OWASP Live CD Project and is also a member of the OWASP Global Projects Committee. Matt Tesauro has a B.S.
in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

The Future of Mobile: Developing Secure Mobile Applications

2009-02-25T06:27:37Z

Sbarnum: New page: ==The Presentation: "The Future of Mobile: Developing Secure Mobile Applications"== Mobile applications enable millions of users to be more productive, have more fun, and interact with t...

==The Presentation: "The Future of Mobile: Developing Secure Mobile Applications"==

Mobile applications enable millions of users to be more productive, have more fun, and interact with their world in more ways than ever before. We're approaching mobile applications with many of the same tried-and-true approaches that we've used in more traditional software, but what are the dangers? Mobile architectures run the gamut from simple web-based applications optimized for mobile displays to custom-built handset-specific applications that can interact directly with the mobile operating system.

In this talk, we’ll explore the hybrid mobile/web application approach, and discuss the threads that binds them together — information protection and convergence. Mobile devices are unique in that they offer one of the most potentially hostile environments imaginable -- privacy, compliance, and capture protection top the charts as the three most difficult issues facing mobile applications and those who use them. We’ll dive into specifics on what are today “mobile-only” threats; that is, those issues such as location-based services or text messages, and discover how they can be compromised, and how we, as security practitioners, can protect them and the back-end applications that service them.

==The Speaker: Jason Rouse==
Mr. Rouse is Cigital’s Wireless and Mobile Security practice leader. Mr. Rouse has spent the last five years designing, implementing, and deploying state of the art wireless security solutions for mobile environments, spanning access control, application management, payment systems, and hybrid J2EE-and-mobile systems. Drawing from his wealth of experience in the security space and leveraging over a decade of hands-on experience, Mr. Rouse has become a trusted advisor to Fortune 50 companies, financial groups, and private interests. As a trusted advisor, Mr. Rouse has led standards efforts, chairing the FSTC Mobile Payment Security workgroup, and has contributed to several mobile payment solutions, greatly enhancing the security and performance of each project.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

Maturing Software Assessment Through Static Analysis

2009-02-25T06:22:51Z

Sbarnum: New page: ==The Presentation: "Maturing Software Assessment Through Static Analysis"== '''Presentation Abstract''' Organizations have struggled to understand the place of dynamic security testing ...

==The Presentation: "Maturing Software Assessment Through Static Analysis"==

'''Presentation Abstract'''

Organizations have struggled to understand the place of dynamic security testing techniques and their penetration testing tool use has suffered setbacks as a result. Likewise, as these same organizations turn to static analysis tools they find themselves struggling to decide who should run the tool and what kinds of vulnerabilities the tool will find for them. Finally, organizations lament the lack of depth or scale associated with their manual security analyses. This presentation will show how recent approaches to holistic application assessment at Cigital have overcome the limitations of existing tools by combining industry-best scanning tools and open source technologies for continuous integration. This combination, in turn, has the security benefit of scanning tools to be seen more closely to when vulnerabilities are introduced (and can be fixed) and allows them to be applied more frequently.

'''Prerequisites'''

A working understanding of common security vulnerabilities and experience using vulnerability scanning tools (preferably static analysis tools) will help.

==The Speaker: John Steven==
John Steven is the Senior Director, Advanced Technology Consulting at Cigital, Inc. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America’s largest internet provider in the Midwest on security and forensics. John led the development of Cigital’s architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital’s intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE’s Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

OWASP Application Security Verification Standard (ASVS)

2009-02-25T06:20:31Z

Sbarnum: New page: ==The Presentation: "OWASP Application Security Verification Standard (ASVS)"== Providers of web application security verification services can take wildly different approaches and levels...

==The Presentation: "OWASP Application Security Verification Standard (ASVS)"==

Providers of web application security verification services can take wildly different approaches and levels of rigor, ranging from using simple search tools to performing painstaking code review and manual testing. This process also typically involves searching for and only reporting vulnerabilities, but does not necessarily comment on what good security practices were found.
All of these problems have a single root cause: the lack of a standard for performing application-level security verification that can be used for any application without special interpretation. The OWASP Application Security Verification Standard (ASVS) was designed to normalize the range in coverage, level of rigor, and reporting requirements available in the market when it comes to performing application security verification.
By the end of this presentation, you will understand how OWASP ASVS defines:
* Levels of application-level security verification that increase in breadth and depth as one moves up the levels,
* Verification requirements that prescribe a unique white-list approach for security controls,
* Reporting requirements that ensure reports are sufficiently detailed to make verification repeatable, and to determine if the verification was accurate and complete.

==The Speaker: Dave Wichers==
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services. For OWASP, he is the volunteer OWASP Conferences Chair, a volunteer member of the OWASP Board, a coauthor of the OWASP Top 10 and the OWASP ASVS, and a contributor to the OWASP Enterprise Security API (ESAPI) project.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

Cooking with OWASP: Recipes in Web Security Testing

2009-02-25T06:18:54Z

Sbarnum: New page: ==The Presentation: "Cooking with OWASP: Recipes in Web Security Testing"== Many of the OWASP projects are tools that you can use to test web applications directly., but not just from a s...

==The Presentation: "Cooking with OWASP: Recipes in Web Security Testing"==

Many of the OWASP projects are tools that you can use to test web applications directly., but not just from a security assessor’s point of view. Software testers need to be able to work security testing into their day-to-day testing regimen. In this talk, Paco will show you a few recipes from his recently released “Web Security Testing Cookbook” that feature OWASP tools. You’ll see how to cheat at some Facebook games by decoding their data with CAL9000, how to assess session ID strength using WebScarab, and how to fuzz web services with wsFuzzer. This talk is all about how to get some actionable hands-on results from some outstanding OWASP tools.

==The Speaker: Paco Hope==
Paco Hope is a Technical Manager with Cigital, Inc. and has 12 years of experience in the security of web applications, operating systems, and embedded devices (lottery systems, cell phones, casino gaming devices, smart cards). As a consultant, his customers include MasterCard International, WMS Gaming, GTECH, FINRA (the US securities exchange regulator) and Sterling Commerce (an AT&T Company). He is a frequent speaker on security testing and web application security. His current passion is bringing the techniques of security assessment into the mainstream activities of QA departments and testers. He is co-author of two security books and is also a prior co-chair of VERIFY, an international conference on software testing.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

Don’t Write Your Own Security Code: The OWASP Enterprise Security API

2009-02-25T06:17:44Z

Sbarnum: New page: ==The Presentation: "Don’t Write Your Own Security Code: The OWASP Enterprise Security API"== Application security is arguably the most difficult IT challenge facing organizations today...

==The Presentation: "Don’t Write Your Own Security Code: The OWASP Enterprise Security API"==

Application security is arguably the most difficult IT challenge facing organizations today. Chasing the 700 types of common weaknesses with scanners and static analysis is a losing proposition. Rather than chasing after these vulnerabilities, developers can address almost all of these problems with a set of 10 to 12 strong centralized security controls. To make it easier for developers to establish these controls, the Open Web Application Security Project (OWASP) has created a clean, intuitive, and open-source toolbox of the core security building blocks that every web developer needs. In this talk, Jeff will show you how to create an ESAPI for your organization that will solve the OWASP Top Ten vulnerabilities, increase assurance, and dramatically cut costs all at the same time.

==The Speaker: Jeff Williams==
Jeff Williams is the founder and CEO of Aspect Security, specializing exclusively in application security risk management services. Jeff also serves as the volunteer Chair of the Open Web Application Security Project (OWASP). Jeff has made extensive contributions to the application security community through OWASP, including writing the Top Ten, WebGoat, Secure Software Contract Annex, Enterprise Security API, OWASP Risk Rating Methodology, and starting the worldwide local chapters program. Jeff has spent 20 years in security, and for the last 10 has focused on securing enterprise Java applications. He also wasted four years and a ton of money on a law degree from Georgetown that he doesn’t use.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

OWASP Software Assurance Day DC 2009

2009-02-25T06:15:36Z

Sbarnum: created links to presentation details pages

Welcome to the OWASP Software Assurance Day DC 2009.

This single-day conference will be held on March 13th in conjunction with the Software Assurance Forum (March 10th-12th) sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.

We are pleased to invite OWASP members, attendees of the Software Assurance Forum and any other interested parties to join us for this event.

At this event, you will hear presentations from key leaders in the web application security domain on:

* the state of the union for the Open Web Application Security Project
* the current status of several ongoing OWASP projects
* recently released knowledge resources to assist web application security programs in establishing a standard for minimum due care
* recipes for leveraging OWASP resources in security testing efforts
* the emerging importance of application security in the wireless domain
* a state-of-the-art approach to automating multi-perspective application security assessment

You will also find out how you can leverage OWASP resources and participate in OWASP activities through local chapters in the DC/NOVA/Maryland area.

The co-located Software Assurance Forum is also a free conference and open to any attendees of OWASP Software Assurance Day DC 2009, though it will require separate registration.

For information on registration for the Software Assurance Forum, please contact [mailto:Jennifer.Brezovic@associates.dhs.gov Jennifer Brezovic].

If you have any questions relating to the conference or just want to help out, please email the conference chair, [mailto:sbarnum@cigital.com Sean Barnum].

[http://guest.cvent.com/i.aspx?4W,M3,fd34d554-0341-493c-bfdc-94d42d3e3c6d https://www.owasp.org/images/9/9d/Register_now.gif]

==Conference Location==

The OWASP Software Assurance Day DC 2009 will be held in conjunction with the DHS/DOD/NIST Software Assurance Forum at [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102.'''

Please use the Conference Center entrance.

==Agenda and Presentations: 13 March 2009==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | March 13, 2009
|-
| style="width:10%; background:#7B8ABD" | 08:15-08:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Software Assurance Day DC kickoff'''
''Sean Barnum, Conference Chair''
|-
| style="width:10%; background:#7B8ABD" | 08:30-09:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Intro to OWASP'''
''Tom Brennan''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[CWE/SANS Top 25: Towards Minimum Due Care in Software Security]]
''Steve Christey, Mitre''
|-
| style="width:10%; background:#7B8ABD" | 09:50-10:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Don’t Write Your Own Security Code: The OWASP Enterprise Security API']]
''Jeff Williams, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 10:35-10:50 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Morning Break'''
|-
| style="width:10%; background:#7B8ABD" | 10:50-11:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Cooking with OWASP: Recipes in Web Security Testing]]
''Paco Hope, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 11:40-12:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[OWASP Application Security Verification Standard (ASVS)]]
''Dave Wichers, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 12:25-13:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Lunch – MITRE Cafeteria'''
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[Maturing Software Assessment Through Static Analysis]]
''John Steven, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:20 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[The Future of Mobile: Developing Secure Mobile Applications]]
''Jason Rouse, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 15:25-15:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Afternoon Break'''
|-
| style="width:10%; background:#7B8ABD" | 15:40-16:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | [[OWASP Live CD: An open environment for Web Application Security]]
''Matt Tesauro, Texas Education Agency''
|-
| style="width:10%; background:#7B8ABD" | 16:25-16:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | '''Conference Wrap Up and Opportunities to Contribute'''
|}

==Logistics==

Venue: [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102'''

Please use the Conference Center entrance.

==Accommodations==

The conference has not negotiated any special rates for hotel accommodation but the following hotels are near the conference venue:

'''McLean Hilton
7920 Jones Branch Drive
McLean, VA
Tel: 1-703-448-1234'''

Website:
[http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do]

'''Westin Hotel
7801 Leesburg Pike
Falls Church, VA
Tel: 1-703-893-1340'''

Website:
[http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750 http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750]

'''Marriott
8028 Leesburg Pike
Vienna, VA
Tel: 1-703-734-3200'''

Website:
[http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/ http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/]

'''Embassy Suites
8517 Leesburg Pike
Vienna, VA
Tel: 1-703-883-0707'''

Website:
[http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do]

'''The Crowne Plaza Tysons Corner (formerly the Holiday Inn)
1960 Chain
Bridge Rd McLean, VA
Tel: 1-703-893-2100'''

Website: [http://www.cptysonscorner.com/ http://www.cptysonscorner.com/]

'''Sheraton Premiere Tysons
8661 Leesburg Pike
Vienna, VA
Tel: 1-703-506-2500'''

Website:
[http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691 http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691]

==Transportation to the Conference==
===By plane===
The venue area can be reached by commercial aviation through either [http://www.metwashairports.com/Dulles/ Dulles International Airport] or [http://www.mwaa.com/national/ Reagan National Airport].

Both are roughly equidistant from the venue and offer a range of airline and flight options.
===How to get to the venue?===
See the [http://www.mitre.org/about/locations/mitre1_map.html map].

==Registration and Conference Fees==

OWASP Software Assurance Day DC 2009 will be a free conference.

Despite the fact that this is a free conference, we still need you to register to fulfill security requirements of the facility and to ensure that we don't exceed venue capacity.

[http://guest.cvent.com/i.aspx?4W,M3,fd34d554-0341-493c-bfdc-94d42d3e3c6d https://www.owasp.org/images/9/9d/Register_now.gif]

==Conference Contacts==

For more information please contact the team below for conference details, sponsorship or registration.

'''Mr Sean Barnum (Conference Chair)''' , Cigital Federal, Inc.

Email: [mailto:sbarnum@cigital.com sbarnum@cigital.com]

Mobile: 703-473-8262

'''Kate Hartmann'''

OWASP Operations Director

9175 Guilford Road, Suite 300

Columbia, MD 21046, USA

Phone: +1-301-575-0189

Facsimile: +1-301-604-8033

Email: [mailto:kate.hartmann@owasp.org kate.hartmann@owasp.org]

==Conference Sponsors==

Under negotiation.

If you are interested in sponsoring this OWASP conference, please contact [mailto:sbarnum@cigital.com Sean Barnum].

[[Category:OWASP AppSec Conference]]

CWE/SANS Top 25: Towards Minimum Due Care in Software Security

2009-02-25T06:13:25Z

Sbarnum: Initial page creation

==The Presentation: "CWE/SANS Top 25: Towards Minimum Due Care in Software Security"==

The CWE/SANS Top 25 Most Dangerous Programming Errors list was released on January 12, 2009, and quickly achieved the rare accomplishment of actually getting noticed by people who don't do security full time. But once January 13 rolled around, the overall response can be summarized in two words: "NOW what?" What place does the Top 25 have in the grand scheme of software security, when there are already competing efforts like the OWASP Top Ten? How was the Top 25 arrived at, and what should its role be in compliance, software acquisition, developer awareness, and - perhaps most importantly - starting the conversation about software security? What are these "weakness" things anyway? If the Top 25 is covered, how much assurance does that really provide, and does anything else get covered for free? And finally: what next? Mr Christey will answer and re-ask these questions in order to frame the Top 25 as an early step in a long journey towards software security. Along the way, he will discuss the Top 25's role in the web world (and outside of it), highlight the two entries that tied for Number 26 and why they didn't make it, and how the Top 25 can concretely demonstrate how there still isn't a "Silver Bullet" for software security.

==The Speaker: Steve Christey==
Steve Christey is a Principal Information Security Engineer in the Security and Information Operations Division at The MITRE Corporation.
Since 1999, he has been the Editor of the Common Vulnerabilities and Exposures (CVE) list and the Chair of the CVE Editorial Board. He is the technical lead of the Common Weakness Enumeration (CWE) project.
He was the technical editor of the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors list and an active contributor to other efforts including the SANS Secure Programming exams, NIST's Static Analysis Tool Exposition (SATE), and the Common Vulnerability Scoring System (CVSS). His current interests include secure software development and testing, the theoretical underpinnings of vulnerabilities, making software security accessible to the general public, vulnerability information management including post-disclosure analysis, and vulnerability research. Past work, which dates back to 1993, includes co-authoring the "Responsible Vulnerability Disclosure Process" draft with Chris Wysopal in 2002, reverse engineering of malicious code, automated vulnerability analysis of source code, and vulnerability scanning and incident response. He holds a B.S. in Computer Science from Hobart College.

[[OWASP_Software_Assurance_Day_DC_2009#Agenda and Presentations:_13_March_2009|back to Presentation Agenda]]

OWASP Software Assurance Day DC 2009

2009-02-23T06:02:26Z

Sbarnum: minor tweaks to spacing

Welcome to the OWASP Software Assurance Day DC 2009.

This single-day conference will be held on March 13th in conjunction with the Software Assurance Forum (March 10th-12th) sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.

We are pleased to invite OWASP members, attendees of the Software Assurance Forum and any other interested parties to join us for this event.

At this event, you will hear presentations from key leaders in the web application security domain on:

* the state of the union for the Open Web Application Security Project
* the current status of several ongoing OWASP projects
* recently released knowledge resources to assist web application security programs in establishing a standard for minimum due care
* recipes for leveraging OWASP resources in security testing efforts
* the emerging importance of application security in the wireless domain
* a state-of-the-art approach to automating multi-perspective application security assessment

You will also find out how you can leverage OWASP resources and participate in OWASP activities through local chapters in the DC/NOVA/Maryland area.

The co-located Software Assurance Forum is also a free conference and open to any attendees of OWASP Software Assurance Day DC 2009, though it will require separate registration.

For information on registration for the Software Assurance Forum, please contact [mailto:Jennifer.Brezovic@associates.dhs.gov Jennifer Brezovic].

If you have any questions relating to the conference or just want to help out, please email the conference chair, [mailto:sbarnum@cigital.com Sean Barnum].

Registration link should be up soon.

==Conference Location==

The OWASP Software Assurance Day DC 2009 will be held in conjunction with the DHS/DOD/NIST Software Assurance Forum at [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102.'''

Please use the Conference Center entrance.

==Agenda and Presentations: 13 March 2009==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | March 13, 2009
|-
| style="width:10%; background:#7B8ABD" | 08:15-08:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Software Assurance Day DC kickoff'''
''Sean Barnum, Conference Chair''
|-
| style="width:10%; background:#7B8ABD" | 08:30-09:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Intro to OWASP'''
''Tom Brennan''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''CWE/SANS Top 25: Towards Minimum Due Care in Software Security'''
''Steve Christey, Mitre''
|-
| style="width:10%; background:#7B8ABD" | 09:50-10:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Don’t Write Your Own Security Code: The OWASP Enterprise Security API'''
''Jeff Williams, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 10:35-10:50 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Morning Break'''
|-
| style="width:10%; background:#7B8ABD" | 10:50-11:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Cooking with OWASP: Recipes in Web Security Testing'''
''Paco Hope, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 11:40-12:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Application Security Verification Standard (ASVS)'''
''Dave Wichers, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 12:25-13:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Lunch – MITRE Cafeteria'''
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Maturing Software Assessment Through Static Analysis'''
''John Steven, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:20 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''The Future of Mobile: Developing Secure Mobile Applications'''
''Jason Rouse, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 15:25-15:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Afternoon Break'''
|-
| style="width:10%; background:#7B8ABD" | 15:40-16:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Live CD: An open environment for Web Application Security'''
''Matt Tesauro, Texas Education Agency''
|-
| style="width:10%; background:#7B8ABD" | 16:25-16:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | '''Conference Wrap Up and Opportunities to Contribute'''
|}

==Logistics==

Venue: [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102'''

Please use the Conference Center entrance.

==Accommodations==

The conference has not negotiated any special rates for hotel accommodation but the following hotels are near the conference venue:

'''McLean Hilton
7920 Jones Branch Drive
McLean, VA
Tel: 1-703-448-1234'''

Website:
[http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do]

'''Westin Hotel
7801 Leesburg Pike
Falls Church, VA
Tel: 1-703-893-1340'''

Website:
[http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750 http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750]

'''Marriott
8028 Leesburg Pike
Vienna, VA
Tel: 1-703-734-3200'''

Website:
[http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/ http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/]

'''Embassy Suites
8517 Leesburg Pike
Vienna, VA
Tel: 1-703-883-0707'''

Website:
[http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do]

'''The Crowne Plaza Tysons Corner (formerly the Holiday Inn)
1960 Chain
Bridge Rd McLean, VA
Tel: 1-703-893-2100'''

Website: [http://www.cptysonscorner.com/ http://www.cptysonscorner.com/]

'''Sheraton Premiere Tysons
8661 Leesburg Pike
Vienna, VA
Tel: 1-703-506-2500'''

Website:
[http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691 http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691]

==Transportation to the Conference==
===By plane===
The venue area can be reached by commercial aviation through either [http://www.metwashairports.com/Dulles/ Dulles International Airport] or [http://www.mwaa.com/national/ Reagan National Airport].

Both are roughly equidistant from the venue and offer a range of airline and flight options.
===How to get to the venue?===
See the [http://www.mitre.org/about/locations/mitre1_map.html map].

==Registration and Conference Fees==

OWASP Software Assurance Day DC 2009 will be a free conference.

Despite the fact that this is a free conference, we still need you to register to fulfill security requirements of the facility and to ensure that we don't exceed venue capacity.

Registration links should be up soon.

==Conference Contacts==

For more information please contact the team below for conference details, sponsorship or registration.

'''Mr Sean Barnum (Conference Chair)''' , Cigital Federal, Inc.

Email: [mailto:sbarnum@cigital.com sbarnum@cigital.com]

Mobile: 703-473-8262

'''Kate Hartmann'''

OWASP Operations Director

9175 Guilford Road, Suite 300

Columbia, MD 21046, USA

Phone: +1-301-575-0189

Facsimile: +1-301-604-8033

Email: [mailto:kate.hartmann@owasp.org kate.hartmann@owasp.org]

==Conference Sponsors==

Under negotiation.

If you are interested in sponsoring this OWASP conference, please contact [mailto:sbarnum@cigital.com Sean Barnum].

[[Category:OWASP AppSec Conference]]

OWASP Software Assurance Day DC 2009

2009-02-23T05:58:00Z

Sbarnum: Fixed agenda

Welcome to the OWASP Software Assurance Day DC 2009.

This single-day conference will be held on March 13th in conjunction with the Software Assurance Forum (March 10th-12th) sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.

We are pleased to invite OWASP members, attendees of the Software Assurance Forum and any other interested parties to join us for this event.

At this event, you will hear presentations from key leaders in the web application security domain on:

* the state of the union for the Open Web Application Security Project
* the current status of several ongoing OWASP projects
* recently released knowledge resources to assist web application security programs in establishing a standard for minimum due care
* recipes for leveraging OWASP resources in security testing efforts
* the emerging importance of application security in the wireless domain
* a state-of-the-art approach to automating multi-perspective application security assessment

You will also find out how you can leverage OWASP resources and participate in OWASP activities through local chapters in the DC/NOVA/Maryland area.

The co-located Software Assurance Forum is also a free conference and open to any attendees of OWASP Software Assurance Day DC 2009, though it will require separate registration.

For information on registration for the Software Assurance Forum, please contact [mailto:Jennifer.Brezovic@associates.dhs.gov Jennifer Brezovic].

If you have any questions relating to the conference or just want to help out, please email the conference chair, [mailto:sbarnum@cigital.com Sean Barnum].

Registration link should be up soon.

==Conference Location==

The OWASP Software Assurance Day DC 2009 will be held in conjunction with the DHS/DOD/NIST Software Assurance Forum at [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102.'''

Please use the Conference Center entrance.

==Agenda and Presentations: 13 March 2009==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | March 13, 2009
|-
| style="width:10%; background:#7B8ABD" | 08:15-08:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Software Assurance Day DC kickoff'''
''Sean Barnum, Conference Chair''
|-
| style="width:10%; background:#7B8ABD" | 08:30-09:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Intro to OWASP'''
''Tom Brennan''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''CWE/SANS Top 25: Towards Minimum Due Care in Software Security'''
''Steve Christey, Mitre''
|-
| style="width:10%; background:#7B8ABD" | 09:50-10:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Don’t Write Your Own Security Code: The OWASP Enterprise Security API'''
''Jeff Williams, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 10:35-10:50 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Morning Break'''
|-
| style="width:10%; background:#7B8ABD" | 10:50-11:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Cooking with OWASP: Recipes in Web Security Testing'''
''Paco Hope, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 11:40-12:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Application Security Verification Standard (ASVS)'''
''Dave Wichers, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 12:25-13:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Lunch – MITRE Cafeteria'''
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:30 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Maturing Software Assessment Through Static Analysis'''
''John Steven, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:20 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''The Future of Mobile: Developing Secure Mobile Applications'''
''Jason Rouse, Cigital''
|-
| style="width:10%; background:#7B8ABD" | 15:25-15:40 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | '''Afternoon Break'''
|-
| style="width:10%; background:#7B8ABD" | 15:40-16:25 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Live CD: An open environment for Web Application Security'''
''Matt Tesauro, Texas Education Agency''
|-
| style="width:10%; background:#7B8ABD" | 16:25-16:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | '''Conference Wrap Up and Opportunities to Contribute'''
|}

==Logistics==

Venue: [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102'''

Please use the Conference Center entrance.

==Accommodations==

The conference has not negotiated any special rates for hotel accommodation but the following hotels are near the conference venue:

'''McLean Hilton
7920 Jones Branch Drive
McLean, VA
Tel: 1-703-448-1234'''

Website:
[http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do]

'''Westin Hotel
7801 Leesburg Pike
Falls Church, VA
Tel: 1-703-893-1340'''

Website:
[http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750 http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750]

'''Marriott
8028 Leesburg Pike
Vienna, VA
Tel: 1-703-734-3200'''

Website:
[http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/ http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/]

'''Embassy Suites
8517 Leesburg Pike
Vienna, VA
Tel: 1-703-883-0707'''

Website:
[http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do]

'''The Crowne Plaza Tysons Corner (formerly the Holiday Inn)
1960 Chain
Bridge Rd McLean, VA
Tel: 1-703-893-2100'''

Website: [http://www.cptysonscorner.com/ http://www.cptysonscorner.com/]

'''Sheraton Premiere Tysons
8661 Leesburg Pike
Vienna, VA
Tel: 1-703-506-2500'''

Website:
[http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691 http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691]

==Transportation to the Conference==
===By plane===
The venue area can be reached by commercial aviation through either [http://www.metwashairports.com/Dulles/ Dulles International Airport] or [http://www.mwaa.com/national/ Reagan National Airport].

Both are roughly equidistant from the venue and offer a range of airline and flight options.
===How to get to the venue?===
See the [http://www.mitre.org/about/locations/mitre1_map.html map].

==Registration and Conference Fees==

OWASP Software Assurance Day DC 2009 will be a free conference.

Despite the fact that this is a free conference, we still need you to register to fulfill security requirements of the facility and to ensure that we don't exceed venue capacity.

Registration links should be up soon.

==Conference Contacts==

For more information please contact the team below for conference details, sponsorship or registration.

Mr Sean Barnum (Conference Chair) , Cigital Federal, Inc.

Email: sbarnum@cigital.com

Mobile: 703-473-8262

Kate Hartmann

OWASP Operations Director

9175 Guilford Road, Suite 300

Columbia, MD 21046, USA

Phone: +1-301-575-0189

Facsimile: +1-301-604-8033

Email: kate.hartmann@owasp.org

==Conference Sponsors==

Under negotiation.

If you are interested in sponsoring this OWASP conference, please contact [mailto:sbarnum@cigital.com Sean Barnum].

[[Category:OWASP AppSec Conference]]

OWASP Software Assurance Day DC 2009

2009-02-23T05:50:49Z

Sbarnum: Initial page creation

Welcome to the OWASP Software Assurance Day DC 2009.

This single-day conference will be held on March 13th in conjunction with the Software Assurance Forum (March 10th-12th) sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.

We are pleased to invite OWASP members, attendees of the Software Assurance Forum and any other interested parties to join us for this event.

At this event, you will hear presentations from key leaders in the web application security domain on:

* the state of the union for the Open Web Application Security Project
* the current status of several ongoing OWASP projects
* recently released knowledge resources to assist web application security programs in establishing a standard for minimum due care
* recipes for leveraging OWASP resources in security testing efforts
* the emerging importance of application security in the wireless domain
* a state-of-the-art approach to automating multi-perspective application security assessment

You will also find out how you can leverage OWASP resources and participate in OWASP activities through local chapters in the DC/NOVA/Maryland area.

The co-located Software Assurance Forum is also a free conference and open to any attendees of OWASP Software Assurance Day DC 2009, though it will require separate registration.

For information on registration for the Software Assurance Forum, please contact [mailto:Jennifer.Brezovic@associates.dhs.gov Jennifer Brezovic].

If you have any questions relating to the conference or just want to help out, please email the conference chair, [mailto:sbarnum@cigital.com Sean Barnum].

Registration link should be up soon.

==Conference Location==

The OWASP Software Assurance Day DC 2009 will be held in conjunction with the DHS/DOD/NIST Software Assurance Forum at [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102.'''

Please use the Conference Center entrance.

==Agenda and Presentations: 13 March 2009==

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | March 13, 2009
|-
| style="width:10%; background:#7B8ABD" | 08:15-08:3 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''OWASP Software Assurance Day DC kickoff'''
''Sean Barnum, Conference Chair''
|-
| style="width:10%; background:#7B8ABD" | 08:30-09:00 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Intro to OWASP'''
''Tom Brennan''
|-
| style="width:10%; background:#7B8ABD" | 09:00-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''CWE/SANS Top 25: Towards Minimum Due Care in Software Security'''
''Steve Christey, Mitre''
|-
| style="width:10%; background:#7B8ABD" | 09:50-10:35 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | '''Don’t Write Your Own Security Code: The OWASP Enterprise Security API'''
''Jeff Williams, Aspect Security''
|-
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | ‘’’Break’’’
|-
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | OWASP State of the Union
''Tom Brennan, OWASP Board''
|-
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | OWASP State of the Union
''Tom Brennan, OWASP Board''
|-
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | ‘’’Lunch – MITRE Cafeteria’’’
|-
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | OWASP State of the Union
''Tom Brennan, OWASP Board''
|-
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | OWASP State of the Union
''Tom Brennan, OWASP Board''
|-
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | ‘’’Break’’’
|-
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="left" | OWASP State of the Union
''Tom Brennan, OWASP Board''
|-
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up and Opportunities to Contribute
|}

==Logistics==

Venue: [http://www.mitre.org/about/locations/mitre1_map.html '''MITRE Building 1''']''', 7525 Colshire Drive, McLean, VA 22102'''

Please use the Conference Center entrance.

==Accommodations==

The conference has not negotiated any special rates for hotel accommodation but the following hotels are near the conference venue:

'''McLean Hilton
7920 Jones Branch Drive
McLean, VA
Tel: 1-703-448-1234'''

Website:
[http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do http://www1.hilton.com/en_US/hi/hotel/MCLMHHH-Hilton-McLean-Tysons-Corner-Virginia/index.do]

'''Westin Hotel
7801 Leesburg Pike
Falls Church, VA
Tel: 1-703-893-1340'''

Website:
[http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750 http://www.starwoodhotels.com/westin/property/overview/index.html?propertyID=1750]

'''Marriott
8028 Leesburg Pike
Vienna, VA
Tel: 1-703-734-3200'''

Website:
[http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/ http://www.marriott.com/hotels/travel/wastc-tysons-corner-marriott/]

'''Embassy Suites
8517 Leesburg Pike
Vienna, VA
Tel: 1-703-883-0707'''

Website:
[http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do http://embassysuites1.hilton.com/en_US/es/hotel/WASTSES-Embassy-Suites-Tysons-Corner-Virginia/index.do]

'''The Crowne Plaza Tysons Corner (formerly the Holiday Inn)
1960 Chain
Bridge Rd McLean, VA
Tel: 1-703-893-2100'''

Website: [http://www.cptysonscorner.com/ http://www.cptysonscorner.com/]

'''Sheraton Premiere Tysons
8661 Leesburg Pike
Vienna, VA
Tel: 1-703-506-2500'''

Website:
[http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691 http://www.starwoodhotels.com/sheraton/property/overview/index.html?propertyID=691]

==Transportation to the Conference==
===By plane===
The venue area can be reached by commercial aviation through either [http://www.metwashairports.com/Dulles/ Dulles International Airport] or [http://www.mwaa.com/national/ Reagan National Airport].

Both are roughly equidistant from the venue and offer a range of airline and flight options.
===How to get to the venue?===
See the [http://www.mitre.org/about/locations/mitre1_map.html map].

==Registration and Conference Fees==

OWASP Software Assurance Day DC 2009 will be a free conference.

Despite the fact that this is a free conference, we still need you to register to fulfill security requirements of the facility and to ensure that we don't exceed venue capacity.

Registration links should be up soon.

==Conference Contacts==

For more information please contact the team below for conference details, sponsorship or registration.

Mr Sean Barnum (Conference Chair) , Cigital Federal, Inc.

Email: sbarnum@cigital.com

Mobile: 703-473-8262

Kate Hartmann

OWASP Operations Director

9175 Guilford Road, Suite 300

Columbia, MD 21046, USA

Phone: +1-301-575-0189

Facsimile: +1-301-604-8033

Email: kate.hartmann@owasp.org

==Conference Sponsors==

Under negotiation.

If you are interested in sponsoring this OWASP conference, please contact [mailto:sbarnum@cigital.com Sean Barnum].

[[Category:OWASP AppSec Conference]]

Category:OWASP AppSec Conference

2009-02-22T05:21:41Z

Sbarnum: Added OWASP Software Assurance Day DC 2009

__NOTOC__
The OWASP AppSec conference series is dedicated to bringing together industry, government, and security researchers and practitioners to discuss the state of the art in application security. This series was launched in the U.S. in the Fall of 2004 and in Europe in the Spring of 2005 and this has rapidly grown into a world wide phenomenon which now includes the U.S., Europe, Asia, Australia, and Israel. All of the presentations from our previous conferences can be downloaded from the agenda pages for each conference.

Chapter leaders wanting to host a conference click [[How_to_Host_a_Conference|here]] and when your ready, please contact [https://www.owasp.org/index.php/Global_Conferences_Committee Global Conferences Committee] to make it happen.

Checkout OWASP's conferences for the past two years on [http://maps.google.com/maps/ms?hl=en&gl=us&ie=UTF8&oe=UTF8&msa=0&msid=102471112605576686928.00046255c51af35309c77 Google Maps].
<hr>

[[Category:OWASP AppSec Conference]]

==2009 Conferences Schedule==
; February 2009 - [[Italy_OWASP_Day_3 |Day 3 Italy]]
: Feb 23rd - OWASP Day III: "Web Application Security: research meets industry" - Bari (Italy)

; February 2009 - [[OWASP_AU_Conference_2009|OWASP AppSec Australia 2009]] - Gold Coast
: Feb 25th-27th - Training & Conference, Gold Coast Convention Center, QLD Australia

; March 2009 - [[Front_Range_OWASP_Conference_2009|Front Range OWASP Conference 2009 (aka SNOWFroc)]]
: March 5th, 2nd Annual 1-Day Conference in Denver, Colorado

; March 2009 - [[OWASP_Software_Assurance_Day_DC_2009|OWASP Software Assurance Day DC 2009 (in conjunction with the DHS/DOD/NIST Software Assurance Forum)]]
: March 13th, 1-Day Conference in McLean, Virginia

; May 2009 - [[OWASP_AppSec_Europe_2009_-_Poland |OWASP AppSec Europe 2009]] - Poland
: May 11th-14th - Conference and Training, Qubus Hotel, Krakow, Poland ([[OWASP AppSec Europe 2009 CFP |Call for Presentations is out!]])

; September 2009 - [[OWASP_Ireland_AppSec_2009_Conference |OWASP AppSec Ireland 2009]]
: September 10th - 1-Day Conference at Trinity College in Dublin

; November 2009 - [[OWASP_AppSec_US_2009_-_Washington_DC |OWASP AppSec US 2009]] - Washington, D.C.

; May/June 2010 - [[OWASP_AppSec_Europe_2010_-_Sweden |OWASP AppSec Europe 2010]] - Stockholm, Sweden

==Completed Conferences==

=== 2008 ===
; November 2008 - [[OWASP_Germany_2008_Conference | OWASP Germany Conference]]
: November 25th - 1-Day Conference in Frankfurt, Germany

; November 2008 - [[OWASP_EU_Summit_2008 | OWASP Summit 2008 - Portugal]]
: November 3rd - 7th - Working Sessions, Conference & Training, Algarve, Portugal

; October 2008 - [[OWASP AppSec Asia 2008 - Taiwan]]
: October 27th - 28th - NTUH International Convention Centre, Taipei, Taiwan

; October 2008 - [[OWASP_Minneapolis_St_Paul_2008_Conference | OWASP Minnesota Conference]]
: October 21st - University of Minnesota's St. Paul Student Center

; September 2008 - [[OWASP_NYC_AppSec_2008_Conference | OWASP AppSec U.S. 2008 - New York City]]
: September 22nd - 25th - Conference & Training, Park Central Hotel, NYC

; September 2008 - [[OWASP_Israel_2008_Conference | OWASP Israel 2008 - Herzliya, Israel]]
: September 14th - The Interdisciplinary Center Herzliya, Israel

; August 2008 - [[OWASP_AppSec_India_Conference_2008 | OWASP AppSec India 2008 - Delhi, India]]
: August 20th - 21st - Conference & Training

; June 10th 2008 - [[Front_Range_Web_Application_Security_Summit_Planning_Page | Front Range Web Application Security Conference]] - Denver, CO

; May 2008 - [[OWASP_AppSec_Europe_2008_-_Belgium | OWASP AppSec Europe 2008 - Ghent, Belgium]]
: May 19th - 22nd - Conference & Training, Ghent University, Belgium (view [[OWASP_AppSec_Europe_2008_-_Belgium#Agenda_and_Presentations_-_May_21-22|agenda and presentations]])

; February 2008 - [[OWASP_Australia_AppSec_2008_Conference | OWASP Australia AppSec 2008 Conference]]
: February 27th-29th - Training & Conference, Gold Coast Convention Center, QLD Australia

=== 2007 ===
; December 2007 - [[OWASP_Israel_2007_Conference | OWASP Israel AppSec 2007 Conference]]
: December 3rd, 2007 - Interdisciplinary Center (IDC) Herzliya, Israel

; November 2007 - [[OWASP & WASC AppSec 2007 Conference | OWASP & WASC AppSec U.S. 2007 - San Jose, California]]
: November 12-15 - at eBay in San Jose, CA. (view [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda#OWASP_.26_WASC_AppSec_2007_Conference_Schedule_-_Nov_14-15_.28San_Jose_2007.29|agenda and presentations]])

; September 2007 - [[OWASP_AppSec_Asia_2007 | OWASP AppSec Asia 2007 - Taiwan]]
: September 27 - in Taipei, Taiwan.

; May 2007 - [[OWASP_AppSec_Europe_2007_-_Italy | OWASP AppSec Europe 2007 - Italy]]
: May 15th-17th - in Milan, Italy. (view [[OWASP_AppSec_Europe_2007_-_Italy/Agenda|agenda and presentations]])

=== 2004-2006 ===

; October 2006 - [[OWASP AppSec Seattle 2006| OWASP AppSec U.S. 2006 - Seattle, Washington]]
: October 16th-18th - in Seattle, Washington. (view [[OWASP_AppSec_Seattle_2006/Agenda|agenda and presentations]])

; May 2006 - [[OWASP AppSec Europe 2006| OWASP AppSec Europe 2006 - Belgium ]]
: Held in Leuven, Belgium (view [[AppSec Europe 2006/Agenda|agenda and presentations]])

; October 2005 - [[OWASP AppSec Washington 2005|OWASP AppSec U.S. 2005 - Washington D.C.]]
: Held at NIST in Gaithersburg, MD (view [[AppSec Washington 2005/Agenda|agenda and presentations]])

; April 2005 - [[OWASP AppSec Europe 2005|OWASP AppSec Europe 2005 - London]]
: Held at Royal Holloway University in London (view [[AppSec Europe 2005/Agenda|agenda and presentations]])

; November 2004 - [[OWASP AppSec NYC 2004|OWASP AppSec U.S. 2004 - New York City]]
: Held at Stevens Institute in New Jersey (view [[AppSec NYC 2004|agenda and presentations]])

<center><br>
More [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference-archive Conference Archives - Click Here]</center>