
AppSec Academia Symposium Irvine 09


Welcome to the OWASP Application Security Academia Symposium

For those who attended, please take the evaluation survey

Date: Wednesday 8/26/2009

The "all you pay for is parking event".

Presentation Recordings

Some presentations will be recorded using Camtasia Relay. More information about the service can be found at the UCI Replay page.

Opening Presentation

Neil Matatall: UC Irvine

Presentation Recording


Tracking the Progress of an SDL (Security Development Lifecycle) Program - Lessons From the Gym

Cassio Goldschmidt, Symantec Corp

Presentation Recording

Audio Only

Developing a Security Mindset On Campus

Ed Murphy:  University of Arizona

Presentation Recording

Audio Only

Enterprise Security Practices: Real World Tips and Techniques

Michael Craigue

Presentation Recording

Audio Only

OWASP Live CD Project

Matt Tesauro:  Texas Education Agency

Presentation Recording

Audio Only

Software Assurance Maturity Model (SAMM)

Pravir Chandra: Fortify Software

Presentation Recording

Audio Only

Development Issues Within AJAX Applications: How to Divert Threats

Lars Ewe: Cenzic

Presentation Recording

Audio Only

Powerpoint Presentations

All presentations can be found at:


Enterprise Application Security Practices - Real-world Tips and Techniques

Tracking the Progress of an SDL: Lessons From the Gym

Software Assurance Maturity Model (SAMM)

Developing a Security Mindset on Campus

Event's Location

University of California, Irvine.

Building: Calit2 building (building number 325, quadrant H8 on the UC Irvine map)





Local Hotel Information


Refreshments will be available all day and lunch will be provided by Imperva. Catering from Chick-Fil-A.


The closest airport is the John Wayne Airport (SNA). It is less than 10 minutes away from the UC Irvine Campus. Most major airlines have frequent flights. The other option is LAX, although nobody enjoys LAX.


For those already in Southern California, taking the train may be a good option. There is an Amtrak station less than 15 minutes away from campus. Irvine Amtrak Station


Parking will be $7. Please park in the Anteater Parking Structure

Call for Presentations / Research Papers

The CFP is closed


8:30-9:30 Check-In
9:30-9:50 Event Introduction

Neil Matatall; UC Irvine, OWASP Orange County

Kuai Hinojosa; NYU, OWASP MSP

10-10:50 OWASP Live CD: An Open Environment for Web Application Security

Matt Tesauro, Texas Education Agency

11-11:50 Software Assurance Maturity Model (SAMM)

Pravir Chandra; Fortify Software

12-12:50 Enterprise Application Security Practices: Real-world Tips and Techniques

Michael J. Craigue; Dell Inc

12:50-14:00 Lunch :)  :@)

Chick-Fil-A provided By Imperva

14:00-14:50 Don't Be Next: Developing a Security Mindset Among Web Developers on Campus

Ed Murphy; University of Arizona

15:00-15:50 Development Issues Within AJAX Applications: How to Divert Threats

Lars Ewe; Cenzic

16:00-16:30 BREAK
16:30-17:20 Tracking the Progress of an SDL Program: Lessons From the Gym

Cassio Goldschmidt; Symantec Corp

17:30-18:30 Avoiding Injection Attacks in the Drupal Framework

Dave Keays; LA-Drupal

18:30-? Egress: Dinner and Drinks

Anthill Pub and Grille

Agenda and Presentations

Break Out Sessions

Small Rooms (10-15 people) will be available for a majority of the event. These are meant for AdHoc discussions. Ideas can be posted on the wiki or sent to Neil Matatall (nmatatal at These are meant to be freeform, but please be courteous with the time you use.

Tracking the Progress of an SDL Program: Lessons From the Gym

Name: Cassio Goldschmidt

Affiliation: Sr. Manager of Product Security at Symantec Corp.

Abstract: Secure coding and testing training are a vital element of any successful security development lifecycle program. In this talk Symantec, an industry pioneer in internal secure coding education, will present what makes a security class effective, engaging and valuable to an organization with development offices spread across several countries. We'll also analyze numerous other successful ongoing educational and awareness initiatives used to keep the staff current, interested and alert about the latest attacks.

Bio: Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling and penetration testing. Cassio’s background includes over 12 years of technical and managerial experience in the software industry. During the six years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests.

Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a masters degree in software engineering from Santa Clara University, and a masters of business administration from the University of Southern California.

Development Issues Within AJAX Applications: How to Divert Threats

Name: Lars Ewe

Affiliation: CTO and VP of Engineering for Cenzic

Abstract: AJAX has rapidly emerged as a prominent enabling technology in the movement to improve the Web as a software platform for business and consumer applications. Using AJAX development techniques provides software developers with a wide-open platform for creating innovative new Web (2.0) applications. The result is a more readily responsive Web environment which minimizes the “start-stop-start-stop” nature of Web pages, thus increasing the speed and user-interactivity of Web-enabled services.

However, the open, malleable nature of Web 2.0 also has an often overlooked impact on application security that is not necessarily initially visible to application developers, establishing a relatively easy target for malicious behavior to compromise applications and overall network security. Various security issues arise from a number of sources, thus increasing the attack surface of AJAX applications: client side security controls often replace server side data validation, thus creating a false sense of security; so do calls to “hidden” application functionality and URLs; new XML and JavaScript data models, such as JSON, also enable new attack vectors, like JavaScript Hijacking; and the open, easy to use nature of so called Mashups often comes at the price of various security compromises.

Such threats, however, can be thwarted with the proper implementation of security testing. This session will address the development issues of AJAX applications from a security perspective, looking at how today's common web threats such as SQL injection, Cross Site Scripting, and others are often magnified in an AJAX environment, and it will also explore new threats, such as JavaScript Hijacking. Last but not least, it also provides best practices for AJAX application developers that are designed to help manage the security complexities inherent to AJAX development.
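The two points above that developers most often get wrong, client-side checks standing in for server-side validation and JSON data being readable by a cross-origin page that includes it as a script (JavaScript Hijacking), can both be handled in the endpoint itself. The following is an added example written for this page in Node.js; it is not code from the talk or from Cenzic. The transfer endpoint, its field rules and the request/response objects are hypothetical stand-ins for a real HTTP framework.

```javascript
// Added example: server-side controls for a hypothetical AJAX/JSON "transfer"
// endpoint. Runs stand-alone under Node.js; no framework required.

// Non-executable prefix. A cross-site page can load an authenticated JSON
// response with <script src="..."> (the victim's cookies are sent), but the
// prefix makes the body a syntax error, so nothing is evaluated or captured.
const JSON_GUARD = ")]}',\n";

// Server-side validation. The browser may already run the same rules in
// JavaScript, but that copy is under the attacker's control, so the server
// repeats it and treats the client-side check as a UX nicety only.
function validateTransfer(input) {
  if (typeof input !== 'object' || input === null || Array.isArray(input)) {
    return ['body must be a JSON object'];
  }
  const errors = [];
  if (!/^[0-9]{1,12}$/.test(String(input.account))) {
    errors.push('account must be 1-12 digits');
  }
  const amount = Number(input.amount);
  if (!Number.isInteger(amount) || amount <= 0 || amount > 1000000) {
    errors.push('amount must be an integer between 1 and 1000000');
  }
  return errors;
}

// Endpoint handler. req = { method, headers (lower-case names), body }.
// 1. POST only: a <script src> inclusion is always a GET.
// 2. Require a custom header. A <script> tag or plain HTML form cannot set
//    one, and a cross-origin XMLHttpRequest that tries triggers a CORS
//    preflight this server does not answer.
// 3. Prefix every JSON body with the guard, error responses included.
function handleTransfer(req) {
  if (req.method !== 'POST') {
    return { status: 405, body: 'method not allowed' };
  }
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: 'missing X-Requested-With header' };
  }
  let parsed;
  try {
    parsed = JSON.parse(req.body);
  } catch (e) {
    return { status: 400, body: JSON_GUARD + JSON.stringify({ errors: ['invalid JSON'] }) };
  }
  const errors = validateTransfer(parsed);
  if (errors.length > 0) {
    return { status: 400, body: JSON_GUARD + JSON.stringify({ errors }) };
  }
  const result = { ok: true, account: String(parsed.account), amount: Number(parsed.amount) };
  return { status: 200, body: JSON_GUARD + JSON.stringify(result) };
}

// Client side (the legitimate XMLHttpRequest caller): strip the guard before
// parsing and refuse anything that lacks it, so a stripped or spoofed
// response is noticed rather than silently accepted.
function parseGuardedJson(body) {
  if (typeof body !== 'string' || !body.startsWith(JSON_GUARD)) {
    throw new Error('response is missing the JSON guard prefix');
  }
  return JSON.parse(body.slice(JSON_GUARD.length));
}

// Constructed sample requests for a stand-alone run.
const AJAX_HEADERS = { 'x-requested-with': 'XMLHttpRequest' };
function demo() {
  return {
    scriptTagStyle: handleTransfer({ method: 'GET', headers: {}, body: '' }).status,
    formPostNoHeader: handleTransfer({ method: 'POST', headers: {}, body: '{}' }).status,
    badFields: handleTransfer({ method: 'POST', headers: AJAX_HEADERS,
      body: '{"account":"12a","amount":-5}' }).status,
    good: parseGuardedJson(handleTransfer({ method: 'POST', headers: AJAX_HEADERS,
      body: '{"account":"1234","amount":50}' }).body),
  };
}
console.log(demo());
```

The header check only holds when the server does not also enable permissive CORS for the endpoint; if it does, the preflight passes and the custom header is no longer a cross-origin barrier.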

Bio: Lars Ewe is a technology executive with broad background in (web) application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering and product management in a variety of different markets. Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts.

OWASP Live CD: An Open Environment for Web Application Security

Name: Matt Tesauro

Affiliation: Texas Education Agency

Abstract: The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. The Live CD also contains documentation and an interactive learning environment to enhance users web application security knowledge. This presentation will cover the current state of the OWASP Live CD specifically the migration to an Ubuntu Linux base, the addition of static analysis tools and development of an additional educational environment. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at:

Bio: Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&M University. Currently, he's focused on web application security and developing a Secure SDLC for the Texas Education Agency (TEA). Outside work, he is the project lead for the OWASP Live CD, a member of the OWASP Global Projects Committee, part of the local OWASP chapter's leadership and the membership director of ISSA of Austin, Texas. Matt Tesauro has a B.S. in Economics and an M.S. in Management Information Systems from Texas A&M University. He also holds the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.

Software Assurance Maturity Model (SAMM)

Name: Pravir Chandra

Affiliation: Director of Strategic Services, Fortify Software

Abstract: The Software Assurance Maturity Model (SAMM) ( is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. SAMM is an open and free project and has recently been added under the Open Web Application Security Project (OWASP).

Bio: Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is the author of the book Network Security with OpenSSL.

Enterprise Application Security Practices: Real-world Tips and Techniques

Name: Michael J. Craigue

Affiliation: Sr. Application Security Consultant at Dell Inc.

Abstract: Dell Inc. worked with Microsoft and Fortify to create its application security practice. Mike Craigue will discuss some of the challenges and opportunities Dell faced. This session will cover creating policies/standards, deploying a Security Development Lifecycle as an overlay to the SDLC, overcoming concerns of developers and business partners, and addressing global standardization issues. This talk will analyze the creation and evolution of Dell's Security Development Lifecycle over the last few years, including awareness/education/training, application security user groups, security consulting staff development, risk assessments, security reviews, threat modeling, source code scans, deployment scans, and penetration testing. It will include a discussion of Dell's information security organization and the division of labor among internal security consultants in the security development lifecycle. It will also explain the development, socialization, and approval process for the secure application development standard.

Bio: Mike is CISSP- and CSSLP-certified and has taught Database Management and Business Intelligence/Knowledge Management at St. Edward’s University in their MBA and MS CIS programs. Prior to joining Dell’s information security team, he spent over a decade building Web and database applications. He holds a Ph.D. from the University of Texas at Austin in Higher Education Administration and Finance. At Dell since 1999, he’s responsible for application security, with an emphasis on the Ecomm site.

Don't Be Next: Developing a Security Mindset Among Web Developers on Campus

Name: Ed Murphy

Affiliation: Assistant Director, University Information Technology Services at the University of Arizona

Abstract: This presentation focuses on the problem of bad computer code and how to prevent it at a university. Web application development on a university campus is done in a variety of ways. Sometimes it is done with student developers, sometimes with outside vendors, sometimes with full-time staff and sometimes with a combination of resources. This presentation will review strategies for developing a security mindset when doing web development on a college or university campus. The strategies covered by the presentation include:

  • Education, such as developer presentations on vulnerabilities and how to use language-specific libraries to eliminate vulnerabilities.
  • Developing secure coding standards for developers.
  • Changes to the Software Development Life Cycle (SDLC) to incorporate secure code reviews into the peer review process.
  • Leveraging your campus Information Security Office to make tools available to distributed developers on campus, such as IBM's Rational AppScan and QualysGuard.
  • Developing a recommended vendor list for departments who choose to have web applications built by off-campus vendors.
  • Working with your Purchasing and Contracts department to incorporate SANS Application Security Procurement Language into standard contracts.

Bio: Fourteen years' experience with software development, database administration and web servers in both the corporate and higher education sectors. My experience with web development covers the Java, PHP and .Net (C#) platforms. Most recently I have been leading teams of software developers, both full-time staff and student staff, as well as being a secure coding proponent on campus. I have presented on secure coding practices (in general), secure PHP code development and on the value of vulnerability analysis using pentest tools (i.e., IBM's Rational AppScan). I have also been called upon to lead teams of developers in the investigation and remediation of several high-profile web site hacks on campus. Most notably I led the team that determined the break-in method and implemented the code fixes to secure the Phoenix Mars Lander's [1] mission site.

Avoiding Injection Attacks in the Drupal Framework

Name: Dave Keays

Affiliation: LA-Drupal (LADRUPAL.ORG)

Abstract: Drupal is a driving force in Open Source Web Applications and has numerous security features built in. By following a few guidelines, all contributed code or modules can have security built in by design.

Drupal's abstraction layers provide protection against some of the most common attacks. This paper will look at those protections, code snippets, black-box analysis, and a set of guidelines for developing modules for Drupal. It will serve as the first chapter in a free ebook on Drupal security.

Bio: Dave Keays is a freelance PHP developer with over one year's experience on security within Drupal. He is a member of the LADrupal Users Group (LADRUPAL.ORG), where he has given talks about secure development and design, and has led a discussion group on Desktop and Internet security at the North Orange County Computer Club, which meets at Chapman University in Orange, California. His security knowledge is certified by CompTIA and he is pursuing certification by both (ISC)2 and SANS.

Research At UC Irvine

Various discussions from researchers currently working in the field of security. More details will be posted later regarding presenters and topics.


There will be no fees for this event; only registration is required to participate. Space is limited and there is no plan for on-site registration, so please register early.


OWASP AppSec Event Sponsor

This conference will be sponsored by Administrative Computing Services at UC Irvine

Pre-Event Organization Team

  • Kuai Hinojosa (kuai.hinojosa 'at'
  • Neil Matatall (nmatatal 'at'

Food/Refreshments supplied by Imperva