Atlanta Member Meeting 03.24.10

March 2010 Meeting

WHAT:: Static & Dynamic Analysis for Web Applications (Panel Discussion)

WHEN:: March 24, 2010 6-8pm

WHERE:: Room 1116-E , Klaus Advanced Computing Building, Georgia Tech :: Web :: Google Maps ::

• Parking spots: Parking Map - Physics building (Area 4)
• Campus Bus: Tech trolley runs between Midtown Marta and the venue

WHO:: Moderator: Tony UV (Chapter Lead). Panel members include Cris Eng (Veracode), Jeremiah Grossman (WhiteHat Security), Caleb Sima (Armorize), Russell Spitler (Fortify) and Matt Wood (HP Web Security)

ABSTRACT:: This meeting format will be in the form of a panel discussion that we hope all of you can not only attend but participate as well. Our chapter lead Tony UV be moderating the event and in preparation for doing so, we would like to get some good group think going around the topics to be discussed. Specifically, the focus of the topic is a comprehensive look at both static and dynamic analysis of web applications, which will encompass current trends, lessons learned from the trenches, myths and misconceptions, success stories, and more from our panel of experts.

In preparation for this meeting we ask that ALL members supply any questions that you would like the panel of experts to answer. We’ll provide responses of this Q&A online after the event.

BIOs::

• Chris Eng, Senior Director of Research at Veracode, is responsible for integrating security expertise into Veracode’s technology and helping to define and prioritize the security feature set of Veracode’s service offerings. His professional experience includes stints at Symantec, @stake, and the US Department of Defense, where he specialized in security assessments and offensive research. Chris has presented at security conferences such as the Black Hat Briefings and OWASP AppSec and has been quoted as a subject matter expert in various industry publications. Chris, along with experts from more than 30 US and international cyber security organizations, helped develop the CWE/SANS Top 25 Most Dangerous Programming Errors.

• Caleb Sima, Caleb Sima was co-founder and CTO to SPI Dynamics, the world's leading and de facto standard for Web application security scanning. After being acquired by HP, Caleb was made HP's Chief Technologist - Application Security Center, where he helped HP build a SaaS version of HP's application security offerings. He also directed the lifecycle of HP's Web application security solutions where he led a team of accomplished security experts that have received worldwide recognition for identifying new security threats and devising advanced countermeasures. Caleb has been engaged in the Internet security arena since 1996, a time when the concept of Internet security was just emerging. After being a security engineer for S1, he joined Internet Security Systems' (later IBM) elite X-Force research and development team, where he founded the first pen testing team and bootstrapped the company's enterprise security assessment business. Since then, he has become widely recognized within the industry as an expert in penetration testing, and for identifying emerging security threats. In early 2000 Caleb co-founded SPI Dynamics and helped to define the industry's directions.

• Jeremiah Grossman founder and chief technology officer of WhiteHat Security, is a world-renowned expert in web application security and a founding member of the Web Application Security Consortium (WASC). At WhiteHat, Mr. Grossman is responsible for web application security R&D and industry evangelism. He is a frequent speaker at industry events including the BlackHat Briefings, ISACA's Networks Security Conference, NASA, ISSA and Defcon. A trusted media resource, Mr. Grossman has been featured in USA Today, the Washington Post, Information Week, NBC Nightly News, and many others. Mr. Grossman is also a featured expert and frequent contributor on TechTarget's SearchAppSecurity.com. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!

• Russell Spitler started his career in software security at Colby College. For his honors thesis he developed a static analysis engine embedded in the eclipse IDE. Shortly after his graduation he started at Fortify Software. At Fortify he initially continued his work with Integrated Development Environments, developing security specific plug-ins for Eclipse and Visual Studio. In addition, he developed an IDE specifically crafted for the security professional: Fortify's Audit Workbench. Russell then acted as lead designer and architect of Fortify's central software security management platform: 360 Server. His experience developing security solutions for all aspects of security programs uniquely positioned him to design and implement the SSA Governance module, an element critical to the successful large scale management of Secure Development programs. Recently Russell has been acting as the Product Manager of the Fortify 360 Suite. During his tenure he has acted as advisor to more than 500 successful deployments of the software and is often a key reference in the design of software security initiatives. In his free time he enjoys skiing, riding motorcycles and drinking whiskey.

• Caleb Sima is the CEO of Armorize that provides end-to-end security solutions for securing enterprise Web apps. He is the former co-founder and CTO of SPI Dynamics, which was acquired by HP Software in August 2007. Prior to starting SPI, Caleb worked for the elite X-Force R&D team at Internet Security Systems and as a security engineer for S1 Corporation. Caleb is a frequent speaker and press resource on Internet attacks and has contributed to Baseline Magazine and (IN)Secure Magazine as well as being featured in the Associated Press. He is also a Microsoft Most Valuable Professional (MVP) in Visual Developer Security.

• Matt Wood is the lead security researcher in HP’s Web Security Research Group. Matt has led the development of both HP Scrawlr and HP SWFScan, which are free security tools designed to help organizations find SQL injection and Adobe Flash security vulnerabilities, respectively. Beyond making sweet free tools, he has also given numerous presentations at major security conferences including BlackHat and RSA. Matt currently is focusing his research on client-side static analysis and using AI to help security practitioners audit complex Ajax/RIA applications.

Presentation from the event: File:Atlanta March 2010 Presentation.pdf Audio recording: TBD