OWASP AppSec NYC 2004


OWASP Application Security 2004 in NYC

The OWASP Application Security Conference (AppSec) 2004 was a huge success. Thanks to all the presenters and participants for a very interesting weekend.

Day One Agenda

Saturday, June 19th, 2004
Time Title
9.00 - 10.00 AM Welcome to AppSec 2004 - Mark Curphey, OWASP Founder/ Consulting Director Foundstone
10.00 - 10.40 AM KeyNote - Teaching Developers to Fish! - Denis Verdon, Head of CISG, Fidelity National Financial
10.40 - 11.00 AM Break
11.00 - 11.40 AM Software Security Metrics - Jack Danahy, President - Ounce Labs, Inc.
11.40 - 11.50 AM Break
11.50 - 12.30 PM OWASP Projects - ISO7799 - Stan Guzik, Chief Technology Officer, Immediatech Corp
12.30 - 1.30 PM Lunch
1.00 - 1.40 PM OWASP Projects - Testing Guide/SDLC - Mark Curphey, OWASP Founder/ Consulting Director Foundstone
1.40 - 1.50 PM Break
1.50 - 2.15 PM OWASP Projects - WebGoat - Bruce Mayhew, Aspect Security
2.20 - 3.00 PM Discussion - What do you want OWASP to accomplish this year? Jeff Williams, OWASP Chair, CIO Aspect Security
3.00 - 3.10 PM Break
3.10 - 3.40 PM Input validation where and how? Jeff Williams, OWASP Chair, CIO Aspect Security
3.40 - 3.50 PM Break
3.50 - 4.20 PM OASIS WAS-XML - Mark Curphey, OWASP Founder/ Consulting Director Foundstone
4.20 - 4.30 PM Break
4.30 - 5.15 PM Discussion - Market Trends: Where is AppSec going? Jeff Williams, OWASP Chair, CIO Aspect Security
5.15 - 6.15 PM Coffee/Social

Day Two Agenda

Sunday, June 20th, 2004
Time Title
9.00 - 9.40 AM Beyond Best Practices - Dave Aitel, Immunity
9.40 - 9.50 AM Break
9.50 - 10.30 AM Application Security Careers
10.30 - 10.40 AM Break
10.40 - 11.10 AM Emerging Trends in Software Security - John Viega, Founder and Chief Scientist of Secure Software
11.10 - 11.50 AM Discussion: Finding Application Vulnerabilities. Comparing approaches
11.50 - 12.30 PM OWASP Project - oPortal - David Raphael
12.30 - 1.30 PM Lunch
1.30 - 2.00 PM Full Trust Asp.Net Insecurity, PPTs, videos - Dinis Cruz
2.00 - 2.30 PM Security Considerations in the System Development Life Cycle... - George Capehart, Founding Member of Capehart Associates LLC
2.30 - 2.40 PM Break
2.40 - 3.10 PM Advanced Google Hacking - Kartik Trivedi, Senior Consultant/Lead Instructor - Foundstone
3.10 - 3.30 PM Stevens Institute of Technology Address
3.30 - 4.00 PM Application Security and Academia - Andreas Fuchsberger, Information Security Group, Royal Holloway, University of London
4.00 - 4.30 PM Conference Wrap Up

Speaker Bios and Talk Summaries

Denis Verdon - Head of CISG, Fidelity National Financial - Denis has 21 years of experience in Information Security and IT in the Financial Services industry, much of which was gained while working both as a senior security executive and as a consultant to senior security executives at Global 200 companies across 19 countries. Originally from a network design and engineering background, he has held senior positions at Price Waterhouse as European practice leader for Ethical Hacking, at Ernst and Young International, and as head of information security and risk management at Instinet.

Teaching Developers to Fish! - Application security, from requirements definition to operations and maintenance, needs not only policy, good practices and coding standards; it needs an adaptable application security framework and methodology, coupled with culture change and education of the development community. The presentation will share real-world experiences in developing and implementing a methodology, focusing on the challenges of applying risk assessment data to application design, dealing with differing development methodologies, and educating developers about the correct application of security technology. It will give a status report on this effort within FNF, from the context of a company that has grown its application development capability through the acquisition of multiple software development shops.

Mark Curphey - Mark has a Masters Degree in Information Security from Royal Holloway, University of London. He works for Foundstone as a Consulting Director specializing in strategic application security work; he was previously a Director for Information Security at Charles Schwab in San Francisco and ran the consulting teams on the East Coast out of Atlanta. He has held various positions with international investment banks in Europe and North America. In his spare time he enjoys his family (wife Cara, son Jack (aged 3 years) and daughter Hana (aged 10 months)) and driving fast cars.

OWASP Projects - Testing Guide/SDLC - For a long time we have known that the root cause of the application security problem is insecure software. While some people try to find new ways to break software, others are focusing their attention on solving the root cause and building more secure software. This speech will cover how to build an enterprise testing program that centers around continuous improvement of the software development lifecycle to improve the security quality of software development.

OASIS WAS-XML - The OASIS WAS technical committee is developing an XML format to describe application security vulnerabilities. OASIS WAS, however, has far-reaching uses beyond simple vulnerability identification, including metrics and measurement and risk management. This speech will provide an overview of OASIS WAS and discuss the creative ways people are using the format.

Jack Danahy - Jack is President and CEO of Ounce Labs, an innovator of application risk management solutions based in Waltham, MA. A frequent speaker and writer on the need for application security metrics and a contributor to policy forums and standards organizations, Jack holds patents or has patents pending in kernel security, secure remote communications, systems management and distributed computing.

Security in Numbers: The Need For Metrics in Security Decisions - Good security decisions rely on accurate information. Without knowing the greatest areas of risk, security technology decisions are made based on 'best guess' analysis. At best, this results in an inefficient approach to security. At worst, it is an ineffective one. This presentation will discuss the importance of gathering application security metrics and how to use that information to make targeted, deliberate decisions about how and where to spend security budgets and set a road map towards more effective security.

Stan Guzik - Stan, CISSP, MCP, is the CTO for Immediatech Corp. His primary focus is on developing secure Internet-based document management technologies targeting the financial markets. His areas of expertise include information security, information systems, SDLC, document management, and workflow. Previously Stan held senior web application architecture positions for consulting companies specializing in web application development. In addition to holding a number of industry-related certificates, Stan also holds a Master of Science in Information Systems from Stevens Institute of Technology.

OWASP Projects - ISO7799 - The number of threats against Web Applications is constantly increasing. Threats posed by viruses, hackers, and employees are increasing in complexity and require a comprehensive long-term information security management strategy. We will discuss how we can apply ISO 17799 to reduce these threats as a security management strategy for Web Applications.

Bruce Mayhew - Bruce leads the development of the WebGoat project for OWASP. Bruce works at Aspect Security, Inc. as a Java software architect and security analyst.

OWASP Projects - WebGoat - WebGoat is a J2EE web application designed to demonstrate and teach about common web application security vulnerabilities. Bruce will discuss the WebGoat project and plans for the future. The talk will cover the use of WebGoat in the corporate environment for both developers and security professionals. You'll also see demonstrations of the WebGoat approach to learning.

Jeff Williams - Jeff heads up the Top Ten project for OWASP and designed the original WebGoat architecture. Jeff is the founder and CEO of Aspect Security, Inc., an application security consulting company providing security code review, penetration testing, secure development training, and security engineering services. Jeff is an expert in computer security, an avid mountain biker, a lawyer, a boomerang designer, and a firm believer in strong AI.

Input validation where and how? - Input validation is absolutely critical, yet it is the most often forgotten security mechanism. Most projects leave validation to the developers and the results are generally very spotty. Jeff will discuss why input validation is so important, architectural options for performing validation, and the key considerations for successfully implementing validation in your web application.

Dave Aitel - Dave is the Founder of Immunity, Inc., and a leading researcher in the field of application security. His previous talks have been well received at conferences such as BlackHat, G-Con, and Pacsec. His experience includes time at both leading private information security companies and the National Security Agency.

Beyond Best Practices - Customized Application Security - Too often CISOs and application architects are in catch-up mode when it comes to application security. Consulting teams are brought in and demonstrate SQL Injection for the umpteenth time to your development team, or a cross site scripting bug is found on the main web page by a customer and brought to your attention as a "fix right now". Dave Aitel's talk will highlight where and when best practices for application security, even rigorously applied, can fail to address the underlying problem, and present examples of technological measures that can be taken to provide real and obvious security benefits.

Jeff Combs - Jeff is a Senior Recruiter with Alta Associates. Since joining Alta in 1999 Jeff has been recruiting Information Security professionals for corporate clients, professional services firms and security product vendors. He is sought after for his understanding of industry dynamics, hiring trends, professional development strategies and access to market intelligence. Jeff has been recruiting for Application Security professionals since 2001 and has a solid understanding of the different roles, responsibilities and challenges that are unique to this important facet of the industry.

Application Security Careers - Jeff will give a talk on emerging roles, hiring trends and career development strategies for Application Security specialists.

John Viega - John is the CTO and Founder of Secure Software and the co-author of three books on software security, including Building Secure Software (Addison-Wesley) and the Secure Programming Cookbook (O'Reilly). Mr. Viega is also an Adjunct Professor of Computer Science at Virginia Tech (Blacksburg, VA), a Senior Policy Researcher at the Cyberspace Policy Institute, and the founder of the DC Security Geeks, which holds monthly free lectures in the DC area.

Emerging Trends in Software Security - Everyone would love a "silver bullet" to the software security problem. While no such bullet yet exists, there are many efforts afoot in this space aimed at making the world a better place. In this talk, we will look at where things may be going. We will address "big picture" issues, such as the impact of government policy efforts and outsourcing, and will also look at technical approaches to the problem, such as programming languages, analysis tools and development processes.

David Raphael - David heads up the oPortal project for OWASP. He guides the direction of oPortal from a technical and marketing standpoint. When not improving the quality of OWASP software, he can be found providing consulting services on J2EE solutions. David has experience in Software Engineering/Development, InfoSec, and Data Networks. David thoroughly enjoys tracking the Open Source community, and he hopes to contribute more robust and mature software to the community. His free time is spent with his family (wife Neuza, son Pierce (2 years)).

OWASP Project - oPortal - There are many different approaches to Portal architectures throughout the community. We at OWASP created a web framework for developing robust, secure, and feature-rich web components. This presentation will go over the motivations and strategies behind the OWASP Portal software, oPortal. It will also review the various things we feel don't work well in large portals.

Dinis Cruz - Dinis Cruz is an experienced security consultant based in London (UK) specializing in Asp.Net application security, Active Directory deployments and application security audits. Dinis is also the creator and main developer of OWASP's ANBS (Asp.Net Baseline Security) tool.

Full Trust Asp.Net Security Issues - In this session Dinis Cruz will present OWASP's .Net tool ANBS (Asp.Net Baseline Security), which allows Web developers, System administrators, Security consultants and ISPs to identify vulnerabilities in, protect, and audit Asp.Net hosting environments.

Andreas Fuchsberger - Andreas is a lecturer in the Information Security Group (ISG) at Royal Holloway, University of London, where he lectures in the areas of computer and network security and, for the 2004/5 academic year, teaches a new course on application programming security. He has over 18 years of experience in teaching and running training classes in IT security architecture and design. After spending the previous 4 years in the big bad world of industry he rejoined the ISG in 2003, but maintains a foot out there consulting to the FACTS Group.

Application Security and Academia - Building better programmers, teaching secure coding

Kartik Trivedi - Kartik is a senior consultant and lead instructor with Foundstone, Inc. He specializes in application security assessment, secure software development and security risk management. He has been leading the development of Foundstone's S3i Google hacking tool. Kartik holds an MS and a BS in Computer Science, and is a CISSP (Certified Information Systems Security Professional) and CISA (Certified Information Systems Auditor).

Advanced Google Hacking - The presentation focuses on the following topics:

  1. Advanced hacking concepts with the Google Web Services API
  2. Pros and cons of available tools (including Foundstone's S3i Google hacking tool)
  3. Sample "hack" signatures for OWASP Top 10 vulnerabilities
  4. Security controls to minimize exposure

George Capehart - George is an information security strategist and the founding member of Capehart Associates LLC. He has over twenty years of wide-ranging technical and management experience and has had consulting engagements in both hemispheres and on three continents. His current focus is on the practical aspects of the formal integration of information assurance and risk management into the processes that support the System Development Life Cycle in enterprise-level systems and large integration projects.

Security Considerations in the System Development Life Cycle of Web Services-based Systems - Toto, We're Not in Kansas Any More... - Web services introduce a major paradigm shift that violates most, if not all, of the tacit security assumptions made by the systems with which they interact. In addition, the scope of the threats to which Web services-based systems are vulnerable is much broader than that of any systems implemented to this point. It is crucial that everyone involved with Web services-based systems understand the scope of this shift because it affects all phases of the SDLC. In this session, we will begin to outline the implications of this paradigm shift, using NIST Special Publication 800-64 as the framework for discussing the security considerations in the system development life cycle of Web services-based systems.