
OWASP Minneapolis St Paul 2009 Conference


The OWASP Minneapolis-St. Paul (OWASP MSP) chapter wants to say thanks again for another year to all who joined us for an afternoon of information security presentations on August 24, 2009 at the St. Paul Student Center Auditorium/Theater on the University of Minnesota - Twin Cities campus. Watch the video at Vimeo.

Thank You to Our Sponsors

Contact Lorna at [email protected] to sponsor future events.

A big thank you goes out to the Office of Internal Audit and OIT Security at the University of Minnesota for sponsoring the event location.

A special thank you goes out to Platinum Sponsors Best Buy, Center for Strategic Information Technology and Security (MnSCU), and Integral.


Thank you to the following sponsors for their financial support of this event and the OWASP MSP chapter!

Sponsor logos: Integral, Symantec, Imperva, Secure360, Center for Strategic Information Technology and Security, Breach, NetSPI, F5, MN ISSA, Fortify.



12:30 PM - 1:30 PM Check-In
1:30 PM - 1:45 PM

Kuai Hinojosa

OWASP MSP President - Video Archive

Topic: Event Introduction

The OWASP MSP chapter has had a successful year, and will be looking ahead to even more participation in the global OWASP community.

1:45 PM - 2:30 PM

Seth Peter

Chief Technology Officer, NetSPI - Video Archive

Topic: The Developers Guide to PCI DSS and PA-DSS Requirements

The Payment Card Industry (PCI) Data Security Standard (DSS) has a large number of requirements pertaining to the development and maintenance of payment applications. The requirements span development, maintenance, support, access controls, auditing and logging, security awareness, assessment, and policies. They apply not only to the systems within a cardholder environment but also to supporting applications and your organization's overall SDLC. Furthermore, these application-specific requirements are often overlooked or misunderstood by development and information security departments. In this presentation, we will review the most relevant PCI requirements that developers and application owners must focus on, and how your organization can confidently comply.

Bio: (From Seth Peter is a computer security expert with extensive experience with all aspects of information security. He was a founder of the computer forensics team at Kroll Ontrack where he provided expert witness testimony and depositions regarding high profile computer security cases. As the founder and CTO of NetSPI, he is a national leader in risk management and security program assessment. Seth has provided consulting to over 100 different organizations within financial services, government, health care, education, nuclear energy, and retail. Seth is a Payment Card Industry Qualified Security Assessor and Visa Qualified Payment Application Security Professional. Seth holds a B.A. degree in Mathematics from Kenyon College.

2:30 PM - 2:45 PM Break
2:45 PM - 3:30 PM

Pravir Chandra

Director of Strategic Services, Fortify - Video Archive

Topic: Software Assurance Maturity Model (OpenSAMM)

The Software Assurance Maturity Model (SAMM) ( is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that is aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit

Bio: (From Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is the author of the book Network Security with OpenSSL.

3:30 PM - 3:45 PM Break
3:45 PM - 4:45 PM

Bruce Schneier - Video Archive

Topic: The Future of the Security Industry: IT is Rapidly Becoming a Commodity

More companies are outsourcing their IT infrastructure, treating it as a service more like electricity, office cleaning, or tax preparation, and this has profound implications for IT security. Organizational users care less about the technical details of security. Products and services change their focus from the end user to the outsourcer. Industry consolidation results, as non-security IT infrastructure companies seek to bolster their security credentials. Even the profession changes, as jobs move from individual organizations to the outsourcing companies, and in some cases overseas. This talk looks at the future of IT security in a mature IT infrastructure industry.

Bio: (From Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.

4:45 PM Event Closing