AppSecAsiaPac2012/Talks - Revision history

Sarah Baso at 23:17, 11 April 2012

2012-04-11T23:17:42Z

Sarah Baso at 21:25, 28 March 2012

2012-03-28T21:25:38Z

Sarah Baso at 22:29, 26 March 2012

2012-03-26T22:29:12Z

Sarah Baso at 22:28, 26 March 2012

2012-03-26T22:28:25Z

Sarah Baso at 13:05, 22 March 2012

2012-03-22T13:05:23Z

Sarah Baso at 14:48, 21 March 2012

2012-03-21T14:48:32Z

Sarah Baso at 18:11, 1 March 2012

2012-03-01T18:11:08Z

Sarah Baso: Removed Almantas

2012-02-23T16:06:22Z

Removed Almantas

Sarah Baso at 16:04, 23 February 2012

2012-02-23T16:04:12Z

Mohd Fazli Azran at 04:06, 23 February 2012

2012-02-23T04:06:01Z

@@ Line 94: / Line 94: @@
 <br><br>
-==David Byrne==
+==Daniel Crowley==
-<br>'''Bio:''' David Byrne has worked in information security for over a decade. Currently, he is a managing consultant in Trustwave's Application Security group. Before Trustwave, David was the Security Architect at Dish Network, one of the world’s largest satellite television companies. In 2006, he started the Denver chapter of OWASP. In 2008, David released Grendel (grendel-scan.com), an open source web application security scanner. David has presented at a number of security events including DEFCON, Black Hat, Toorcon, FROC, the SANS penetration testing summit, and the Computer Security Institute’s annual conference.<br><br>
+<br>'''Bio:''' Daniel is an Application Security Consultant for Trustwave's SpiderLabs team. He has been working in the information security industry for over 7 years and has been focused on penetration testing. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel has developed configurable testbeds such as SQLol and XMLmao for training and research regarding specific vulnerabilities. Daniel enjoys climbing large rocks. Daniel is a frequent speaker at conferences including DEFCON, Shmoocon, and SOURCE. Daniel does his own Charcuterie.<br><br>
 '''Talk Abstract: Anatomy of a Logic Flaw'''<br>

@@ Line 216: / Line 216: @@
 Despite lifecycle differences, many mobile applications are simply new clients backed by existing web applications or services and are therefore subject to the same threats they’ve always faced. We review old threats in the new mobile context and go on to discuss threats unique to the mobile landscape, including: attacks against client-side data persistence, MMS, or GPS; malicious inter-application communication; problems with new security features, such as confusing permission models. We conclude the talk with a frank assessment of what software development organizations can do to take control and avoid being the weakest link in the chain of mobile security.
 <br><br>
 ==Jim Cheetham==

@@ Line 428: / Line 428: @@
 While obtaining good quantity of coverage (both inside a single application from a static and dynamic perspective and across the enterprise application landscape) is critical to understanding the total threat profile of an organization, the organization simply can't forego the quality aspect because a poor test can not only provide a false statement of compliance but create the illusion of security. So what can organizations constrained by resources, capital and knowledge do to balance quantity against quality in their software security programs?
 How can people, process, and technologies be leveraged to effectively balance the quantity vs. quality scale? The speaker will address this very critical balance from a vendor-neutral, technology-agnostic perspective, giving developers, quality analysts and security testers the perspective necessary to provide optimal balance.
 ==Simon Bennetts==
@@ Line 450: / Line 451: @@
 *Describe how you can easily build extensions to ZAP which have full access to all of its functionality.
 <br><br>
 ==Srikar Sagi==

← Older revision		Revision as of 22:28, 26 March 2012
Line 428:		Line 428:
	While obtaining good quantity of coverage (both inside a single application from a static and dynamic perspective and across the enterprise application landscape) is critical to understanding the total threat profile of an organization, the organization simply can't forego the quality aspect because a poor test can not only provide a false statement of compliance but create the illusion of security. So what can organizations constrained by resources, capital and knowledge do to balance quantity against quality in their software security programs?		While obtaining good quantity of coverage (both inside a single application from a static and dynamic perspective and across the enterprise application landscape) is critical to understanding the total threat profile of an organization, the organization simply can't forego the quality aspect because a poor test can not only provide a false statement of compliance but create the illusion of security. So what can organizations constrained by resources, capital and knowledge do to balance quantity against quality in their software security programs?
	How can people, process, and technologies be leveraged to effectively balance the quantity vs. quality scale? The speaker will address this very critical balance from a vendor-neutral, technology-agnostic perspective, giving developers, quality analysts and security testers the perspective necessary to provide optimal balance.		How can people, process, and technologies be leveraged to effectively balance the quantity vs. quality scale? The speaker will address this very critical balance from a vendor-neutral, technology-agnostic perspective, giving developers, quality analysts and security testers the perspective necessary to provide optimal balance.
		+
		+	==Simon Bennetts==
		+	'''Web: http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project]'''<br>
		+	<br>'''Twitter:'''[https://twitter.com/#!/psiinon @psiinon]
		+	<br>'''Bio:''' Simon Bennetts started the OWASP Zed Attack Proxy project, and leads the international group of volunteers who develop it. He is also one of the founders of the OWASP Manchester chapter and the OWASP Data Exchange Format project. In his day job he works for Sage UK Ltd as a Team Leader for both a development and a security team. His day to day work includes designing and building web applications, performing security assessments and delivering security training.<br><br>
		+
		+	'''Talk Abstract: OWASP Zed Attack Proxy (ZAP)'''<br>
		+
		+	The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
		+	It has been identified by the OWASP Global Projects Committee as a flagship OWASP project.
		+
		+	ZAP is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as experienced pentesters.
		+	It has comprehensive help pages, is fully internationalized and has been translated into 11 languages.
		+
		+	A fork of the well regarded Paros Proxy, it was first released in September 2010 and the last version (1.3.4) has been downloaded over 13,000 times.
		+
		+	This talk will:
		+	*Explain why ZAP was released.
		+	*Show what it can do.
		+	*Detail the new features included in ZAP 1.4, which is planned to be released before this conference.
		+	*Describe how you can easily build extensions to ZAP which have full access to all of its functionality.
		+	<br><br>

← Older revision		Revision as of 13:05, 22 March 2012
Line 407:		Line 407:
	Learn how Mobile experts blend their techniques in order to accelerate code reviews. While reviewing Android or iOS applications, you will love these handy tricks that help in detecting famous and a few not-so-famous flaws. Using demonstrations and code snippets, we will highlight the benefits of blended techniques in comparison with those of simple scanning or manual testing. You will also learn how to reduce the time taken for review and obtain a ready-to-use checklist.		Learn how Mobile experts blend their techniques in order to accelerate code reviews. While reviewing Android or iOS applications, you will love these handy tricks that help in detecting famous and a few not-so-famous flaws. Using demonstrations and code snippets, we will highlight the benefits of blended techniques in comparison with those of simple scanning or manual testing. You will also learn how to reduce the time taken for review and obtain a ready-to-use checklist.

		+	<br><br>
		+
		+
		+	==Pravir Chandra==
		+
		+	<br>'''Bio:''' Pravir Chandra is a veteran in the security space and a long-time OWASP contributor, including his role as the creator and leader of the Open Software Assurance Maturity Model (OpenSAMM) project. Currently as security architect for the CTO of Bloomberg, he drives proactive security initiatives that demonstrate concrete value for the firm. Prior to this, Pravir was Director of Strategic Services at HP/Fortify where he lead software security assurance programs for Fortune 500 clients in a variety of verticals. He is responsible for standing up the most comprehensive and measurably effective programs in existence today. As a thought leader in the security field for over 10 years, Pravir has written many articles, whitepapers, and books and is routinely invited to speak at businesses and conferences world-wide.<br><br>
		+
		+	'''Talk Abstract: Modern software security assurance with OpenSAMM'''<br>
		+
		+	For those that haven't seen it already, the Open Software Assurance Maturity Model (OpenSAMM) is a flexible and prescriptive framework for building security into software development (http://opensamm.org). It has been in use by a huge number of organizations since its release in 2009, but what have we learned through seeing where it worked really well and where it could use improvement? This talk will explore the basic framework of the model, how it helps people build assurance programs, and then go far beyond to discuss actual examples of rubber-on-the-road usage of the model within companies. This will also segue into details on the next revision of OpenSAMM due out later this year. OpenSAMM is an open and free project under the Open Web Application Security Project (OWASP).
	<br><br>		<br><br>

@@ Line 203: / Line 203: @@
 The talk will inform attendees about where to get the reference information from and how to test or inspect the security settings using the philosophy that this should not be a black art but just normal IT security practice.<br><br>
 ==Jacob West==
@@ Line 422: / Line 408: @@
 <br><br>
 ==Srikar Sagi==

← Older revision		Revision as of 18:11, 1 March 2012
Line 450:		Line 450:

	The presented technology is cutting edge and although the specification is not final yet, it will be rolled-out in about 6 months time. Two other models that compete or complement this approach will also be discussed (DNSSEC and Moxie's Convergence). <br><br>		The presented technology is cutting edge and although the specification is not final yet, it will be rolled-out in about 6 months time. Two other models that compete or complement this approach will also be discussed (DNSSEC and Moxie's Convergence). <br><br>
		+
		+
		+	==Wayne O'Yong==
		+	'''Web: [http://www.imperva.com http://www.imperva.com]'''<br>
		+	<br>'''Bio:''' Wayne O’Young is a Senior Security Engineer for Imperva Inc, pioneer and leader of a new category of data security solutions. Based out of Sydney, Wayne has over a decade of experience in the IT and telecommunications industry having started his career as developing business applications. Moreover he has spent most of his career focusing on information security.
		+
		+	His professional interests include information systems security, in particular in the virtualized environment, mobility and sustainability of IT. Before joining Imperva, Wayne has held similar positions at Check Point Software Technologies and Juniper Network. Wayne holds an honours degree in Engineering and Computer Science from University of Sydney. <br><br>
		+
		+	'''Talk Abstract: De-Anonymizing Anonymous'''<br>
		+
		+	What do you see when you take the Guy Fawkes mask off? In 2011, Imperva managed to witness an assault by hacktivist group Anonymous including the use of social media for communications and, most importantly, their attack methods. Since Anonymous’ targets are highly variable, anyone can fall victim and security professionals need to know how to prepare.
		+	This talk will give a walk-through the key stages of an Anonymous campaign:
		+	- Recruitment and communication: We show how Anonymous leverages social networks to recruit its members and pick a target.
		+	- Application attack: We detail and sequence the steps Anonymous hackers deploy to take data and bring down websites.
		+	- DDoS: In this final stage, we shed light on the DDoS techniques deployed to take down websites.
		+	Finally, we recommend key mitigation steps that organizations need to take if they ever become a target.
		+	<br><br>

← Older revision		Revision as of 16:06, 23 February 2012
Line 11:		Line 11:
	Cryptography is easy to get wrong and can be a pain to implement. This presentation will take you through practical examples of how to implement solid crypto on a number of common development platforms. We'll talk about how to store and verify passwords, how to safely transport and store backups. What's wrong with some default SSL configurations and maybe even random token generation among other things. Web app crypto should be easy and secure, not just one of those.<br><br>		Cryptography is easy to get wrong and can be a pain to implement. This presentation will take you through practical examples of how to implement solid crypto on a number of common development platforms. We'll talk about how to store and verify passwords, how to safely transport and store backups. What's wrong with some default SSL configurations and maybe even random token generation among other things. Web app crypto should be easy and secure, not just one of those.<br><br>

−	~~==Almantas Kakareka==~~
−
−	<br>'''Bio:''' Almantas is a highly experienced IT Security person, with over 15 years of security related experience. His expertise are vulnerability assessments, and penetration testing. Almantas has a Master of science degree in Computer Science from Florida International University and certifications such as CISSP, GSNA, GSEC, CEH, MCDST, MCP, Net+ and Sec+.<br><br>
−
−	~~'''Talk Abstract: Insight Into Russian Black Market'''<br>~~
−
−	You have all heard the term cybercrime, and you have heard about all things cybercrime – stolen credentials, identity theft, fraud, blackmail, DDOS and more. You may have heard that there are markets for goods connected to computer crime. You may have heard that there’s a lot of money in it (enough to pay off the national debts of most states including the USA, if you total all reports on damages by cybercrime). As usual the problems lie in connecting the dots. What are the mechanisms behind these black markets? What are the goods? Who pays for them and by which means? Surely you cannot just walk into a chat room, drop your credit card number and part with the digital loot, or can you? What if you end up being a trade object yourself? Screenshots are shown of actual high profile advertisements such as post about mysql.com root access for sale.
−
−	IT security companies and law enforcement organizations have a vested interest in investigating these mechanisms. The information is vital for everyone implementing IT security as well. You have to know who is up against you and why. This is the basic information every defender needs to possess, and proper knowledge is one of the few advantages you can use for the protection of your assets.
−
−	Almantas Kakareka will address these questions in his talk Insight Into Russian Black Market. He will give you an insight into the underground and explain which “products” are traded by criminals. If you are in charge of securing the digital heart of your enterprise or implement security, then you should listen to this talk.<br><br>

	==Arshad Noor==		==Arshad Noor==

@@ Line 53: / Line 53: @@
 ==Charles Henderson==
-<br>'''Bio:''' Charles Henderson is the Director of Application Security Services at Trustwave's SpiderLabs. He has been in the information security industry for over fifteen years. His team specializes in application security including application penetration testing, code review, and training in secure development techniques. The team's clients range from the largest of the Fortune lists to small and midsized companies interested in improving their application security posture. Charles routinely speaks at various conferences around the world on various subject matters relating to application security.<br><br>
+<br>'''Bio:''' Charles Henderson, Director of Application Security Services of SpiderLabs
 '''Talk Abstract: Anatomy of a Logic Flaw'''<br>

@@ Line 4: / Line 4: @@
 ==Adrian Hayes==
-'''Web: [http://http://security-assessment.com/ http://http://security-assessment.com/]'''<br>
+'''Web: [http://security-assessment.com/ http://security-assessment.com/]'''<br>
 <br>'''Bio:''' Adrian is a security consultant for the Security-Assessment.com assurance team, providing clients with security penetration testing services and security related advice. He has deep knowledge of secure application design & architecture, mobile device & application security, cryptography, and social engineering based attacks.  Adrian is an active security researcher, and a regular contributor to the OWASP chapter in New Zealand. <br><br>
@@ Line 76: / Line 76: @@
 ==Christian "xntrik" Frichot==
-'''Web: [http://http://labs.asteriskinfosec.com.au/ http://http://labs.asteriskinfosec.com.au/]'''<br>
+'''Web: [http://labs.asteriskinfosec.com.au/ http://labs.asteriskinfosec.com.au/]'''<br>
 <br>'''Bio:''' I'm an information security professional based out of Perth, Western Australia. I've been working in the banking industry for the past 5 years and prior to that for a resources company for a number of years. These days I work for a newly created boutique security firm Asterisk based out of Perth. After initially confusing the BeEF project for something to do with cooking the ultimate steak, I've found myself involved with the open source tool development over the past 2 years, working primarily in module development, core testing, architecture, public relations and acting as the vice president in charge of volcanoes. Apart from BeEF, I'm also one of the Perth OWASP Chapter leads, kicking around talking to everyone I can about application security and keeping safe online.<br><br>
@@ Line 124: / Line 124: @@
 ==Eldar Marcussen==
-'''Web: [http://http://www.justanotherhacker.com http://http://www.justanotherhacker.com]'''<br>
+'''Web: [http://www.justanotherhacker.com http://www.justanotherhacker.com]'''<br>
 <br>'''Bio:''' Eldar is a principal consultant and researcher at stratsec, where he helps organisations test their security and protect intellectual property. He is a perl advocate and in his spare time works on several open source projects aimed at secure web application development and testing. Eldar has presented at AISA and Ruxcon and worked with some of Australia’s leading hosting, search engine optimization and domain parking service providers providing design and security guidance.<br><br>
@@ Line 144: / Line 144: @@
 ==Errazudin Ishak==
-'''Web: [http://http://www.mimos.my http://http://www.mimos.my]'''<br>
+'''Web: [http://www.mimos.my http://www.mimos.my]'''<br>
 <br>'''Bio:''' Errazudin holds a Master’s degree in Computer Science (Sofware Engineering) and works as Staff Engineer at Mimos Berhad, a Malaysian government research arm, in ICT and frontier technology. His job focuses on web application development, deployment, security, performance and stability. He has spoken at several meetups and conferences and has worked with various back-end and web technologies for almost 11 years. In his free time he loves to emulate Rafael Nadal’s swerving forehand on court.<br><br>
@@ Line 214: / Line 214: @@
 ==Jacob West==
-'''Web: [http://http://www.hpenterprisesecurity.com http://http://www.hpenterprisesecurity.com]'''<br>
+'''Web: [http://www.hpenterprisesecurity.com http://www.hpenterprisesecurity.com]'''<br>
 <br>'''Bio:''' Jacob West is CTO and Director of Security Research for the Fortify product line in HP Enterprise Security. West is a world-recognized expert on software security and brings a technical understanding of the languages and frameworks used to build software together with extensive knowledge about how real-world systems fail. In 2007, he co-authored the book "Secure Programming with Static Analysis" with colleague and Fortify founder Brian Chess. Today, the book remains the only comprehensive guide to static analysis and how developers can use it to avoid the most prevalent and dangerous vulnerabilities in code. West is a frequent speaker at industry events, including RSA Conference, Black Hat, Defcon, OWASP, and many others. A graduate of the University of California, Berkeley, West holds dual-degrees in Computer Science and French and resides in San Francisco, California. <br><br>
@@ Line 267: / Line 267: @@
 ==Luke Jahnke==
-'''Web: [http://http://www.securusglobal.com/ http://http://www.securusglobal.com/]'''<br>
+'''Web: [http://www.securusglobal.com/ http://www.securusglobal.com/]'''<br>
 <br>'''Bio:''' Louis and Luke work as security consultants for Securus Global in
 Melbourne. Their research mainly focuses on web and database security
@@ Line 295: / Line 295: @@
 ==Magno (Logan) Rodrigues==
-'''Web: [https://https://www.owasp.org/index.php/User:Magno_Logan https://https://www.owasp.org/index.php/User:Magno_Logan]'''<br>
+'''Web: [https://www.owasp.org/index.php/User:Magno_Logan https://www.owasp.org/index.php/User:Magno_Logan]'''<br>
 <br>'''Bio:''' Magno (Logan) Rodrigues is the OWASP Paraiba Chapter Leader and has spoken in many events like GTS, Co0L, ENSOL, ECD and AppSec Latam 2011. He is also organizing the OWASP Paraíba Day 2012 and the OWASP AppSec Brasil 2012. He is a grad student in Information Security (MBA) from FATEC - I2P. He studied Computer Forensics for one year in New York, US at TC3. Graduated in Internet Systems from the Federal Institute of Technology of Paraiba - IFPB (BS). He works as a System Analyst at Politec Global IT Services, doing services for State Department of Taxation and Finance of the State of Paraiba, in João Pessoa, PB, Brazil.<br><br>
@@ Line 319: / Line 319: @@
 ==Matias Madou==
-'''Web: [http://http://blog.fortify.com/blog http://http://blog.fortify.com/blog]'''<br>
+'''Web: [http://blog.fortify.com/blog http://blog.fortify.com/blog]'''<br>
 <br>'''Bio:''' Matias Madou is Principal Security Researcher at the HP Fortify Security Research Group where he’s working on mainly technical projects, ranging from kicking off an insider threat project, to spearheading new protection mechanisms in the runtime tools. As he always wants to get the most out of solutions, he has a big hand in the correlation and integration of current HP Fortify security solutions.
@@ Line 339: / Line 339: @@
 ==Matt Tesauro==
-'''Web: [http://http://appseclive.org http://http://appseclive.org]'''<br>
+'''Web: [http://appseclive.org http://appseclive.org]'''<br>
 <br>'''Bio:''' Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Rackspace, Matt was a security consultant for security firms such as Trustwave as well as running an internal application security effort for a large government agency. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.
@@ Line 351: / Line 351: @@
 ==Mike Park==
-'''Web: [http://http://www.trustwave.com/ http://http://www.trustwave.com/]'''<br>
+'''Web: [http://www.trustwave.com/ http://www.trustwave.com/]'''<br>
 <br>'''Bio:''' Mike Park is a Managing Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 12 years experience building and securing software for a variety of companies. Mike is a CISSP and specializes in application security assessment, penetration testing, reverse engineering and secure development life cycle. Mike is an active member of the Ottawa ISSA.<br><br>
@@ Line 373: / Line 373: @@
 ==Peter Freiberg==
-'''Web: [http://http://shelde.com http://http://shelde.com]'''<br>
+'''Web: [http://shelde.com http://shelde.com]'''<br>
 <br>'''Bio:''' Peter is a Principal Consultant at Shelde and heads up the Application Security
 Practice. Here he assists customers build application security and risk management capabilities including secure design and development, testing and ethical hacking, training and education.
@@ Line 419: / Line 419: @@
 ==Srikar Sagi==
-'''Web: [http://http://www.linkedin.com/in/srikarsagi http://http://www.linkedin.com/in/srikarsagi]'''<br>
+'''Web: [http://www.linkedin.com/in/srikarsagi http://www.linkedin.com/in/srikarsagi]'''<br>
 <br>'''Bio:''' Passionate about building Secure & Reliable Systems at the lowest cost possible for organizations with 16+years of valuable industry experience and knowledge in Information Security & Risk Management, Infrastructure/ Application & Data Security, Threat Modeling, Writing Security Standards, Designing & Building Enterprise Security Architecture, Execution of Strategies & Programs to Mitigate Information Risks, Developing Secure Applications, Writing Standards for Cryptographic Usage & PKI/Cryptography Architectural Solutions, Reviewing Security Architecture, Security Risk  Analysis & Mitigation, Verification of Security Compliance for Data Privacy, Implementing Compliance Programs<br><br>
@@ Line 432: / Line 432: @@
 ==Tobias Gondrom==
-'''Web: [http://http://datatracker.ietf.org/wg/websec/charter/ http://http://datatracker.ietf.org/wg/websec/charter/]'''<br>
+'''Web: [http://datatracker.ietf.org/wg/websec/charter/ http://datatracker.ietf.org/wg/websec/charter/]'''<br>
 <br>'''Bio:''' Tobias Gondrom is Managing Director of an IT Security & Risk Management Advisory based in the United Kingdom and Germany. He has twelve years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and from 2000-2004 as the lead of the Security Task Force at IXOS Software AG, he was responsible for security, risk and incident management and introduced and implemented a secure SDLC used globally by development departments in the US, Canada, UK and Germany.