This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "EUTour2013 Dublin Agenda"

From OWASP
Jump to: navigation, search
 
(8 intermediate revisions by 2 users not shown)
Line 7: Line 7:
 
| align="center" style="background:#EEEEEE;" colspan="2"                  |  
 
| align="center" style="background:#EEEEEE;" colspan="2"                  |  
 
== '''OWASP Europe Tour - Dublin 2013''' ==  
 
== '''OWASP Europe Tour - Dublin 2013''' ==  
'''Tuesday 25th June''' ''(Training)'' <br>'''Wednesday 26th June''' ''(Conference)''
+
'''Tuesday 25th June''' ''(Training. [https://www.owasp.org/index.php/EUTour2013#Training Info about the training session])'' <br>'''Wednesday 26th June''' ''(Conference)''
 
|-
 
|-
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
 
| valign="center" bgcolor="#CCCCEE" align="center" colspan="2"            | '''DESCRIPTION'''
Line 23: Line 23:
 
|}
 
|}
 
<br>
 
<br>
 +
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 +
|-
 +
| align="center" style="background:#4B0082;" colspan="2" | <span style="color:#ffffff">
 +
'''Training (Wednesday 25th June)''' </span>
 +
|-
 +
|-
 +
| style="width:20%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''When'''
 +
| style="width:80%" valign="middle"  bgcolor="#CCCCEE" align="center" colspan="0" | '''Where'''
 +
|-
 +
|-
 +
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' Tuesday 25th June '''
 +
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location: TCube<br>
 +
Venue Address: 32 - 34 Castle Street, Dublin 2, Ireland'''<br>
 +
Venue Map: [https://maps.google.ie/maps?q=32+-+34+Castle+Street,+Dublin+2,+Ireland&hl=en&ll=53.343391,-6.269084&spn=0.004977,0.013679&sll=53.343392,-6.269086&sspn=0.009954,0.027359&hnear=34+Castle+St,+Dublin+2,+County+Dublin&t=m&z=17 Google Maps] <br>
 +
|-
 +
<br>
 +
| align="center" bgcolor="#EEEEEE" colspan="2"| '''DEFENSIVE PROGRAMMING – JAVASCRIPT AND HTML5'''<br><br>
  
 +
HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new
 +
security risks that we need to carefully consider when writing web front-end code. Modern web-based software, including
 +
mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver
 +
advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware
 +
of the security implications of the technologies they use. <br>
 +
 +
The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved with
 +
manipulating the HTML Document Object Model (DOM) and using the advanced features of JavaScript and HTML 5 such as
 +
cross-domain requests and local storage. The course reinforces some important security aspects of modern browser
 +
architecture and presents the student with defensive programming techniques that can be immediately applied to prevent common vulnerabilities from being introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code.<br>
 +
 +
'''For more information about the training please see''' [https://www.owasp.org/index.php/EUTour2013#Training Further training information]
 +
<br>
 +
 +
|-
 +
| align="center" style="background:#CCCCEE;" colspan="2" | '''Price and registration'''
 +
|-
 +
| align="center" style="background:#EEEEEE;" colspan="2" | '''Price:''' 350€ Non members / 300€ OWASP members.  <br>
 +
 +
'''Duration:''' 8 hours (09:00h - 18:00h)
 +
<br>
 +
'''Registration Link to the Europe Tour training''': [http://regonline.com/owaspeutourdublindefensiveprogramming Register Here]'''<br>
 +
<br>
 +
|-
 +
|}
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
 
|-
 
|-
Line 41: Line 83:
 
|-
 
|-
 
| align="center" style="background:#EEEEEE;" colspan="2" | This event is '''FREE''' <br>
 
| align="center" style="background:#EEEEEE;" colspan="2" | This event is '''FREE''' <br>
  '''Registration Link to the Europe Tour''': [TBD REGISTER HERE!]'''<br>
+
  '''Registration Link to the Europe Tour''': [http://www.regonline.com/owaspeutourdublin Register Here]'''<br>
 
<br>
 
<br>
 
|-
 
|-
Line 54: Line 96:
 
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
 
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
 
|-
 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 09:30 am<br>(30 mins)
+
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 09:30 <br>(30 mins)
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Registration
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Registration
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |  
 
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |  
 
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |  
 
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |  
 
|-
 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:00 am<br>(45 mins)  
+
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 10:00 <br>(15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | The Realex Payments Application Security story
+
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Introduction
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | David Rook
+
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="left" colspan="0" | As the old British Telecom adverts used to say it's good to talk so I thought now was a good time to talk about how we do application security at Realex Payments. Rather than just talk about where we are today this talk will focus on the lessons learned over the past five years and what I'd do differently if I could it all again. I will tell the story of how application security has worked and evolved in a fast growing technology company from the day we created our first application security role in the business to our current application security approach.
+
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |
 +
|-
 +
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:15 <br>(15 mins)
 +
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Interactive Workshop - Ultimate Fighting Championship: Bugs vs Flaws
 +
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Paco Hope
 +
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="left" colspan="0" | Abstract
  
The story will include how we scaled application security to keep up with the changes in a fast growing business, how playing card games with developers was one of the best things we've ever done and how following the KISS principle in the early days of an application security program is vital. You will see how we have progressed from having no dedicated application security resources to our current staffing levels and how our goals have evolved from simply security reviewing our applications to more grand goals such as wanting to provide free application security training for anyone in Ireland.
+
We see a lot of defects in software and they fall broadly into two categories: bugs or flaws. How well we understand the defects and our correct categorisation influences how successful we will be fixing them. If we mistake a flaw for a bug and offer a point solution, we'll be back in the same situation as before, only with more broken code. If we mistake a bug for a flaw, we condemn ourselves to reengineering hunks of our system when a localised patch would do. Spend time with Paco Hope analysing defects from real systems. Create rules that distinguish bugs from flaws and cast your vote. Argue about what to do with them. Climb into the ring with that defect and pin it to the mat!
  
This isn't an application security talk focusing on the theory and approaches that seem good on paper. You will have the opportunity to learn the lessons from five years of real world application security from the person who was at the centre of application security in Realex Payments.
+
Learning Objectives
|-
+
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45AM <br>(45 mins)
+
* Identify a small set of rules that will help distinguish flaws from bugs
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | The Building Security In Maturity Model (BSIMM)
+
* Classify defects clearly into one class or the other
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Paco Hope
+
* Articulate why something belongs in one class or another
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="left" colspan="0" | How do you know what security activities belong in your software lifecycle? How do you measure what you're doing? Begun in 2009, the BSIMM, is an observation-based scientific model directly describing the collective software security activities of more than sixty software security initiatives. Used as a measuring tool, BSIMM helps an organisation understand and plan their software security initiative. It covers the full framework of software development from requirements, architecture, code and test, to release management, governance, and training. This talk will introduce the measurements, explain what is measured, how it is measured, and how the measurement can be used to create or improve a software security initiative.
+
* Articulate the difference between flaws and bugs
  
Paco Hope is a Principal Consultant at Cigital, helping Fortune 500 companies secure their software for over 10 years in a variety of industries like online gaming, financial services, retail, and embedded systems. He is the author of two books on security, the most recent being the Web Security Testing Cookbook and a frequent conference speaker. As and a member of (ISC)²'s Application Security Advisory Board, he helps create and advise on the direction of the CSSLP certification. His passion is empowering everyone in the software lifecycle—developers, testers, analysts—to make meaningful contributions to the securing of software.
+
Pre-Requisites
  
 +
All security and software developers should be prepared for this. Prior experience in mixed martial arts is not necessary. :)
 
|-
 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:30AM <br>(15 mins)
+
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 11:15 <br>(15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Coffee Break
+
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Coffee Break
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
+
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |  
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
+
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |  
 
|-
 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:45AM <br>(45 mins)
+
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:30 <br>(60 mins)
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Using the browser as a platform for security tools  
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Using the browser as a platform for security tools  
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Mark Goodwin
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Mark Goodwin
 
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
 
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
 
|-
 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 12:30AM <br>(60 mins)
+
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 12:30 <br>(60 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lunch
+
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Lunch
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
+
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |  
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
+
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |  
 
|-
 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:30AM <br>(45 mins)
+
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:30 <br>(60 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lesson learned from the trenches of targeted attack
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Lesson learned from the trenches of targeted attack  
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Robert McArdle
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Robert McArdle
 
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="left" colspan="0" | Targeted attacks are now a major worry for organisations. In this talk we will describe real life case studies of some of the largest and more sophisticated targeted attacks, including how we infiltrated and mapped criminal networks, and live demos of some such mapping in action.
 
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="left" colspan="0" | Targeted attacks are now a major worry for organisations. In this talk we will describe real life case studies of some of the largest and more sophisticated targeted attacks, including how we infiltrated and mapped criminal networks, and live demos of some such mapping in action.
Line 103: Line 151:
 
3) You will understand how investigators and security companies investigate these high profile attacks<br>
 
3) You will understand how investigators and security companies investigate these high profile attacks<br>
 
|-
 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:15AM <br>(45 mins)
+
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 14:30 <br>(15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
+
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Coffee Break
 +
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |
 +
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |
 +
|-
 +
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:45 <br>(60 mins)
 +
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | The Building Security In Maturity Model (BSIMM)
 +
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Paco Hope
 +
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="left" colspan="0" | How do you know what security activities belong in your software lifecycle? How do you measure what you're doing? Begun in 2009, the BSIMM, is an observation-based scientific model directly describing the collective software security activities of more than sixty software security initiatives. Used as a measuring tool, BSIMM helps an organisation understand and plan their software security initiative. It covers the full framework of software development from requirements, architecture, code and test, to release management, governance, and training. This talk will introduce the measurements, explain what is measured, how it is measured, and how the measurement can be used to create or improve a software security initiative.
 +
 
 +
Paco Hope is a Principal Consultant at Cigital, helping Fortune 500 companies secure their software for over 10 years in a variety of industries like online gaming, financial services, retail, and embedded systems. He is the author of two books on security, the most recent being the Web Security Testing Cookbook and a frequent conference speaker. As and a member of (ISC)²'s Application Security Advisory Board, he helps create and advise on the direction of the CSSLP certification. His passion is empowering everyone in the software lifecycle—developers, testers, analysts—to make meaningful contributions to the securing of software.
 +
|-
 +
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:45 <br>(60 mins)
 +
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Needles in haystacks, why we are not solving the appsec problem & html hacking the
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Eoin Keary
 
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Eoin Keary
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="left" colspan="0" |  
+
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="left" colspan="0" | We continue to rely on a “pentest” to secure our applications. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability? <br><br>
 +
 
 +
Our testing methodologies are non-consistent and rely on the individual and the tools they use. Currently we treat vulnerabilities like XSS and SQLI as different issues but the root causes it the same. – it’s all code injection theory!!<br><br> Why do we do this and make security bugs over complex?<br>
 +
Why are we still happy with “Testing security out” rather than the more superior “building security in”? <br><br>
 +
We shall also look at mark up attacks which break CSP controls.
 
|-
 
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:00AM <br>(15 mins)
+
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 16:45 <br>(15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Coffee Break
+
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Close
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |
+
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="left" colspan="0" |  
+
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="left" colspan="0" |  
 
|}
 
|}

Latest revision as of 18:13, 25 June 2013

Eu tour1.png
OWASP EUROPE TOUR 2013

Tour Home Page
Tour Scheadule
Tour Organizers Resources
Mailing List

CONFERENCE AND TRAINING

OWASP Europe Tour - Dublin 2013

Tuesday 25th June (Training. Info about the training session)
Wednesday 26th June (Conference)

DESCRIPTION
OWASP Europe TOUR, is an event across the European region that promotes awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
  • Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle.
  • This event aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.
OWASP MEMBERSHIP
During the OWASP Europe Tour you could become a member and support our mission.

Become an OWASP member by clicking here



Training (Wednesday 25th June)

When Where
Tuesday 25th June Venue Location: TCube

Venue Address: 32 - 34 Castle Street, Dublin 2, Ireland
 Venue Map: Google Maps

DEFENSIVE PROGRAMMING – JAVASCRIPT AND HTML5

HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new security risks that we need to carefully consider when writing web front-end code. Modern web-based software, including mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware of the security implications of the technologies they use.

The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved with manipulating the HTML Document Object Model (DOM) and using the advanced features of JavaScript and HTML 5 such as cross-domain requests and local storage. The course reinforces some important security aspects of modern browser architecture and presents the student with defensive programming techniques that can be immediately applied to prevent common vulnerabilities from being introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code.

For more information about the training please see Further training information

Price and registration
Price: 350€ Non members / 300€ OWASP members.

Duration: 8 hours (09:00h - 18:00h) 

Registration Link to the Europe Tour training: Register Here


CONFERENCE (Wednesday 26th June)

When Where
Wednesday 26th June Venue Location: TCube

Venue Address: 32 - 34 Castle Street, Dublin 2, Ireland
 Venue Map: Google Maps

Price and registration
This event is FREE 
Registration Link to the Europe Tour: Register Here



Conference Details - Times are subject to change
Time Title Speaker Description
09:30
(30 mins) 		Registration
10:00
(15 mins) 		Introduction
10:15
(15 mins) 		Interactive Workshop - Ultimate Fighting Championship: Bugs vs Flaws Paco Hope Abstract

We see a lot of defects in software and they fall broadly into two categories: bugs or flaws. How well we understand the defects and our correct categorisation influences how successful we will be fixing them. If we mistake a flaw for a bug and offer a point solution, we'll be back in the same situation as before, only with more broken code. If we mistake a bug for a flaw, we condemn ourselves to reengineering hunks of our system when a localised patch would do. Spend time with Paco Hope analysing defects from real systems. Create rules that distinguish bugs from flaws and cast your vote. Argue about what to do with them. Climb into the ring with that defect and pin it to the mat!

Learning Objectives

  • Identify a small set of rules that will help distinguish flaws from bugs
  • Classify defects clearly into one class or the other
  • Articulate why something belongs in one class or another
  • Articulate the difference between flaws and bugs

Pre-Requisites

All security and software developers should be prepared for this. Prior experience in mixed martial arts is not necessary. :)

11:15
(15 mins) 		Coffee Break
11:30
(60 mins) 		Using the browser as a platform for security tools Mark Goodwin
12:30
(60 mins) 		Lunch
13:30
(60 mins) 		Lesson learned from the trenches of targeted attack Robert McArdle Targeted attacks are now a major worry for organisations. In this talk we will describe real life case studies of some of the largest and more sophisticated targeted attacks, including how we infiltrated and mapped criminal networks, and live demos of some such mapping in action.

In this talk we will discuss some of the major ongoing and previous targeted attack campaigns that have been uncovered by Trend Micro in the last year or so, such as Luckycat, Tinba and others. We will discuss in-depth the modus operandi of the criminals in these so called APT attacks, show how we mapped and infiltrated their infrastructure, and demo some of the tools and techniques that we use when carrying out these type of investigations. All of this presentation will focus on real technical details from real cases studies, and this presentation will also include live demos.

KEY QUESTIONS 1) What is the reality (not the hype) of a modern targeted attack
2) You will understand the Modus Operandi of a two main types of Cybercriminals
3) You will understand how investigators and security companies investigate these high profile attacks

14:30
(15 mins) 		Coffee Break
14:45
(60 mins) 		The Building Security In Maturity Model (BSIMM) Paco Hope How do you know what security activities belong in your software lifecycle? How do you measure what you're doing? Begun in 2009, the BSIMM, is an observation-based scientific model directly describing the collective software security activities of more than sixty software security initiatives. Used as a measuring tool, BSIMM helps an organisation understand and plan their software security initiative. It covers the full framework of software development from requirements, architecture, code and test, to release management, governance, and training. This talk will introduce the measurements, explain what is measured, how it is measured, and how the measurement can be used to create or improve a software security initiative.

Paco Hope is a Principal Consultant at Cigital, helping Fortune 500 companies secure their software for over 10 years in a variety of industries like online gaming, financial services, retail, and embedded systems. He is the author of two books on security, the most recent being the Web Security Testing Cookbook and a frequent conference speaker. As and a member of (ISC)²'s Application Security Advisory Board, he helps create and advise on the direction of the CSSLP certification. His passion is empowering everyone in the software lifecycle—developers, testers, analysts—to make meaningful contributions to the securing of software.

15:45
(60 mins) 		Needles in haystacks, why we are not solving the appsec problem & html hacking the Eoin Keary We continue to rely on a “pentest” to secure our applications. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability?

Our testing methodologies are non-consistent and rely on the individual and the tools they use. Currently we treat vulnerabilities like XSS and SQLI as different issues but the root causes it the same. – it’s all code injection theory!!

Why do we do this and make security bugs over complex?
Why are we still happy with “Testing security out” rather than the more superior “building security in”?

We shall also look at mark up attacks which break CSP controls.

16:45
(15 mins) 		Close
Retrieved from "https://wiki.owasp.org/index.php?title=EUTour2013_Dublin_Agenda&oldid=154419"