
Difference between revisions of "OWASP SAMM Summit 2015"

Minor edit; the diff begins at line 196. The following section was added:

<div id="roundtables"></div>
=== SAMM Round Tables, by Kuai Hinojosa (McAfee/Foundstone) & Jerry Hoff (WhiteHat Security) ===
''Abstract:''<br>
During the SAMM round table sessions, we will exchange our experience and lessons learned from using OpenSAMM. Topics will include
* Best practices in performing SAMM self assessments
* SAMM, now what? How do we build internal support and enthusiasm for security
* Has 2015 and the recent spate of new attacks introduced any new challenges that are not addressed by SAMM?
* Building an educational strategy - can we just force developers to go through training or is there a better way?<br>
<br>
''Bio:''<br>
'''Jerry Hoff''' is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of fortune ten financial firms, along with years of hands-on security consulting, where he specialized in manual code review, web application penetration testing, and architecture reviews. Jerry also has years of development and teaching experience. He taught for over seven years at Washington University's CAIT program, and the microcomputer program at University of Missouri in St. Louis. <br>
Jerry is the writer/producer of the popular OWASP Appsec Tutorial Series and the lead developer for the WebGoat.NET project.
<br>
'''Kuai Hinojosa''' - TBD
<br>

Unchanged context following the addition:

= Project Day =

Revision as of 14:48, 9 March 2015

[Image: SammSummitHeader15.png]



Welcome to OWASP SAMM Summit 2015

Confirmed speakers, trainers and round table chairs are:

  • Pravir Chandra, Bloomberg
  • Michael Craigue, HP
  • Justin Clarke, Gotham Digital Science
  • John Dickson, Denim Group
  • Yan Kravchenko, NetSPI
  • Sebastien Deleersnyder, Toreon
  • Bart De Win, PWC
  • Kuai Hinojosa, McAfee Foundstone
  • Jerry Hoff, WhiteHat Security

Friday 27-March – User Day

  • Talks
  • Training
  • Topic roundtables

Registration is open now!


Saturday 28-March – Project Day

  • Publish SAMM v1.1
  • Workshops
  • Road map


Max Registrations: 40 People

Price: 150 EUR + VAT (21%).


Venue

The venue is The Gibson Hotel, located at Point Village, Dublin 1, Ireland.

For more details:



Parking & roadmap:


Opening Hours:
Monday - Saturday: 7am to Midnight
Sunday:  9am to Midnight

Tariff:
(Ignore the info on the Point Village Car Park.)
There is a negotiated rate of €10 per day for delegates, payable directly to the car park on departure. Overnight parking is available at €14, valid until 15:00 the following day. Access to the car park is to the rear of the hotel.


Booking Accommodation

Important: Make an early booking if accommodation is required.

Make a reservation on the Gibson Hotel's website:

Or call to book: 01 681 5000

If you can't find a room at The Gibson Hotel, have a look at the list of nearby hotels below (subject to availability).



Hotels nearby:

Location

Dublin, The Gibson Hotel.

Agenda

User Day - March 27, 2015 (Track 1: Alhambra 1, Track 2: Alhambra 2)

08:00-09:00  Registration
09:00-09:15  Welcome - SAMM project leaders
09:15-10:00  OpenSAMM at HP - Michael Craigue, HP
10:00-10:45  Application Security? There is a metric for that! - Yan Kravchenko, NetSPI
10:45-11:00  Break
11:00-12:30  Track 1: SAMM Introduction - Bart De Win, PWC & Sebastien Deleersnyder, Toreon
             Track 2: SAMM Round Table 1 - Kuai Hinojosa, McAfee/Foundstone
12:30-13:30  Lunch
13:30-15:00  Track 1: SAMM Hands-On - Bart De Win, PWC & Sebastien Deleersnyder, Toreon
             Track 2: SAMM Round Table 2 - Jerry Hoff, WhiteHat Security
15:00-15:15  Break
15:15-16:00  SAMM Project 71 - Justin Clarke, Gotham Digital Science & John Dickson, Denim Group
16:00-16:45  SAMM Evolutions - Pravir Chandra, Bloomberg
16:45-17:00  User Day Wrap-Up - SAMM Project Leaders




OpenSAMM at HP, by Michael Craigue (HP)

Abstract:
HP uses OpenSAMM to assess the completeness of the security activities in development groups, both in IT and in the business groups that create our products. HP's internal Product Security group has developed the SAMM Self-Assessment Tool, an implementation of the OpenSAMM process wrapped into a portable ASP.Net MVC Razor application. Its aim is to simplify the measurement of your organization against OpenSAMM, to assist in the construction of a roadmap, and in the subsequent tracking of progress down that roadmap. The tool is undergoing internal legal review for release to the public, and we hope it will be ready for release prior to the OpenSAMM summit. Mike will explain the motivation for the tool and its capabilities, and will brag a bit about the contributors who created it.

Bio:
Mike serves as Information Security Officer (ISO) for HP’s Enterprise Group-IT. He also works with the EG business group which IT supports. Prior to joining HP, he worked at Dell for 14 years, most recently as the Director of Security Consulting and Portfolio Governance. He holds a PhD from the University of Texas at Austin in Higher Education Administration / Finance, and the CISSP and CSSLP certifications from (ISC)². He’s been a contributor to the Cloud Security Alliance’s Controls Matrix project, and a speaker at OWASP and RSA conferences. His primary areas of focus are professional development, software security, and information security policy development. In his spare time, he taught Database Management and Business Intelligence / Knowledge Management at St. Edward's University in their MBA / MS CIS programs. He also enjoys cycling, cooking, and learning the cello. https://www.linkedin.com/in/craigue

Application Security? There is a metric for that!, by Yan Kravchenko (NetSPI)

Abstract:
More and more, organizations' security postures are defined by their growing application portfolios, shifting the emphasis away from more traditional security perimeters. The answer to virtually every business problem, large or small, is "There is an app for that", and the nature of these apps ranges anywhere from simple workflow enablement tools to large enterprise-grade applications. Managing security across all applications is quickly becoming one of the biggest blind spots in organizations' security programs, making it difficult to measure and report metrics related to application security.
Over the past year, Yan has been working on a new approach to manage and measure application security. By combining OWASP’s Software Assurance Maturity Model, traditional risk assessment methodologies, and experience developing security metrics, Yan developed a methodology that may be used to help organizations improve the way they manage and prioritize their application security initiatives. Once fully developed, this approach will be donated to OWASP either as an add-on to the existing SAMM project or as a new project intended to improve application security management.
In this presentation, Yan will provide a detailed walk-through of the overall methodology. We will provide examples of the types of metrics and executive dashboards that can be generated by using this approach to managing application security and help highlight various ways this information can be used to further improve the overall maturity of application security programs.

Bio:
Yan Kravchenko has over 18 years of IT and information security consulting experience, the last seven with NetSPI. Before that, Yan served as the Director of IT for a large agriculture company, and before that Yan spent seven years performing security assessments and IT audits and assisting in the creation of Business Continuity and Disaster Recovery Plans. In addition to a strong understanding of security and compliance, Yan has a deep technical background, which helps him better evaluate and understand security risks, as well as provide meaningful and practical risk remediation advice. Over the last year, Yan has been focused on developing a new methodology for companies to manage application security, and on improving information security metrics.

SAMM Project 71, by Justin Clarke (Gotham Digital Science) & John Dickson (Denim Group)

Abstract:
TBD

Bio:
Justin Clarke is director and co-founder of Gotham Digital Science. He is a security consultant with extensive international Big 4 risk management, security consulting and security testing experience, based in the United Kingdom, with previous experience in the United States and New Zealand.
He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009 & 2012), coauthor of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), and a speaker at various security conferences and events such as Black Hat, EuSecWest, OWASP, OSCON, RSA and SANS. He is currently chapter leader of the OWASP London chapter.
John Dickson - TBD


SAMM Round Tables, by Kuai Hinojosa (McAfee/Foundstone) & Jerry Hoff (WhiteHat Security)

Abstract:
During the SAMM round table sessions, we will exchange our experience and lessons learned from using OpenSAMM. Topics will include

  • Best practices in performing SAMM self assessments
  • SAMM, now what? How do we build internal support and enthusiasm for security
  • Has 2015 and the recent spate of new attacks introduced any new challenges that are not addressed by SAMM?
  • Building an educational strategy - can we just force developers to go through training or is there a better way?


Bio:
Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of fortune ten financial firms, along with years of hands-on security consulting, where he specialized in manual code review, web application penetration testing, and architecture reviews. Jerry also has years of development and teaching experience. He taught for over seven years at Washington University's CAIT program, and the microcomputer program at University of Missouri in St. Louis.
Jerry is the writer/producer of the popular OWASP Appsec Tutorial Series and the lead developer for the WebGoat.NET project.
Kuai Hinojosa - TBD

Location

Dublin, Gibson Hotel

Agenda

This project day will focus on the OWASP project in "Summit Mode".

Topics that will be covered during the day are:

  • Analysis templates / tooling
  • SAMM model improvements
  • What to put in next release / roadmap
  • Finalizing / publishing OpenSAMM v1.1
  • Project 71 follow-up (benchmark repository)

We will end each session with defined outputs, including action plans, responsible parties and timing.

[Image: Bar sammsummit.jpg]

The social event is on Friday the 27th of March.

We have reserved the Cocktail / Winter Garden at Fade Street Social at 6PM.


Food is a set menu for €35 or €50 (not included in the registration)

Address:
Fade Street Social
WinterGarden,
6 Fade Street,
Dublin 2

Made possible by our Sponsors