Difference between revisions of "AppSec ASIA 2016"

From OWASP
{|
|-
! width="100" align="center" | <br>
! width="70" align="center" | <br>
|-
| align="center" | [[File:64614893850732793245%.jpg]]
| align="center" |
|}
= Welcome =
= Training =
NO training plan.

=Schedule=
Pending...

=Keynotes=
pending...

=Speaker Bios=
pending...

=CFP=
'''APPSEC ASIA 2016'''<br>
=='''Call for Paper'''==
OWASP AppSec ASIA 2016 will bring together application security experts and software engineers from all over the world on May 21, 2016. Industry and academia will meet to discuss open problems and new solutions in web and mobile security. For this event we invite application security researchers, thought leaders and developers worldwide to submit papers for presentations on "the next": cutting-edge research in the context of web applications, secure development, security management and privacy. Don't miss the opportunity to share and discuss your ideas and knowledge with other experts and practitioners.

Topics of interest include, but are not limited to:
*Web Security
*Mobile Security
*Cloud Security, specifically secure Cloud Apps
*Infrastructure security
*Secure development
*Application Security Testing
*Privacy protection in web-based apps
*Emerging web technologies and associated security considerations
*Security Trainings, Certificates and CTP

Papers should describe new ideas, new implementations, or experiences related to web and mobile security. We welcome leading-edge topics and ideas as well as in-depth discussion at the conference. The conference planning team will review your submission based on a descriptive abstract of your intended presentation. Feel free to attach a preliminary version of your presentation if available, or any other supporting materials. Remember: the better your description is, the better our review will be.

'''Important dates:'''<br>
Submission deadline: Mar 25, 2016.<br>
Notification of acceptance: Mar 31, 2016.<br>
Presentation PPT due: April 30, 2016.<br>

To submit a proposal, please use EasyChair: https://easychair.org/conferences/?conf=appsecasia2016wuhanc<br>
To contact the conference planning team, please mail to [email protected]<br>
OWASP Speaker Agreement: https://www.owasp.org/index.php/Speaker_Agreement<br>
We will likely be able to cover travel expenses or accommodation costs.

'''Terms'''<br>
By your submission you agree to the OWASP Speaker Agreement. OWASP values vendor neutrality. You need to use the OWASP presentation template and you are not allowed to place marketing pitches in your slides. All presentation slides will be published on the conference website after the conference. Please make sure that any pictures and other materials in your slides do not violate any copyrights. You are solely liable for copyright violations. You may choose any CC license for your slides, including CC0. OWASP does suggest open licenses.
=Schedule=
{|border="0" class="FCK__ShowTableBorders" style="width: 100%;"
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font size=2pt>'''Schedule''' </font><br>
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font size=2pt>'''Duration''' </font><br>
| align="center" style="width: 30%; background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font size=2pt>'''Topic''' </font><br>
| align="center" style="width: 30%; background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font size=2pt>'''Venue''' </font><br>
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 9:00-9:15
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 15
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:yellow" | Opening speech
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:yellow" | Main Hall
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 9:15-9:45
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 30
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:blue" | OWASP Mobile 2016 & Self-healing apps
Milan Singh Thakur
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:blue" | Main Hall
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 9:45-10:15
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 30
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:blue" | Testing next-gen iOS apps
Prateek Gianchandani
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:blue" | Main Hall
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 10:15-10:30
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 15
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:yellow" | Coffee & Tea Break
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:yellow" | Lobby
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 10:30-11:00
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 30
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:blue" | Big problems with big data - Hadoop interfaces security
Jakub Kaluzny
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:blue" | Main Hall
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 11:00-11:30
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 30
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:blue" | OWASP CISO Survey Report – Tactical Insights for Managers
Tobias Gondrom
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:blue" | Main Hall
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 11:30-12:00
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 30
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:blue" | OWASP Top 10: Effectiveness of Web Application Firewalls
David Caissy
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:blue" | Main Hall
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 12:00-14:00
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 120
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:yellow" | LUNCH
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:yellow" | N/A
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 14:00-14:30
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 30
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:brown" | Security Research on Android Hardware Isolation and Fingerprint Applications
顾凌志
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:brown" | Main Hall
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 14:30-15:00
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 30
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:brown" | Cloud-ids: Intelligent Web Intrusion Detection and Threat Awareness
刘焱
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:brown" | Main Hall
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 15:00-15:30
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 35
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:brown" | IT Security Risks and Crises Facing the Enterprise AppLayer
Dixon Ho
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:brown" | Main Hall
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 15:30-15:50
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 20
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:yellow" | Coffee & Tea Break
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:yellow" | Lobby
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 15:50-16:20
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 30
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:brown" | Security Analysis of Driverless Cars
云朋
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:brown" | Main Hall
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 16:20-16:50
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 30
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:brown" | Engineering better security
Collin Chang
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:brown" | Main Hall
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 16:50-17:20
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 30
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:brown" | A Discussion of Server-Side Security Protection for Mobile Internet Applications
权小文
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:brown" | Main Hall
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 14:00-14:40
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 40
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:green" | Capture-the-Flag Secrets
Ivan Butler
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:green" | Talent Development Sub-forum
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 14:40-15:15
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 35
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:green" | A Preliminary Exploration of Source Code Security Education in Universities
张䶮
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:green" | Talent Development Sub-forum
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 15:15-15:50
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 35
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:green" | A New Model for Cultivating Security Talent
Rip
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:green" | Talent Development Sub-forum
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 15:50-16:10
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 20
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:yellow" | Coffee & Tea Break
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:yellow" | Lobby
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 16:10-16:45
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 35
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:green" | From Software Engineer to Software Security Manager
王文君
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:green" | Talent Development Sub-forum
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 16:45-17:20
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 10
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:green" | Practice in Cultivating High-End Information Security Talent
张绍浪
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:green" | Talent Development Sub-forum
|-
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 17:20-17:30
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 10
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:yellow" | Closing speech
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(194, 194, 194);color:yellow" | Main Hall
|-
|}

= Talk Abstracts and Presentations =

===Abusing, Exploiting and Pwning with Firefox Add-ons===
'''Ajin Abraham''' [https://docs.google.com/a/owasp.org/file/d/0B5Z9zE0hx0LNZWI0UC1MbjZCSEE/edit (Download the Presentation)]

The talk is about abusing and exploiting the Firefox add-on security model and explains how JavaScript functions, XPCOM and XPConnect interfaces, technologies like CORS and WebSocket, session storing and full-privilege execution can be abused by a hacker for malicious purposes. Widely popular browser add-ons can be targeted by hackers to implement new malicious attack vectors, resulting in confidential data theft and full system compromise. This paper is supported by proof-of-concept add-ons which abuse and exploit add-on coding in Firefox 17, the release which Mozilla boasts has a more secure architecture against malicious plugins and add-ons. The proof of concept includes the implementation of a local keylogger, a remote keylogger, stealing Linux password files, spawning a reverse shell, stealing the authenticated Firefox session data, and a remote DDoS attack. All of these attack vectors are fully undetectable by anti-virus solutions and can bypass protection mechanisms.
+
=Speaker Bios=
 +
<font size=2pt>
  
  
===A Call for Drastic Action: A Survey of Web Application Firewalls===
+
===Milan Singh Thakur===
'''Jaeson Yoo''' [https://owasp.org/images/2/2b/APAC13_Jaeson_Yoo.pdf (Download the Presentation)]
+
*OWASP Mobile 2016 & Self-healing apps
 +
*主会场
  
Web application firewalls (WAFs) have become an unquestioned necessity in the modern world.
+
Milan is very passionate about Information Security and an International Speaker. He is leading
 +
OWASP Mobile Security Project Globally under which Mobile Appsec Guide, Checklist and various Cheatsheets
 +
are being developed. He also works as Information Security Consultant for a private firm in India.
 +
His primary focus is Mobile Security. He has helped to secure mobile apps for various well known clients
 +
in banking, insurance, health, e-commerce and other sectors. Recently he has done PT for Apple iWatch
 +
for a client.
 +
He has expertise in fields like secure code review, NFC Pentesting, Web Appsec, VAPT activities, Wireless
 +
Pentesting, Payment Gateway Security Assessments and lot more. His scope of exploration is not limited
 +
to these technologies. He is strong supporter of “Open-Source” terminology and has been promoting it
 +
since 2010.
  
According to Gartner, 75% of all IT threats target the web application layer.  The Ponemon Institute announced earlier this year that 93% of organizations hacked in the past two years were breached via insecure web applications.  These are astounding figures, illustrating the vulnerability of web servers, through which we conduct so much of our daily business, as well as the significance of WAFs in addressing this vulnerability.
 
  
So why have so many businesses been reluctant to install WAFs?  After all, they were designed specifically to deal with web application attacks.  WAFs have been proven to block web attacks, and in some cases, provide effective countermeasures against them.
 
  
By taking a closer look at first- and second-generation web application firewalls, it seems to me that we can begin to find answers to this question.  Until now, WAFs have been undermined by modified attacks, false positives, and an inordinate amount of burden to those who are entrusted to manage them. 
+
===Prateek Gianchandani===
 +
*Testing next-gen iOS apps
 +
*主会场
  
First generation WAFs were based on a pattern-matching scheme, and brought about the advent of the Black List. The IT security administration would add a known attack pattern, and compile similar patterns to form the Black List. In so doing, the first-generation WAF could compare web traffic to its updated patterns, analyzing them at the application level. This list was static, meaning that there was no detection system put into place for new or modified attacks against the web application layer.
+
An OWASP member and contributor has been working in the infosec industry for over 5 years. During his five years, he has performed a number of penetration tests on mobile and web applications and even developed a lot of applications for the App Store. His core focus area is mobile pentesting and embedded device hacking. He is also the author of the open source vulnerable application named Damn Vulnerable iOS app. He has presented and trained at Conferences like Defcon, Blackhat USA, Brucon, Hack in paris, Phdays etc.
  
The first generation WAFs were not particular successful in the IT security market.  Perhaps most companies wanted to stick with their Intrusion Detection/Prevention Systems, ignoring the fact that these components did painfully little for the OSI Layer 7, or the web application layer.  Perhaps companies wanted to actualize a return-on-investment on their legacy purchases. 
 
  
But this does not mean that the first generation WAFs themselves didn’t have something to do with their disappointing sales.  First, the heavy workload was a drawback.  Administrators constantly had to update known attack patterns on the black list.  This meant many hours for the WAF administration team, assuming that the end-user even had such a team.  More often, it meant having to hire more people, an especially unattractive prospect for smaller, cash-strapped organizations.  In other words, not only did you have to invest in WAFs, you also had to invest in an expensive, highly-trained IT staff to run them.
 
  
If first-generation WAFs provided top-notch security, perhaps the additional investments could have been digested.  But WAFs did not protect against new or modified attacks.  They also produced a significant number of false positives.  Most significantly, all this work for marginal security also resulted in poor performance.  If you put more than 3,000 signature-based rules, system performance begins to slow.  More than 5,000 signatures means that you may have to delete some old rules, just to make rooms for new ones.
 
  
In light of these limitations, WAF providers came up with a second-generation solution to address some of these problems.  Second-generation WAFs came with a white list, or a list that includes all permissible traffic.  By using the white list along with the black list, these updated WAFs were supposed to make things easier for the WAF administrator, since the white list would essentially serve as an automated security policy. 
+
===Jakub Kaluzny===
 +
*Big problems with big data - Hadoop interfaces security
 +
*主会场
  
Unfortunately, second-generation WAFs did little to alleviate manpower requirements. In fact, these updated WAFs resulted in a heavier workload for the administrator.  The white list would take up to two weeks to implement. Also, in spite of the fact that these automated security policies were supposed to make things easier for the administrator, second-generation WAFs still needed manual configuration.  All of this meant more work, not less.
+
A Senior IT Security Consultant at SecuRing and performs
 +
penetration tests of high-risk applications, systems and devices. He was
 +
a speaker at many international IT Security conferences: OWASP AppSec
 +
EU, BlackHat Asia, PHdays, CONFidence, HackInTheBox AMS, as well at
 +
local events. Previously working for European Space Agency and internet
 +
payments intermediary. Apart from testing applications, he digs into
 +
proprietary network protocols, embedded devices and other enterprise
 +
solutions.
  
Again, if all this meant greater web security, perhaps all of these problems could have been overlooked.  But this wasn’t the case.  It was still a pattern-matching solution, meaning that it was vulnerable to unknown or modified attacks.  It still produced false positives at a significant rate.  And with the white list, it now worsened the system performance problem.
 
  
WAFs were and are definitely necessary.  But these first- and second-generation solutions were coming up significantly short.  More importantly, hackers were becoming increasingly sophisticated with every new day.  So what was needed?
 
  
A whole new breed of WAF, an intelligent WAF, based on an entirely new concept, is needed.  This new breed should be capable of analyzing web traffic, and detect attacks by analyzing and classifying their modus operandi.  After detecting attacks, WAFs needed to apply appropriate countermeasures to block the threat.  And finally, for practically purposes (especially for smaller companies that can’t hire a whole brigade of security administrators), WAFs needed to do all this without continual administrative involvement.  In other words, a new solution was needed to provide much better security, while lessening the administrative burden for customers.
 
  
 +
===Tobias Gondrom===
 +
*OWASP CISO Survey Report 2015 – Tactical Insights for Managers
 +
*主会场
  
===Design Secure Web Applications===
+
CTO Security for global IT company.
'''Ashish Rao''' [https://www.owasp.org/images/f/f4/APAC13_Ashish_Rao.pdf (Download the Presentation)]
+
Chairman of the Board of OWASP, Chair of the IAOC. Experience asHead of Information Security, Chief Information Security Officer, CISO, IT Risk Management, Governance & Compliance
 +
Head of Software Development, CTO,
 +
Manage in global, multinational and complex organisations, Change Management, project management, M&A, Strategy, ArchitectureSDLC, Software development processes and standards CCISO, CISSP, CSSLP.
  
  
[https://www.owasp.org/images/f/f7/Checklist_For_Design.pdf Checklist for securing web application design]
 
  
 +
===David Caissy===
 +
*OWASP Top 10: Effectiveness of Web Application Firewalls
 +
*主会场
  
We are all aware of “secure coding” and practice it to great extent while developing applications. But do we give equal attention to – “Secure Design”?  Most of us would probably say, NO. Design level flaws are lesser known concepts but their presence is a very big risk to the applications. Such flaws are hard to find in static or dynamic application scans and instead require deep understanding of application architecture and layout to uncover them manually. With increasing business needs the complexities in application design and architecture are also increasing. There is a rise in the use of custom design techniques and diverse technologies in the applications today. But in the midst of all this, have we ever thought about design level security?
+
David Caissy, M. Sc., OSCP, GWAPT, GPEN, GSEC, CISSP, CEH is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, various government agencies and private companies. David has been teaching web application security in colleges, conferences and for many government agencies over the last 15 years.
  
Will only secure coding practices help to keep a multi-tiered custom designed application safe?
 
  
If that question gets you thinking this presentation will help fetch you an answer for it.
 
  
This presentation focuses on highlighting some important secure design principles that developers and architects must adapt to build a secure application design. With the help of some design flaws we will see the areas of design that are exposed to security risks and what measures can be taken to avoid them in our design.
 
  
 +
===顾凌志===
 +
*Android硬件隔离及指纹应用的安全研究
 +
*主会场
  
===Dissecting Smart Meters===
 
'''Justin Searle''' [https://owasp.org/images/2/2a/APAC13_Justin_Searle_-_Dissecting_Smart_Meters_v4.pdf (Download the Presentation)]
 
  
The Smart Grid brings greater benefits for electric utilities and customer alike, however these benefits come at a cost from a security perspective.  This presentation will explore the architecture of most Smart Meters, the protocols they use, a breakdown of their embedded components, and the functionality their headend servers contain.  We'll explain the methodologies we've developed to perform penetration testing these AMI systems, enumerate the types of vulnerabilities we commonly find, and discuss the solutions we recommend to Smart Meter vendors. We will even demonstrate at least one of the attacks we commonly perform in our penetration tests.  This will be done without the FUD and over-hyped framing that we usually find in the media and other Smart Grid presentations.
+
华为资深安全专家,华为SDL应用创始人之一,擅长安全架构设计、威胁建模;长期从事移动、虚拟化及通信领域业务安全的分析和研究。
  
  
===The Droid Exploitation Saga===
 
'''Aditya Gupta & Subho Halder''' [https://drive.google.com/a/owasp.org/?tab=mo#folders/0B5Z9zE0hx0LNZmgtazBya0dFMnc (Download the Presentation)]
 
  
In this talk, we will be discussing about the recent trends in Android Security Exploitation, as well as we will be carrying out all the possible attacks using a framework which we've designed called as Android Framework for Exploitation.
 
  
We will show how easy it could get to break into any Android Device, either using any exploit, or creating a malware using AFE. Also, in case the malware gets detected by any of the anti malwares, you 'll have the option to make it Fully Undetectable again and again, using the framework.
+
===刘焱===
 +
*Cloud-ids:智能Web 入侵检测与威胁感知
 +
*主会场
  
The things you would be able to steal with the help of AFE-created malwares, aren't limited to Contacts, Call Logs or Text messages, but you could also steal the application specific information (contained within the database files or saved using Content Providers).
+
百度云安全部资深架构师刘焱,毕业于华中科技大学,具有近十年 bat级互联网公司甲方安全防护经验,主持或者参与了百度内部几乎全部安全监控以及防护项目,黑客入侵主动发现比例超过80%;具有多项国家信息安全专利;在国内外学术期刊、会议发表多篇论文;主持开发的安全产品在十多家国内外中大型互联网企业中使用。
  
We will be covering each topic with live demonstrations and will also discuss the case studies of vulnerabilities in some of the most popular android applications. 
 
  
  
===Growing sophistication of DDoS attacks===
 
'''John Ellis''' [https://owasp.org/images/6/68/APAC13_John_Ellis.pdf (Download the Presentation)]
 
  
2012 saw the unprecedented growth in DDoS attacks, not only in volume but also in sophistication.
+
===Dixon Ho===
 +
*企业AppLayer面临的IT安全风险与危机
 +
*主会场
  
Gone are the days where DDoS attacks were the simple cheap and nasty, simplistic syn floods. Now they have evolved into a powerful cyber weapon, a weapon of choice for:
+
为ISACA北京事务委员会主席、中国信息化推进联盟信息安全专业委员会副主任,主管微软大中华区信息安全领域超过8年。在2008年担任了北京市市政管理委员会奥运城市运行指挥平台安全顾问。
cyber extortion, aiding cyber criminals in their fraud activities, and hacktivists in pushing their cause.
+
信息安全领域从业时间:近20多年。
  
Join John Ellis as he takes a deep dive into the growing sophistication of DDoS attack and examines:latest tools like 'itsoknoproblembro'the migration from the botnet to the Virtual Private Systems (VPS) as the attack platform of choice evolving C2 architecture the use of multi-vector attacks and the increasing attacks against and over SSL
 
common approaches to defending against these attacks, whats worked and what hasn't what organisations should be thinking about next; and ideas on how to build a protect and perform strategy along with the message to senior management to secure funding.
 
  
  
===Hacking Authentication Checks in Web Applications===
 
'''Siddharth Anbalahan''' [https://www.owasp.org/images/c/c2/APAC13_Siddharth_Anabalahan.pdf (Download the Presentation)]
 
  
Authentication is one of the most coveted and targeted features for security attacks. Despite its importance and sensitivity we still fail to see robust implementations of this control in our applications. Developers just don’t seem to get it right and security researchers just cannot stop identifying flaws in them. In this talk we will look at 4 insecure authentication control implementation in web applications that will leave you astounded and make you understand why most of the applications will be prone to these flaws.
 
  
 +
===云朋===
 +
*无人车安全剖析
 +
*主会场
  
===HTML 5 ===
 
'''Han-Ik Joo''' [https://www.owasp.org/images/6/6c/APAC13_JooHanik.pdf (Download the Presentation)]
 
  
HTML5  unlike the predecessors HTML that was impossible to implement features is the next generation standard language. However, vulnerability also is extended, and the fact that it is now possible to bypass existing countermeasures for Web-based security threats. In this talk, We will handle Demonstrations and the presentation of the security threats that can occur in the browser with the newly added features in HTML5. This talk include the following information as below:
 
  
*CSRF Using XHR Level2
 
*XSS using Newly added tag in HTML5
 
*Web Storage using information extraction
 
*WebSQL Information extraction using JavaScript
 
*Web Worker Injection
 
  
  
===Invisibility Purge – Unmasking the Dormant Events of Invisible Web Controls – Advanced Hacking Methods for Asp.Net, Mono and RIA===
+
===常颢Collin.Chang===
'''Shay Chen''' [https://owasp.org/images/6/6d/APAC13_ShayChen.pdf (Download the Presentation)]
+
*Engineering better security
 +
*主会场
  
Web Controls have become common in many popular platforms, enhancing the software lifecycle by speeding up development, and enabling developers to reuse custom content.
+
35岁,居于上海。现就职于Raid7。毕业于复旦大学,有12年的安全经验。曾在Venustech、 McAfee、TippingPoint(HP ESP) 以及 PaloAlto Networks工作过。他也是一个PMP, 参与过中国东部的一些大项目。熟悉Anti-virus 、IPS/IDS、NGFW、脆弱性管理解决方案。
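Review bot: 'Raid7' in Collin Chang's bio is probably a misspelling of Rapid7; please confirm the company name with the speaker. The employer list also mixes full-width and half-width punctuation with uneven spacing ('Venustech、 McAfee、TippingPoint(HP ESP) 以及 PaloAlto Networks'); normalize it to one style.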
  
In platforms such as ASP.Net and Mono, the implementations of Web controls are packed with features that can enhance the security of applications, usually with minimum effort.
 
  
There are many ways to restrict the access to web controls, including privilege validation, deletion from pages that were duplicated for low privileged users, disabling controls, or even by making them invisible to anyone but users with pre-defined roles.
 
  
However, the event activation mechanism can also be a double-edged sword.
 
  
Invisibility, by definition, is in the eyes of the observer.
 
  
An object might be invisible to some eyes, while still being visible to instruments that were designed to locate it.
+
===权小文===
  
A new research reveals several methods that attackers can harness to unmask, enumerate and activate events of hidden web controls, even in popular platforms such as ASP.Net and Mono.
+
1978年,陕西人,毕业于清华大学,获得硕士学位,2005年获得高级工程师职称,拥有4年大型国企技术和管理经验,6年跨国公司技术和管理从业经验,5年国内创业经验,15年信息安全从业经验,获得5项网络安全相关的发明专利,18项软件著作权,参与国家重大科研专项6项,参与一项网络安全相关国标制定;主要从事信息安全产品研发、技术管理、产品线管理等工作。主持开发的Web安全系列产品,占有国内30%以上市场份额,并且出口到美国、印度、迪拜等国家。创建的远江盛邦(北京)网络安全科技股份有限公司,已经申报全国股转系统,并在2016年4月14日正式挂牌新三板。
  
The slightest mistake or the right conditions can make this development model a fertile ground for attacks, enabling the attacker to completely ignore the security features of controls, and gain access to restricted and dormant server side events.
 
  
Locating invisible controls, Unmasking hidden events and activating them in-spite of various default and custom security measures – once only in theory, and now a step by step methodology that could be performed manually, or using designated tools.
 
  
This presentation will demonstrate several methods that can be used to locate invisible web controls, unmask secret events and activate dormant code. It will also discuss designated modules which are embedded into the upcoming release of the Diviner extension, an extension of the OWASP ZAP proxy project.
 
  
 +
===Ivan Butler===
 +
*Capture-the-Flag Secrets
 +
*人才培养分论坛
  
===Missile of Cyber-terrorism, the reality of APT and Countermeasures===
+
Founder and CEO of Compass Security, a leading Swiss ethical hacking and penetration testing company. Speaker @ BlackHat Las Vegas 2008, IT Underground Warsaw 2009, Unistrategic Singapore 2010 and organizer of Swiss Cyber Storm Security Conference since 2007.
'''Security Expert, Growing''' [https://owasp.org/images/9/9f/APAC13_Ihn-Hyuk._Song.pdf (Download the Presentation)]
 
  
APT’s attack is represented intelligented and sophisticated Hacking. As a result APT can be used to disturb the tackets. Here, this paper proposed to understand the reality of APT. In other words, APT’s definitions, properties, and Life-Cycle. Depending on derived properties, Security defense strategy is suggested differently.
 
  
  
=== Open Source Metasploit - The Elixir of Network Security===
 
'''Harish Chowdhary and Shubham Mittal'''
 
  
<span style="color:red"> Talk Cancelled </span>
 
  
Today every organization intensely relies on the communication. Every part of an organization ought to operate closely & ought to be interconnected for the benefit of the organization. The term interconnected & communication signifies one of the most vital a part of an organization primarily of an IT organization is the Computer NETWORK.
+
===张===
Network is the backbone of an IT organizations Network security is a crucial concern for enterprises, government agencies, and organizations of all sizes. Today’s advanced threats demand an organized approach to network security. Information within a network has same importance like blood in our veins. But the increasing incidence of the network breaches leading to the critical information loss, finally loss of business & credibility, clearly indicates that computers networks are not secured as they seem. Therefore they must be tested for their security. The aim of this paper is to present the most effective open-source Framework for network security testing-METASPLOIT. This paper will provide the focused views on.
+
*高校源代码安全教育初探
 +
*人才培养分论坛
  
What is Metaspliot, how to use Metasploit for Penetration testing & its various advantages, how to customize you pen test. It will additionally also put lights on, how to find the intrusion in the network & mitigation techniques to keep away from the cyber assaults. Whole, the objective of this paper is to provide a detailed understanding of what is Metasploit and how to utilize it as a security professional.
 
  
  
===Pentesting Web Apps with Python===
 
'''Justin Searle''' [https://owasp.org/images/5/58/APAC13_Justin_Searle_Python_Basics_for_Web_App_Pentesters.pdf (Download the Presentation)]
 
 
  
Interested in expanding your scripting skills to further customize your penetration testing approach?  The goal of this talk is to teach you basic python skills you can use every day. Join one of the SamuraiWTF project leads and learn how to interact with websites using
 
python scripts and python shells.  Understand the differences between the major HTTP libraries like httplib and urllib2.  Walk through sample code that performs username harvesting and dictionary attacks. Learn how to use Python's multithreaded features to speed up your scripts.  And most importantly, discover PyCIT, a new opensource
 
project that provides simple, documented, and functional python templates to accelerate your python scripting efforts.
 
  
 +
===Rip===
 +
*新型安全人才培养模式
 +
*人才培养分论坛
  
===Putting Security within the SDLC via Application Threat Modeling===
+
Leader of OWASP China.
'''Tony UV''' [https://owasp.org/images/0/0b/APAC13_TonyUV.pdf (Download the Presentation)]
 
  
As delusions of effective risk management for application environments continue to spread, companies continue to bleed large amounts of security spending without truly knowing if the amount is warranted, effective, or even elevating security at all.  In parallel, hybrid, thought provoking security strategies are moving beyond conceptual ideas to practical applications within ripe environments.  Application Threat Modeling is one of those areas where, beyond the hype, provides practical and sensible security strategy that leverages already existing security efforts for an improved threat model of what is lurking in the shadows.
 
  
This presentation seeks to walk though practical applications and exercises associated with application threat modeling. Integration to multi-security focused disciplines will be included, such as dynamic analysis, static analysis, incident monitoring, vulnerability management, social engineering, penetration testing, and more.
 
  
The objective of the presentation is to illustrate the efficiency and effectiveness of application threat modeling in properly integrating and leveraging security information in order to evolve beyond a broken risk analysis model for application security today.  The PASTA (Process for Attack Simulation & Threat Analysis) methodology will be introduced as part of this talk.
 
  
The target audience will encompass motley of both IS and IT professional, ideally providing a cross section of developers, project managers, system administrators, quality assurance engineers, security analysts, pen testers, network engineers, security risk analysts, and even compliance professionals. Due to the level of depth to be covered in the presentation which will go over Data Flow Diagramming, Application Decomposition exercises, correlation to existing frameworks such as Building Security-In Maturity Modeling, Software Assurance Maturity Modeling, and more.
 
  
 +
===王文君===
 +
*从软件工程师到软件安全经理
 +
*人才培养分论坛
  
===Securing data with a Data Encryption Infrastructure===
+
HP Enterprise Software全球安全技术主管,负责年营业额10亿美元的软件产品线的总体安全,以及SDL(软件安全开发流程)在公司内部的实施。OWASP上海分会负责人,CWASP资深讲师,拥有CSSLP和CISSP认证,是《Web应用安全威胁与防治》的作者之一。
'''Arshad Noor''' [https://owasp.org/images/0/04/APAC13_Arshad_Noor.pdf (Download the Presentation)]
 
  
As companies are challenged to keep up with an increasing number of data-security regulations worldwide, encryption of sensitive data has become the universal ""safe-harbor"", the last bastion of defense against unauthorized disclosure of data, mandated or highly recommended in every regulation.
 
  
While the protection of structured data-elements such as Credit Card Numbers, Bank Account numbers, etc., is addressed by applications on a case-by-case basis, we are entering an era where unstructured sensitive data are becoming equally attractive targets.  Military documents, medical data, blueprints of new products, financial and legal documents, etc. are just as valuable as credit card numbers to attackers depending on their motiviation and backers.
 
  
While it is feasible for companies to address the protection of such documents on a case-by-case basis, it is far more effective to deploy a ubiquitous network service that  addresses all of the following requirements:
 
  
*Provide a single point/protocol for commuication to the service (much like DNS or DHCP);
 
*Is accessible to any platform or programming environment;
 
*Provides automated scheduling of cryptographic operations (synchronous and asynchronous);
 
*Provides automated key-management (generation, escrow, recovery, etc.);
 
*Auto-scales cryptographic capability to address peaks/valleys of processing loads;
 
*Integrates with existing Identity and Access Management (IAM) infrastructure;
 
*Integrates with existing public/private Cloud services;
 
*Provides load-balancing and is highly-available; and
 
*Meets regulatory requirements of any data-security regulation anywhere.
 
  
While sounding more like a pipe-dream, this paper presents a case-study of a real-world implementation of such a network service to protect structured and unstructured content worth hundreds of millions of dollars, for one of the largest e-commerce companies in the world.
+
===张绍浪===
 +
*信息安全高端人才培养实践
 +
*人才培养分论坛
  
The Regulatory Compliant Cloud Computing (RC3) - a web-application architecture for secure cloud-computing - was presented at OWASP AppSec APAC 2012 in Sydney by this author, where it was fairly well received (to the best of my knowledge).  RC3 is gaining  attention worldwide, with IBM having translated the paper into Chinese, Portuguese and Russian for the BRIC markets on its developerWorks web-site (http://ibm.co/rc3dw), and the paper presented at various other conferences around the world (after AppSec APAC 2012).
+
从事信息安全13年,多年来一直从事信息安全产品的研发和产业化,熟悉国内外的网络安全技术,北京易霖博信息技术创史人,红客训练营创史人,公司13年成立,在其带领下从公司三五人目前已经成长为50人的团队其中研发人员35人,承担国家级比赛及省赛数十项。
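Review bot: '创史人' (twice) should be '创始人' (founder), and '公司13年成立' should read '公司2013年成立' so the year is unambiguous. The sentence also runs together without punctuation between '50人的团队' and '其中研发人员35人'.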
  
This paper continues the discussion to present, for the first time, a real-world RC3 implementation, and discusses how the experience can be leveraged by others to address data-protection requirements.  It will include details of the architecture, technology components (FOSS), and performance data to support the tenets described in the original RC3 paper from 2012.
+
= Training =
 +
<font size=2pt>
  
 +
{|border="0" class="FCK__ShowTableBorders" style="width: 100%;"
 +
|-
 +
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font size=2pt>'''Course Name''' </font><br>
 +
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font size=2pt>'''Trainer''' </font><br>
 +
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font size=2pt>'''Course Length''' </font><br>
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font size=2pt>'''Course Date(s)''' </font><br>
 +
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font size=2pt>'''Language''' </font><br>
 +
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font size=2pt>'''Price'''</font>
 +
|-
 +
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | OWASP Top 10 Effective Safeguards
 +
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | David Caissy
 +
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 4H
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | May20,8:30-12:00
 +
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | English
 +
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | RMB 1500
 +
|-
 +
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Mobile Application security
 +
| align="center" style="width: 20%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Prateek Gianchandani
 +
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | 4H
 +
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | May20,14:30-18:30
 +
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | English
 +
| align="center" style="width: 10%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | RMB 1500
 +
|-
 +
|}
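Review bot: the first course row is inconsistent: the Course Length cell says 4H but the slot May20,8:30-12:00 is only 3.5 hours (the second row, 14:30-18:30, is a real 4 hours); correct one of the two. Also write the date cells as 'May 20, 8:30-12:00' and 'May 20, 14:30-18:30', spell the length out as '4 hours', and capitalize 'Mobile Application Security' to match 'OWASP Top 10 Effective Safeguards'.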
  
===Security Challenges of Hybrid Mobile Applications===
+
== Note  ==
'''Mikko Saario''' [https://owasp.org/images/2/29/APAC13_Mikko_Saario.pdf (Download the Presentation)]
+
*Price per attendee.  
 
+
*15% off for OWASP Senior Member
Mobile application development leveraging a hybrid technology stack is an accelerated way to bring new apps to market reusing existing competencies. Hybrid technology essentially refers to using several different coding languages instead of just the ""native"" one - whatever it may be in each case. Often existing code and services are reused to avoid expensive development for each distinctive platform. This way the ‘desktop web’ and the ‘mobile web’ are converging quickly - code can be shared and reused more and more. The focus technologies in this presentation are Windows Phone 8 and the Qt framework. Mikko will take a look into what kind of fundamental security mechanisms or threats do or do not exist in the two platforms to protect the user and the application from attacks when mixing several technology stacks. The expanding availability of development technologies opens up new attack surface, often with old attacks, to mobile applications: For instance, Windows Phone 8 introduced the possibility to implement applications in C++ in addition to the existing C#/Silverlight + web technologies. Are buffer overflows back? Qt is built on top of C++ and implements for instance the WebKit and QtQuick (QML with inline JavaScript) technologies for quickly developing cross-platform applications. The combination of these multiple stacks provide ample attack surface against mobile applications.
+
*15% off for groups of above 10
 
+
*Conference Registration is separate.
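Review bot: '15% off for groups of above 10' is ambiguous (10 or more, or more than 10?) and the list does not say whether it can be combined with the OWASP Senior Member discount; state the threshold precisely and whether the two discounts stack.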
The presentation will cover security pitfalls when mixing native code and JavaScript in the Qt/QML stack, Qt-specific XSS and other injection issues, deploying code in webviews in both platforms - and the lack of common user security indicators in them, how malicious code can identify native methods exposed to a hybrid environment, how the same origin policy and code sandboxing differ from the typical desktop browser, how to leak your geolocation in Windows Phone, surprising differences in using a headless browser vs. IE Mobile in the older Windows Phone 7.5 and much more. Using a live demo application I will walk through several hybrid platform issues and threats in Windows Phone 8.
 
 
 
During the testing vulnerabilities were discovered in both the WP8 and Qt platforms and these will be demoed in cases where the vendor has either fixed the issue or the information is otherwise already public.
 
 
 
 
 
===Using the Wisdom of the Crowd to Enhance Application Security===
 
'''Moshe Lerner''' [https://owasp.org/images/6/69/APAC13_Moshe_Lerner.pdf (Download the Presentation)]
 
 
 
Security-oriented source code analysis tools detect vulnerabilities only for well-defined hacks and tend to return many results which are hard to remediate. Two problems result: One, how can we overcome the lack of coverage? And two, how can we improve the ability to fix?
 
 
 
These problems are all the more pressing considering today’s short development cycles through Agile methodologies, the ever-increasing requirement for continuous deployment and large applications containing vast amounts of source code. In these environments, automation and accuracy are absolute necessities in order to achieve high rates of vulnerability detection and furthermore, taking the right preventive actions.
 
 
 
To address these challenges our research turned to the field of Big Data analysis to integrate their advanced technologies into our research. In this talk we present our research methodology and findings. In particular, we show how to:
 
# Adopt new technologies from the Big Data realm - used to locate required data and enable proper call for action – and apply them into source code analysis
 
# Identify security vulnerabilities through code irregularities using the Wisdom of the Crowds (large scale apps reference)
 
# Optimize vulnerability remediation of large result sets using smart graph methods that pinpoint vulnerability junctions and best-fix locations
 
 
 
 
 
===Web Security - New Browser Security Technologies===
 
'''Tobias Gondrom''' [https://owasp.org/images/b/b8/APAC13_TobiasGondrom.pdf (Download the Presentation)]
 
 
 
This is cutting edge and will talk about new browser security technologies that have recently been developed and/or will be coming up in the coming months to counter risks that became apparent from the current trust model used in browsers. This will be improving channel protection and enabling better protection against XSS, Clickjacking and XSRF.
 
 
 
In the recent months global standard developing bodies and the browser vendors have in a joined effort developed and implemented many new major security capabilities in the browsers allowing web application developers to counter common security problems with comprehensive new mechanisms.  
 
This talk will be talking about:
 
*Channel protection: Securing SSL against Man-in-the-middle-attacks: New technologies - HTTP Strict Transport Security and and Pinning of Certs
 
*Protection against XSS and clickjacking: the future of X-Frame-Options and the Content Security Policy
 
 
 
The presented technologies are cutting edge and although some parts of the specifications are not final yet, they will be rolled-out in about 6 months time.
 
 
 
 
 
===What your CISO has not told you - Outbound security of cloud and enterprise web services===
 
'''Wong Onn Chee''' [https://owasp.org/images/4/4b/APAC13_Wong_Onn_Chee.pdf (Download the Presentation)]
 
 
 
This presentation will cover an important topic which no CISO ever mentions. Cloud and enterprise e-services are accessible 24x7 by anyone across the world, especially via mobile devices. Yet, efforts for past decades have sorely neglected the outbound risks of enterprise e-services and, in recent years, cloud and mobile services. Without outbound protection, incidents such as leaking private data, infecting visitors with malware and displaying defaced web pages are often reported by the press, damaging reputation and customer confidence. With tighter data privacy laws, many organisations are risking hefty legal penalties if they continue to neglect this risk area.
 
 
 
This talk will highlight the growing trend of web sites being used to leak information, transmit malware and display defaced content. The speaker will walk through a number of case studies and share with the audience on the lessons learnt from each case study. The speaker will also explain how the lack of outbound security protection contributed to the realized risk in each case study.
 
 
 
  
 +
=Registration and Fees=
 +
<font size=2pt>
  
= Open Source Projects =
+
==  Conference  ==  
  
==  ==
+
Free for OWASP China Member.
  
==OWASP Project Track Talks ==
+
Link to http://m.vcooline.com/app/activity_enrolls/new?aid=2569906&wxmuid=24361
  
===OWASP AppSensor the future of Application Security===
 
'''Dennis Groves''' [https://owasp.org/images/8/88/APAC13_Dennis_Groves.pdf (Download the Presentation)]
 
  
The OWASP AppSensor is commonly described as an application layer intrusion detection system. However, it is far more that this. It is also an architecture design pattern, as well as a development practice and an operations methodology. I propose the following outline for my talk:
+
==  Training  ==
 +
Mail to member@owasp.org.cn for training registration.
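Review bot: 'Link to http://m.vcooline.com/app/activity_enrolls/new?aid=2569906&wxmuid=24361' gives the reader no idea what the link is for, and the URL carries a wxmuid query parameter that looks account-specific; use descriptive link text such as [http://m.vcooline.com/... Register for the conference] and confirm the link works without that parameter. 'Free for OWASP China Member.' also leaves the fee for non-members unstated.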
  
#(describe) I will describe what OWASP AppSenor is and why you would want one.
 
#(design) I will give a brief talk about the principles of secure architecture and design.
 
# I will give a brief history of IDS and NIDS, their strengths and weaknesses.
 
# I will then discuss how how and where AppSensor fits into that history, and how it improves upon the past for example:
 
#(development) The concept in implementation is roughly analogous to an intrusion detection (and prevention) system in the network security world. However, this concept can be applied inside of an application in a more specific way that (importantly) reduces false positives, which is an issue that often plagues network intrusion detection systems. This means that the core of the AppSensor system performs detection, monitoring, and (possibly) response depending on configuration settings.
 
#(deployment) I will the discuss deployment and operation of AppSensor.
 
# I will then describe why I believe this is the most important development in application security, and why everbody will develop software this way by the end of the decade.
 
#I will then propose future developments and enhancements for the OWASP AppSensor
 
  
  
===Using ESAPI for Java to Build Secure Web Applications===
+
'''Please note that conference and training Registration is separate.'''
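Review bot: this line repeats '*Conference Registration is separate.' from the Note list under Training; keep it in one place, preferably here under Registration and Fees where a reader looks for it.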
'''Jim Manico''' [https://owasp.org/images/5/57/APAC13_Jim_Manico.pdf (Download the Presentation)]
 
 
 
We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Organizations around the world rely on web security services to maintain the safety of their websites in today’s hostile online environment. Website developers must also learn to code in a secure fashion to have any chance of providing organizations with proper defenses in the current threat-scape. The session will provide specific tips and guidelines to make website code both low risk and less vulnerable using the OWASP ESAPI for Java project.
 
 
 
  
 
= Venue  =
 
= Venue  =
 
<font size=2pt>
 
<font size=2pt>
AppSec APAC 2013 will be held at the [http://jeju.regency.hyatt.com Hyatt Regency] in Jeju, South Korea.
+
AppSec ASIA 2016 will be held at Hubei University, Wuhan, in China.
 
 
 
 
The conference training and talk will be held in the Regency Ballroom and Terrace Ballroom.  Exhibitor booths will be set up in the foyer outside the ballrooms on Thursday and Friday.
 
  
 +
==Hubei University==
  
[[Image:APAC13_Floorplan.JPG]]
+
Conference Center of HUBEI University
  
  
 +
Address: No.368 Youyi Avenue, Wuchang District, Wuhan, Hubei Province
  
= Registration and Fees =
 
<font size=2pt>
 
  
{{:AppSecAsiaPac2013/Register}}
 
  
 +
https://www.owasp.org/images/3/31/Hubei_University.jpg
 +
[[File:78380334258971128.png]]
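Review bot: 'Conference Center of HUBEI University' uses a different casing from the 'Hubei University' heading and the Venue sentence; use 'Hubei University' throughout. The campus photo is a bare https://www.owasp.org/images/... URL while the next image uses [[File:...]]; use the File: link form for both so they render the same way.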
  
 
= Sponsoring  =
 
= Sponsoring  =
 
<font size=2pt>
 
<font size=2pt>
We are looking for sponsors for 2013 edition of Global AppSec APAC.
+
We are looking for sponsors for AppSec ASIA 2016.
 
 
  
If you are interested to sponsor Global AppSec APAC 2013, please contact the conference team: [mailto:[email protected] [email protected]]
 
  
 +
If you are interested to sponsor AppSec ASIA 2016, please contact the conference team:[mailto:[email protected] [email protected]]
  
'''Sponsorship Deadline is January 15, 2013.'''
+
'''Sponsorship Deadline is April 10, 2016.'''
  
  
To find out more about the different sponsorship opportunities please check the document below: <br> [https://www.owasp.org/images/0/0b/AppSec_APAC_2013_Sponsorship_v2.pdf OWASP AppSec APAC 2013 Sponsorship Options - English] <br> 
+
To find out more about the different sponsorship opportunities please check the document below: <br>  
[https://www.owasp.org/images/7/78/AppSec_APAC_2013_Sponsorship_v3_kr.pdf OWASP AppSec APAC 2013 Sponsorship Options - Korean]
+
[https://www.owasp.org/images/4/43/OWASP_AppSec_ASIA_2016_Sponsorship_.pdf OWASP AppSec ASIA 2016 Sponsorship] <br>
<br>  
 
  
 +
===___Gold Sponsor___===
  
'''[https://www.owasp.org/images/5/51/Exhibitor_Kit_-_AppSec_APAC_2013.pdf Conference Exhibitor Information Pack]'''
 
  
 +
[[File:百度2.png]]  [[File:542523505630455198.jpg]]  [[File:小的.png]]
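Review bot: the sponsorship deadline 'April 10, 2016' has already passed at the time of this revision (6 May 2016); either update it or mark sponsorship as closed so that 'We are looking for sponsors for AppSec ASIA 2016.' is not misleading.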
  
 
= Travel and Accommodation  =
 
= Travel and Accommodation  =
 
<font size=2pt>
 
<font size=2pt>
  
For assistance with booking a flight or hotel, feel free to utilize OWASP's preferred travel agency:<br>
+
==Airport Transportation==
Segale Travel Service contact information is:  +1-800-841-2276 <br>
 
Sr. Travel Consultants:  <br>
 
[mailto:[email protected] Maria Martinez]...ext 524 <br>
 
[mailto:[email protected] Linn Vander Molen]...ext 520
 
  
 +
Wuhan Tianhe International Airport
  
Additionally, the [mailto:appsecapac2013@owasp.org Conference Planning Team] is available to answer any questions!
+
==Hotel==
 +
Galllery. F Hotel 玉丰国际酒店
  
 +
Address: Wuhan Central Cultural District of Wuhan City Second District Shochiku Road No.8, 430071<br>
 +
地址:武汉中央文化区-楚河汉街第二街区,松竹路8号,430071
  
== Accommodation  ==
+
Tel: +86 027 8733 7999
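Review bot: the English hotel address renders 松竹路 as 'Shochiku Road', which is the Japanese reading; the pinyin matching the Chinese line is 'Songzhu Road'. 'Galllery. F Hotel' also has a typo (three l's), and the phone number should drop the trunk 0 when written in international form: +86 27 8733 7999.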
  
 +
= Supporting Organization =
  
We've been able to arrange for special rates at the [http://jeju.regency.hyatt.com Hyatt Regency Jeju](where the training and conference will be held).
 
  
The special room rates are available two nights either side of the event ensuring that if you are travelling domestic or international it's easy to find a room at a good rate.  
+
[[File:888276149172680378.png]][[File:415120780601494188小.png]]
  
 
+
= Team =
'''Hyatt Regency Jeju'''<br>
 
114, Jungmungwangwang-ro 72 beon-gil, Seogwipo-si<br>
 
Jeju Special Self-Governing Province <br>
 
South Korea 697-130 <br>
 
 
 
Tel: +82 64 733 1234    Fax: +82 64 732 2039 <br>
 
Email: [email protected]<br>
 
 
 
 
 
[https://www.owasp.org/images/3/3f/HYATT_JEJU_ENGLISH_FACTSHEET.pdf Hotel Regency Information Sheet]
 
 
 
 
 
'''To book a room at the special rate:'''
 
*Add the room to your '''[http://sl.owasp.org/apac13_register online conference registration]''' or
 
*Complete the [https://www.owasp.org/images/3/39/2Revised_Reservation_Form_OWASP_EN.pdf  Hotel Booking Form] and fax or email to the address on the form. 
 
 
 
 
 
''Please notice that if you add the room to your conference registration, the rates are in USD and include all service fees and taxes.''
 
 
 
==Airport Transportation==
 
 
 
 
 
Jeju International Airport is approximately 40 minutes by car from the Hyatt Regency. [http://jeju.regency.hyatt.com/hyatt/hotels-jeju-regency/services/maps/index.jsp?icamp=propMapDirections Hotel Map & Directions]
 
 
 
 
 
'''Arrival by Airport Limousine Bus''' (''Recommended'')
 
 
 
The Airport Limousine Bus (Bus No.600) will be waiting at the Airport exit at all times during its operating hours of 6:20 am to 10:10 pm. The bus will leave the airport at 15 minute intervals, and will take around 50 minutes to reach the hotel’s main entrance. The price is KW 3,900 per person (less than $4 USD).
 
 
 
 
 
'''Arrival by private car'''
 
#Exit Jeju International Airport and enter Jungmun Highway.
 
#Follow the signs to Jungmun.
 
#Make a right from the junction where the wind power plant can be seen on the right.
 
#Go straight ahead to find the sign for the hotel.
 
#Follow the road indicated by the sign for Hyatt Regency Jeju.
 
 
 
 
 
'''Arrival by rental car'''
 
 
 
#Press the navigation code ‘4327’ for the rental car.
 
#Input the address: 3039-1 Saekdal-Dong Seogwipo-Si, Jeju Island.
 
#Input the telephone number: 064-733-1234.
 
 
 
 
 
 
 
==Parking at the Hyatt Regency Jeju==
 
Hyatt Regency Jeju offers the outdoor parking on hotel premises available to hotel guests at no charge.  
 
 
 
Complimentary valet parking is also available on request.  The hotel’s parking area is accessible 24 hours a day.
 
 
 
Information +82 64 735 8495
 
 
 
 
 
 
 
= Networking Events =
 
<font size=2pt>
 
We will be hosting a networking dinner with Korean-style food and beverages on Thursday evening, February 21 from 7:00pm to 9:00 pm at the Hyatt Regency Jeju. 
 
 
 
The cost of this dinner is approximately 53,000 KRW ($50 USD) and can be added to your '''[http://sl.owasp.org/apac13_register online conference registration]'''.
 
 
 
 
 
 
 
= Chapter Leader Workshop =
 
 
<font size=2pt>
 
<font size=2pt>
  
==About the Workshop==
+
==AppSec ASIA 2016 Conference Planning Team==
'''When:''' Wednesday evening, February 20th, from 6:30 to 9:30 pm <br>
+
* Miya Xu
'''Where:''' Hyatt Regency Jeju.''' 
+
* Ivy Zhang
 
+
* Xiaoli Tan
The Global Chapter Committee invites all chapter leaders to participate in the upcoming Chapter Leader Workshops at AppSec APAC 2013.
 
 
 
The Chapter Leader Workshop format will continue to follow the Q & A format used during AppSec USA and AppSec LATAM.  Questions  and discussion will focus on sections of the Chapter Leader Handbook, OWASP Global Chapter resources, and local chapter challenges.
 
 
 
 
 
Dinner will be provided for workshop participants.
 
 
 
 
 
==Register for the Workshop==
 
To confirm your participation in the event, '''[http://sl.owasp.org/apac13_register register for the conference]''' and be sure to select "Chapter Leader Workshop" as an optional registration item.
 
 
 
 
 
==Chapter Leader Sponsorships==
 
 
 
'''IMPORTANT DEADLINES'''
 
- January 7, 2013 - Appsec APAC Chapters Workshop sponsorships applications due<br>
 
- January 14 - Applicants notified of status
 
  
  
*If you need financial assistance* to attend the Chapter Leader Workshops please [http://owasp4.owasp.org/contactus.htm contact us] by the application deadline.
+
'''Do you want to volunteer for AppSec ASIA 2016?'''[mailto:2016@owasp.org.cn Conference Planning Team]
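Review bot: the bold question runs directly into the mailto link with no space between '?''' and '[mailto:', and the link text 'Conference Planning Team' does not tell the reader to send an email; add the space and phrase it as 'email the Conference Planning Team'.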
  
  
*  Priority of sponsorships will be given to those not covered by sponsorship to attend a previous workshop. Additionally, we are looking for new or struggling chapter leaders who need assistance kick starting their chapter.
+
==AppSec ASIA 2016 Volunteer Team==
 
 
*  When you apply for funding, please let us know *why we should sponsor you*. While we prefer that chapter leaders use their own chapter's funds before requesting a sponsorship, this is not a requirement for application.
 
 
 
*  If your chapter has fund but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).
 
 
 
 
 
==Questions==
 
If any questions, please [http://owasp4.owasp.org/contactus.htm contact us]
 
 
 
 
 
 
 
= Team  =
 
<font size=2pt>
 
 
 
==2013 AppSec APAC Conference Volunteer Team==
 
* Johnny Cho
 
* Yune Sung
 
* Hyung Geun Park
 
 
 
 
 
'''Do you want to volunteer for AppSec APAC 2013?''' [http://sl.owasp.org/apac2013_volunteer Click here to sign up]
 
  
* Ankit Giri
* Samit Anwer
  
 
==OWASP Staff Support==
 
* Sarah Baso
* Laura Grau
* Samantha Groves
 
 
* Kelly Santalucia
 
 
* Kate Hartmann
 
* Alison Shrader
* Noreen Whysel
  
  
  
Contact us at [mailto:appsecAPAC2013@owasp.org appsecAPAC2013@owasp.org]
Contact us at [mailto:2016@owasp.org.cn Conference Planning Team]
 
 
</font>
 
  
 
<headertabs />
 
 
{{:OWASP AppSec APAC 2013 Footer}}
 
 
 
[[Category:OWASP_AppSec_Conference]]
 

Latest revision as of 02:59, 6 May 2016




We are pleased to announce that the OWASP China-Mainland Chapter will host the OWASP AppSec ASIA 2016 in Wuhan, China. The event will be held on May 21, Saturday.


The OWASP AppSec ASIA 2016 will bring together application security experts and software engineers from all over the world. Industry and academia meet to discuss open problems and new solutions in web & mobile security.


In the age of Internet+, Global AppSec Asia 2016 brings together application security experts and software engineers from all around the world to explore security technologies for core platforms such as Web applications, the mobile Internet and the Internet of Things. Meanwhile, the sub-forum will focus on how to build cyber security training systems.


Who Should Attend AppSec ASIA 2016:

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interested in Improving IT Security


If you have any questions, please email the conference committee: 2016@owasp.org.cn


APPSEC ASIA 2016

Call for Paper

OWASP AppSec ASIA 2016 will bring together application security experts and software engineers from all over the world on May 21, 2016. Industry and academia meet to discuss open problems and new solutions in web & mobile security. For this event, we will invite application security researchers, thought leaders and developers worldwide to submit papers for presentations looking for “the next”, cutting edge research in the context of web applications, secure development, security management and privacy. Don't miss the opportunity to share and discuss your ideas and knowledge with other experts and practitioners.

Topics of interest include, but are not limited to:

  • Web Security
  • Mobile Security
  • Cloud Security, specifically secure Cloud Apps
  • Infrastructure security
  • Secure development
  • Application Security Testing
  • Privacy protection in web based apps
  • Emerging web technologies and associated security considerations
  • Security Trainings, Certificates and CTP

Papers should describe new ideas, new implementations, or experiences related to web & mobile security. We are glad to have some leading-edge topics and ideas as well as in-depth discussion in the conference. The conference planning team will review your submission based on a descriptive abstract of your intended presentation. Feel free to attach a preliminary version of your presentation if available, or any other supporting materials. Remember: the better your description is, the better our review will be.

Important dates:
Submission deadline: Mar 25, 2016.
Notification of acceptance: Mar 31, 2016.
Presentation PPT due: April 30, 2016.

To submit a proposal please use easy chair https://easychair.org/conferences/?conf=appsecasia2016wuhanc
To contact the conference planning team, please mail to 2016@owasp.org.cn
OWASP Speaker Agreement: https://www.owasp.org/index.php/Speaker_Agreement
We may be able to cover travel or accommodation costs.

Terms
By your submission you agree to the OWASP Speaker Agreement. OWASP values vendor neutrality. You need to use the OWASP presentation template and you’re not allowed to place marketing pitches in your slides. All presentation slides will be published on the conference website after the conference. Please make sure that any pictures and other materials in your slides don’t violate any copyrights. You are solely liable for copyright violations. You may choose any CC license for your slides, including CC0. OWASP does suggest open licenses.

Schedule

{| border="1"
! Time !! Duration (min) !! Topic !! Speaker !! Venue
|-
| 9:00-9:15 || 15 || Opening speech || || Main Hall
|-
| 9:15-9:45 || 30 || OWASP Mobile 2016 & Self-healing apps || Milan Singh Thakur || Main Hall
|-
| 9:45-10:15 || 30 || Testing next-gen iOS apps || Prateek Gianchandani || Main Hall
|-
| 10:15-10:30 || 15 || Coffee & Tea Break || || Lobby
|-
| 10:30-11:00 || 30 || Big problems with big data - Hadoop interfaces security || Jakub Kaluzny || Main Hall
|-
| 11:00-11:30 || 30 || OWASP CISO Survey Report – Tactical Insights for Managers || Tobias Gondrom || Main Hall
|-
| 11:30-12:00 || 30 || OWASP Top 10: Effectiveness of Web Application Firewalls || David Caissy || Main Hall
|-
| 12:00-14:00 || 120 || LUNCH || || N/A
|-
| 14:00-14:30 || 30 || Security Research on Android Hardware Isolation and Fingerprint Applications || 顾凌志 || Main Hall
|-
| 14:30-15:00 || 30 || Cloud-ids: Intelligent Web Intrusion Detection and Threat Awareness || 刘焱 || Main Hall
|-
| 15:00-15:30 || 35 || IT Security Risks and Crises Facing the Enterprise AppLayer || Dixon Ho || Main Hall
|-
| 15:30-15:50 || 20 || Coffee & Tea Break || || Lobby
|-
| 15:50-16:20 || 30 || Security Analysis of Driverless Cars || 云朋 || Main Hall
|-
| 16:20-16:50 || 30 || Engineering better security || Collin Chang || Main Hall
|-
| 16:50-17:20 || 30 || Server-side Security Protection for Mobile Internet Applications || 权小文 || Main Hall
|-
| 14:00-14:40 || 40 || Capture-the-Flag Secrets || Ivan Butler || Talent Development Sub-forum
|-
| 14:40-15:15 || 35 || A Preliminary Exploration of Source Code Security Education in Universities || 张䶮 || Talent Development Sub-forum
|-
| 15:15-15:50 || 35 || A New Model for Training Security Talent || Rip || Talent Development Sub-forum
|-
| 15:50-16:10 || 20 || Coffee & Tea Break || || Lobby
|-
| 16:10-16:45 || 35 || From Software Engineer to Software Security Manager || 王文君 || Talent Development Sub-forum
|-
| 16:45-17:20 || 10 || Practice in Training High-end Information Security Talent || 张绍浪 || Talent Development Sub-forum
|-
| 17:20-17:30 || 10 || Closing speech || || Main Hall
|}


Milan Singh Thakur

  • OWASP Mobile 2016 & Self-healing apps
  • Main Hall

Milan is very passionate about Information Security and is an international speaker. He leads the OWASP Mobile Security Project globally, under which the Mobile AppSec Guide, Checklist and various Cheat Sheets are being developed. He also works as an Information Security Consultant for a private firm in India. His primary focus is Mobile Security. He has helped to secure mobile apps for various well-known clients in banking, insurance, health, e-commerce and other sectors. Recently he has done a penetration test of the Apple iWatch for a client. He has expertise in fields such as secure code review, NFC pentesting, Web AppSec, VAPT activities, wireless pentesting, payment gateway security assessments and a lot more. His scope of exploration is not limited to these technologies. He is a strong supporter of the “Open-Source” movement and has been promoting it since 2010.


Prateek Gianchandani

  • Testing next-gen iOS apps
  • Main Hall

An OWASP member and contributor, he has been working in the infosec industry for over 5 years. During those five years he has performed a number of penetration tests on mobile and web applications and has also developed a number of applications for the App Store. His core focus areas are mobile pentesting and embedded device hacking. He is also the author of the open source vulnerable application named Damn Vulnerable iOS App. He has presented and trained at conferences such as DEF CON, Black Hat USA, BruCON, Hack in Paris and PHDays.



Jakub Kaluzny

  • Big problems with big data - Hadoop interfaces security
  • Main Hall

A Senior IT Security Consultant at SecuRing, he performs penetration tests of high-risk applications, systems and devices. He has been a speaker at many international IT Security conferences (OWASP AppSec EU, BlackHat Asia, PHDays, CONFidence, HackInTheBox AMS) as well as at local events. He previously worked for the European Space Agency and an internet payments intermediary. Apart from testing applications, he digs into proprietary network protocols, embedded devices and other enterprise solutions.



Tobias Gondrom

  • OWASP CISO Survey Report 2015 – Tactical Insights for Managers
  • Main Hall

CTO Security for a global IT company. Chairman of the Board of OWASP, Chair of the IAOC. Experience as Head of Information Security, Chief Information Security Officer (CISO), IT Risk Management, Governance & Compliance, Head of Software Development and CTO, managing in global, multinational and complex organisations; change management, project management, M&A, strategy, architecture, SDLC, software development processes and standards. CCISO, CISSP, CSSLP.


David Caissy

  • OWASP Top 10: Effectiveness of Web Application Firewalls
  • Main Hall

David Caissy, M. Sc., OSCP, GWAPT, GPEN, GSEC, CISSP, CEH is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, various government agencies and private companies. David has been teaching web application security in colleges, conferences and for many government agencies over the last 15 years.



顾凌志

  • Security Research on Android Hardware Isolation and Fingerprint Applications
  • Main Hall


Senior security expert at Huawei and one of the founders of Huawei's SDL practice; skilled in security architecture design and threat modeling; has long been engaged in the analysis and research of business security in the mobile, virtualization and communications domains.



刘焱

  • Cloud-ids: Intelligent Web Intrusion Detection and Threat Awareness
  • Main Hall

刘焱, senior architect in Baidu's Cloud Security department, graduated from Huazhong University of Science and Technology and has nearly ten years of experience in first-party security defense at BAT-level Internet companies. He has led or participated in almost all of Baidu's internal security monitoring and protection projects, with a proactive detection rate for hacker intrusions exceeding 80%. He holds several national information security patents, has published multiple papers in domestic and international academic journals and conferences, and the security products whose development he led are used by more than ten medium and large Internet companies at home and abroad.



Dixon Ho

  • IT Security Risks and Crises Facing the Enterprise AppLayer
  • Main Hall

Chair of the ISACA Beijing Affairs Committee and Deputy Director of the Information Security Professional Committee of the China Informatization Promotion Alliance; has managed Microsoft's information security domain in Greater China for more than 8 years. In 2008 he served as security advisor for the Beijing Municipal Administration Commission's Olympic city operations command platform. Time in the information security field: about 20 years.



云朋

  • Security Analysis of Driverless Cars
  • Main Hall



常颢 Collin Chang

  • Engineering better security
  • Main Hall

35 years old, based in Shanghai. Currently works at Raid7. Graduated from Fudan University, with 12 years of security experience. Previously worked at Venustech, McAfee, TippingPoint (HP ESP) and Palo Alto Networks. He is also a PMP and has taken part in several large projects in eastern China. Familiar with anti-virus, IPS/IDS, NGFW and vulnerability management solutions.



权小文

  • Server-side Security Protection for Mobile Internet Applications
  • Main Hall

Born in 1978, a native of Shaanxi; graduated from Tsinghua University with a master's degree and was awarded the title of Senior Engineer in 2005. He has 4 years of technical and management experience at a large state-owned enterprise, 6 years of technical and management experience at a multinational company, 5 years of domestic entrepreneurship experience and 15 years in information security. He holds 5 invention patents related to network security and 18 software copyrights, has participated in 6 major national research projects and in drafting one national standard related to network security, and works mainly in information security product R&D, technical management and product line management. The Web security product series whose development he led holds more than 30% of the domestic market and is exported to the United States, India, Dubai and other countries. The company he founded, 远江盛邦(北京)网络安全科技股份有限公司, has applied to the National Equities Exchange and Quotations system and was officially listed on the New Third Board on April 14, 2016.



Ivan Butler

  • Capture-the-Flag Secrets
  • Talent Development Sub-forum

Founder and CEO of Compass Security, a leading Swiss ethical hacking and penetration testing company. Speaker @ BlackHat Las Vegas 2008, IT Underground Warsaw 2009, Unistrategic Singapore 2010 and organizer of Swiss Cyber Storm Security Conference since 2007.



张䶮

  • A Preliminary Exploration of Source Code Security Education in Universities
  • Talent Development Sub-forum



Rip

  • A New Model for Training Security Talent
  • Talent Development Sub-forum

Leader of OWASP China.



王文君

  • From Software Engineer to Software Security Manager
  • Talent Development Sub-forum

Global security technology lead at HP Enterprise Software, responsible for the overall security of a software product line with annual revenue of USD 1 billion and for the implementation of the SDL (secure software development lifecycle) within the company. Leader of the OWASP Shanghai chapter, senior CWASP instructor, holder of the CSSLP and CISSP certifications, and one of the authors of 《Web应用安全威胁与防治》 (Web Application Security Threats and Countermeasures).



张绍浪

  • Practice in Training High-end Information Security Talent
  • Talent Development Sub-forum

13 years in information security, for many years engaged in the R&D and industrialization of information security products, and familiar with domestic and international network security technology; founder of 北京易霖博信息技术 (Beijing Yilinbo Information Technology) and founder of the 红客训练营 (Honker Training Camp). The company was founded in 2013 and under his leadership has grown from a handful of people to a team of 50, including 35 R&D staff, and has run dozens of national and provincial competitions.

{| border="1"
! Course Name !! Trainer !! Course Length !! Course Date(s) !! Language !! Price
|-
| OWASP Top 10 Effective Safeguards || David Caissy || 4H || May 20, 8:30-12:00 || English || RMB 1500
|-
| Mobile Application Security || Prateek Gianchandani || 4H || May 20, 14:30-18:30 || English || RMB 1500
|}

Note

  • Price per attendee.
  • 15% off for OWASP Senior Members
  • 15% off for groups of more than 10
  • Conference Registration is separate.

Conference

Free for OWASP China Member.

Register at http://m.vcooline.com/app/activity_enrolls/new?aid=2569906&wxmuid=24361


Training

Mail to [email protected] for training registration.


Please note that conference and training registration are separate.

AppSec ASIA 2016 will be held at Hubei University, Wuhan, in China.

Hubei University

Conference Center of HUBEI University


Address: No.368 Youyi Avenue, Wuchang District, Wuhan, Hubei Province



We are looking for sponsors for AppSec ASIA 2016.


If you are interested in sponsoring AppSec ASIA 2016, please contact the conference team: 2016@owasp.org.cn

Sponsorship Deadline is April 10, 2016.


To find out more about the different sponsorship opportunities please check the document below:
OWASP AppSec ASIA 2016 Sponsorship

Gold Sponsor

[Gold sponsor logos]

Airport Transportation

Wuhan Tianhe International Airport

Hotel

Gallery F Hotel (玉丰国际酒店)

Address: Wuhan Central Cultural District of Wuhan City Second District Shochiku Road No.8, 430071
Address (from the Chinese): Wuhan Central Cultural District, Chuhe Hanjie Second Block, No. 8 Songzhu Road, 430071

Tel: +86 027 8733 7999


AppSec ASIA 2016 Conference Planning Team

  • Miya Xu
  • Ivy Zhang
  • Xiaoli Tan


Do you want to volunteer for AppSec ASIA 2016? Contact the Conference Planning Team at 2016@owasp.org.cn.


AppSec ASIA 2016 Volunteer Team

  • Ankit Giri
  • Samit Anwer

OWASP Staff Support

  • Laura Grau
  • Kelly Santalucia
  • Kate Hartmann
  • Noreen Whysel


Contact us at 2016@owasp.org.cn (Conference Planning Team).