Difference between revisions of "Italy OWASP Day 4"

Latest revision as of 12:46, 22 January 2010

WELCOME

Introduction

Welcome to the OWASP Day IV Italy Conference for 2009. Following on from the great success of last OWASP Days, the new conference has taken place in November 2009 in Milan.

Organization and goals:

The event showed several points of discussion: we presented the state of the art of the Secure Software Initiatives and technical speeches about the new researches in Application Security.
As conclusion of the day, we organized a round table discussing the most interesting subjects came out during the event.
Conference goal is creating a debate on which will be the evolution of the research for the Web Application Security, and how to start a secure software initiative.

References:

"Avete finito di imbottire le vostre reti di firewall e altre diavolerie simili? Allora è tempo di cambiare prospettiva e rendersi conto che oggi, dopo aver messo in sicurezza il perimetro dei nostri sistemi informativi, le minacce più serie provengono dalle nostre stesse applicazioni che, a volte, non sono progettate ed implementate, tenendo conto delle migliori pratiche di sviluppo di software sicuro. In questo campo l’OWASP rappresenta un punto di riferimento costante ed una miniera di informazioni e strumenti, ed al Ministero dell’Istruzione, Università e Ricerca abbiamo imparato ad apprezzarne i materiali e le informazioni disponibili sul suo sito web, nell’ambito del nostro gruppo che si occupa di sicurezza del sistema informativo. Per conoscere le iniziative dell’OWASP, avere un’anteprima delle principali novità in tema di sicurezza del software, incontrare i maggiori esperti in questo settore, partecipate all’OWASP DAY – ITALY IV il 6 novembre prossimo a Milano, sarà un’occasione utilissima di approfondimento."
Paolo De Santis – Dirigente della Direzione Generale per gli Studi, la Statistica ed i Sistemi Informativi del MIUR

“L’OWASP Day è il luogo e il momento per incontrare altri professionisti e appassionati del settore. E’ un’opportunità per conoscere direttamente dai protagonisti le metodologie, le tecniche e gli ambiti di ricerca nel mondo della sicurezza applicativa divenuto ormai il fattore principale, insieme a quello umano, nel campo dell’Information Security. “
Massimo Trevisani—CSO IWBank

"Le conferenze OWASP in Italia rappresentano un momento importante di awareness sulla sicurezza applicativa. L'evento rappresenta un punto di riferimento in cui i professionisti dell'IT possono valutare nuovi approcci allo sviluppo sicuro del software e alla difesa delle proprie applicazioni on-line"
Marco Bavazzano—CISO Telecom Italia

Key Speakers:

Marco Morana — CISO Citigroup
Marco Morana serves the OWASP organization by leading the USA Cincinnati chapter and he is a key contributor of many OWASP projects. Marco works as Technology Information Security Officer for a large financial organization in North America with responsibilities in the definition of the software security coding standards, management of security assessments during the SDLC related to application security. The aim of this presentation is help application security practitioners such as project managers and information security officers to make business cases for software security initiatives. The presentation will first introduce the need to position the organization’s Software Security Initiatives with respect to software security models such as BSIMM and SAMM. In order to create the business case for software security it is essential to make the case for business (e.g. costs) as well as security (e.g. engineering, vulnerability management).

Tobias Christen — CTO, DSwiss Ltd
Tobias began his career in a research team of a swiss bank specializing in new internet technologies. He then went on to join a leading international security-software company - Stonesoft - where he served as Head of R&D, Head of Product Management, and CTO of the company. For several years Tobias was working at Zurich Financial Services where he built up a new security architecture, and developing their IT risk strategy. In early 2008 Tobias joined DSwiss as CTO. In this presentation we look at some typical usability versus security mistakes. We see examples where lack of usability in security controls resulted in work arounds from users, and we also see typical examples where lack of security is blindly accepted. We discuss what is considered "acceptable" security by the general audience and discuss technologies that have a better usability versus security tradeoff.

Official invitation

Agenda & Presentations

9:00h	Registration
9.30h	Introduction to the OWASP-Day Matteo Meucci - OWASP-Italy Chair, CEO Minded Security
9.50h	How to Create Business cases for Your Software Security Initiative Marco Morana — CISO, Citigroup
10.30	OWASP SAMM / Open Software Assurance Maturity Model Claudio Merloni — Software Security Consultant, Fortify Software
11.10h	Coffee break
11.40h	From Web Attacks to Malware. Can Secure Software Development Help Internet Banking Security? Giorgio Fedon — COO, Minded Security
12.20h	Usability versus security: securing Internet facing applications while keeping them highly attractive for everybody (ENG) Tobias Christen — CTO, DSwiss Ltd
13.00h	Business Lunch
14.00h	NoScript, CSP and ABE: When the Browser Is Not Your Enemy Giorgio Maone — CTO, InformAction
14.40h	Building Security In Maturity Model: A Review of Successful Software Security Programs (ENG) Gabriele Giuseppini — Technical Manager, Cigital
15.20h	The art of code reviewing Paolo Perego — Senior Consultant, Spike Reply
16.00h	Round Table: Why Software Security is not a priority in our digital world? Marco Morana, Citigroup - Carlo Merloni, Fortify - Gabriele Giuseppini, Cigital, Mauro Bregolin, Kima Projects & Services - Stefano Di Paola, Minded Security Chairman Raoul Chiesa, MediaService

Photos & Videos

All the photos of the Conference are available here

@@ Line 1: / Line 1: @@
 [http://www.owasp.org/index.php/Italy Back to the Italian Chapter]
-<center>'''OWASP Day IV:  "Secure Software Initiatives"'''</center>
+<center>
+[[File:OWASPDayIV.png]]
+</center>
 ==== WELCOME ====
-=== Introduction ===
+'''Introduction'''
-Welcome to the OWASP Day IV Italy Conference for 2009. Following on from the great success of last OWASP Days the forth conference will take place in November 2009 in Milan.
-Organization and goals:
+Welcome to the OWASP Day IV Italy Conference for 2009. Following on from the great success of last OWASP Days, the new conference has taken place in November 2009 in Milan.
-* The event will show several points of discussion: we will present the state of the art of the Secure Software Initiatives and technical speeches about the new researches in Application Security.
-* As conclusion of the day, we organize a round table discussing the more interesting subjects come out during the event.
-* Conference goal is that to create a debate on which will be the evolution of the research for the Web Application Security, and how to start a secure software initiative.
-==== Call For Paper ====
+'''Organization and goals:'''
-=== Contributions and review process ===
+* The event showed several points of discussion: we presented the state of the art of the Secure Software Initiatives and technical speeches about the new researches in Application Security.
+* As conclusion of the day, we organized a round table discussing the most interesting subjects came out during the event.
+* Conference goal is creating a debate on which will be the evolution of the research for the Web Application Security, and how to start a secure software initiative.
-OWASP solicit contributions on the above topics, or general matters of interest to the community. Those who are interested in participating as speakers to the conference can submit an abstract of the speech to the OWASP-Italy Board by email at owasp-[email protected]. The email subject must be “OWASP Day 4: CFP” and  the email body must contains the following information/sections:
+'''References:'''
+----
-* Name and Surname
+"Avete finito di imbottire le vostre reti di firewall e altre diavolerie simili? Allora è tempo di cambiare prospettiva e rendersi conto che oggi, dopo aver messo in sicurezza il perimetro dei nostri sistemi informativi, le minacce più serie provengono dalle nostre stesse applicazioni che, a volte, non sono progettate ed implementate, tenendo conto delle migliori pratiche di sviluppo di software sicuro. In questo campo l’OWASP rappresenta un punto di riferimento costante ed una miniera di informazioni e strumenti, ed al Ministero dell’Istruzione, Università e Ricerca abbiamo imparato ad apprezzarne i materiali e le informazioni disponibili sul suo sito web, nell’ambito del nostro gruppo che si occupa di sicurezza del sistema informativo. Per conoscere le iniziative dell’OWASP, avere un’anteprima delle principali novità in tema di sicurezza del software, incontrare i maggiori esperti in questo settore, partecipate all’OWASP DAY – ITALY IV il 6 novembre prossimo a Milano, sarà un’occasione utilissima di approfondimento."<br>
-* Affiliation
+'''Paolo De Santis – Dirigente della Direzione Generale per gli Studi, la Statistica ed i Sistemi Informativi del MIUR'''<br><br>
-* Address
-* Telephone number
-* email address
-* list of the author’s previous papers/articles/speeches on the same topics
-* Title of the contribution
-* Type of contribution: Technical or Informative
-* Abstract (max one A4 style page)
-* Why the contribution is relevant for OWASP-Italy Day 4
-The submission will be reviewed by the OWASP-Italy Board and the 8-9 most interesting ones will be selected and invited for presentation
+“L’OWASP Day è il luogo e il momento per incontrare altri professionisti e appassionati del settore. E’ un’opportunità per conoscere direttamente dai protagonisti le metodologie, le tecniche e gli ambiti di ricerca nel mondo della sicurezza applicativa divenuto ormai il fattore principale, insieme a quello umano, nel campo dell’Information Security. “<br>
+'''Massimo Trevisani—CSO  IWBank'''<br><br>
+"Le conferenze OWASP in Italia rappresentano un momento importante di awareness sulla sicurezza applicativa. L'evento rappresenta un punto di riferimento in cui i professionisti dell'IT possono valutare nuovi approcci allo sviluppo sicuro del software e alla difesa delle proprie applicazioni on-line"<br>
+'''Marco Bavazzano—CISO Telecom Italia'''<br><br>
-==== Venue ====
+'''Key Speakers:'''
+----
-TBD
+'''Marco Morana —  CISO Citigroup'''<br>
+Marco Morana serves the OWASP organization by leading the USA Cincinnati chapter  and he is a key contributor of many OWASP projects. Marco works as Technology Information Security Officer for a large financial organization in North America with responsibilities in the definition of the software security coding standards, management of security assessments during the SDLC related to application security.
+The aim of this presentation is help application security practitioners such as project managers and information security officers to make business cases for software security initiatives. The presentation will first introduce the need to position the organization’s Software Security Initiatives with respect to software security models such as BSIMM and SAMM.  In order to create the business case for software security it is essential to make the case for business (e.g. costs) as well as security (e.g. engineering, vulnerability management).
+'''Tobias Christen  — CTO, DSwiss Ltd'''<br>
+Tobias began his career  in a research team of a swiss bank specializing in new internet technologies. He then went on to join a leading international security-software company - Stonesoft - where he served as Head of R&D, Head of Product Management, and CTO of the company. For several years Tobias was working at Zurich Financial Services where he built up a new security architecture, and developing their IT risk strategy. In early 2008 Tobias joined DSwiss as CTO.
+In this presentation we look at some typical usability versus security mistakes. We see examples where lack of usability in security controls resulted in work arounds from users, and we also see typical examples where lack of security is blindly accepted. We discuss what is considered "acceptable" security by the general audience and discuss technologies that have a better usability versus security tradeoff.  <br>
-==== OWASP-Day Sponsors====
+[http://www.owasp.org/images/a/ab/InvitoOWASPDay4.pdf Official invitation]
-If you want to become a Sponsor of the Initiative, please drop an email to:  [mailto:[email protected] Matteo Meucci]
-'''Platinum Sponsors:'''
+==== Sponsors====
+If you want to become a Sponsor of the Initiative, please drop an email to:  [mailto:[email protected] Matteo Meucci]
 '''Gold Sponsors:'''
+<center>
+[http://www.fortifysoftware.com http://www.owasp.org/images/b/b2/FortifyNew.JPG]
+[http://www-306.ibm.com/software/awdtools/appscan/standard/ http://www.owasp.org/images/8/84/IBM.png][http://www-306.ibm.com/software/awdtools/appscan/standard/ http://www.owasp.org/images/8/8e/Rational.gif]
+[http://www.vasco.com http://www.owasp.org/images/c/cb/Vasco.jpg]
+</center>
-==== Conference Schedule ====
+'''Silver Sponsors:'''
+==== Agenda & Presentations ====
 <center>
 <table width="80%">
 <tr>
-<td width=4%>8:30h</td><td bgcolor="#BCA57A" width=*><b>Registration</b></td>
+<td width=4%>9:00h</td><td bgcolor="#BCA57A" width=*><b>Registration</b></td>
 </tr>
 <tr>
-<td valign=top>9.00h</td><td bgcolor="#eeeeee"></td>
+<td valign=top>9.30h</td><td bgcolor="#eeeeee">[http://www.owasp.org/images/7/7b/OWASP-Italy_Day_IV_Meucci.pdf '''Introduction to the OWASP-Day'''] <br>Matteo Meucci - OWASP-Italy Chair, CEO Minded Security</td>
 </tr>
 <tr>
-<td valign=top>9.20h</td><td bgcolor="#b9c2dc"></td>
+<td valign=top>9.50h</td><td bgcolor="#b9c2dc">[http://www.owasp.org/images/7/7b/OWASP-Italy_Day_IV_Morana.pdf '''How to Create Business cases for Your Software Security Initiative''']<br>
+Marco Morana — CISO, Citigroup</td>
 </tr>
 <tr>
-<td valign=top>09.45h</td><td bgcolor="#eeeeee"></td>
+<td valign=top>10.30</td><td bgcolor="#eeeeee">[http://www.owasp.org/images/f/fd/OpenSAMM-1.0_Merloni.pdf '''OWASP SAMM / Open Software Assurance Maturity Model''']<br>
+Claudio Merloni — Software Security Consultant, Fortify Software</td>
 </tr>
 <tr>
-<td valign=top>10.30h</td><td bgcolor="#BCA57A"><b>Coffe break</b></td>
+<td valign=top>11.10h</td><td bgcolor="#BCA57A"><b>Coffee break</b></td>
 </tr>
 <tr>
-<td valign=top>11.00h</td><td bgcolor="#b9c2dc"></td>
+<td valign=top>11.40h</td><td bgcolor="#b9c2dc">[http://www.owasp.org/images/9/9a/Owasp_Day_IV_Fedon.pdf '''From Web Attacks to Malware. Can Secure Software Development Help Internet Banking Security?''']<br> Giorgio Fedon — COO, Minded Security</td>
 </tr>
 <tr>
-<td valign=top>11.30h</td><td bgcolor="#eeeeee"></td>
+<td valign=top>12.20h</td><td bgcolor="#eeeeee">[http://www.owasp.org/images/e/e0/UsableSecurity.pdf '''Usability versus security: securing Internet facing applications while keeping them highly attractive for everybody (ENG)''']<br>Tobias Christen  — CTO, DSwiss Ltd</td>
-</tr>
-<tr>
-<td valign=top>12.15h</td><td bgcolor="#eeeeee"></td>
 </tr>
 <tr>
@@ Line 84: / Line 88: @@
 </tr>
 <tr>
-<td valign=top>14.00h</td><td bgcolor="#b9c2dc"></td>
+<td valign=top>14.00h</td><td bgcolor="#b9c2dc">[http://www.owasp.org/images/5/50/OWASP-Italy_Day_IV_Maone.pdf '''NoScript, CSP and ABE: When the Browser Is Not Your Enemy''']<br>
+Giorgio Maone — CTO, InformAction</td>
 </tr>
 <tr>
-<td valign=top>14.30h</td><td bgcolor="#b9c2dc"></td>
+<td valign=top>14.40h</td><td bgcolor="#eeeeee">[http://www.owasp.org/images/1/12/OWASP-Italy_Day_IV_Giuseppini.pdf '''Building Security In Maturity Model: A Review of Successful Software Security Programs (ENG)''']<br>
+Gabriele Giuseppini — Technical Manager, Cigital</td>
 </tr>
 <tr>
-<td valign=top>15.00h</td><td bgcolor="#eeeeee"></td>
+<td valign=top>15.20h</td><td bgcolor="#b9c2dc">[http://www.owasp.org/images/d/da/Perego_code_reviewing.pdf '''The art of code reviewing''']<br>Paolo Perego — Senior Consultant, Spike Reply</td>
-</tr>
-<tr>
-<td valign=top>15.30h</td><td bgcolor="#BCA57A"><b>Coffe break</b></td>
-</tr>
-<tr>
-<td valign=top>16.00h</td><td bgcolor="#b9c2dc"></td>
-<tr>
-<td valign=top>16.30h</td><td bgcolor="#eeeeee"></td>
 </tr>
 <tr>
-<td valign=top>17:00h</td><td bgcolor="#eeeee1"></td>
+<td valign=top>16.00h</td><td bgcolor="#eeeeee">'''Round Table: Why Software Security is not a priority in our digital world?'''<br>
+Marco Morana, Citigroup - Carlo Merloni, Fortify - Gabriele Giuseppini, Cigital, Mauro Bregolin, Kima Projects & Services - Stefano Di Paola, Minded Security<br>Chairman Raoul Chiesa, MediaService</td>
 </tr>
 </table>
 </center>
-==== REGISTRATION ===
-The conference is open to all attendees for free (coffee break and business lunch are included) but it requires (mandatory) registration.
-In order to guaranty a well organized event,  the unregistered attendees will not be allowed to access the conference.
-To register at the conference please send an email to  [mailto:[email protected] OWASP-Italy] fill your information at the following form:<br>
-- Name, Surname
-- Email, Company
+==== Photos & Videos ====
-==== Call For Sponsorships (OPEN) ====
+All the photos of the Conference are available [http://www.owaspitaly.org/Owasp_Day_IV/Photos/index.html here]
-The aims of OWASP-Italy community is to guarantee access to the conference for free in order to allow for wide participation and empower the community itself. As so the OWASP-Italy community encourages Industries, Research Institutions and Individuals to sponsor their activities and events.
-Three types of sponsorships are available:
-* Silver sponsorship: 1500 euro. It Includes: the publication of the sponsor logo on the web site
-*Gold Sponsorship: 2500 euro. It includes: the publication of the sponsor logo in the agenda, on the web site, on the flyers and in all the official communications with the attendees at the conference. The possibility to distribute the Company brochures, CDs or other materials to the participants during the event.
-* Platinum Sponsorship: 3000 euro. It includes: the gold sponsorship, dedicated space for the Company to show their offering to the attendees.
-Those who are interested in sponsoring OSWAP-Italy Day III Conference can contact the
+You can see all the videos of the conferences at the following URLs:
-OWASP Italy Day IV Organizing Committees:<br>
+<br>
-Voice : +393283019559
+- Matteo Meucci <br>
-Mail: [mailto:owasp-italy@owasp.org OWASP-Italy]
+http://www.owaspitaly.org/Owasp_Day_IV/Video_Hires/1%20-%20Meucci/1%20-%20Meucci.html
+<br>
+- Marco Morana <br>
+http://www.owaspitaly.org/Owasp_Day_IV/Video_Hires/2%20-%20Morana/2%20-%20Morana.html<br>
+http://www.owaspitaly.org/Owasp_Day_IV/Video_Hires/2%20-%20Morana/Owasp-Day%20PA/OWASP_Day_4_Italy_11_6_0_reduced.mp4<br>
+http://www.owaspitaly.org/Owasp_Day_IV/Video_Hires/2%20-%20Morana/Owasp-Day%20PA/OWASP_Day_E_Gov_Italy_11_5_09_reduced.mp4
+<br>
+- Claudio Merloni <br>
+http://www.owaspitaly.org/Owasp_Day_IV/Video_Hires/3%20-%20Merloni/3%20-%20Merloni.html
+<br>
+- Giorgio Fedon<br>
+http://www.owaspitaly.org/Owasp_Day_IV/Video_Hires/4%20-%20Fedon/4%20-%20Fedon.html
+<br>
+- Tobias Christen<br>
+http://www.owaspitaly.org/Owasp_Day_IV/Videos/5%20-%20Christen/5%20-%20Christen.html
+<br>
+- Giorgio Maone<br>
+http://www.owaspitaly.org/Owasp_Day_IV/Video_Hires/6%20-%20Maone/6%20-%20Maone.html
+<br>
+- Gabriele Giuseppini<br>
+http://www.owaspitaly.org/Owasp_Day_IV/Video_Hires/7%20-%20Giuseppini/7%20-%20Giuseppini.html
+<br>
+- Paolo Perego<br>
+http://www.owaspitaly.org/Owasp_Day_IV/Video_Hires/8%20-%20Perego/8%20-%20Perego.html
+<br>
+- Round Table<br>
+http://www.owaspitaly.org/Owasp_Day_IV/Video_Hires/9%20-%20Tavola%20Rotonda/9%20-%20Tavola%20Rotonda.html
-==== Important dates ====
-* Contributions submission deadline: 			21st September 2009
-* Communication of acceptance for contributions: 	10th October 2009
-* Registration deadline: 				XX November 2009
-* Conference Agenda due: 				XX October 2009
-* Conference date: 					XX November 2009

Difference between revisions of "Italy OWASP Day 4"

Latest revision as of 12:46, 22 January 2010

WELCOME

Sponsors

Agenda & Presentations

Photos & Videos

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools