
Difference between revisions of "AppSecEU08 The OWASP ESAPI project"

Previous revision (edit summary: "talk details for Owasp Europe"):

Here is an abstract for the keynote...

Software Security: State of the Practice 2008

Using the framework described in my book “Software Security: Building Security In”---built around the three pillars of software security: risk management, the touchpoints, and knowledge---I will discuss and describe the state of the practice. This talk is peppered with real data from the field, based on my work with several large financial services companies as a Cigital consultant. Really, the software security field is just getting started, but we are making important forward progress, and the future looks bright.

URL: http://www.swsec.com

Here is the other abstract

Exploiting Online Games

The talk, based on a book of the same title (co-authored by Greg Hoglund), exposes the inner workings of online game security for all to see, drawing illustrations from MMORPGs such as World of Warcraft to discuss:

* Why online games are a harbinger of software security issues to come
* How millions of gamers have created billion dollar virtual economies
* How game companies invade your privacy
* Why some gamers cheat
* Techniques for breaking online game security
* How to build a bot to play a game for you
* Methods for total conversion and advanced mods

But ultimately this talk is about security problems associated with advanced massively distributed software. With hundreds of thousands of interacting users, today's online games are a bellwether of modern software yet to come. The kinds of attack and defense techniques I describe are tomorrow's security techniques on display today.

And here is the BIO

BIO

Gary McGraw, Ph.D.
CTO, Cigital

company: www.cigital.com
podcast: www.cigital.com/silverbullet
blog: www.cigital.com/justiceleague
book: www.swsec.com
personal: www.cigital.com/~gem

Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of six best selling books on this topic. The latest, Exploiting Online Games, was released in 2007. His other titles include Java Security, Building Secure Software, Exploiting Software, and Software Security; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 90 peer-reviewed scientific publications, authors a monthly security column for darkreading.com, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean’s Advisory Council for the School of Informatics. Gary is an IEEE Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine.


Latest revision as of 19:27, 15 April 2008

Title: Fundamental Application Security Building Blocks - The Benefits of Establishing an Enterprise Security API (ESAPI) for Your Organization

Nobody would trust the safety of a car built by people with no safety experience from parts they designed and made themselves or found lying around. Trying to build secure applications without solid vetted security controls is similarly impossible. To solve this problem, we have created the OWASP ESAPI project. In this talk, Dave Wichers will show you how to create an ESAPI for your organization that will solve the OWASP Top Ten vulnerabilities, give you something concrete to measure, and dramatically cut costs all at the same time.

The ESAPI is a free and open collection of all the security methods that a developer needs to build a secure web application. You can just use the interfaces and build your own implementation using your company's infrastructure. Or, you can use the reference implementation as a starting point. In concept, the API is language independent. However, the first deliverables from the project are a Java API and a Java reference implementation. Efforts to build ESAPI in .NET and PHP are already underway.

About the Speaker: Dave Wichers is a cofounder and Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services. Dave is also a member of the OWASP board, is the OWASP Conferences Chair, and is a coauthor of the OWASP Top Ten. OWASP is a worldwide free and open community focused on improving the security of application software. Mr. Wichers has over 20 years of experience in the information security field, and has focused exclusively on application security for the past 10 years. At Aspect, in addition to his COO duties, he is Aspect's application security courseware lead, one of their chief instructors, and provides a wide variety of application security consulting services to Aspect's clients. Prior to starting Aspect, he ran the Application Security Services Group at Exodus Communications. Mr. Wichers has a Bachelors and Masters degree in Computer Science, is a CISSP, and a CISM.