This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP AppSec DC 2010"

From OWASP
m (updated contact list info)
(2 Day Training)
 
(66 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 
__NOTOC__  
 
__NOTOC__  
[http://www.dcconvention.com/ Walter E. Washington Convention Center] | Registration opening soon!
+
[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]]
 +
 
 +
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration Now OPEN!] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]
 
<br> <!-- Header -->
 
<br> <!-- Header -->
 
====Welcome====   
 
====Welcome====   
Line 10: Line 12:
 
|-
 
|-
 
| style="width: 95%; color: rgb(0, 0, 0);" |  
 
| style="width: 95%; color: rgb(0, 0, 0);" |  
'''Press Release June 3rd 2010 -- [http://www.owasp.org/images/1/19/AppSecDC_2010_Announcement.pdf AppSec DC 2010 Conference Announcement and opening CFP & CFT!]'''
+
 
 +
'''All [http://www.owasp.org/index.php/Category:OWASP_AppSec_DC_2010_Schedule Talks] and [http://www.owasp.org/index.php/OWASP_AppSec_DC_2010#tab=Training Training] are posted!'''  
  
 
We are pleased to announce that the [http://www.owasp.org/index.php/Washington_DC OWASP DC chapter] will host the OWASP AppSecDC 2010 regional conference in Washington, DC. The AppSecDC conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.  
 
We are pleased to announce that the [http://www.owasp.org/index.php/Washington_DC OWASP DC chapter] will host the OWASP AppSecDC 2010 regional conference in Washington, DC. The AppSecDC conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.  
Line 25: Line 28:
 
*Security Managers and Staff  
 
*Security Managers and Staff  
 
*Executives, Managers, and Staff Responsible for IT Security Governance  
 
*Executives, Managers, and Staff Responsible for IT Security Governance  
*IT Professionals Interesting in Improving IT Security<br>
+
*IT Professionals Interested in Improving IT Security<br>
 
 
  
 +
'''Press Release June 3rd 2010 -- [http://www.owasp.org/images/1/19/AppSecDC_2010_Announcement.pdf AppSec DC 2010 Conference Announcement and opening CFP & CFT!]'''
  
 
'''[[OWASP AppSec DC 2010 - FAQ|Conference FAQ]]'''
 
'''[[OWASP AppSec DC 2010 - FAQ|Conference FAQ]]'''
Line 46: Line 49:
 
|-
 
|-
 
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |  
 
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |  
Use the '''[http://search.twitter.com/search?q=%23AppSecDC #AppSecDC]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?)  
+
Use the '''[http://search.twitter.com/search?q=%23ASDC10 #ASDC10]''' hashtag for your tweets for AppSec DC (What are [http://hashtags.org/ hashtags]?)  
  
'''@AppSecDC09 Twitter Feed ([http://twitter.com/AppSecDC follow us on Twitter!])''' <twitter>34534108</twitter>  
+
'''@AppSecDC Twitter Feed ([http://twitter.com/AppSecDC follow us on Twitter!])''' <twitter>34534108</twitter>  
  
 
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |  
 
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |  
Line 59: Line 62:
 
==== Registration  ====
 
==== Registration  ====
  
== Registration will open soon  ==
+
== Register [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Here]  ==
 +
 
 +
 
 +
Registration is now '''<span style="color:#0f0">OPEN</span>'''.<br>
 +
You can register via OWASP's CVENT tool '''[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a here.]'''
 +
 
 +
===Registration Fees===
 +
{| class="wikitable"
 +
|-
 +
! Ticket Type
 +
! Before 8/15
 +
! Regular Price
 +
! After 10/15
 +
|-
 +
| Non-Member
 +
| $445.00
 +
| $495.00
 +
| style="background: #cef2e0;" | $545.00
 +
|-
 +
| Active OWASP Member
 +
| $395.00
 +
| $445.00
 +
| style="background: #cef2e0;" | $495.00
 +
|-
 +
| Student
 +
| $195.00
 +
| $195.00
 +
| style="background: #cef2e0;" | $245.00
 +
|}
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Course
 +
! Fee
 +
|-
 +
| 1 Day Training
 +
| $745
 +
|-
 +
| 2 Day Training
 +
| $1495
 +
|}
  
'''Who Should Attend AppSec DC 2010:'''
+
'''ATTENTION FEDERAL EMPLOYEES:  Enter code ASDC10FED for $100 off, limited time only!''' (must register with your .gov or .mil email address)
 +
<br> For student discount, attendees must present proof of enrollment when picking up your badge.
 +
 
 +
===Who Should Attend AppSec DC 2010===
  
 
*Application Developers  
 
*Application Developers  
Line 70: Line 116:
 
*Security Managers and Staff  
 
*Security Managers and Staff  
 
*Executives, Managers, and Staff Responsible for IT Security Governance  
 
*Executives, Managers, and Staff Responsible for IT Security Governance  
*IT Professionals Interested in Improving IT Security<br>
+
*IT Professionals Interested in Improving IT Security
 +
*Anyone interested in learning about or promoting Web Application Security<br>
 +
<br>
  
<br> For student discount, attendees must present proof of enrollment when picking up your badge.  
+
[http://guest.cvent.com/EVENTS/Info/Summary.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a AppSec DC 2010 CVENT Info Page]
  
 
==== Volunteer  ====
 
==== Volunteer  ====
Line 86: Line 134:
 
To volunteer please email [mailto:[email protected] [email protected]] or you can e-mail the Volunteer Coordinators [mailto:[email protected] Josh Feinblum] and [mailto:[email protected] Jon Rose]  
 
To volunteer please email [mailto:[email protected] [email protected]] or you can e-mail the Volunteer Coordinators [mailto:[email protected] Josh Feinblum] and [mailto:[email protected] Jon Rose]  
  
==== CFP ====
+
==== Schedule ====
 +
== Schedule posted [[OWASP AppSec DC 2010 Schedule|here]]==
  
Building on the success of AppSec DC 2009, OWASP is pleased to announce the OWASP AppSecDC 2010 conference held at the Walter E. Washington Convention Center on November 8th through 11th 2010.  Plenary sessions will be on November 10th and 11th preceded by Web Application Security Training on November 8th and 9th.  
+
==== Training  ====
  
You can submit talks at the [http://www.easychair.org/conferences/overview.cgi?a=a08d1d605d3a EasyChair Conference Page]. '''Submission deadline is July 31st 2010'''. Inquiries can be made to cfp@appsecdc.org.
+
== Training  ==
 +
OWASP strives to provide world class training for a variety of skill levels and interests at its conferences. From the novice to the expert, developers to managers, there is a training course at AppSec DC for you! Classes will begin at 9 AM each day and run until 5 PM (daily schedule set by the trainer). Morning refreshments and lunch will be provided. Check each course for the required materials.
  
We are seeking presentations on the following topics:
+
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration Now OPEN!]
*OWASP Tools and Projects
 
*Cloud Application Security
 
*Government Approaches to Application Security
 
*Application Security Case Studies
 
*Application Security and Business Risks
 
*Metrics for Application Security
 
*Web Services Security
 
*Source Code Review
 
*Web Application Security Testing
 
*Secure Coding Practices
 
*Privacy Concerns
 
*Vulnerabilities/Exploits in the Web App World
 
*Defense & Countermeasures in the Web App World
 
*Other web application security topics
 
  
Additional information can be found in the FAQ.  You will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.
+
Price per attendee (conference registration is a separate item):  
 +
* 2-Day Class $1495
 +
* 1-Day Class $745
  
===Program Committee===
+
== 2 Day Training  ==
* [mailto:mark.bristow@owasp.org Mark Bristow] (Chair)
+
 
* [mailto:jeff.williams@owasp.org Jeff Williams]
+
==='''Assessing and Exploiting Web Applications with Samurai-WTF''' | [[Assessing and Exploiting Web Applications with Samurai-WTF|Course Detail]]===
* [mailto:doug.wilson@owasp.org Doug Wilson]
+
Come take the official Samurai-WTF training course given by one of the founders and lead developers of the project!  You will learn how to use the latest Samurai-WTF open source tools and be shown the latest techniques to perform web application assessments. After a quick overview of pen testing methodology, the instructor will lead you through the penetration and exploitation of two different web applications, including client side attacks on the browsers connecting to those sites. Different sets of open source tools will be used on each web application, allowing you to learn first hand the pros and cons of each tool. After you have gained experience with the Samurai-WTF tools, you will be challenged with a third web application. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence necessary to perform web application assessments and expose you to the wealth of freely available, open source tools.
* [mailto:[email protected] Wade Woolwine]
+
 
* [mailto:jeremy.long@owasp.org Jeremy Long]
+
==='''Leading an AppSec Initiative''' | [[Leading an AppSec Initative|Course Detail]]===
* [mailto:tom.hallewell@owasp.org Tom Hallewell]
+
In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.
* [mailto:[email protected] Grecs]
+
 
* [mailto:josh.feinblum@owasp.org Josh Feinblum]
+
==='''Remote Testing for Common Web Application Security Threats''' | [[Remote Testing for Common Web Application Security Threats | Course Detail]]===
* [mailto:ben.null@owasp.org Ben Null]
+
The proliferation of web-based applications has increased the enterprise's exposure to a variety of threats. There are overarching steps that can and should be taken at various steps in the application's lifecycle to prevent or mitigate these threats, such as implementing secure design and coding practices, performing source code audits, and maintaining proper audit trails to detect unauthorized use.
* Matt Fisher
+
 
* [mailto:[email protected] Dave Sachdev]
+
This workshop will enable students to test the security of web-based applications from the perspective of the end user. Security testing is especially useful since it can be done at various phases within the application's lifecycle (e.g. during development), or when source code is not available for review.  The most common threats and their potential impact will be covered (based on the industry standard OWASP "Top Ten").   Hands-on labs and demonstrations will be used to teach the tools and techniques needed to remotely detect and validate the presence of these threats.
* [mailto:shawn.duffy@owasp.org Shawn Duffy]
+
 
* [mailto:jrose@owasp.org Jon Rose]
+
== 1 Day Training ==
 +
 
 +
==='''WebAppSec.php: Developing Secure Web Applications''' | [[WebAppSec.php: Developing Secure Web Applications|Course Detail]]===
 +
 
 +
Web applications are the new frontier of widespread security breaches. This tutorial will guide you through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP's Top 10), along with how the proper development practices can mitigate their damage. Although the examples covered are PHP-based, much of the content is also applicable to other languages.
  
==== Training  ====
+
==='''The Art of Exploiting SQL Injections''' | [[The Art of Exploiting SQL Injections |Course Detail]]===
 +
This is a full-day, hands-on training course that typically targets penetration testers, security auditors/administrators and even web developers who want to learn advanced exploitation techniques. SQL Injection, although now nearly 15 years old, still exists in over 30% of web applications. This vulnerability can result in authentication bypass, extraction of arbitrary sensitive data from the database, and access to and compromise of the internal network.
  
OWASP is currently soliciting training providers for the OWASP AppSec DC 2010 Conference that will take place at the Walter E. Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001) on November 8th through 11th of 2010.  There will be training courses on November 8th and 9th followed by plenary sessions on the 10th and 11th. There are a total of six classrooms over two days or 12 training days available at the conference.  Three classrooms hold 30 students and the other three have a capacity of 24 students.  
+
To identify the true impact of this vulnerability, it is essential that it is exploited to the full extent. While there is reasonably good awareness when it comes to identifying this problem, there are still a lot of grey areas when it comes to exploitation, or even to identifying complex vulnerabilities like 2nd-order injections. This training will target 3 databases (MS-SQL, MySQL, Oracle) and discuss a variety of techniques to exploit each scenario.  
  
The following conditions apply for people or organizations that want to provide training at the conference:
+
==='''Java Security Overview''' | [[Java Security Overview |Course Detail]]===
* Training provider should provide class syllabus / training materials.
+
The course on one hand introduces the basic security solutions provided by the Java language and the Java Runtime Environment, tackling issues like the Java Security Architecture and the security services of the Java Standard Edition. On the other hand it provides a comprehensive introduction to Java specific security vulnerabilities. Besides the presentations being continuously updated by the latest advances in the software development industry and the most recent achievements of our security research laboratory, attendees can learn how to use Java security features and can examine and correct typical implementation bugs in example source code snippets through a number of hands-on exercises, prepared in a plug-and-play manner by using a preset VMware virtual machine.
* Proceeds will be split 60/40 (OWASP/Trainer) for the training class.  
 
* The 60% for OWASP goes towards: Classroom Rental, Conference Logistics/Registration, and Food and OWASP Grants for Research Projects.
 
* Courses must have an enrollment of 60% before class is considered operational.
 
* Price per attendee: 2-Day Class $1495/ 1-Day Class $745.
 
* Trainers can brand training materials to increase their exposure
 
* Classes are to be focused around Application Security
 
  
Submissions must use the [http://www.owasp.org/images/d/d1/APPSEC_DC_2010_Training_Form.doc Training Proposal Template]. Training proposals should consist of the following information:
+
==='''Software Security Remediation: How to Fix Application Vulnerabilities''' | [[Software Security Remediation: How to Fix Application Vulnerabilities |Course Detail]]===
* Trainer contact info (country of origin and residence-mail, postal address, phone, E-mail).
+
This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.  
* Employer and/or affiliations.
 
* Training synopsis, proposed training title, and a one-paragraph description.
 
* Brief biography, list of publications and papers.
 
* Any significant presentation and educational experience/background.
 
* Reason why this material is innovative or significant or an important training for the OWASP conference.
 
* Please list any other publications or conferences where this material has been or will be published/submitted.
 
* Training format (hands-on, lecture …)
 
* Provide a list of items/software students need for the training.
 
* Optionally, any samples of prepared material or outlines.
 
  
'''Submission deadline is July 31st 2010'''.  Submissions must use the [http://www.owasp.org/images/d/d1/APPSEC_DC_2010_Training_Form.doc Training Proposal Template]. Submit proposals to training@appsecdc.org.
+
==='''Threat Modeling Express''' | [[Threat Modeling Express|Course Detail]]===
 +
The benefits of threat modeling at the design stage are well-documented, yet few organizations are able to perform this analysis technique due to time constraints. Based on our experience in real world situations, Security Compass has developed a one day approach to threat modeling based loosely on a Facilitated Risk Assessment Process (FRAP). In this class, students learn how to create a “quick and dirty” application threat model using an organization's most valuable resource: its people. Students learn about the basics of web application security, as well as learn about and perform a real hands-on Express Threat Model. A deliverable template and list of steps will be provided as takeaways for students.
  
  
 
==== Contests  ====
 
==== Contests  ====
  
TBD
+
== OWASP Member Door Prizes! ==
 +
Are you an [[Membership|OWASP Member]]?  At AppSecDC we will be giving away some amazing door prizes to some randomly selected OWASP members in attendance.  You HAVE to be an OWASP member to be eligible, but if you're not, you can easily add the $50 annual membership to your conference ticket and receive $50 off admission.  That's right, '''FREE OWASP MEMBERSHIP''' when combined with AppSec DC Registration!  So remember to [https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Register] today with your OWASP membership!
 +
 
 +
This year's contests vary in length, challenges, objectives and the skill-set of the participants. The goal of this year's ASDC challenges is to include application security folks of all backgrounds, from developers to ninjas, and to do so in a fun environment that keeps contestants scratching their heads.
 +
Contestants have the option of either participating in a more relaxed environment with shorter contest length or going for the more intense route.
 +
Contests consist of:
 +
 
 +
= All our base belong to you =
 +
 
 +
Contestants attempt to defeat the security protections of multiple applications for the glory. These challenges are intended to stretch the breadth and depth of contestants' knowledge of AppSec and will call upon a range of skills. Play alone or choose your team wisely :-)
 +
 
 +
==CTF Registration, Prizes and Rules==
 +
 
 +
'''Description:'''
 +
 
 +
AppSec DC 2010 CTF will be a competition in which participants compete for prizes in a test of Web 2.0 hacking skills. The contestants will participate in real-world scenarios designed to simulate vulnerabilities discovered in production applications. The competition will focus on application security but participants should arrive ready with an arsenal of skill-sets to complete these challenges. Mobile Security, Web 2.0, Web services, run-time assessments and much, much more will be included.
 +
 
 +
'''Rules:'''
 +
 
 +
The contest begins on November 10th at 1pm and ends the next day, November 11th at 1pm.
 +
 
 +
Competitors are allowed to team up with a maximum of three (3) other contestants for a total maximum team size of four (4) participants. The scoring system and any other system NOT designated as “In-Scope” is considered OFF-LIMITS, and any malicious activity towards or on those systems will result in the immediate disqualification of the team to which the participant(s) belong.
 +
 
 +
Contestants will use their own equipment to compete with but it is HIGHLY recommended that contestants do not bring equipment which hosts personal or sensitive data.
 +
 
 +
Scoring will take place via a web-based scoreboard portal.  Teams will have individual logins that will be required to submit points.
 +
 
 +
'''Resources:'''
 +
 
 +
Internet access will be offered at the conference as a means to obtain tools necessary for the competition, but we recommend that you bring the necessary tools to the event. We cannot guarantee access to all sites via the standard convention network, and some sites you would normally get hacking tools from may be blocked on the normal convention Wi-Fi. OWASP AppSec DC will provide an isolated environment and the systems which will host the vulnerable applications.
 +
 
 +
'''Prizes:'''
 +
 
 +
First Place: Apple iPad
 +
 
 +
Second Place: $250 Amazon Gift Card
 +
 
 +
Third Place: Free admission to AppSecDC 2012 (Or other OWASP conference)
 +
 
 +
Fourth Place: NERF Vulcan Cannon
 +
 
 +
'''Registration:'''
 +
 
 +
Registration will be held up to the day of the competition 11/10/2010 at 12:30PM and can be done either by sending an email to [email protected] in the format listed below or in person in room 146A. We urge participants to register prior to the conference as space is limited.
 +
 
 +
Name: First, Last
 +
 
 +
Alias: Ex: 1337h4xx0r
 +
 
 +
Team Name: Ex: E4tU4br34kf4s7
 +
 
 +
Team Size: Max of 4
 +
 
 +
List Teammates: By Alias, if none, list N/A
  
 
==== Venue  ====
 
==== Venue  ====
Line 169: Line 251:
 
==== Hotel  ====
 
==== Hotel  ====
  
Hotel Information TBD
+
The Grand Hyatt is our hotel sponsor again for this year. Hotel rooms can be booked at a discounted rate prior to October 11th using this link: https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908
  
 
==== Sponsors  ====
 
==== Sponsors  ====
Line 178: Line 260:
  
 
Slots are going fast so contact us to sponsor today!  
 
Slots are going fast so contact us to sponsor today!  
 +
 +
{| cellspacing="10" border="0" valign="middle" align="center" style="background: none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;"
 +
|-
 +
| <h2>Diamond Sponsors</h2>
 +
|
 +
|[[Image:AppSecDC2010-Sponsor-akamai.jpg|link=http://www.akamai.com]]
 +
|
 +
 +
|-
 +
| &nbsp;
 +
|-
 +
| <h2>Gold Sponsors</h2>
 +
| [[Image:AppSecDC2009-Sponsor-tenable.gif|link=http://www.tenablesecurity.com/]]
 +
| [[Image:AppSecDC2009-Sponsor-securicon.gif|link=http://www.securicon.com]]
 +
| [[Image:AppSecDC2009-Sponsor-mandiant.gif|link=http://www.mandiant.com/]]
 +
|-
 +
|
 +
| [[Image:AppSecDC2009-Sponsor-aspect.gif|link=http://www.aspectsecurity.com/]]
 +
| [[Image:AppSecDC-2010-Sponsor-fortifyhp.gif|link=https://www.fortify.com/]]
 +
|
 +
|-
 +
| &nbsp;
 +
|-
 +
| <h2>Organizational Sponsors</h2>
 +
| [[Image:Sponsor-isc2.gif‎|link=http://www.isc2.org/]]
 +
| [[Image:Sponsor-mozilla.gif|link=http://www.mozilla.org/]]
 +
| [[Image:AppSecDC2010-sponsor-syngress.gif|link=http://www.syngress.com]]
 +
|-
 +
| &nbsp;
 +
|-
 +
| <h3>Party Sponsor</h3>
 +
|
 +
| [[Image:AppSecDC2010-Sponsor-trustwave.gif|link=https://www.trustwave.com/]]
 +
|
 +
|-
 +
| &nbsp;
 +
|-
 +
| <h3>Exhibitors</h3>
 +
| [[Image:AppSecDC2010-Sponsor-appsecinc.gif|link=http://www.appsecinc.com/]]
 +
| [[Image:AppSecDC2010-Sponsor-barracuda.gif|link=http://www.barracudanetworks.com/]]
 +
|
 +
|-
 +
| &nbsp;
 +
|-
 +
| <h3>Coffee Sponsors</h3>
 +
| [[Image:AppSecDC2010-Sponsor-trustwave.gif|link=https://www.trustwave.com/]]
 +
| [[Image:AppSecDC2010-sponsor-secureideas.gif|link=http://www.secureideas.net]]
 +
| [[Image:AppSecDC2010-sponsor-redspin.gif|link=http://www.redspin.com]]
 +
|-
 +
|}
  
 
==== Travel  ====
 
==== Travel  ====
Line 202: Line 334:
  
 
* Facilities ([mailto:[email protected]  [email protected]])
 
* Facilities ([mailto:[email protected]  [email protected]])
** [mailto:jeremy.long@owasp.org Jeremy Long]
+
** Jeremy Long - jeremy.long[at]owasp.org
 
* Content ([mailto:[email protected]  [email protected]])
 
* Content ([mailto:[email protected]  [email protected]])
** [mailto:jeremy.long@owasp.org Jeremy Long]
+
** Jeremy Long - jeremy.long[at]owasp.org
** [mailto:shawn.duffy@owasp.org Shawn Duffy]
+
** Shawn Duffy - shawn.duffy[at]owasp.org
* Security ([mailto:security@appsecdc.org [email protected]])
+
** Rex Booth - Rex.Booth[at]owasp.org
** TBD
 
  
** [mailto:mike.smith@owasp.org Mike Smith]
+
** Mike Smith mike.smith[at]owasp.org
 
* Registration/Info Desk ([mailto:[email protected] [email protected]])
 
* Registration/Info Desk ([mailto:[email protected] [email protected]])
** [mailto:Kate.Hartmann@owasp.org Kate Hartmann]
+
** Kate Hartmann - Kate.Hartmann[at]owasp.org
* Volunteer Coordinators ([mailto:contests@appsecdc.org contests@appsecdc.org])
+
* Volunteer Coordinators ([mailto:volunteers@appsecdc.org volunteers@appsecdc.org])
** [mailto:[email protected] Josh Feinblum]
+
** Wade Woolwine - wade.woolwine[at]owasp.org
** [mailto:jrose@owasp.org Jon Rose]
+
* Competitions/Contests/Events ([mailto:contests@appsecdc.org contests@appsecdc.org])
* Competitions/Contests/Events ([mailto:volunteers@appsecdc.org volunteers@appsecdc.org])
+
** Jon Rose - jrose[at]owasp.org
** [mailto:jrose@owasp.org Jon Rose] (Chair)
+
** Ken Johnson - ken.johnson[at]owasp.org
** [mailto:ken.johnson@owasp.org Ken Johnson]
+
** Ben Null - ben.null[at]owasp.org
** [mailto:ben.null@owasp.org Ben Null]
 
 
* Marketing/Community Outreach ([mailto:[email protected] [email protected]])
 
* Marketing/Community Outreach ([mailto:[email protected] [email protected]])
** [mailto:dave.sachdev@owasp.org Dave Sachdev]
+
** Dave Sachdev - dave.sachdev[at]owasp.org
** [mailto:lahla@owasp.org Lee Ann Heart]
+
** Lee Anne Hart - lahla[at]owasp.org
 
* Sponsorships ([mailto:[email protected] [email protected]])
 
* Sponsorships ([mailto:[email protected] [email protected]])
** [mailto:josh.feinblum@owasp.org Josh Feinblum]
+
** Josh Feinblum - josh.feinblum[at]owasp.org
** [mailto:tom.hallewell@owasp.org Tom Hallewell]
+
** Tom Hallewell - tom.hallewell[at]owasp.org
** [mailto:grecs@owasp.org Grecs]
+
** Grecs - grecs[at]owasp.org
 +
** Rex Booth - Rex.Booth[at]owasp.org
 +
** [mailto:mark.bristow@owasp.org Mark Bristow]
 +
** [mailto:doug.wilson@owasp.org Doug Wilson]
 +
** [mailto:wade.woolwine@owasp.org Wade Woolwine]
  
  

Latest revision as of 04:15, 31 October 2010


Registration Now OPEN! | Hotel | Walter E. Washington Convention Center

Welcome

All Talks and Training are posted!

We are pleased to announce that the OWASP DC chapter will host the OWASP AppSecDC 2010 regional conference in Washington, DC. The AppSecDC conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

AppSecDC 2010 will be held at the Walter E. Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001) on November 8th through 11th 2010.

Who Should Attend AppSec DC 2010:

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interested in Improving IT Security

Press Release June 3rd 2010 -- AppSec DC 2010 Conference Announcement and opening CFP & CFT!

Conference FAQ





Use the #ASDC10 hashtag for your tweets for AppSec DC (What are hashtags?)

@AppSecDC Twitter Feed (follow us on Twitter!)

Registration

Register Here

Registration is now OPEN.
You can register via OWASP's CVENT tool here.

Registration Fees

Ticket Type          Before 8/15   Regular Price   After 10/15
Non-Member           $445.00       $495.00         $545.00
Active OWASP Member  $395.00       $445.00         $495.00
Student              $195.00       $195.00         $245.00

Course           Fee
1 Day Training   $745
2 Day Training   $1495

ATTENTION FEDERAL EMPLOYEES: Enter code ASDC10FED for $100 off, limited time only! (must register with your .gov or .mil email address)
For student discount, attendees must present proof of enrollment when picking up your badge.

Who Should Attend AppSec DC 2010

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interested in Improving IT Security
  • Anyone interested in learning about or promoting Web Application Security


AppSec DC 2010 CVENT Info Page

Volunteer

Volunteers Needed!

Get involved!

We will take all the help we can get to pull off the best Web Application Security Conference of the year!

More opportunities and areas will be added as time goes on. Our Volunteer Guide can be downloaded which outlines some of the responsibilities and available positions.

To volunteer please email [email protected] or you can e-mail the Volunteer Coordinators Josh Feinblum and Jon Rose

Schedule

Schedule posted here

Training


OWASP strives to provide world class training for a variety of skill levels and interests at its conferences. From the novice to the expert, developers to managers, there is a training course at AppSec DC for you! Classes will begin at 9 AM each day and run until 5 PM (Daily schedule set by the trainer). Morning refreshments and lunch will be provided. Check each course for the required materials.

Registration Now OPEN!

Price per attendee (conference registration is a separate item):

  • 2-Day Class $1495
  • 1-Day Class $745

2 Day Training

Assessing and Exploiting Web Applications with Samurai-WTF | Course Detail

Come take the official Samurai-WTF training course given by one of the founders and lead developers of the project! You will learn how to use the latest Samurai-WTF open source tools and be shown the latest techniques for performing web application assessments. After a quick overview of pen testing methodology, the instructor will lead you through the penetration and exploitation of two different web applications, including client-side attacks on the browsers connecting to those sites. A different set of open source tools will be used on each web application, allowing you to learn first hand the pros and cons of each tool. After you have gained experience with the Samurai-WTF tools, you will be challenged with a third web application. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence necessary to perform web application assessments and expose you to the wealth of freely available, open source tools.

Leading an AppSec Initiative | Course Detail

In this two-day management session you’ll get an industry perspective on application security, understand the key vulnerabilities in applications, be able to analyze root causes, and learn practical and proven techniques for building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities, and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.

Remote Testing for Common Web Application Security Threats | Course Detail

The proliferation of web-based applications has increased the enterprise's exposure to a variety of threats. There are overarching steps that can and should be taken at various stages of the application's lifecycle to prevent or mitigate these threats, such as implementing secure design and coding practices, performing source code audits, and maintaining proper audit trails to detect unauthorized use.

This workshop will enable students to test the security of web-based applications from the perspective of the end user. Security testing is especially useful since it can be done at various phases within the application's lifecycle (e.g. during development), or when source code is not available for review. The most common threats and their potential impact will be covered (based on the industry standard OWASP "Top Ten"). Hands-on labs and demonstrations will be used to teach the tools and techniques needed to remotely detect and validate the presence of these threats.

1 Day Training

WebAppSec.php: Developing Secure Web Applications | Course Detail

Web applications are the new frontier of wide‐spread security breaches. This tutorial will guide you through development practices that ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP’s Top 10), along with how proper development practices can mitigate their damage. Although the examples covered are PHP‐based, much of the content is also applicable to other languages.

The Art of Exploiting SQL Injections | Course Detail

This is a full-day, hands-on training course aimed at penetration testers, security auditors/administrators and even web developers who want to learn advanced exploitation techniques. SQL Injection, although now nearly 15 years old, still exists in over 30% of web applications. This vulnerability can result in authentication bypass, extraction of arbitrary sensitive data from the database, and access to and compromise of the internal network.

To identify the true impact of this vulnerability it is essential that it be exploited to the full extent. While there is reasonably good awareness when it comes to identifying this problem, there are still a lot of grey areas when it comes to exploitation, or even to identifying complex variants such as second-order injections. This training will target three databases (MS-SQL, MySQL, Oracle) and discuss a variety of exploitation techniques for each scenario.

Java Security Overview | Course Detail

The course introduces the basic security solutions provided by the Java language and the Java Runtime Environment, covering the Java Security Architecture and the security services of the Java Standard Edition, and also provides a comprehensive introduction to Java-specific security vulnerabilities. The presentations are continuously updated with the latest advances in the software development industry and the most recent results of our security research laboratory. Through a number of hands-on exercises, prepared in a plug-and-play manner using a preset VMware virtual machine, attendees learn how to use Java security features and examine and correct typical implementation bugs in example source code snippets.

Software Security Remediation: How to Fix Application Vulnerabilities | Course Detail

This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.

Threat Modeling Express | Course Detail

The benefits of threat modeling at the design stage are well-documented, yet few organizations are able to perform this analysis technique due to time constraints. Based on our experience in real world situations, Security Compass has developed a one day approach to threat modeling based loosely on a Facilitated Risk Assessment Process (FRAP). In this class, students learn how to create a “quick and dirty” application threat model using an organization’s most valuable resource: its people. Students learn about the basics of web application security, as well as learn about and perform a real hands-on Express Threat Model. A deliverable template and list of steps will be provided as takeaways for students.


Contests

OWASP Member Door Prizes!

Are you an OWASP Member? At AppSecDC we will be giving away some amazing door prizes to randomly selected OWASP members in attendance. You HAVE to be an OWASP member to be eligible, but if you're not, you can easily add the $50 annual membership to your conference ticket and receive $50 off admission. That's right, FREE OWASP MEMBERSHIP when combined with AppSec DC registration! So remember to register today with your OWASP membership!

This year's contests vary in length, challenges, objectives and the skill set of the participants. The goal of this year's ASDC challenges is to include application security folks of all backgrounds, from developers to ninjas, and to do so in a fun environment that keeps contestants scratching their heads. Contestants have the option of either participating in a more relaxed environment with a shorter contest length or going for the more intense route. Contests consist of:

All our base belong to you

Contestants attempt to defeat the security protections of multiple applications for the glory. These challenges are intended to stretch the breadth and depth of contestants' knowledge of AppSec and will call upon a range of skills. Play alone or choose your team wisely :-)

CTF Registration, Prizes and Rules

Description:

AppSec DC 2010 CTF will be a competition in which participants compete for prizes in a test of Web 2.0 hacking skills. The contestants will participate in real-world scenarios designed to simulate vulnerabilities discovered in production applications. The competition will focus on application security but participants should arrive ready with an arsenal of skill-sets to complete these challenges. Mobile Security, Web 2.0, Web services, run-time assessments and much, much more will be included.

Rules:

The contest begins on November 10th at 1pm and ends the next day, November 11th at 1pm.

Competitors are allowed to team up with a maximum of three (3) other contestants, for a maximum team size of four (4) participants. The scoring system and any other system NOT designated as “In-Scope” is considered OFF-LIMITS, and any malicious activity towards or on those systems will result in the immediate disqualification of the offending participant's entire team.

Contestants will use their own equipment to compete, but it is HIGHLY recommended that contestants do not bring equipment which hosts personal or sensitive data.

Scoring will take place via a web-based scoreboard portal. Teams will have individual logins that will be required to submit points.

Resources:

Internet access will be offered at the conference as a means to obtain tools necessary for the competition, but we recommend that you bring the necessary tools to the event. We cannot guarantee access to all sites via the standard convention network, and some sites you would normally get hacking tools from may be blocked on the convention Wi-Fi. OWASP AppSec DC will provide an isolated environment and the systems which host the vulnerable applications.

Prizes:

First Place: Apple iPad

Second Place: $250 Amazon Gift Card

Third Place: Free admission to AppSecDC 2012 (Or other OWASP conference)

Fourth Place: NERF Vulcan Cannon

Registration:

Registration will be accepted up to the day of the competition, 11/10/2010 at 12:30 PM, and can be done either by sending an email to [email protected] in the format listed below or in person in room 146A. We urge participants to register prior to the conference as space is limited.

Name: First, Last

Alias: Ex: 1337h4xx0r

Team Name: Ex: E4tU4br34kf4s7

Team Size: Max of 4

List Teammates: By Alias, if none, list N/A

Venue

Walter E. Washington Convention Center

AppSec DC 2010 will be taking place at the Walter E. Washington Convention Center in downtown Washington DC.

The convention center is located over the Mount Vernon Square/Convention Center Metro stop on the Green and Yellow lines of the DC Metro, and only a few blocks from our convention hotel, the Grand Hyatt Washington (reserve rooms here).


Hotel

The Grand Hyatt is our hotel sponsor again for this year. Hotel rooms can be booked at a discounted rate prior to October 11th using this link: https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908

Sponsors


We are currently soliciting sponsors for the AppSec DC Conference. Please refer to our sponsorship opportunities for details.

Slots are going fast so contact us to sponsor today!

Diamond Sponsors

Akamai

Gold Sponsors

Tenable, Securicon, Mandiant, Aspect, Fortify (HP)

Organizational Sponsors

(ISC)², Mozilla, Syngress

Party Sponsor

Trustwave

Exhibitors

AppSecInc, Barracuda

Coffee Sponsors

Trustwave, Secure Ideas, Redspin

Travel

Traveling to the DC Metro Area

The Washington DC area is served by three airports -- Reagan National (DCA), Dulles (IAD), and Thurgood Marshall Baltimore/Washington International (BWI). All currently have transportation available to downtown DC via public transit, shuttle, or cab.

Washington DC is also served by the Amtrak, VRE, and MARC train lines, which arrive at Union Station, a few Metro stops or a short cab ride away from the convention center and the Grand Hyatt.

If you live in the DC Metropolitan area, we suggest taking Metro to the event. The convention center is located over the Mount Vernon Square/Convention Center Metro stop on the Green and Yellow lines of the DC Metro.

Conference Committee

Organizers

Mail List: [email protected]

Arch-Minions

Mail List: [email protected]

  • Facilities ([email protected])
    • Jeremy Long - jeremy.long[at]owasp.org
  • Content ([email protected])
    • Jeremy Long - jeremy.long[at]owasp.org
    • Shawn Duffy - shawn.duffy[at]owasp.org
    • Rex Booth - Rex.Booth[at]owasp.org
  • Press ([email protected])
    • Mike Smith - mike.smith[at]owasp.org
  • Registration/Info Desk ([email protected])
    • Kate Hartmann - Kate.Hartmann[at]owasp.org
  • Volunteer Coordinators ([email protected])
    • Wade Woolwine - wade.woolwine[at]owasp.org
  • Competitions/Contests/Events ([email protected])
    • Jon Rose - jrose[at]owasp.org
    • Ken Johnson - ken.johnson[at]owasp.org
    • Ben Null - ben.null[at]owasp.org
  • Marketing/Community Outreach ([email protected])
    • Dave Sachdev - dave.sachdev[at]owasp.org
    • Lee Anne Hart - lahla[at]owasp.org
  • Sponsorships ([email protected])
    • Josh Feinblum - josh.feinblum[at]owasp.org
    • Tom Hallewell - tom.hallewell[at]owasp.org
    • Grecs - grecs[at]owasp.org
    • Rex Booth - Rex.Booth[at]owasp.org
    • Mark Bristow
    • Doug Wilson
    • Wade Woolwine