This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "AppSec US 2010, CA"
KateHartmann (talk | contribs) |
|||
(29 intermediate revisions by 9 users not shown) | |||
Line 7: | Line 7: | ||
= Welcome to AppSec USA 2010 = | = Welcome to AppSec USA 2010 = | ||
− | + | Before you head to SoCal on Thursday, be sure to check out our [http://www.owasp.org/images/2/25/AppSec_USA_2010_Visitors_Guide_%283%29.pdf Visitors Guide] | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
{| class="FCK__ShowTableBorders" style="width: 100%;" | {| class="FCK__ShowTableBorders" style="width: 100%;" | ||
Line 23: | Line 14: | ||
{| class="FCK__ShowTableBorders" style="width: 100%; background: none repeat scroll 0% 0% transparent; -moz-background-inline-policy: continuous;" | {| class="FCK__ShowTableBorders" style="width: 100%; background: none repeat scroll 0% 0% transparent; -moz-background-inline-policy: continuous;" | ||
|- | |- | ||
− | | style="width: 95%; color: rgb(0, 0, 0);" | | + | | style="width: 95%; color: rgb(0, 0, 0);" |'''AppSec US 2010 VIDEOS available [http://vimeo.com/user4863863/videos HERE]'''<br> |
− | ''' | ||
− | |||
− | |||
− | |||
− | |||
− | |||
|} | |} | ||
Line 73: | Line 58: | ||
|- | |- | ||
− | | style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Instructor: Dave Wichers: [[Image:Aspect logo.gif]] | + | | style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Instructor: [[User:Wichers|Dave Wichers]]: [[Image:Aspect logo.gif]] |
|- | |- | ||
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [[Learn More about the Building Secure Ajax and Web 2.0 Applications Class]] | | style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [[Learn More about the Building Secure Ajax and Web 2.0 Applications Class]] | ||
Line 95: | Line 80: | ||
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans. | | style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans. | ||
|- | |- | ||
− | | style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Instructor: Jeff Williams: [[Image:Aspect logo.gif]] | + | | style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Instructor: [[User:Jeff Williams|Jeff Williams]]: [[Image:Aspect logo.gif]] |
|- | |- | ||
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [[Learn More about the Application Security Leadership Essentials Class]] | | style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | [[Learn More about the Application Security Leadership Essentials Class]] | ||
Line 104: | Line 89: | ||
|- | |- | ||
| style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications. | | style="background: none repeat scroll 0% 0% rgb(242, 242, 242);" | This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications. | ||
− | Instructor: Dan Cornell: [[Image:AppSecDC2009-Sponsor-denim.gif]] | + | Instructor: [[User:Dancornell|Dan Cornell]]: [[Image:AppSecDC2009-Sponsor-denim.gif]] |
|- | |- | ||
Line 119: | Line 104: | ||
Students are encouraged to bring a laptop to class. The virtualization software for OWASP WTE runs on Windows, OS X and Linux. Students with a laptop can follow along with the in class demonstrations to get hands on testing experience | Students are encouraged to bring a laptop to class. The virtualization software for OWASP WTE runs on Windows, OS X and Linux. Students with a laptop can follow along with the in class demonstrations to get hands on testing experience | ||
− | <br>Instructors: Matt Tesauro and Charles Henderson: [[Image:TrustwaveLogo.jpg]] | + | <br>Instructors: [[User:Mtesauro|Matt Tesauro]] and Charles Henderson: [[Image:TrustwaveLogo.jpg]] |
|- | |- | ||
Line 147: | Line 132: | ||
|- | |- | ||
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 08:45-9:30 | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 08:45-9:30 | ||
− | | align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(252, 252, 150);" | Keynote: Jeff Williams (Crystal Cove Auditorium) | + | | align="center" colspan="3" style="width: 80%; background: none repeat scroll 0% 0% rgb(252, 252, 150);" | Keynote: [[User:Jeff Williams|Jeff Williams]] (Crystal Cove Auditorium) |
|- | |- | ||
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 9:30-10:15 | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 9:30-10:15 | ||
Line 158: | Line 143: | ||
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | How I met your Girlfriend, ''Samy Kamkar''<br> | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | How I met your Girlfriend, ''Samy Kamkar''<br> | ||
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Solving Real-World Problems with an Enterprise Security API (ESAPI), ''Chris Schmidt, ServiceMagic''<br> | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Solving Real-World Problems with an Enterprise Security API (ESAPI), ''Chris Schmidt, ServiceMagic''<br> | ||
− | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Panel: Characterizing Software Security as a Mainstream Business Risk – How to talk other CXO’s about Software Security<br>John Dickson - Principal, Denim Group (moderator)<br>Tom Brennan - CEO Proactive Risk, OWASP Board Member<br>Ed Pagett, CISO, Lender Processing Services<br>Richard Greenberg, Information Security Officer, Los Angeles County Department of Public Health<br> John Sapp - IT Governance, Risk & Compliance Manager, McKesson | + | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Panel Discussion: Characterizing Software Security as a Mainstream Business Risk – How to talk to other CXO’s about Software Security<br>John Dickson - Principal, Denim Group (moderator)<br>[[User:Tbrennan|Tom Brennan]] - CEO Proactive Risk, OWASP Board Member<br>Ed Pagett, CISO, Lender Processing Services<br>Richard Greenberg, Information Security Officer, Los Angeles County Department of Public Health<br> John Sapp - IT Governance, Risk & Compliance Manager, McKesson |
|- | |- | ||
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 11:20-11:30 | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 11:20-11:30 | ||
Line 164: | Line 149: | ||
|- | |- | ||
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 11:30-12:15 | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 11:30-12:15 | ||
− | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | State of SSL on the Internet - 2010 Survey, Results and Conclusions, ''Ivan Ristic, Qualys''<br> | + | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | State of SSL on the Internet - 2010 Survey, Results and Conclusions, ''[[User:Ivanr|Ivan Ristic]], Qualys''<br> |
<br> | <br> | ||
Line 184: | Line 169: | ||
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | P0w3d for Botnet CnC, ''Gunter Ollmann, Damballa''<br> | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | P0w3d for Botnet CnC, ''Gunter Ollmann, Damballa''<br> | ||
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Cloud Computing, A Weapon of Mass Destruction?, ''David Bryan, Trustwave's SpiderLabs & Michael Anderson, NetSPI''<br> | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Cloud Computing, A Weapon of Mass Destruction?, ''David Bryan, Trustwave's SpiderLabs & Michael Anderson, NetSPI''<br> | ||
− | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | | + | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[OWASP Secure Coding Practices - Quick Reference Guide|OWASP Secure Coding Practices Quick Reference Guide]], ''Keith Turpin, Boeing'' |
|- | |- | ||
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 15:10-15:30 | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 15:10-15:30 | ||
Line 192: | Line 177: | ||
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, ''Dan Cornell, Denim Group''<br> | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, ''Dan Cornell, Denim Group''<br> | ||
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Assessing, Testing and Validating Flash Content, ''Peleus Uhley, Adobe''<br> | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Assessing, Testing and Validating Flash Content, ''Peleus Uhley, Adobe''<br> | ||
− | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Tour of OWASP Projects,<br> ''Dinis Cruz, OWASP'' | + | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | [[OWASP/Training/Guided tour of OWASP Projects|Tour of OWASP Projects]],<br> ''[[User:Dinis.cruz|Dinis Cruz]], OWASP'' |
---- | ---- | ||
− | Using the OWASP O2 Platform, <br>''Dinis Cruz, OWASP'' | + | Using the [[OWASP O2 Platform|OWASP O2 Platform]], <br>''[[User:Dinis.cruz|Dinis Cruz]], OWASP'' |
|- | |- | ||
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 16:15-16:25 | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 16:15-16:25 | ||
− | | align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break | + | | align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break - CTF |
|- | |- | ||
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 16:25-17:10 | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 16:25-17:10 | ||
− | | align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen | + | | align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen. Moderator: Stuart Schwartz |
+ | | <br> | ||
+ | |- | ||
+ | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 17:10-17:30 | ||
+ | | align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Mozilla Announcement: Content Security Policy | ||
+ | |- | ||
+ | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 17:30-18:00 | ||
+ | | align="left" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | Break | ||
+ | |- | ||
+ | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 18:00-21:00 | ||
+ | | align="center" colspan="3" style="width: 90%; background: none repeat scroll 0% 0% rgb(242, 242, 242);" | Networking Event (Pacific Ballroom) | ||
|} | |} | ||
Line 233: | Line 228: | ||
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Security Architecting Applications for the Cloud, ''Alex Stamos, iSEC Partners''<br> | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Security Architecting Applications for the Cloud, ''Alex Stamos, iSEC Partners''<br> | ||
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Unraveling Cross-Technology, Cross-Domain Trust Relations, ''Peleus Uhley, Adobe''<br> | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Unraveling Cross-Technology, Cross-Domain Trust Relations, ''Peleus Uhley, Adobe''<br> | ||
− | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Real Time Application Defenses - The Reality of AppSensor & ESAPI, ''Michael Coates, Mozilla,'' | + | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Real Time Application Defenses - The Reality of [[:Category:OWASP AppSensor Project|AppSensor]] & ESAPI, ''[[User:MichaelCoates|Michael Coates]], Mozilla,'' |
|- | |- | ||
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 10:55-11:15 | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 10:55-11:15 | ||
Line 254: | Line 249: | ||
|- | |- | ||
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 14:05-14:50 | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 14:05-14:50 | ||
− | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | '' | + | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | ''Panel Discussion: Vulnerability Lifecycle for Software Vendors<br>'' |
+ | Edward Bonver - Principal Software Engineer, Symantec (moderator)<br> Kelly FitzGerald, Senior Vulnerability Analyst, Symantec<br> Katie Moussouris, Senior Security Strategist, Microsoft<br> John Steven, Senior Director, Cigital <br> Daniel Holden, Director, DVLabs, HP, TippingPoint<br> | ||
+ | |||
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Agile + Security = FAIL, ''Adrian Lane''<br> | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Agile + Security = FAIL, ''Adrian Lane''<br> | ||
− | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities, ''Aditya K. Sood | + | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities, ''Aditya K. Sood'' |
|- | |- | ||
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 14:50-15:10 | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 14:50-15:10 | ||
Line 263: | Line 260: | ||
| style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 15:10-15:55 | | style="width: 10%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | 15:10-15:55 | ||
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Escalating Privileges through Database Trusts, ''Scott Sutherland and Antti Rantasaari, NetSPI''<br> | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 133, 122);" | Escalating Privileges through Database Trusts, ''Scott Sutherland and Antti Rantasaari, NetSPI''<br> | ||
− | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Defining the | + | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(188, 165, 122);" | Panel Discussion: Defining the Identity Management Framework, |
+ | Barbara Danzi, Garda Cash Logistics (moderator)<br> Richard Tychansky, Lockheed Martin<br> [[User:Jeff Williams|Jeff Williams]], Aspect Security<br> Hord Tipton, (ISC)²<br> [[Manoranjan (Mano) Paul|Mano Paul]], SecuRisk Solutions<br> ''<br> '' | ||
+ | |||
| align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Breaking Web Browsers, ''Jeremiah Grossman, WhiteHat Security'' | | align="left" style="width: 30%; background: none repeat scroll 0% 0% rgb(153, 255, 153);" | Breaking Web Browsers, ''Jeremiah Grossman, WhiteHat Security'' | ||
|- | |- | ||
Line 289: | Line 288: | ||
= Gold Sponsors = | = Gold Sponsors = | ||
− | [[Image:Ibmneg blurgb.jpg|140x65px]] [[Image:Fortify logo AppSec Research 2010.png| | + | [[Image:Ibmneg blurgb.jpg|140x65px]] [[Image:Fortify logo AppSec Research 2010.png|139x43px]] [[Image:TrustwaveLogo.jpg]] [[Image:Veracode.gif|140x65px]]<br> |
<br> | <br> |
Latest revision as of 21:21, 18 October 2010
Before you head to SoCal on Thursday, be sure to check out our Visitors Guide
|
|
|
Training September 7th & 8th
T1. Web Security Testing - 2-Days - $1350 |
---|
This course is a deep dive into the world of web application security testing. It is designed to walk testers through every step of web application penetration testing, arming them with the knowledge and tools they will need to begin conducting their own security testing. The course will teach the participants how to think like a security engineer by creating and executing a security test plan. Participants will be exposed to common web application vulnerabilities, testing techniques and tools by a professional security tester.
The course includes a guided penetration test in which the students will execute security test with the help of the instructor. |
Instructor: Joe Basirico, Security Innovation |
Learn More About the Web Security Testing Class |
Click here to register |
T2. Building Secure Ajax and Web 2.0 Applications - 2-Days - $1350 |
---|
This two-day class will cover common Web 2.0 and AJAX security threats, vulnerabilities, and it will provide specific guidance on how to develop Web 2.0 applications to defend against these threats and vulnerabilities.
Training developers on secure coding practices offers one of highest returns on investment of any security investment by eliminating vulnerabilities at the source. Aspect’s Building Secure Ajax and Web 2.0 Applications Course enables developers to securely utilize Web 2.0 technologies in their web applications without introducing security issues. The course provides detailed examples of ‘what to do’ and ‘what not to do.' The class is lead by an experienced developer and delivered in a very interactive manner. The course will use demonstrations, code examples, and spot-the-bug exercises to get developers engaged in the topic. Developers will leave with an understanding of how Ajax attacks work, the impacts of successful attacks, and what to do to defend against them. |
Instructor: Dave Wichers: |
Learn More about the Building Secure Ajax and Web 2.0 Applications Class |
Click here to register |
T3. Assessing and Exploiting Web Applications with Samurai - WTF - 2-Days - $1350 |
Come take the official Samurai-WTF training course given by one of the founders and lead developers of the project! You will learn how to use the latest Samurai-WTF open source tools and the be shown the latest techniques to perform web application assessments. After a quick overview of pen testing methodology, the instructor will lead you through the penetration and exploitation of three different web applications, and the browsers connecting to them. Different sets of open source tools will be used on each web application, allow you to learn first hand the pros and cons of each tool. After you have gained experience with the Samurai-WTF tools, you will be challenged with a fourth web application that contains keys you must find and collect. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence necessary to perform web application assessments and expose you to the wealth of freely available open source tools. |
Click here to register |
T4. Application Security Leadership Essentials - 2-Days - $1350 |
In this two-day management session you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root cause, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. The course is designed to provide a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans. |
Instructor: Jeff Williams: |
Learn More about the Application Security Leadership Essentials Class |
Click here to register |
T5. Software Security Remediation: How to Fix Application Vulnerabilities 1-Day - Sept 7th- $675 |
This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.
Instructor: Dan Cornell: |
Click here to register |
T6. Live CD 1-Day - Sept 8th- $675 |
---|
This class will will cover the full range of tools and documentation that OWASP provides under free and open licenses. When the class is complete, students will be familiar with a wide range of tools and techniques to test web applications.
The class will include a DVD of OWASP tools and documentation for testing web applications. Additionally, the DVD will include the OWASP Web Testing Environment. OWASP WTE is a collection of tools and documentation for testing web applications available both as a bootable Live CD and virtual machines. Attendees to this class will receive a customized version of OWASP WTE. It will be provided as a virtual machine which includes the tools, documentation and the applications tested during class. It is a self-contained environment to learn web application testing the students can take from class to further hone their testing skills. Students are encouraged to bring a laptop to class. The virtualization software for OWASP WTE runs on Windows, OS X and Linux. Students with a laptop can follow along with the in class demonstrations to get hands on testing experience
|
Click here to register |
September 9th
Conference Day 1 - September 9th, 2010
| ||||
|
Track 1 - Crystal Cove Auditorium | Track 2 - Emerald Bay | Track 3 - Doheny Beach | |
07:30-08:30 | Registration and Breakfast + Coffee | |||
08:30-08:45 | Welcome to OWASP AppSec US, 2010 (Crystal Cove Auditorium) | |||
08:45-9:30 | Keynote: Jeff Williams (Crystal Cove Auditorium) | |||
9:30-10:15 | Keynote: Chenxi Wang (Crystal Cove Auditorium) | |||
10:15-10:35 | Break - Expo - CTF kick-off (Pacific Ballroom) | |||
10:35-11:20 | How I met your Girlfriend, Samy Kamkar |
Solving Real-World Problems with an Enterprise Security API (ESAPI), Chris Schmidt, ServiceMagic |
Panel Discussion: Characterizing Software Security as a Mainstream Business Risk – How to talk to other CXO’s about Software Security John Dickson - Principal, Denim Group (moderator) Tom Brennan - CEO Proactive Risk, OWASP Board Member Ed Pagett, CISO, Lender Processing Services Richard Greenberg, Information Security Officer, Los Angeles County Department of Public Health John Sapp - IT Governance, Risk & Compliance Manager, McKesson | |
11:20-11:30 | Break - Expo - CTF (Pacific Ballroom) | |||
11:30-12:15 | State of SSL on the Internet - 2010 Survey, Results and Conclusions, Ivan Ristic, Qualys
|
Into the Rabbit Hole: Execution Flow-based Web Application Testing, Rafal Los, Hewlett-Packard
|
Threat Modeling Best Practices, Robert Zigweid, IOActive | |
12:15-13:15 | Lunch - Expo - CTF (Pacific Ballroom) | |||
13:30-14:15 | Keynote: Bill Cheswick (Crystal Cove Auditorium) | |||
14:15-14:25 | Break - Expo - CTF (Pacific Ballroom) | |||
14:25-15:10 | P0w3d for Botnet CnC, Gunter Ollmann, Damballa |
Cloud Computing, A Weapon of Mass Destruction?, David Bryan, Trustwave's SpiderLabs & Michael Anderson, NetSPI |
OWASP Secure Coding Practices Quick Reference Guide, Keith Turpin, Boeing | |
15:10-15:30 | Coffee Break - Expo - CTF (Pacific Ballroom) | |||
15:30-16:15 | Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, Dan Cornell, Denim Group |
Assessing, Testing and Validating Flash Content, Peleus Uhley, Adobe |
Tour of OWASP Projects, Dinis Cruz, OWASP Using the OWASP O2 Platform, | |
16:15-16:25 | Break - CTF | |||
16:25-17:10 | Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen. Moderator: Stuart Schwartz | | ||
17:10-17:30 | Mozilla Announcement: Content Security Policy | |||
17:30-18:00 | Break | |||
18:00-21:00 | Networking Event (Pacific Ballroom) |
September 10th
Conference Day 2 - September 10th, 2010
| |||
|
Track 1 - Crystal Cove Auditorium | Track 2 - Emerald Bay | Track 3 - Doheny Beach |
08:00-09:00 | Coffee - Expo - CTF | ||
09:00-09:15 | Announcements (Crystal Cove Auditorium) | ||
09:15-10:00 | Keynote: David Rice (Crystal Cove Auditorium) | ||
10:00-10:10 | Break - Expo - CTF (Pacific Ballroom) | ||
10:10-10:55 | Security Architecting Applications for the Cloud, Alex Stamos, iSEC Partners |
Unraveling Cross-Technology, Cross-Domain Trust Relations, Peleus Uhley, Adobe |
Real Time Application Defenses - The Reality of AppSensor & ESAPI, Michael Coates, Mozilla, |
10:55-11:15 | Break - Expo - CTF (Pacific Ballroom) | ||
11:15-12:00 | Reducing Web application Vulnerabilities: Moving from a Test-Dependent to Design-Driven development, Joe Basirico, Security Innovation
|
Session Management Security tips and Tricks, Lars Ewe, Cenzic
|
The Dark Side of Twitter: Measuring and Analyzing Malicious Activity on Twitter, Paul Judge, David Maynor, and Daniel Peck, Barracuda Labs |
12:00-13:15 | Lunch - Expo - CTF (Pacific Ballroom) | ||
13:15-14:00 | Keynote: HD Moore (Crystal Cove Auditorium) | ||
14:05-14:50 | Panel Discussion: Vulnerability Lifecycle for Software Vendors Edward Bonver - Principal Software Engineer, Symantec (moderator) |
Agile + Security = FAIL, Adrian Lane |
Bug-Alcoholic 2.0 - Untamed World of Web Vulnerabilities, Aditya K. Sood |
14:50-15:10 | Coffee Break - Expo - CTF (Pacific Ballroom) | ||
15:10-15:55 | Escalating Privileges through Database Trusts, Scott Sutherland and Antti Rantasaari, NetSPI |
Panel Discussion: Defining the Identity Management Framework,
Barbara Danzi, Garda Cash Logistics (moderator) |
Breaking Web Browsers, Jeremiah Grossman, WhiteHat Security |
15:55-16:05 | Break - Expo - CTF (Pacific Ballroom) | ||
16:05-16:50 | Conference Wrap Up: AppSec US 2011 Location Announcement, CTF Results, Prizes (Pacific Ballroom) |
Sponsors
We are currently soliciting sponsors for the AppSec US 2010 Conference. Please refer to our List of Sponsorship Opportunities (or PDF).
Please contact Kate Hartmann for more information.
Slots are going fast so contact us to sponsor today!