This page is from the archived OWASP Foundation Wiki (the current site is https://owasp.org).

AppSecEU2011

From OWASP
Revision as of 18:36, 12 April 2011



Welcome

We are pleased to announce that the Ireland chapter will host the OWASP AppSec Europe 2011 global conference in beautiful Dublin, Ireland.

The AppSec Europe conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 400-500 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

AppSec Europe 2011 will be held at Trinity College Dublin on June 6th through 10th 2011. There will be training courses on June 6th, 7th and 8th, followed by plenary sessions on the 9th and 10th, with each day having at least three tracks. AppSec Europe may also have BOF (informal ad hoc meetings), break-out or speed talks in addition to the standard schedule, depending on the submissions received.
If you have any questions, please email the conference chair: appseceu at owasp.org


Who Should Attend AppSec Europe 2011:

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interested in Improving IT Security



Use the #AppSecEU hashtag for your tweets about AppSec Europe 2011, and follow @AppSecEU on Twitter.

CFT & CFP

Introduction

OWASP is currently soliciting training and presentation proposals for the OWASP AppSec Europe 2011 Conference, which will take place at Trinity College Dublin in Ireland on June 6th through June 10th 2011. There will be training courses on June 6th, 7th and 8th, followed by plenary sessions on the 9th and 10th, with each day having at least three tracks.

Call for Training

We are seeking training proposals on the following topics (in no particular order):

  • Security in Web 2.0, Web Services/XML
  • Advanced penetration testing
  • Static analysis for security
  • Threat modeling of applications
  • Secure coding practices
  • Security in J2EE/.NET patterns and frameworks
  • Application security with ESAPI
  • OWASP tools in practice

We will look favourably on laboratory-based, hands-on training.

Call for Presentations

We are seeking people and organizations that want to present on any of the following topics (in no particular order):

  • Business Risks with Application Security.
  • Starting and Managing Secure Development Lifecycle Programs.
  • Web Services-, XML- and Application Security.
  • Metrics for Application Security.
  • Application Threat Modeling.
  • Hands-on Source Code Review.
  • Web Application Security Testing.
  • OWASP Tools and Projects.
  • Secure Coding Practices (J2EE/.NET).
  • Privacy Concerns with Applications and Data Storage
  • Web Application Security countermeasures
  • Technology specific presentations on security such as AJAX, XML, etc.
  • Anything else relating to OWASP and Application Security.

Submission Deadline and Instructions

Submission deadline is Sunday April 3rd 23:59 (GMT).

To submit your proposal please fill out the form here: https://www.easychair.org/conferences/?conf=appseceu2011

Please specify in the form whether you are submitting a Training or a Presentation proposal, e.g. Title: "Training - Introduction to Web Application Security".

Only for Training Proposals
To submit your training proposal please fill out the AppSec Europe 2011 Call for Training Proposal and attach it while filling out the online form.

Upon acceptance you'll be asked to fill out the Training Instructor Agreement, where you'll find details on the revenue split etc. The agreement will be reworked, but the previous one is here: File:Training Instructor Agreement.doc.

June 6th-8th (Training)

Schedule

T1. Threat Modeling and Architecture Review - 2-Days - 990 Euros
Threat Modeling and Architecture Review are the cornerstones of a preventative approach to Application Security. By combining these topics into a single comprehensive course, attendees get a complete picture of the threats an application faces and of how the application will handle them. This enables the risk to be accurately assessed and appropriate changes or mitigating controls recommended.
Instructor: Pravir Chandra, Fortify
Learn More About the Threat Modeling and Architecture Review Class
Click here to register
T2. Assessing and Exploiting Web Applications with Samurai-WTF - 2-Days - 990 Euros

Come take the official Samurai-WTF training course, given by one of the founders and lead developers of the project! You will learn how to use the latest Samurai-WTF open source tools and be shown the latest techniques for performing web application assessments. After a quick overview of pen testing methodology, the instructor will lead you through the penetration and exploitation of three different web applications, and of the browsers connecting to them. Different sets of open source tools will be used on each web application, allowing you to learn first hand the pros and cons of each tool. After you have gained experience with the Samurai-WTF tools, you will be challenged with a fourth web application that contains keys you must find and collect. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence necessary to perform web application assessments and expose you to the wealth of freely available open source tools.

Instructor: Justin Searle, InGuardians

Click here to register
T3. Tactical Defense with ModSecurity - 2-Days - 990 Euros
While application flaws should ideally be fixed in the source code, this is often not a feasible task for various reasons. Web application firewalls are often deployed as an additional layer of security that can monitor, detect and prevent attacks before they reach the web application. ModSecurity, an extremely popular open source web application firewall, is often used to help protect web applications against known and unknown vulnerabilities alike.

This two-day boot-camp training is designed for people who want to quickly learn how to configure and deploy ModSecurity in the most effective manner possible. The course will cover topics such as the powerful ModSecurity rules language, extending functionality via the embedded Lua engine and managing suspicious events via AuditConsole. Documented hands-on labs help students understand the inner workings of ModSecurity and how to deploy ModSecurity securely. By leveraging the flexibility within ModSecurity, attendees will be able to write effective rules to mitigate complex web vulnerabilities.

Instructor: Josh Amishav-Zlatin, Pure Hacking
Learn More about the Tactical Defense With Mod Security Class
Click here to register
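A compact illustration of the ModSecurity 2.x rule language and deployment settings the T3 course covers, added here as an example and not taken from the original page or from the course material. It shows a virtual patch written as a chained rule, a detect-only rule for tuning before blocking, the SecRuleScript hook that calls an embedded Lua script, and concurrent audit logging, which is the format mlogc and AuditConsole consume. The /account URI, the id parameter, the rule ids and all file paths are assumptions:

```apache
# Added example (not from the original page or the course material).
# The /account URI, the "id" parameter, rule ids and paths are assumptions.

SecRuleEngine On
SecRequestBodyAccess On

# Virtual patch: until the application is fixed, only accept a numeric "id"
# on /account. The disruptive action (deny) and the rule id belong on the
# first rule of the chain; the second rule runs only if the first matched.
SecRule REQUEST_URI "@beginsWith /account" \
    "id:100001,phase:2,chain,deny,status:403,log,\
    msg:'Virtual patch: non-numeric id parameter on /account'"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"

# Detect-only rule: log (and write an audit record) but let the request
# through. Run a new rule this way against live traffic before you deny.
SecRule ARGS "@rx (?i:union[\s/*]+select)" \
    "id:100002,phase:2,pass,log,auditlog,t:urlDecodeUni,\
    msg:'Possible SQL injection in request arguments'"

# Lua hook: the script defines main(); it returns nil for no match and a
# string for a match. The actions listed here are applied on a match.
SecRuleScript /etc/modsecurity/check_session.lua \
    "id:100003,phase:2,deny,status:403,log,msg:'Lua session check failed'"

# Audit only requests that matched a rule or ended in an error status,
# in concurrent mode (one file per transaction plus an index file),
# which is what mlogc ships to AuditConsole.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity/audit
SecAuditLog /var/log/modsecurity/audit.log
```

The Lua script named in SecRuleScript must define main(), returning nil when the request is clean and a string otherwise (the string is logged as the match message); inside it, m.getvar reads request variables and m.log writes to the error log. Deploy new rules with pass first, read the audit log for false positives, and only then switch the action to deny. A rule like the virtual patch above buys time; it does not replace fixing the input validation in the application itself.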
T5. Software Security Remediation: How to Fix Application Vulnerabilities - 1-Day - €495
This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.

Instructor: Dan Cornell, Denim Group

Click here to register
T6. Live CD - 1-Day - €495
This class will cover the full range of tools and documentation that OWASP provides under free and open licenses. When the class is complete, students will be familiar with a wide range of tools and techniques to test web applications.

The class will include a DVD of OWASP tools and documentation for testing web applications. Additionally, the DVD will include the OWASP Web Testing Environment. OWASP WTE is a collection of tools and documentation for testing web applications, available both as a bootable Live CD and as virtual machines. Attendees of this class will receive a customized version of OWASP WTE, provided as a virtual machine that includes the tools, documentation and the applications tested during class. It is a self-contained environment for learning web application testing that students can take from class to further hone their testing skills.

Students are encouraged to bring a laptop to class. The virtualization software for OWASP WTE runs on Windows, OS X and Linux. Students with a laptop can follow along with the in-class demonstrations to get hands-on testing experience.


Instructors: Matt Tesauro and Charles Henderson, Trustwave

Click here to register


June 9th

Schedule

Conference Day 1 - June 9, 2011



Time         Track 1 - Defend / Track 2 - Prevent / Track 3 - Attack
08:00-08:50  Registration and Breakfast + Coffee
08:50-09:00  Welcome by AppSec EU Board
09:00-09:55  Keynote: Brad Arkin, Adobe Corp.
10:00-10:30  OWASP Global Board Update - Tom Brennan, Eoin Keary, Seba
10:30-10:45  Coffee Break
10:45-11:30  Track 1: Practical Browser Sandboxing on Windows with Chromium, Tom Keetch, Verizon Business
             Track 2: Building a Robust Security Plan, Narainder Chandwani, Foundstone
             Track 3: APT in a Nutshell, David Stubley, 7 Elements Ltd
11:30-11:45  Break
11:45-12:30  Track 1: How to become Twitter's admin: An introduction to Modern Web Service Attacks, Andreas Falkenberg, RUB
             Track 2: The missing link: Turning Securable apps into secure installations using SCAP, Charles Schmidt, MITRE Corp.
             Track 3: The Buzz about Fuzz: An enhanced approach to finding vulnerabilities, Joe Basirico, Security Innovation
12:30-13:30  Lunch
13:30-14:30  Keynote: Giles Hogben, ENISA
14:30-14:45  Break
14:45-15:30  Track 1: Business Risks of Secure Development and Operations of Applications in the Cloud, Warren Axelrod, Delta Risk LLC
             Track 2: Integrating security testing into a SDLC: what we learned and have the scars to prove it, Mark Crosbie, IBM
             Track 3: Intranet Footprinting: Discovering Resources from outside, Javier Marcos de Prado & Juan Galiana Lara, IBM
15:30-15:45  Break
15:45-16:30  Track 1: Building Large Scale Detectors for Web-based Malware, Marco Balduzzi & Davide Canali, EURECOM
             Track 2: Infosec Stats: Reading between the lines, Chris Eng, Veracode
             Track 3: Python Basics for Web App Pentesters, Justin Searle, InGuardians Inc
16:30-16:45  Break
16:45-17:30  Track 1: OWASP AppSensor Project, Colin Watson, Watson Hall Ltd
             Track 2: A buffer overflow Story: From Responsible Disclosure to Closure, Douglas Held, Fortify (HP)
             Track 3: CTF: Bringing back more than sexy!, Mark Hillick, HackEire
19:00-23:00  Networking Event - Drinks at the Church Bar


June 10th

Schedule

Conference Day 2 - June 10, 2011



Time         Track 1 - Defend / Track 2 - Prevent / Track 3 - Attack
08:00-08:50  Registration
08:50-09:00  Day 2 Opening Remarks
09:00-10:00  Keynote: Janne Uusilehto, Nokia
10:00-10:15  Coffee Break
10:15-11:00  Track 1: Software Security: Is OK Good Enough?, John Dickson, Denim Group Ltd.
             Track 2: An Overview of Threat Modeling, Jim Delgrosso, Cigital Inc.
             Track 3: An Introduction to the OWASP Zed Attack Proxy, Simon Bennetts, OWASP
11:00-11:15  Break
11:15-12:00  Track 1: New standards and upcoming technologies in browser security, Tobias Gondrom, IETF WG
             Track 2: Simple Approach to Specifying Security Requirements for Online Developments, Alexis Fitzgerald, RITS
             Track 3: A Case Study on Enterprise E-mail (in)Security Solutions, Marian Ventuneac, Genworth Financial
12:00-12:45  Track 1: Six Key Application Security Program Metrics, Arian Evans, Whitehat Security
             Track 2: A Critical Look at the Classification Schemes for Privacy Risks, Elke Roth-Mandutz and Georg Simon, Ohm University
             Track 3: Testing Security Testing: Evaluating Quality of Security Testing, Ofer Maor, Seeker Security
12:45-13:45  Lunch
13:45-14:45  Keynote: Alex Lucas, Microsoft
14:45-15:00  Break
15:00-15:45  Track 1: Putting the Smart into Smartphones: Security Testing Mobile Applications, Dan Cornell, Denim Group
             Track 2: Security Design and Coding Reviews for Java Applications using AOP Techniques and Open Source Tools, Srini Penchikala, InfoQ
             Track 3: The Dark Side: Measuring and Analyzing Malicious Activity On Twitter, Daniel Peck & Paul Judge, Barracuda Networks
15:45-16:00  Break
16:00-16:45  Track 1: Threat modeling of banking malware-based attacks using the P.A.S.T.A. framework, Marco Morana, Citibank Group
             Track 2: PCI DSS v2.0: a new challenge for web application security testing?, Laurent Benameur Sauvaire, Espion, Ltd.
             Track 3: Practical Crypto Attacks Against Web Applications, Justin Clarke, Gotham Digital Science
16:45-17:00  Break
17:00-18:00  Keynote: Ivan Ristic, Qualys
18:00-18:30  Conference Closure and Raffle


Registration

Registration is now open!


The first 25 people who register receive an additional €50 discount!

Registration Fees

Ticket Type            Before 6th April   After 6th April   After 6th May
Non-Member             €250               €300              €350
Active OWASP Member    €200               €250              €300
Student*               €150               €200              €250

Course Fee
1 Day Training         €495
2 Day Training         €990

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accommodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

* We need some kind of proof of your full-time student status. Either ask your local OWASP chapter leader to vouch for you by email to [email protected], or email Kate a scanned image of your student ID (please compress the file size :).

Practical Info

Visitors' Guide

VisitDublin.com is the official online tourist office for Dublin. Check their Insider Guides, designed to help you make the most of your time in the capital; these themed guides offer a taste of what to see and do and are a great start in exploring Dublin.
Here is the URL: http://www.visitdublin.com/insidersguide/insidersguide.aspx?id=396

They have also developed iPhone and Android apps that you can use to explore Dublin, available from the visitdublin.com site.

UK/Ireland Wall Plugs

Ireland uses the same three-pin (type G) wall plugs and sockets as the UK, on 230 V mains; bring an adapter if your equipment uses a different plug.

Weather Forecast

Met Éireann, the Irish meteorological service, has good coverage of the weather in Dublin.

Travel

Fly to Dublin Airport:
http://www.dublinairport.com/
A taxi or bus can take you into Dublin city. (€30 - Taxi) (€10 - Bus)

Accommodation

Trinity College:
Please see here if you wish to stay within the grounds of Trinity College:
https://accommodation.tcd.ie/kxHotel/

Hotels Surrounding Trinity College:
http://maps.google.com/maps?near=Dame+Street,+College+Green,+Dublin+2,+Ireland+(Trinity+College+Campus)&geocode=Cfm6cyTmqt_IFev1LQMdLZCg_yFJu3aKhBD7GA&q=hotels&f=l&dq=Trinity+College+loc:+Dublin+Ireland&sll=53.341482,-6.258302&sspn=0.012043,0.037637&ie=UTF8&ei=U6TMSZSzKpSw2QLG_-CUCA&attrid=1036f063d3d0dafc_&ll=53.343711,-6.254568&spn=0.012042,0.037637&z=15

Social Events

Information will be published here.

Venue

The venue for both training and conference is Trinity College Dublin.

Sponsoring

OWASP is providing sponsors exclusive access to its audience in Trinity College Dublin, Ireland through a limited number of Expo floor slots, providing a focused setting for potential customers. Attendees will be directed through the Expo floor for breakfast, lunch and coffee breaks, giving them direct access to sponsors' booths and technology.

The conference is expected to draw over 400 international attendees; all with budgets dedicated to web application security initiatives. Financial Services, Media, Pharmaceuticals, Government, Healthcare, Technology, and many other verticals will be represented.
Sponsorship opportunities are filling up rapidly. All proceeds from sponsorship support the conference and the mission of the OWASP Foundation (501c3 Not-For-Profit), driving funding for research grants, tools and documents, local chapters, and more.

All sponsorship opportunities feature significant discounts for OWASP members, allowing you year-round access to web application security's top thinkers as well as use of OWASP materials in product and service delivery.

To find out more about the different sponsorship opportunities please check the document below:
File:OWASP sponsorship appseceu2011.pdf

Challenges

Countdown Challenges -- Free Tickets to Win!

A challenge will be posted on the conference wiki page on the 21st of every month up until the event. The winner will get free entrance to the conference.


Team

Eoin Keary - eoin.keary 'at' owasp.org
Fabio Cerullo - fcerullo 'at' owasp.org
Fiona Walsh - fiona.walsh 'at' owasp.org
Rahim Jina - rahim.jina 'at' owasp.org
Kate Hartmann - kate.hartmann 'at' owasp.org