Difference between revisions of "AppSecAsiaPac2012"
Sarah Baso (talk | contribs) m |
Sarah Baso (talk | contribs) |
Line 51: | Line 51: | ||
=Trainers and Training Schedule= | =Trainers and Training Schedule= | ||
− | + | {{:AppSecAsiaPac2012/Training}} | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | { | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
= Conference Talks and Schedule= | = Conference Talks and Schedule= |
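Review bot: the block removed at line 51 is rendered here as empty rows, so the diff does not show what content was dropped when the inline "Trainers and Training Schedule" material was replaced by the {{:AppSecAsiaPac2012/Training}} transclusion; confirm that the AppSecAsiaPac2012/Training subpage actually carries the trainer and schedule content that previously sat inline, otherwise the section will render empty on the conference page.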
Revision as of 14:48, 21 February 2012
Welcome to the OWASP 2012 AppSec Asia Pacific Conference. The event is being held in Sydney, Australia from the 11th to the 14th of April 2012 at the Four Points Sheraton Darling Harbour. The conference consists of 2 days of world-class training by OWASP instructors followed by 2 days of quality presentations and keynotes from industry leaders, OWASP projects and industry consultants. In previous years the OWASP Asia Pacific conference has been rated as one of the "must attend" events of the year, and the conference always fills up quickly. Who should attend this conference:
Conference Highlights:
The OWASP 2012 AppSec Asia Pacific Conference has secured world-class training sessions for all levels of expertise. Questions? Email [email protected]
Course descriptions and trainer bios are listed below the schedule.
Training Schedule
Training Day 1 - Wednesday - April 11th
(Time Allocated) | Training Room (1) - 2 Day Course (Grand Ballroom 1 - Ground Floor) | Training Room (2) - 2 Day Courses (Grand Ballroom 2 - Ground Floor) | Training Room (3) - 2 Day Courses (Grand Ballroom 3 - Ground Floor) | Training Room (4) - 1 Day Courses (Wharf Room - Level 1) | Training Room (5) - 1 Day Courses (Bridge Room - Level 1)
7:30 - 9:00 AM | Conference Registration Open - Coffee & Tea Available (all rooms)
9:00-10:30 AM | Assessing & Exploiting Web Applications with Samurai-WTF (Trainer: Justin Searle) | Hack Your Own Code: Advanced Training for Developers (Trainers: Mike Park & Marc Bown) | Mobile Penetration Testing: Start to Finish for iOS Applications (Trainer: Jason Haddix) | Building Secure Web Applications (Trainer: Klaus Johannes Rusch) | CANCELLED - Threat Modeling: from the "cloud" on down (Trainer: Matt Tesauro)
10:30-11:00 AM | Break - Morning Tea - Coffee & Food provided to training rooms (all rooms)
11:00-1:00 PM | Assessing & Exploiting Web Applications with Samurai-WTF (Trainer: Justin Searle) | Hack Your Own Code: Advanced Training for Developers (Trainers: Mike Park & Marc Bown) | Mobile Penetration Testing: Start to Finish for iOS Applications (Trainer: Jason Haddix) | Building Secure Web Applications (Trainer: Klaus Johannes Rusch) | CANCELLED - Threat Modeling: from the "cloud" on down (Trainer: Matt Tesauro)
1:00-1:30 PM | Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level (all rooms)
1:30-3:00 PM | Assessing & Exploiting Web Applications with Samurai-WTF (Trainer: Justin Searle) | Hack Your Own Code: Advanced Training for Developers (Trainers: Mike Park & Marc Bown) | Mobile Penetration Testing: Start to Finish for iOS Applications (Trainer: Jason Haddix) | Building Secure Web Applications (Trainer: Klaus Johannes Rusch) | CANCELLED - Threat Modeling: from the "cloud" on down (Trainer: Matt Tesauro)
3:00-3:30 PM | Break - Afternoon Tea - Coffee & Food provided to training rooms (all rooms)
3:30-5:00 PM | Assessing & Exploiting Web Applications with Samurai-WTF (Trainer: Justin Searle) | Hack Your Own Code: Advanced Training for Developers (Trainers: Mike Park & Marc Bown) | Mobile Penetration Testing: Start to Finish for iOS Applications (Trainer: Jason Haddix) | Building Secure Web Applications (Trainer: Klaus Johannes Rusch) | CANCELLED - Threat Modeling: from the "cloud" on down (Trainer: Matt Tesauro)
Training Day 2 - Thursday - April 12th
(Time Allocated) | Training Room (1) - 2 Day Course (Grand Ballroom 1 - Ground Floor) | Training Room (2) - 2 Day Courses (Grand Ballroom 2 - Ground Floor) | Training Room (3) - 2 Day Courses (Grand Ballroom 3 - Ground Floor) | Training Room (4) - 1 Day Courses (Wharf Room - Level 1) | Training Room (5) - 1 Day Courses (Bridge Room - Level 1) | Chapter Workshop (6) (Bridge Room 2 - Level 1)
7:30 - 9:00 AM | Conference Registration Open - Coffee & Tea Available (all rooms)
9:00-10:30 AM | Assessing & Exploiting Web Applications with Samurai-WTF (Trainer: Justin Searle) | Hack Your Own Code: Advanced Training for Developers (Trainers: Mike Park & Marc Bown) | Mobile Penetration Testing: Start to Finish for iOS Applications (Trainer: Jason Haddix) | Mobile Applications & Security (Trainers: Prashant Verma & Dinesh Shetty) | OWASP for CISO and Senior Managers (Business) (Trainer: Tobias Gondrom) | Workshop starts at 1:30 (see Workshop Details)
10:30-11:00 AM | Break - Morning Tea - Coffee & Food provided to training rooms (all rooms)
11:00-1:00 PM | Assessing & Exploiting Web Applications with Samurai-WTF (Trainer: Justin Searle) | Hack Your Own Code: Advanced Training for Developers (Trainers: Mike Park & Marc Bown) | Mobile Penetration Testing: Start to Finish for iOS Applications (Trainer: Jason Haddix) | Mobile Applications & Security (Trainers: Prashant Verma & Dinesh Shetty) | OWASP for CISO and Senior Managers (Business) (Trainer: Tobias Gondrom) | Workshop starts at 1:30 (see Workshop Details)
1:00-1:30 PM | Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level (all rooms)
1:30-3:00 PM | Assessing & Exploiting Web Applications with Samurai-WTF (Trainer: Justin Searle) | Hack Your Own Code: Advanced Training for Developers (Trainers: Mike Park & Marc Bown) | Mobile Penetration Testing: Start to Finish for iOS Applications (Trainer: Jason Haddix) | Mobile Applications & Security (Trainers: Prashant Verma & Dinesh Shetty) | OWASP for CISO and Senior Managers (Business) (Trainer: Tobias Gondrom) | OWASP Chapter Workshop
3:00-3:30 PM | Break - Afternoon Tea - Coffee & Food provided to training rooms (all rooms)
3:30-5:00 PM | Assessing & Exploiting Web Applications with Samurai-WTF (Trainer: Justin Searle) | Hack Your Own Code: Advanced Training for Developers (Trainers: Mike Park & Marc Bown) | Mobile Penetration Testing: Start to Finish for iOS Applications (Trainer: Jason Haddix) | Mobile Applications & Security (Trainers: Prashant Verma & Dinesh Shetty) | OWASP for CISO and Senior Managers (Business) (Trainer: Tobias Gondrom) | OWASP Chapter Workshop
Two Day Training Courses
Assessing & Exploiting Web Applications with Samurai-WTF
Trainer: Justin Searle
Audience & Level: Novice to intermediate level security professionals: developers, managers, or penetration testers
Date: Wednesday & Thursday, April 11-12
Course Summary:
Come take the official two-day Samurai-WTF training course, given by one of the founders and lead developers of the project! You will learn the latest Samurai-WTF open source tools as well as the latest techniques for performing web application penetration tests. After a quick overview of pen testing methodology, the instructors will lead you through the end-to-end process of testing and exploiting several different web applications, including client-side attacks using flaws within the application. A different set of open source tools will be used on each web application, allowing you to learn first-hand the pros and cons of each tool. The primary emphasis of these instructor-led exercises is how to integrate these tools into your own manual testing procedures to improve your overall workflow. After you have gained experience with the Samurai-WTF tools, you will be challenged with a capture-the-flag event. This final challenge will give you time to practice your new skills at your own pace and experiment with your favorite new tools. This experience will help you gain the confidence and knowledge necessary to perform web application assessments and expose you to the wealth of freely available, open source tools.
Mobile Penetration Testing: Start to Finish for iOS apps
Trainer: Jason Haddix
Audience: Technical
Level: Basic, Intermediate
Date: Wednesday & Thursday, April 11-12
Course Summary:
Mobile apps are the new horizon for penetration testing and assessment. This class covers the full process from start to finish, including:
- Overview of the iPhone platform
- Overview of 3rd-party application threat models
- Overview of Xcode and Obj-C
- Setting up a mobile penetration testing lab/environment
- Performing blackbox assessments
- Performing whitebox assessments
- Finding common client/phone vulnerabilities
- Finding common server-side vulnerabilities
- Tips and tricks
This training is good for both new and seasoned mobile app security consultants.
Note: Students will need an Apple developer licence, Xcode and a laptop.
Jason Haddix is the Director of Penetration Testing at HP, where he develops and trains internal candidates on the mobile penetration testing team. He has also delivered several trainings on web application hacking and network penetration testing.
Hack Your Own Code: Advanced Training for Developers
Trainer: Mike Park & Marc Bown
Audience: Technical, Programmers
Level: Intermediate, Advanced, Programmers
Date: Wednesday & Thursday, April 11-12
Course Summary:
This class gives developers an exciting chance to hone their programming skills while also learning to exploit common web vulnerabilities. Unlike most training, it will not use static demos based on pre-canned source code. Students will program small parts of a larger application during the class's lab periods. After the component has been written, students will review the code for the vulnerability being focused on in the lab. Vulnerable code will be run on a class-accessible server while the instructor guides students through exploiting the vulnerabilities. After the vulnerability has been exploited, students will be shown how their own code can be fixed (if it was vulnerable) and the best way to prevent the flaw in the first place.
This full process will be performed for all major code vulnerabilities in the OWASP Top Ten. Exploitation and patching labs (but not programming) will be held for other vulnerabilities, including logic flaws that are hard to represent on the Top Ten. Several labs will feature prizes for the students who first find or exploit the targeted vulnerability. Environments and examples will be set up for all major platforms requested by pre-registered students. Students should bring a laptop with them, preferably with VMware Player already installed. A virtual machine based on the OWASP Live Boot CD will be provided for lab work. The virtual machine will include development tools, but students should feel free to bring their favorite programs too.
Unlike many classes, this one allows programmers to focus on their own code, which makes it far more interactive than a typical secure development class. The focus on lab work engages the students and makes it a far more memorable experience.
Mike Park is a Managing Consultant at Trustwave. He is a member of Trustwave's SpiderLabs, the advanced security team focused on penetration testing, incident response and application security. He has over 12 years' experience building and securing software for a variety of companies. Mike is a CISSP and specializes in application security assessment, penetration testing, reverse engineering and the secure development life cycle. Mike is an active member of the Ottawa ISSA.
One Day Training Courses
CANCELLED Threat Modeling: From the "cloud" on down CANCELLED
Trainer: Matt Tesauro
Audience: Technical
Level: Basic, Intermediate
Date: Wednesday April 11
Course Summary:
Everyone knows that catching software vulnerabilities early is the best way to create secure software at the least cost (and drama). But how do you do this in the Agile, cloud-based application environment we face today? This training walks you through an overview of threat modeling techniques and tools with an eye on pragmatic solutions to real-world problems. Using the topics covered in this class, you will learn how to determine and describe an application's attack surface and understand the probability of an attack while gaining insight into its impact. Whether you're looking to find design flaws early, eliminate low-hanging vulnerabilities or improve and optimize testing, the discussion and hands-on portions of this class provide real-world examples of application security. The hands-on portion draws lessons from actual software, such as the software powering web-scale cloud stacks, allowing you to gain practical experience working through tough software problems.
Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to system administrator to penetration tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&M University. Currently, he's focused on application security risk assessments at Praetorian. Outside work, he is the project lead for the OWASP Live CD / WTE, a member of the OWASP Foundation board, and part of the Austin OWASP chapter leadership. Matt Tesauro has a B.S. in Economics and an M.S. in Management Information Systems from Texas A&M University. He also holds the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer) and Linux+ certifications.
Mobile Applications & Security
Trainers: Prashant Verma & Dinesh Shetty
Audience: Management, Technical, Operations
Level: Basic, Intermediate, People with a background in security but no prior knowledge of mobile applications
Date: Thursday, April 12
Course Summary:
This course covers security tests that are conducted on mobile applications with a focus on iOS and Android platforms.
Students will first learn the basics of mobile applications followed by a brief background of iOS and Android platforms, their security models and an overview of their development basics.
They will then learn how to model a threat profile for mobile applications and then test and debug the mobile applications for security vulnerabilities.
Reading locally stored data on mobile devices, setting up a proxy to intercept and test network traffic, and reversing Android applications are a few of the topics discussed. We will also discuss the challenges involved in reversing an iOS application. The course includes examples for both platforms, and sample code snippets will also be provided.
We will also discuss the best practices that have to be followed for secure development of mobile applications. The course will end with a discussion of the OWASP Mobile Top 10 risks.
Prashant Verma is a Senior Security Consultant and Competency Lead at Paladion Networks. He has 6 years of experience. He drives the Mobile Application Security Service and Research at Paladion. He is the co-author of the "Security Testing Handbook for Banking Applications". He has also authored security articles for the Hakin9 and Palisade magazines. He presented at Club Hack 2011 on "Pentesting Mobile Applications". He has also given guest lectures and security trainings on various occasions, including at the National Institute of Bank Management (NIBM) and Babasaheb Ambedkar Marathwada University (BAMU). He is a "Digital Evidence Analyst"; he has conducted mobile security testing and Java, Android and iOS security code reviews. He has also conducted numerous application and network penetration tests, vulnerability assessments, etc.
Dinesh Shetty is currently working as an Information Security Consultant at Paladion Networks. He is the principal researcher in the Mobile Application Security Team at Paladion, having developed Paladion's Android, iOS and BlackBerry Gray Box and Code Review checklists, and has trained 30+ engineers to detect security flaws in mobile applications. He has found flaws in leading Web and Mobile-based financial applications and helped the respective organizations fix those vulnerabilities. He has authored many white papers on information security and network-related research, which have been published in multiple information security magazines and international journals such as Packet Storm, Exploit-DB and the PenTest Magazine among others. He has conducted technical trainings and given presentations about various platforms for multiple customers and reputed institutes like the National Institute of Bank Management (NIBM). He is a Certified Ethical Hacker and an IBM Certified AppScan Specialist.
OWASP for CISO and Senior Managers
Trainer: Tobias Gondrom
Audience: Management
Level: Basic, Intermediate, Advanced
Date: Thursday, April 12
Course Summary:
This workshop covers setting up, managing and improving your global information security organisation using mature OWASP projects and tools; achieving cost-effective application security and bringing it all together at the management level; and how to use and leverage OWASP and other common best practices to improve your security programs and organization. The workshop will also discuss a number of quick wins and how to effectively use OWASP tools inside your organisation. The author has extensive experience managing his own secure development organization as well as advising on improving a number of global secure development organisations and processes.
Topics:
- OWASP Top-10 and OWASP projects - how to use within your organisation
- Risk management and threat modeling methods (OWASP risk analysis, ISO-27005,...)
- Benchmarking & Maturity Models
- Organisational Design for global information security programs
- SDLC
- Training: OWASP Secure Coding Practices - Quick Reference Guide, Development Guide, Training tools for developers
- Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide
- Development & Operation: ESAPI (Enterprise Security API), AppSensor
Target audience: CISOs and senior heads of information security (VP/director level). The number of seats should be limited to a maximum of 20, and only senior information security managers/leaders will be admitted.
All discussion and issues raised by participants at the workshop will be held in confidence under the Chatham House Rule (http://en.wikipedia.org/wiki/Chatham_House_Rule).
Tobias Gondrom is Managing Director of an IT Security & Risk Management Advisory based in the United Kingdom and Germany. He has twelve years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations, working for independent software vendors and large global corporations in the financial, technology and government sectors in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and, from 2000-2004, as the lead of the Security Task Force at IXOS Software AG, he was responsible for security, risk and incident management and introduced and implemented a secure SDLC used globally by development departments in the US, Canada, UK and Germany.
Since 2003 he has been the chair of working groups of the IETF (www.ietf.org) in the security area and a member of the IETF security directorate, and since 2010 chair of the web security WG formed at the IETF. He is a former chapter lead of the German OWASP chapter (2007 to 2008) and a board member of OWASP London. Tobias is the author of the international standards RFC 4998 and RFC 6283, co-author of and contributor to a number of internet standards and papers on security and electronic signatures, co-author of the book "Secure Electronic Archiving", and a frequent presenter at conferences and author of articles (e.g. AppSec, ISSE, Moderner Staat, IETF, the VOI booklet "Electronic Signature", iX).
Building Secure Web Applications
Trainer: Klaus Johannes Rusch
Audience: Management, Technical, Operations
Level: Basic, Intermediate
Date: Wednesday, April 11
Course Summary:
Web application security breaches on the websites of major corporations and government entities have received significant media attention due to the large number of users affected and the leaking of sensitive personal information.
This training will show how to develop secure Web applications and covers security aspects of the full software development life cycle (SDLC). Participants will learn about general security concepts and review common risks, including OWASP's Top 10 list, assess the technical and business impact of security risks, and apply mitigation strategies. The training includes several hands-on labs covering implementation, white-box analysis and black-box testing for security. While most code examples use PHP, MySQL and JavaScript, the content is equally applicable to other programming languages and database engines.
Participants are also welcome to bring Web applications or code samples for review during the training.
Klaus Johannes Rusch is a certified IT architect and manager at IBM, heading the Web Effectiveness group in the Global Web Services organization, which provides consulting services to business units in IBM for optimizing the Web experience as an in-house agency. Previously he was a team leader on the IBM Corporate Webmaster team that manages www.ibm.com.
Klaus Johannes Rusch has over 20 years of application development experience and a track record of hacking web applications. He received an award for best website back in 1995. He holds an MSc degree in computer science from Vienna University of Technology and was an adjunct professor of computer science at Webster University, where he taught web development and web animation. He lives in Vienna, Austria with his wife and two kids, and online at http://klausrusch.atmedia.net/.
NOTE: The conference schedule is subject to change as required by the conference committee; check back for updates prior to the conference.
Conference Day 1 - Friday - April 13th
(Time Allocated) | Track 1 - Detect (Grand Ballroom 1 & 2) | Track 2 - Protect (Grand Ballroom 3) | Track 3 - Leadership & OWASP (Wharf & Bridge Rooms Level 1)
7:30 - 8:30 AM | Conference Registration Open - Coffee & Tea Available (all tracks)
8:30-8:40 AM | Conference Opening - AppSec Asia 2012 (Speaker: Conference Committee Chair - Mr Justin Derry) (all tracks)
8:40-9:30 AM | Keynote Presentation (Speaker: Alastair MacGibbon) (all tracks)
9:30-9:40 AM | Short Break - Conference Movement (all tracks)
9:40-10:30 AM | Keynote Presentation (Speaker: Rafal Los) (all tracks)
10:30-11:00 AM | Break - Morning Tea - Provided for attendees in main EXPO & Conference Hall - Ground Level (all tracks)
11:00-11:50 AM | Presentation: You can't filter out the stupid! (Speaker: Charles Henderson) | Presentation: Advanced Mobile Application Code Review Techniques (Speaker: Prashant Verma) | Presentation: Effective Software Development in a PCI-DSS Environment (Speaker: Bruce Ashton)
11:50-12:00 PM | Short Break - Conference Movement (all tracks)
12:00-12:50 PM | Presentation: Testing from the Cloud. Is the Sky Falling? (Speaker: Matt Tesauro) | Presentation: Rethinking Web Application Architecture for Cloud (Speaker: Arshad Noor) | Presentation: OWASP Project - TBA (Speaker: TBA)
12:50-1:30 PM | Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level (all tracks)
1:30-2:20 PM | Presentation: Security Testing on Web Apps - How to protect yourself (Speaker: Magno Rodrigues) | Presentation: Mobile Security on iOS and Android (Speaker: Mike Park (Trustwave)) | Presentation: Insight into the Russian Black Market (Speaker: Almantas Kakareka)
2:20-2:30 PM | Short Break - Conference Movement (all tracks)
2:30-3:20 PM | Presentation: Pen Testing Mobile Applications (Speaker: Frank Fan) | Presentation: Application Security Logging & Monitoring, The Next Frontier (Speaker: Peter Freiberg) | Presentation: OWASP Project - TBA (Speaker: TBA)
3:30-4:00 PM | Break - Afternoon Tea - Provided for attendees in EXPO & Conference Hall - Ground Level (all tracks)
4:00-4:50 PM | Presentation: Harder, Better, Faster, Stronger (SQLi) (Speaker: Luke Jahnke) | Presentation: Securing the SSL Channel against Man-in-the-middle Attacks (Speaker: Tobias Gondrom) | Presentation: The risks that Pen Tests don't find (Speaker: Gary Gaskell)
4:50-5:00 PM | Short Break - Conference Movement (all tracks)
5:00-5:30 PM | Panel Discussion - Application Security Trends in 2012 (Panelists: TBA) (all tracks)
5:30-6:30 PM | OWASP - Afternoon Networking Event - TBA (all tracks)
6:30 - 10:00 PM | OWASP - Evening Networking Event - TBA (all tracks)
Conference Day 2 - Saturday - April 14th
(Time Allocated) | Track 1 - Detect (Grand Ballroom 1 & 2) | Track 2 - Protect (Grand Ballroom 3) | Track 3 - Leadership & OWASP (Wharf & Bridge Rooms Level 1)
7:30 - 8:30 AM | Conference Registration Open - Coffee & Tea Available (all tracks)
8:30-8:40 AM | Conference Day 2 Update - AppSec Asia 2012 (Speaker: Conference Committee Chair - Mr Justin Derry) (all tracks)
8:40-9:30 AM | Keynote Presentation (Speaker: Jeremiah Grossman) (all tracks)
9:30-9:40 AM | Short Break - Conference Movement (all tracks)
9:40-10:30 AM | Keynote Presentation (Speaker: Dr Jason Smith) (all tracks)
10:30-11:00 AM | Break - Morning Tea - Provided for attendees in main EXPO & Conference Hall - Ground Level (all tracks)
11:00-11:50 AM | Presentation: Attacking Captcha for Fun and Profit (Speaker: Gursev Singh Kalra) | Presentation: Password Less Authentication & Authorization & Payments (Speaker: Srikar Sagi) | Presentation: OWASP Project - TBA (Speaker: TBA)
11:50-12:00 PM | Short Break - Conference Movement (all tracks)
12:00-12:50 PM | Presentation: HTTP Fingerprinting - Next Generation (Speaker: Eldar Marcussen) | Presentation: Web Crypto for the Developer who has better things to do (Speaker: Adrian Hayes) | Presentation: Static Code Analysis & Governance (Speaker: Jonathan Carter)
12:50-1:30 PM | Break - Lunch - Provided for attendees in main Expo & Conference Hall - Ground Level (all tracks)
1:30-2:20 PM | Presentation: Shake Hooves with BeEF (Speaker: Christian Frichot) | Presentation: Software Security Goes Mobile (Speakers: Jacob West & Matias Madou) | Presentation: Data Breaches - When Application Security Goes Wrong (Speaker: Mark Goudie)
2:20-2:30 PM | Short Break - Conference Movement (all tracks)
2:30-3:20 PM | Presentation: How MITM Proxy has been slaying SSL Dragons (Speaker: Jim Cheetham) | Presentation: Breaking is Easy, Preventing is Hard (Speakers: Matias Madou & Jacob West) | Presentation: OWASP Project - TBA (Speaker: TBA)
3:20-3:30 PM | Short Break - Conference Movement (all tracks)
3:30-4:20 PM | Presentation: Rise of the Planet of the Anonymous (Speaker: Errazudin Ishak) | Presentation: Anatomy of a Logic Flaw (Speaker: Charles Henderson) | Presentation: OWASP Australia - Where, How, Why, When (Speakers: Justin Derry & Andrew van der Stock)
4:20-4:30 PM | Short Break - Conference Movement (all tracks)
4:30-5:00 PM | OWASP AppSec Asia 2012 - Conference Wrap Up (Speakers: OWASP Board, OWASP AppSec Asia Conference Committee) (all tracks)
5:00-6:00 PM | OWASP Sponsor - Afternoon Networking Event - TBA (all tracks)
KEYNOTE SPEAKERS
Alastair MacGibbon
Alastair MacGibbon is an internationally respected authority on cybercrime, including Internet fraud, consumer victimisation and a range of Internet security and safety issues. He is the managing partner of Surete Group, a consultancy that helps Internet companies improve customer retention by increasing trust and reducing negative user experiences. Prior to this, for almost 5 years, Alastair headed Trust & Safety at eBay Australia and later eBay Asia Pacific. He was a Federal Agent with the Australian Federal Police for 15 years, his final assignment being the founding Director of the Australian High Tech Crime Centre.
Dr. Jason Smith from CERT Australia
Dr Jason Smith is an assistant director at the national CERT, CERT Australia, which is part of the Attorney-General's Department. He is an experienced cyber security researcher and consultant, having provided consultancy services over the last decade on information infrastructure protection to government and critical infrastructure utilities.
Since joining government, Jason has been involved in the development and execution of national-scale cyber exercises and in the advanced cyber security training for control systems conducted by the US Department of Homeland Security.
Jason holds a degree in software engineering and data communications, a PhD in information security and is an Adjunct Associate Professor at the Queensland University of Technology.
Jacob West
Jacob West is Director, Software Security Research for the Enterprise Security Products division of Hewlett-Packard. West is a world-recognized expert on software security and brings a technical understanding of the languages and frameworks used to build software together with extensive knowledge of how real-world systems fail. In 2007, he co-authored the book "Secure Programming with Static Analysis" with colleague and Fortify founder Brian Chess. Today, the book remains the only comprehensive guide to static analysis and how developers can use it to avoid the most prevalent and dangerous vulnerabilities in code. West is a frequent speaker at industry events, including RSA Conference, Black Hat, Defcon, OWASP and many others. A graduate of the University of California, Berkeley, West holds dual degrees in Computer Science and French and resides in San Francisco, California.
Jeremiah Grossman
Jeremiah Grossman is the Founder and CTO of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Mr. Grossman has written dozens of articles and white papers and is a published author. His work has been featured in the Wall Street Journal, NY Times and many other mainstream media outlets. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on five continents at hundreds of events, including BlackHat, RSA, ISSA and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, UCLA and Carnegie Mellon. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and was previously named one of InfoWorld's Top 25 CTOs. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!
Mr. Grossman was recently a speaker at TEDxMaui.
Rafal Los
Rafal Los, Chief Security Evangelist for Hewlett-Packard Software, combines over a decade of subject-matter expertise in information security and risk management with a critical business perspective. From technical research to building and implementing enterprise application security programs, Rafal has a track record with organizations of diverse sizes and verticals. He is a featured speaker at events around the globe, and has presented at events produced by OWASP, ISSA, Black Hat, and SANS among many others. He stays active in the community by writing, speaking and contributing research, representing HP in OWASP, the Cloud Security Alliance and other industry groups. His blog, Following the White Rabbit, with his unique perspective on security and risk management has amassed a following from his industry peers, business professionals, and even the media and can be found at http://hp.com/go/white-rabbit.
Prior to joining HP, Los defined what became the software security program and served as a regional security lead at a Global Fortune 100 contributing to the global organization's security and risk-management strategy internally and externally. Rafal prides himself on being able to add a 'tint of corporate realism' to information security.
Rafal received his B. S. in Computer Information Systems from Concordia University, River Forest, Ill.
- Threat Profiling the Mobile Application Ecosystem
- The flood gates of the mobile age have swung wide open, and whether your organization is prepared or not - mobile applications utilizing cloud resources are the future. As organizations race to release ‘mobile’ versions of applications that do everything from home automation to managing your medications and health history, software security assurance is paramount from both regulatory and risk management perspectives. This requires an entirely different approach than simply running scans or handing off your source code to be ‘audited.’ Analyzing the source code, the mobile application, remote application interfaces and the communication protocols between them are critical to understanding the complete threat profile of the mobile application. Simply looking at one of these components can provide a dangerously misleading representation and lead to increased risk exposure. Rafal will discuss the full threat profile of mobile applications, including their real attack surface and provide thoughts on the future of mobile applications as enterprises migrate further into cloud computing.
The Conference Committee is excited to announce that the conference has been openly supported by the following vendors and associations. Without the great support of these companies and organisations the 2012 event would not be what it is today.
Diamond & Platinum Sponsors
The OWASP Conference 2012 welcomes our Diamond and Platinum sponsors. There are still spaces available for sponsorship, but they are closing fast.
More information is available on our sponsorship packages by viewing the sponsor pack File:AppSec AsiaPac 2012 Sponsorship.pdf. Contact our Committee for more information.
Gold & Silver Sponsors
The OWASP Conference 2012 welcomes our Gold and Silver sponsors. The conference still has availability for other Gold and Silver sponsors.
Associations & Supporters
We are proudly supported by the following Industry Associations and Media outlets.
The OWASP AppSec AsiaPac 2012 Call for Papers (CFP) is now open. Visit the following URL to submit your abstract for the April 13-14, 2012 talks in Sydney Australia:
http://sl.owasp.org/apac2012talks
We will make the first round of selections, based on the CFPs we have received by February 17, 2012. The final closing date for submissions is Friday, March 3, 2012. We look forward to talk submissions over the coming weeks from security practitioners, researchers, thought leaders, and developers in the following content areas:
- Research in Application Security Defense (Defense & Countermeasures)
- Research in Application Security Offense (Vulnerabilities & Exploits)
- Web Application Security
- Critical Infrastructure Security
- Mobile Security
- Government Initiatives & Government Case Studies
- Effective case studies in Policy, Governance, Architecture or Life Cycle
- OWASP Projects (turbo talks)
Speakers will receive free admission (nontransferable) to the conference in return for delivering a 50 minute talk or for delivering a 25 minute OWASP Projects turbo talk.
Speaker Forms
OWASP AppSec AsiaPac 2012 is currently soliciting training providers for the conference. Visit the following URL to submit your training proposal for the April 11-12, 2012 training days in Sydney Australia: http://sl.owasp.org/apac2012training
The following conditions apply for people or organizations that want to provide training at the conference:
- Training provider should provide class syllabus / training materials.
- Proceeds will be split 75/25 (OWASP/Trainer) for the training class.
- OWASP will provide the Venue, Marketing with Conference materials, Registration and basic AV
- Trainers will cover travel and accommodations for the instructor(s) and all course materials for students
- OWASP will reserve up to 2 training slots at no cost and the trainer may reserve up to one slot at no cost
- Price per attendee: 2-Day Class $1295/ 1-Day Class $695
- Trainers can brand training materials to increase their exposure
- Classes are to be focused around Application Security but are in no way limited to web application security.
We will make the first round of selections based on the training proposals we have received by February 17, 2012. The final closing date for submissions is Friday, March 3, 2012. Submit proposals to http://sl.owasp.org/apac2012training. All trainers will be required to submit a Training Instructor Agreement in order to have their classes scheduled.
Please forward to all interested practitioners and colleagues.
Trainer Forms
The Call for Papers for the OWASP Track at Global AppSec AsiaPac is now open. OWASP leaders with interesting projects/activities can submit here: https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dHB4VGJPWmV5cUxBRmJuY1pETklrcEE6MQ. The CFP will close on February 15th, 2012.
Submissions must:
- Be about active OWASP Projects or activities
- Be in a 50 Minute or 15 Minute format (final schedule will be determined in conjunction with the event)
- Authors must agree to the OWASP Speaker Agreement
- Comply with the applicable Global Conference Committee Policies (related to all events & speakers)
- Be OWASP branded, no company templates (presenters must limit mention of their employer to a company logo on the concluding slide of their presentation)
Recommendations:
- Presentations that provide a link to a recording of previous presenter performance will be scored significantly higher
- Presentations on active projects will be scored higher
- Some projects will be determined as ones OWASP wants to highlight, so new project leaders should not be discouraged if they have great presentation skills
The OWASP Track initiative, jointly led by the Global Conferences Committee and the Global Projects Committee, is a new effort to help OWASP promote our projects and activities at our own major conferences. The goal of this track is to highlight and promote OWASP and offer our leaders a chance to showcase their activities. As such, this is a different CFP than one typically issued; submissions should highlight a particular OWASP project or activity that is important to the community at large. The joint GCC/GPC program committee will be judging these submissions on a variety of factors, including project/activity maturity, strategic value to OWASP, relevance to the event audience, and past presentation performance. We intend to highlight brand new projects and activities along with established ones, so new project leaders should not be discouraged from applying! Keep in mind, though, that we are looking for polished presentations, so it will help your submission if you can demonstrate that your project/activity has made recent strides in improving quality. There are limited OWASP funds to support travel for selected presenters; we will ask that presenters first solicit funding from their employers for travel to the event.
Presenters that perform well in their OWASP Track talk will be invited to join the OWASP Speakers Group.
Regards,
Global Conferences Committee, Mark Bristow, Chair
Global Projects Committee, Jason Li, Chair
As part of AppSec APAC 2012, on Thursday, April 12 at 1:30PM-5:00PM, the Global Chapter Committee is organizing a chapter leader workshop for all the chapter leaders that attend the conference. Please note that this Workshop will take place on the day before the Conference starts.
Agenda
We plan to start with a 1.5 hour session run by experienced leaders (panel) on how to run a successful chapter. The second part of the workshop will be a roundtable discussion on regional issues and challenges, with a goal of working together to create solutions.
Are there other topics you would like to discuss? Please add them below:
- Best practices of Chapter organization
- How long should a leader lead a chapter?
- ...
Funding to Attend Workshop
If you need financial assistance to attend the Chapter Leader Workshop at AppSec APAC, please submit a request to Josh Sokol and Sarah Baso by March 1, 2012.
Funding for your attendance to the workshop should be worked out in the following order.
- Ask your employer to fund your trip to AppSec Asia Pacific in Sydney, Australia.
- Utilize your chapter funds.
- Ask the chapter committee for funding assistance.
While we wish we could fund every chapter leader, due to the limited budget allocated for this event, we may not be able to fund 100% of all requests. Priority for sponsorships will be given to those not covered by a sponsorship to attend a workshop in 2011. Additionally, we are looking for new or struggling chapter leaders who need assistance kick-starting their chapter.
After March 1, the Global Chapters Committee will make funding decisions in a fair and transparent manner. When you apply for funding, please let us know why we should sponsor you. While we prefer that chapter leaders use their own chapter's funds before requesting a sponsorship, this is not a requirement for application. If your chapter has funds but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).
Participants
If you plan to attend, please fill in your name and chapter below:
- Sarah Baso (OWASP Operational Support)
- Andrew van der Stock
- Mohd Fazli Azran (GCC & Malaysia Chapter)
- Benny Ketelslegers (OWASP Japan)
- Serg Belokamen
- Simon Bennetts (UK)
- Jonathan Carter
- Justin Clarke (London)
- Frank Fan (China)
- Christian Frichot (Perth)
- Kitisak Jirawannakool (Thailand)
- Nahil Mahmood (Pakistan)
- Thanh Nguyen (Vietnam)
- Chris Gatford (Sydney)
- Wouter Veugelen (Sydney)
- Gandhi Aryavalli (India)
...
Remote Participation
Details TBA.
- Zaki Akhmad (Indonesia Chapter)
- ...
- ...
2011 Chapter Leader Workshops
- AppSecEU 2011 chapters workshop agenda and Meeting Minutes
- AppSec USA 2011 chapters workshop agenda and Meeting Minutes 21-Sept-2011 in Minneapolis, MN, USA
- AppSecLatam2011 chapters workshop agenda and Meeting Minutes 5-Oct-2011 in Porto Alegre, Brazil
- OWASP Global AppSec Asia 2011 chapters workshop agenda and Meeting Minutes 9-Nov-2011 in Beijing, China
Questions?
Contact us:
Josh Sokol, Chapters Committee Chair
Sarah Baso, OWASP Operational Support - Conference Logistics & Community Relations
We're excited to announce that the OWASP Conference for AppSec Asia 2012 will be held at:
Four Points Sheraton, Darling Harbour
161 Sussex Street
Sydney, New South Wales 2000
Australia
The facility provides hotel rooms and conference facilities; OWASP has secured discounted room rates directly with the hotel for the duration of the event.
If you don't know your way around Sydney, here's the Google Maps link to the Hotel.
We are using both the Ground and upper levels. The majority of the event will be held on the ground level, including all breaks etc. Attendees will find the registration and conference desk located at the Ground level near Hotel Reception. (You're not going to get lost, as we take up most of the ground level for this event.)
Further details about venue locations will be posted when they become available.
For assistance with any of the items below, feel free to utilize OWASP's preferred travel agency:
Segale Travel Service contact information is: +1-800-841-2276
Sr. Travel Consultants:
Maria Martinez...ext 524
Linn Vander Molen...ext 520
Additionally, the Conference Planning Team is available to answer any questions!
Accommodation
We've been able to arrange accommodation within the Four Points Sheraton Hotel (where the training and conference will be held) for attendees. These rooms have been allocated at a special rate, and are available strictly for a limited time. To book these rooms at the special rate, you need to use the booking link shown below. These rooms are available one night either side of the event, ensuring that if you are travelling interstate or internationally it is easy to find a room at a good rate. The room rate allocated for the event is $200 AUD inclusive per night.
Four Points Sheraton, Darling Harbour
161 Sussex Street
Sydney, New South Wales 2000
Australia
http://www.starwoodmeeting.com/Book/OWASP
Travel Domestic
The OWASP Conference is to be held in Sydney at the Darling Harbour precinct. Hotel Location, http://maps.google.com.au/maps/place?q=Four+Points+by+Sheraton+Sydney,+Sussex+Street,+Sydney,+New+South+Wales&hl=en&cid=7369128618339939693
International Travel
The Sydney International Airport is located adjacent to the Domestic terminal. Similar taxi fares to the city and hotel venue apply. If you are travelling by train, you can ride the train from the International terminal all the way to the Town Hall station as above.
Airport Transportation
- Any major airline carrier will fly you into Sydney Airport; from there you can take a taxi (approx. $35-40 AUD).
- KST Sydney Airport Shuttle -- $18 AUD one way / $32 AUD round trip
- Another option is the train from the Airport, which you can ride all the way into the closest station, which is Town Hall. From this stop the hotel is a short downhill walk (no more than 5-10 mins) from the station.
Driving Instructions
From Sydney Airport (South)
Travel along Southern Cross Drive and take the South Dowling Street exit.
Turn right onto Dacey Avenue.
At the second set of traffic lights turn left onto Anzac Parade.
Follow Anzac Parade past Moore Park on your right; Anzac Parade will become Flinders Street.
Turn left onto Oxford Street and follow to Liverpool Street; Hyde Park will be on your right.
Continue along Liverpool Street and turn right onto Kent Street.
Travel five blocks and turn left onto Erskine Street.
Immediately turn left again onto Sussex Street. The hotel will be on your right.
From East
Proceed along New South Head Road. Continue onto William Street and then onto Park Street; Hyde Park will be on your right.
Proceed along Park Street as it becomes Druitt Street and turn right onto Kent Street.
Travel approximately three blocks and turn left onto Erskine Street.
Immediately turn left again onto Sussex Street. The hotel will be on your right.
From West
Proceed along the Western Distributor towards the city taking the City North exit followed by the Sussex Street South Exit.
Turn right onto Sussex Street, the hotel will be on your right.
From North
Take the Pacific Highway/Warringah Highway and proceed over the Sydney Harbour Bridge.
Take the York Street exit off the bridge and continue along before turning right into Erskine Street.
Proceed approximately three blocks before turning left into Sussex Street. The hotel will be on your right.
Placeholder for FAQ
Justin Derry - Planning Committee Co-Chair
Andrew van der Stock - Planning Committee Co-Chair
Christian Frichot - Planning Committee Member
Andrew Mueller - Planning Committee Member
Mohd Fazli Azran - Global Conference Committee Liaison
Sarah Baso - OWASP Operational Support
If you are interested in helping out with this conference or have any questions, please contact us at: [email protected]