
Difference between revisions of "2010 BASC Speakers"

Changes in this revision (previous text of each edited abstract, followed by the revised text):

HTML5 Security (Ming Chow)

Previous: The power of HTML5 allows developers to create web applications, not just structured content, but its new features have increased the attack surface. It has been demonstrated that the HTML5 offline application cache can be abused. The support for file-based client-side databases will open up the opportunity for SQL injection attacks on client machines.

Revised: The power of HTML5 allows developers to create web applications, not just structured content, but its new features have increased the attack surface. This presentation will demo and discuss new attack opportunities, particularly on client machines, including abusing the offline application cache and SQL injection via file-based client-side databases.

Business Logic Attacks – BATs and BLBs (Paul Schofield, Imperva)

Previous: Business logic attacks are a set of legal application transactions that are used to carry out a malicious operation that is not part of normal business practices. This presentation will provide a quick introduction to business logic attacks, their unique characteristics and the motivation behind their uptick. Concluding this session we will discuss "virtual patching" using a web application firewall, rather than fixing the application code.

Revised: Business logic attacks are a set of legal application transactions that are used to carry out a malicious operation that is not part of normal business practices. This presentation will provide a quick introduction to business logic attacks, their unique characteristics and the motivation behind their uptick. Concluding this session we will discuss using multiple advanced techniques to battle these attacks, rather than relying exclusively on application code.

OWASP Basics 1 and 2 (Rob Cheyne, Safelight Security Advisors)

Previous: Rob presents a number of scenarios that walk participants through the basics of SQL injection, XSS and CSRF, along with a few other tricks he has up his sleeve. Participants will come away with the basic building blocks of knowledge required to create a foundation for further security learning. Participants already knowledgeable on security may learn some new techniques for presenting and teaching this information.

Revised: Rob presents a number of scenarios that walk participants through the basics of SQL injection, XSS and CSRF, along with a few other tricks he has up his sleeve. Participants will come away with a foundation for further security learning. Those already knowledgeable on application security issues will learn some new techniques for presenting and teaching this information in a clear, concise and effective manner.

Web Applications and Data Tokenization (Kenneth Smith)

Previous: Tokenization benefits, drawbacks, work involved, seeing through the vendors' claims, some big gotchas to avoid, and realizing ultimate value. See where tokenization makes sense and where it doesn't.

Revised: Tokenization has become increasingly popular as a method to protect sensitive data and reduce the scope of security requirements such as PCI DSS. Many solutions now integrate directly with web applications, tokenizing data before it ever reaches internal corporate systems. As developers, you may be tasked with integrating tokenization into your applications. If done correctly, this can be a big win for your organization. This talk will cover the types of tokenization solutions, seeing through the marketing hype and vendor claims, and how to avoid some common mistakes that could greatly reduce tokenization's effectiveness.

Revision as of 17:31, 15 November 2010

Platinum Sponsors (Listed Alphabetically)

CORE Security, Rapid7, SafeLight Security, Security Innovation, SOURCE


We kindly thank our sponsors for their support. Please help us keep future BASCs free by viewing and visiting all of our sponsors.

Speakers

We would like to thank our speakers for donating their time and effort to help make this conference successful and free.

Josh Corman

Joshua Corman is the Research Director of the 451 Group's enterprise security practice. Corman has more than a decade of experience with security and networking software, most recently serving as Principal Security Strategist for IBM Internet Security Systems. Corman’s research cuts across sectors to the core challenges of the industry, and drives evolutionary strategies toward emerging technologies and shifting economics.

Corman is a candid and highly coveted speaker and has spoken at leading industry events such as RSA, Interop, ISACA, and SANS. His efforts to educate and challenge the industry recently led NetworkWorld magazine to recognize him as one of the top innovators of IT for 2009. Corman also serves on the Faculty for IANS and is a staunch advocate for CISOs everywhere. In 2010, Corman also co-founded RuggedSoftware.org – a value-based initiative to raise awareness and usher in an era of secure digital infrastructure.

Ming Chow (Tufts University, CS Department)

HTML5 Security
The power of HTML5 allows developers to create web applications, not just structured content, but its new features have increased the attack surface. This presentation will demo and discuss new attack opportunities, particularly on client machines, including abusing the offline application cache and SQL injection via file-based client-side databases.

Andrew Gronosky (Raytheon/BBN Technologies)

A Crumple Zone for Service-Oriented Architectures
We present a new architectural construct analogous to the crumple zone in an automobile. It consists of a layer of intelligent service proxies that work together to provide both signature-based and non-signature-based defenses. We present our initial design for Java RMI-based services and compare it with web application firewalls.

Joshua "Jabra" Abraham, Will Vandevanter (Rapid7)

Hacking SAP BusinessObjects
BusinessObjects is a very widely deployed business intelligence tool. In this presentation we will present the entire lifecycle of attacking a BusinessObjects server using vulnerabilities that we have found during our research.

Christien Rioux (SOURCE Conference)

The Exploit Arms Race
As defenses have become more sophisticated, so have the attacks required to circumvent them. Learn about the roots of defensive techniques like stack cookies/StackGuard/run-time stack checking, DEP and ASLR, the attacks they respond to, like trampolining and return-oriented programming, the evolution of fuzzing techniques, and static and dynamic analysis for attacking and defending software.

Paul Schofield (Imperva)

Business Logic Attacks – BATs and BLBs
Business logic attacks are a set of legal application transactions that are used to carry out a malicious operation that is not part of normal business practices. This presentation will provide a quick introduction to business logic attacks, their unique characteristics and the motivation behind their uptick. Concluding this session we will discuss using multiple advanced techniques to battle these attacks, rather than relying exclusively on application code.

Rob Cheyne (Safelight Security Advisors)

OWASP Basics 1 and 2
Rob presents a number of scenarios that walk participants through the basics of SQL injection, XSS and CSRF, along with a few other tricks he has up his sleeve. Participants will come away with a foundation for further security learning. Those already knowledgeable on application security issues will learn some new techniques for presenting and teaching this information in a clear, concise and effective manner.

John Carmichael (Safelight Security Advisors)

Coffee Shop Warfare: Protecting Yourself in Dark Territory
A lighthearted look at the real threats that people face in personal computing, specifically when connected to unknown networks at coffee shops and airports. John will cover many of these threats and discuss tools and best practices everyone can adopt to protect their machine and information from these risks.

Dan Crowley (Core Security)

URL Enlargement
URL shorteners are ubiquitous in today's Internet culture. This talk will aim to demonstrate what lies behind them. Come see what's behind the short URLs: personal documents, parasitic storage, authentication credentials, attacks and more!

Kenneth Smith

Web Applications and Data Tokenization
Tokenization has become increasingly popular as a method to protect sensitive data and reduce the scope of security requirements such as PCI DSS. Many solutions now integrate directly with web applications, tokenizing data before it ever reaches internal corporate systems. As developers, you may be tasked with integrating tokenization into your applications. If done correctly, this can be a big win for your organization. This talk will cover the types of tokenization solutions, seeing through the marketing hype and vendor claims, and how to avoid some common mistakes that could greatly reduce tokenization's effectiveness.

Shakeel Tufail (Fortify)

Open SAMM (Security Assurance Maturity Model)
SAMM is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The building blocks of the model are the three maturity levels defined for each of the twelve security practices. These define a wide variety of activities to reduce security risks and increase software assurance. Additional details are included to measure successful activity performance, understand the associated assurance benefits, and estimate personnel and other costs.


Conference Organizers

Conference Organizer: Jim Weiler

Gold Sponsors

Auric Systems International, Fortify, Palo Alto Networks, WhiteHat Security

You can find out more about this conference at the BASC homepage: http://www.owasp.org/index.php/2010_BASC_Homepage.