Front Range Web Application Security Summit Planning Page
- 1 Front Range Web Application Security Summit Planning
- 2 FROCo8 Proposed Schedule – June 10th 2008
- 3 Speaker Bios and Presentation Summaries
- 3.1 Ed Bellis, CISO, Orbitz Worldwide - Opening Keynote
- 3.2 Jeremiah Grossman, Founder and CTO, WhiteHat Security - Business Logic Flaws – Seven Deadly Web Exploits
- 3.3 tbd, Fortify Software - The Evolution of Application Security in Online Banking
- 3.4 Robert Hansen, CEO and Founder of SecTheory - Web Browser (In)-Security - "Past, Present, and Future"
- 3.5 Mike Zusman, Sr Consultant, Intrepidus Group - Abusing SSL VPNs & Open Reverse Proxies
Front Range Web Application Security Summit Planning
Who, What, Where, When, How Much?
The speakers below will be presenting at the Tivoli on June 10th. This is a free event - all expenses will be covered by our sponsors. Registration will be at www.froc.us as soon as the site has been built.
FROCo8 Proposed Schedule – June 10th 2008
- PLEASE NOTE - The topics and most speakers have been confirmed, however speaker times/dates/topics may change so please check back from time-to-time.
|June 10th, 2008|
|Tech Track:||Management Track:|
|08:00-09:00||Registration Opens and Tech Expo|
|09:00-9:30||Opening Keynote - Ed Bellis, Chief Information Security Officer for Orbitz WorldWide|
|9:40-10:40||Business Logic Flaws – Seven Deadly Web Exploits - Jeremiah Grossman, CTO & Founder of WhiteHat Security|
|10:50-11:50||The Evolution of Application Security in Online Banking - Taylor McKinley, Product Manager, & Troy Stewart, District Manager, Fortify Software|
|11:50-13:00||1 HR BREAK / TECH EXPO / LUNCH BREAK|
|13:00-14:15||Web Browser (In)-Security - "Past, Present, and Future" Robert Hansen|| Threat Modeling
MicroSoft ACE Team
|14:30-15:30||"Abusing SSL VPNs & Open Reverse Proxies" Mike Zusman|| Panel Discussion "Best-practices and lessons learned from integrating security into the SDLC"
Speaker list to be announced
|15:40-16:00||Raffles & Awards|
|16:00-16:45||After-conference refreshments (at Tivoli)|
|17:00+||(tbd) Reception/after-conference mixer|
The purpose of this page is to provide a workspace for Denver/Boulder OWASP members to collaborate and plan the upcoming Front Range Web Application Security Summit. It is official, and we have the meeting space reservation to prove it! Date: June 10, 2008 Location: Tivoli Baerresen Conference Rooms (located on the Auraria Campus in Downtown Denver) 900 Auraria Parkway Denver, CO 80204
Call For Papers
We are seeking presentations for both the Technical and Management tracks at the June 10th conference. A Call For Papers has been issued. The deadline for submissions is March 28th, and speakers who are selected will be notified the week of March 31st. Please download the Call for Papers here
The purpose of the Front Range Web Application Security Summit is to provide a one-day workshop/conference during which individuals and organizations interested in Web Application Security can congregate to transfer knowledge, increase awareness of application layer security in the enterprise, and meet other like minded individuals.
- Guiding Principles
- No vendor soap boxes
- Open, friendly environment
- High quality content, professional delivery
Project Manager: Dariush Rusta
Overall planning and coordination: Kathy Thaxton kthaxton at businesspartnersolutions d0t c0m
Tech track lead: David Campbell (dcampbell at owasp dot org)
Management track lead: tbd
Project Planning Site (Basecamp login required)
Speaker Bios and Presentation Summaries
Ed Bellis, CISO, Orbitz Worldwide - Opening Keynote
Ed is responsible for the protection and security of all information and electronic assets as well as compliance and ethics across the wide array of business units that make up Orbitz Worldwide on a global basis. These assets include Orbitz, CheapTickets, eBookers, Away.com, HotelClub, RatesToGo, AsiaHotels, and Orbitz for Business.
With over 15 years of experience in information security and technology, Ed has worked with and been involved in protecting information assets at several Fortune 500 companies. Prior to joining Orbitz, Ed served as VP of Corporate Information Security for Bank of America within their Global Corporate and Investment Banking division. His credentials also include several security technology and management roles at organizations such as Ernst & Young, Ford Motor Company, and Young & Rubicam. Ed is a CISSP, CISM, a contributor to the ISM Community, and a member of ISC2, ISACA and the Chicago chapter of the ISSA.
Ed is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as The MIS Institute, The Association of Information Technology Professionals, Technology Executives Club, and the National Business Travel Association.
Jeremiah Grossman, Founder and CTO, WhiteHat Security - Business Logic Flaws – Seven Deadly Web Exploits
Jeremiah Grossman founded WhiteHat Security in August 2001.
An internationally recognized security expert, Mr. Grossman is a frequent speaker at security industry events including RSA, CSI NetSec, Black Hat, ISACA Network Security Conference, ISSA and Defcon. He is a popular security media resource, featured in USA Today, The Washington Post, InformationWeek and on NBC news, and was recently named a “friend of Google.” Mr. Grossman is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary that usually finds its way into their stories, but can also provide his perspective of what’s to come.
Grossman is also a founding member of the Web Application Security Consortium (WASC). Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!.
Summary: Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. During this presentation, Jeremiah Grossman will examine seven real-world scenarios that demonstrate how pernicious and dangerous business logic flaws are to the security of today’s websites.
tbd, Fortify Software - The Evolution of Application Security in Online Banking
Summary: The Evolution of Application Security in Online Banking
With trillions of dollars in transactions, how do the world's leading financial institutions defend against massive cyber attacks while delivering new features and products to customers quickly? How are software security tools, such as dynamic and static analysis, deployed for optimal use? Using case studies, learn how online banking has set the standard for effective application security. We’ll provide an overview of the industry’s migration to online banking and analyze the many security challenges that banks overcame during online banking’s infancy, including SQL injection, cross-site scripting and privilege escalation.
We will then move toward broader security issues, including the steps needed to ensure a secure and robust infrastructure. In addition, we will examine the implementation of Web 2.0 technologies within an online banking environment and discuss the security issues these new technologies bring with them. The session will conclude with two critical take-aways: developing a compliance strategy to leverage the secure development lifecycle, and the steps IT professionals need to take when preparing online corporate infrastructure against future attacks and vulnerabilities.
Robert Hansen, CEO and Founder of SecTheory - Web Browser (In)-Security - "Past, Present, and Future"
Robert Hansen (CISSP) is the CEO and Founder of SecTheory. He has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles from Sr. Security Architect and eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory board for the Intrepidus Group, Just Thrive, previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies.
Mr. Hansen authors content on Dark Reading and co-authored "XSS Exploits" by Syngress publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also speaks at SourceBoston, Toorcon, APWG, ISSA, OWASP/WASC, Microsoft's Bluehat, Blackhat and Networld+Interop. Mr. Hansen is a member of Infragard, Austin Chamber of Commerce, West Austin Rotary, WASC, IACSP, APWG, he is the Industry Liaison for the Austin ISSA and contributed to the OWASP 2.0 guide.
Summary: Browser security is one of the least known but most important aspects to modern security. They are ubiquitous and highly insecure. They are close enough alike that many exploits will work cross browsers, and they are different enough that it makes it difficult for websites to protect themselves. This speech will cover the history of browser security, where it today and where it needs to go in the future.
Mike Zusman, Sr Consultant, Intrepidus Group - Abusing SSL VPNs & Open Reverse Proxies
Mike Zusman is a Senior Consultant for the Intrepidus Group. Prior to joining Intrepidus Group, Mr. Zusman has held the positions of Escalation Engineer at Whale Communications (a Microsoft subsidiary), Security Program Manager at Automatic Data Processing, and lead architect & developer at a number of smaller firms.
In addition to his corporate experience, Mr. Zusman is an independent security researcher, and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors and other clients.
Mike has also founded a number of successful entrepreneurial ventures including Global Uplink Solutions Incorporated (hosting division acquired by Flare Technologies in 2005) and Dish Uplink LLC, a leader in satellite TV subscription activations in the US.
Mike holds the CISSP certification.
Summary: Internet-facing SSL VPNs and Open Reverse Proxies can be abused to perform reconnaissance, data extraction, or general mischief INSIDE the Corporate Intranet and on SSL VPN clients. This presentation will discuss programming and infrastructure flaws permitting this abuse as well as countermeasures.