
Difference between revisions of "OWASP AppSec DC 2009"

(Twitter AppSecDC09)
m (The conference schedule has been moved here)
 
(100 intermediate revisions by 11 users not shown)
__NOTOC__
+
__NOTOC__  
== OWASP AppSec USA 2009 Conference ==
 
  
<!-- Header -->
+
[[Image:Dc09.png]]
{|style="width:100%"
 
|style="width:56%;color:#000"|
 
  
{|style="width:280px;border:solid 0px;background:none"
+
[http://www.dcconvention.com/ Walter E. Washington Convention Center] | [http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c Registration]
 +
 
 +
<br> <!-- Header -->
 +
====Welcome==== 
 +
 
 +
{| style="width: 100%;"
 +
|-
 +
| style="width: 100%; color: rgb(0, 0, 0);" |
 +
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"
 +
|-
 +
| style="width: 95%; color: rgb(0, 0, 0);" |
 +
'''Press Release August 20th 2009 -- [http://www.owasp.org/images/4/4d/Press_Release_AppSec_DC_August_20th_2009.pdf Speaker Agenda Released and Registration Open!]'''
 +
 
 +
We are pleased to announce that the [http://www.owasp.org/index.php/Washington_DC OWASP DC chapter] will host the OWASP AppSec 2009 conference in Washington, DC. The AppSec DC OWASP Conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.
 +
 
 +
AppSec DC 2009 will be held at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] ([http://maps.google.com/maps?q=801+Mount+Vernon+Place+NW+Washington,+DC+20001&oe=utf-8&client=firefox-a&ie=UTF8&split=0&gl=us&ei=kSntSYT5B5WOMvOWzPUP&ll=38.904977,-77.022979&spn=0.00895,0.019977&z=16&iwloc=A 801 Mount Vernon Place NW Washington, DC 20001]) on November 10th through 13th 2009.
 +
 
 +
'''Who Should Attend AppSec DC 2009:'''
 +
 
 +
*Application Developers
 +
*Application Testers and Quality Assurance
 +
*Application Project Management and Staff
 +
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
 +
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
 +
*Security Managers and Staff
 +
*Executives, Managers, and Staff Responsible for IT Security Governance
 +
*IT Professionals Interested in Improving IT Security<br>
 +
 
 +
<br> '''The full AppSecDC Schedule can be found [[OWASP AppSec DC 2009 Schedule|here]].'''
 +
 
 +
'''You can register for the conference [http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c here].'''
 +
 
 +
'''On November 11th 2009 OWASP also organizes the [[Summit 2009|OWASP Global Summit 2009]].'''
 +
 
 +
<!-- Mediawiki needs all these spaces -->
 +
 
 +
<br>
 +
 
 +
|}
 +
 
 +
<!-- Twitter Box -->
 +
 
 +
| style="border: 0px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0);" | <!-- DON'T REMOVE ME, I'M STRUCTURAL -->
 +
[[Image:Threestarforsite.png]]
 +
 
 +
{|
 
|-
 
|-
|style="width:468px;color:#000" |
+
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |  
[[Image:Owasp_logo_122106.png]]
+
Use the '''[http://search.twitter.com/search?q=%23AppSecDC #AppSecDC]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?)
  
We are pleased to announce that the [http://www.owasp.org/index.php/Washington_DC OWASP DC chapter] will host the OWASP AppSec DC 2009 conference in Washington, DC.  The conference will take place at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] ([http://maps.google.com/maps?q=801+Mount+Vernon+Place+NW+Washington,+DC+20001&oe=utf-8&client=firefox-a&ie=UTF8&split=0&gl=us&ei=kSntSYT5B5WOMvOWzPUP&ll=38.904977,-77.022979&spn=0.00895,0.019977&z=16&iwloc=A 801 Mount Vernon Place NW Washington, DC 20001]) on November 10th through 13th of 2009.  There will be training courses on November 10th and 11th followed by plenary sessions on the 12th and 13th with each day having three tracks.
+
'''@AppSecDC09 Twitter Feed ([http://twitter.com/AppSecDC09 follow us on Twitter!])''' <twitter>34534108</twitter>
 +
 
 +
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
 
|}
 
|}
<!-- Twitter Box -->
 
|style="width:100%;font-size:95%;color:#000;background-color:#ececec;border:1px solid #ccc"|
 
'''Twitter Feed ([http://twitter.com/AppSecDC09 follow me!])'''
 
<twitter>34534108</twitter>
 
|style="width:110px;font-size:95%;color:#000"|
 
|} <!-- End Banner -->
 
  
<hr>
+
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |
 +
|}
 +
<!-- End Banner -->  
 +
==== Global Summit 09  ====
 +
On November 11th 2009 OWASP leaders and Key Industry Players join forces again to discuss the latest OWASP tools and documentation projects and set the application security agenda for 2010.
  
The [http://www.owasp.org/images/6/65/AppSec_DC_2009_CFP.pdf Call for Papers] is currently '''<span style="color:green">OPEN</span>'''
+
One day prior to the conference OWASP chapter leaders, committee members, project leaders and OWASP members will gather in Washington for the [[Summit 2009|OWASP Global Summit 2009]].
  
The [http://www.owasp.org/images/0/06/AppSec_DC_2009_Call_for_Trainers.pdf Call for Training Providers] is currently '''<span style="color:green">OPEN</span>'''
+
Participation is free for OWASP chapter leaders, committee members, project leaders and OWASP [[Membership|members]] (hint: membership is only $50).
  
We also have a wide range of '''[https://www.owasp.org/images/3/36/Sponsorship_Form_update_DC.pdf Sponsorship Opportunities]''' available
+
Please [http://owaspsummit.eventbrite.com/ Register] upfront so we can size the venue appropriately. This does NOT provide you access to the OWASP conference, which is a separate registration.
  
== Call for Papers ==
+
Full details are available on page [[Summit 2009|OWASP Global Summit 2009]].
  
[http://www.owasp.org/images/6/65/AppSec_DC_2009_CFP.pdf PDF Version w/ FAQ]
+
==== Registration  ====
  
OWASP is currently soliciting papers for the OWASP AppSec DC 2009 Conference. There will be training courses on November 10th and 11th followed by plenary sessions on the 12th and 13th with each day having at least three tracks. AppSec DC may also have BOF, break out, or speed talks in addition to the standard schedule depending on the submissions we receive.
+
== [http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c Registration] is now open!  ==
  
We are seeking people and organizations that want to present on any of the following topics:
+
=== You can register [http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c here]  ===
* Business Risks with Application Security.
 
* Starting and Managing Secure Development Lifecycle Programs.
 
* Web Services-, XML- and Application Security.
 
* Metrics for Application Security.
 
* Application Threat Modeling.
 
* Hands-on Source Code Review.
 
* Web Application Security Testing.
 
* OWASP Tools and Projects.
 
* Secure Coding Practices (J2EE/.NET).
 
* Privacy Concerns with Applications and Data Storage
 
* Web Application Security countermeasures
 
* Technology specific presentations on security such as AJAX, XML, etc.
 
* Anything else relating to OWASP and Application Security.
 
  
To make a call for papers submission you must include :
+
OWASP [[Membership]] ($50 annual membership fee) gets you a discount of $50.
* Presenter(s) name(s)
 
* Presenter(s) Email and Phone numbers
 
* Presenter(s) bio(s)
 
* Title
 
* Abstract
 
* Any supporting research/tools (will not be released outside of CFP committee)
 
  
 +
{|
 +
|-
 +
| $395
 +
| General Public
 +
|-
 +
| $345
 +
| OWASP Members
 +
|-
 +
| $195
 +
| Students
 +
|-
 +
| $1350
 +
| 2-Day Training Course
 +
|-
 +
| $675
 +
| 1-Day Training Course
 +
|}
  
Submission deadline is '''June 15th 2009 at 11:59 PM Eastern Standard Time'''. Submit proposals to mark.bristow(at)owasp.org with the subject line '''APPSEC DC CFP SUBMISSION'''.  ''It is very important that you submit properly or your proposal will not be considered'' (an automated filter is used).
+
<br>[[OWASP AppSec DC 2009#tab.3DTraining|Go here for details on the training courses that are available.]]
  
 +
'''Who Should Attend AppSec DC 2009:'''
  
'''If you have additional questions about the CFP please read the [[OWASP AppSec DC 2009 - FAQ | FAQ]]'''
+
*Application Developers
 +
*Application Testers and Quality Assurance
 +
*Application Project Management and Staff
 +
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
 +
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
 +
*Security Managers and Staff
 +
*Executives, Managers, and Staff Responsible for IT Security Governance
 +
*IT Professionals Interested in Improving IT Security<br>
  
== Sponsors ==
+
<br> For the student discount, attendees must present proof of enrollment when picking up their badge.  
We are currently soliciting sponsors for the AppSec DC Conference.  Please refer to our '''[https://www.owasp.org/images/3/36/Sponsorship_Form_update_DC.pdf sponsorship opportunities]''' for details.
 
  
== Training ==
+
==== Volunteer  ====
  
=== Call for Training ===
+
== Volunteers Needed!  ==
  
[http://www.owasp.org/images/0/06/AppSec_DC_2009_Call_for_Trainers.pdf PDF Version]
+
Get involved!
  
There are a total of five classrooms over two days or 10 training days available at the conference.  Two classrooms hold 30 students and the other three have a capacity of 24 students.
+
We will take all the help we can get to pull off the best Web Application Security Conference of the year!
  
The following conditions apply for people or organizations that want to provide training at the conference:
+
Please contact the appropriate arch-minion to volunteer for a specific area:  
* Training provider should provide class syllabus / training materials.
 
* Proceeds will be split 75/25 (OWASP/Trainer) for the training class.
 
** The 75% for OWASP goes towards: Classroom Rental, Conference Logistics/Registration, and Food and OWASP Grants for Research Projects.
 
* Courses must have an enrollment of 60% before class is considered operational.
 
* Price per attendee: 2-Day Class $1350/ 1-Day Class $675.
 
* Trainers can brand training materials to increase their exposure
 
* Classes are to be focused around Application Security
 
  
Training proposals should consist of the following information:
+
*Security -- [mailto:angel.contreras(at)owasp.org Angel Contreras]
# Trainer contact info (country of origin and residence-mail, postal address, phone, E-mail).
+
*Speakers and Trainers -- [mailto:wade.woolwine(at)owasp.org Wade Woolwine], [mailto:jeremy.long(at)owasp.org Jeremy Long] and [mailto:josh.feinblum(at)owasp.org Josh Feinblum]
# Employer and/or affiliations.
+
*Vendors -- [mailto:dave.sachdev(at)owasp.org Dave Sachdev]
# Training synopsis, proposed training title, and a one-paragraph description.
+
*Facilities -- [mailto:doug.wilson(at)owasp.org Doug Wilson] and [mailto:barry.austin(at)owasp.org Barry Austin]
# Brief biography, list of publications and papers.
+
 
# Any significant presentation and educational experience/background.
+
More opportunities and areas will be added as time goes on. Our [http://www.owasp.org/images/f/f1/OWASP_DCAppSec_Vol_Guide.pdf Volunteer Guide] can be downloaded which outlines some of the responsibilities and available positions.
# Reason why this material is innovative or significant or an important training for the OWASP conference.
+
 
# Please list any other publications or conferences where this material has been or will be published/submitted.
+
Or, you can e-mail the organizers at mark.bristow(at)owasp.org, doug.wilson(at)owasp.org or rex.booth(at)owasp.org.
# Training format (hands-on, lecture …)
+
 
# Provide a list of items/software students need for the training.
+
Or email appsec_us_09(at)lists.owasp.org or [https://lists.owasp.org/mailman/listinfo/appsec_us_09 sign up] for the mailing list!
# Optionally, any samples of prepared material or outlines.
+
 
 +
==== Schedule  ====
==The conference schedule has been moved [[OWASP AppSec DC 2009 Schedule|here]]==
==== Training ====
 +
 
 +
There are a total of five classrooms over two days or 10 training days available at the conference. Two classrooms hold 30 students and the other three have a capacity of 24 students. The cost for two day training is $1350 USD and the cost for one day training is $675 USD.
 +
 
 +
== 2 Day Training: November 10 and November 11  ==
 +
 
 +
'''Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework'''
 +
 
 +
This course will focus on using open source tools to perform web application assessments. The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-WTF). Day one will take students through the steps and open source tools used to assess applications for vulnerabilities. Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks. The latest tools and techniques will be used throughout the course, including several tools developed by the trainers themselves.
 +
 
 +
'''Instructor: Justin Searle:''' Justin Searle, a Senior Security Analyst with InGuardians, specializes in penetration testing and security architecture. Previously, Justin served as JetBlue Airway’s IT Security Architect and has provided top-tier support for the largest supercomputers in the world. In his rapidly dwindling spare time, Justin co-leads prominent open source projects including The Middler, Samurai Web Testing Framework, BASE, and the social networking pentest tools: Yokoso! and Laudnum.
 +
 
 +
<br> '''Java EE Secure Code Review'''
 +
 
 +
The gut of any application lies in its source code. With the ever-emerging landscape of threats and attack vectors facing today’s applications, the need for secure source code has never been greater. In this course, students will be working with actual web application source code samples and discover how to pinpoint weaknesses, identify common security flaws, and discuss corrective coding controls. Major application security domains will be covered, including common authentication and access control coding errors, session management vulnerabilities, identifying injection flaws, and more. For anyone looking to learn how to identify common security weaknesses in a code base, this course is a must.  
 +
 
 +
'''Instructor: Sahba Kazerooni:''' Sahba Kazerooni is Practice Lead of Software Security Services. He has a strong background in Java EE architecture and development. At Security Compass, Sahba leads the Software Security Services practice which performs penetration testing, source code review, and Threat Modeling of client applications. He also plays a critical role in the development of curriculum for and delivery of Security Compass training services. He has developed and taught courses on various topics such as Secure Coding in Java EE, Exploiting and Defending Web Applications, and Application Security Awareness. Mr. Kazerooni is also an internationally-renowned speaker on security topics. He has presented at conferences around the world including BlackHat Security Conference in Amsterdam, Security Opus in San Francisco, and IDC WebSec in Mexico City. Sahba delivers Java secure coding training at the SANS Institute, the largest source for information security training and certification, and has also provided numerous presentations through ISC2 to their elite network of certified information security professionals.  
 +
 
 +
== 1 Day Training November 10  ==
 +
 
 +
'''Threat Modeling Express''' The benefits of threat modeling at the design stage are well-documented, yet few organizations are able to perform this analysis technique due to time constraints. Based on our experience in real world situations, Security Compass has developed a one day approach to threat modeling.
 +
 
 +
In this class, students learn how to create a “quick and dirty” application threat model using an organization’s most valuable resource: its people. Students learn about the basics of web application security, as well as learn about and perform a real hands-on Express Threat Model. A deliverable template and list of steps will be provided as takeaways for students.  
 +
 
 +
'''Instructor: Krishna Raja:''' Krishna Raja is an Application Security Consultant with an extensive background in J2EE application development. He has performed comprehensive security assessments for various clients, which involves threat analysis, source code inspection and runtime penetration testing.
 +
 
 +
Mr. Raja has also been instrumental in the development and delivery of Security Compass’ training curriculum. He has developed and taught courses in Exploiting and Defending Web Applications, Application Security Awareness and Advanced Application Attacks to architects, project managers and developers across Canada and the United States. Krishna is an emerging speaker at information security conferences, and last year spoke at Source Boston 2008 and ISSA Secure SD Symposium.  
 +
 
 +
<br> '''Foundations of Web Services and XML Security''' The movement towards Web Services and Service Oriented Architecture (SOA) paradigms requires new security paradigms to deal with the new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application and identity servers, and related software. This course does not require a laptop, though a Windows-based machine is useful for participating in exercises.
 +
 
 +
'''Instructor: [[User:Wichers|Dave Wichers]]''', [http://www.aspectsecurity.com Aspect Security]
 +
 
 +
<br> '''Applying the OWASP Testing Guide with the OWASP Live CD'''
 +
 
 +
The OWASP Live CD provides the necessary tools to test web applications. The OWASP Testing Guide provides a testing framework. You're testing web applications currently, now what? Time to take your testing to the next level. This class will offer information on how to use the OWASP Live CD tools together for greater accuracy and speed, how to feed the results of one tool into another, and how to automate the more tedious aspects of web application testing. The training is focused not on what or how to test, but on how to get more out of the testing time you have. Let's face it: testing time frames are always shorter than they should be, so how can you squeeze the most into the engagement time you have? After attending this training, you'll have some tricks in your bag to optimize your testing.
 +
 
 +
'''Instructor: Matt Tesauro:'''
 +
 
 +
== 1 Day Training November 11  ==
 +
 
 +
'''WebAppSec.php: Developing Secure Web Applications'''
 +
 
 +
Web applications are the new frontier of widespread security breaches. This tutorial will guide you through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types will be reviewed, along with how the proper development practices can mitigate their damage. Although the tutorial targets the security of PHP-based applications, much of the content is applicable to other programming languages as well.  
 +
 
 +
'''Instructor: Robert Zakon:''' Robert Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy, over 15 years ago. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non-profits and government agencies on technology, information, and security architectures and infrastructures. He has presented at numerous conferences and taught a handful of courses and tutorials. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS &amp; MS degrees from Case Western Reserve University in Computer Engineering &amp; Science with concentrations in Philosophy &amp; Psychology. His interests are diverse and can be explored at www.Zakon.org where a full vitae is available.
 +
 
<br> '''Leader and Manager Training - Leading the Development of Secure Applications'''
 +
 
 +
Through a series of case studies and scenarios, John will provide awareness of application security vulnerabilities and verification techniques, compare pros/cons of remediation approaches taken, and provide a practical and tried method in establishing a positive application security program.  A program based on four simple balanced focus areas that leverage people, process, and technology to build the capability to reliably produce secure applications.  Together, these areas with established practices will enable your organization to successfully manage, improve and sustain an application security initiative in a cost effective and regulatory compliant manner.
 +
 
 +
'''Instructor: John Pavone:''' John Pavone is Aspect's Vice President of Acceleration Services, specializing in the enablement of application security within organizations.  John has been an IT professional for over 20 years.  In the last 14 years, John has concentrated solely on Information and IT Infrastructure Security. 
 +
 
 +
John held various security related management positions, including the chief security architect for a large financial services firm.  In this role, John established an enterprise–wide IT security program utilizing a quantitative risk assessment and mitigation approach with a direct line of sight to the organization’s corporate dashboard.  Other major accomplishments include the development and mainstreaming of an IT risk management process, the creation of an application vulnerability testing lab, and the security design and implementation of an enterprise single sign-on and authorization system.
==== Venue  ====
 +
 
 +
== Walter E. Washington Convention Center  ==
 +
 
 +
AppSec DC 2009 will be taking place at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] in downtown Washington DC.  
 +
 
 +
The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro], and only a few blocks from our convention hotel, the [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] (reserve rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=1401279&fromResdesk=true here]).
 +
 
 +
[http://www.dcconvention.com/ http://www.owasp.org/images/8/85/Screen_shot_2009-10-03_at_12.55.55_PM.png]
 +
 
 +
==== Hotel  ====
 +
 
 +
== Grand Hyatt Washington DC  ==
 +
 
 +
[[Image:Hotel_Map.png|left]]
 +
 
 +
We've partnered with the [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] to bring you luxury accommodations at a reasonable price for your stay during our conference.
 +
 
 +
The Grand Hyatt is only a few blocks from the [http://www.dcconvention.com/ DC Convention Center] and adjacent to a wide variety of restaurants and night life in downtown DC.
 +
 
 +
Our [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=1401279&fromResdesk=true convention rate for reservations] can also be applied shortly before or after the conference, if you wish to stay longer and enjoy the Washington DC Metropolitan Area.  
 +
 
 +
You can register for a room at our convention rate of $209/night '''SOLD OUT'''
 +
 
 +
The [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] is one block from the [http://www.wmata.com/rail/station_detail.cfm?station_id=1 Metro Center] metro station, and three blocks from the [http://www.wmata.com/rail/station_detail.cfm?station_id=21 Gallery Place/Chinatown] metro station.
 +
 
 +
==== Sponsors  ====
 +
 
 +
== Sponsors  ==
 +
 
 +
We are currently soliciting sponsors for the AppSec DC Conference. Please refer to our '''[http://www.owasp.org/images/e/ee/AppSec_DC_2009_Sponsorships_v2.pdf sponsorship opportunities]''' for details.
 +
 
 +
Slots are going fast so contact us to sponsor today!
 +
 
 +
{| cellspacing="10" border="0" valign="middle" align="center" style="background: none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;"
 +
|-
 +
| <h2>Platinum Sponsors</h2>
 +
|[[Image:AppSecDC2009-Sponsor-hp.gif|link=http://www.hp.com]]
 +
|[[Image:AppSecDC2009-Sponsor-softtek.gif|link=http://www.softtek.com]]
 +
|
 +
 +
|-
 +
| &nbsp;
 +
|-
 +
| <h2>Gold Sponsors</h2>
 +
| [[Image:AppSecDC2009-Sponsor-aod.gif|link=http://www.artofdefence.com/]]
 +
| [[Image:AppSecDC2009-Sponsor-securicon.gif|link=http://www.securicon.com]]
 +
| [[Image:Ibmneg_blurgb.jpg|link=www.ibm.com]]
 +
|-
 +
| &nbsp;
 +
|-
 +
| <h2>Silver Sponsors</h2>
 +
| [[Image:AppSecDC2009-Sponsor-aspect.gif|link=http://www.aspectsecurity.com/]]
 +
| [[Image:AppSecDC2009-Sponsor-cenzic.gif|link=http://www.cenzic.com/]]
 +
| [[Image:Cigital_OWASP.GIF|link=http://www.cigital.com]]
 +
|-
 +
|
 +
| [[Image:AppSecDC2009-Sponsor-core.gif|link=http://www.coresecurity.com/]]
 +
| [[Image:AppSecDC2009-Sponsor-cross.gif|link=http://www.crosschecknet.com/]]
 +
| [[Image:AppSecDC2009-Sponsor-fishnet.gif|link=http://www.fishnetsecurity.com/]]
 +
 
 +
|-
 +
|
 +
| [[Image:AppSecDC2009-Sponsor-gt.gif|link=http://www.grantthornton.com/]]
 +
| [[Image:AppSecDC2009-Sponsor-mandiant.gif|link=http://www.mandiant.com/]]
 +
| [[Image:AppSecDC2009-Sponsor-tenable.gif|link=http://www.tenablesecurity.com/]]
 +
|-
 +
|
 +
| [[Image:AppSecDC2009-Sponsor-veracode.gif|link=http://www.veracode.com/]]
 +
| [[Image:AppSecDC2009-Sponsor-whitehat.gif|link=http://www.whitehatsec.com/]]
 +
|
 +
|-
 +
| &nbsp;
 +
|-
 +
| &nbsp;
 +
|-
 +
| &nbsp;
 +
|-
 +
| <h3>Organizational Sponsors</h3>
 +
| [[Image:AppSecDC2009-Sponsor-issa.gif|link=http://www.issa-dc.org/]]
 +
| [[Image:Sponsor-isc2.gif‎|link=http://www.isc2.org/]]
 +
|-
 +
| &nbsp;
 +
|-
 +
| <h3>Reception Sponsors</h3>
 +
| [[Image:AppSecDC2009-Sponsor-cenzic.gif|link=http://www.cenzic.com/]]
 +
|-
 +
| <h3>Coffee Sponsors</h3>
 +
| [[Image:AppSecDC2009-Sponsor-fyrm.gif|link=http://www.fyrmassociates.com/]]
 +
| [[Image:AppSecDC2009-Sponsor-denim.gif|link=http://www.denimgroup.com/]]
 +
|-
 +
|}
  
 +
==== Travel  ====
  
'''Submission deadline is June 15th 2009'''.  Submissions must use the training [https://www.owasp.org/images/8/85/OWASP_CFT_Template-1-.doc proposal template]. Submit proposals to rex.booth(at)owasp.org with the subject line '''APPSEC DC CFT SUBMISSION'''.
+
== Traveling to the DC Metro Area ==
  
== Volunteer ==
+
The Washington DC Area is serviced by three airports -- [http://www.metwashairports.com/national/ Reagan National (DCA)], [http://www.metwashairports.com/Dulles/ Dulles (IAD)], and [http://www.bwiairport.com/en Thurgood Marshall Baltimore/Washington International (BWI)]. All currently have available transportation to downtown DC via public transportation, shuttles, or cab.
Get involved! We need all the help we can get!
 
  
Email mark.bristow(at)owasp.org, doug.wilson(at)owasp.org or rex.booth(at)owasp.org
+
Washington DC is also serviced by [http://www.amtrak.com Amtrak], [http://www.vre.org/ VRE], and [http://www.mtamaryland.com/services/marc/ MARC] train lines, which arrive in [http://www.wmata.com/rail/station_detail.cfm?station_id=25 Union Station], a few metro stops or a short cab ride away from the convention center and the Grand Hyatt.  
  
Email appsec_us_09(at)lists.owasp.org or [https://lists.owasp.org/mailman/listinfo/appsec_us_09 sign up] for the mailing list!
+
If you live in the DC Metropolitan area, we suggest taking [http://www.wmata.com Metro] to the event. The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro].
  
 +
<headertabs />
  
[[Category:OWASP AppSec Conference]]
+
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_09]]

Latest revision as of 02:46, 7 November 2009


Dc09.png

Walter E. Washington Convention Center | Registration


Welcome

Press Release August 20th 2009 -- Speaker Agenda Released and Registration Open!

We are pleased to announce that the OWASP DC chapter will host the OWASP AppSec 2009 conference in Washington, DC. The AppSec DC OWASP Conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

AppSec DC 2009 will be held at the Walter E. Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001) on November 10th through 13th 2009.

Who Should Attend AppSec DC 2009:

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interested in Improving IT Security


The full AppSecDC Schedule can be found here.

You can register for the conference here.

On November 11th 2009 OWASP also organizes the OWASP Global Summit 2009.




Threestarforsite.png

Use the #AppSecDC hashtag for your tweets (What are hashtags?)

@AppSecDC09 Twitter Feed (follow us on Twitter!) <twitter>34534108</twitter>

Global Summit 09

On November 11th 2009 OWASP leaders and Key Industry Players join forces again to discuss the latest OWASP tools and documentation projects and set the application security agenda for 2010.

One day prior to the conference OWASP chapter leaders, committee members, project leaders and OWASP members will gather in Washington for the OWASP Global Summit 2009.

Participation is free for OWASP chapter leaders, committee members, project leaders and OWASP members (hint: membership is only $50).

Please Register upfront so we can size the venue appropriately. This does NOT provide you access to the OWASP conference, which is a separate registration.

Full details are available on page OWASP Global Summit 2009.

Registration

Registration is now open!

You can register here.

OWASP Membership ($50 annual membership fee) gets you a discount of $50.

  • $395 General Public
  • $345 OWASP Members
  • $195 Students
  • $1350 2-Day Training Course
  • $675 1-Day Training Course


Go here for details on the training courses that are available.

For the student discount, attendees must present proof of enrollment when picking up their badge.

Volunteer

Volunteers Needed!

Get involved!

We will take all the help we can get to pull off the best Web Application Security Conference of the year!

Please contact the appropriate arch-minion to volunteer for a specific area:

More opportunities and areas will be added as time goes on. Our Volunteer Guide, which outlines some of the responsibilities and available positions, can be downloaded.

Or, you can e-mail the organizers at mark.bristow(at)owasp.org, doug.wilson(at)owasp.org or rex.booth(at)owasp.org.

Or email appsec_us_09(at)lists.owasp.org or sign up for the mailing list!

Schedule

The conference schedule has been moved here.

Training

There are a total of five classrooms over two days or 10 training days available at the conference. Two classrooms hold 30 students and the other three have a capacity of 24 students. The cost for two day training is $1350 USD and the cost for one day training is $675 USD.

2 Day Training: November 10 and November 11

Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework

This course will focus on using open source tools to perform web application assessments. The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-WTF). Day one will take students through the steps and open source tools used to assess applications for vulnerabilities. Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks. The latest tools and techniques will be used throughout the course, including several tools developed by the trainers themselves.

Instructor: Justin Searle: Justin Searle, a Senior Security Analyst with InGuardians, specializes in penetration testing and security architecture. Previously, Justin served as JetBlue Airway’s IT Security Architect and has provided top-tier support for the largest supercomputers in the world. In his rapidly dwindling spare time, Justin co-leads prominent open source projects including The Middler, Samurai Web Testing Framework, BASE, and the social networking pentest tools: Yokoso! and Laudnum.


Java EE Secure Code Review

The gut of any application lies in its source code. With the ever-emerging landscape of threats and attack vectors facing today’s applications, the need for secure source code has never been greater. In this course, students will be working with actual web application source code samples and discover how to pinpoint weaknesses, identify common security flaws, and discuss corrective coding controls. Major application security domains will be covered, including common authentication and access control coding errors, session management vulnerabilities, identifying injection flaws, and more. For anyone looking to learn how to identify common security weaknesses in a code base, this course is a must.

Instructor: Sahba Kazerooni: Sahba Kazerooni is Practice Lead of Software Security Services. He has a strong background in Java EE architecture and development. At Security Compass, Sahba leads the Software Security Services practice which performs penetration testing, source code review, and Threat Modeling of client applications. He also plays a critical role in the development of curriculum for and delivery of Security Compass training services. He has developed and taught courses on various topics such as Secure Coding in Java EE, Exploiting and Defending Web Applications, and Application Security Awareness. Mr. Kazerooni is also an internationally-renowned speaker on security topics. He has presented at conferences around the world including BlackHat Security Conference in Amsterdam, Security Opus in San Francisco, and IDC WebSec in Mexico City. Sahba delivers Java secure coding training at the SANS Institute, the largest source for information security training and certification, and has also provided numerous presentations through ISC2 to their elite network of certified information security professionals.

1 Day Training November 10

Threat Modeling Express

The benefits of threat modeling at the design stage are well-documented, yet few organizations are able to perform this analysis technique due to time constraints. Based on our experience in real world situations, Security Compass has developed a one day approach to threat modeling.

In this class, students learn how to create a “quick and dirty” application threat model using an organization’s most valuable resource: its people. Students learn about the basics of web application security, as well as learn about and perform a real hands-on Express Threat Model. A deliverable template and list of steps will be provided as takeaways for students.

Instructor: Krishna Raja: Krishna Raja is an Application Security Consultant with an extensive background in J2EE application development. He has performed comprehensive security assessments for various clients, which involves threat analysis, source code inspection and runtime penetration testing.

Mr. Raja has also been instrumental in the development and delivery of Security Compass’ training curriculum. He has developed and taught courses in Exploiting and Defending Web Applications, Application Security Awareness and Advanced Application Attacks to architects, project managers and developers across Canada and the United States. Krishna is an emerging speaker at information security conferences, and last year spoke at Source Boston 2008 and ISSA Secure SD Symposium.


Foundations of Web Services and XML Security

The movement towards Web Services and Service Oriented Architecture (SOA) paradigms requires new security paradigms to deal with the new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application and identity servers, and related software. This course does not require a laptop, though a Windows-based machine is useful for participating in exercises.

Instructor: Dave Wichers, Aspect Security


Applying the OWASP Testing Guide with the OWASP Live CD

The OWASP Live CD provides the necessary tools to test web applications. The OWASP Testing Guide provides a testing framework. You're testing web applications currently, now what? Time to take your testing to the next level. This class will offer information on how to use the OWASP Live CD tools together for greater accuracy and speed, how to feed the results of one tool into another, and how to automate the more tedious aspects of web application testing. The training is focused not on what or how to test, but on how to get more out of the testing time you have. Let's face it: testing time frames are always shorter than they should be, so how can you squeeze the most into the engagement time you have? After attending this training, you'll have some tricks in your bag to optimize your testing.

Instructor: Matt Tesauro

1 Day Training November 11

WebAppSec.php: Developing Secure Web Applications

Web applications are the new frontier of widespread security breaches. This tutorial will guide attendees through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types will be reviewed, along with how the proper development practices can mitigate their damage. Although the tutorial targets the security of PHP-based applications, much of the content is applicable to other programming languages as well.

Instructor: Robert Zakon: Robert Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy, over 15 years ago. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non-profits and government agencies on technology, information, and security architectures and infrastructures. He has presented at numerous conferences and taught a handful of courses and tutorials. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS & MS degrees from Case Western Reserve University in Computer Engineering & Science with concentrations in Philosophy & Psychology. His interests are diverse and can be explored at www.Zakon.org where a full vitae is available.



Leader and Manager Training - Leading the Development of Secure Applications

Through a series of case studies and scenarios, John will provide awareness of application security vulnerabilities and verification techniques, compare pros/cons of remediation approaches taken, and provide a practical and tried method for establishing a positive application security program, based on four simple, balanced focus areas that leverage people, process, and technology to build the capability to reliably produce secure applications. Together, these areas with established practices will enable your organization to successfully manage, improve and sustain an application security initiative in a cost-effective and regulatory-compliant manner.

Instructor: John Pavone: John Pavone is Aspect's Vice President of Acceleration Services, specializing in the enablement of application security within organizations. John has been an IT professional for over 20 years. In the last 14 years, John has concentrated solely on Information and IT Infrastructure Security.

John held various security related management positions, including the chief security architect for a large financial services firm. In this role, John established an enterprise-wide IT security program utilizing a quantitative risk assessment and mitigation approach with a direct line of sight to the organization’s corporate dashboard. Other major accomplishments include the development and mainstreaming of an IT risk management process, the creation of an application vulnerability testing lab, and the security design and implementation of an enterprise single sign-on and authorization system.


Venue

Walter E. Washington Convention Center

AppSec DC 2009 will be taking place at the Walter E. Washington Convention Center in downtown Washington DC.

The convention center is located over the Mount Vernon Square/Convention Center Metro stop on the Green and Yellow lines of the DC Metro, and only a few blocks from our convention hotel, the Grand Hyatt Washington (reserve rooms here).

Hotel

Grand Hyatt Washington DC

We've partnered with the Grand Hyatt Washington to bring you luxury accommodations at a reasonable price for your stay during our conference.

The Grand Hyatt is only a few blocks from the DC Convention Center and adjacent to a wide variety of restaurants and night life in downtown DC.

Our convention rate for reservations can also be applied shortly before or after the conference, if you wish to stay longer and enjoy the Washington DC Metropolitan Area.

You can register for a room at our convention rate of $209/night (SOLD OUT).

The Grand Hyatt Washington is one block from the Metro Center metro station, and three blocks from the Gallery Place/Chinatown metro station.

Sponsors

We are currently soliciting sponsors for the AppSec DC Conference. Please refer to our sponsorship opportunities for details.

Slots are going fast so contact us to sponsor today!

Platinum Sponsors

[Sponsor logos: hp, softtek]

Gold Sponsors

[Sponsor logos: aod, securicon, ibm]

Silver Sponsors

[Sponsor logos: aspect, cenzic, cigital, core, cross, fishnet, gt, mandiant, tenable, veracode, whitehat]

Organizational Sponsors

[Sponsor logos: issa, isc2]

Reception Sponsors

[Sponsor logo: cenzic]

Coffee Sponsors

[Sponsor logos: fyrm, denim]

Travel

Traveling to the DC Metro Area

The Washington DC area is served by three airports -- Reagan National (DCA), Dulles (IAD), and Thurgood Marshall Baltimore/Washington International (BWI). All currently offer transportation to downtown DC via public transit, shuttle, or cab.

Washington DC is also served by Amtrak, VRE, and MARC train lines, which arrive at Union Station, a few Metro stops or a short cab ride away from the convention center and the Grand Hyatt.

If you live in the DC Metropolitan area, we suggest taking Metro to the event. The convention center is located over the Mount Vernon Square/Convention Center Metro stop on the Green and Yellow lines of the DC Metro.