
Difference between revisions of "OWASP IBWAS10 Conference Line-Up"

{| width="100%" cellspacing="3" cellpadding="5" border="0" align="center" style="background: none repeat scroll 0% 0% transparent; -moz-background-inline-policy: continuous;"
|- valign="middle"
| bgcolor="#bbbbff" align="center" rowspan="1" | 08:30 - 09:00
| bgcolor="#bbbbff" align="center" colspan="2" | '''PARTICIPANTS RECEPTION''' | Welcome Desk
|-
|- valign="middle"
| bgcolor="#bbbbff" align="center" rowspan="2" | 09:00 - 09:30
| bgcolor="#666699" align="center" style="color: white;" colspan="2" | '''OPENING SESSION''' | Room B2.04
|-
| bgcolor="#ccccee" align="center" colspan="2" | Carlos Sá da Costa (ISCTE-IUL Vice Chancellor), Francisco Cercas (ISTA President)<br>[[User:Pontocom|Carlos Serrão (ISCTE-IUL, OWASP Portugal)]], [[User:Vicente.aguilera|Vicente Aguillera (OWASP Spain)]], [[User:Dinis.cruz|Dinis Cruz (OWASP Board/Summit)]]
|- valign="middle"
| bgcolor="#bbbbff" align="center" rowspan="2" | 09:30 - 10:30
| bgcolor="#666699" align="center" style="color: white;" colspan="2" | '''KEYNOTE SPEECH''' | Room B2.04
|-
| bgcolor="#ccccee" align="center" colspan="2" | Carlos Ribeiro (IST)<br>[[#Keynote:_How_cryptography_can_rescue_the_web|'''How cryptography can rescue the web''']] | [http://www.owasp.org/images/8/87/Ibwas.pdf slides] [http://www.vimeo.com/18225213 video]
|- valign="middle"
| bgcolor="#bbbbff" align="center" | 10:30 - 10:45
| bgcolor="#eeeeff" align="center" colspan="2" | COFFEE BREAK (*)
|- valign="middle"
| bgcolor="#bbbbff" align="center" rowspan="2" | 10:45 - 11:45
| bgcolor="#666699" align="center" style="color: white;" colspan="2" | '''KEYNOTE SPEECH''' | Room B2.04
|-
| bgcolor="#ccccee" align="center" colspan="2" | [[User:Dinis.cruz|Dinis Cruz (OWASP Board)]]<br>"'''[http://www.owasp.org/images/0/0d/Dcruz.pdf What is OWASP and a Challenge to Portugal/Spain]'''" | [http://www.owasp.org/images/0/0d/Dcruz.pdf slides] [http://www.vimeo.com/18221095 video]
|- valign="middle"
| width="10%" bgcolor="#bbbbff" align="center" rowspan="2" | 11:45 - 13:15
| width="45%" bgcolor="#666699" align="center" style="color: white;" | '''TECHNICAL TRACK''' | Room B2.04
| width="45%" bgcolor="#666699" align="center" style="color: white;" | '''TECHNICAL TRACK''' | Room B2.02
|-
| bgcolor="#ccccee" align="center" | Luís Grangeia (Sysvalue)<br>[[#Talk:_Web_Security_from_an_auditor.27s_standpoint:_What_works_and_what_doesn.27t|'''Web Security from an auditor's standpoint: What works and what doesn't''']] | [http://www.owasp.org/images/c/ca/Lgrangeia.pdf slides] [http://www.vimeo.com/18324133 video]<br>[[User:Buanzo|Arturo 'Buanzo' Busleiman (OWASP Project Leader)]]<br>[[#Talk:_Jiffy_-_A_secure_instant_messenger|'''Jiffy - A secure instant messenger''']] | slides [http://www.vimeo.com/18326923 video]
| bgcolor="#ccccee" align="center" | Francisco Rente (FCTUC)<br>[[#Talk:_Insecure_by_Nature_-_Portuguese_Net_Security_Overview|'''Insecure by Nature - Portuguese Net Security Overview''']] | slides video<br>Bruno Pedro (Tarpipe)<br>[[#Talk:_Is_OAuth_really_secure.3F|'''Is OAuth really secure?''']] | [http://www.slideshare.net/bpedro/is-oauth-really-secure slides] [http://www.vimeo.com/18389336 video]
|- valign="middle"
| width="100" bgcolor="#bbbbff" align="center" | 13:15 - 14:30
| bgcolor="#eeeeff" align="center" colspan="2" | LUNCH BREAK (*)
|- valign="middle"
| bgcolor="#bbbbff" align="center" rowspan="2" | 14:30 - 17:00
| bgcolor="#666699" align="center" style="color: white;" | '''TECHNICAL TRACK''' | Room B2.04
| bgcolor="#666699" align="center" style="color: white;" | '''RESEARCH TRACK''' | Room B2.02
|-
| bgcolor="#ccccee" align="center" | [[User:Knoblochmartin|Martin Knobloch (OWASP Education Committee)]]<br>[[#Talk:_Developing_Secure_Applications_with_OWASP|'''Developing Secure Applications with OWASP''']] | [http://www.owasp.org/images/7/7c/Martin01.pdf slides] [http://www.vimeo.com/18327894 video]<br>Bruno Morisson (Integrity)<br>[[#Talk:_The_Thing_That_Should_Not_Be_.28a_glimpse_into_the_future_of_web_application_security.29|'''The Thing That Should Not Be''']] | [http://www.slideshare.net/morisson/bruno-morisson-tttsnb-ibwas2010 slides] [http://www.vimeo.com/18330407 video]<br>[[User:Dinis.cruz|Dinis Cruz (OWASP Project Leader)]]<br>[[OWASP O2 Platform|'''OWASP O2 Platform''']] | slides [http://www.vimeo.com/18387261 video]<br>[[User:Cmartorella|Christian Martorella (Project Leader)]]<br>[[#Talk:_2010_and_still_bruteforcing|'''2010 and still bruteforcing''']] | [http://www.edge-security.com/docs/Christian%20Martorella%20-%20IBWAS2010-%20Bruteforce2010.pdf slides] [http://www.vimeo.com/18387820 video]
| bgcolor="#ccccee" align="center" | Nuno Teodoro (Noesis, ISCTE)<br>'''Automating Web Applications Security Assessments through Scanners''' | slides [http://www.vimeo.com/18390493 video]<br>Felipe Ferraz (CESAR)<br>'''Security Quality Assurance on Web-based Application through Security Requirements Tests based on OWASP Test Document: elaboration, execution and automation''' | slides video<br>Felipe Ferraz (CESAR)<br>'''OntoLog: A Security log analyses tool using web semantic and ontology''' | slides video<br>Rekha Kashyap (LBSIMND)<br>'''Weighted Deadline Driven Security Aware Scheduling for Real time Computational Grid''' | slides [http://www.vimeo.com/18390202 video]
|- valign="middle"
| bgcolor="#bbbbff" align="center" | 17:00 - 17:15
| bgcolor="#eeeeff" align="center" colspan="2" | COFFEE BREAK (*)
|- valign="middle"
| bgcolor="#bbbbff" align="center" rowspan="2" | 17:15 - 19:30
| bgcolor="#666699" align="center" style="color: white;" | '''TECHNICAL TRACK''' | Room B2.04
| bgcolor="#666699" align="center" style="color: white;" | '''RESEARCH TRACK''' | Room B2.02
|-
| bgcolor="#ccccee" align="center" | Miguel Correia (FCUL)<br>[[#Talk:_Software_Security_in_the_Clouds|'''Software Security in the Clouds''']] | [http://www.owasp.org/images/9/97/Mcorreia.pdf slides] [http://vimeo.com/18388278 video]<br>[[User:John.wilander|John Wilander (OWASP Sweden Chapter Leader)]]<br>[[#Talk:_Will_new_HTTP_headers_save_us.3F|'''Will new HTTP headers save us?''']] | [http://www.owasp.org/images/5/5c/John_Wilander_IBWAS10_-_Will_New_HTTP_Headers_Save_Us.ppt .ppt] [http://www.owasp.org/images/b/ba/John_Wilander_IBWAS10_-_Will_New_HTTP_Headers_Save_Us.pdf .pdf] [http://www.owasp.org/images/5/5a/John_Wilander_IBWAS10_-_Will_New_HTTP_Headers_Save_Us.key.zip .key.zip] [http://www.vimeo.com/18374129 video]<br>[[User:Knoblochmartin|Martin Knobloch (OWASP Education Committee)]]<br>[[#Talk:_Developing_compliant_applications|'''Developing compliant applications''']] | [http://www.owasp.org/images/3/3a/Martin02.pdf slides] [http://www.vimeo.com/18388657 video]
| bgcolor="#ccccee" align="center" | Sergio Nunes (FCUL)<br>'''From Risk Awareness to Security Controls: Benefits of Honeypots to Companies''' | [http://www.owasp.org/images/0/0c/Slides.pdf slides] [http://vimeo.com/18391659 video]<br>João Franco (FCTUC)<br>'''Neofelis, High-Interaction Honeypot Framework for Mac OS X''' | [http://www.owasp.org/images/0/0c/Slides.pdf slides] [http://vimeo.com/18626389 video]
|- valign="middle"
| bgcolor="#bbbbff" align="center" rowspan="2" | 19:30 - 19:45
| bgcolor="#666699" align="center" style="color: white;" colspan="2" | '''CLOSING SESSION''' | Room B2.04
|-
| bgcolor="#ccccee" align="center" colspan="2" | [[User:Buanzo|Arturo 'Buanzo' Busleiman (OWASP Project Leader)]] | [http://www.vimeo.com/18372126 video]
|}
<br>
(*) Coffee Breaks and Lunch are not included in the Conference ticket.
<br>

== Keynote: How cryptography can rescue the web ==

'''Professor Carlos Ribeiro'''

[[Image:Carlosribeiro.jpg]]

[http://www.ist.utl.pt/ Instituto Superior Técnico], [http://www.utl.pt/ Universidade Técnica de Lisboa], Portugal

The Web is gaining more and more commercial relevance and with that is becoming a more interesting target for attack. On the other hand, the foundations of Web communications have not changed much, and the programming skills of the average programmer are decreasing as the number of programmers increases. This talk will focus on the first issue and on how cryptography may be used to prevent several attacks. Crucial to this goal is the recent release of DNSSEC and of several other certificate infrastructures (e.g. Stork, a pan-European authentication infrastructure) that may become keystones of this change.

== Talk: The Thing That Should Not Be (a glimpse into the future of web application security) ==

'''Bruno Morisson'''

[[Image:Brunomorisson.jpg]]

[http://www.integrity.pt/ Integrity, S.A.], Portugal

Developers are not security practitioners. Security practitioners are not developers. Developers create web applications. Security practitioners want those apps to be secure (sometimes even if security breaks functionality). Are developers and security practitioners like oil and water? Are security practitioners taking the right approach to help web developers understand and prevent security issues, or are we simply trying to brute force developers into security gurus?

== Talk: Developing Secure Applications with OWASP ==

'''[[User:Knoblochmartin|Martin Knobloch (OWASP Education Committee)]]'''

[[Image:Martinknobloch.jpg]]

[http://www.sogeti.nl/ Sogeti Netherlands], [http://www.owasp.org/index.php/Netherlands OWASP Netherlands], Netherlands

After an introduction to OWASP, Martin will highlight the top OWASP projects. During the presentation Martin explains how OWASP material can be used to raise awareness about secure application development and how OWASP material fits into a (secure) development lifecycle.

== Talk: Developing compliant applications ==

'''[[User:Knoblochmartin|Martin Knobloch (Education Committee)]]'''

[[Image:Martinknobloch.jpg]]

[http://www.sogeti.nl/ Sogeti Netherlands], [http://www.owasp.org/index.php/Netherlands OWASP Netherlands], Netherlands

How do you develop applications that are compliant with security-related laws and regulations? Being compliant means following the regulations, which most of the time are not known to the developers. Being compliant also includes being able to prove compliance. This presentation is about how to develop compliant (Web) applications that can prove they are compliant!

== Talk: Software Security in the Clouds ==

'''Miguel Correia'''

[[Image:Miguelcorreia.jpg]]

[http://www.ul.pt/ University of Lisboa], [http://www.fc.ul.pt/ Faculty of Sciences], Portugal

Recently an expert wrote rather emphatically that "the current state of security in commercial software is rather distasteful, marked by embarrassing public reports of vulnerabilities and actual attacks". This situation is particularly concerning at a time when companies are exporting their applications and data to cloud computing systems. The first part of the talk will be a personal vision of the combination of techniques and tools needed for protecting software. The second part will argue that this combination is still insufficient for critical applications in the cloud and propose solutions based on distributing trust among different clouds.

== Talk: Jiffy - A secure instant messenger ==

'''[[User:Buanzo|Arturo 'Buanzo' Busleiman (OWASP Project Leader)]]'''

[[Image:Arturobuanzo.jpg]]

[http://www.owasp.org/index.php/Argentina OWASP Argentina], Argentina

Jiffy - "Just for you" is an instant messaging system based on OWASP's Enigform, SSL and the OpenPGP Web-of-Trust. In this talk, Buanzo will introduce us to OpenPGP, Enigform and Jiffy.

== Talk: Is OAuth really secure? ==

'''Bruno Pedro'''

[[Image:Brunopedro.jpg]]

[http://www.tarpipe.com Tarpipe], Portugal

Is the OAuth protocol really secure? Even though the OAuth authorization protocol has been published as RFC 5849 and is being widely adopted by large Internet companies, it is important to stress its possible security vulnerabilities.

This talk will focus on the OWASP Top 10 Application Security Risks and how OAuth is affected by them. While some of the security risks are mitigated by OAuth, developers need to take some action to prevent other risks from affecting their implementations.

== Talk: Will new HTTP headers save us? ==

'''[[User:John.wilander|John Wilander (OWASP Sweden Chapter Leader)]]'''

[[Image:Johnwilander.jpg]]

[http://www.omegapoint.se/ Omegapoint], Sweden

Browser vendors and Internet techies are teaming up to find solutions to some of the most common and dangerous security problems on the web. New HTTP headers seem to be a favorite carrier of security instructions from the server to the browser. During this talk John will demo three such headers, '''Strict-Transport-Security, X-Frame-Options, and X-Content-Security-Policy''', and discuss whether they can solve cross-site scripting, clickjacking, phishing, and man-in-the-middle attacks.

Slides: [http://www.owasp.org/images/5/5c/John_Wilander_IBWAS10_-_Will_New_HTTP_Headers_Save_Us.ppt .ppt] [http://www.owasp.org/images/b/ba/John_Wilander_IBWAS10_-_Will_New_HTTP_Headers_Save_Us.pdf .pdf] [http://www.owasp.org/images/5/5a/John_Wilander_IBWAS10_-_Will_New_HTTP_Headers_Save_Us.key.zip .key.zip]

== Talk: 2010 and still bruteforcing ==

'''[[User:Cmartorella|Christian Martorella (Project Leader)]]'''

[[Image:Christianmartorella.jpg]]

[http://www.verizonbusiness.com/ Verizon Business], UK

The presentation will review some of the latest attacks that affected big companies and involved brute force attacks, showing that this attack is still very effective. The second part of the presentation will introduce Webslayer, an OWASP project that intends to cover all needs for web application brute force tests.

== Talk: Insecure by Nature - Portuguese Net Security Overview ==

'''Francisco Rente'''

[[Image:Franciscorente.jpg]]

[http://www.uc.pt/fctuc Faculdade de Ciência e Tecnologia], [http://www.uc.pt Universidade de Coimbra], Portugal

Understanding internet security trends is a consensual need. Vigilis (formerly project Nonius) has been studying the IPv4 address space and .pt TLD allocated to Portugal for two years now. It creates a historical perspective of vulnerability life-cycles and malware presence, and aims to raise awareness among Portuguese society by giving threat indicators based on real data harvested every four months.

The speaker will give a briefing on the latest Vigilis results and will identify some possible reasons for this national problem.

== Talk: Web Security from an auditor's standpoint: What works and what doesn't ==

'''Luís Grangeia'''

[[Image:Luisgrangeia.jpg]]

[http://www.sysvalue.pt/ Sysvalue, S.A.], Portugal

In this talk I will attempt to share my experience of over 10 years conducting Web Application security assessments. I will present the current panorama of Web application security practices and talk about what we are doing well and how we can do better. Also, Web 2.0 has sparked a “social revolution” of the Web; how can security benefit from that revolution?

Latest revision as of 17:42, 21 January 2011

08:30 - 09:00 PARTICIPANTS RECEPTION | Welcome Desk
09:00 - 09:30 OPENING SESSION | Room B2.04
Carlos Sá da Costa (ISCTE-IUL Vice Chancellor), Francisco Cercas (ISTA President)
Carlos Serrão (ISCTE-IUL, OWASP Portugal), Vicente Aguillera (OWASP Spain), Dinis Cruz (OWASP Board/Summit)
09:30 - 10:30 KEYNOTE SPEECH | Room B2.04
Carlos Ribeiro (IST)
How cryptography can rescue the web | slides video
10:30 - 10:45 COFFEE BREAK (*)
10:45 - 11:45 KEYNOTE SPEECH | Room B2.04
Dinis Cruz (OWASP Board)
"What is OWASP and a Challenge to Portugal/Spain" | slides video
11:45 - 13:15 TECHNICAL TRACK | Room B2.04 TECHNICAL TRACK | Room B2.02
Luís Grangeia (Sysvalue)
Web Security from an auditor's standpoint: What works and what doesn't | slides video
Arturo 'Buanzo' Busleiman (OWASP Project Leader)
Jiffy - A secure instant messenger | slides video
Francisco Rente (FCTUC)
Insecure by Nature - Portuguese Net Security Overview | slides video
Bruno Pedro (Tarpipe)
Is OAuth really secure? | slides video
13:15 - 14:30 LUNCH BREAK (*)
14:30 - 17:00 TECHNICAL TRACK | Room B2.04 RESEARCH TRACK | Room B2.02
Martin Knobloch (OWASP Education Committee)
Developing Secure Applications with OWASP | slides video
Bruno Morisson (Integrity)
The Thing That Should Not Be | slides video
Dinis Cruz (OWASP Project Leader)
OWASP O2 Platform | slides video
Christian Martorella (Project Leader)
2010 and still bruteforcing | slides video
Nuno Teodoro (Noesis, ISCTE)
Automating Web Applications Security Assessments through Scanners | slides video
Felipe Ferraz (CESAR)
Security Quality Assurance on Web-based Application through Security Requirements Tests based on OWASP Test Document: elaboration, execution and automation | slides video
Felipe Ferraz (CESAR)
OntoLog: A Security log analyses tool using web semantic and ontology | slides video
Rekha Kashyap (LBSIMND)
Weighted Deadline Driven Security Aware Scheduling for Real time Computational Grid | slides video
17:00 - 17:15 COFFEE BREAK (*)
17:15 - 19:30 TECHNICAL TRACK | Room B2.04 RESEARCH TRACK | Room B2.02
Miguel Correia (FCUL)
Software Security in the Clouds | slides video
John Wilander (OWASP Sweden Chapter Leader)
Will new HTTP headers save us? | .ppt .pdf .key.zip video
Martin Knobloch (OWASP Education Committee)
Developing compliant applications | slides video
Sergio Nunes (FCUL)
From Risk Awareness to Security Controls: Benefits of Honeypots to Companies | slides video
João Franco (FCTUC)
Neofelis, High-Interaction Honeypot Framework for Mac OS X | slides video
19:30 - 19:45 CLOSING SESSION | Room B2.04
Arturo 'Buanzo' Busleiman (OWASP Project Leader) | video


(*) Coffee Breaks and Lunch are not included in the Conference ticket.

Keynote: How cryptography can rescue the web

Professor Carlos Ribeiro

Carlosribeiro.jpg

Instituto Superior Técnico, Universidade Técnica de Lisboa, Portugal

The Web is gaining more and more commercial relevance and with that becoming a more interesting target for attack. On the other hand the Web communications foundations have not change much, and the programming skills of the average programmer are decreasing with the increasing number of programmers. This talk will focus on the first issue and how cryptography may be used to prevent several attacks. Crucial to this goal is the recent release of DNSSEC and several other Certificate infrastructures (e.g. Stork - a pan-European authentication infrastructure that may become keystones of this change.

Talk: The Thing That Should Not Be (a glimpse into the future of web application security)

Bruno Morisson


Integrity, S.A., Portugal

Developers are not security practitioners. Security practitioners are not developers. Developers create web applications. Security practitioners want those apps to be secure (sometimes even if security breaks functionality). Are developers and security practitioners like oil and water? Are security practitioners taking the right approach to help web developers understand and prevent security issues, or are we simply trying to brute-force developers into security gurus?

Talk: Developing Secure Applications with OWASP

Martin Knobloch (OWASP Education Committee)


Sogeti Netherlands, OWASP Netherlands, Netherlands

After an introduction to OWASP, Martin will highlight OWASP's top projects. During the presentation Martin explains how OWASP material can be used to raise awareness about secure application development and how it fits into a (secure) development lifecycle.

Talk: Developing compliant applications

Martin Knobloch (Education Committee)


Sogeti Netherlands, OWASP Netherlands, Netherlands

How do you develop applications that comply with security-related laws and regulations? Being compliant means following regulations that, most of the time, are not known to developers. Being compliant also means being able to prove compliance. This presentation is about how to develop compliant (Web) applications that can prove they are compliant!

Talk: Software Security in the Clouds

Miguel Correia


University of Lisboa, Faculty of Sciences, Portugal

Recently an expert wrote rather emphatically that "the current state of security in commercial software is rather distasteful, marked by embarrassing public reports of vulnerabilities and actual attacks". This situation is particularly concerning at a time when companies are exporting their applications and data to cloud computing systems. The first part of the talk will be a personal vision of the combination of techniques and tools needed for protecting software. The second part will argue that this combination is still insufficient for critical applications in the cloud and propose solutions based on distributing trust among different clouds.

Talk: Jiffy - A secure instant messenger

Arturo 'Buanzo' Busleiman (OWASP Project Leader)


OWASP Argentina, Argentina

Jiffy ("Just for you") is an instant messaging system based on OWASP's Enigform, SSL and the OpenPGP Web-of-Trust. In this talk, Buanzo will introduce us to OpenPGP, Enigform and Jiffy.

Talk: Is OAuth really secure?

Bruno Pedro


Tarpipe, Portugal

Is the OAuth protocol really secure? Even though the OAuth authorization protocol has been published as RFC 5849 and is being widely adopted by large Internet companies, it is important to stress its possible security vulnerabilities.

This talk will focus on the OWASP Top 10 Application Security Risks and on how OAuth is affected by them. While some of the risks are mitigated by OAuth itself, developers need to take action to prevent others from affecting their implementations.

Talk: Will new HTTP headers save us?

John Wilander (OWASP Sweden Chapter Leader)


Omegapoint, Sweden

Browser vendors and Internet techies are teaming up to find solutions to some of the most common and dangerous security problems on the web. New HTTP headers seem to be a favourite carrier of security instructions from the server to the browser. During this talk John will demo three such headers, Strict-Transport-Security, X-Frame-Options and X-Content-Security-Policy, and discuss whether they can solve cross-site scripting, clickjacking, phishing and man-in-the-middle attacks.

Slides: .ppt .pdf .key.zip
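As an added example for the three headers named in the abstract (not code from the conference page, the talk or any OWASP project), the following Node.js script checks a set of response headers the way an assessor would: it parses Strict-Transport-Security, X-Frame-Options and the CSP header (accepting both the X-Content-Security-Policy name the talk refers to and the standardised Content-Security-Policy) and reports which of the attacks the talk lists remain unmitigated. The sample responses are constructed, not captured from any real site, and the 180-day minimum for HSTS max-age is a policy assumed by this example, not a browser rule.

```javascript
// Added example (not from the page, the talk or any OWASP project): assess the
// security headers a response carries. Node.js, standard library only.
// The responses below are constructed for illustration.
const SAMPLE_RESPONSES = {
  weak: { 'content-type': 'text/html' },
  hardened: {
    'content-type': 'text/html',
    'strict-transport-security': 'max-age=31536000; includeSubDomains',
    'x-frame-options': 'DENY',
    'x-content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  },
  misconfigured: {
    'strict-transport-security': 'max-age=0',
    'x-frame-options': 'ALLOW-FROM http://partner.example',
    'x-content-security-policy': "default-src *; script-src * 'unsafe-inline'",
  },
};

// Minimum max-age this example treats as effective (an assumed policy, not a browser rule).
const MIN_HSTS_SECONDS = 180 * 24 * 3600;

// Strict-Transport-Security: "max-age=<n>[; includeSubDomains]"; the value may be quoted.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false };
  for (const directive of value.split(';')) {
    const d = directive.trim().toLowerCase();
    const m = /^max-age="?(\d+)"?$/.exec(d);
    if (m) result.maxAge = Number(m[1]);
    else if (d === 'includesubdomains') result.includeSubDomains = true;
  }
  return result;
}

// CSP: "directive source source; directive ..." -> Map(directive -> [sources]).
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Evaluate one response's headers; returns a list of findings (empty means all three controls are in place).
function assessSecurityHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  // Man-in-the-middle (SSL stripping): only HSTS makes the browser refuse plain HTTP next time.
  if (!('strict-transport-security' in h)) {
    findings.push('HSTS missing: an active MITM can downgrade the first HTTP request');
  } else {
    const { maxAge, includeSubDomains } = parseHsts(h['strict-transport-security']);
    if (maxAge === null) findings.push('HSTS invalid: max-age directive is required');
    else if (maxAge === 0) findings.push('HSTS max-age=0 removes the policy from the browser');
    else if (maxAge < MIN_HSTS_SECONDS) findings.push('HSTS max-age is shorter than 180 days');
    if (maxAge !== 0 && !includeSubDomains) findings.push('HSTS lacks includeSubDomains: subdomains stay downgradable');
  }

  // Clickjacking: DENY or SAMEORIGIN; ALLOW-FROM is not honoured by every browser.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (!xfo) findings.push('X-Frame-Options missing: the page can be framed (clickjacking)');
  else if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') findings.push(`X-Frame-Options "${xfo}" is not DENY or SAMEORIGIN`);

  // Cross-site scripting: CSP restricts where scripts may come from. Accept the X- prefixed
  // name the talk refers to as well as the standardised Content-Security-Policy.
  const cspValue = h['content-security-policy'] || h['x-content-security-policy'];
  if (!cspValue) {
    findings.push('CSP missing: injected scripts run without restriction');
  } else {
    const csp = parseCsp(cspValue);
    const scriptSrc = csp.get('script-src') || csp.get('default-src');
    if (!scriptSrc) findings.push('CSP has neither script-src nor default-src');
    else {
      if (scriptSrc.includes('*')) findings.push('CSP lets scripts load from any origin (*)');
      if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' scripts, which is what reflected XSS injects");
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) console.log(name, assessSecurityHeaders(headers));
}
```

Running it prints no findings for the hardened response, three missing-header findings for the weak one, and four for the misconfigured one (max-age=0, ALLOW-FROM, wildcard script source, 'unsafe-inline'). Note that none of the three headers does anything for a user who is phished onto a different domain, which is why the abstract's question about phishing is the hardest of the four.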

Talk: 2010 and still bruteforcing

Christian Martorella (Project Leader)


Verizon Business, UK

The presentation will review some of the latest attacks that affected big companies and involved brute-force attacks, showing that this attack is still very effective. The second part of the presentation will introduce Webslayer, an OWASP project that intends to cover all the needs of web application brute-force testing.

Talk: Insecure by Nature - Portuguese Net Security Overview

Francisco Rente


Faculdade de Ciência e Tecnologia, Universidade de Coimbra, Portugal

Understanding Internet security trends is a widely shared need. Vigilis (formerly project Nonius) has been studying the IPv4 address space and the .pt TLD allocated to Portugal for two years now. It builds a historical perspective of vulnerability life-cycles and malware presence, and aims to raise awareness in Portuguese society by giving threat indicators based on real data harvested every four months.

The speaker will give a briefing on the latest Vigilis results and identify some possible reasons for this national problem.

Talk: Web Security from an auditor's standpoint: What works and what doesn't

Luís Grangeia


Sysvalue, S.A., Portugal

In this talk I will attempt to share my experience of over 10 years conducting Web application security assessments. I will present the current panorama of Web application security practices and talk about what we are doing well and how we can do better. Also, Web 2.0 has sparked a "social revolution" of the Web; how can security benefit from that revolution?