Difference between revisions of "OWASP Minneapolis St Paul 2010 Conference"

Adam Baso, OWASP MSP President

Lorna Alamri, OWASP MSP Vice President

David Bryan, DC612 President

Topic: Opening Remarks

Andre "Dre" Gironda

Topic: Application Assessments Reloaded

Trying to integrate Business Software Assurance into Enterprise Risk Management and Information Security Management programs has had issues over the years. Penetration testing was announced dead over a year ago, but it's still the number one choice of application security professionals when starting out. Can the activities from penetration testing be re-used and turned into something innovative?

Tools (especially application scanners and secure static analysis tools) have error rates so high, they are useless in the hands of newcomers (even for peripheral security testing). Some organizations have built entire applications around or on top of existing appsec tools. Others are looking to use other kinds of tools, such as process/methodology/workflow tools, to enhance their classic penetration testing tools.

Even the testing/inspection methodologies themselves are outdated and we're finding that they are challenging or repetitive in many environments. How do current appsec tools and testing/inspection methods work in the cloud? If we re-run the same kinds of tests during dev-test, software quality, and application security cycles, aren't we wasting valuable time and effort?

This presentation will provide discussion around how to solve many of these and other challenges in application security. The focus will be on web applications that use common technologies (HTTP, SQL, Classic XML/HTML, Javascript, Flash) but also updated to today's standards (RESTful transactions, NoSQL, HTML5, Ajax/Json, Flex2).

Bio: Andre got his start on Unix-TCP/IP hacking before the September that never ended. Bored of embedded platform research by the time the dot-Bomb happened, he joined the largest online auction company and worked as an appsec consultant for many years. He is known for his quirky mailing list posts and blog comments - and at one time wrote for tssci-security.com.

Andrew Becherer

Senior Security Consultant, iSEC Partners

Topic: Attacking Kerberos and the New Hadoop Security Design

The Kerberos protocol provides single sign-on authentication services for users and machines. Its availability on nearly every popular computing platform - Windows, Mac, and UNIX variants - makes it the primary choice for enterprise authentication. However, simply "adding a dash of Kerberos" does not make a magically secure network or application. Kerberos is a complicated protocol whose comprehensive description requires dozens of RFCs. To use it securely requires a careful dance between protocol designers, service developers, and system administrators – the kind of dance that never quite stays in step.

The Hadoop project's Hadoop Distributed File System and MapReduce engine comprise a robust, open source distributed computing platform. Hadoop is in use at many of the world's largest online media companies including Facebook, Fox Interactive Media, LinkedIn, Powerset (now part of Microsoft), and Twitter. Hadoop is entering the enterprise as evidenced by Hadoop World 2009 presentations from Booz Allen Hamilton and JP Morgan Chase. Hadoop has also been elevated to the "cloud" and made available as a service by Amazon and Sun. What the heck is it? Can it be secure? What do I do if I discover it on a network I am testing?

When Hadoop development began in 2004 no effort was expended on creating a secure distributed computing environment. In 2009 discussion about Hadoop security reached a boiling point. The developers behind Hadoop decided they needed to get some of that "security" stuff. After a thorough application of Kerberos, Hadoop is now secure, or is it?

This talk will provide an introduction to Kerberos attack scenarios, describe the new Hadoop security model and Kerberos's (limited) role in it. This talk aims to determine whether Hadoop was made any more secure through the application of Kerberos.

Bio: Andrew Becherer is a Senior Security Consultant with iSEC Partners, a strategic digital security organization. His focus is web application and mobile application security. Prior to joining iSEC Partners, he was a Senior Consultant with Booz Allen Hamilton. Mr. Becherer spent several years as a Risk and Credit Analyst in the financial services industry. His experience in the software security field - consulting financial, non-profit and defense sectors - has provided him experience with a wide range of technologies.

Mr. Becherer has lectured on a number of topics including emerging cloud computing threat models, virtualization, network security tools and embedded Linux development. At the Black Hat Briefings USA 2009, Andrew, along with researchers Alex Stamos and Nathan Wilcox, presented on the topic "Cloud Computing Models and Vulnerabilities:Raining on the Trendy New Parade." Andrew's research on this topic focused on the effect of elasticity and virtualization on the Linux pseudorandom number generator (PRNG). At Black Hat USA 2008, he was a Microsoft Defend the Flag (DTF) instructor and, he is a recurring speaker at the Linuxfest Northwest conference. In addition to his educational outreach work with user groups, he is a member of several nationally recognized organizations. These organizations include the Association of Computing Machinery (ACM), FBI InfraGard, and the Open Web Application Security Project (OWASP).

Mr. Becherer received a B.S. in Computing and Software Systems from the University of Washington, Tacoma, and holds a B.A. in Sociology from the University of Kentucky.

Joe Teff

Vice President - Manager Security Code Review, Wells Fargo

Board Member, OWASP MSP

Topic: Can you implement a static analysis program using the OWASP Code Review Guide?

Many companies are looking at implementing a static analysis program. This discussion will look at the OWASP Code Review Guide and the role it can play in developing a static analysis program. There are many decisions that need to be considered in building a program. We will look at these decisions and discuss the the options available.

Jason Rouse

Principal Consultant, Cigital

Topic: Mobile Security

Mobile applications enable millions of users to be more productive, have more fun, and interact with their world in more ways than ever before. We're approaching mobile applications with many of the same tried-and-true approaches that we've used in more traditional software, but what are the dangers? Mobile architectures run the gamut from simple web-based applications optimized for mobile displays to custom-built handset-specific applications that can interact directly with the mobile operating system. This talk will explore the hybrid mobile/web application approach, and discuss the threads binding it together - information protection and convergence. Mobile devices are unique in that they offer one of the most potentially hostile environments imaginable - privacy, compliance, and capture protection top the charts as the three most difficult issues facing mobile applications and those who use them. This talk will dive into specifics on what are today "mobile-only" threats; that is, those issues such as location-based services or text messages, and discover how they can be compromised, and how security practitioners can protect them and the back-end applications that service them.

Bio: Jason Rouse brings over a decade of hands-on security experience while plying his craft at many of the leading companies in the world. He is currently responsible for many activities at Cigital including leading the mobile and wireless security practice, performing security architecture assessments, and being a trusted advisor to some of the world's largest development organizations. Jason is passionate about security, splitting his time between running Cigital's mobile and wireless practice and leading cutting-edge security projects around the world. At Cigital, in addition to his other responsibilities, Jason is also responsible for the creation of durable, actionable artifacts spanning the entire continuum of software security - from development standards to enterprise risk mitigation frameworks for both Fortune 50 customers and beyond. In his spare time he has also chaired the Financial Services Technology Consortium committee on Mobile Security.

Topic:

Bio:

Charles Henderson

Director of Application Security Services, Trustwave's SpiderLabs

Topic: TBA

Bio: Charles Henderson is the Director of Application Security Services in Trustwave's SpiderLabs. He has been in the information security industry for over fifteen years. His team specializes in application security including application penetration testing, code review, and training in secure development techniques. The team's clients range from the largest of the Fortune lists to small and midsized companies interested in improving their application security posture. Charles routinely speaks at various conferences around the world (including past Black Hat, SOURCE, IAFCI, OWASP AppSec USA, OWASP AppSec Europe, and Merchant Risk Council events) on various subject matters relating to application security.