[Owasp-bayarea] Reminder - OWASP Bay Area Application Security Summit

Mandeep Khera mkhera at owasp.org
Tue Jul 14 13:55:59 EDT 2009

Greetings Security Professionals,

Just a reminder - OWASP Bay Area will host its next Application Security
Summit at the Stanford University on Thursday, July 23rd. As usual
attendance is free and food and beverages will be provided. This will be an
awesome event and a great opportunity to network with industry peers. The
event is open to the public; please forward this invite to your colleagues
and friends who are interested in computer and application security.

Please note, Stanford has parking restrictions and there is a parking fee
applicable till 4 P.M. You can buy parking stickers from the meter. Detailed
instructions are on this site -

WHAT: OWASP Bay Area Chapter - Application Security Summit
WHEN: Thursday, July 23rd, 2009 - From 1:00 P.M. to 8:00 P.M. (including a
reception from 6:00 to 8:00 P.M.)
WHERE: Stanford University


1:00 PM - 1:30 PM ... Check-in, registration, networking
1:30 PM - 1:45 PM ... Welcome Remarks and Overview of OWASP Bay Area -
Mandeep Khera, Bay Area Chapter Leader
1:45 PM - 2:30 PM ... Development Issues within AJAX Applications: How to
Divert Threats - Lars Ewe, CTO, Cenzic
2:30 PM - 3:30 PM ... Building a Corporate App Security Assessment
Program - Rob Jerdonek, Staff Information Security Analyst, Intuit
3:30 PM - 4:00 PM ... Networking Break, refreshments
4:00 PM - 5:00 PM ... Mastering Session Management - Siva Ram, Lead Security
Consultant, AppSec Consulting
5:00 PM - 6:00 PM ... From Rivals to BFF: WAF & VA Unite - Brian Contos,
Chief Security Strategist, Imperva
6:00 PM - 8:00 PM ... Networking Reception - Food and Drinks!!

Venue and Directions:

Stanford University
Center for Integrated Services
Room CISX 101
Directions: http://cis.stanford.edu/misc/directions.html


Please RSVP by responding to this email or visit
http://owaspbajuly09.eventbrite.com/

Some of you had a problem with the last link due to a bug on the Eventbrite
site. I have changed the URL so this should work fine now.

Special thanks to Stanford for hosting this event and to Cenzic
<http://www.cenzic.com/>, AppSec Consulting <http://www.appsecconsulting.com/>,
and Imperva <http://www.imperva.com/> for sponsoring.

Best regards,
Mandeep Khera

Detailed Abstracts and Speaker Bios

Development Issues Within AJAX Applications: How to Divert Threats 
AJAX has rapidly emerged as a prominent enabling technology in the movement
to improve the Web as a software platform for business and consumer
applications. Using AJAX development techniques provides software developers
with a wide-open platform for creating innovative new Web (2.0)
applications. The result is a more readily responsive Web environment which
minimizes the "start-stop-start-stop" nature of Web pages, thus increasing
the speed and user-interactivity of Web-enabled services. 

However, the open, malleable nature of Web 2.0 also has an often overlooked
impact on application security that is not necessarily initially visible to
application developers, establishing a relatively easy target for malicious
behavior to compromise applications and overall network security. Various
security issues arise from a number of sources, thus increasing the attack
surface of AJAX applications: client side security controls often replace
server side data validation, thus creating a false sense of security; so do
calls to "hidden" application functionality and URLs; new XML and JavaScript
data models, such as JSON, also enable new attack vectors, like JavaScript
Hijacking; and the open, easy to use nature of so called Mashups often comes
at the price of various security compromises. 

Such threats, however, can be thwarted with the proper implementation of
security testing. This session will address the development issues of AJAX
applications from a security perspective, looking at how today's common web
threats such as SQL injection, Cross Site Scripting, and others are often
magnified in an AJAX environment, and it will also explore new threats, such
as JavaScript Hijacking. Last but not least, it also provides Best Practices
for AJAX application developers that are designed to help manage the
security complexities inherent to AJAX development.

Mastering Session Management
Almost everyone is aware of Cross Site Scripting and SQL Injection
vulnerabilities and their impact. Every web application implements session
management techniques to maintain context, but application developers do not
pay a lot of attention to session management because they are usually
managed by the application server. Attacks against sessions can result in
serious compromises and this presentation will cover some of the most common
session management techniques and the attacks that can be launched against
sessions. It will also discuss some of the techniques developers can use to
protect against session attacks.

Building a Corporate Application Security Assessment Program 
The talk will discuss Intuit's experiences in building a corporate
application security assessment program. Areas of discussion will include
tools, processes, and methodologies utilized to conduct effective security
assessments of applications in a large global software development

From Rivals to BFF: WAF & VA Unite
For years there was a debate in the Web application and data security world
about which approaches are best - black box, white box, SDLC, VA
services/software, Web Application Firewalls (WAF), etc. While it is true
that with a limited budget anything can become competitive - a new copy
machine versus a new coffee machine, the core value propositions of WAF and
VA are distinct and complementary. This presentation will illustrate how
integrating these solutions can enable more secure Web application
development and operations.


About the Speakers

Lars Ewe 
Lars Ewe is the CTO and VP of Engineering of Cenzic. Lars is a technology
executive with broad background in (web) application development and
security, middleware infrastructure, software development and
application/system manageability technologies. Throughout his career Lars
has held key positions in engineering and product management in a variety of
different markets. Prior to Cenzic, Lars was software development director
at Advanced Micro Devices, Inc., responsible for AMD's overall systems
manageability and related security strategy and all related engineering

Siva Ram 
Siva is the Lead Security Consultant with AppSec Consulting, an information
security services company, of which he is a founder. He has been in the
security industry since 2001 and has 5 years of prior application
development experience. He specializes in web application security; managing
projects that involve performing penetration tests and vulnerability
assessments, developing secure coding guidelines and delivering security
training in addition to performing PCI-DSS assessments.

Rob Jerdonek 
Rob Jerdonek is a Staff Information Security Analyst at Intuit, working to
strengthen application security across all Intuit products and services.
Prior to working at Intuit, Rob has held positions at Arcot Systems,
Netscape, Nortel, and the Center for Information Technology Integration. Rob
has a B.S.E. and M.S.E. in Computer Science and Engineering from the
University of Michigan, Ann Arbor. Rob is a CISSP, and has earned 4 patents
in the field of information security. 

Brian Contos
Mr. Contos has over fourteen years of real-world security engineering and
management expertise developed in some of the most sensitive and
mission-critical environments in the world. As the chief security
strategist for Imperva he advises government organizations, F1000s and
G2000s on security strategy related to application and data security while
being an evangelist for the security space. He has written two security
books, Enemy at the Water Cooler: Real Life Stories of Insider Threats and
Physical and Logical Security Convergence, the latter co-authored
with the former Deputy Director of the NSA, Bill Crowell. He is an active
security blogger, host of the Imperva Security Podcast, and has delivered
countless speeches around the globe at shows like RSA, Interop, CSI, and
others. He is regarded as a security expert, often quoted by the media, and
has written articles for Forbes, the London Times, Computerworld,
Sarbanes-Oxley Compliance Journal, SC Magazine and many others. Mr. Contos
was formerly at ArcSight where he served as their Chief Security Officer for
almost seven years, and has held management and engineering positions at
Riptech, Bell Labs, Tandem Computers, and the Defense Information Systems
Agency (DISA). 
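The AJAX abstract above names "JavaScript Hijacking" as a new attack vector enabled by JSON. The following is an added example (not part of the announcement and not any speaker's material) that models the attack and the two standard server-side defences in Node.js: a cookie-authenticated endpoint that returns a bare JSON array can be loaded by a cross-origin page in a `<script>` tag, which sends the victim's cookie along; the hardened version requires a custom request header that a `<script>` tag cannot set and prefixes the body with text that is a syntax error when evaluated as script. The session store, cookie name `sid`, the prefix string and the request objects are constructed for the example.

```javascript
// Added example: JavaScript Hijacking against a JSON endpoint, vulnerable and
// hardened forms. Everything is in-memory; no network or browser is involved.

// Constructed session store: cookie value -> user data. A cross-origin
// <script src="https://bank/accounts.json"> carries the victim's cookie just
// like a same-origin XMLHttpRequest would.
const SESSIONS = {
  'sid-abc123': { user: 'alice', accounts: [{ id: 1, balance: 4200 }] },
};

// Prefix that is a syntax error as JavaScript, so the body cannot execute
// when included as a script; a same-origin client strips it before parsing.
const UNPARSEABLE_PREFIX = ")]}',\n";

// Look up the session from a constructed Cookie header ("sid=<value>").
function sessionFor(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || '');
  return m ? SESSIONS[m[1]] : undefined;
}

// Vulnerable handler: authenticates by cookie alone and returns a bare JSON
// array. A bare array literal is a valid script, so an attacker page that
// loads the URL via <script> gets it evaluated in its own origin and, in the
// older browsers the 2009 talk targets, could capture the values through a
// redefined Array constructor.
function vulnerableHandler(req) {
  const session = sessionFor(req);
  if (!session) return { status: 401, body: '' };
  return { status: 200, body: JSON.stringify(session.accounts) };
}

// Hardened handler:
//  1. require a custom header that only same-origin XHR/fetch code can add
//     (a <script> tag sends a plain GET with no custom headers);
//  2. return an object, not a bare array;
//  3. prepend the unparseable prefix.
function hardenedHandler(req) {
  const session = sessionFor(req);
  if (!session) return { status: 401, body: '' };
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: '' };
  }
  const payload = JSON.stringify({ accounts: session.accounts });
  return { status: 200, body: UNPARSEABLE_PREFIX + payload };
}

// Same-origin client side: strip the prefix, then parse as data, never eval.
function parseProtectedJson(body) {
  if (!body.startsWith(UNPARSEABLE_PREFIX)) {
    throw new Error('response is missing the anti-hijacking prefix');
  }
  return JSON.parse(body.slice(UNPARSEABLE_PREFIX.length));
}

// Would this response body run if a browser evaluated it as a script?
// Compiling it with Function() without calling it answers that safely.
function executesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Constructed requests. The <script> request has the cookie but no custom
// header; the legitimate XHR adds X-Requested-With.
const scriptTagRequest = { method: 'GET', headers: { cookie: 'sid=sid-abc123' } };
const xhrRequest = {
  method: 'GET',
  headers: { cookie: 'sid=sid-abc123', 'x-requested-with': 'XMLHttpRequest' },
};

function demo() {
  const leaked = vulnerableHandler(scriptTagRequest);
  const blocked = hardenedHandler(scriptTagRequest);
  const legit = hardenedHandler(xhrRequest);
  return {
    vulnerableStatus: leaked.status,                    // 200: data served
    vulnerableBodyIsScript: executesAsScript(leaked.body), // true: hijackable
    hardenedStatus: blocked.status,                      // 403: header missing
    legitStatus: legit.status,                           // 200 for real client
    legitBodyIsScript: executesAsScript(legit.body),     // false: prefix breaks it
    legitAccounts: parseProtectedJson(legit.body).accounts.length,
  };
}

console.log(demo());
```

The custom-header check is the load-bearing control: it turns the cross-origin `<script>` inclusion into a 403 before any data is serialized. The prefix is defence in depth for the case where the header check is forgotten on one route, and the same check also blocks the "hidden" GET-only endpoints the abstract mentions, since the header, not the URL, is what the attacker cannot supply.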