[Owasp-boston] Wednesdays Meeting

Weiler, Jim Jim.Weiler at Staples.com
Tue Apr 5 11:20:51 EDT 2005

Here's some more info on Wednesday's presentations -

Jothy Rosenberg - 
Dr. Jothy Rosenberg is a serial entrepreneur. He is a founder, director and
CTO of Service Integrity http://www.serviceintegrity.com. Prior to this
venture, Jothy co-founded GeoTrust, the world's second largest certificate
authority and a major innovator in enterprise managed security solutions. As
the company's COO and CTO, Jothy led GeoTrust's product development
initiatives, bringing to market a series of ground breaking security
products. Previous to GeoTrust, Jothy served as CEO and CTO of Factpoint,
Inc, a. pioneer in the area of content certification and content management.

Jothy also held various executive positions at Borland International,
including Vice President and General Manager of the Enterprise Tools
Division. Jothy was head of languages tools development for multiple
versions of Borland C++. He guided the shipment of Delphi 1.0 and created
the initial JBuilder project. Jothy holds a B.A. in Mathematics from
Kalamazoo College and a Ph.D. in Computer Science on VLSI Design algorithms
from Duke University. He is the author of "How Debuggers Work" and "Securing
Web Services with WS-Security" and the holder of several patents.

Presentation description - 
Building Enterprise Trust 
Governance Built on a Foundation of Web Services Security 
Enterprises still proclaim security as the number one concern in their plans
to deploy Web services. Who can blame them? Without proper security
infrastructure in place, Web services can expose sensitive corporate
processes and information and leave a company open to risk and
malfeasance-from both internal and external perpetrators. 
This seminar-based on the SAMS book by the speaker called Securing Web
Services with WS-Security-makes it quite a bit easier to comprehend all the
facets of Web Services Security; plus, it aggregates information on all the
underlying and associated security technologies that WS-Security relies on,
such as SSL, PKI, XKMS, SAML, and a host of other acronyms.  A pragmatic
approach is taken showing which Web Services Security standards are needed
when faced with a variety of security challenges. Most importantly, the
author will try to help everyone understand the vastly different but
critical new way of thinking about security: its about persistent
message-level security not about perimeters or application access control.
Ultimately we use SOA and Web services to create new channels for business.
Business requires Trust and Trust is built on the security concepts
discussed in this seminar. But Trust also requires governance which is the
exercise of authority, management and control. The mechanism for
implementing, policing and enforcing policy must itself fit in to the Web
services fabric on which our SOA-based composite applications will be build
for the foreseeable future. This seminar will conclude with a detailed
discussion of such a system. This one-hour seminar is broken down into four
15-minute segments:
o	Why Web Services Need Security: a review of distributed
message-level security
o	Basic Web Services Security Building Blocks: XML Signature, XML
Encryption and SAML
o	Practical use of WS-Security and WS-Policy to build security into
o	Governing Web Services Security, Policy and Compliance

Jonathan Levin
Jonathan has lots of experience in this area but is speaking as an 'informed
individual' and not as a representative of any security company, and he
doesn't play one on TV.
Presentation Description -
Jonathan will discuss the importance of Random numbers to information
security in general, and web application security in particular. Drawing on
real world examples such as DNS poisoning and TCP sequence number
generation, to a detailed discussion of Session and GUID (Globally unique
Identifier) generation, and describing statistical attacks such as the
birthday attack. Finally, the talk will be concluded by a discussion of hash
functions, their possible use in session identifiers, and recent
developments (e.g. the MD5/SHA-1 "hacks"). 

Jonathan and I have talked a little about differences in session management
between Microsoft IIS and IBM Websphere Commerce server so if you're
interested in either of those platforms this will be a useful discussion.

I try to remember to send these emails out in plain text because I'm
assuming there are some text only email readers out there.

Bring business cards for a raffle of Microsoft home software.

Jim Weiler
Staples North American Application Services
Application Architect
508 2533884

More information about the Owasp-boston mailing list