[Owasp-boston] OWASP Boston July mtg - Web App Scanners, Threat Modeling

Weiler, Jim Jim.Weiler at starwoodhotels.com
Fri Jul 22 11:20:42 EDT 2011

I've received requests for more presentations on web app vulnerability
scanners, so we have Anurag Agarwal, who was the original leader for the
Web Application Security Consortium - Web Application Security Scanner
project. This was the first project to do comparative analysis of web
app vuln scanners. He is also working on a software threat modeling
tool, so this meeting will have 2 presentations, described below.
Bring your questions; this should be a great meeting.


Anybody want to sponsor pizza?


Feel free to send me your questions in advance and I'll forward them to


Title: False Positive, False Negative and False Sense of Security

This interactive session will talk about the pros and cons of using
black box testing tools and discuss their effectiveness in building a
mature software security program. It will also look at how companies
worry about false positives coming out of scanner technology but
overlook false negatives, leading them into a false sense of security.
This half-presentation, half-Q&A session will highlight what works and
what doesn't work in scanner technology and present case studies where
companies got hacked even after using scanners on their


Title: Managing Risk with Threat Modeling

Threats & vulnerabilities are gaining momentum at many companies today
because of the recent hacks at Sony, PBS, CIA and other high-profile
companies that have a mature vulnerability assessment or static analysis
process. Traditionally, companies have relied on vulnerability assessment
or static analysis tools to identify vulnerabilities, but recent hacks
have proved that this is not enough. The correct approach is to use threat
modeling to identify vulnerabilities, and to use vulnerability assessment
or static analysis tools to validate whether each vulnerability is
actually mitigated. More and more organizations have realized that
identifying threats in the design phase and planning a mitigation
strategy helps them save time, money and brand value and reduces overall
risk. Threat modeling can help by guiding application development teams
to ensure your security policies get properly coded into the applications
at development time. By creating pre-approved methods of coding for your
development teams, and applying them in a repeatable and scalable process,
you can help your development teams build a secure application easily
and effortlessly.


Location - Microsoft Waltham

Date - Monday July 25

Time - 6:30 p.m.

Microsoft offices at the Waltham Weston Corporate Center, 201 Jones Rd.,
Sixth Floor Waltham, MA. 

From Rt. 128 North take exit 26 toward Waltham, East up the hill on Rt.
20. From Rt. 128 South take exit 26 but go around the rotary to get to 20
East to Waltham. Follow signs for Rt. 117 (left at the second light).
When you get to 117 turn left (West).

You will cross back over Rt. 128. Jones Rd. (look for the Waltham Weston
Corporate Center sign) is the second left, at a blinking yellow light,
on Rt. 117 going west about 0.1 miles from Rt. 128 (I95). The office
building is at the bottom of Jones Rd. 

Best parking is to turn right just before the building and park in the
back. Knock on the door to get the security guard to open it. The room
is MPR B. 

Jim Weiler       CISSP   CSSLP   GSSP - Java

Sr. Mgr.  Information Security Risk Assessment

Starwood Hotels      1505 Washington St.   Braintree MA. 02184

desk - 781 356 0067

mobile - 7816546048

