[Owasp-germany] Only until 07.05.! - Survey for Jim Manico's talk at the 41st OWASP Stammtisch in Munich on 14.05.2013

Ralf Reinhardt ralf.reinhardt at owasp.org
Mon May 6 08:07:33 UTC 2013


Hello,

a friendly reminder - Jim is going Stammtisch :-) The survey on the talk topic and the registrations for the Stammtisch remain open until tomorrow, 07.05., at midnight.

Usually the ratio of registrations to actual attendees at the Munich Stammtisch is roughly 1 : 2.5. Walk-ins and last-minute visitors are, as always, welcome, but this time that could cause problems:

I ask everyone who wants to come to register beforehand. Given enough registrations, we will book a larger room at the Hackerhaus so that everyone fits.
The room will be chosen so that it is densely occupied (if consumption is too low, a room rental fee (!) is charged).

And now, as before:

Jim Manico is visiting us in May. He will give a talk at the 41st Munich
OWASP Stammtisch on 14.05.2013 at 19:00 and will presumably still be up
for a conversation or two over a beer afterwards :-)

Who is Jim Manico?

"Jim Manico is the VP of Security Architecture for WhiteHat Security, a
web security firm. He authors and delivers developer security awareness
training for WhiteHat Security and has a background as a software
developer and architect. Jim is also a global board member for the OWASP
foundation. He manages and participates in several OWASP projects,
including the OWASP cheat sheet series and the OWASP podcast series."

Anyone who has seen him before will surely have found him a captivating
speaker and a true entertainer with broad and well-founded
knowledge.

Title: Top Ten Web Defenses
We cannot "firewall" or "patch" our way to secure websites. In the past,
security professionals thought firewalls, Secure Sockets Layer (SSL),
patching, and privacy policies were enough. Today, however, these
methods are outdated and ineffective, as attacks on prominent,
well-protected websites are occurring every day. Citigroup, PBS, Sega,
Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE,
Zynga, and thousands of others have something in common - all have had
websites compromised in the last year. No company or industry is immune.
Programmers need to learn to build websites differently. This talk will
review the top coding techniques developers need to master in order to
build a low-risk, high-security web application.

Title: Securing the SDLC
The earlier you address security in the engineering of software, the
less expensive it will be for your organization. This talk will not only
discuss critical security activities necessary to build secure
software, but it will also address the unique aspects of secure software
creation specific to the various cloud architectures.

Title: Authentication Best Practices for Developers
This module will discuss the security mechanisms found within an
authentication (AuthN) layer of a web application. We will review a
series of historical authentication threats. We will also discuss a
variety of authentication design patterns necessary to build a low-risk
high-security web application. Session management threats and best
practices will also be covered. This module will include several
technical demonstrations and code review labs.

Title: Access Control Design Best Practices
Access Control is a necessary security control at almost every layer
within a web application. This talk will discuss several of the key
access control anti-patterns commonly found during website security
audits. These access control anti-patterns include hard-coded security
policies, lack of horizontal access control, and "fail open" access
control mechanisms. In reviewing these and other access control
problems, we will discuss and design a positive access control mechanism
that is data contextual, activity based, configurable, flexible, and
deny-by-default - among other positive design attributes that make up a
robust web-based access-control mechanism.
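The anti-patterns named above (hard-coded policy, no horizontal check, fail open) beside a deny-by-default, activity-based, data-contextual check, as an added example that is not part of the original mail or of the talk material; the users, documents and policy table are constructed sample data.

```python
# Added example, not from the OWASP mail or Jim Manico's talk material.
# Contrasts a "fail open" role check with a deny-by-default, activity-based,
# data-contextual access control. Users, documents and POLICY are constructed.
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str


@dataclass
class Document:
    doc_id: int
    owner: str


# Anti-pattern: role names hard-coded in the code, no horizontal (object-level)
# check, and every unexpected path, including an error, ends in "allowed".
def can_edit_fail_open(user, doc):
    try:
        if user.role == "admin":
            return True
        if user.role == "editor":
            return True           # never looks at doc.owner -> horizontal bypass
        return True               # unknown roles fall through to allow
    except Exception:
        return True               # errors also fail open


# Positive design: a configurable table of role -> permitted activities.
# Activities ending in ":own" are data-contextual and are checked against
# the object itself, which gives horizontal access control.
POLICY = {
    "admin":  {"document:read", "document:edit", "document:delete"},
    "editor": {"document:read", "document:edit:own"},
    "viewer": {"document:read"},
}


def is_allowed(user, activity, doc, policy=POLICY):
    """Deny by default: only an explicit grant in the policy table returns True."""
    try:
        grants = policy.get(user.role, set())
        if activity in grants:
            return True
        if f"{activity}:own" in grants and doc is not None:
            return doc.owner == user.name   # data-contextual ownership check
        return False
    except Exception:
        return False              # any failure inside the check denies
```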

Title: Cross-Site Scripting Advanced Defense
This talk will discuss the past methods used for cross-site scripting
(XSS) defense that were only partially effective. Learning from these
lessons, we will also discuss present day defensive methodologies that
are effective, but place an undue burden on the developer. We will then
finish with a discussion of advanced XSS defense methodologies that
shift the burden of XSS defense from the developer to various
frameworks. These include auto-escaping template technologies,
browser-based defenses such as Content Security Policy, and other
JavaScript sandboxes such as the Google CAJA project.

Title: Build Application Security Controls into Legal Contracts
Every large organization is building web application software in some
way, normally at great expense. It is a significant organizational and
technical challenge simply to complete complex software projects.
It is an even greater challenge to do so in a secure fashion. The
earlier security is addressed in the engineering of software, the less
expensive it will be for your organization. This talk will discuss
several critical web application security-centric computer programming
techniques necessary to build low-risk web-based applications. This talk
will also describe strategic ways to add prescriptive security control
contract language into software procurement or outsourcing contract
language to encourage even third party developers to build secure code.

I ask everyone who wants to come to the 41st Munich OWASP Stammtisch on
14.05.2013 to take part in the survey (and everyone else to refrain from
doing so ;-)

<http://de.surveymonkey.com/s/955YK7D>

This time I particularly ask for "official" registrations, both if
possible by 07.05.2013 at the latest. Many thanks!

Best regards,
Ralf
