[Owasp-indianapolis] Bloomington OWASP: March 26th & April 2nd

Neil Weitzel neil.weitzel at owasp.org
Sat Mar 15 17:51:18 UTC 2014

Hello OWASP Friends,

I wanted to reach out to the Indianapolis list because we have two exciting
speakers coming to visit the Bloomington OWASP Chapter.

*March 26th 6pm at the Indiana Memorial Union:*
*Mobile Security for Everyone (Kids++) by Nabil Hannan*
As smart phones become popular, and everyone seems to have one these days
that they can't live without, the security impact of the daily decisions we
make while downloading applications, jailbreaking/rooting our devices,
playing games and giving them promiscuous permissions to our systems are
not really given much thought by the average user. This talk will focus on
how mobile devices and their threat model is different from the classic
computers; what "old" concepts still apply to our mobile devices, and what
the average consumer should be aware of from a security perspective on
their everyday interactions with their mobile devices. We also take a quick
illustrative detour into looking at how your decisions made in a mobile
games can have security consequences. Lastly, we will discuss some
server-side breaches from 2013 and their impact.

Nabil has over 10 years of experience in product management, software
development and information security. Having worked as a Product Manager at
Research In Motion/BlackBerry, Nabil has managed several initiatives and
projects through the full Software Development Lifecycle. Nabil has been
with Cigital since 2007, and during his tenure, he has identified, scoped
and delivered on software security projects (Architectural Risk Analysis,
Penetration Testing, Secure Code Review, Malicious Code Detection,
Vulnerability Remediation, Mobile Security Assessments, etc.) and products
(SecureAssist, Enterprise Security Portal, Remediation Helpdesk,
Operational Assessment Database, etc.) for many of our clients, in
particular in the financial services sector.  Nabil is based out of Boston,
MA and leads Cigital's North East practice, focusing on helping clients
solve their software security needs and build/improve effective software
security initiatives.

*April 2nd 4pm at Monroe County Public Library:*
*Scaling a Software Security Initiative: Lessons from the BSIMM by Gary
This talk highlights important lessons in scaling the software security
touchpoints described in the book Software Security and making them work
efficiently and effectively in a global software security initiative.  The
talk will focus on the top three touchpoints, discussing tools, technology,
people and processes for each:

   - Code review with a static analysis tool.  What is better, a
     centralized factory model or tools on all developers' desktops?  How do
     you set things up to fix what you find?  How do you avoid rejection of a
     complex toolset that requires real expertise to use?  What about
     that are in common use but stymie current commercial tools?  Are false
     positives a real issue?
   - Architectural risk analysis.  How do you even begin to scale
     something requiring so much expertise and experience to the enterprise?
     What kinds of knowledge make this process more efficient?  How do you
     gather intelligence about threats?  What are the top ten security design
   - Penetration testing.  What role should pen testing play in a
     software security initiative?  Is it best to develop capability in house
     or hire outside experts?  What kinds of access to design documents and
     source code should pen testers get?  Does pen testing scale?  How often
     should an application be tested?

These questions and others will be addressed head on using examples from
the 70+ BSIMM firms and many years of real world experience.  (Firms in the
BSIMM include, Adobe, Aon, Bank of America, Box, Capital One, The
Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae,
Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson,
Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce,
Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT,
Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo, and

Speaker Bio:
Gary McGraw, Ph.D.
CTO, Cigital

company: www.cigital.com
podcast: www.cigital.com/silverbullet
blog: www.cigital.com/justiceleague
book: www.swsec.com
personal: www.cigital.com/~gem
twitter: @cigitalgem

Gary McGraw is the CTO of Cigital, Inc., a software security consulting
firm with headquarters in the Washington, D.C. area and offices throughout
the world. He is a globally recognized authority on software security and
the author of eight best selling books on this topic. His titles include
Software Security, Exploiting Software, Building Secure Software, Java
Security, Exploiting Online Games, and 6 other books; and he is editor of
the Addison-Wesley Software Security series. Dr. McGraw has also written
over 100 peer-reviewed scientific publications, authors a monthly security
column for SearchSecurity and Information Security Magazine, and is
frequently quoted in the press. Besides serving as a strategic counselor
for top business and IT executives, Gary is on the Advisory Boards of
Dasient (acquired by Twitter), Fortify Software (acquired by HP), Raven
White, Max Financial, and Wall+Main. His dual PhD is in Cognitive Science
and Computer Science from Indiana University where he serves on the Dean's
Advisory Council for the School of Informatics. Gary served on the IEEE
Computer Society Board of Governors and produces the monthly Silver Bullet
Security Podcast for IEEE Security & Privacy magazine (syndicated by

Please feel free to distribute our social media or attached flyers to any
potentially interested individuals.

If you have any questions please don't hesitate to reach out.

Thank you,

Neil Weitzel
Chapter Leader, Bloomington