[OWASP-Philadelphia] Next Chapter Meeting: Wednesday, March 23, 2016 from 5:45 PM to 8:00 PM

Aaron Weaver aaron.weaver2 at gmail.com
Wed Mar 2 15:17:08 UTC 2016


Hi all, Come join us for our next meeting in a few weeks at Radian. We have
two great speakers lined up with Chris McGinley, BTB Security and Aravind
Venkataraman, Cigital.

32nd Floor Radian - 1500 Market Street @ 5:45

Please Register:
https://www.eventbrite.com/e/owasp-philadelphia-chapter-meeting-at-radian-tickets-22477335315


For updates follow: @phillyowasp

Application Event Logging
One of the most important sources of information for security threat
detection and investigation is often the most neglected in the application
development process. We're talking about application event logging - it
isn't often sexy or interesting, but it could be the key to detecting an
attack or compromise, or may provide the ability to successfully
investigate unauthorized activities or operational issues.

If it is so important, then why are application developers not building an
event logging framework into every application? And, why are the events
that are being logged from many applications useless for security purposes
or difficult to consume?

In this session we'll aim to answer these questions:
 - Why are developers not implementing application logging capabilities?
 - What mistakes are being made in the events that are logged?
 - What should be logged?
 - In what format should events be logged?
 - What is the difference between security events and operational events? And, should we care about both?

Chris McGinley, CISSP, CCE
Chris is a Managing Partner at BTB Security based out of Bala Cynwyd, PA.
Chris has been practicing the information security profession for over 10
years and has been in and around the world of IT for nearly 25 years.

Static Analysis Programs – Current State and Future Direction

Static analysis has grown in demand over the past decade and is now seen as
one of the key practices in many software security initiatives across
different industry verticals. When people think of static analysis, they
immediately think of tools and automated solutions.

While there are several well-known tool vendors in the marketplace, there
is not enough knowledge and experience in successfully implementing such
technology in real-world organizations. Successful static analysis program
implementation does not come without challenges and involves a progressive
time-consuming journey. Effective program implementation should
strategically account for people, process, and technology.

This presentation provides a holistic view of how the industry has taken
its shape over the past decade, and what organizations need to know when
planning for a new static analysis initiative.

Mr. Aravind Venkataraman is the Director of Cigital’s Static Analysis
practice. He has over 8 years of experience in software security and
network security. At Cigital (www.cigital.com), he has spent the past 6
years helping a number of Fortune 100 companies build and run software
security practices. He has performed planning, advisory and operational
roles in building such practices. He specializes in deploying static
analysis programs. He has helped several organizations deploy and run
static analysis capabilities of different sizes and shapes.

He presently plays a technical leadership and program advisory role both
for internal staff and clients based out of Washington DC.




-- 
Aaron Weaver
Philadelphia OWASP Chapter Lead
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline