[Owasp-portland] SI talks
Timothy D. Morgan
tmorgan-owasp at vsecurity.com
Thu Dec 22 23:47:31 UTC 2011
In my quest for speakers, I asked Joe Basirico from Security Innovation
if he'd like to come down and present for us. He and his colleagues
speak on a number of topics and they sound interested in lending us some
of their insight.
Here are some of the topics Joe offered to present, in no particular
order. If you don't mind, could you all take a moment to read through
these and let us know which 2 topics would most interest you?
A) Business in the Cloud: Mitigating Risk
The cloud is a fundamental paradigm shift from our current or past
thinking about scalable architecture and security. It’s a cost-effective
way to provide maximum mobility and accessibility for your customers,
but there are security tradeoffs: less control of data, new
vulnerability classes, and compliance challenges. However, if managed
properly, these risks can be mitigated. This presentation will discuss
the challenges of cloud computing, demonstrate how to build a secure and
redundant system, and touch upon real-world examples of cloud computing
gone bad. Topics include:
* Pros and cons of cloud computing
* Trust - is it there when you need it to be? Amazon case study
* Security controls
* Securing applications in the cloud
* Redundancy - yes, we still need to think about it. Netflix case study
* The murky waters of compliance: PCI, GLBA, SAS 70, HIPAA, etc.
B) Attacker Techniques: Uncut & Uncensored
The security decisions made in each phase of software development have a
cascading effect (both positive and negative) in subsequent phases. And
those decisions can make it a lot easier or harder for an attacker to
penetrate security measures. This interactive session, hosted by a
software security expert, will shed light on today’s most pervasive
security flaws like injection and overflows - and the ease with which
they can be exploited, as seen in the recent attacks against Sony.
Using automated tools, manual techniques, and software applications
custom-built for this demonstration, the host will show how an attacker
views an application, looks for clues and vulnerabilities, and
ultimately exploits these weaknesses. For each attack scenario, he will
discuss the underlying flaw, exploit, vulnerability and consequence, and
encourage attendee participation.
C) Security Debate: Source Code Scanning or Web Application Scanning?
Source code reviews are helpful in finding many known dangerous
functions and structures in code. Web scanning provides insight into
as-deployed Web applications. Individually, each technique provides a
unique and targeted window into true security, but combining the two can
yield amazing results. This presentation will describe the process of
synergistically using tools like source code scanners along with web
application scanners to dramatically reduce costs and harden your web
* When should testing be done: during development or post-deployment?
* Automated vs. manual efforts – each has its time and place, but what
is the optimal mix?
* Debate: the pros and cons of black box vs. white box testing
* Best practices for source code scanning and web application scanning
D) Fragile Relics: Securing Legacy Applications
Legacy applications are often like Wonders of the Ancient World - nobody
can quite explain how exactly they came to be ... and surely nobody
knows how to secure them properly. And a lot of legacy applications are
rewritten or re-wrapped in new code in attempts to improve
interoperability and functionality. New platforms like Service-Oriented
Architectures (SOA) and development techniques like AJAX present a
great opportunity to give a fresh look to the application development
and management process of legacy applications and introduce
security-specific principles early in the process. This talk will guide
you through best practices in making mission-critical legacy
applications secure using today's latest techniques and technologies.
This talk will walk through several business cases of companies who
built service-oriented architectures using the latest tools and methods
with a specific mind toward securing their mission-critical legacy
applications in the process. We will discuss their decision processes
and analyze their choices of SOA, encryption, outsourcing,
authentication, threat modeling, and SDLC best practices.
E) Finding your Inner Evildoer for Successful Security Testing
Typically, a seasoned tester who can hunt down functional bugs in the
oddest of places does not make the transition to security testing very
easily. This presentation will discuss the three tenets of a great
security tester: Hearing Evil, Seeing Evil, and Doing Evil:
* Hearing Evil - the ability to absorb a massive amount of security
knowledge and immediately and effectively apply it to their daily
testing lives. Testers with this ability can draw upon years of
experience and testing history to detect when things are out of place or
where the deep interesting security bugs reside.
* Seeing evil - visualizing the system in the mind’s eye. Any great
security tester can use his or her imagination to visualize what is
occurring in the various components of a system that we do not have
access to. This imagination leads to deep understanding of how the
system is structured and allows the tester to visualize opportunities
for exploitation well below the surface.
* Doing evil - the ability for a security tester to figure out ways to
replicate an attacker’s master plan and execute on it themselves.
Thinking like an attacker isn’t enough - fully securing a system or
application requires surgical execution of a master attack plan.
F) I'm the Optimist
Despite nearly every metric by which we can measure our overall security
as an industry, we're getting worse. How can we continue to feel good
about software in general? Talk about CAs, SSL, DNSSEC, etc., security
bug trends, disclosure, large-scale software and small-scale software,
and privacy. For each of these things, talk about how developers need to
step up, but it's not an insurmountable problem.