[Owasp-portland] SI talks

Matthew Lapworth matthewl at bit-shift.net
Fri Dec 23 15:44:51 UTC 2011

My vote is for topics B & C.

Thanks Tim!

On Thu, Dec 22, 2011 at 3:47 PM, Timothy D. Morgan <
tmorgan-owasp at vsecurity.com> wrote:

> Hi everyone,
> In my quest for speakers, I asked Joe Basirico from Security Innovation
> if he'd like to come down and present for us.  He and his colleagues
> speak on a number of topics and they sound interested in lending us some
> of their insight.
> Here are some of the topics Joe offered to present, in no particular
> order.  If you don't mind, could you all take a moment to read through
> these and let us know which 2 topics would most interest you?
> Thanks!
> tim
> A) Business in the Cloud: Mitigating Risk
> =========================================
> The cloud is a fundamental paradigm shift from our current or past
> thinking about scalable architecture and security. It’s a cost-effective
> way to provide maximum mobility and accessibility for your customers,
> but there are security tradeoffs: less control of data, new
> vulnerability classes, and compliance challenges. However, if managed
> properly, these risks can be mitigated.  This presentation will discuss
> the challenges of cloud computing, demonstrate how to build a secure and
> redundant system, and touch upon real-world examples of cloud computing
> gone bad. Topics include:
> * Pros and cons of cloud computing
> * Trust - is it there when you need it to be? Amazon case study
> * Security controls
> * Securing applications in the cloud
> * Redundancy - yes, we still need to think about it. Netflix case study
> * The murky waters of compliance: PCI, GLBA, SAS 70, HIPAA, etc
> B) Attacker Techniques: Uncut & Uncensored
> ==========================================
> The security decisions made in each phase of software development have a
> cascading effect (both positive and negative) in subsequent phases. And
> those decisions can make it a lot easier or harder for an attacker to
> penetrate security measures.  This interactive session, hosted by a
> software security expert, will shed light on today’s most pervasive
> security flaws like injection and overflows - and the ease with which
> they can be exploited, as seen in the recent attacks against Sony
> PlayStation Network.
> Using automated tools, manual techniques, and software applications
> custom-built for this demonstration, the host will show how an attacker
> views an application, looks for clues and vulnerabilities, and
> ultimately exploits these weaknesses. For each attack scenario, he will
> discuss the underlying flaw, exploit, vulnerability and consequence, and
> encourage attendee participation.
> C) Security Debate: Source Code Scanning or Web Application Scanning?
> =====================================================================
> Source code reviews are helpful in finding many known dangerous
> functions and structures in code. Web scanning provides insight into
> as-deployed Web applications. Individually, each technique provides a
> unique and targeted window into true security, but combining the two can
> yield amazing results. This presentation will describe the process of
> synergistically using tools like source code scanners along with web
> application scanners to dramatically reduce costs and harden your web
> applications.
> Topics covered:
> * When should testing be done: during development or post-deployment?
> * Automated vs. manual efforts – each has its time and place, but what
> is the optimal mix?
> * Debate: the pros and cons of black box vs. white box testing
> * Best practices for source code scanning and web application scanning
> D) Fragile Relics: Securing Legacy Applications
> ===============================================
> Legacy applications are often like Wonders of the Ancient World - nobody
> can quite explain how exactly they came to be ... and surely nobody
> knows how to secure them properly. And a lot of legacy applications are
> rewritten or re-wrapped in new code in attempts to improve
> interoperability and functionality. New platforms like Service-Oriented
> Architectures (SOA) and development techniques like AJAX present a
> great opportunity to give a fresh look to the application development
> and management process of legacy applications and introduce
> security-specific principles early in the process. This talk will guide
> you through best practices in making mission-critical legacy
> applications secure using today's latest techniques and technologies.
> This talk will walk through several business cases of companies who
> built service-oriented architectures using the latest tools and methods
> with a specific mind toward securing their mission-critical legacy
> applications in the process. We will discuss their decision processes
> and analyze their choices of SOA, encryption, outsourcing,
> authentication, threat modeling, and SDLC best practices.
> E) Finding your Inner Evildoer for Successful Security Testing
> ==============================================================
> Typically, a seasoned tester that can hunt down functional bugs in the
> oddest of places does not make the transition to security testing very
> easily. This presentation will discuss the three tenets of a great
> security tester: Hearing Evil, Seeing Evil, and Doing Evil:
> * Hearing Evil - the ability to absorb a massive amount of security
> knowledge and immediately and effectively apply it to their daily
> testing lives. Testers with this ability can draw upon years of
> experience and testing history to detect when things are out of place or
> where the deep interesting security bugs reside.
> * Seeing evil - visualizing the system in the mind’s eye. Any great
> security tester can use his or her imagination to visualize what is
> occurring in the various components of a system that we do not have
> access to. This imagination leads to deep understanding of how the
> system is structured and allows the tester to visualize opportunities
> for exploitation well below the surface.
> * Doing evil - the ability for a security tester to figure out ways to
> replicate an attacker’s master plan and execute on it themselves.
> Thinking like an attacker isn’t enough - fully securing a system or
> application requires surgical execution of a master attack plan.
> F) I'm the Optimist
> ===================
> By nearly every metric with which we can measure overall security as an
> industry, we're getting worse. How can we continue to feel good about
> software in general? Talk about CAs, SSL, DNSSEC, etc., security bug
> trends, disclosure, large-scale software and small-scale software, and
> privacy. For each of these things, talk about how developers need to
> step up, but it's not an insurmountable problem.
> _______________________________________________
> Owasp-portland mailing list
> Owasp-portland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-portland

Matthew Lapworth

We are what we repeatedly do. Excellence then is not an act, but a habit.
  - Aristotle
