[Owasp-portland] SI talks
Timothy D. Morgan
tmorgan-owasp at vsecurity.com
Fri Jan 13 22:20:16 UTC 2012
Does anyone else have opinions on this? I should get back to SI soon
and nail down the date (probably early March).
On 12/23/2011 07:44 AM, Matthew Lapworth wrote:
> My vote is for topics B&C.
> Thanks Tim!
> On Thu, Dec 22, 2011 at 3:47 PM, Timothy D. Morgan <tmorgan-owasp at vsecurity.com> wrote:
>> Hi everyone,
>> In my quest for speakers, I asked Joe Basirico from Security Innovation
>> if he'd like to come down and present for us. He and his colleagues
>> speak on a number of topics and they sound interested in lending us some
>> of their insight.
>> Here are some of the topics Joe offered to present, in no particular
>> order. If you don't mind, could you all take a moment to read through
>> these and let us know which 2 topics would most interest you?
>> A) Business in the Cloud: Mitigating Risk
>> The cloud is a fundamental paradigm shift from our current or past
>> thinking about scalable architecture and security. It’s a cost-effective
>> way to provide maximum mobility and accessibility for your customers,
>> but there are security tradeoffs: less control of data, new
>> vulnerability classes, and compliance challenges. However, if managed
>> properly, these risks can be mitigated. This presentation will discuss
>> the challenges of cloud computing, demonstrate how to build a secure and
>> redundant system, and touch upon real-world examples of cloud computing
>> gone bad. Topics include:
>> * Pros and cons of cloud computing
>> * Trust - is it there when you need it to be? Amazon case study
>> * Security controls
>> * Securing applications in the cloud
>> * Redundancy - yes, we still need to think about it. Netflix case study
>> * The murky waters of compliance: PCI, GLBA, SAS 70, HIPAA, etc
>> B) Attacker Techniques: Uncut & Uncensored
>> The security decisions made in each phase of software development have a
>> cascading effect (both positive and negative) in subsequent phases. And
>> those decisions can make it a lot easier or harder for an attacker to
>> penetrate security measures. This interactive session, hosted by a
>> software security expert, will shed light on today’s most pervasive
>> security flaws like injection and overflows - and the ease with which
>> they can be exploited, as seen in the recent attacks against Sony
>> PlayStation Network.
>> Using automated tools, manual techniques, and software applications
>> custom-built for this demonstration, the host will show how an attacker
>> views an application, looks for clues and vulnerabilities, and
>> ultimately exploits these weaknesses. For each attack scenario, he will
>> discuss the underlying flaw, exploit, vulnerability and consequence, and
>> encourage attendee participation.
>> C) Security Debate: Source Code Scanning or Web Application Scanning?
>> Source code reviews are helpful in finding many known dangerous
>> functions and structures in code. Web scanning provides insight into
>> as-deployed Web applications. Individually, each technique provides a
>> unique and targeted window into true security, but combining the two can
>> yield amazing results. This presentation will describe the process of
>> synergistically using tools like source code scanners along with web
>> application scanners to dramatically reduce costs and harden your web
>> Topics covered:
>> * When should testing be done: during development or post-deployment?
>> * Automated vs. manual efforts – each has its time and place, but what
>> is the optimal mix?
>> * Debate: the pros and cons of black box vs. white box testing
>> * Best practices for source code scanning and web application scanning
>> D) Fragile Relics: Securing Legacy Applications
>> Legacy applications are often like Wonders of the Ancient World - nobody
>> can quite explain how exactly they came to be ... and surely nobody
>> knows how to secure them properly. And a lot of legacy applications are
>> rewritten or re-wrapped in new code in attempts to improve
>> interoperability and functionality. New platforms like Service-Oriented
>> Architectures (SOA) and development techniques like AJAX present a
>> great opportunity to give a fresh look to the application development
>> and management process of legacy applications and introduce
>> security-specific principles early in the process. This talk will guide
>> you through best practices in making mission-critical legacy
>> applications secure using today's latest techniques and technologies.
>> This talk will walk through several business cases of companies who
>> built service-oriented architectures using the latest tools and methods
>> with a specific mind toward securing their mission-critical legacy
>> applications in the process. We will discuss their decision processes
>> and analyze their choices of SOA, encryption, outsourcing,
>> authentication, threat modeling, and SDLC best practices.
>> E) Finding your Inner Evildoer for Successful Security Testing
>> Typically, a seasoned tester that can hunt down functional bugs in the
>> oddest of places does not make the transition to security testing very
>> easily. This presentation will discuss the three tenets of a great
>> security tester: Hearing Evil, Seeing Evil, and Doing Evil:
>> * Hearing Evil - the ability to absorb a massive amount of security
>> knowledge and immediately and effectively apply it to their daily
>> testing lives. Testers with this ability can draw upon years of
>> experience and testing history to detect when things are out of place or
>> where the deep interesting security bugs reside.
>> * Seeing Evil - visualizing the system in the mind’s eye. Any great
>> security tester can use his or her imagination to visualize what is
>> occurring in the various components of a system that we do not have
>> access to. This imagination leads to deep understanding of how the
>> system is structured and allows the tester to visualize opportunities
>> for exploitation well below the surface.
>> * Doing Evil - the ability for a security tester to figure out ways to
>> replicate an attacker’s master plan and execute on it themselves.
>> Thinking like an attacker isn’t enough - fully securing a system or
>> application requires surgical execution of a master attack plan.
>> F) I'm the Optimist
>> Despite nearly every metric by which we can measure the overall security
>> as an industry, we're getting worse. How can we continue to feel good
>> about software in general? Talk about CAs, SSL, DNSSEC, etc., security
>> bug trends, disclosure, large-scale software and small-scale software,
>> and privacy. For each of these things talk about how developers need to
>> step up, but it's not an insurmountable problem.