[Owasp-portland] SI talks

David Pirolo webmaster at warnerpacific.edu
Fri Jan 13 23:54:29 UTC 2012


I'm always up for a good security conversation. B, C, E or F


On Fri, 2012-01-13 at 14:20 -0800, Timothy D. Morgan wrote:
> Hi everyone,
> 
> Does anyone else have opinions on this?  I should get back to SI soon 
> and nail down the date (probably early March).
> 
> thanks,
> tim
> 
> 
> On 12/23/2011 07:44 AM, Matthew Lapworth wrote:
> > My vote is for topics B&C.
> >
> > Thanks Tim!
> >
> > On Thu, Dec 22, 2011 at 3:47 PM, Timothy D. Morgan <tmorgan-owasp at vsecurity.com> wrote:
> >
> >> Hi everyone,
> >>
> >> In my quest for speakers, I asked Joe Basirico from Security Innovation
> >> if he'd like to come down and present for us.  He and his colleagues
> >> speak on a number of topics and they sound interested in lending us some
> >> of their insight.
> >>
> >> Here are some of the topics Joe offered to present, in no particular
> >> order.  If you don't mind, could you all take a moment to read through
> >> these and let us know which 2 topics would most interest you?
> >>
> >> Thanks!
> >> tim
> >>
> >>
> >>
> >> A) Business in the Cloud: Mitigating Risk
> >> =========================================
> >> The cloud is a fundamental paradigm shift from our current or past
> >> thinking about scalable architecture and security. It’s a cost-effective
> >> way to provide maximum mobility and accessibility for your customers,
> >> but there are security tradeoffs: less control of data, new
> >> vulnerability classes, and compliance challenges. However, if managed
> >> properly, these risks can be mitigated.  This presentation will discuss
> >> the challenges of cloud computing, demonstrate how to build a secure and
> >> redundant system, and touch upon real-world examples of cloud computing
> >> gone bad. Topics include:
> >>
> >> * Pros and cons of cloud computing
> >> * Trust - is it there when you need it to be? Amazon case study
> >> * Security controls
> >> * Securing applications in the cloud
> >> * Redundancy - yes, we still need to think about it. Netflix case study
> >> * The murky waters of compliance: PCI, GLBA, SAS 70, HIPAA, etc
> >>
> >>
> >> B) Attacker Techniques: Uncut & Uncensored
> >> ==========================================
> >> The security decisions made in each phase of software development have a
> >> cascading effect (both positive and negative) in subsequent phases. And
> >> those decisions can make it a lot easier or harder for an attacker to
> >> penetrate security measures.  This interactive session, hosted by a
> >> software security expert, will shed light on today’s most pervasive
> >> security flaws like injection and overflows - and the ease with which
> >> they can be exploited, as seen in the recent attacks against Sony
> >> PlayStation Network.
> >>
> >> Using automated tools, manual techniques, and software applications
> >> custom-built for this demonstration, the host will show how an attacker
> >> views an application, looks for clues and vulnerabilities, and
> >> ultimately exploits these weaknesses. For each attack scenario, he will
> >> discuss the underlying flaw, exploit, vulnerability and consequence, and
> >> encourage attendee participation.
> >>
> >>
> >> C) Security Debate: Source Code Scanning or Web Application Scanning?
> >> =====================================================================
> >> Source code reviews are helpful in finding many known dangerous
> >> functions and structures in code. Web scanning provides insight into
> >> as-deployed Web applications. Individually, each technique provides a
> >> unique and targeted window into true security, but combining the two can
> >> yield amazing results. This presentation will describe the process of
> >> synergistically using tools like source code scanners along with web
> >> application scanners to dramatically reduce costs and harden your web
> >> applications.
> >>
> >> Topics covered:
> >> * When should testing be done: during development or post-deployment?
> >> * Automated vs. manual efforts – each has its time and place, but what
> >> is the optimal mix?
> >> * Debate: the pros and cons of black box vs. white box testing
> >> * Best practices for source code scanning and web application scanning
> >>
> >>
> >> D) Fragile Relics: Securing Legacy Applications
> >> ===============================================
> >> Legacy applications are often like Wonders of the Ancient World - nobody
> >> can quite explain how exactly they came to be ... and surely nobody
> >> knows how to secure them properly. And a lot of legacy applications are
> >> rewritten or re-wrapped in new code in attempts to improve
> >> interoperability and functionality. New platforms like Service-Oriented
> >> Architectures (SOA) and development techniques like AJAX present a
> >> great opportunity to give a fresh look to the application development
> >> and management process of legacy applications and introduce
> >> security-specific principles early in the process. This talk will guide
> >> you through best practices in making mission-critical legacy
> >> applications secure using today's latest techniques and technologies.
> >>
> >> This talk will walk through several business cases of companies who
> >> built service-oriented architectures using the latest tools and methods
> >> with a specific mind toward securing their mission-critical legacy
> >> applications in the process. We will discuss their decision processes
> >> and analyze their choices of SOA, encryption, outsourcing,
> >> authentication, threat modeling, and SDLC best practices.
> >>
> >>
> >> E) Finding your Inner Evildoer for Successful Security Testing
> >> ==============================================================
> >> Typically, a seasoned tester that can hunt down functional bugs in the
> >> oddest of places does not make the transition to security testing very
> >> easily. This presentation will discuss the three tenets of a great
> >> security tester: Hearing Evil, Seeing Evil, and Doing Evil:
> >>
> >> * Hearing Evil - the ability to absorb a massive amount of security
> >> knowledge and immediately and effectively apply it to their daily
> >> testing lives. Testers with this ability can draw upon years of
> >> experience and testing history to detect when things are out of place or
> >> where the deep interesting security bugs reside.
> >>
> >> * Seeing evil - visualizing the system in the mind’s eye. Any great
> >> security tester can use his or her imagination to visualize what is
> >> occurring in the various components of a system that we do not have
> >> access to. This imagination leads to deep understanding of how the
> >> system is structured and allows the tester to visualize opportunities
> >> for exploitation well below the surface.
> >>
> >> * Doing evil - the ability for a security tester to figure out ways to
> >> replicate an attacker’s master plan and execute on it themselves.
> >> Thinking like an attacker isn’t enough - fully securing a system or
> >> application requires surgical execution of a master attack plan.
> >>
> >>
> >> F) I'm the Optimist
> >> ===================
> >> Despite nearly every metric by which we can measure overall security
> >> as an industry showing that we're getting worse, how can we continue to
> >> feel good about software in general? Talk about CAs, SSL, DNSSEC, etc.,
> >> security bug trends, disclosure, large-scale software and small-scale
> >> software, and privacy. For each of these things, talk about how
> >> developers need to step up, but it's not an insurmountable problem.
> >>
> >> _______________________________________________
> >> Owasp-portland mailing list
> >> Owasp-portland at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-portland
> >>
> >
> >
> >
> 