[Owasp-portland] Please Vote: Jim Manico Topics

Tim tim.morgan at owasp.org
Sun Mar 10 18:42:16 UTC 2013

Hi all,

Jim Manico has offered to give another talk for us, tentatively
scheduled for June 5.  Here are some of the topics he offered to
present. Please let me know which of these interest you the most:

Title: Top Ten Web Defenses
We cannot firewall or patch our way to secure websites. In the past,
security professionals thought firewalls, Secure Sockets Layer (SSL),
patching, and privacy policies were enough. Today, however, these methods
are outdated and ineffective, as attacks on prominent, well-protected
websites are occurring every day. Citigroup, PBS, Sega, Nintendo, Gawker,
AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands
of others have something in common: all have had websites compromised in
the last year. No company or industry is immune. Programmers need to learn
to build websites differently. This talk will review the top coding
techniques developers need to master in order to build a low-risk,
high-security web application.

Title: Securing the SDLC
The earlier you address security in the engineering of software, the less
expensive it will be for your organization. This talk will not only
discuss critical security activities necessary to build secure software,
but it will also address the unique aspects of secure software creation
specific to various cloud architectures.

Title: Authentication Best Practices for Developers
This module will discuss the security mechanisms found within an
authentication (AuthN) layer of a web application.  We will review a
series of historical authentication threats. We will also discuss a
variety of authentication design patterns necessary to build a low-risk
high-security web application. Session management threats and best
practices will also be covered. This module will include several technical
demonstrations and code review labs.

Title: Access Control Design Best Practices
Access Control is a necessary security control at almost every layer
within a web application. This talk will discuss several of the key access
control anti-patterns commonly found during website security audits. These
access control anti-patterns include hard-coded security policies, lack of
horizontal access control, and "fail open" access control mechanisms. In
reviewing these and other access control problems, we will discuss and
design a positive access control mechanism that is data contextual,
activity based, configurable, flexible, and deny-by-default - among other
positive design attributes that make up a robust web-based access-control

Title: Cross Site Scripting Advanced Defense
This talk will discuss the past methods used for cross-site scripting
(XSS) defense that were only partially effective. Learning from these
lessons, we will also discuss present day defensive methodologies that are
effective, but place an undue burden on the developer. We will then finish
with a discussion of advanced XSS defense methodologies that shift the
burden of XSS defense from the developer to various frameworks. These
include auto-escaping template technologies, browser-based defenses such
as Content Security Policy, and other JavaScript sandboxes such as the
Google CAJA project.

Title: Build Application Security Controls into Legal Contracts
Every large organization is building web application software in some way,
normally at great expense. It is a significant organizational and
technical challenge simply to complete complex software projects. It is
an even greater challenge to do so in a secure fashion. The earlier
security is addressed in the engineering of software, the less expensive
it will be for your organization. This talk will discuss several critical
web application security-centric computer programming techniques necessary
to build low-risk web-based applications. This talk will also describe
strategic ways to add prescriptive security control contract language into
software procurement or outsourcing contract language to encourage even
third party developers to build secure code.

BIO: Jim Manico is the VP of Security Architecture for WhiteHat Security,
a web security firm. He authors and delivers developer security awareness
training for WhiteHat Security and has a background as a software
developer and architect. Jim is also a global board member for the
OWASP foundation. He manages and participates in several OWASP projects,
including the OWASP cheat sheet series and the OWASP podcast series.

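The access control abstract above names three anti-patterns (hard-coded policies, missing horizontal access control, "fail open" checks) and the properties a positive design should have (activity based, data contextual, configurable, deny-by-default). The following is an added example written for this archive page, not code from the original post or from Jim Manico's talk materials; the User and Document types, the activity names and the sample users are assumptions made for illustration. It puts a fail-open check side by side with a deny-by-default one so the difference is visible on the same inputs.

```python
"""Fail-open access control beside a deny-by-default design.

Added example for illustration only; not from the original post or talk.
User, Document, the activity names and the policy table are assumed for
this demo and do not come from any real project.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str
    shared_with: frozenset = field(default_factory=frozenset)


def can_access_fail_open(user, activity, doc):
    """Anti-pattern. Policy is hard-coded into if/else branches, 'read'
    has no horizontal check (any user reads any document), an activity
    nobody thought about falls through, and every fall-through or error
    ends in True: the mechanism fails open."""
    try:
        if activity == "delete":
            return user.user_id == doc.owner_id or "admin" in user.roles
        if activity == "read":
            return True  # no check that this user may see THIS document
    except Exception:
        pass
    return True  # unknown activity or evaluation error: allowed


# Positive design: one configurable table keyed by activity, each rule
# receiving the data object so the decision is contextual to it.
POLICY = {
    "document:read": lambda user, doc: (
        user.user_id == doc.owner_id or user.user_id in doc.shared_with
    ),
    "document:update": lambda user, doc: user.user_id == doc.owner_id,
    "document:delete": lambda user, doc: (
        user.user_id == doc.owner_id or "admin" in user.roles
    ),
}


def is_authorized(user, activity, doc, policy=POLICY):
    """Deny-by-default: an activity with no rule is denied, and any
    exception while evaluating a rule is treated as a denial."""
    rule = policy.get(activity)
    if rule is None:
        return False
    try:
        return bool(rule(user, doc))
    except Exception:
        return False


# Constructed sample data: an owner, a collaborator and an outsider.
ALICE = User("alice")
BOB = User("bob")
MALLORY = User("mallory")
ROOT = User("root", frozenset({"admin"}))
REPORT = Document("doc-1", owner_id="alice", shared_with=frozenset({"bob"}))


def compare(user, activity, doc):
    """Return (fail_open_decision, deny_by_default_decision) for one case.
    The fail-open function uses the bare verb the old code expected."""
    verb = activity.split(":", 1)[1]
    return can_access_fail_open(user, verb, doc), is_authorized(user, activity, doc)


if __name__ == "__main__":
    for who in (ALICE, BOB, MALLORY, ROOT):
        for act in ("document:read", "document:update", "document:export"):
            print(who.user_id, act, compare(who, act, REPORT))
```

Running the block prints, for each user and activity, the fail-open decision next to the deny-by-default one. The two rows worth reading are the outsider reading a document shared only with someone else (allowed by the fail-open code, denied by the table) and any user performing an activity the policy never defined (allowed by fall-through, denied by default). Adding a new activity to the positive design means adding one table entry; forgetting to do so yields a denial rather than silent access.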
