[Owasp-portland] Please Vote: Jim Manico Topics

Keith Seymour keseymour at gmail.com
Thu Mar 21 12:50:38 UTC 2013


I'm not sure if I'll make the talk but I'd be interested to hear:

Authentication Best Practices for Developers

or any of them except:

Build Application Security Controls into Legal Contracts


On Wed, Mar 20, 2013 at 2:45 PM, Tim <tim.morgan at owasp.org> wrote:

>
> I've only received one reply to this request...
>
> I know how many people are on this mailing list and how many of them
> are eager to learn more about security.  So I find a ~1% response
> rate to be pretty sad.
>
> What are you most interested in?   Reply on or off list as you desire.
>
> tim
>
>
>
> On Sun, Mar 10, 2013 at 11:42:16AM -0700, Tim wrote:
> >
> >
> > Hi all,
> >
> > Jim Manico has offered to give another talk for us, tentatively
> > scheduled for June 5.  Here are some of the topics he offered to
> > present. Please let me know which of these interest you the most:
> >
> >
> > ===
> > Title: Top Ten Web Defenses
> > We cannot firewall or patch our way to secure websites. In the past,
> > security professionals thought firewalls, Secure Sockets Layer (SSL),
> > patching, and privacy policies were enough. Today, however, these methods
> > are outdated and ineffective, as attacks on prominent, well-protected
> > websites are occurring every day. Citigroup, PBS, Sega, Nintendo, Gawker,
> > AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands
> > of others have something in common: all have had websites compromised in
> > the last year. No company or industry is immune. Programmers need to learn
> > to build websites differently. This talk will review the top coding
> > techniques developers need to master in order to build a low-risk,
> > high-security web application.
> >
> > Title: Securing the SDLC
> > The earlier you address security in the engineering of software, the less
> > expensive it will be for your organization. This talk will not only
> > discuss critical security activities necessary to build secure software,
> > but it will also address the unique aspects of secure software creation
> > specific to various cloud architectures.
> >
> > Title: Authentication Best Practices for Developers
> > This module will discuss the security mechanisms found within an
> > authentication (AuthN) layer of a web application.  We will review a
> > series of historical authentication threats. We will also discuss a
> > variety of authentication design patterns necessary to build a low-risk
> > high-security web application. Session management threats and best
> > practices will also be covered. This module will include several technical
> > demonstrations and code review labs.
> >
> > Title: Access Control Design Best Practices
> > Access Control is a necessary security control at almost every layer
> > within a web application. This talk will discuss several of the key access
> > control anti-patterns commonly found during website security audits. These
> > access control anti-patterns include hard-coded security policies, lack of
> > horizontal access control, and "fail open" access control mechanisms. In
> > reviewing these and other access control problems, we will discuss and
> > design a positive access control mechanism that is data contextual,
> > activity based, configurable, flexible, and deny-by-default - among other
> > positive design attributes that make up a robust web-based access-control
> > mechanism.
> >
> > Title: Cross Site Scripting Advanced Defense
> > This talk will discuss the past methods used for cross-site scripting
> > (XSS) defense that were only partially effective. Learning from these
> > lessons, we will also discuss present day defensive methodologies that are
> > effective, but place an undue burden on the developer. We will then finish
> > with a discussion of advanced XSS defense methodologies that shift the
> > burden of XSS defense from the developer to various frameworks. These
> > include auto-escaping template technologies, browser-based defenses such
> > as Content Security Policy, and other Javascript sandboxes such as the
> > Google CAJA project.
> >
> > Title: Build Application Security Controls into Legal Contracts
> > Every large organization is building web application software in some way,
> > normally at great expense. It is a significant organizational and
> > technical challenge simply to complete complex software projects. It is
> > an even greater challenge to do so in a secure fashion. The earlier
> > security is addressed in the engineering of software, the less expensive
> > it will be for your organization. This talk will discuss several critical
> > web application security-centric computer programming techniques necessary
> > to build low-risk web-based applications. This talk will also describe
> > strategic ways to add prescriptive security control contract language into
> > software procurement or outsourcing contract language to encourage even
> > third party developers to build secure code.
> >
> >
> >
> > BIO: Jim Manico is the VP of Security Architecture for WhiteHat Security,
> > a web security firm. He authors and delivers developer security awareness
> > training for WhiteHat Security and has a background as a software
> > developer and architect. Jim is also a global board member for the
> > OWASP foundation. He manages and participates in several OWASP projects,
> > including the OWASP cheat sheet series and the OWASP podcast series.
> > ===
> >
> > thanks,
> > tim



-- 
GeekyExplorers.com
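The access control abstract quoted above contrasts "fail open" mechanisms with a deny-by-default, activity-based, data-contextual design that also covers horizontal access control. The following is an added Python illustration of that contrast, not code from the talk or from anyone on this list; the users, roles, records and the POLICY table are all constructed for the example.

```python
# Added example: "fail open" access-control anti-pattern beside a deny-by-default,
# activity-based, data-contextual check. All users, roles and records are constructed.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

@dataclass
class Record:
    id: int
    owner: str

# Hypothetical policy table: activity -> roles allowed to perform it on any record.
POLICY = {
    "read": {"admin", "auditor"},
    "update": {"admin"},
}

def can_access_fail_open(user, activity, record):
    """Anti-pattern: an activity missing from the table skips the role check
    entirely and falls through to True, so anything unlisted is permitted."""
    if activity in POLICY:
        return bool(user.roles & POLICY[activity])
    return True  # fail open

def can_access(user, activity, record):
    """Deny-by-default check. Vertical rule: a role listed for the activity may
    act on any record. Horizontal rule: the record owner may read and update
    their own record. Everything else, including unknown activities, is denied."""
    allowed_roles = POLICY.get(activity)
    if allowed_roles is None:
        return False  # unknown activity: deny
    if user.roles & allowed_roles:
        return True
    if activity in ("read", "update") and record.owner == user.name:
        return True
    return False

def demo():
    alice, bob, admin = User("alice"), User("bob"), User("root", {"admin"})
    rec = Record(1, owner="alice")
    return {
        "owner_read": can_access(alice, "read", rec),
        "other_read": can_access(bob, "read", rec),  # horizontal access control
        "admin_update": can_access(admin, "update", rec),
        "unknown_fail_open": can_access_fail_open(bob, "delete", rec),
        "unknown_deny": can_access(bob, "delete", rec),
    }
```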