[Owasp-portland] Please Vote: Jim Manico Topics

info at btpcconsult.com
Thu Mar 21 18:04:04 UTC 2013

I may not be there as well, but I would be most interested in 

Top Ten Web Defenses

Cross Site Scripting Advanced Defense

Bill Dewey
Technical Analyst
Salem Housing Authority

Sent from my Verizon Wireless 4GLTE smartphone

----- Reply message -----
From: "Tim" <tim.morgan at owasp.org>
To: <owasp-portland at lists.owasp.org>
Subject: [Owasp-portland] Please Vote:  Jim Manico Topics
Date: Wed, Mar 20, 2013 14:45

I've only received one reply to this request...

I know how many people are on this mailing list and how many of them
are eager to learn more about security.  So I find a ~1% response
rate to be pretty sad.

What are you most interested in? Reply on or off list as you desire.


On Sun, Mar 10, 2013 at 11:42:16AM -0700, Tim wrote:
> Hi all,
> Jim Manico has offered to give another talk for us, tentatively
> scheduled for June 5.  Here are some of the topics he offered to
> present. Please let me know which of these interest you the most:
> ===
> Title: Top Ten Web Defenses
> We cannot firewall or patch our way to secure websites. In the past,
> security professionals thought firewalls, Secure Sockets Layer (SSL),
> patching, and privacy policies were enough. Today, however, these methods
> are outdated and ineffective, as attacks on prominent, well-protected
> websites are occurring every day. Citigroup, PBS, Sega, Nintendo, Gawker,
> AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands
> of others have something in common: all have had websites compromised in
> the last year. No company or industry is immune. Programmers need to learn
> to build websites differently. This talk will review the top coding
> techniques developers need to master in order to build a low-risk,
> high-security web application.
> Title: Securing the SDLC
> The earlier you address security in the engineering of software, the less
> expensive it will be for your organization. This talk will not only
> discuss critical security activities necessary to build secure software,
> but it will also address the unique aspects of secure software creation
> specific to various cloud architectures.
> Title: Authentication Best Practices for Developers
> This module will discuss the security mechanisms found within an
> authentication (AuthN) layer of a web application.  We will review a
> series of historical authentication threats. We will also discuss a
> variety of authentication design patterns necessary to build a low-risk
> high-security web application. Session management threats and best                                            
> practices will also be covered. This module will include several technical
> demonstrations and code review labs.
> Title: Access Control Design Best Practices
> Access Control is a necessary security control at almost every layer
> within a web application. This talk will discuss several of the key access
> control anti-patterns commonly found during website security audits. These
> access control anti-patterns include hard-coded security policies, lack of
> horizontal access control, and "fail open" access control mechanisms. In      
> reviewing these and other access control problems, we will discuss and
> design a positive access control mechanism that is data contextual,
> activity based, configurable, flexible, and deny-by-default - among other
> positive design attributes that make up a robust web-based access-control
> mechanism.
> Title: Cross Site Scripting Advanced Defense
> This talk will discuss the past methods used for cross-site scripting
> (XSS) defense that were only partially effective. Learning from these
> lessons, we will also discuss present day defensive methodologies that are                     
> effective, but place an undue burden on the developer. We will then finish
> with a discussion of advanced XSS defense methodologies that shift the
> burden of XSS defense from the developer to various frameworks. These
> include auto-escaping template technologies, browser-based defenses such
> as Content Security Policy, and other JavaScript sandboxes such as the
> Google CAJA project.
> Title: Build Application Security Controls into Legal Contracts
> Every large organization is building web application software in some way,
> normally at great expense. It is a significant organizational and
> technical challenge simply to complete complex software projects. It is
> an even greater challenge to do so in a secure fashion. The earlier
> security is addressed in the engineering of software, the less expensive
> it will be for your organization. This talk will discuss several critical
> web application security-centric computer programming techniques necessary
> to build low-risk web-based applications. This talk will also describe
> strategic ways to add prescriptive security control contract language into
> software procurement or outsourcing contract language to encourage even
> third party developers to build secure code.
> BIO: Jim Manico is the VP of Security Architecture for WhiteHat Security,
> a web security firm. He authors and delivers developer security awareness
> training for WhiteHat Security and has a background as a software
> developer and architect. Jim is also a global board member for the
> OWASP foundation. He manages and participates in several OWASP projects,
> including the OWASP cheat sheet series and the OWASP podcast series.
> ===
> thanks,
> tim
Owasp-portland mailing list
Owasp-portland at lists.owasp.org
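The "Access Control Design Best Practices" abstract above names three anti-patterns (hard-coded policies, missing horizontal access control, fail-open checks) and the attributes of a positive design (data contextual, activity based, configurable, deny-by-default). The Python below is an added example written for this page; it is not code from the talk, from Jim Manico or from any OWASP project. The User and Document types, the activity names and the POLICY table are assumptions made up for illustration.

```python
"""Access control: the fail-open, hard-coded anti-pattern beside a
deny-by-default, activity-based, data-contextual design. Added example;
User/Document, the activity names and POLICY are made-up assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset


@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int
    shared_with: frozenset = field(default_factory=frozenset)


# --- Anti-pattern (constructed): policy hard-coded in the handler, keyed on
# --- role only, with a catch-all that grants access when the check itself fails.
def can_edit_document_bad(user, doc, lookup_error=False):
    try:
        if lookup_error:                 # e.g. policy store unreachable
            raise RuntimeError("policy lookup failed")
        # Any "editor" may edit *every* document: nothing ties the user to
        # this particular document, so one editor can edit another editor's
        # document (missing horizontal access control).
        return "editor" in user.roles
    except Exception:
        return True                      # fail open


# --- Positive design: every rule receives the user AND the specific resource
# --- (data contextual); rules are grouped by activity, not by role.
def is_owner(user, doc):
    return doc.owner_id == user.id


def is_shared_with(user, doc):
    return user.id in doc.shared_with


def is_admin(user, doc):
    return "admin" in user.roles


# The policy is data, not control flow (configurable): an activity maps to the
# rules that may grant it. Anything not listed here is denied.
POLICY = {
    "document:read": (is_owner, is_shared_with, is_admin),
    "document:edit": (is_owner, is_admin),
    "document:delete": (is_owner,),
}


def is_authorized(user, activity, resource, policy=POLICY):
    """True only if some rule for this activity explicitly grants it.

    Unknown activity -> deny. A rule that raises -> deny (fail closed).
    No rule matches -> deny. The default answer is always "no"."""
    rules = policy.get(activity, ())
    try:
        return any(rule(user, resource) for rule in rules)
    except Exception:
        return False


def demo():
    """Constructed scenario: two editors, Bob owns the document."""
    alice = User(1, frozenset({"editor"}))
    bob = User(2, frozenset({"editor"}))
    bobs_doc = Document(10, owner_id=2)
    broken_policy = {"document:edit": (lambda u, d: 1 / 0,)}  # rule blows up
    return {
        # horizontal bypass: the bad check lets Alice edit Bob's document
        "bad_horizontal": can_edit_document_bad(alice, bobs_doc),
        "good_horizontal": is_authorized(alice, "document:edit", bobs_doc),
        "good_owner": is_authorized(bob, "document:edit", bobs_doc),
        # the check itself failing
        "bad_on_error": can_edit_document_bad(alice, bobs_doc, lookup_error=True),
        "good_on_error": is_authorized(bob, "document:edit", bobs_doc, broken_policy),
        # an activity nobody configured
        "good_unknown": is_authorized(bob, "document:export", bobs_doc),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {granted}")
```

The point of keying on activity rather than role is that adding "document:export" later requires a new POLICY entry before anyone, admin included, can do it; until then is_authorized returns False, which is the deny-by-default behaviour the abstract asks for.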
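The "Cross Site Scripting Advanced Defense" abstract above contrasts defenses that put the burden on the developer with ones that move it into the framework: auto-escaping templates and Content Security Policy. The Python below is an added example written for this page, not code from the talk, from OWASP or from any real template engine; the `{{ name }}` placeholder syntax, the Markup class, and the helper names are made up here, and the escaping shown covers HTML body and quoted-attribute context only.

```python
"""XSS defense shifted off the developer: an auto-escaping renderer (escaping
is the default; raw HTML is an explicit opt-out) beside the opt-in style, plus
a nonce-based Content-Security-Policy header. Added example; the template
syntax and helper names are assumptions."""
import html
import re
import secrets


class Markup(str):
    """A string the developer has explicitly declared to be safe HTML.

    It is the ONLY way to get unescaped text into the output."""


def escape(value):
    """Escape for HTML body / quoted-attribute context (not JS or URL context).
    Markup passes through, so already-escaped output is never double-escaped."""
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_opt_in(template, **ctx):
    """Anti-pattern: substitutions are raw unless the developer remembers to
    call escape() at every single use. One forgotten call is an XSS."""
    return _PLACEHOLDER.sub(lambda m: str(ctx[m.group(1)]), template)


def render(template, **ctx):
    """Auto-escaping: every substitution goes through escape(); only values
    the developer wrapped in Markup are emitted untouched."""
    return Markup(_PLACEHOLDER.sub(lambda m: escape(ctx[m.group(1)]), template))


def new_nonce():
    """Fresh per-response nonce: unpredictable and never reused."""
    return secrets.token_urlsafe(16)


def csp_header(nonce):
    """Only <script> elements carrying this response's nonce may run, so an
    injected <script> with no nonce is refused by the browser even where the
    escaping layer was bypassed. No 'unsafe-inline' anywhere."""
    return ("default-src 'self'; "
            f"script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'")


# Constructed page template; the application's own script carries the nonce.
PAGE = ('<!doctype html><p>Hello, {{ name }}</p>'
        '<script nonce="{{ nonce }}">console.log("app")</script>')


def render_page(name, nonce=None):
    """Return (headers, body). The same nonce appears in the CSP header and in
    the application's own <script> tag; attacker-controlled text never gets one."""
    nonce = nonce or new_nonce()
    body = render(PAGE, name=name, nonce=nonce)
    return {"Content-Security-Policy": csp_header(nonce)}, body


if __name__ == "__main__":
    payload = '<script>alert(document.cookie)</script>'   # constructed input
    print(render_opt_in("<p>{{ name }}</p>", name=payload))  # script survives
    print(render("<p>{{ name }}</p>", name=payload))         # inert text
    headers, body = render_page(payload, nonce="demo")
    print(headers["Content-Security-Policy"])
    print(body)
```

The two layers are complementary, which is why the abstract lists both: auto-escaping stops the injection from ever becoming markup, and the nonce-based CSP is the browser-side backstop if some template, or some hand-built string outside the template engine, gets it wrong.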