[Owasp-sanantonio] Jeremiah Grossman to present at regular August meeting of OWASP San Antonio

Dan Cornell dan at denimgroup.com
Mon Aug 9 08:48:23 EDT 2010


We're really fortunate to have Jeremiah Grossman - CTO of WhiteHat Security - here in town Wed 8/18/2010 for our normal OWASP San Antonio meeting.  He will be giving a presentation about their research study on which languages and web application frameworks have more secure applications.  As always - 11:30am in the Web Room at the San Antonio Technology Center.

See: <http://www.owasp.org/index.php/San_Antonio> for more information.  Scroll down a bit for the information about Jeremiah Grossman's talk.

More information below.  Free lunch!

Also, the day before, Jeremiah is going to be giving a different talk (Top 10 Web Hacks of 2009) at the ISSA meeting. More info can be found here:




San Antonio OWASP Chapter: Wed August 18, 2010

Topic: Which Web Programming Languages are Most Secure?

Presenter: Jeremiah Grossman, Founder and CTO, WhiteHat Security

Date: Wednesday, August 18, 2010 11:30am - 1:00pm

Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229

Abstract: Security-conscious organizations make implementing a software security development lifecycle a priority. As part of the process, they evaluate a large number of development technologies for building websites. The assumption by many is that not all development environments are created equal. So the question often asked is, "What is the most secure programming language or development framework available?"

Clearly, familiarity with a specific product, whether it is designed to be secure-by-default or must be configured properly, and whether various libraries are available, can drastically impact the outcome. Still, conventional wisdom suggests that most popular modern languages / frameworks (commercial & open source) perform relatively similarly when it comes to an overall security posture. At least in theory, none is markedly or noticeably more secure than another. Suggesting PHP, Java, C# and others are any more secure than other frameworks is sure to spark heated debate.

As has been said in the past, "In theory, there is no difference between theory and practice. But, in practice, there is." Until now, no website security study has provided empirical research measuring how various Web programming languages / frameworks actively perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that popular modern languages / frameworks yield similar results in production websites?

By analyzing the vulnerability assessment results of nearly 1,700 websites under WhiteHat Sentinel management, we may begin to answer some of these questions. These answers may enable the website security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas; software vendors may focus on areas found lacking; and, developers will increase their familiarity with the strength and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and be virtually transparent. Only then will application security progress be made.

Presenter Bio: Jeremiah Grossman founded WhiteHat Security in August 2001.

A world-renowned expert in Web security, Mr. Grossman is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007.

Mr. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense.

Mr. Grossman is frequently quoted in major media outlets such as USA Today, the Washington Post, The Financial Times, InformationWeek, InfoWorld, PC World, Dark Reading, SC Magazine, CNET, CSO and NBC News. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also to provide his perspective of what's to come.

Mr. Grossman was named a "friend of Google" and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information.

Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc.

Please RSVP: E-mail owasprsvp at denimgroup.com or call (210) 572-4400.
