Date and Location

OWASP Bay Area will host its next Application Security Summit at the SAP Offices in Palo Alto on July 1st, 2010. As usual attendance is free and food and beverages will be provided. This is an excellent event with great speakers and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.

We have an excellent line-up of speakers.

Please note that due to security issues, your must pre-register. Badges will be ready for the registered attendees at the lobby where you will check in.

WHAT: OWASP Bay Area Chapter - Application Security Summit

WHEN: Thursday, July 1st, 2010 - From 9 A.M. to 3.00 P.M.

WHERE: SAP Offices, Palo Alto - See below for directions

Venue and Directions:

3410 Hillview Ave, Palo Alto, Building 1 Executive Briefing Center (2nd Floor)

Directions on SAP Labs Web Site. Also on the Event Registration Page.

Parking - You can park in the visitor parking or any of the open spaces at any level of the parking lot.

REGISTER EARLY AS SEATING IS LIMITED

Please RSVP by registering at http://owaspbajuly2010.eventbrite.com/

SPONSORS: Appsec Consulting,Cenzic,Dasient, SAP Labs

Agenda

Detailed Abstracts and Speaker Bios

Drive By Downloads: How To Avoid Getting A Cap Popped In Your App: Which browser do you claim? What color is your screen-saver? It is a world wide hood out there, don’t let yourself become the next victim of a drive by… a drive by download. Email attachments have become synonymous with computer viruses and consumers have become accustom to questioning the legitimacy of email touting male enhancement drugs and lottery winnings. This means hackers are having to come up with new ways to distribute malware. Today, just by loading an infected webpage of from a legitimate website, a virus can be downloaded without any other interaction and will often go undetected. Once the virus is on a PC, hackers can access the computer remotely and steal sensitive information like banking passwords, send out spam or install more malicious executables.

In this talk, we describe in technical detail the "anatomy of a modern web-based malware attack." Web-based malware attacks have evolved significantly over the past 4 years. We present the state-of-the-art in web-based malware attacks and describe how the techniques used have evolved over time.
Bio - Neil Daswani is a co-founder of Dasient, Inc., a security company backed by some of the most influential investors in Silicon Valley and New York. In the past, Neil has served in a variety of research, development, teaching, and managerial roles at Google, Stanford University, DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies). While at Stanford, Neil co-founded the Stanford Center Professional Development (SCPD) Security Certification Program (http://proed.stanford.edu/?security). He has published extensively, frequently gives talks at industry and academic conferences, and has been granted several U.S. patents. He received a Ph.D. and a master's in computer science from Stanford University, and earned a bachelor's in computer science with honors with distinction from Columbia University. Neil is also the lead author of "Foundations of Security: What Every Programmer Needs To Know" (published by Apress; ISBN 1590597842; http://tinyurl.com/33xs6g. More information about Neil is available at http://www.neildaswani.com.

Building Secure Web Applications: This presentation will go over core principles involved in launching secure web applications and effectively managing security in a cloud services environment. We will discuss best practices for implementing security programs, review examples of things done right and wrong, and address specific steps required for creating and maintaining a sustainable security framework for your web applications.
Bio - Misha Logvinov is the Vice President of Online Operations at IronKey. In this position, Mr. Logvinov and his team are responsible for designing, implementing and supporting a highly-scalable mission critical infrastructure for IronKey's next-generation security products and services. Mr. Logvinov brings to IronKey over a decade of management experience in information technology, operations and security. Throughout his career, he has been responsible for implementing hundreds of customer solutions, supporting millions of online users, managing complex backoffice applications and building some of the world's most secure online service environments. Prior to IronKey, Mr. Logvinov spent six years at Yodlee, one of the leading online financial service providers. He held various management roles during his tenure, most recently, as Director of Operations Delivery. Mr. Logvinov's earlier experiences included IT management at Outcome, Inc. and INTERSHOP Communications. Mr. Logvinov holds a BA in Business Administration from Plekhanov Russian Academy of Economics. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM).

Bio - Alex Bello has been involved in the computer security field for the last six years with over ten years of combined experience in technical operations, web application development and security. Mr. Bello is currently serving as the Director of Technical Operations and the Product Security Team Lead at IronKey. Mr. Bello is responsible for architecture, operations and security management of the IronKey online services portfolio as well as IronKey products security testing and research. Prior to IronKey, Mr. Bello spent over three years consulting for various security organizations on infrastructure architecture, security research and web application development projects. Earlier in his career, Mr. Bello managed technical operations at one of the biggest online social marketplaces. In addition to his work at IronKey, for the last five years Mr. Bello has been responsible for technical operations and engineering at Anti-Phishing Working Group (APWG) supporting data aggregation, processing and consumption technologies behind one of the largest anti-phishing UBLs.

Cloudy with a chance of a hack: Cloud computing is a cost effective and efficient way for enterprises to automate their processes. However organizations need to be aware of the pitfalls of the many cloud computing solutions out there - one of the main ones being security. Most of these solutions were built for ease of use and without necessarily security in mind. Companies should ask the solution provider the security measures used in developing the application and get an independent verification to make sure there are no gaping holes. With over 75% of attacks occurring through the Web, any attack through these applications can lead to leakage of confidential information and embarrassment.
Bio – Lars Ewe: Chief Technology Officer and VP of Engineering for Cenzic. Lars Ewe is a technology executive with broad background in (web) application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering and product management in a variety of different markets. Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts.

Application Security Deployment Tradeoffs: Application security tradeoffs and choices are made at various stages of application design, development and deployment. This talk will cover deployment aspects of application security. Based on experience in designing, developing and deploying application security solutions and products for the past 10 years, I will do a case study based analysis of security costs and tradeoffs. Specifically, we will correlate security choices during deployment with our observations regarding the relatively higher adoption of security features and products that have an incremental deployment plan over those that are more intrusive and/or are operationally more expensive.
Bio – Anoop Reddy Anoop Reddy has been working in Security and Application Firewalls for the past 8 years and has led many innovations as part of Teros and Citrix. He was the Architect and Technical Lead at Teros and now manages the Engineering Development for the Application Firewall product lines at Citrix.

MashSSL - Extending SSL for securing mashups: In this presentation we will describe MashSSL and how it can be used to solve a fundamental Internet security problem - when two web applications communicate through a potentially un-trusted user they do not have any standard way of mutually authenticating each other and establishing a trusted channel. MashSSL is a new multi-party protocol that has been expressly designed to inherit the security properties of SSL, and to be able to leverage its trust infrastructure. We will also discuss how this can be used to secure a variety of multi-party environments including mashups using Cross-domain XHR, OpenAJAX, as well as scenarios such as OpenID and OAuth.
Bio – Siddharth Bajaj is researching new technologies in the areas of Internet Trust, Identity and Authentication including how these can be applied to solve problems in verticals such as healthcare, online content and cloud computing. Siddharth has been with VeriSign since 1999 and has fulfilled variety of technical leadership roles. He was involved in the development of the VeriSign PKI services platform as well as the early conceptualization and architecture of more recent VeriSign products such as UA and VIP.

RSVP

Please RSVP by registering at http://owaspbajuly2010.eventbrite.com/

Bay Area Past Events

Bay Area Past Events

• Brian Bertacini
• Garrett Gee
• Mandeep Khera
• Robi Papp