AppSec Brasil 2010

For the Portuguese version, see AppSec Brasil 2010 (pt-br)

= OWASP AppSec Brasil 2010 =

The Second Edition of OWASP's flagship conference in South America will happen in Campinas, SP, Brazil. The Conference consists of two days of training sessions, followed by a two-day conference on a single track.

Conference Dates
The conference will happen from November 16th, 2010 to November 19th, 2010. The first two days will be tutorial days (see below). Plenary sessions will be held on November 18th and 19th.

'''New Deadline: the selected proposals will be announced on Sep. 16th.'''

About the conference
Following the success of the first AppSec Brasil, held in Brasilia in 2009, the OWASP Brazilian Chapter is organizing its second edition in 2010. AppSec Brasil 2010 will happen in the city of Campinas, located 90 km from São Paulo.

Campinas is the 3rd biggest city in the State of São Paulo and is an important economic center and hosts major universities and research centers. It is known to concentrate several high tech industries, including important multi-national companies in the fields of electronics, telecom and chemicals.

This year, we expect to gather a number of Brazilian and Latin American practitioners and researchers to share state-of-the-art information about application security.

Calls

'''DEADLINE EXTENDED - 23 August'''

'''OWASP APPSEC BRASIL 2010'''

'''CALL FOR PRESENTATIONS'''

Colleagues,

OWASP is currently soliciting presentations for the OWASP AppSec Brasil 2010 Conference that will take place at CPqD Foundation in Campinas, SP, Brazil on November 16th through 19th, 2010. There will be training courses on November 16th and 17th followed by plenary sessions on the 18th and 19th with each day having one single track.

We are seeking people and organizations that want to present on any of the following topics (in no particular order):

 * Application Threat Modeling
 * Business Risks with Application Security
 * Hands-on Source Code Review
 * Metrics for Application Security
 * OWASP Tools and Projects
 * Privacy Concerns with Applications and Data Storage
 * Secure Coding Practices (J2EE/.NET)
 * Starting and Managing Secure Development Lifecycle Programs
 * Technology specific presentations on security such as AJAX, XML, etc.
 * Web Application Security countermeasures
 * Web Application Security Testing
 * Web Services, XML and Application Security
 * Anything else relating to OWASP and Application Security

To make a submission you must fill out the form available at http://www.owasp.org/images/f/f7/OWASP_AppSec_Brasil_2010_CFP.rtf.zip and submit through the easychair conference interface at http://www.easychair.org/conferences/?conf=appsecbr2010

Each presenter will have 45 minutes for the presentation, followed by 10 minutes reserved for questions from the audience. The presentations must respect the restrictions of the OWASP Speaker Agreement.

'''Important Dates:'''

Submission deadline is August 23, 2010 at 11:59 PM (UTC/GMT -3). Notification of acceptance is September 8, 2010. Presentation slides are due September 30, 2010.

The conference organization team may be contacted by email at organizacao2010 (at) appsecbrasil.org

For more information, please see the following web pages:

Conference Website: https://www.owasp.org/index.php/AppSec_Brasil_2010

OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement

OWASP Website: http://www.owasp.org

Easychair conference site: http://www.easychair.org/conferences/?conf=appsecbr2010

Presentation proposal form: http://www.owasp.org/images/f/f7/OWASP_AppSec_Brasil_2010_CFP.rtf.zip

'''WARNING: Submissions without the information requested in the proposal form will not be considered'''

Please forward to all interested practitioners and colleagues

Call for training providers
'''OWASP APPSEC BRASIL 2010'''

'''CALL FOR TRAINING SESSIONS'''

Colleagues,

OWASP is currently soliciting training proposals for the OWASP AppSec Brazil 2010 Conference which will take place at Fundação CPqD in Campinas, SP, Brazil, on November 16 through November 19, 2010. There will be training courses on November 16 and 17 followed by plenary sessions on the 18 and 19 with one single track per day.

We are seeking training proposals on the following topics (in no particular order):

 * Application Threat Modeling
 * Business Risks with Application Security
 * Hands-on Source Code Review
 * Metrics for Application Security
 * OWASP Tools and Projects
 * Privacy Concerns with Applications and Data Storage
 * Secure Coding Practices (J2EE/.NET)
 * Starting and Managing Secure Development Lifecycle Programs
 * Technology specific presentations on security such as AJAX, XML, etc.
 * Web Application Security countermeasures
 * Web Application Security Testing
 * Web Services, XML and Application Security
 * Anything else relating to OWASP and Application Security

Proposals on topics not listed above but related to the conference (i.e. which are related to Application Security) may also be accepted.

To make a submission you must fill out the form available at http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip and submit by email to organizacao2010@appsecbrasil.org

There may be 1 or 2-day courses. The proposals must respect the restrictions of the OWASP Speaker Agreement. The conference will reward trainers with at least 30% of the total revenue of their courses, based on a minimum attendance. Courses that attract more students may be granted higher percentages. No other compensation (such as tickets or lodging) will be provided. If you require a different arrangement, please contact the conference chair at the email address below.

'''Compensation'''

Instructors and authors will be paid based on the number of students in their training sessions. If the training gathers only the minimum number of students, the compensation will be 30% of the revenue. For each group of 10 extra students enrolled, the compensation will be increased by 5% of the revenue, up to a maximum of 45% of the training revenue. For example, a 1-day training with 10 to 19 students will generate a compensation of 30% of the revenue. For classes of 20 to 29 students, the compensation rises to 35% of the revenue.

In exceptional cases, different compensation schemes may be accepted. Please contact the conference organization team by email (organizacao2010@appsecbrasil.org) for details.

'''Training cost'''

1-day training: R$ 450 per student

2-day training: R$ 900 per student

All prices in Brazilian Reais (BRL)

'''Minimum number of students'''

1-day trainings: 10 students

2-day trainings: 20 students

'''Important Dates:'''

Submission deadline is July 26, 2010, at 11:59 PM (UTC/GMT-3). Notification of acceptance will be August 16, 2010. Final version is due September 15, 2010.

The conference organization team may be contacted by email at organizacao2010 (at) appsecbrasil.org

For more information, please see the following web pages:

Conference Website: https://www.owasp.org/index.php/AppSec_Brasil_2010

OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement

OWASP Website: http://www.owasp.org

Easychair conference site: http://www.easychair.org/conferences/?conf=appsecbr2010

Training proposal form: http://www.owasp.org/images/1/1a/OWASP_AppSec_Brasil_2010_CFT.rtf.zip

'''WARNING: Submissions without all the information requested in the proposal form will not be considered'''

Sponsorship
We are currently soliciting sponsors for the AppSec Brasil 2010 Conference. Detailed [[Media:OWASP_-_Sponsorship_Opportunities_-_EN_V.1.2.pdf|sponsorship opportunities]] are now available.

If you are interested in sponsoring AppSec Brasil 2010, please contact the Conference Organization Team (organizacao2010@appsecbrasil.org).

Robert 'Rsnake' Hansen
SecTheory

Title: TBD.

Bio: Robert Hansen aka RSnake is the CEO and founder of SecTheory. He has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles from Sr. Security Architect and eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory board for the Intrepidus Group, previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies.

Mr. Hansen wrote Detecting Malice, authors content on O'Reilly and co-authored "XSS Exploits" by Syngress publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also has briefed the DoD at the Pentagon and speaks at SourceBoston, Secure360, GFIRST/US-CERT, CSI, Toorcon, APWG, ISSA, TRISC, World OWASP/WASC conferences, SANS, Microsoft's Bluehat, Blackhat, DefCon, SecTor, BSides, Networld+Interop, and has been the keynote speaker at the New York Cyber Security Conference, NITES and OWASP Appsec Asia. Mr. Hansen is a member of Infragard, West Austin Rotary, WASC, IACSP, APWG, contributed to the OWASP 2.0 guide and is on the OWASP Connections Committee.

Robert also maintains the http://ha.ckers.org website, where he discusses web application security and provides lots of useful content for defending against web application attacks.

Jeremiah Grossman
WhiteHat Security

Title: TBD.

Bio: Jeremiah Grossman, founder and CTO, WhiteHat Security, is a world-renowned Web security expert. A co-founder of the Web Application Security Consortium (WASC), he was named to InfoWorld's Top 25 CTOs in 2007 and is frequently quoted by business and technical media. He has authored dozens of articles and whitepapers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of "XSS Attacks: Cross Site Scripting Exploits and Defense." Grossman is also an influential blogger who offers insight and encourages open dialogue regarding Web security research and trends. Prior to WhiteHat, Grossman was an information security officer at Yahoo!

Samy Kamkar
Title: How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend.

Summary: This includes entertaining and newly discovered attacks including PHP session prediction and random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via JavaScript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a Web browser (not using IP geolocation), and more.

Bio: Samy Kamkar is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. A co-founder of Fonality, Inc., an IP PBX company, Samy previously led the development of all top-level domain name server software and systems for Global Domains International (.ws).

In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in network security, reverse engineering, and network gaming. When not strapped behind the Matrix, Samy can be found stunt driving and getting involved in local community service projects.

Mano Paul
Title: TBD.

Bio: Shark Researcher turned Security Guru! Manoranjan (Mano) Paul (CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+, ECSA) is the Founder and CEO at SecuRisk Solutions and Express Certifications. Based out of Austin, Texas in the USA, SecuRisk Solutions specializes in three areas of information security solutions - Product Development, Consulting and Awareness, Training & Education while Express Certifications focuses on professional certifications like the CISSP, SSCP, CSSLP and the BCI certificate.

Before SecuRisk Solutions and Express Certifications, Mano played several roles from software developer, quality assurance tester, logistics manager, technical architect, IT strategist and Security Engineer/Program Manager/Strategist at Dell Inc. His information security experience includes designing and developing software security programs from Compliance-to-Coding, application security risk management, security strategy & management, and conducting security awareness training and education.

Mano started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. He is a member and chair of the OWASP Global Education Committee and actively participates in OWASP speaking, training and leadership events. He is also the appointed Software Assurance Advisor for (ISC)2, representing and advising the organization on software assurance strategy, training, education and certification. He is an appointed faculty member and industry representative of the Capitol of Texas Information System Security Association (ISSA) chapter.

Mano has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the OWASP, CSI, Burton Group Catalyst, TRISC and SC World Congress conferences. He is the author of the Official (ISC)2 Guide to the Certified Secure Software Lifecycle Professional (CSSLPCM), contributing author for the Information Security Management Handbook, writes periodically for the Certification Magazine and has contributed to several security topics for the Microsoft Solutions Developer Network (MSDN).

Mano is married to whom he calls the “most wonderful and sacrificial person in this world”, Sangeetha Johnson, and their greatest fulfillment comes from spending time with their son, Reuben A Paul (RAP).

Fabio Cerulo
AIB

Title: Improving Application Security with ESAPI & ASVS

Abstract: The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organisations about the consequences of the most important web application security weaknesses. ESAPI is an Enterprise Security API for the remediation of OWASP Top 10 vulnerabilities. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI Swingset sample application demonstrates how to leverage ESAPI to protect a web application.

The ASVS standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications.

Bio: Fabio is currently working as an Information Security Specialist at AIB Bank (Dublin, Ireland). His tasks include performing risk analysis, assessing the security of web applications developed internally or purchased from third parties, defining policies and standards on secure coding, as well as providing training on web application security to developers, auditors, executives and security professionals.

Prior to joining AIB, he worked as a Security Engineer at Symantec Security Response European Headquarters analyzing malicious code, blended threats, security risks and vulnerabilities in various applications. Before moving to Ireland, he worked in the development of different training programs and activities with emphasis on secure software development in his native Argentina.

As a member of the OWASP organization, Fabio is part of the Global Education Committee, whose mission is to provide training and educational services to businesses, governments and educational institutions on application security. He coordinates international conferences around this topic and, since early 2010, has been the appointed chairman of the OWASP Chapter in Ireland. Fabio is a graduate in Computer Engineering from the Universidad Católica Argentina and was granted the CISSP by (ISC)2 back in 2006.

Status: To be confirmed

Cassio Goldschmidt
Symantec

Title: Responsibility for the Harm and Risk of Software Security Flaws

Abstract: Who is responsible for the harm and risk of security flaws? The advent of worldwide networks such as the internet made software security (or the lack of software security) become a problem of international proportions. There are no mathematical/statistical risk models available today to assess networked systems with interdependent failures. Without this tool, decision-makers are bound to overinvest in activities that don’t generate the desired return on investment or underinvest in mitigations, risking dreadful consequences. Experience suggests that no party is solely responsible for the harm and risk of software security flaws, but a model of partial responsibility can only emerge once the duties and motivations of all parties are examined and understood.

State of the art practices in software development won’t guarantee products free of flaws. The infinite principles of mathematics are not properly implemented in modern computer hardware without having to truncate numbers and calculations. Many of the most common operating systems, network protocols and programming languages used today were first conceived without the basic principles of security in mind. Compromises are made to maintain compatibility of newer versions of these systems with previous versions. Evolving software inherits all flaws and risks that are present in this layered and interdependent solution. Lastly, there are no formal ways to prove software correctness using either mathematics or a definitive authority to assert the absence of vulnerabilities. The slightest coding error can lead to a fatal flaw. Without a doubt, vulnerabilities in software applications will continue to be part of our daily lives for years to come.

Decisions made by adopters, such as whether to install a patch, upgrade a system or employ insecure configurations, create externalities that have implications for the security of other systems. Proper cyber hygiene and education are vital to stop the proliferation of computer worms, viruses and botnets. Furthermore, end users, corporations and large governments directly influence software vendors’ decisions to invest in security by voting with their money every time software is purchased or pirated.

Security researchers largely influence the overall state of software security depending on the approach taken to disclose findings. While many believe full disclosure practices helped the software industry to advance security in the past, several of the most devastating computer worms were created by borrowing from information detailed in researchers’ full disclosures. Both incentives and penalties were created for security researchers: a number of stories of vendors suing security researchers are available in the press. Some countries enacted laws banning the use and development of “hacking tools”. At the same time, companies such as iDefense promoted the creation of a market for security vulnerabilities, providing rewards that are larger than a year’s worth of salary for a software practitioner in countries such as China and India.

Effective policy and standards can serve as leverage to fix the problem, either by providing incentives or penalties. Attempts such as PCI created a perverse incentive that diverted decision makers’ goals to compliance instead of security. Stiff mandates and ineffective laws have been observed internationally. Given the fast pace of the industry, laws to combat software vulnerabilities may become obsolete before they are enacted. Alternatively, the government can use its own buying power to encourage adoption of good security standards. One example of this is the Federal Desktop Core Configuration (FDCC).

Bio: Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling, penetration testing and vulnerability management. Cassio’s background includes over 14 years of technical and managerial experience in the software industry. During the eight years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests. Cassio is also known for leading the OWASP chapter in Los Angeles and is a frequent speaker at security conferences worldwide.

Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor’s degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a master’s degree in software engineering from Santa Clara University, and a master of business administration from the University of Southern California.

Status: Confirmed

Noa Bar-Yosef
Imperva

Title: Business Logic Attacks – BATs and BLBs

Other authors: Amichai Shulman, Rob Rachwald

Abstract: Cyber attacks are being committed more often by professionals, and are increasingly driven by financial motives. Researchers have discovered the increasing popularity of a certain class of attacks that target business logic. Business logic attacks are a set of legal application transactions that are used to carry out a malicious operation that is not part of normal business practices. For example, brute forcing coupon codes in an ecommerce application to receive multiple discounts. This presentation will provide a quick introduction to business logic attacks, their unique characteristics and the motivation behind their uptick. The session will suggest a classification method for these attacks from which attendees can draw a set of required mitigation capabilities. We will discuss capabilities required for detecting automated interaction with the application, different types of repetitions, flow tampering and even compromised credentials. We will also contemplate the use of mitigation techniques such as Captcha, introducing delays and more. Concluding this session we will bring up the claim that all these capabilities can be introduced in the form of a "virtual patch" using a web application firewall, rather than being exclusively fixed in application code.
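As an added illustration of the repetition and flow-tampering checks the abstract mentions (example code written for this page, not Imperva's or the speakers' material), the Python script below runs two detections over a constructed application log: a session that tries many distinct coupon codes within a short window, and a session that reaches the order confirmation step without ever passing through the cart. The log format, the endpoint names, the two-minute window and the five-code threshold are all assumptions made for the example.

```python
"""Two business-logic attack detections over constructed sample log lines.
Added example; log format, endpoints and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line:
#   <ISO timestamp> <session id> <method> <path> [coupon=<code>] <HTTP status>
SAMPLE_LOG = """\
2010-11-18T10:00:00 s-aaa GET /cart 200
2010-11-18T10:00:05 s-aaa POST /checkout/coupon coupon=SPRING10 200
2010-11-18T10:00:20 s-aaa POST /checkout/confirm 200
2010-11-18T10:01:00 s-bbb GET /cart 200
2010-11-18T10:01:01 s-bbb POST /checkout/coupon coupon=AAAA0001 400
2010-11-18T10:01:02 s-bbb POST /checkout/coupon coupon=AAAA0002 400
2010-11-18T10:01:03 s-bbb POST /checkout/coupon coupon=AAAA0003 400
2010-11-18T10:01:04 s-bbb POST /checkout/coupon coupon=AAAA0004 400
2010-11-18T10:01:05 s-bbb POST /checkout/coupon coupon=AAAA0005 400
2010-11-18T10:01:06 s-bbb POST /checkout/coupon coupon=AAAA0006 400
2010-11-18T10:02:00 s-ccc POST /checkout/confirm 200
2010-11-18T10:05:00 s-ddd GET /cart 200
2010-11-18T10:05:30 s-ddd POST /checkout/coupon coupon=SPRNG10 400
2010-11-18T10:10:00 s-ddd POST /checkout/coupon coupon=SPRING1O 400
2010-11-18T10:16:00 s-ddd POST /checkout/coupon coupon=SPRING10 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<session>\S+) (?P<method>[A-Z]+) (?P<path>\S+)"
    r"(?: coupon=(?P<coupon>\S+))? (?P<status>\d{3})$"
)


def parse_log(text):
    """Turn the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable line: {line!r}")
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_coupon_enumeration(events, max_distinct=5, window=timedelta(minutes=2)):
    """Repetition check: flag sessions that submit at least `max_distinct`
    different coupon codes inside any `window`. A shopper mistyping a code
    a few times stays under the threshold; an enumeration loop does not.
    Returns {session: peak number of distinct codes seen in one window}."""
    attempts = defaultdict(list)
    for event in events:
        if event["coupon"] is not None:
            attempts[event["session"]].append((event["ts"], event["coupon"]))
    flagged = {}
    for session, tries in attempts.items():
        tries.sort()
        peak = 0
        for i, (t_end, _) in enumerate(tries):
            recent = {code for t, code in tries[: i + 1] if t >= t_end - window}
            peak = max(peak, len(recent))
        if peak >= max_distinct:
            flagged[session] = peak
    return flagged


def detect_flow_tampering(events, required="/cart", target="/checkout/confirm"):
    """Flow check: sessions that reach `target` without visiting `required`
    earlier, i.e. a checkout step called out of the intended sequence."""
    seen_required = set()
    flagged = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["path"] == required:
            seen_required.add(event["session"])
        elif event["path"] == target and event["session"] not in seen_required:
            if event["session"] not in flagged:
                flagged.append(event["session"])
    return flagged


def analyze(text):
    """Run both detections and return their findings keyed by check name."""
    events = parse_log(text)
    return {
        "coupon_enumeration": detect_coupon_enumeration(events),
        "flow_tampering": detect_flow_tampering(events),
    }


if __name__ == "__main__":
    for check, hits in analyze(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```

On the sample, only session s-bbb is reported by the coupon check (six distinct codes in a few seconds) and only s-ccc by the flow check; s-ddd, which mistypes a code twice over ten minutes, is left alone. In a deployment the same two functions would run on the application's own request log or inside a WAF rule engine, which is the "virtual patch" placement the abstract argues for.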

Bio: Noa Bar-Yosef is currently a senior security strategist at Imperva. Previously, she held the position of a senior security researcher with the Imperva Application Defense Center, where she conducted research on database and Web application vulnerabilities. Prior to Imperva, she held TA positions in courses on programming and network security at Tel Aviv University and the Open University. She has also been a software engineer with educational software vendor Sunburst Technology. Bar-Yosef holds a Master of Science degree (specializing in information security) from Tel-Aviv University, School of Computer Science, and a Bachelor of Science degree from The Hebrew University, School of Computer Science. During her work at Imperva, Noa has discovered multiple vulnerabilities in various commercial applications and worked with software vendors on their resolutions. She has also presented at a number of conferences, including Infosec Canada (2008) and OWASP BeNeLux (2009).

Status: To be confirmed

Gabriel Quadros
Conviso IT Security

Title: Taint Analysis of JavaScript Code for Detecting Vulnerabilities in Web Applications

Abstract: Modern Web applications make ever greater use of client-side code, with JavaScript being the most common language in most of them. Many vulnerabilities are introduced by careless use of this language. The publicly available analysis tools generally rely on pattern matching to find possible vulnerabilities, but this is not an efficient strategy for analyzing large amounts of code. There is therefore a need to develop tools capable of performing more advanced analyses, such as Taint Analysis and Symbolic Execution. This paper discusses several approaches to the dynamic analysis of JavaScript code and presents the JsInstrumentator tool, which is being developed by Conviso Security Labs.

Bio: Gabriel Quadros started studying information security in 2003, with a main interest in reverse engineering, vulnerability research and exploit development.

He is currently in the final year of the Bachelor's degree in Computer Science at the Universidade Estadual do Sudoeste da Bahia (UESB).

In April 2010 he began working as a security consultant at Conviso IT Security.

Status: Confirmed

Tony Rodrigues
Provider IT Business Solutions

Title: Tony’s Top 10 Application Artifacts: A Computer Forensics Approach to OWASP Top 10

Abstract: Application forensics has many peculiarities compared with other forensic disciplines. Besides requiring distinct techniques, the related artifacts are also quite specific. This presentation covers the ten main artifacts relevant to forensic examinations and investigations of applications and their environments, addressing them in parallel with the OWASP Top 10.

Bio: Tony Rodrigues is a CISSP, CFCP and Security+ certified professional with over 20 years of experience in IT and 8 years in Information Security Management. He has led several investigations, forensic examinations and research projects on Computer Forensics. Tony is an Information Security consultant and has spoken at important international conferences (CNASI, H2HC, YSTS). He is the author/creator of the forcomp.blogspot.com blog on Incident Response and Computer Forensics, and also contributes articles to the SANS Computer Forensics blog.

Status: To be confirmed

Chandrasekar Umapathy
Symphony Services Ltd

Title: Web 2.0 Testing

Abstract: Web 2.0 can be defined as the evolving trend of WWW technologies and web design that aim to enhance creativity, communications, secure information sharing, collaboration and functionality of Web 1.0. In contrast to the static nature of Web 1.0, Web 2.0 systems rely heavily upon user generated content. In fact, Web 2.0 has been described as the “participatory Web.” Security threats associated with them are characteristically considered Web 2.0 security threats.

The Presentation will focus on Web 2.0 attacks and how to gear up to test any 2.0 application.

Bio: Chandrasekar has 10+ years of experience in Information Technology, and 8 years in Information Security. He holds a PhD in Application Security, and is currently doing his research in Digital Forensics Investigation. He also holds MCA and MBA degrees. He has also achieved the following international certifications: GCFI, CBCP, CSSLP, LPT, CEH, CHFI, ECSA, ENSA, CPTS, ISO27001 (LA)(I), ITIL, CCSA, CCSE, CWNA, BS25999, CRISC and CISM. He actively supports State/Central Government of India officials in Digital Forensic investigation. He has been invited to various security conferences as a speaker, such as CSI (Computer Security of India), OWASP and ISACA. He has also trained more than 100 IT professionals from all levels of the corporate ladder on Ethical Hacking and Forensic Investigation. He is the current OWASP Chapter Lead for Chennai and the Cloud Security Alliance Chennai Chapter Lead.

Status: To be confirmed

Henrich Christopher Pöhls
University of Passau - ISL

Title: The State of XML Digital Signatures --- How to Avoid Technical Pitfalls and Harvest the Power of Newer Signature Schemes

Abstract: XML Digital Signatures are a complex tool; applied right, they help to ensure legal compliance, but there are many pitfalls. This talk will provide some basic steps that users and implementers should follow to avoid the pitfalls, among them:
 * Solid understanding of the XML Signature processing and verification steps
 * Use of simplistic and coherent references when creating XML Digital Signatures
 * Knowing how to test what was signed before acting upon it (BitFlip Test)

The talk will also provide an overview of new applications for recent and more specialized digital signature schemes, like sanitizable signature schemes (academic research since roughly 2000) that allow dealing with the need to modify already signed content. It will also highlight the security relevant changes that are planned for the upcoming version of XML Signature Syntax and Processing 2.0.
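The BitFlip Test in the third point can be shown with a deliberately simplified stand-in for XML Signature. The Python below is an added example, not the speaker's material: it models only the structure of the scheme (one Reference carrying a digest per covered element, plus a MAC over the list of references standing in for the SignedInfo and SignatureValue) and omits canonicalization, transforms and X.509 key handling, which a real XML Signature verifier must also get right. The document, element ids and key are constructed. The test signs a payment order whose references cover the header and the account but not the amount, then flips one bit in each element the application would act upon; an element whose change still verifies is one the signature never covered, which is exactly the reference mistake the second point warns about.

```python
"""BitFlip Test over a simplified model of a detached XML Signature.
Added example; the document, element ids and key are constructed, and the
signature structure is a stand-in for XML DSig, not a real implementation."""
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; a real deployment uses a managed key

# Constructed document: element id -> element content (what would be XML nodes)
SAMPLE_DOC = {
    "header": b"<header>payment order 42</header>",
    "amount": b"<amount>100.00</amount>",
    "account": b"<account>BR-000123</account>",
}


def _signed_info(references):
    """Serialize the list of (id, digest) references, i.e. the SignedInfo."""
    return "|".join(f"{eid}:{digest}" for eid, digest in references).encode()


def sign(doc, covered_ids, key=KEY):
    """Create one Reference (digest) per covered element and authenticate
    the reference list. Elements outside `covered_ids` are not protected."""
    references = [(eid, hashlib.sha256(doc[eid]).hexdigest()) for eid in covered_ids]
    tag = hmac.new(key, _signed_info(references), hashlib.sha256).hexdigest()
    return {"references": references, "signature": tag}


def verify(doc, sig, key=KEY):
    """Core validation: every referenced element still matches its digest,
    and the reference list itself is authentic. Note what is NOT checked:
    whether the references cover the elements the caller cares about."""
    for eid, digest in sig["references"]:
        if eid not in doc or hashlib.sha256(doc[eid]).hexdigest() != digest:
            return False
    expected = hmac.new(key, _signed_info(sig["references"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["signature"])


def bitflip_test(doc, sig, acted_on_ids, key=KEY):
    """For each element the application acts upon, flip one bit and confirm
    that verification fails. Returns the ids whose modification goes
    unnoticed, i.e. the data the signature does not actually protect."""
    if not verify(doc, sig, key):
        raise ValueError("signature does not verify on the untouched document")
    uncovered = []
    for eid in acted_on_ids:
        tampered = dict(doc)
        flipped = bytearray(doc[eid])
        flipped[0] ^= 0x01  # single-bit change in the element content
        tampered[eid] = bytes(flipped)
        if verify(tampered, sig, key):
            uncovered.append(eid)
    return uncovered


if __name__ == "__main__":
    # Incoherent references: the amount the application acts upon is not covered.
    weak_sig = sign(SAMPLE_DOC, ["header", "account"])
    print("uncovered with weak references:", bitflip_test(SAMPLE_DOC, weak_sig, ["amount", "account"]))
    # Coherent references: everything acted upon is covered.
    full_sig = sign(SAMPLE_DOC, ["header", "amount", "account"])
    print("uncovered with full references:", bitflip_test(SAMPLE_DOC, full_sig, ["amount", "account"]))
```

The point of running the test at integration time is that `verify` returns true for both signatures on the untouched document; only the bit flip reveals that the first one leaves the amount unprotected. With a real XML Signature library the same procedure applies: alter each node the business logic reads, re-run core validation, and treat any node that still validates as unsigned.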

Bio: Henrich C. Pöhls has presented his scientific work on digital signatures at several academic conferences (e.g. ICICS, GI, invited talks) and to technical audiences (e.g. DFN CERT, OWASP). He has been the instructor of a practical IT-security university class for Computer Science and IT-Security Master students for the last 7 years. He established this course first at the University of Hamburg in 2004 and then at the University of Passau in 2008. The course, now titled "Security Infrastructures", is centered around security infrastructures, focusing on secure and authenticated access through the use of digital signatures.

It involves setting up a certificate authority, using digital signatures and X.509 certificates mostly for authentication in open-source software, such as client and server authentication with Apache, secure DNS zone transfers, or client and server authentication in OpenVPN, as well as in MS Windows environments. It also covers certificate revocation using CRLs and OCSP. Henrich C. Pöhls draws from a rich repository of his own experience from his academic research in the field and the 7 years of using the available tools for creating, applying and managing digital signatures and X.509 certificates in different versions, and from seeing his students struggle with the pitfalls while trying to get it to work.

Status: Confirmed

Rodrigo Montoro
Trustwave Spiderlabs

Title: Web Application First Aid - Virtual Patching with ModSecurity

Abstract: In this presentation we will demonstrate the process of creating a Virtual Patch for your web application, from finding the flaw to the provisional fix. Among the topics we will cover:

 * Web Application Testing
 * How does a BlackBox test work?
 * How does a WhiteBox test work?
 * How ModSecurity works
 * I found a flaw, now what?
 * Understanding the flaw found
 * Creating a Virtual Patching rule
 * Testing the rule(s)

In the presentation we will stress that a Web Application Firewall (WAF) does not replace a code review or application testing, but should and can be used as an excellent security complement for your environment.

Bio: Rodrigo “Sp0oKeR” Montoro has extensive experience with open-source environments and the security market, especially in IPS/IDS, malware and protocols. He currently works on the SpiderLabs (Trustwave) research team, where he is part of the ModSecurity signatures core team, in addition to malware analysis, IDS signatures and research on malicious files, especially PDFs.

Status: Confirmed

Brian Contos
McAfee

Title: Exploring Three Modern Attack Vectors: Insiders, Industrialized and APTs

Abstract: Attacks are coming from all angles. In some cases they are very rudimentary; in others they are highly complex. Organizations must be able to protect themselves regardless, and do so in a way that is in parity with business operations, maintains employee and partner agility, and is manageable without the complexity of the solution being worse than the attack itself.

Failure to address these three different attack types can result in everything from diminished brand loyalty, regulatory penalties, and lost revenue, to stolen intellectual property, economic competitive disadvantage, and military competitive disadvantage. Based on research from McAfee Labs and customer interactions across the globe in the public and private sector, there is much information that can be shared about these attackers and their strategies.

Attendees will leave the presentation more knowledgeable about insider threats, industrialized hacking, and APTs. They will have a strong grasp of the attacker motives and understand their attack vectors. The audience will also be exposed to several non-vendor, non-product-specific countermeasures that they can leverage within their own organizations.

Bio: Mr. Contos has over 15 years of security engineering and management expertise. He has worked throughout North and South America, Europe, the Middle East, and Asia. At McAfee he advises government organizations and G2000s on security strategy. He has written two books including Enemy at the Water Cooler – Real Life Stories of Insider Threats, and Physical and Logical Security Convergence which he co-authored with former NSA Deputy Director William Crowell. He has delivered speeches at industry events like RSA, Black Hat, Interop, OWASP, CSI, ISACA, ISSA, InfraGard and eCrime. He is often quoted by business and industry press, and has written articles for Forbes, NY Times, London Times, Computerworld, and many others. He was formerly the Chief Security Strategist for Imperva, the Chief Security Officer for ArcSight, and has held management and engineering positions at Riptech, Bell Labs, Tandem Computers, and DISA.

Status: Confirmed

Secure Coding for J2EE Applications
Date and time: November 16th and 17th Instructor: Jason Li

Summary

Training developers on secure coding practices offers one of the highest returns of any security investment, because it eliminates vulnerabilities at the source. Aspect’s Java EE Secure Coding Training raises developer awareness of application security issues and provides examples of ‘what to do’ and ‘what not to do’. The class is led by an experienced developer and is delivered in a very interactive manner. This class includes hands-on exercises in which the students perform security analysis and testing on a live Java EE web application. This specially designed environment includes deliberate flaws the students have to find, diagnose, and fix. The class also uses Java EE coding exercises to provide students with realistic hands-on secure coding experience. Students gain hands-on experience using freely available web application security test tools to find and diagnose flaws and learn to avoid them in their own code.

Audience

This course is intended for Java EE software developers and Java EE software testers who know how to program.

Learning Objectives

At the highest level, the objective of this course is to ensure that developers are capable of designing, building, and testing secure Java EE applications and understand why this is important.

Topics

 * HTTP Fundamentals: understand and be able to employ the security features involved in using HTTP (e.g., headers, cookies, SSL).
 * Design Principles and Patterns: understand and be able to apply application security design principles.
 * Threats: be able to identify and explain common web application security threats (e.g., cross-site scripting, SQL injection, denial of service attacks, "man-in-the-middle" attacks, etc.) and implement mitigation techniques.
 * Authentication and Session Management: be able to handle credentials securely while providing the full range of authentication support functions, including login, change password, forgot password, remember password, logout, reauthentication, and timeouts.
 * Access Control: be able to implement access control rules for the user interface, business logic, and data layers.
 * Input Validation: be able to recognize potential input validation issues, particularly injection and cross-site scripting (XSS) problems, and implement appropriate input validation mechanisms for user input and other sources of input.
 * Command Injection: understand the dangers of command injection and techniques for avoiding the introduction of this type of vulnerability.
 * Error Handling: be able to implement a consistent error (exception) handling and logging approach for an entire web application.
 * Cryptography: learn when to apply cryptographic techniques and be able to choose algorithms and use encryption/decryption and hash functions securely.

Jason’s Bio

Jason is a remarkable trainer, having mastered five different training courses within a year’s time for our most valuable longstanding but diverse clients. The client base included a large financial institution, several leading shipping and logistics management companies, and a leading government systems integrator.

Jason has also taught Advanced Web Application Security Testing and Building Secure Web Applications classes at OWASP 2008 conferences in Belgium and India.

Common remarks returned from Jason’s class evaluations include “This is probably one of the most important classes I’ve been exposed to here” and '''“One of the best instructors I’ve ever had. Really knowledgeable of the subject. Kept class interested by sharing real life examples that depicted good scenarios.”'''

Using the OWASP ESAPI security API to provide security to web applications
''' Tutorial in Portuguese. '''

Date and time: November 16th (9AM to 6PM) Instructor: Tarcizio Vieira Neto

Summary

The evolution of technology in the development of web applications has contributed to a significant increase in the use of this technology for the most diverse purposes. However, this technology is subject to critical security vulnerabilities, especially since recent research shows that most vulnerabilities are present in the application itself. OWASP's ESAPI library (Enterprise Security API) appears in this scenario as an open source security library available for several languages such as Java EE, PHP, .NET, Classic ASP, Python and Ruby, among others. This short course addresses the vulnerabilities caused by common errors in application development and the security control mechanisms provided by ESAPI, with a focus on Java technology. The general principles learned in the course can be applied in the context of other programming languages.

Target audience

The intended audience is people working in web application development and security. The basic prerequisites are knowledge of web technologies, the HTTP and HTTPS protocols, basic security principles (encryption, hashing and digital signatures), and Java programming for web systems.

Learning objectives


 * Know the main security vulnerabilities commonly found in Web applications
 * Present the architecture of the ESAPI library and the operation of its modules with examples in Java.
 * Present Web Application Firewall component of ESAPI.

Topics

 * 1) Introduction
 * 2) Myths related to security in Web applications
 * 3) OWASP Project
 * 4) OWASP Top 10
 * 5) OWASP ESAPI Library
 * 6) Validation and Encoding Module
 * 7) Authentication Module
 * 8) Access Control Module
 * 9) HTTP Utilities Module
 * 10) Access Reference Module
 * 11) Cryptographic Module
 * 12) Log Module
 * 13) Intrusion Detection Module
 * 14) Integrating the AppSensor module with ESAPI
 * 15) Using Filters
 * 16) Configuring ESAPI
 * 17) Web Application Firewall Module
 * 18) Benefits of Using ESAPI
 * 19) Conclusions

Instructor

Tarcízio Vieira Neto has a degree in Computer Science from Universidade Federal de Goiás (UFG), in Goiania. He began his career as an intern developer on a technology initiation project funded by CNPq at the company Estratégia, in Goiania. After graduating he worked for six months at the company Fibonacci Soluções Ágeis in the same city, as a development analyst. He then worked for two years and eight months as a Brazilian Air Force officer, serving as a systems analyst in the Air Force Computer Center in Brasilia, where he gained experience with digital certification technologies and collaborated in the development of an enterprise electronic document management system.

He has been working at SERPRO since November 2009 as an Analyst in CETEC, working on software development security, dedicated primarily to writing guidelines that standardize techniques and tools to support security in Web application development.

He is attending a specialization course in Information Security from University of Brasília (UnB) and has altogether more than five years of programming experience in Java.

The Art and Science of Threat Modeling Web Applications
''' This tutorial is in English without translation. '''

Date and Time: November 17 (9AM to 6PM) Instructor: Mano Paul

Summary

To secure your home, you will first need to know how the thief could possibly enter and exit and where you should store your valuables. The same is true of your web applications. Unless you know what the vulnerabilities and threats of your web applications are, and what security measures you should take to protect them, ev1L h@x0rS or the enemy within (insider) could take advantage of the vulnerabilities.

Threat Modeling is a technique that you can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect your web applications. Threat Modeling helps in designing your application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of your SDLC and helps mitigate and minimize overall risk.

Target audience

The target audience is made of technical staff and management of system development organizations, with no required knowledge of languages or specific programming techniques.

Learning Objectives


 * 1) Understand Threat Modeling; when to threat model and when not to
 * 2) Translation of threats to risks for the organization
 * 3) Have fun learning complex concepts with exercises and interactive games

Topics


 * 1) Introduction
 * 2) Why Threat Model?
 * 3) Is Threat Modeling Right for You?
 * 4) Challenges
 * 5) Precursors
 * 6) Data Classification and Threat Modeling
 * 7) Web Application Security Mechanisms
 * 8) Benefits of Threat Modeling
 * 9) Common Glossary of Terms
 * 10) Threat Agents
 * 11) OWASP Top 10 and common application attacks
 * 12) Threat Modeling Process
 * 13) Attack Trees
 * 14) Threat and Risk Frameworks e.g., STRIDE and DREAD
 * 15) Threat to Risk translation
 * 16) Threat Modeling (Hands-On Exercise)

Instructor

Manoranjan (Mano) Paul is the Software Assurance Advisor for (ISC)2. His information security and software assurance experience includes designing and developing security programs from compliance-to-coding, security in the SDLC, writing secure code, risk management, security strategy, and security awareness training and education. He founded and serves as the CEO & President of Express Certifications. He also founded SecuRisk Solutions, a company that specializes in security product development and consulting.

Security in Service-oriented architectures
''' Tutorial in Portuguese. '''

Date and time: Nov 17 (9AM to 6PM) Instructors: Douglas Rodrigues, Julio Cesar Estrella and Nuno Manuel dos Santos Antunes

Summary

Web services are the cornerstone of Service-Oriented Architectures (SOA). As critical components of business, Web services must provide high security. However, the deployment of secure Web services is a complex task. In fact, several studies show that a large number of Web Services are deployed with security breaches ranging from code vulnerabilities (e.g., vulnerabilities that allow code injection, including SQL injection and XPath injection) to the incorrect use of security standards and protocols. The aim of this short course is to present the theoretical and practical tools that allow the detection of vulnerabilities, together with the security protocols and mechanisms that protect against attacks.

Target audience

The target audience is composed of technical and operational staff of systems development organizations; an intermediate-level knowledge of programming languages and methodologies is required.

Learning Objectives

The proposed short course contributes to new technological trends. The theme is relevant to the great research challenges in computing, since it fits naturally within the development of quality technology, encompassing making systems available, accurate, secure, scalable, persistent and ubiquitous; and, considering the conference area, SOA, Web services and security are the subject of growing research in computing, being both current and of interest to the academic community as well as to professionals in the labor market. Interest in SOA has grown in recent years because it is an approach that helps systems remain flexible and scalable as they grow, and can also help to close the business/IT gap. Students and professionals will have the opportunity to understand the basics of vulnerability detection at the code level and also of detecting attacks on protocols and mechanisms. The idea is that participants can use the knowledge gained in this short course to develop secure distributed applications using Web services and obtain the knowledge needed to diagnose and prevent attacks on this type of application.

Topics

 * 1) Security standards and protocols for Web services
 * 2) Attacks on Web services
 * 3) Denial of service attacks
 * 4) Brute force attacks
 * 5) Spoofing attacks
 * 6) Flooding attacks
 * 7) Injection attacks
 * 8) Evaluating security in Web services
 * 9) Case study on security in Web services
 * 10) "White-box" analysis
 * 11) "Black-box" testing
 * 12) "Gray-box" testing
 * 13) Case study on the effectiveness of tools for security assessment

Instructors

Julio Cesar Estrella - Master in Computer Science and Computational Mathematics, in the area of Distributed Systems (Institute of Mathematical and Computer Sciences, ICMC / University of São Paulo, USP). During his Master's he worked with queuing network simulation in a project related to the development of negotiation techniques in models of web servers with service differentiation. Ph.D. in Computer Science and Computational Mathematics (ICMC / USP). His doctoral thesis was about service-oriented architectures supporting QoS and the characterization of workloads for Web Services Composition with Quality of Service support. He is currently a professor at the Federal Technological University of Paraná (UTFPR - Campo Mourão).

Douglas Rodrigues - Master in Computer Science and Computational Mathematics from the Institute of Mathematics and Computer Science, University of São Paulo (ICMC-USP/São Carlos). Bachelor of Computer Science from University Euripides Marília (Univem), Marília / SP. Works on the following subjects: SOA, Web Services, performance evaluation, encryption and security.

Nuno dos Santos Antunes - attended the Computer Engineering program at the University of Coimbra from 2003 to 2007. Since 2008 he has carried out scientific research in the Software and Systems Engineering (SSE) group of the Center for Informatics and Systems of the University of Coimbra (CISUC), on topics related to methodologies and tools for developing Web Services without vulnerabilities. In 2009 he concluded a Master's in Computer Engineering at the Department of Computer Engineering, University of Coimbra, with the final rating of Very Good. In 2009 he began his PhD in Sciences and Information Technology. He has published five scientific papers in conferences with a rigorous peer review process, including articles in the most prestigious conferences in the areas of reliability and services.

Black-Box & White-Box ASP.NET Security Reviews using the OWASP O2 Platform
''' This tutorial will be in Portuguese with materials in English. '''

Date and time: November 16th (9AM to 6PM) Instructor: Dinis Cruz

Summary

This is a hands-on training course on how to use the OWASP O2 Platform to perform both Black-Box and White-Box security reviews on ASP.NET web applications.

The course is designed for security consultants/developers who are responsible for performing penetration tests or security code reviews. The course will show practical examples of how to use the OWASP O2 Platform to find, exploit and document security vulnerabilities.

For the course's labs, a number of test and real-world applications/frameworks will be used. In order to give the students a benign test environment which is easy to replicate, the (vulnerable-by-design) HacmeBank ASP.NET banking application will be used throughout the course.

Topics


 * What is the OWASP O2 Platform and how to use it?
 * Using O2's Unit Tests for web exploration and browsing
 * Using O2's Unit Tests for web exploitation
 * Understanding and using O2's Web Automation Tools to find and exploit vulnerabilities in HacmeBank (Black-Box)
 * Understanding and using O2's AST .NET Scanner to find vulnerabilities in HacmeBank (White-Box)
 * Connecting the source-code traces with the web exploits to create a unified view of the vulnerabilities
 * Create 'Vulnerability-driven Unit Tests' to be delivered to Developers, QA/Testers and Managers
 * Customizing and writing new APIs (for new or modified frameworks)
 * Using O2 to consume results from open source tools and 3rd party commercial vendors
 * Case Study: Microsoft ASP.NET MVC
 * Case Study: Microsoft SharePoint

Instructor

The course is delivered by Dinis Cruz, who is the lead developer of the OWASP O2 Platform and has created and delivered a number of .NET security training courses.

Location
Please check the Venue tab in this page.

Venue
The event will be held in Campinas, SP, Brazil at: Fundação CPQD.

You can check the location at Google Maps

How to get there

TBD

Online Registration
Registration form is available at https://creator.zoho.com/lucas.ferreira/appsec/

Conference Fees
Access to conference:


 * Before Sep 16th: 400.00 BRL
 * Before Oct 16th: 500.00 BRL
 * Before Nov 12th: 550.00 BRL
 * On site: 600.00 BRL

On site registration subject to the availability of seats.

Trainings


 * One day: 450.00 BRL
 * Two days: 900.00 BRL

Discounts


 * OWASP Member: 100.00 BRL (Note: this discount is greater than the OWASP USD 50.00 annual fee. Check here.)
 * Student: 100.00 BRL (Note: student ID required.)

Conference Committee
OWASP Global Conferences Committee Chair: Mark Bristow

OWASP Brazilian Chapter Leader: Wagner Elias

AppSec Brasil 2010 Organization Team (organizacao2010 at appsecbrasil.org):


 * Conference General Chair: Lucas C. Ferreira
 * Tutorials Chair: Eduardo Camargo Neves
 * Tracks Chair: Luiz Otávio Duarte
 * Local Chair: Alexandre Melo Braga

Team Members

 * Alexandre Melo Braga
 * Eduardo Camargo Neves
 * Lucas C. Ferreira
 * Luiz Otávio Duarte
 * Wagner Elias
 * Eduardo Alves Nonato da Silva
 * Leonardo Buonsanti
 * Dinis Cruz
 * Paulo Coimbra

Programme Committee:

 * Alexandre Braga
 * Carlos Serrao
 * Eduardo Alves
 * Fernando Cima
 * Leonardo Buonsanti
 * Lucas Ferreira
 * Luiz Duarte
 * Nelson Uto
 * Rodrigo Rubira
 * Wagner Elias

Travel
TBD

Links
Blog: http://blog.appsecbrasil.org

Twitter: http://twitter.com/owaspappsecbr

Banner: http://www.owasp.org/images/3/31/AppSec_Brasil_2010_Banner.gif

Powerpoint template: [[Media:OWASP_Presentation_Template_BrazilAppSec2010.ppt]]