Bay Area

Date and Location
OWASP Bay Area Meeting
Thursday, July 23rd, 1:00 - 8:00 PM
Stanford University, Center for Integrated Services, Room CISX 101
http://cis.stanford.edu/misc/directions.html

OWASP Bay Area will host its Application Security Summit meeting at Stanford University on Thursday, July 23rd. As usual, attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.

'''Please note: Stanford has parking restrictions, and a parking fee applies until 4 PM. You can buy parking stickers from the meter. Detailed instructions are on this site: http://transportation.stanford.edu/parking_info/VisitorParking.shtml'''

http://owaspbajuly09.eventbrite.com

Agenda
 * 1:00 PM - 1:30 PM ... Check-in, registration, networking
 * 1:30 PM - 1:45 PM ... Welcome Remarks and Overview of OWASP Bay Area - Mandeep Khera, Bay Area Chapter Leader [[Media:OWASP_Mandeep_Khera_BA_July09.pdf]]
 * 1:45 PM - 2:30 PM ... Development Issues Within AJAX Applications: How to Divert Threats - Lars Ewe, CTO, Cenzic [[Media:OWASP-AJAX-Lars-Final.pdf]]
 * 2:30 PM - 3:30 PM ... Building a Corp App Security Assessment Program - Rob Jerdonek, Info Security Analyst, Intuit [[Media:JerdonekChung_OWASP_July23_2009-public.pdf]]
 * 3:30 PM - 4:00 PM ... Networking Break, refreshments
 * 4:00 PM - 5:00 PM ... Mastering Session Management - Siva Ram, Lead Security Consultant, AppSec Consulting [[Media:Siva Ram-Mastering Session Managment.pdf]]
 * 5:00 PM - 6:00 PM ... From Rivals to BFF: WAF & VA Unite - Brian Contos, Chief Security Strategist, Imperva [[Media:OWASP Brian Contos WAF and VA July2009 Final PUBLIC.pdf]]
 * 6:00 PM - 8:00 PM ... Networking Reception - Food and Drinks!! [[Media:OWASP- BayArea-July09-Evaluation.pdf]]

Development Issues Within AJAX Applications: How to Divert Threats
AJAX has rapidly emerged as a prominent enabling technology in the movement to improve the Web as a software platform for business and consumer applications. Using AJAX development techniques provides software developers with a wide-open platform for creating innovative new Web (2.0) applications. The result is a more readily responsive Web environment which minimizes the “start-stop-start-stop” nature of Web pages, thus increasing the speed and user-interactivity of Web-enabled services.

However, the open, malleable nature of Web 2.0 also has an often overlooked impact on application security that is not necessarily visible to application developers at first, making applications and overall network security a relatively easy target for malicious behavior. Security issues arise from a number of sources, each increasing the attack surface of AJAX applications: client-side security controls often replace server-side data validation, creating a false sense of security; so do calls to "hidden" application functionality and URLs; new XML and JavaScript data models, such as JSON, enable new attack vectors, like JavaScript Hijacking; and the open, easy-to-use nature of so-called Mashups often comes at the price of various security compromises.

Such threats, however, can be thwarted with the proper implementation of security testing. This session will address the development issues of AJAX applications from a security perspective, looking at how today's common web threats such as SQL injection, Cross-Site Scripting, and others are often magnified in an AJAX environment, and it will also explore new threats, such as JavaScript Hijacking. Last but not least, it provides Best Practices for AJAX application developers that are designed to help manage the security complexities inherent to AJAX development.
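As an added example that is not part of the talk or of the original page, the two AJAX issues named above (client-side validation standing in for server-side validation, and JavaScript Hijacking of JSON responses) handled on the server side in Node-style JavaScript; the request shape, the header convention and the function names are assumptions:

```javascript
// Added example (not from the talk or from Cenzic): two server-side defences
// for the AJAX issues named above. Request/response objects use a hypothetical
// minimal shape {method, headers, body}; header names are assumed lowercase,
// as Node's http module normalises them.

// 1. Validate on the server even when the client-side JavaScript already did:
//    the browser-side check is a usability feature, not a security control.
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;

function validateProfileUpdate(body) {
  if (typeof body !== 'object' || body === null) {
    return ['body must be a JSON object'];
  }
  const errors = [];
  if (typeof body.username !== 'string' || !USERNAME_RE.test(body.username)) {
    errors.push('username must be 3-32 characters from [A-Za-z0-9_]');
  }
  if (!Number.isInteger(body.age) || body.age < 0 || body.age > 150) {
    errors.push('age must be an integer between 0 and 150');
  }
  return errors;
}

// 2. Defend a JSON endpoint against JavaScript Hijacking, where a third-party
//    page loads the endpoint via <script src=...> with the victim's cookies:
//    (a) refuse GET, (b) require a header a <script> tag cannot set, and
//    (c) prefix the body so it is a syntax error if executed as script anyway.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function buildJsonResponse(req, data) {
  const headers = { 'Content-Type': 'application/json; charset=utf-8' };
  if (req.method !== 'POST') {
    return { status: 405, headers, body: JSON.stringify({ error: 'POST required' }) };
  }
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, headers, body: JSON.stringify({ error: 'missing AJAX header' }) };
  }
  return { status: 200, headers, body: ANTI_HIJACK_PREFIX + JSON.stringify(data) };
}

// Client-side counterpart: the legitimate XMLHttpRequest caller strips the
// prefix before parsing; a hijacking <script> tag never gets this far.
function parseGuardedJson(text) {
  if (!text.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('response is missing the anti-hijack prefix');
  }
  return JSON.parse(text.slice(ANTI_HIJACK_PREFIX.length));
}
```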

Building a Corporate Application Security Assessment Program
The talk will discuss Intuit's experiences in building a corporate application security assessment program. Areas of discussion will include tools, processes, and methodologies utilized to conduct effective security assessments of applications in a large global software development corporation.

Mastering Session Management
Almost everyone is aware of Cross-Site Scripting and SQL Injection vulnerabilities and their impact. Every web application implements session management to maintain context, but application developers pay little attention to it because sessions are usually managed by the application server. Attacks against sessions can result in serious compromises; this presentation will cover some of the most common session management techniques and the attacks that can be launched against sessions. It will also discuss some of the techniques developers can use to protect against session attacks.

From Rivals to BFF: WAF & VA Unite
For years there was a debate in the Web application and data security world about which approaches are best: black box, white box, SDLC, VA services/software, Web Application Firewalls (WAF), etc. While it is true that with a limited budget anything can become competitive (a new copy machine versus a new coffee machine), the core value propositions of WAF and VA are distinct and complementary. This presentation will illustrate how integrating these solutions can enable more secure Web application development and operations.

Lars Ewe
Lars Ewe is the CTO and VP of Engineering of Cenzic. Lars is a technology executive with a broad background in (web) application development and security, middleware infrastructure, software development, and application/system manageability technologies. Throughout his career Lars has held key positions in engineering and product management in a variety of different markets. Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts.

Rob Jerdonek
Rob Jerdonek is a Staff Information Security Analyst at Intuit, working to strengthen application security across all Intuit products and services. Prior to working at Intuit, Rob held positions at Arcot Systems, Netscape, Nortel, and the Center for Information Technology Integration. Rob has a B.S.E. and M.S.E. in Computer Science and Engineering from the University of Michigan, Ann Arbor. Rob is a CISSP and has earned 4 patents in the field of information security.

Siva Ram
Siva is the Lead Security Consultant with AppSec Consulting, an information security services company of which he is a founder. He has been in the security industry since 2001 and has 5 years of prior application development experience. He specializes in web application security, managing projects that involve performing penetration tests and vulnerability assessments, developing secure coding guidelines, and delivering security training, in addition to performing PCI-DSS assessments.

Brian Contos
Mr. Contos has over fourteen years of real-world security engineering and management expertise developed in some of the most sensitive and mission-critical environments in the world. As the chief security strategist for Imperva he advises government organizations, F1000s and G2000s on security strategy related to application and data security while being an evangelist for the security space. He has written two security books: Enemy at the Water Cooler: Real Life Stories of Insider Threats, and Physical and Logical Security Convergence, which was co-authored with the former Deputy Director of the NSA, Bill Crowell. He is an active security blogger, host of the Imperva Security Podcast, and has delivered countless speeches around the globe at shows like RSA, Interop, CSI, and others. He is regarded as a security expert, often quoted by the media, and has written articles for Forbes, the London Times, Computerworld, Sarbanes-Oxley Compliance Journal, SC Magazine and many others. Mr. Contos was formerly at ArcSight, where he served as their Chief Security Officer for almost seven years, and has held management and engineering positions at Riptech, Bell Labs, Tandem Computers, and the Defense Information Systems Agency (DISA).

RSVP
REGISTER EARLY AS SEATING IS LIMITED

http://owaspbajuly09.eventbrite.com

Bay Area Past Events

Bay Area OWASP Chapter Leaders

 * [mailto:brian@appsecconsulting.com Brian Bertacini]
 * Garrett Gee
 * [mailto:mandeep@cenzic.com Mandeep Khera]
 * [mailto:robipapp@yahoo.com Robi Papp]