OWASP AppSec DC 2010

Walter E. Washington Convention Center | Registration Now OPEN!

Register Here
Registration is now OPEN. You can register via OWASP's CVENT tool here.

Registration Fees
ATTENTION FEDERAL EMPLOYEES: Enter code ASDC10FED for $100 off, limited time only! (You must register with your .gov or .mil email address.) For the student discount, attendees must present proof of enrollment when picking up their badge.

Who Should Attend AppSec DC 2010

 * Application Developers
 * Application Testers and Quality Assurance
 * Application Project Management and Staff
 * Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
 * Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
 * Security Managers and Staff
 * Executives, Managers, and Staff Responsible for IT Security Governance
 * IT Professionals Interested in Improving IT Security
 * Anyone interested in learning about or promoting Web Application Security

AppSec DC 2010 CVENT Info Page

Volunteers Needed!
Get involved!

We will take all the help we can get to pull off the best Web Application Security Conference of the year!

More opportunities and areas will be added as time goes on. Our Volunteer Guide, which outlines some of the responsibilities and available positions, can be downloaded.

To volunteer, please email [mailto:volunteers@appsecdc.org volunteers@appsecdc.org], or you can e-mail the Volunteer Coordinators [mailto:josh.feinblum@owasp.org Josh Feinblum] and [mailto:jrose@owasp.org Jon Rose].

CFP
'''AppSec DC's CFP is CLOSED. Initial notifications are going out to select speakers at this time.'''

Building on the success of AppSec DC 2009, OWASP is pleased to announce the OWASP AppSecDC 2010 conference held at the Walter E. Washington Convention Center on November 8th through 11th 2010. Plenary sessions will be on November 10th and 11th preceded by Web Application Security Training on November 8th and 9th.

You can submit talks at the EasyChair Conference Page. The new submission deadline is August 31st 2010. Inquiries can be made to cfp@appsecdc.org.

We are seeking presentations on the following topics:
 * OWASP Tools and Projects
 * Cloud Application Security
 * Government Approaches to Application Security
 * Application Security Case Studies
 * Application Security and Business Risks
 * Metrics for Application Security
 * Web Services Security
 * Source Code Review
 * Web Application Security Testing
 * Secure Coding Practices
 * Privacy Concerns
 * Vulnerabilities/Exploits in the Web App World
 * Defense & Countermeasures in the Web App World
 * Other web application security topics

Additional information can be found in the FAQ. You will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.

Program Committee

 * [mailto:mark.bristow@owasp.org Mark Bristow] (Chair)
 * [mailto:jeff.williams@owasp.org Jeff Williams]
 * [mailto:doug.wilson@owasp.org Doug Wilson]
 * [mailto:wade.woolwine@owasp.org Wade Woolwine]
 * [mailto:jeremy.long@owasp.org Jeremy Long]
 * [mailto:tom.hallewell@owasp.org Tom Hallewell]
 * [mailto:grecs@owasp.org Grecs]
 * [mailto:josh.feinblum@owasp.org Josh Feinblum]
 * [mailto:ben.null@owasp.org Ben Null]
 * Matt Fisher
 * [mailto:dave.sachdev@owasp.org Dave Sachdev]
 * [mailto:shawn.duffy@owasp.org Shawn Duffy]
 * [mailto:jrose@owasp.org Jon Rose]
 * [mailto:Rex.Booth@owasp.org Rex Booth]

Training
OWASP strives to provide world class training for a variety of skill levels and interests at its conferences. From the novice to the expert, developers to managers, there is a training course at AppSec DC for you! Classes will begin at 9 AM each day and run until 5 PM (Daily schedule set by the trainer). Morning refreshments and lunch will be provided. Check each course for the required materials.

Registration Now OPEN!

Price per attendee (conference registration is a separate item):
 * 2-Day Class $1495
 * 1-Day Class $745

2 Day Training
Coming Soon

WebAppSec.php: Developing Secure Web Applications
Web applications are the new frontier of widespread security breaches. This tutorial will guide you through development practices that ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types and risks will be reviewed (including OWASP's Top 10), along with how proper development practices can mitigate their damage. Although the examples covered are PHP-based, much of the content is also applicable to other languages.

Instructor: Robert Zakon
Robert Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non-profits and government agencies on technology, information, and security architecture and infrastructure. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS & MS degrees from Case Western Reserve University in Computer Engineering & Science with concentrations in Philosophy & Psychology. His interests are diverse and can be explored at www.Zakon.org where his vitae is available.

The Art of Exploiting SQL Injections
This is a full-day, hands-on training course aimed at penetration testers, security auditors/administrators and even web developers who want to learn advanced exploitation techniques. SQL Injection, although now nearly 15 years old, still exists in over 30% of web applications. This vulnerability typically results in one of three scenarios:

 * Authentication bypass
 * Extraction of arbitrary sensitive data from the database
 * Access to and compromise of the internal network

To identify the true impact of this vulnerability it is essential that it be exploited to its full extent. While there is reasonably good awareness when it comes to identifying this problem, there are still a lot of grey areas when it comes to exploitation, or even to identifying complex vulnerabilities such as second-order injections. This training will target three databases (MS-SQL, MySQL, Oracle) and discuss a variety of exploitation techniques for each scenario. The course aims to address the following:

 * Identifying the most complicated SQL injections, which are beyond the scope of any automated tool
 * Identifying and extracting sensitive data from the back-end database
 * Privilege escalation within the database and extracting data with database administrator privileges
 * OS code execution on the database server and using it as a pivot to attack the internal network

Instructor: Sumit Siddharth
Sumit "sid" Siddharth works as a Principal Security Consultant (Penetration Tester) for 7Safe Limited in the UK. He specializes in application and database security and has more than 5 years of pentesting experience. Sid has authored a number of whitepapers and tools. He has been a speaker at many security conferences including Blackhat, Defcon, Troopers, OWASP AppSec, Sec-T, etc. He also runs the popular IT security blog www.notsosecure.com.

Contests
TBD

Walter E. Washington Convention Center
AppSec DC 2010 will be taking place at the Walter E. Washington Convention Center in downtown Washington DC.

The convention center is located over the Mount Vernon Square/Convention Center Metro stop on the Green and Yellow lines of the DC Metro, and only a few blocks from our convention hotel, the Grand Hyatt Washington (reserve rooms here).

http://www.owasp.org/images/8/85/Screen_shot_2009-10-03_at_12.55.55_PM.png

Hotel
The Grand Hyatt is our hotel sponsor again for this year. Hotel rooms can be booked at a discounted rate prior to October 15th using this link: https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908

Sponsors
We are currently soliciting sponsors for the AppSec DC Conference. Please refer to our sponsorship opportunities for details.

Slots are going fast so contact us to sponsor today!

Traveling to the DC Metro Area
The Washington DC area is served by three airports -- Reagan National (DCA), Dulles (IAD), and Thurgood Marshall Baltimore/Washington International (BWI). All currently offer transportation to downtown DC via public transit, shuttles, or cab.

Washington DC is also served by Amtrak, VRE, and MARC train lines, which arrive at Union Station, a few Metro stops or a short cab ride away from the convention center and the Grand Hyatt.

If you live in the DC Metropolitan area, we suggest taking Metro to the event. The convention center is located over the Mount Vernon Square/Convention Center Metro stop on the Green and Yellow lines of the DC Metro.

Organizers
Mail List: [mailto:organizers@appsecdc.org organizers@appsecdc.org]

 * [mailto:mark.bristow@owasp.org Mark Bristow]
 * [mailto:doug.wilson@owasp.org Doug Wilson]
 * [mailto:wade.woolwine@owasp.org Wade Woolwine]

Arch-Minions
Mail List: [mailto:leads@appsecdc.org leads@appsecdc.org]

 * Facilities ([mailto:facilities@appsecdc.org facilities@appsecdc.org])
   * [mailto:jeremy.long@owasp.org Jeremy Long]
   * [mailto:doug.wilson@owasp.org Doug Wilson]
   * [mailto:mark.bristow@owasp.org Mark Bristow]
 * Content ([mailto:content@appsecdc.org content@appsecdc.org])
   * [mailto:jeremy.long@owasp.org Jeremy Long]
   * [mailto:mark.bristow@owasp.org Mark Bristow]
   * [mailto:shawn.duffy@owasp.org Shawn Duffy]
   * [mailto:Rex.Booth@owasp.org Rex Booth]
 * Security ([mailto:security@appsecdc.org security@appsecdc.org])
   * TBD
 * Press ([mailto:press@appsecdc.org press@appsecdc.org])
   * [mailto:mike.smith@owasp.org Mike Smith]
   * [mailto:mark.bristow@owasp.org Mark Bristow]
   * [mailto:doug.wilson@owasp.org Doug Wilson]
   * [mailto:wade.woolwine@owasp.org Wade Woolwine]
 * Registration/Info Desk ([mailto:info@appsecdc.org info@appsecdc.org])
   * [mailto:Kate.Hartmann@owasp.org Kate Hartmann]
   * [mailto:mark.bristow@owasp.org Mark Bristow]
   * [mailto:wade.woolwine@owasp.org Wade Woolwine]
 * Volunteer Coordinators ([mailto:volunteers@appsecdc.org volunteers@appsecdc.org])
   * [mailto:josh.feinblum@owasp.org Josh Feinblum]
   * [mailto:jrose@owasp.org Jon Rose]
   * [mailto:wade.woolwine@owasp.org Wade Woolwine]
 * Competitions/Contests/Events ([mailto:contests@appsecdc.org contests@appsecdc.org])
   * [mailto:jrose@owasp.org Jon Rose] (Chair)
   * [mailto:ken.johnson@owasp.org Ken Johnson]
   * [mailto:ben.null@owasp.org Ben Null]
   * [mailto:wade.woolwine@owasp.org Wade Woolwine]
 * Marketing/Community Outreach ([mailto:outreach@appsecdc.org outreach@appsecdc.org])
   * [mailto:dave.sachdev@owasp.org Dave Sachdev]
   * [mailto:lahla@owasp.org Lee Anne Hart]
   * [mailto:doug.wilson@owasp.org Doug Wilson]
   * [mailto:mark.bristow@owasp.org Mark Bristow]
 * Sponsorships ([mailto:sponsors@appsecdc.org sponsors@appsecdc.org])
   * [mailto:josh.feinblum@owasp.org Josh Feinblum]
   * [mailto:tom.hallewell@owasp.org Tom Hallewell]
   * [mailto:grecs@owasp.org Grecs]
   * [mailto:Rex.Booth@owasp.org Rex Booth]
   * [mailto:mark.bristow@owasp.org Mark Bristow]
   * [mailto:doug.wilson@owasp.org Doug Wilson]
   * [mailto:wade.woolwine@owasp.org Wade Woolwine]