Bay Area

Local News

Date and Location
OWASP Bay Area Meeting, Thursday, July 23rd, 1:00 - 8:00 PM, Stanford University

OWASP Bay Area will host its Application Security Summit meeting at Stanford University on Thursday, July 23rd. As usual, attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.

Please note: because of the security measures at the venue, pre-registration is REQUIRED so that you can be issued a badge before entering the meeting.

http://owaspbajuly2009.eventbrite.com/

Agenda
 * 1:00 PM - 1:30 PM ... Check-in, registration, networking
 * 1:30 PM - 1:45 PM ... Welcome Remarks and Overview of OWASP Bay Area - Mandeep Khera (Cenzic), Bay Area Chapter Leader
 * 1:45 PM - 2:30 PM ... Mastering Session Management - Siva Ram (AppSec Consulting)
 * 2:30 PM - 3:30 PM ... Building a Corporate Application Security Assessment Program - Rob Jerdonek, Staff Information Security Analyst, Intuit
 * 3:30 PM - 4:00 PM ... Networking Break, refreshments
 * 4:00 PM - 5:00 PM ... Development Issues Within AJAX Applications: How to Divert Threats - Lars Ewe, CTO, Cenzic
 * 5:00 PM - 6:00 PM ... Best Practices of Combining Scanners and WAFs to Minimize Risk - Brian Contos, Chief Security Strategist, Imperva
 * 6:00 PM - 6:30 PM ... Web Hacking, Tricks of the Trade - Anurag Agarwal
 * 6:30 PM - 8:00 PM ... Networking Reception - Food and Drinks!!

Building a Corporate Application Security Assessment Program
The talk will discuss Intuit's experiences in building a corporate application security assessment program. Areas of discussion will include tools, processes, and methodologies utilized to conduct effective security assessments of applications in a large global software development corporation.

Development Issues Within AJAX Applications: How to Divert Threats
AJAX has rapidly emerged as a prominent enabling technology in the movement to improve the Web as a software platform for business and consumer applications. Using AJAX development techniques provides software developers with a wide-open platform for creating innovative new Web (2.0) applications. The result is a more readily responsive Web environment which minimizes the “start-stop-start-stop” nature of Web pages, thus increasing the speed and user-interactivity of Web-enabled services.

However, the open, malleable nature of Web 2.0 also has an often overlooked impact on application security that is not immediately visible to application developers, making these applications a relatively easy target for attacks that compromise the application and, with it, overall network security. Security issues arise from several sources, each of which increases the attack surface of AJAX applications: client-side security controls often replace server-side data validation, creating a false sense of security, and reliance on "hidden" application functionality and URLs does the same; new XML and JavaScript data formats such as JSON enable new attack vectors like JavaScript Hijacking; and the open, easy-to-use nature of so-called Mashups often comes at the price of security compromises.

Such threats can, however, be thwarted with the proper implementation of security testing. This session will address the development issues of AJAX applications from a security perspective, looking at how today's common web threats such as SQL injection, Cross-Site Scripting and others are often magnified in an AJAX environment, and it will also explore new threats such as JavaScript Hijacking. Last but not least, it provides best practices for AJAX application developers that are designed to help manage the security complexities inherent to AJAX development.

Siva Ram
Jeremy graduated from Iowa State University in 2006 with a Bachelor's degree in Computer Engineering with an emphasis in Information Assurance. He is currently pursuing a Master's degree in Computer Science at Stanford, specializing in Computer and Network Security. His research interests include web-based malware and exploits, Intrusion Detection Systems, and Forensics.

Rob Jerdonek
Rob Jerdonek is a Staff Information Security Analyst at Intuit, working to strengthen application security across all Intuit products and services. Prior to Intuit, Rob held positions at Arcot Systems, Netscape, Nortel, and the Center for Information Technology Integration. Rob has a B.S.E. and an M.S.E. in Computer Science and Engineering from the University of Michigan, Ann Arbor. Rob is a CISSP and holds four patents in the field of information security.

Lars Ewe
Lars Ewe is the CTO and VP of Engineering of Cenzic. Lars is a technology executive with a broad background in web application development and security, middleware infrastructure, and application/system manageability technologies. Throughout his career Lars has held key positions in engineering and product management in a variety of markets. Prior to Cenzic, Lars was a software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts.

RSVP
REGISTER EARLY AS SEATING IS LIMITED

http://owaspbajuly2009.eventbrite.com/

Bay Area Past Events

Bay Area OWASP Chapter Leaders

 * Brian Bertacini (brian@appsecconsulting.com)
 * Garrett Gee
 * Mandeep Khera (mandeep@cenzic.com)
 * Robi Papp (robipapp@yahoo.com)