Front Range Web Application Security Summit Planning Page

Who, What, Where, When, How Much?
The speakers below will be presenting at the Tivoli on June 10th. This is a FREE event - all expenses will be covered by our sponsors. Registration will be at www.froc.us as soon as the site has been built.

FROCo8 Proposed Schedule – June 10th 2008

 * PLEASE NOTE - The topics and most speakers have been confirmed, however speaker times/dates/topics may change so please check back from time-to-time.

The purpose of this page is to provide a workspace for Denver/Boulder OWASP members to collaborate and plan the upcoming Front Range Web Application Security Summit. It is official, and we have the meeting space reservation to prove it! Date: June 10, 2008 Location: Tivoli Baerresen Conference Rooms (located on the Auraria Campus in Downtown Denver) 900 Auraria Parkway Denver, CO 80204

Call For Papers
We are seeking presentations for both the Technical and Management tracks at the June 10th conference. A Call For Papers has been issued. The deadline for submissions is March 28th, and speakers who are selected will be notified the week of March 31st. Please download the Call for Papers here

Mission Statement
The purpose of the Front Range Web Application Security Summit is to provide a one-day workshop/conference during which individuals and organizations interested in Web Application Security can congregate to transfer knowledge, increase awareness of application layer security in the enterprise, and meet other like minded individuals.


 * Guiding Principles
 * No vendor soap boxes
 * Open, friendly environment
 * High quality content, professional delivery

Planner Contact Info
Project Manager: Dariush Rusta

Project Leads:

Overall planning and coordination: Kathy Thaxton kthaxton at businesspartnersolutions d0t c0m

Tech track lead: David Campbell (dcampbell at owasp dot org)

Management track lead: tbd

Project Planning Site (Basecamp login required)

Panel Discussion Topics
These are preliminary ideas; PLEASE FEEL FREE TO CONTRIBUTE by logging in to the wiki... It seems likely that only one or two will be able to get in-depth discussion; the remainder may be subject to a "Lightning round."


 * 1) Biggest problem incorporating security into the SDLC and how/if it was overcome
 * 2) Cost-justification strategies - how did you sell this?
 * 3) If there was one thing you'd do differently...
 * 4) The secret to motivating developers, testers, and QA'ers to adopt secure coding practices...
 * 5) Was a launch really postponed due to security concerns?  What's the rest of the story?
 * 6) What are the best resources or references for succeeding in this area?
 * 7) What do you look for when hiring someone or engaging a company to participate with your SDLC
 * 8) What's your favorite story about how your Security Ops or Management team REDUCED your overall security in the name of security?
 * 9) At what point should security be introduced into the SDLC?
 * 10) What are some of the ways the group has seen security tools used internally and externally?
 * 11) How much time is really needed for manual testing?
 * 12) How do I budget for security testing (manual or otherwise) on applications?

Ed Bellis, CISO, Orbitz Worldwide - Opening Keynote
Ed is responsible for the protection and security of all information and electronic assets as well as compliance and ethics across the wide array of business units that make up Orbitz Worldwide on a global basis. These assets include Orbitz, CheapTickets, eBookers, Away.com, HotelClub, RatesToGo, AsiaHotels, and Orbitz for Business.

With over 15 years of experience in information security and technology, Ed has worked with and been involved in protecting information assets at several Fortune 500 companies. Prior to joining Orbitz, Ed served as VP of Corporate Information Security for Bank of America within their Global Corporate and Investment Banking division. His credentials also include several security technology and management roles at organizations such as Ernst & Young, Ford Motor Company, and Young & Rubicam. Ed is a CISSP, CISM, a contributor to the ISM Community, and a member of ISC2, ISACA and the Chicago chapter of the ISSA.

Ed is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as The MIS Institute, The Association of Information Technology Professionals, Technology Executives Club, and the National Business Travel Association.

Jeremiah Grossman, Founder and CTO, WhiteHat Security - 	Business Logic Flaws – Seven Deadly Web Exploits
Jeremiah Grossman founded WhiteHat Security in August 2001.

An internationally recognized security expert, Mr. Grossman is a frequent speaker at security industry events including RSA, CSI NetSec, Black Hat, ISACA Network Security Conference, ISSA and Defcon. He is a popular security media resource, featured in USA Today, The Washington Post, InformationWeek and on NBC news, and was recently named a “friend of Google.” Mr. Grossman is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary that usually finds its way into their stories, but can also provide his perspective of what’s to come.

Grossman is also a founding member of the Web Application Security Consortium (WASC). Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!.

Summary: Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. During this presentation, Jeremiah Grossman will examine seven real-world scenarios that demonstrate how pernicious and dangerous business logic flaws are to the security of today’s websites.

Robert Rachwald - Director of Product Management, Fortify Software - The Evolution of Application Security in Online Banking
Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed U.S. product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob, then, managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.

Summary: With trillions of dollars in transactions, how do the world's leading financial institutions defend against massive cyber attacks while delivering new features and products to customers quickly? How are software security tools, such as dynamic and static analysis, deployed for optimal use? Using case studies, learn how online banking has set the standard for effective application security. We’ll provide an overview of the industry’s migration to online banking and analyze the many security challenges that banks overcame during online banking’s infancy, including SQL injection, cross-site scripting and privilege escalation.

We will then move toward broader security issues, including the steps needed to ensure a secure and robust infrastructure. In addition, we will examine the implementation of Web 2.0 technologies within an online banking environment and discuss the security issues these new technologies bring with them. The session will conclude with two critical take-aways: developing a compliance strategy to leverage the secure development lifecycle, and the steps IT professionals need to take when preparing online corporate infrastructure against future attacks and vulnerabilities.

Akshay Aggarwal - Microsoft ACE Team “Application Security Kung Fu: Threat Modeling your way to competitive advantage”
Akshay Aggarwal is a security strategist and researcher. He is currently a Practice Manager for Microsoft Information Security’s ACE Team where he leads the information security consulting practice for North America. He is responsible for securing Microsoft’s ecosystem by developing a robust security practice, incubating new service lines & helping enterprise customers develop world-class IT security strategies.

Previously as a Senior Security Technologist, Akshay was responsible for conducting architecture design, threat modeling, application security assessments and vulnerability research. He helped Fortune 100 clients evaluate the security of their software products and applications. He has authored several security research papers and been invited to speak at many forums like the RSA Security Conference and Black Hat briefings at Las Vegas.

Akshay holds a MS in Computer Science from the University of California at Davis. There, at the renowned Computer Security Lab, he conducted research on Internet worms and intrusion detection systems.

Summary: Microsoft’s approach to threat modeling line of business (LOB) applications is based on a simple principle: Building a secure application requires an understanding of the threats against that application. The challenge has been the difficulty in adopting threat modeling practice for software application development. Over the past two years, the Microsoft Application Consulting & Engineering (ACE) team has developed a process that allows non-security subject matter experts to produce feature-rich threat models. The process:


 * Provides a consistent methodology for objectively identifying and evaluating threats to applications.
 * Translates technical risk to business impact.
 * Empowers a business to manage risk.
 * Creates awareness among teams of security dependencies and assumptions.

Microsoft Application Threat Modeling is a critical security activity, enabling effective application risk management during the SDLC and beyond. Application Threat Modeling is enforced as part of the Security Development Lifecycle for IT (SDL-IT) at Microsoft IT. This talk will focus on the need for a robust and secure development lifecycle for applications and the value mature organizations can derive from threat modeling.

Robert Hansen, CEO and Founder of SecTheory - Web Browser (In)-Security - "Past, Present, and Future"
Robert Hansen (CISSP) is the CEO and Founder of SecTheory. He has worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles from Sr. Security Architect and eventually product managing many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory board for the Intrepidus Group, Just Thrive, previously sat on the technical advisory board of ClickForensics and currently contributes to the security strategy of several startup companies.

Mr. Hansen authors content on Dark Reading and co-authored "XSS Exploits" by Syngress publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also speaks at SourceBoston, Toorcon, APWG, ISSA, OWASP/WASC, Microsoft's Bluehat, Blackhat and Networld+Interop. Mr. Hansen is a member of Infragard, Austin Chamber of Commerce, West Austin Rotary, WASC, IACSP, APWG, he is the Industry Liaison for the Austin ISSA and contributed to the OWASP 2.0 guide.

Summary: Browser security is one of the least known but most important aspects to modern security. They are ubiquitous and highly insecure. They are close enough alike that many exploits will work cross browsers, and they are different enough that it makes it difficult for websites to protect themselves. This speech will cover the history of browser security, where it today and where it needs to go in the future.

Mike Zusman, Sr Consultant, Intrepidus Group - Abusing SSL VPNs & Open Reverse Proxies
Mike Zusman is a Senior Consultant for the Intrepidus Group. Prior to joining Intrepidus Group, Mr. Zusman has held the positions of Escalation Engineer at Whale Communications (a Microsoft subsidiary), Security Program Manager at Automatic Data Processing, and lead architect & developer at a number of smaller firms.

In addition to his corporate experience, Mr. Zusman is an independent security researcher, and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors and other clients.

Mike has also founded a number of successful entrepreneurial ventures including Global Uplink Solutions Incorporated (hosting division acquired by Flare Technologies in 2005) and Dish Uplink LLC, a leader in satellite TV subscription activations in the US.

Mike holds the CISSP certification.

Summary: Internet-facing SSL VPNs and Open Reverse Proxies can be abused to perform reconnaissance, data extraction, or general mischief INSIDE the Corporate Intranet and on SSL VPN clients. This presentation will discuss programming and infrastructure flaws permitting this abuse as well as countermeasures.

=== Melissa Tondi Senior Manager, Software Quality Engineering and SQuAD Board Member ===

Melissa has over 12 years experience in Quality Assurance and Testing with over six years experience in consultant management. She has implemented many efficient QA and test processes in dozens of companies including the "AppSec Hit List" that is an SLA within the SQE organization. Recently, she has coined the tenet, "75/25," a standard now common within the 30-person onshore and offshore eCollege, a Pearson Company, SQE team. She focuses on creating and implementing efficiencies that both adhere to industry-standard practices, and align with the individual company's culture.

Back to OWASP Denver

Back to OWASP Boulder