Difference between revisions of "AppSecAsiaPac2013"

From OWASP
Jump to: navigation, search
m
Line 299: Line 299:
 
|-
 
|-
 
| align="center" | [[Image:Robertelee.jpg|100px]]
 
| align="center" | [[Image:Robertelee.jpg|100px]]
| align="justify" | '''Robert Lee''' - Intuit CyberFraud Management (ICFM)
+
| align="justify" | <font size=3pt>'''Robert Lee''' <br> Intuit CyberFraud Management (ICFM)</font>
 
|}
 
|}
  
==Speakers==
 
  
  
To Be Announced.
+
==Track Session Speakers==
  
<!--
+
===Aditya Gupta===
== Speaker Name ==
+
Aditya Gupta is a renowned mobile security expert and information security researcher. Also being the lead developer and co-creator of Android Framework for Exploitation, he has done a lot of in-depth research on the security of mobile devices including Android, iOS and Blackberry.
  
{| style="background-color: transparent"
+
He has also discovered serious security flaws in websites such as Google, Apple, Microsoft, Adobe, Skype and many more. In his work with XYSEC, he is commited to perform VAPT and Mobile Application Security Analysis. He has also been working with government clients and intelligence agencies in India, as well as providing them trainings and services on Malware Analysis, Exploit Development and Advanced Web App Hacking.
|-
+
 
! width="200" align="center" | <br>
+
 
! width="1000" align="center" | <br>
+
===Arshad Noor===
|-
+
Arshad Noor is the CTO of StrongAuth, Inc., a Silicon Valley based company focused on encryption and key-management since 2001.  He is the creator of the industry's first open-source Symmetric Key Management System, the creator of the StrongKey CryptoEngine, an open-source library for securing data in the Cloud and the author of the Regulatory Compliant Cloud Computing (RC3) web-application architecture (presented at OWASP AppSec 2012).
| align="center" | [[Image:___________|100px]]
+
 
| align="justify" | Insert talk title, abstract, and bio
+
 
|}
+
===Breno Silva===
<br>
+
Breno is a computer scientist with over 9 years experience in Information Security, experienced with a wide range of software development techniques and languages, security systems and network technologies. Breno brings a research history publishing articles in academic conferences like IEEE WIFS, IEEE ICMLC, IEEE INDIN, World Academy of Science, as well industry related conferences like OWASP AppSec Latam, OWASP AppSec Research and Ph-Neutral, involving areas as algorithm design for network anomaly detection mechanisms in high-speed networks, application security and malicious code detection. He was a member of Suricata IPS developer team (next-generation IPS funded by US-Homeland Security). Breno is currently a Security Researcher at Trustwave SpiderLabs Research team and maintainer of Apache ModSecurity.
 +
 
 +
 
 +
===Dennis Groves===
 +
Dennis Groves is the founder of OWASP. He is a well known thought leader in application security who's work focuses on multidisciplinary approaches to information security risk management. He holds an MSc in Information Security from Royal Holloway, University of London. He is currently an expert for the UK mirror of ISO subcommittee 27, WG4.
 +
 
 +
 
 +
===Justin Searle===
 +
Justin is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and currently plays key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), National Electric Sector Cybersecurity Organization Resources (NESCOR), and Smart Grid Interoperability Panel (SGIP). Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences, and is currently an instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top security conferences such as Black Hat, DEFCON, OWASP, and AusCERT. Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudanum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).
 +
 
 +
 
 +
===Moshe Lerner===
 +
Moshe Lerner is VP of Product Strategy and Corporate Development at Checkmarx, a leading provider of a secure testing solutions using innovative source code analysis platforms.
 +
 
 +
Moshe has over 20 years of global experience in the software industry where he served in different executive and professional roles at leading companies. Prior to Checkmarx, Moshe held the position of VP of Product Management and Business Development at ItemField (acquired by Informatica) and before that, as  VP of Product and Delivery at Sapiens (Nasdaq: SPNS).
 +
 
 +
Moshe holds B.S.C in Information systems from Israel’s Institute of Technology (Tecnion)
 +
 
 +
 
 +
===Shay Chen===
 +
Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.
 +
 
 +
As the co-author of the platforms ""Diviner"" and ""WAVSEP"", he was involved in the publication of several large-scale researches in the field of automated security scanners (including the latest 2012 comparison of 61 web application scanners).
 +
 
 +
After a decade of exposure to tons of common vulnerabilities, the law of familiarity caused his researches to revolve around abnormal hacking methodologies and new application-level attack vectors, usually the type that bypasses the known spectrum of security mechanisms.
 +
 +
He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, open source projects, testing methodologies and various security tools comparison initiatives.
 +
 +
Shay is an experienced speaker, and has been instructing a wide variety of information security courses for the past 7 years, including appearances in international conferences such as Hacktivity, ZeroNights, and AppSecUSA, as well as multiple appearances in various OWASP conferences.
 +
 
 +
He has over twelve years in information technology and security, including a strong background in software development.
 +
 
 +
 
 +
===Subho Halder===
 +
Subho Halder is a Programmer, Security Researcher and Penetration Tester. He loves writing exploits and programming in PHP, Java, Perl and Python. He is well equipped and has a deep understanding of Android and Blackberry frameworks.
 +
 
 +
 
 +
===Tobias Gondrom===
 +
Tobias Gondrom is Managing Director of an Information Security & Risk Management Advisory based in the United Kingdom, Germany and Hong Kong. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and before as the lead of the Security Task Force at a global Independent Software Vendor, he was responsible for information security, risk and incident management globally.
 +
 
 +
Since 2003 he is the chair of working groups of the IETF (www.ietf.org) in the security area, member of the IETF security directorate, and since 2010 chair of the web security WG at the IETF, and currently invited expert member at the W3C WebAppSec working group, board member of OWASP London and chair of the OWASP global industry committee. Tobias is a frequent CISO trainer, the author of international standards RFC 4998, RFC 6283 and co-author and contributor to a number of internet standards and papers on web and application security and electronic signatures, as well as the co-author of the OWASP CISO guide and the book „Secure Electronic Archiving“, and frequent presenter at conferences and publication of articles (e.g. AppSec, CISO Forum, IETF, ISSE, Moderner Staat, iX). He is also certified as CISSP, CSSLP and CCISO.
 +
 
 +
Tobias has post-graduate degrees in Theoretical Physics from the Technical University of Munich and the senior management M.Sc. from London Business School (Sloan Masters in Leadership and Strategy) with his thesis focusing on leading and managing global change programs.
 +
 
 +
 
 +
===Tony UcedaVelez "Tony UV"===
 +
An experienced security management professional, Tony has more than 14 years of hands-on information security and technology expertise across technical and operational areas. He has worked and consulted for numerous firms within the Fortune 500, as well as U.S federal agencies on the subjects of security risk management, application security, human hacking, and security architecture.  He is the founder of VerSprite and consults across several different industries on a myriad of security topics using a hybrid style that encompasses both technical and process based security insights.
 +
 
 +
His diverse IT background in software development, security architecture, and network security, coupled with his expertise in process engineering and security risk management has allowed Tony to be a recognized leader in developing strategic security solutions that are multi-faceted in their approach to addressing enterprise risk.  From both the commercial and government sectors, Tony has applied his expertise across multiple control frameworks (ITIL, NIST, ISO, CoBIT, COSO, etc) in order to help mature security programs built around both automated and manual control sets.
 +
 
 +
In the realm of application security, Tony is a threat modeling evangelist and has provided numerous talks domestically and globally on its many benefits and application.  He has served as a guest mentor to teams participating in Kennesaw State University’s annual Cybercrime capture the flag event as well as a Cybercrime speaker for Southern Polytechnic University in Atlanta (2009).  He has also served as a guest speaker on the subject of application threat modeling during ISACA’s annual Geek Week event and has also served as a keynote speaker on the subject for ISACA’s Global Symposium web cast series.  Additional articles include articles related to CoBIT and the ValIT model (ISACA’s Journal), application threat modeling within the SDLC (InSecureMagazine), and security process engineering for a ROSI (return on security investment) (Journal of Finance). 
 +
 
 +
Tony is also well regarded in the field of FISMA compliance, having worked with various federal entities and their respective certification & accreditation groups in order to manage compliance requirements against both NIST and FIPS requirements for ensuring data and system level security. NIST has invited Tony to speak twice at their annual SCAP conference in Baltimore on the subject of sustaining compliance across large federal information enterprises.
 +
 
 +
Prior to VerSprite, Tony served as Sr. Director of Security Risk Management to a Fortune 50 organization where he led security assessments against global application environments.  His work encompassed web application security testing, security architecture reviews, and analysis for business logic exploits.  He applied effective ways to introduce the subject of application risk to information owners by effectively mapping them to operational business components.  Previous to this role, he spent more than 5 years in the field of application security across other Fortune 500 organizations within the banking, telecom, and information service industry segments.
 +
 
 +
Tony currently leads the OWASP Atlanta Chapter, where he manages monthly workshops and events for the Atlanta web application security community.  He is also serves on the OWASP Global Membership Board and regularly provides talks to other chapters nationwide, primarily on the topic of application threat modeling. Aside from the OWASP organization, Tony has helped to organize BSides Atlanta – an underground grassroots effort aimed at providing 100%, unsolicited security content to Atlanta Information Security professionals.
  
  
-->
 
  
 +
= Talk Abstracts =
 +
===The Droid Exploitation Saga===
 +
'''Aditya Gupta & Subho Halder'''
 +
In this talk, we will be discussing various security holes in the Android Framework, and most of all how it could be exploited using our framework. Android Framework for Exploitation or AFE is a full toolset for a penetration tester to check for android security (app/platform) vulnerabilities as well as exploit it.
  
  

Revision as of 23:54, 2 January 2013




Owasp banner 7b.jpg


Conference Registration is now open! Click Here to Register.


[edit]

We are pleased to announce that the OWASP South Korea chapter will host the OWASP AppSec APAC 2013 conference in Jeju, South Korea at the Hyatt Regency Jeju. The event will be composed of 2 days of training (February 19-20), followed by 2 days of conference talks (February 21-22).


The Global AppSec APAC 2013 Conference will be a reunion of Information Security Asia-Pacific leaders, and will present cutting-edge ideas. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 200-250 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.


Who Should Attend Global AppSec APAC 2013:

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interested in Improving IT Security


If you have any questions, please email the conference committee: AppSecAPAC2013@owasp.org




                                                                                                                              Owasp social icon.jpg

Use the #AppSecAsia hashtag for your tweets for AppSec APAC 2013 (What are hashtags?)

@AppSecAsia Twitter Feed (follow us on Twitter!)


Overview of the training classes: Scroll down for details on each course and trainer bios.


Course Name
Trainer
Course Length
Course Date(s)
Language
Price
Advanced Android and iOS Hands-on Exploitation Course Aditya Gupta and Subho Halder (XYSec) 2 Days Tuesday and Wednesday, Feb 19-20 English $800 USD
HACKED - The OWASP Top 10 - Incident Response Chris Pogue (Trustwave Spiderlabs) 2 Days Tuesday and Wednesday, Feb 19-20 English $800 USD
CISO training: Managing Web & Application Security for senior manager Tobias Gondrom (Thames Stanley) 1 Day Wednesday, Feb 20 English $400 USD
HTML 5 Kim TI (Core Security) 1 Day Wednesday, Feb 20 Korean $400 USD
Developer Workshop: Approaching Secure Code – Where do I start? Jim Manico 1/2 Day (4 hours) Wednesday, Feb 20 English FREE


Two Day Training Courses

Two day training courses will take place on Tuesday & Wednesday, February 19-20, 2013. Training will run from 9am to 5pm each day with a 1 hour break for lunch.


Advanced Android and iOS Hands-on Exploitation Course

Trainers: Aditya Gupta and Subho Halder (XYSec)
Audience: Management, Technical, DevOps, Developers
Level: Basic, Intermediate
Language: Training will be conducted in English


Course Summary:
This fast-paced workshop will get you familiar with the various Android as well as iOS exploitation techniques, and bypassing most of the existing security models in both of the platforms. We will also discuss about a framework, which we have made for Android Exploitation, named as the Android Framework for Exploitation, which will help security researchers to perform automated and in-depth analysis of bug hunting and security assessment of Android Application and platforms.

For iOS, we will be looking into the application security assessment, creating a pentest environment, present sandboxing model, and much more. We will also be looking into Android rooting and iOS jailbreaking exploits, and recreate the scenario from the scratch.

Course Outline PDF


Aditya Gupta is a renowned mobile security expert and information security researcher. Also being the lead developer and co-creator of Android Framework for Exploitation, he has done a lot of in-depth research on the security of mobile devices including Android, iOS and Blackberry.

He has also discovered serious security flaws in websites such as Google, Apple, Microsoft, Adobe, Skype and many more. In his work with XYSEC, he is committed to perform VAPT and Mobile Application Security Analysis. He has also been working with government clients and intelligence agencies in India, as well as providing them trainings and services on Malware Analysis, Exploit Development and Advanced Web App Hacking.

He has also previously spoken at a bunch of conferences including BlackHat, Toorcon, ClubHack, Nullcon, THC, Defcon India Chapter and many more.


Subho Halder is a Programmer, Security Researcher and Penetration Tester. He loves writing exploits and programming in PHP, Java, Perl and Python. He is well equipped and has a deep understanding of Android and Blackberry frameworks.


HACKED - The OWASP Top 10 - Incident Response

Trainer: Chris Pogue (Trustwave Spiderlabs)
Audience: Management, Technical, Operations, DevOps, Law Enforcement
Level: Intermediate, Advanced
Language: Training will be conducted in English


Course Summary:
After completing this course, you will possess the skills to successfully conduct a basic network intrusion investigation that adheres to a formal methodology to ensure the admissibility of evidence in a court of law and ultimately increases the chances of apprehending the intruder. You will engage in hands-­‐on labs and instructor demos of network intrusion concepts in a “real-­‐world” environment. The real-­‐world environment is made possible through the use of Virtual Machines (VMs). Each VM is pre-­‐configured to mimic the different Operating Systems(OSs), network environments and intrusion issues that you may encounter.


Note: Students must furnish their own laptop running a version of Microsoft Windows. VMware Workstation or Server will also be required in order to participate in the hands-­‐on labs. Laptop should have at least 20GB of free space.


Chris Pogue is a Senior Security Analyst for the Spiderlabs Incident Response and Digital Forensics team at Trustwave. He has over ten years of administrative and security experience including three years on the IBM ISS X-Force Emergency Response Services Team, five years with IBM’s Ethical Hacking Team, and 13 years of Active Military service in the US Army Signal Corps.

Chris also has worked with local, state, and federal law enforcement agencies such as the New York Police Department, the Royal Canadian Mounted Police, the Federal Bureau of Investigation, and The United States Secret Service to help pursue the digital evidence left behind by criminals of all types. His efforts have lead to arrests and convictions in Oklahoma, New York, Florida, Albania, and Germany.

Chris holds a Bachelor's Degree in Business Management, a Master’s degree in Information Security, is a Certified Information Systems Security Professional, (CISSP), a Certified Ethical Hacker (CEH), a Certified Reverse Engineering Analyst (CREA), a GIAC Certified Forensics Analyst (GCFA), and a VISA PCI DSS Qualified Security Assessor (QSA).


One Day Training Courses

One Day Training Courses will take place on Wednesday, February 20, 2013. Training will run from 9am to 5pm with a 1 hour break for lunch.


CISO training: Managing Web & Application Security for senior managers

Trainer: Tobias Gondrom (Thames Stanley)
Audience: Management
Level: Basic, Intermediate, Advanced
Language: Training will be conducted in English


Course Summary:
Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. How to use and leverage OWASP and other common best practices to improve your security programs and organization. The workshop will also discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organization as well as advising to improve a number of global secure development organisations and processes.

Topics:

  • Managing Web & Application Security in large global organisations
  • OWASP Top-10 and OWASP projects - how to use within your organisation
  • Risk management and threat modeling methods (OWASP risk analysis, ISO-27005,...)
  • Benchmarking & Maturity Models
  • Organisational Design and managing change for global information security programs
  • Secure SDLC
  • Training: OWASP Secure Coding Practices - Quick Reference Guide, Development Guide, Training tools for developers
  • Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide
  • Development & Operation: Frameworks and Tools, e.g. AppSensor


All discussion and issues raised by participants at the workshop will be under the confidentiality under the Chatham House Rule (http://en.wikipedia.org/wiki/Chatham_House_Rule).


Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and from 2000-2004 as the lead of the Security Task Force at IXOS Software AG, he was responsible for security, risk and incident management and introduced and implemented a secure SDLC used globally by development departments in the US, Canada, UK and Germany.

Since 2003 he is the chair of working groups of the IETF (www.ietf.org) in the security area, member of the IETF security directorate, and since 2010 chair of the formed web security WG at the IETF, and a former chapter lead of the German OWASP chapter from 2007 to 2008, and currently board member of OWASP London and member of the OWASP Global Industry Committee. Tobias is the author of the international standards RFC 4998 and RFC 6283 (Evidence Record Syntax) and co-author and contributor to a number of internet standards and papers on security and electronic signatures, as well as the co-author of the book „Secure Electronic Archiving“ (ISBN 3-87081-427-6) and the OWASP CISO guide and frequent presenter at conferences and publication of articles (e.g. AppSec, IETF, ISSE, Moderner Staat, VOI-booklet “Electronic Signature“, iX).


HTML 5

강사명: Kim TI (Core Security) 김태일 (코어시큐리티)
교육 참가자: 기술, 개발 및 운영, 개발자
참가자의 기술 요구 수준: 중간 단계
가능한 언어: 한국어


교육 요약:
HTML5 에서 새롭게 추가된 기능들을 이용하여 웹 어플리케이션에서 발생할 수 있는 보안 위협/ 대응 및 완화 방법.

  • XHR Level2 를 이용한 CSRF & CORS 우회
  • HTML5 에 새롭게 추가된 테그 및 속성을 이용한 XSS
  • 자바스크립트를 이용한 Web Storage 정보 추출
  • 자바스크립트를 이용한 WebSQL 정보 추출


교육 경험:

실무 / 강의 경력 13년

정보보안 기술교육을 중심으로 공공기관, 기업, 대학 강의

CEH /CHFI 해킹 및 컴퓨터포렌식 국제공인강사

IPv6 프로토콜 변환기 개발 참여 (2001년, I2Soft)

주민번호대체수단 I-PIN 모의해킹 수행 (2007년 한국정보보호진흥원)


現 ㈜코어시큐리티 대표이사 (CEO)

現 경찰수사연수원 외래교수

前 ㈜FSK시큐리티 지식사업부 부장

前 SH Information System 기술연구소 지식사업팀

前 보안 프리랜서 강사


[보유자격증]

CEH / CHFI /ECSA /LPT / CEI


Half Day Developer Workshop

This 4 hour developer workshop will take place on Wednesday, February 20, from 1pm-5pm. The Workshop is complementary for Conference Attendees.


Approaching Secure Code – Where do I start?

Trainer: Jim Manico
Audience: Developers (dev managers welcome, assign people from your team to attend). Bring yourself, no materials required.
Level: Basic
Language: Training will be conducted in English


Course Summary:
Regardless of your chosen/mandated framework for building web applications: Spring, Struts, Rails, PHP, Python, etc., you want to make your life easier, and potentially less embarrassing. Don’t be the one who left the door open for hackers. Learn handy tips from one of the world’s leading AppSec experts.


Jim Manico is an OWASP volunteer who leads the OWASP Cheat Sheet Series and produces the OWASP Podcast Series. Jim is also the VP of Security Architecture at WhiteHat Security. Jim provides secure coding and developer awareness training for WhiteHat Security using his 8+ years of experience delivering developer-training courses for SANS, Aspect Security and others. He brings 16 years of database-driven Web software development and analysis experience to WhiteHat and OWASP.


Keynotes



Robertelee.jpg Robert Lee
Intuit CyberFraud Management (ICFM)


Track Session Speakers

Aditya Gupta

Aditya Gupta is a renowned mobile security expert and information security researcher. Also being the lead developer and co-creator of Android Framework for Exploitation, he has done a lot of in-depth research on the security of mobile devices including Android, iOS and Blackberry.

He has also discovered serious security flaws in websites such as Google, Apple, Microsoft, Adobe, Skype and many more. In his work with XYSEC, he is commited to perform VAPT and Mobile Application Security Analysis. He has also been working with government clients and intelligence agencies in India, as well as providing them trainings and services on Malware Analysis, Exploit Development and Advanced Web App Hacking.


Arshad Noor

Arshad Noor is the CTO of StrongAuth, Inc., a Silicon Valley based company focused on encryption and key-management since 2001. He is the creator of the industry's first open-source Symmetric Key Management System, the creator of the StrongKey CryptoEngine, an open-source library for securing data in the Cloud and the author of the Regulatory Compliant Cloud Computing (RC3) web-application architecture (presented at OWASP AppSec 2012).


Breno Silva

Breno is a computer scientist with over 9 years experience in Information Security, experienced with a wide range of software development techniques and languages, security systems and network technologies. Breno brings a research history publishing articles in academic conferences like IEEE WIFS, IEEE ICMLC, IEEE INDIN, World Academy of Science, as well industry related conferences like OWASP AppSec Latam, OWASP AppSec Research and Ph-Neutral, involving areas as algorithm design for network anomaly detection mechanisms in high-speed networks, application security and malicious code detection. He was a member of Suricata IPS developer team (next-generation IPS funded by US-Homeland Security). Breno is currently a Security Researcher at Trustwave SpiderLabs Research team and maintainer of Apache ModSecurity.


Dennis Groves

Dennis Groves is the founder of OWASP. He is a well known thought leader in application security who's work focuses on multidisciplinary approaches to information security risk management. He holds an MSc in Information Security from Royal Holloway, University of London. He is currently an expert for the UK mirror of ISO subcommittee 27, WG4.


Justin Searle

Justin is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and currently plays key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), National Electric Sector Cybersecurity Organization Resources (NESCOR), and Smart Grid Interoperability Panel (SGIP). Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences, and is currently an instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top security conferences such as Black Hat, DEFCON, OWASP, and AusCERT. Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudanum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).


Moshe Lerner

Moshe Lerner is VP of Product Strategy and Corporate Development at Checkmarx, a leading provider of a secure testing solutions using innovative source code analysis platforms.

Moshe has over 20 years of global experience in the software industry where he served in different executive and professional roles at leading companies. Prior to Checkmarx, Moshe held the position of VP of Product Management and Business Development at ItemField (acquired by Informatica) and before that, as VP of Product and Delivery at Sapiens (Nasdaq: SPNS).

Moshe holds B.S.C in Information systems from Israel’s Institute of Technology (Tecnion)


Shay Chen

Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.

As the co-author of the platforms ""Diviner"" and ""WAVSEP"", he was involved in the publication of several large-scale researches in the field of automated security scanners (including the latest 2012 comparison of 61 web application scanners).

After a decade of exposure to tons of common vulnerabilities, the law of familiarity caused his researches to revolve around abnormal hacking methodologies and new application-level attack vectors, usually the type that bypasses the known spectrum of security mechanisms.

He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, open source projects, testing methodologies and various security tools comparison initiatives.

Shay is an experienced speaker, and has been instructing a wide variety of information security courses for the past 7 years, including appearances in international conferences such as Hacktivity, ZeroNights, and AppSecUSA, as well as multiple appearances in various OWASP conferences.

He has over twelve years in information technology and security, including a strong background in software development.


Subho Halder

Subho Halder is a Programmer, Security Researcher and Penetration Tester. He loves writing exploits and programming in PHP, Java, Perl and Python. He is well equipped and has a deep understanding of Android and Blackberry frameworks.


Tobias Gondrom

Tobias Gondrom is Managing Director of an Information Security & Risk Management Advisory based in the United Kingdom, Germany and Hong Kong. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and before as the lead of the Security Task Force at a global Independent Software Vendor, he was responsible for information security, risk and incident management globally.

Since 2003 he is the chair of working groups of the IETF (www.ietf.org) in the security area, member of the IETF security directorate, and since 2010 chair of the web security WG at the IETF, and currently invited expert member at the W3C WebAppSec working group, board member of OWASP London and chair of the OWASP global industry committee. Tobias is a frequent CISO trainer, the author of international standards RFC 4998, RFC 6283 and co-author and contributor to a number of internet standards and papers on web and application security and electronic signatures, as well as the co-author of the OWASP CISO guide and the book „Secure Electronic Archiving“, and frequent presenter at conferences and publication of articles (e.g. AppSec, CISO Forum, IETF, ISSE, Moderner Staat, iX). He is also certified as CISSP, CSSLP and CCISO.

Tobias has post-graduate degrees in Theoretical Physics from the Technical University of Munich and the senior management M.Sc. from London Business School (Sloan Masters in Leadership and Strategy) with his thesis focusing on leading and managing global change programs.


Tony UcedaVelez "Tony UV"

An experienced security management professional, Tony has more than 14 years of hands-on information security and technology expertise across technical and operational areas. He has worked and consulted for numerous firms within the Fortune 500, as well as U.S federal agencies on the subjects of security risk management, application security, human hacking, and security architecture. He is the founder of VerSprite and consults across several different industries on a myriad of security topics using a hybrid style that encompasses both technical and process based security insights.

His diverse IT background in software development, security architecture, and network security, coupled with his expertise in process engineering and security risk management has allowed Tony to be a recognized leader in developing strategic security solutions that are multi-faceted in their approach to addressing enterprise risk. From both the commercial and government sectors, Tony has applied his expertise across multiple control frameworks (ITIL, NIST, ISO, CoBIT, COSO, etc) in order to help mature security programs built around both automated and manual control sets.

In the realm of application security, Tony is a threat modeling evangelist and has provided numerous talks domestically and globally on its many benefits and application. He has served as a guest mentor to teams participating in Kennesaw State University’s annual Cybercrime capture the flag event as well as a Cybercrime speaker for Southern Polytechnic University in Atlanta (2009). He has also served as a guest speaker on the subject of application threat modeling during ISACA’s annual Geek Week event and has also served as a keynote speaker on the subject for ISACA’s Global Symposium web cast series. Additional articles include articles related to CoBIT and the ValIT model (ISACA’s Journal), application threat modeling within the SDLC (InSecureMagazine), and security process engineering for a ROSI (return on security investment) (Journal of Finance).

Tony is also well regarded in the field of FISMA compliance, having worked with various federal entities and their respective certification & accreditation groups in order to manage compliance requirements against both NIST and FIPS requirements for ensuring data and system level security. NIST has invited Tony to speak twice at their annual SCAP conference in Baltimore on the subject of sustaining compliance across large federal information enterprises.

Prior to VerSprite, Tony served as Sr. Director of Security Risk Management to a Fortune 50 organization where he led security assessments against global application environments. His work encompassed web application security testing, security architecture reviews, and analysis for business logic exploits. He applied effective ways to introduce the subject of application risk to information owners by effectively mapping them to operational business components. Previous to this role, he spent more than 5 years in the field of application security across other Fortune 500 organizations within the banking, telecom, and information service industry segments.

Tony currently leads the OWASP Atlanta Chapter, where he manages monthly workshops and events for the Atlanta web application security community. He is also serves on the OWASP Global Membership Board and regularly provides talks to other chapters nationwide, primarily on the topic of application threat modeling. Aside from the OWASP organization, Tony has helped to organize BSides Atlanta – an underground grassroots effort aimed at providing 100%, unsolicited security content to Atlanta Information Security professionals.


The Droid Exploitation Saga

Aditya Gupta & Subho Halder In this talk, we will be discussing various security holes in the Android Framework, and most of all how it could be exploited using our framework. Android Framework for Exploitation or AFE is a full toolset for a penetration tester to check for android security (app/platform) vulnerabilities as well as exploit it.


OWASP Project Track Opportunities

The AppSec APAC conference organizers, in conjunction with the Global Projects Division, is pleased to announce a Call for Entries for the 2013 OWASP Project Track (OPT).

We are offering a limited number of FREE speaking opportunities to open source projects this year, as well as FREE conference admission for the representatives of the chosen projects. We would like to invite ALL open source projects to apply.


About the AppSec APAC 2013 OWASP Projects Track

This is a great opportunity for OWASP Project Leaders to showcase their project as an official conference presenter. Please note that successful OPT applicants are responsible for developing and presenting in their designated timeslot at the conference.

For an opportunity to present your open source project through the OPT at AppSec APAC 2013, please submit your application using the OSPT APAC 2013 Application.

OWASP AppSec APAC 2013 – OWASP 프로젝트 트랙(CFP)


Sponsorship Opportunities

OWASP Project Leaders have the option of requesting financial assistance from the Foundation to cover travel and hotel expenses ONLY. This funding is only available to projects that have been selected to participate in the OPT at AppSec APAC 2013. Preference will be given to OWASP Project Leaders that are applying to present at the confernce that is closest to their region. Additionally, preference will be given to OWASP Project Leaders that have not presented or participated in the OPT forum.


Date and Times

APPLICATION DEADLINES

OPT Applications are due: December 28, 2012


CONFERENCE DATE

February 19-22, 2013


OPT DATE & TIME

All OPT Talks will be held between February 21-22, 2013.


LOCATION

Hyatt Regency Jeju
114,Jongmoongwangwang-ro 72 beon-gil,Seogwipo-si,
Jeju Special Self-Governing Province
South Korea
Phone: +82 64 733 1234


Questions?

If you have any questions, or if you simply need some more information, please do not hesitate to Contact Us.


AppSec APAC 2013 will be held at the Hyatt Regency in Jeju, South Korea.



Conference Registration is now open! Click Here to Register.


OWASP AppSec Asia Pacific features two days of training February 19-20, and two days of talks, February 21-22, 2013

Please note - all prices below appear in USD; however arrangements can be made for payment in South Korean Won.


Conference Registration Fees (not including training)

Ticket Type
Early (until January 18) Regular Price
Non-Member $295 USD $395 USD
Non-Member plus 1-year OWASP Membership! $295 USD $395 USD
Active OWASP Member $275 USD $375 USD
Student $75 USD $100 USD
Training Only (See pricing table below)


Training Fees

Course Length
Course Date(s)
Price
1-Day Class Wednesday, Feb 20 $400 USD
2-Day Class Tuesday and Wednesday, Feb 19-20 $800 USD

Price per attendee. Please note that conference Registration is separate.

For more information on available training courses and trainer bios, please select the "Trainers and Training Schedule" tab.


Optional Conference Events

Item
Date & Time
Price
1/2 Day Developer Workshop Wednesday, Feb 20, 1-5pm Complimentary
Chapter Leader Workshop Wednesday, Feb 20, 6:30-9:30pm Complimentary
Conference Networking Dinner Thursday, Feb 21, 7-9pm $50 USD


Sign up for any of these optional items by registering for the conference.


Group Discounts

10% off for groups of 10-19 20% off for groups of 20-29 30% off for groups of 30 or more

Please Contact Us for more information about registering a group.


Membership Discounts

We are pleased to offer $20 off admission for active OWASP members. Multiple discounts can not be applied.


Registration for Trainers and Speakers

If you have been selected to deliver a training or talk at the conference, you should have received a discount code for complimentary admission.
If you did not receive this code or have questions, please Contact Us.


Registration for OWASP Leaders

Complimentary admission to the conference is offered to active OWASP Chapter and Project Leaders. Additionally, two seats for each of the training courses are available at no cost to active OWASP Chapter and Project Leaders (available on a first come, first serve basis). To register as an active Chapter or Project leader, please select the general event registration option and enter discount code: OWASPLEADER. Please email sarah.baso@owasp.org for a registration discount code to the training courses.


Please note: conference and training registration using the OWASPLEADER discount code will be verified by the conference team and if you are not an active OWASP Chapter or Project Leader, you will be contacted regarding your status and your registration may be subject to cancellation.


We are looking for sponsors for 2013 edition of Global AppSec APAC.


If you are interested to sponsor Global AppSec APAC 2013, please contact the conference team: AppSecAPAC2013@owasp.org


Sponsorship Deadline is January 15, 2013.


To find out more about the different sponsorship opportunities please check the document below:
OWASP AppSec APAC 2013 Sponsorship Options - English
OWASP AppSec APAC 2013 Sponsorship Options - Korean



For assistance with booking a flight or hotel, feel free to utilize OWASP's preferred travel agency:
Segale Travel Service contact information is: +1-800-841-2276
Sr. Travel Consultants:
Maria Martinez...ext 524
Linn Vander Molen...ext 520


Additionally, the Conference Planning Team is available to answer any questions!


Accommodation

We've been able to arrange for special rates at the Hyatt Regency Jeju(where the training and conference will be held).

The special room rates are available two nights either side of the event ensuring that if you are travelling domestic or international it's easy to find a room at a good rate.


Hyatt Regency Jeju
114, Jungmungwangwang-ro 72 beon-gil, Seogwipo-si
eju Special Self-Governing Province
South Korea 697-130

Tel: +82 64 733 1234 Fax: +82 64 732 2039
Email: jeju.regency@hyatt.com


Hotel Regency Information Sheet


To book a room at the special rate:
*Add the room to your online conference registration or
*Complete the Hotel Booking Form and fax or email to the address on the form.  


Please notice that if you add the room to your conference registration, the rates are in USD and include all service fees and taxes.

Airport Transportation

Jeju International Airport is approximately 40 minutes by car from the Hyatt Regency. Hotel Map & Directions


Arrival by Airport Limousine Bus (Recommended)

The Airport Limousine Bus (Bus No.600) will be waiting at the Airport exit at all times during its operating hours of 6:20 am to 10:10 pm. The bus will leave the airport at 15 minute intervals, and will take around 50 minutes to reach the hotel’s main entrance. The price is KW 3,900 per person (less than $4 USD).


Arrival by private car

  1. Exit Jeju International Airport and enter Jungmun Highway.
  2. Follow the signs to Jungmun.
  3. Make a right from the junction where the wind power plant can be seen on the right.
  4. Go straight ahead to find the sign for the hotel.
  5. Follow the road indicated by the sign for Hyatt Regency Jeju.


Arrival by rental car

  1. Press the navigation code ‘4327’ for the rental car.
  2. Input the address: 3039-1 Saekdal-Dong Seogwipo-Si, Jeju Island.
  3. Input the telephone number: 064-733-1234.


Parking at the Hyatt Regency Jeju

Hyatt Regency Jeju offers the outdoor parking on hotel premises available to hotel guests at no charge.

Complimentary valet parking is also available on request. The hotel’s parking area is accessible 24 hours a day.

Information +82 64 735 8495


We will be hosting a networking dinner with Korean-style food and beverages on Thursday evening, February 21 from 7:00pm to 9:00 pm at the Hyatt Regency Jeju.

The cost of this dinner is approximately 53,000 KRW ($50 USD) and can be added to your online conference registration.


About the Workshop

When: Wednesday evening, February 20th, from 6:30 to 9:30 pm
Where: Hyatt Regency Jeju.

The Global Chapter Committee invites all chapter leaders to participate in the upcoming Chapter Leader Workshops at AppSec APAC 2013.

The Chapter Leader Workshop format will continue to follow the Q & A format used during AppSec USA and AppSec LATAM. Questions and discussion will focus on sections of the Chapter Leader Handbook, OWASP Global Chapter resources, and local chapter challenges.


Dinner will be provided for workshop participants.


Register for the Workshop

To confirm your participation in the event, register for the conference and be sure to select "Chapter Leader Workshop" as an optional registration item.


Chapter Leader Sponsorships

IMPORTANT DEADLINES - January 7, 2013 - Appsec APAC Chapters Workshop sponsorships applications due
- January 14 - Applicants notified of status


  • If you need financial assistance* to attend the Chapter Leader Workshops please contact us by the application deadline.


  • Priority of sponsorships will be given to those not covered by sponsorship to attend a previous workshop. Additionally, we are looking for new or struggling chapter leaders who need assistance kick starting their chapter.
  • When you apply for funding, please let us know *why we should sponsor you*. While we prefer that chapter leaders use their own chapter's funds before requesting a sponsorship, this is not a requirement for application.
  • If your chapter has fund but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).


Questions

If any questions, please contact us


2013 AppSec APAC Conference Volunteer Team

  • Johnny Cho
  • Yune Sung
  • Hyung Geun Park


Do you want to volunteer for AppSec APAC 2013? Click here to sign up


OWASP Staff Support

  • Sarah Baso
  • Samantha Groves
  • Kelly Santalucia
  • Kate Hartmann
  • Alison Shrader


Contact us at appsecAPAC2013@owasp.org



Diamond Sponsor

Pentasecurity logo.png

Platinum Sponsor

Akamai Logo.png

Gold Sponsor

ENsecure Logo AppSecAPAC 2013.png

Architectgroup 130131.png

Silver Sponsor

Checkmarx.jpg
SANS Logo 150x45.jpg

Lanyard Sponsor

Checkmarx.jpg

Supporting Organization

SecurityPlus logo.gif
EC-Council Logo.png
Nahs logo.jpg
Main logo.jpg

Media Sponsor

EHN Logo 150.png