Revision as of 11:42, 25 September 2012 by Felipe Zipitria



We are pleased to announce that the Uruguayan OWASP chapter (OWASP Uruguay chapter) will host the regional AppSec Latam event. The event will take place in Montevideo, Uruguay, in the ANTEL tower. It consists of 2 days of training (18-19 November 2012), followed by 2 days of conference talks (20-21 November 2012).

The "Global AppSec Latin America 2012" conference will be the meeting point for information security professionals and leaders in Latin America, where innovative and leading ideas and projects will be presented. OWASP events are attended by people from all over the world who want to know "what is coming next?". Around 200-250 participants are expected from industries such as government, finance, media, pharmaceuticals, medicine, technology and other verticals.

For any questions, please contact the conference academic committee:

Who should attend Global AppSec Latin America 2012?

  • Programmers / Analysts
  • Testing / QA experts
  • Project managers
  • CIOs, CSOs and CTOs
  • CFOs, Auditors and regulatory compliance officers
  • Information security managers and heads
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT professionals interested in improving their security posture


Use the #AppSecLatam hashtag for your tweets for AppSec Latin America 2012 (What are hashtags?)

@AppSecLatAm Twitter Feed (follow us on Twitter!)

The training sessions will take place on 18 and 19 November 2012 (Sunday and Monday, respectively) in the ANTEL Tower building, in downtown Montevideo (the conference talks will be on 20 and 21 November). This edition offers 3 different courses:

Java Secure Coding

Instructor: Ari Elias-Bachrach, Appsec Labs

Course summary

Audience: Technical
Required technical level: Intermediate

In this class we discuss secure coding techniques using Java. It is a very hands-on course with many labs. Everything is done from a developer's perspective, NOT a hacker's perspective. We make an effort to show what to do, and avoid the usual security paradigm of only discussing what not to do.

The course covers input validation, authentication, authorization, session management, databases, output encoding, error handling, logging, file handling, file uploading, and cryptography.

The class is hands-on and will include labs. Attendees should have a laptop capable of running VMs. We will provide a VM at the beginning of the class.

Additional details about this class, including a detailed agenda, are available here

Advanced Vulnerability Research and Exploit Development

Instructor: Gianni Gnesa, Ptrace Security

Gianni Gnesa, BCS, MSCS, CEH, OSCP, OSEE, Network+, Linux+, is a security researcher and professional trainer at Ptrace Security, a Swiss-based company that offers specialized IT security services to customers worldwide. With several years of experience in vulnerability research, exploit development, and penetration testing, Gianni is an expert in exposing the vulnerabilities of complex commercial products and modern network infrastructures. In his spare time, Gianni conducts independent security research on kernel exploitation and rootkit detection.

Course summary

The Advanced Vulnerability Research and Exploit Development course offers security professionals an opportunity to test and develop their skills like never before. During this class, attendees will be provided with the latest knowledge and tools to discover vulnerabilities and then develop exploits for a wide range of software including complex Windows applications, interpreted languages, and critical Microsoft services.

In the first half of the course, attendees will use reverse engineering and fuzzing to attack a wide variety of applications (many of which are critical to a successful penetration test) and then use the latest exploitation techniques available today to develop a reliable exploit for Windows 7 / Windows Server 2008.

In the second half of the course, the focus will shift from classic to advanced exploitation techniques. Attendees will learn how to escape from the Java sandbox, how to circumvent ASLR without pointer leaks, and how to use precise heap spraying.

By the end of this course, attendees will have a clear idea of what is necessary to find and exploit a vulnerability on a modern Windows machine.

This course is well-suited to penetration testers, exploit developers, malware analysts, and security professionals who wish to dive into vulnerability analysis and exploit writing.

Topics covered in this course include stack-based overflows, SEH-based overflows, integer overflows, information leakages, heap spraying, payload development, Unicode payload development, return oriented programming (ROP), and sandbox escaping.

Additional details about this class, including a detailed agenda, are available here

Hands on Web Application Testing: Assessing Web Apps the OWASP way

Instructor: Matt Tesauro


Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&M University. Currently, he's focused on application security risk assessments at Praetorian. Outside work, he is the project lead for the OWASP Live CD / WTE, a member of the OWASP Foundation board, and part of the Austin OWASP chapter leadership. Matt Tesauro has a B.S. in Economics and an M.S. in Management Information Systems from Texas A&M University. He also holds the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.

Course summary

The goal of the training session is to teach students how to identify, test, and exploit web application vulnerabilities. The creator and project lead of the OWASP Live CD, now recoined OWASP WTE, will be the instructor for this course and WTE will be a major component of the class. Through lecture, demonstrations, and hands-on labs, the session will cover the critical areas of web application security testing using the OWASP Testing Guide v3 as the framework and a custom version of OWASP WTE as the platform. Students will be introduced to a number of open source web security testing tools and provided with hands-on labs to sharpen their skills and reinforce what they've learned. Students will also receive a complimentary DVD containing the custom WTE training lab, a copy of the OWASP Testing Guide, handouts and cheat-sheets to use while testing plus several additional OWASP references. Demonstrations and labs will cover both common and esoteric web vulnerabilities and include topics such as Cross-Site Scripting (XSS), SQL injection, CSRF and Ajax vulnerabilities. Students are encouraged to continue to use and share the custom WTE lab after the class to further hone their testing skills.

Additional details about this class, including a detailed agenda, are available here


Please contact us with your question!

Call for presentations

Submit your talk proposal here: Presentation submission form

Please carefully fill out the CFP form to submit your talk for consideration at OWASP AppSec Latam 2012 in Montevideo, Uruguay.

The talks will be held November 20th and 21st, 2012 at the ANTEL National Telco Company located in downtown Montevideo (training is November 18th and 19th). Talks will be 50 minutes each. We will post your Display Name, Biography, Talk Title, and Talk Abstract to the site if your talk is selected. If you provide a URL or Twitter handle, we will post that if your talk is selected, too.

The submission deadline is 7 September 2012. If your talk is selected, we will contact you to confirm it, and we will expect your slides no later than 16 November 2012 for review. We will carry out a peer review of your slides and any other submitted material for inclusion on the conference website (after the conference) and to verify that it complies with the guidelines for presenting material at OWASP conferences.

If you want to submit multiple presentations, please do so in separate form submissions.

Speakers will receive free (non-transferable) admission to the conference in return for their 50-minute talk.

Speaker Agreement

By submitting your proposal for a talk/paper through our CFP, you are consenting to stay within the guidelines of the speaker agreement:


Please contact us with your question!

Jerry Hoff

"Building Security Into Frameworks: Who is doing it right": In this talk, Jerry Hoff, VP of the Static Code Analysis Division at WhiteHat Security, will discuss the importance of security controls in mobile and web frameworks. The talk features a tour through a spectrum of languages and frameworks. A tip of the hat will be given to frameworks and security controls that demonstrably mitigate vulnerabilities, resulting in more secure code. A wag of the finger will be given to frameworks that either lack essential security controls, or implement them improperly.

Many of the OWASP Top 10 vulnerabilities and their corresponding security controls will be discussed. Participants will walk away with a better understanding of the security libraries available across a wide array of popular web technologies.

Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. Prior to joining WhiteHat, he was a co-founder and managing partner at Infrared Security. Jerry has worked at a number of Fortune Ten financial firms, along with years of hands-on security consulting, where he specialized in manual code review, web application penetration testing, and architecture reviews. Jerry also has years of development and teaching experience. He taught for over seven years at Washington University's CAIT program, and the microcomputer program at University of Missouri in St. Louis. Jerry is the writer/producer of the popular OWASP Appsec Tutorial Series and the lead developer for the WebGoat.NET project.

Pravir Chandra

Everything you know about Injection Attack is wrong: This casual talk will take a look at several mundane vulnerabilities that we all know about and ask a few deeper questions. What are the underlying mechanisms? Does our advice on preventing them *actually* work? Is there a better way when you think of software design patterns? By the end, we'll challenge the audience to think past the surface of these code vulnerabilities and hopefully learn a little about how the right abstraction model can save tons of security headaches.

Pravir Chandra is a veteran in the security space and a long-time OWASP contributor, including his role as the creator and leader of the Open Software Assurance Maturity Model (OpenSAMM) project. Currently, as security architect for the CTO of Bloomberg, he drives proactive security initiatives that demonstrate concrete value for the firm. Prior to this, Pravir was Director of Strategic Services at HP/Fortify, where he led software security assurance programs for Fortune 500 clients in a variety of verticals. He is responsible for standing up the most comprehensive and measurably effective programs in existence today. As a thought leader in the security field for over 10 years, Pravir has written many articles, whitepapers, and books and is routinely invited to speak at businesses and conferences worldwide.

Cristian Borghello

Cristian F. Borghello holds a degree in Systems (Licenciado en Sistemas), and is a developer, a Certified Information Systems Security Professional (CISSP) and a Microsoft MVP Security (Most Valuable Professional).

He is currently Director of Segu-Info and works as an independent information security consultant. He writes for various specialized media outlets and conducts independent research on computer and information security. He has lectured at national and international congresses and seminars on the subject. His interest in computer security and its research has led him to maintain this site:

Hernán M. Racciatti

Hernan M. Racciatti has 20 years of experience in Information Technology, having dedicated most of his career to areas related to Information Security.

He currently serves as Director of Security at SIClabs, advising private companies and public agencies, leading penetration tests, application security assessments and source code reviews, pursuing research on information security, and teaching and offering seminars and technical lectures at national and international conferences related to his field.

Among his contributions to the community, the following should be noted: active participation as a collaborator in some ISECOM projects (OSSTMM - Open Source Security Testing Methodology Manual and Hacker High School) and OISSG (ISSAF - Information Systems Security Assessment Framework), the development of small tools designed to secure information systems, and several papers, articles and technical documents written for digital and print publications with national and international circulation.

During the last year, he found and reported vulnerabilities in major commercial products.

Hernan Marcelo Racciatti is a member of the Core Team at ISECOM (Institute for Security and Open Methodologies), ISSAF Key Contributor at OISSG (Open Information System Security Group), President of the CSA (Cloud Security Alliance) Argentina Chapter, Executive Committee Member of the NGO Argentina Cibersegura, and a member of ISSA (Information Systems Security Association) and the OWASP (Open Web Application Security Project) Buenos Aires Chapter.

Learn more about Hernan at

The following are the selected presentations, subject to confirmation by the speakers.

Name | Presentation
Alex Bauert | Assessing Application Security Risk
Sebastian Bortnik | Malware en dispositivos móviles.
Flavio de Cristofaro | Password Security Policies - Lessons learned from recent password leaks
Mauro Flores | OWASP Mobile Top 10
Dario Gomez | Resource Certification: "Implementation Challenges"
Mennouchi Islam | Presentation Of The OWASP ODZ Multi CMS Scanner
Mateo Martínez | A real ZAP story
Francisco Nunes | Critérios para Institucionalizar Segurança em Processos de Desenvolvimento de Software
Andres Riancho | Understanding HTML5 security
Nicolas Rodriguez | Don't try to block out the sun with your fingers!: Information harvesting with Test-driven development tools and understanding how to avoid it
David Schekaiban | Lo doloroso de la era cibernética: ataque, crimen, espionaje, activismo y guerra.
Raja Sekhar | Templates to Derive Security Metric based on Attack Patterns
Breno Silva | Reducing Web Application Attack Surface with a HMAC based protocol
Tony UcedaVelez | Using PASTA as a core ingredient to web application threat modeling
Felipe Zipitria | How dynamic have been static checking?

The AppSec Latam 2012 conference will be held in downtown Montevideo, Uruguay, at the Uruguayan telecommunications company Antel. Directions are available at: Google Maps

The training sessions and talks will be held in the Auditorium and in the interactive room, close to the Antel tower.

The Antel tower:

[Photo: Antel National Telco Building]

Antel Auditorium (left) and its main entrance (right):

[Photos: Antel Telco Venue Auditorium, Antel Telco Main Entrance to Auditorium]

Inside the Auditorium (left) and the interactive room (right):

[Photos: Antel Telco Auditorium 02, Antel Telco Interactive Room 02]

Conference fees

Access to the conference costs:

  • Before 30 September: 3200.00 UYU (approximately 150.00 USD)
  • Before 31 October: 4250.00 UYU (approximately 200.00 USD)
  • After 1 November: 5300.00 UYU (approximately 250.00 USD)


  • One day: 8500.00 UYU (approximately 400.00 USD)
  • Two days: 17000.00 UYU (approximately 800.00 USD)


  • OWASP member: 50.00 USD (Note: This discount is equal to the cost of becoming an OWASP paid Member.)
  • Students: 1600.00 UYU (approx. 75.00 USD). Note: student ID or other proof of current student status is required.
  • Special discounts are available for group registration. Please send your questions to

Online registration

Registration is not yet available for this event. Please check back shortly for registration details.

We are looking for sponsors for the 2012 edition of Global AppSec Latin America.

If you are interested in sponsoring Global AppSec Latin America 2012, please contact the conference team:

For more information about the different sponsorship options, please see the following document:
OWASP AppSec Latam 2012 sponsorship options - English

Venue Sponsor

[Logo: Antel]


A group rate is being negotiated with one or two hotels in Montevideo. Check back later for the details of these discounts.


About the Workshop

2012 Chapters Workshop to be held at the Conference Venue on the afternoon of November 19th, 2012 (the day before the conference)

  • September 17th - AppSec Latam Chapters workshop sponsorship applications due
  • September 21 - Applicants notified of status

We plan to start with a 1.5 hour session including an overview of the chapter handbook. This session will be videotaped and made available for chapter leaders to use in their local chapters (or to be viewed by those unable to attend). The second part of the workshop will be a roundtable discussion on regional issues and challenges, with a goal of working together to create solutions. If you are interested in participating in either of these workshops, please register for the Conference and select the optional session "chapter leaders workshop" as part of the registration process. Remember that conference attendance is free for current chapter and project leaders.

Info about last year's workshop: Meeting Minutes from Latin America Chapters Workshop 2011

Sponsorship to Attend the Chapters Workshop

If you need financial assistance to attend the Chapter Leader Workshops please submit a request to via the Contact Us Form by the application deadline for each of the events.


Additional Information for Applicants:

  • Priority of sponsorships will be given to those not covered by a sponsorship to attend a previous workshop. Additionally, we are looking for new or struggling chapter leaders who need assistance kick starting their chapter.
  • When you apply for funding, please let us know *why we should sponsor you*. While we prefer that chapter leaders use their own chapter's funds before requesting a sponsorship, this is not a requirement for application.
  • If your chapter has funds but will not be using them to sponsor your attendance, please include why you will not be using the funds for this purpose (i.e. what are the other plans for those funds?).


If you have any questions, please contact us at:

2012 AppSec Latam conference volunteer team

  • Mateo Martinez
  • Mauro Flores
  • Martin Tartarelli
  • Fabio Cerullo

OWASP support team

  • Sarah Baso
  • Kate Hartmann


Gold Sponsor

[Logo: Agesic]

Silver Sponsors

[Logos: Core, PwC]

Conference Room Sponsor



Academic Supporters

[Logos: ORT, Fing]

Organizational Supporters