AppSec Academia Symposium Irvine 09

Revision as of 23:26, 9 July 2009 by Nmatatal (Agenda and Presentations)


Welcome to the OWASP Application Security Academia Symposium

Date: Wednesday 8/26/2009. Note the time change! The event now runs 10 AM - 6 PM (it was originally announced for the afternoon only).

Event's Location

University of California Irvine.

Call for Presentations / Research Papers

Please send all proposals to nmatatal 'at' with at least OWASP in the subject line.

Topics include, but are not limited to:

  • OWASP ESAPI, Application Security Architectures
  • Security education programs
  • Enterprise authorization service
  • Privacy Concerns with Applications and Data Storage
  • OWASP Code Review
  • OWASP Testing Guide
  • Threat modeling of web applications
  • Separating security from coding: enhancing the security of the infrastructure (HTTPOnly, disabling session token reuse in ASP, etc.) and platform or language (e.g. Java, .NET) security features that help secure web applications
  • Security of Service Oriented Architectures
  • Vulnerability analysis of web applications (code review, pentest, static analysis, scanning)
  • Secure application development
  • How to use databases securely in web applications
  • OWASP Education Project (live CD)
  • Web services security

Please include at least the following information:

  • Name
  • Affiliation
  • Phone Number
  • Abstract
  • Short Bio

Agenda and Presentations

Name: Cassio Goldschmidt

Affiliation: Sr. Manager of Product Security at Symantec Corp.

Title: Tracking the progress of an SDL program: lessons from the gym.

Abstract: Secure coding and testing training are a vital element of any successful security development lifecycle program. In this talk Symantec, an industry pioneer in internal secure coding education, will present what makes a security class effective, engaging and valuable to an organization with development offices spread across several countries. We'll also analyze numerous other successful ongoing educational and awareness initiatives used to keep the staff current, interested and alert about the latest attacks.

Name: Matt Tesauro

Affiliation: Texas Education Agency

Abstract: The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. The Live CD also contains documentation and an interactive learning environment to enhance users' web application security knowledge. This presentation will cover the current state of the OWASP Live CD, specifically the migration to an Ubuntu Linux base, the addition of static analysis tools and the development of an additional educational environment. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at:

Name: Michael J. Craigue

Affiliation: Sr. Application Security Consultant at Dell Inc.

Title: Enterprise Application Security Practices: Real-world Tips and Techniques.

Abstract: Dell Inc. worked with Microsoft and Fortify to create its application security practice. Mike Craigue will discuss some of the challenges and opportunities Dell faced. This session will cover creating policies/standards, deploying a Security Development Lifecycle as an overlay to the SDLC, overcoming concerns of developers and business partners, and addressing global standardization issues. This talk will analyze the creation and evolution of Dell's Security Development Lifecycle over the last few years, including awareness/education/training, application security user groups, security consulting staff development, risk assessments, security reviews, threat modeling, source code scans, deployment scans, and penetration testing. It will include a discussion of Dell's information security organization and the division of labor among internal security consultants in the security development lifecycle. It will also explain the development, socialization, and approval process for the secure application development standard.

Name: Ed Murphy

Affiliation: Assistant Director, University Information Technology Services at the University of Arizona

Title: Don't Be Next: Developing a Security Mindset Among Web Developers on Campus (alternate title: Stay Out of the News: Developing a Security Mindset Among Web Developers on Campus)

Abstract: This presentation focuses on the problem of bad computer code and how to prevent it at a university. Web application development on a university campus is done in a variety of ways. Sometimes it is done with student developers, sometimes with outside vendors, sometimes with full-time staff and sometimes with a combination of resources. This presentation will review strategies for developing a security mindset when doing web development on a college or university campus. The strategies covered by the presentation include:

  • Education, such as developer presentations on vulnerabilities and on how to use language-specific libraries to eliminate vulnerabilities.
  • Developing secure coding standards for developers.
  • Changes to the Software Development Life Cycle (SDLC) to incorporate secure code reviews into the peer review process.
  • Leveraging your campus Information Security Office to make tools available to distributed developers on campus, such as IBM's Rational AppScan and QualysGuard.
  • Developing a recommended vendor list for departments who choose to have web applications built by off-campus vendors.
  • Working with your Purchasing and Contracts department to incorporate SANS Application Security Procurement Language into standard contracts.

Name: Dave Keays

Affiliation: LA-Drupal (LADRUPAL.ORG)

Title: Avoiding Injection Attacks in the Drupal Framework

Abstract: Drupal is a driving force in Open Source Web Applications and has numerous security features built in. By following a few guidelines, all contributed code or modules can have security built in by design.

Drupal's abstraction layers provide protection against some of the most common attacks. This paper will look at those protections, code snippets, black-box analysis, and a set of guidelines for developing modules for Drupal. It will serve as the first chapter in a free ebook on Drupal security.


University of California Irvine

Calit2 building, building number 325 in quadrant H8 on the UC Irvine Map

There will be no fees for this event; only registration is required to participate. Space is limited and there is no plan for on-site registration, so please register early.

Please park at the Anteater Parking Structure.

Parking is $7 (may be provided, TBD)

Pre-Event Organization Team

  • Kuai Hinojosa (kuai.hinojosa 'at'
  • Neil Matatall (nmatatal 'at'

OWASP AppSec Event Sponsor

This conference will be sponsored by Administrative Computing Services at UC Irvine