AppSec Academia Symposium Irvine 09

Revision as of 00:46, 10 July 2009 by Nmatatal (talk | contribs) (Agenda and Presentations)

Jump to: navigation, search

Welcome to the OWASP Application Security Academia Symposium

Date: The afternoon of Wednesday 8/26/2009 Note the time change! 10 AM - 6PM

Event's Location

University of California Irvine.

Call for Presentations / Research Papers

Please send all proposals to nmatatal 'at' with at least OWASP in the subject line.

Topics include, but not limited to:

  • OWASP ESAPI, Application Security Architectures
  • Security education programs
  • Enterprise authorization service
  • Privacy Concerns with Applications and Data Storage
  • OWASP Code Review
  • OWASP Testing Guide
  • Threat modeling of web applications
  • Separating security from coding, enhancing the security of the infrastructure (HTTPOnly, disabling session token reuse in ASP), etc also platform or language (e.g. Java, .NET) security features that help secure web applications
  • Security of Service Oriented Architectures
  • Vulnerability analysis of web applications (code review, pentest, static analysis, scanning)
  • Secure application development
  • How to use databases securely in web applications
  • OWASP Education Project (live CD)
  • Web services security

Please include at least the following information:

  • Name
  • Affiliation
  • Phone Number
  • Abstract
  • Short Bio

Agenda and Presentations

Break Out Sessions

Small Rooms (10-15 people) will be available for a majority of the event. These are meant for AdHoc discussions. Ideas can be posted on the wiki or sent to Neil Matatall (nmatatal at These are meant to be freeform, but please be courteous with the time you use.

Tracking the Progress of an SDL Program: Lessons From the Gym

Name: Cassio Goldschmidt

Affiliation: Sr. Manager of Product Security at Symantec Corp.

Abstract: Secure coding and testing training are a vital element of any successful security development lifecycle program. In this talk Symantec, an industry pioneer in internal secure coding education, will present what makes a security class effective, engaging and valuable to an organization with development offices spread in several countries. We’ll also analyze innumerous other successful ongoing educational and awareness initiatives used to keep the staff current, interested and alert about the latest attacks.

Bio: Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling and penetration testing. Cassio’s background includes over 12 years of technical and managerial experience in the software industry. During the six years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests.

Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a masters degree in software engineering from Santa Clara University, and a masters of business administration from the University of Southern California.

OWASP Live CD: An Open Environment for Web Application Security

Name: Matt Tesauro

Affiliation: Texas Education Agency

Abstract: The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. The Live CD also contains documentation and an interactive learning environment to enhance users web application security knowledge. This presentation will cover the current state of the OWASP Live CD specifically the migration to an Ubuntu Linux base, the addition of static analysis tools and development of an additional educational environment. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at:

Bio: Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester.  Matt also taught graduate and undergraduate  classes on web application development and XML at the Texas A&M University. Currently, he's focused on web application security and developing a Secure SDLC for the Texas Education Agency (TEA). Outside work, he is the project lead for the OWASP Live CD, a  member of the OWASP Global Projects Committee, part of the local OWASP chapters leadership and the membership directory of ISSA of Austin, Texas.   Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.  He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.

Enterprise Application Security Practices: Real-world Tips and Techniques

Name: Michael J. Craigue

Affiliation: Sr. Application Security Consultant at Dell Inc.

Abstract: Dell Inc. worked with Microsoft and Fortify to create its application security practice. Mike Craigue will discuss some of the challenges and opportunities Dell faced. This session will cover creating policies/standards, deploying a Security Development Lifecycle as an overlay to the SDLC, overcoming concerns of developers and business partners, and addressing global standardization issues. This talk will analyze the creation and evolution of Dell's Security Development Lifecycle over the last few years, including awareness/education/training, application security user groups, security consulting staff development, risk assessments, security reviews, threat modeling, source code scans, deployment scans, and penetration testing. It will include a discussion of Dell's information security organization and the division of labor among internal security consultants in the security development lifecycle. It will also explain the development, socialization, and approval process for the secure application development standard.

Bio: Mike is CISSP- and CSSLP-certified and has taught Database Management and Business Intelligence/Knowledge Management at St. Edward’s University in their MBA and MS CIS programs. Prior to joining Dell’s information security team, he spent over a decade building Web and database applications. He holds a Ph.D. from the University of Texas at Austin in Higher Education Administration and Finance. At Dell since 1999, he’s responsible for application security, with an emphasis on the Ecomm site.

Don't Be Next: Developing a Security Mindset Among Web Developers on Campus

Name: Ed Murphy

Affiliation: Assistant Director, University Information Technology Services at the University of Arizona

Abstract: This presentation focuses on the problem of bad computer code and how to prevent it at a university. Web application development on a university campus is done in a variety ways. Sometimes it is done with student developers, sometimes with outside vendors, sometimes with full-time staff and sometimes with a combination of resources. This presentation will review strategies for developing a security mindset when doing web development on a college or university campus. The strategies covered by the presentation include: - Education such as, developer presentations on vulnerabilities and how to use language specific libraries to eliminate vulnerabilities. - Developing secure coding standards for developers. - Changes to the Software Development Life Cycle (SDLC) to incorporate secure code reviews into the peer review process. - Leveraging your campus Information Security Office to make tools available to distributed developers on campus, such as IBM's Rational AppScan and QualysGuard. - Developing a recommended vendor list for departments who choose to have web applications built by off campus vendors. - Work with your Purchasing and Contracts department to incorporate SANS Application Security Procurement Language into standard contracts.

Bio: Fourteen years experience with software development, database administration and web servers in both the corporate and higher education sectors. My experience with web development covers the java, PHP and .Net (C#) platforms. Most recently I have been leading teams of software developers, both full-time staff and student staff, as well as being a secure coding proponent on campus. I have presented on securing coding practices (in general), secure PHP code development and on the value of vulnerability analysis using pentest tools (i.e., IBM's Rational AppScan). I have also been called upon to lead teams of developers in the investigation and remediation of several high-profile web site hacks on campus. Most notably I lead the team that determined the break in method and implemented the code fixes to secure the Phoenix Mars Lander's [1] mission site.

Avoiding Injection Attacks in the Drupal Framework

Name: Dave Keays

Affiliation: LA-Drupal (LADRUPAL.ORG)

Abstract: Drupal is a driving force in Open Source Web Applications and has numerous security features built in. By following a few guide-lines, all contributed code or modules can have security built in by design.

Drupal's abstraction layers provide protection against some of the most common attacks. This paper will be a look at those protections, code snippets, black-box analysis, and a set of guide-lines to develop modules for Drupal. It will serve as the first chapter in a free ebook on Drupal security.

Bio: Dave Keays is a freelance PHP developer with over one-years experience on security within Drupal. He is a member of the LADrupal Users Group (LADRUPAL.ORG) where he has given talks about secure development at the LADRUPAL Users Group and design, and has lead a discussion group on Desktop and Internet security at North Orange County Computer Club that meets at Chapman University in Orange, California. His security knowledge is certified by COMPTIA and he is pursuing certification by both ICS2 and SANS.

Research At UC Irvine

Various discussions from researchers currently working the field of security. More details will be posted later regarding presenters and topics.


University of California Irvine


Calit2 building,building number 325 in quadrant H8 on the UC Irvine Map


There will be no fees for this event, only registration is required to participate. Space is limited and there is no plan on having on site registration so please register early.



Please park at the Anteater Parking Structure.

Parking is is $7 (may be provided, tbd)

Pre-Event Organization Team

  • Kuai Hinojosa (kuai.hinojosa 'at'
  • Neil Matatall (nmatatal 'at'

OWASP AppSec Event Sponsor

This conference will be sponsored by Administrative Computing Services at UC Irvine