Difference between revisions of "AppSec Brasil 2009"

Jump to: navigation, search
(Conference Dates)
(Conference Dates)
Line 197: Line 197:
<td width="14%" height=32 ALIGN=right>16:20 - 17:10</TD>
<td width="14%" height=32 ALIGN=right>16:20 - 17:10</TD>
<TD ALIGN=CENTER BGCOLOR="#EEEEEE"><B>Klaubert Herr da Silveira</b><br>
<TD ALIGN=CENTER BGCOLOR="#EEEEEE"><B>Klaubert Herr da Silveira</b><br>
ModSecurity, Firewall de Aplicação Web Open Source <br> (''ModSecurity, Open Source Web Application Firewall'')</TD>
ModSecurity: Firewall OpenSource para Aplicações Web (WAF) <br> (''ModSecurity, Open Source Web Application Firewall'')</TD>

Revision as of 10:59, 1 September 2009

Para a versão em português, veja em AppSec Brasil 2009 (pt-br)

International Conference on Application Security

TI-Controle and the Computing Centre of the Deputy Chamber present the First International Conference on Application Security that will happen in Brasilia, Capital of Brazil with the support of OWASP Brazilian Chapter. The Conference consists of two days of training sessions, followed by a two-day conference on a single track. Brasilia Panorama.jpg

Conference Dates

The conference will happen from October 27th, 2009 to October 30th, 2009. The first two days will be tutorial days (see below). Plenary sessions will be held on October 29th and 30th.


This conference is promoted by TI-Controle Community and organized by Computing Centre of Brazilian Deputy Chamber.

The conference is supported by OWASP Brazilian Chapter, as content provider (talks selection, trainings and schedule grid).


Gary McGraw

CTO, Cigital

Title: The Building Security In Maturity Model (BSIMM)

Bio: Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Java Security, Building Secure Software, Exploiting Software, Software Security, and Exploiting Online Games; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors, produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT), and produces the Reality Check Security Podcast for CSO Online.

Jason Li

Aspect Security

Title: Agile and Secure: Can We Do Both?

Co-author: Jerry Hoff, Aspect Security

Bio: Jason Li is a Senior Application Security Engineer at Aspect Security. Jason has led security architecture reviews, application security code reviews, penetration tests and provided web application security training services for a variety of commercial, financial, and government customers. He is also actively involved in the Open Web Application Security Project (OWASP), serving on the OWASP Global Projects Committee and as a co-author of the OWASP AntiSamy Project (Java version). Jason earned his Post-Master's degree in Computer Science with a concentration in Information Assurance from Johns Hopkins University. He earned his Master's degree in Computer Science from Cornell University, where he also earned his Bachelor's degree, double majoring in Computer Science and Operations Research.

Jerry Hoff is a Senior Application Security Engineer at Aspect Security. Jerry has led and performed numerous application security code reviews for clients across multiple industries. Jerry also provides training services for clients, and has over 10 years teaching and development experience. Jerry is also involved in the Open Web Application Security Project (OWASP) and was the lead developer of AntiSamy.net project. He has a master's degree in Computer Science from Washington University in St. Louis.

Dinis Cruz


Title: To be defined

Bio: Coming Soon.

Kuai Hinojosa


Title: Deploying Secure Web Applications with OWASP Resources

Bio: Kuai Hinojosa has been developing and securing web applications for about 12 years. He previously worked in the banking industry as a database security administrator for the 5th largest bank in the U.S. where he worked in a small team developing applications that protected company's assets. He now works for New York University as a Web Applications Specialist where he continues to use web application development and application security experience to protect university resources. In his spare time Kuai volunteers his time preaching the application security gospel and leading the Minneapolis OWASP chapter. Kuai is a member of the OWASP (Open Web Application Security Project) Global Education Committee.


Conference Program - Day 1 - October 29th 2009

08:30 - 09:00 Reception Desk Open
09:00 - 09:30 Opening Ceremony
09:30 - 10:00 Dinis Cruz
What is OWASP?
10:00 - 12:00 Gary McGraw (Cigital)
The Building Security In Maturity Model (BSIMM)
12:00 - 13:30 Lunch Break
13:30 - 14:20 Dinis Cruz
OWASP Project Tour
14:20 - 15:10 Thomas Schreiber
The Logic and Semantic Layer of Web Application Security
15:10 - 15:30 Break
15:30 - 16:20 Brian Contos
Making a Case for Data Security to Network-Centric Peers and Managers and Leveraging Web Application Firewalls (WAF) and Database Activity Monitoring (DAM) to Augment Secure Coding & Review Practices
16:20 - 17:10 Matt Tesauro
OWASP ROI: Optimize Security Spending using OWASP
17:10 - 18:00 Pravir Chandra
Software Assurance Maturity Model (SAMM)
18:00 - 18:30 End of the First Day Program

Conference Program - Day 2 - October 30th 2009

08:30 - 09:00 Reception Desk Open
09:00 - 09:10 Openning of the Second Day
09:10 - 10:40 Jason Li e Jerry Hoff (Aspect Security)
Agile and Secure - Can we do both?
10:40 - 11:00 Break
11:00 - 12:00 Kuai Hinojosa (NY University)
Deploying Secure Web Applications with OWASP Resources
12:00 - 13:30 Lunch Break
13:30 - 14:20 Sebastian Cufre
Automated SQL Ownage Techniques
14:20 - 15:10 Cassio Goldschmidt
Praticas e ferramentas fundamentais para o desenvolvimento de software seguro
(Tools and Practices for Secure Software Development)
15:10 - 15:30 Break
15:30 - 16:20 Luiz Otávio Duarte
Abordagem Preventiva para Teste de Segurança em Aplicações Web
(Preventive Approach to Web Application Security Testing)
16:20 - 17:10 Klaubert Herr da Silveira
ModSecurity: Firewall OpenSource para Aplicações Web (WAF)
(ModSecurity, Open Source Web Application Firewall)
17:10 - 18:00 Philippe Sevestre
Programação Segura utilizando Análise Estática
(Secure Programming with Static Analysis)
18:00 - 18:30 End of the Conference

Tutorial Days - October 27-28

Please see the Portuguese version of this page at http://www.owasp.org/index.php/AppSec_Brasil_2009_(pt-br)#tab=Mini-Cursos

Presentation Abstracts

The Building Security In Maturity Model (BSIMM)

Gary McGraw, Cigital

As a discipline, software security has made great progress over the last decade. There are now at least 34 large scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008, Brian Chess, Sammy Migues and I interviewed the executives running nine initiatives using the twelve practices of the Software Security Framework as our guide. Those companies among the nine who graciously agreed to be identified include: Adobe, The Depository Trust and Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, and Wells Fargo. The resulting data, drawn from real programs at different levels of maturity was used to guide the construction of the Building Security In Maturity Model (BSIMM). This talk will describe the observation-based maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works ---people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large scale software security initiatives share common ideas and approaches. Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. Use the BSIMM as a yardstick to determine where you stand and what kind of software security plan will work best for you.

Agile and Secure: Can We Do Both?

Jason Li and Jerry Hoff, Aspect Security

Agile is taking the software development world by storm, but security has been slow to adapt. What can we learn from the Agile movement? Is it possible to achieve security and remain Agile? Jason and Jerry will share Aspect Security's experiences working with Agile teams to gain assurance and save money. They'll compare and contrast traditional waterfall and agile processes and show how we can achieve assurance and security while remaining true to Agile principles.

Deploying Secure Web Applications with OWASP Resources

Kuai Hinojosa, OWASP

Universities are key to making application security visible and the need to educate software developers about application security as an aspect of proper software development has never been more important. In this presentation I will share how OWASP resources can be used by universities to develop, test and deploy secure web applications. I will discuss challenges that Universities currently face integrating a pplication security best practices, describe how OWASP tools and resources are currently used at New York University to test for most common web application flaws. I will introduce projects such as the OWASP Enterprise Security API which can be used to mitigate most common flaws in web applications and share initiatives the OWASP Global Education Committee is currently working on. If you are interested in securing web applications, and supporting the OWASP Global Education Committee efforts you don't want to miss this!


The Palácio do Congresso building

The event will be held in Brasília, Brazil's Capital at: Câmara dos Deputados, Anexo II, Praça dos Três Poderes.

You can check the location at Google Maps


The registration form is been prepared. As soon as it is available, a link will be posted in this space.

Registration and Conference Fees

There will be no fees for this conference, only registration is required to participate.


Conference Committee

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org

2009 AppSec Brasil Program Committee (appsec.brasil@camara.gov.br):

  • Conference Chair: Lucas C. Ferreira (lucas.ferreira at owasp.org)
  • Tutorials Organization: Eduardo V. C. Neves (eduardo.neves at owasp.org)
  • Tracks Organization: Wagner Elias (wagner.elias at owasp.org)

Organization Team

  • Cassio Goldschmidt (cassio 'at' owasp.org)
  • Kuai Hinojosa (kuai.hinojosa 'at' owasp.org)
  • Leonardo Cavallari - (leo.cavallari 'at' owasp.org)
  • Thiago Lechuga (thiagoalz 'at' gmail.com)
  • Dinis Cruz (dinis.cruz 'at' owasp.org)

Links and other information

Event page on LinkedIn: http://events.linkedin.com/OWASP-AppSec-Brasil/pub/65160


Q. Who is promoting the conference?

A. This conference is being supported and organized by the TI-Controle Community and the Deputy Chamber, with the contents (presentations, keynotes, training, etc) selected by the OWASP Brazilian Chapter.

Q. What will it cost?

A. Nothing. Thanks to its sponsor, the conference will be free of charge. However we have limited seats, so please register early.

Call For Papers

Q. What is the Open Web Application Security Project (OWASP)?

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work with your support.

Q. How many speaking slots are there?

Please see the Conference Agenda in its main page.

Q. What are the submission deadlines?

The CFP submission deadline is July 11th, with the final version of the presentation material due September 15th 2009.

Q: Who is allowed to submit presentations?

A: Original authors may submit presentations for consideration. Third party representatives such as PR firms or Speaker Representatives MAY NOT submit materials on behalf of a potential speaker.

Q: Why aren't Third Parties such as PR Firms allowed to submit presentations?

A: Due to potential copyright and intellectual property liability issues as well as the need for OWASP to have direct contact with potential and selected presenters to expedite selection and deliverable materials, we require that only original authors of presentations submit for the Call for Papers. Third party representatives such as PR firms or Speaker Representatives MAY NOT submit materials on behalf of a potential speaker.

Q: Are there any restrictions on the content of the presentations?

A: Yes, all presentations must respect the rules defined in the OWASP Speaker Agreement.

Q: How long will I have to wait before I am notified if I have been accepted or denied?

A: Submitters will be notified of the status (acceptance or denial) on August 7th 2009.

Q. Is there an honorarium for presenters?

No. OWASP is committed to making its conferences available to the widest possible audience. In order to do this OWASP keeps the entrance free for the AppSec Brazil 2009 to make the conference accessible. As a result we are unable to provide a monetary honorarium but we welcome our speakers as our guests to the conference where they can network with other security professionals. We will provide lodging and domestic air travel for one presenter for each selected work.

Q: I have been accepted. What are the materials that I have to turn in and what are the deadlines?

A: The following is a list of materials that are required from each accepted presentation. Failure to proceed these materials by the deadlines set forth for the event the presentation was accepted for will result in cancellation of acceptance.

  • A confirmed Speaker Agreement (July 15th 2009)
  • Presentation in PowerPoint or Keynote format using the OWASP Template (September 15th 2009)
  • Detailed Bibliography of resources, co-authors, etc. (September 15th 2009)
  • Optional White Paper for inclusion on CD (September 15th 2009)

Q: Do I have to submit a White Paper?

A: No. We would certainly appreciate any White Papers that can be included on the conference web site but they are not required. If you have written an existing white paper to go along with your presentation, please submit it with your CFP submission. Submissions with attached White Papers will receive additional consideration.

Q: What if I have a co-author who is not presenting. How do I cite the person(s)?

A: All co-authors and works that have been used should be cited in a detailed bibliography that will be published on the Conference CD.

Q: I have been accepted and would like to add co-presenters. Can I still do this?

A: No. Co-presenters should have been added at the time that the Presentation was submitted. They may attend the conference and present if they register as any other participant.

Q: My PR company/friends/co-workers/family would like to come see me give my presentation. Will they be allowed in for free?

A: Yes, but they need to register on the conference web site as any other conference participant.

Q. I have more questions

A: Email appsec.brasil@camara.gov.br concerning this event.