Front Range Web Application Security Summit Planning
The purpose of this page is to provide a workspace for Denver/Boulder OWASP members to collaborate and plan the upcoming Front Range Web Application Security Summit. It is official, and we have the meeting space reservation to prove it!
Date: June 10, 2008
Location: Tivoli Baerresen Conference Rooms (located on the Auraria Campus in Downtown Denver), 900 Auraria Parkway, Denver, CO 80204
Call For Papers
We are seeking presentations for both the Technical and Management tracks at the June 10th conference. A Call For Papers has been issued. The deadline for submissions is March 28th, and speakers who are selected will be notified the week of March 31st. Please download the Call for Papers here
The purpose of the Front Range Web Application Security Summit is to provide a one-day workshop/conference during which individuals and organizations interested in Web Application Security can congregate to transfer knowledge, increase awareness of application layer security in the enterprise, and meet other like-minded individuals.
Guiding Principles
- No vendor soap boxes
- Open, friendly environment
- High quality content, professional delivery
FROC08 Proposed Schedule – June 10th 2008
PLEASE NOTE: This is just a notional schedule. Speaker times/dates/topics WILL change once we have a full agenda.
June 10th, 2008

| Time | Tech Track | Management Track |
|---|---|---|
| 08:00-09:00 | Registration Opens and Tech Expo | (both tracks) |
| 09:30-10:30 | Opening Keynote - Not Just Another Security Conference - Ed Bellis, Chief Information Security Officer for Orbitz Worldwide | (both tracks) |
| 10:00-11:00 | Business Logic Flaws – Seven Deadly Web Exploits - Jeremiah Grossman | |
| 11:00-12:00 | The Evolution of Application Security in Online Banking | |
| 12:00-13:00 | 1 HR BREAK / TECH EXPO / LUNCH BREAK | (both tracks) |
| 13:00-14:15 | Web Browser (In)-Security - "Past, Present, and Future" - Robert Hansen | Threat Modeling - Microsoft ACE Team |
| 14:30-15:30 | "Abusing SSL VPNs & Open Reverse Proxies" - Mike Zusman | Panel Discussion "Best-practices and lessons learned from integrating security into the SDLC" - speaker list to be announced |
| 15:40-16:00 | Closing keynote - speaker and topic tbd; Raffles & Awards | (both tracks) |
| 16:00-16:45 | After-conference refreshments (at Tivoli) | (both tracks) |
| 17:00+ | (tbd) Reception/after-conference mixer | (both tracks) |
Project Manager: Dariush Rusta
Overall planning and coordination: Kathy Thaxton kthaxton at businesspartnersolutions d0t c0m
Tech track lead: David Campbell (dcampbell at owasp dot org)
Management track lead: tbd
Project Planning Site (Basecamp login required)
Speaker Bios and Presentation Summaries
Ed Bellis, CISO, Orbitz Worldwide - Opening Keynote
Ed is responsible for the protection and security of all information and electronic assets as well as compliance and ethics across the wide array of business units that make up Orbitz Worldwide on a global basis. These assets include Orbitz, CheapTickets, eBookers, Away.com, HotelClub, RatesToGo, AsiaHotels, and Orbitz for Business.
With over 15 years of experience in information security and technology, Ed has worked with and been involved in protecting information assets at several Fortune 500 companies. Prior to joining Orbitz, Ed served as VP of Corporate Information Security for Bank of America within their Global Corporate and Investment Banking division. His credentials also include several security technology and management roles at organizations such as Ernst & Young, Ford Motor Company, and Young & Rubicam. Ed is a CISSP, CISM, a contributor to the ISM Community, and a member of ISC2, ISACA and the Chicago chapter of the ISSA.
Ed is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as The MIS Institute, The Association of Information Technology Professionals, Technology Executives Club, and the National Business Travel Association.
Robert Hansen, CEO and Founder of SecTheory - Web Browser (In)-Security - "Past, Present, and Future"
Robert Hansen (CISSP) is the CEO and Founder of SecTheory. He has worked for Digital Island, Exodus Communications and Cable & Wireless in roles ranging from Sr. Security Architect to product manager for many of the managed security services product lines. He also worked at eBay as a Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-DHTML malware and anti-virus strategies. Later he worked as a director of product management for Realtor.com. Robert sits on the advisory boards of the Intrepidus Group and Just Thrive, previously sat on the technical advisory board of ClickForensics, and currently contributes to the security strategy of several startup companies.
Mr. Hansen authors content on Dark Reading and co-authored "XSS Exploits" from Syngress Publishing. He sits on the NIST.gov Software Assurance Metrics and Tool Evaluation group focusing on web application security scanners and on the Web Application Security Scanners Evaluation Criteria (WASC-WASSEC) group. He also speaks at SourceBoston, Toorcon, APWG, ISSA, OWASP/WASC, Microsoft's Bluehat, Blackhat and Networld+Interop. Mr. Hansen is a member of Infragard, the Austin Chamber of Commerce, West Austin Rotary, WASC, IACSP and APWG; he is the Industry Liaison for the Austin ISSA and contributed to the OWASP 2.0 guide.
Summary: Browser security is one of the least understood but most important aspects of modern security. Browsers are ubiquitous and highly insecure. They are similar enough that many exploits work across browsers, yet different enough that it is difficult for websites to protect themselves. This talk will cover the history of browser security, where it is today, and where it needs to go in the future.
Mike Zusman, Sr Consultant, Intrepidus Group - Abusing SSL VPNs & Open Reverse Proxies
Mike Zusman is a Senior Consultant for the Intrepidus Group. Prior to joining Intrepidus Group, Mr. Zusman held the positions of Escalation Engineer at Whale Communications (a Microsoft subsidiary), Security Program Manager at Automatic Data Processing, and lead architect & developer at a number of smaller firms.
In addition to his corporate experience, Mr. Zusman is an independent security researcher, and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors and other clients.
Mike has also founded a number of successful entrepreneurial ventures including Global Uplink Solutions Incorporated (hosting division acquired by Flare Technologies in 2005) and Dish Uplink LLC, a leader in satellite TV subscription activations in the US.
Mike holds the CISSP certification.
Summary: Internet-facing SSL VPNs and Open Reverse Proxies can be abused to perform reconnaissance, data extraction, or general mischief INSIDE the Corporate Intranet and on SSL VPN clients. This presentation will discuss programming and infrastructure flaws permitting this abuse as well as countermeasures.