Difference between revisions of "OWASP AppSec DC 2009"

From OWASP
Jump to: navigation, search
(testing links on sponsor images)
(Trying Links on Sponsor Images again)
Line 3: Line 3:
 
[[Image:Dc09.png]]  
 
[[Image:Dc09.png]]  
  
[http://www.dcconvention.com/ Walter E. Washington Convention Center] | [http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c Registration]
+
[http://www.dcconvention.com/ Walter E. Washington Convention Center] | [http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c Registration]  
  
 +
<br> ====Welcome==== <!-- Header -->
  
====Welcome====
+
{| style="width: 100%;"
<!-- Header -->
+
{|style="width:100%"
+
|style="width:100%;color:#000"|
+
 
+
{|style="width:100%;border:solid 0px;background:none"
+
 
|-
 
|-
|style="width:95%;color:#000" |
+
| style="width: 100%; color: rgb(0, 0, 0);" |
 +
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"
 +
|-
 +
| style="width: 95%; color: rgb(0, 0, 0);" |  
 +
'''Press Release August 20th 2009 -- [http://www.owasp.org/images/4/4d/Press_Release_AppSec_DC_August_20th_2009.pdf Speaker Agenda Released and Registration Open!]'''
  
'''Press Release August 20th 2009 -- [http://www.owasp.org/images/4/4d/Press_Release_AppSec_DC_August_20th_2009.pdf Speaker Agenda Released and Registration Open!]'''
+
We are pleased to announce that the [http://www.owasp.org/index.php/Washington_DC OWASP DC chapter] will host the OWASP AppSec 2009 conference in Washington, DC. The AppSec DC OWASP Conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.
  
We are pleased to announce that the [http://www.owasp.org/index.php/Washington_DC OWASP DC chapter] will host the OWASP AppSec 2009 conference in Washington, DC.  The AppSec DC OWASP Conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.
+
AppSec DC 2009 will be held at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] ([http://maps.google.com/maps?q=801+Mount+Vernon+Place+NW+Washington,+DC+20001&oe=utf-8&client=firefox-a&ie=UTF8&split=0&gl=us&ei=kSntSYT5B5WOMvOWzPUP&ll=38.904977,-77.022979&spn=0.00895,0.019977&z=16&iwloc=A 801 Mount Vernon Place NW Washington, DC 20001]) on November 10th through 13th 2009.  
  
AppSec DC 2009 will be held at the [http://www.dcconvention.com/ Walter E. Washington Convention Center] ([http://maps.google.com/maps?q=801+Mount+Vernon+Place+NW+Washington,+DC+20001&oe=utf-8&client=firefox-a&ie=UTF8&split=0&gl=us&ei=kSntSYT5B5WOMvOWzPUP&ll=38.904977,-77.022979&spn=0.00895,0.019977&z=16&iwloc=A 801 Mount Vernon Place NW Washington, DC 20001]) on November 10th through 13th 2009. 
+
'''Who Should Attend AppSec DC 2009:'''
  
'''Who Should Attend AppSec DC 2009:'''
+
*Application Developers  
 
+
*Application Testers and Quality Assurance  
*Application Developers
+
*Application Project Management and Staff  
*Application Testers and Quality Assurance
+
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff  
*Application Project Management and Staff
+
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance  
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
+
*Security Managers and Staff  
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
+
*Executives, Managers, and Staff Responsible for IT Security Governance  
*Security Managers and Staff
+
*Executives, Managers, and Staff Responsible for IT Security Governance
+
 
*IT Professionals Interesting in Improving IT Security<br>
 
*IT Professionals Interesting in Improving IT Security<br>
  
 +
<br> '''The full AppSecDC Schedule can be found [[AppSecDC Schedule 09|here]].'''
  
'''The full AppSecDC Schedule can be found [[AppSecDC Schedule 09|here]].'''
+
'''You can register for the conference [http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c here].'''  
  
'''You can register for the conference [http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c here].'''
+
<!-- Gay mediawiki needs all these spaces -->
  
 +
<br>
  
<!-- Gay mediawiki needs all these spaces -->
+
|}
  
 +
<!-- Twitter Box -->
  
 
+
| style="border: 0px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0);" | <!-- DON'T REMOVE ME, I'M STRUCTURAL -->  
|}
+
[[Image:Threestarforsite.png]]  
 
+
<!-- Twitter Box -->
+
|style="width:100%;font-size:95%;color:#000;border:0px solid #ccc"|
+
<!-- DON'T REMOVE ME, I'M STRUCTURAL -->
+
[[Image:Threestarforsite.png]]
+
  
 
{|
 
{|
 +
|-
 
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |  
 
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |  
 
Use the '''[http://search.twitter.com/search?q=%23AppSecDC #AppSecDC]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?)  
 
Use the '''[http://search.twitter.com/search?q=%23AppSecDC #AppSecDC]''' hashtag for your tweets (What are [http://hashtags.org/ hashtags]?)  
  
'''@AppSecDC09 Twitter Feed ([http://twitter.com/AppSecDC09 follow us on Twitter!])''' <twitter>34534108</twitter>
+
'''@AppSecDC09 Twitter Feed ([http://twitter.com/AppSecDC09 follow us on Twitter!])''' <twitter>34534108</twitter>  
  
 
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |  
 
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |  
 
|}
 
|}
  
|style="width:110px;font-size:95%;color:#000"|
+
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |  
|}  
+
|}
<!-- End Banner -->
+
<!-- End Banner -->  
 
+
 
==== Registration  ====
 
==== Registration  ====
  
== [http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c Registration] is now open! ==
+
== [http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c Registration] is now open! ==
  
=== You can register [http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c here] ===
+
=== You can register [http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c here] ===
  
 
Current pricing reflects an "Early Bird" discount of $50 off the at the door price of $395.  
 
Current pricing reflects an "Early Bird" discount of $50 off the at the door price of $395.  
  
OWASP [[membership]] ($50 annual membership fee) gets you a discount of $50.  
+
OWASP [[Membership]] ($50 annual membership fee) gets you a discount of $50.  
  
 
{|
 
{|
Line 83: Line 79:
 
| Students
 
| Students
 
|-
 
|-
| $1350
+
| $1350  
 
| 2-Day Training Course
 
| 2-Day Training Course
 
|-
 
|-
| $650
+
| $650  
 
| 1-Day Training Course
 
| 1-Day Training Course
 
|}
 
|}
<br>[[OWASP_AppSec_DC_2009#tab=Training | Go here for details on the training courses that are available.]]
 
  
'''Who Should Attend AppSec DC 2009:'''
+
<br>[[OWASP AppSec DC 2009#tab.3DTraining|Go here for details on the training courses that are available.]]
  
*Application Developers
+
'''Who Should Attend AppSec DC 2009:'''
*Application Testers and Quality Assurance
+
 
*Application Project Management and Staff
+
*Application Developers  
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
+
*Application Testers and Quality Assurance  
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
+
*Application Project Management and Staff  
*Security Managers and Staff
+
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff  
*Executives, Managers, and Staff Responsible for IT Security Governance
+
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance  
 +
*Security Managers and Staff  
 +
*Executives, Managers, and Staff Responsible for IT Security Governance  
 
*IT Professionals Interesting in Improving IT Security<br>
 
*IT Professionals Interesting in Improving IT Security<br>
  
Line 106: Line 103:
 
==== Volunteer  ====
 
==== Volunteer  ====
  
== Volunteers Needed! ==
+
== Volunteers Needed! ==
  
 
Get involved!  
 
Get involved!  
Line 112: Line 109:
 
We will take all the help we can get to pull off the best Web Application Security Conference of the year!  
 
We will take all the help we can get to pull off the best Web Application Security Conference of the year!  
  
Please contact the appropriate arch-minion to volunteer for a specific area:
+
Please contact the appropriate arch-minion to volunteer for a specific area:  
  
*Security -- [mailto:angel.contreras(at)owasp.org Angel Contreras]
+
*Security -- [mailto:angel.contreras(at)owasp.org Angel Contreras]  
 
*Speakers and Trainers -- [mailto:wade.woolwine(at)owasp.org Wade Woolwine], [mailto:jeremy.long(at)owasp.org Jeremy Long] and [mailto:josh.feinblum(at)owasp.org Josh Feinblum]  
 
*Speakers and Trainers -- [mailto:wade.woolwine(at)owasp.org Wade Woolwine], [mailto:jeremy.long(at)owasp.org Jeremy Long] and [mailto:josh.feinblum(at)owasp.org Josh Feinblum]  
*Vendors -- [mailto:dave.sachdev(at)owasp.org Dave Sachdev]
+
*Vendors -- [mailto:dave.sachdev(at)owasp.org Dave Sachdev]  
 
*Facilities -- [mailto:doug.wilson(at)owasp.org Doug Wilson] and [mailto:barry.austin(at)owasp.org Barry Austin]
 
*Facilities -- [mailto:doug.wilson(at)owasp.org Doug Wilson] and [mailto:barry.austin(at)owasp.org Barry Austin]
  
More opportunities and areas will be added as time goes on.
+
More opportunities and areas will be added as time goes on.  
  
Or, you can e-mail the organizers at mark.bristow(at)owasp.org, doug.wilson(at)owasp.org or rex.booth(at)owasp.org.
+
Or, you can e-mail the organizers at mark.bristow(at)owasp.org, doug.wilson(at)owasp.org or rex.booth(at)owasp.org.  
  
Or email appsec_us_09(at)lists.owasp.org or [https://lists.owasp.org/mailman/listinfo/appsec_us_09 sign up] for the mailing list!
+
Or email appsec_us_09(at)lists.owasp.org or [https://lists.owasp.org/mailman/listinfo/appsec_us_09 sign up] for the mailing list!  
  
 
==== Schedule  ====
 
==== Schedule  ====
Line 129: Line 126:
 
{| cellspacing="0" border="2"
 
{| cellspacing="0" border="2"
 
|- valign="middle"
 
|- valign="middle"
| height="60" align="center" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="5" | <font size="5">'''Day 1 - Nov 12th 2009'''</font>
+
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Day 1 - Nov 12th 2009'''</font>
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="40" width="67" bgcolor="#7b8abd" | &nbsp;  
+
| width="67" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp;  
| valign="middle" height="40" width="200" bgcolor="#c0a0a0" align="center" | '''OWASP'''  
+
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''OWASP'''  
| valign="middle" height="40" width="200" bgcolor="#ffdf80" align="center" | '''Tools'''  
+
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Tools'''  
| valign="middle" height="40" width="200" bgcolor="#a0c0e0" align="center" | '''SDLC'''  
+
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''SDLC'''  
| valign="middle" height="40" width="200" bgcolor="#b3ff99" align="center" | '''Web 2.0'''
+
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Web 2.0'''
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" width="67" bgcolor="#7b8abd" | 07:30-09:00  
+
| width="67" valign="middle" bgcolor="#7b8abd" | 07:30-09:00  
 
| valign="middle" bgcolor="#909090" align="center" colspan="4" | Registration
 
| valign="middle" bgcolor="#909090" align="center" colspan="4" | Registration
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" width="67" bgcolor="#7b8abd" | 08:45-09:00  
+
| width="67" valign="middle" bgcolor="#7b8abd" | 08:45-09:00  
 
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Welcome and Opening Remarks
 
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Welcome and Opening Remarks
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" width="67" bgcolor="#7b8abd" | 09:00-10:00  
+
| width="67" valign="middle" bgcolor="#7b8abd" | 09:00-10:00  
 
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Keynote: [[AppSecDC Keynote Jarzomnek|Joe Jarzombek]]
 
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Keynote: [[AppSecDC Keynote Jarzomnek|Joe Jarzombek]]
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" width="67" bgcolor="#7b8abd" | 10:30-10:30  
+
| width="67" valign="middle" bgcolor="#7b8abd" | 10:30-10:30  
 
| valign="middle" height="30" bgcolor="#909090" align="center" colspan="4" | Coffee Break &amp; Room Change
 
| valign="middle" height="30" bgcolor="#909090" align="center" colspan="4" | Coffee Break &amp; Room Change
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" width="67" bgcolor="#7b8abd" | 10:30-11:30  
+
| width="67" valign="middle" bgcolor="#7b8abd" | 10:30-11:30  
| valign="middle" height="120" width="200" bgcolor="#c0a0a0" align="center" | [[OWASP ESAPI AppSecDC|OWASP ESAPI]]<br>Jeff Williams  
+
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[OWASP ESAPI AppSecDC|OWASP ESAPI]]<br>Jeff Williams  
| valign="middle" height="120" width="200" bgcolor="#ffdf80" align="center" | [[Clubbing WebApps with a Botnet]]<br>Gunter Ollmann  
+
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Clubbing WebApps with a Botnet]]<br>Gunter Ollmann  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" | [[Development Issues Within AJAX Applications: How to Divert Threats]]<br>Lars Ewe  
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Development Issues Within AJAX Applications: How to Divert Threats]]<br>Lars Ewe  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" | [[Understanding the Implications of Cloud Computing on Application Security]]<br>Dennis Hurst
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Understanding the Implications of Cloud Computing on Application Security]]<br>Dennis Hurst
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="120" width="67" bgcolor="#7b8abd" | 11:30-12:30  
+
| width="67" valign="middle" height="120" bgcolor="#7b8abd" | 11:30-12:30  
| valign="middle" height="120" width="200" bgcolor="#c0a0a0" align="center" | [[Software Assurance Maturity Model (SAMM)]]<br>Pravir Chandra  
+
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Software Assurance Maturity Model (SAMM)]]<br>Pravir Chandra  
| valign="middle" height="120" width="200" bgcolor="#ffdf80" align="center" | [[The Case of Promiscuous Parameters and Other Ongoing Capers in Web Security]]<br>Jacob West  
+
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[The Case of Promiscuous Parameters and Other Ongoing Capers in Web Security]]<br>Jacob West  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" | [[Enterprise Application Security - GE's approach to solving root cause and establishing a Center of Excellence|Enterprise Application Security - GE's approach to solving root cause]]<br>Darren Challey  
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Enterprise Application Security - GE's approach to solving root cause and establishing a Center of Excellence|Enterprise Application Security - GE's approach to solving root cause]]<br>Darren Challey  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" | [[Transparent Proxy Abuse]]<br>Robert Auger
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Transparent Proxy Abuse]]<br>Robert Auger
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="120" width="67" bgcolor="#7b8abd" | 12:30-13:30  
+
| width="67" valign="middle" height="120" bgcolor="#7b8abd" | 12:30-13:30  
| valign="middle" height="120" width="200" bgcolor="#c0a0a0" align="center" | [[DISA's Application Security and Development STIG: How OWASP Can Help You]]<br>Jason Li  
+
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[DISA's Application Security and Development STIG: How OWASP Can Help You]]<br>Jason Li  
| valign="middle" height="120" width="200" bgcolor="#ffdf80" align="center" | [[OWASP ModSecurity Core Rule Set Project]]<br>Ryan C. Barnett  
+
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[OWASP ModSecurity Core Rule Set Project]]<br>Ryan C. Barnett  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" | [[The essential role of infosec in secure software development]]<br>Kenneth R. van Wyk  
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[The essential role of infosec in secure software development]]<br>Kenneth R. van Wyk  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" | [[Fracturing Flex For Fun- An Alliterative Attackers Approach]]<br>Jon Rose/Kevin Stadmeyer
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Fracturing Flex For Fun- An Alliterative Attackers Approach]]<br>Jon Rose/Kevin Stadmeyer
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="60" width="67" bgcolor="#7b8abd" | 13:30-14:30  
+
| width="67" valign="middle" height="60" bgcolor="#7b8abd" | 13:30-14:30  
 
| valign="middle" height="60" bgcolor="#909090" align="center" colspan="4" | Lunch
 
| valign="middle" height="60" bgcolor="#909090" align="center" colspan="4" | Lunch
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="120" width="67" bgcolor="#7b8abd" | 14:30-15:30  
+
| width="67" valign="middle" height="120" bgcolor="#7b8abd" | 14:30-15:30  
| valign="middle" height="60" width="200" bgcolor="#c0a0a0" align="center" | [[Defend Yourself: Integrating Real Time Defenses into Online Applications]]<br>Michael Coates  
+
| width="200" valign="middle" height="60" bgcolor="#c0a0a0" align="center" | [[Defend Yourself: Integrating Real Time Defenses into Online Applications]]<br>Michael Coates  
| valign="middle" height="60" width="200" bgcolor="#ffdf80" align="center" | [[Finding the Hotspots: Web-security testing with the Watcher tool]]<br>Chris Weber  
+
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[Finding the Hotspots: Web-security testing with the Watcher tool]]<br>Chris Weber  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" rowspan="3" | [[SDLC Pannel AppSecDC|SDLC Panel]]  
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" rowspan="3" | [[SDLC Pannel AppSecDC|SDLC Panel]]  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" | [[Social Zombies: Your Friends Want to Eat Your Brains]]<br>Tom Eston/Kevin Johnson
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Social Zombies: Your Friends Want to Eat Your Brains]]<br>Tom Eston/Kevin Johnson
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="120" width="67" bgcolor="#7b8abd" rowspan="2" | 15:30-16:30  
+
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2" | 15:30-16:30  
| valign="middle" height="120" width="200" bgcolor="#c0a0a0" align="center" rowspan="2" | [[The ESAPI Web Application Firewall (ESAPI WAF)|The ESAPI Web Application Firewall]]<br>Arshan Dabirsiaghi  
+
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="2" | [[The ESAPI Web Application Firewall (ESAPI WAF)|The ESAPI Web Application Firewall]]<br>Arshan Dabirsiaghi  
| valign="middle" height="60" width="200" bgcolor="#ffdf80" align="center" | [[One Click Ownage]]<br>Ferruh Mavituna  
+
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[One Click Ownage]]<br>Ferruh Mavituna  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" rowspan="2" | [[Cloudy with a chance of 0-day]]<br>Jon Rose/Tom Leavey
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[Cloudy with a chance of 0-day]]<br>Jon Rose/Tom Leavey
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="60" width="200" bgcolor="#ffdf80" align="center" | [[Web Application Security Scanner Evaluation Criteria]]<br>Brian Shura
+
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[Web Application Security Scanner Evaluation Criteria]]<br>Brian Shura
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="120" width="67" bgcolor="#7b8abd" rowspan="2" | 16:30-17:30  
+
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2" | 16:30-17:30  
| valign="middle" height="120" width="200" bgcolor="#c0a0a0" align="center" rowspan="2" | [[OWASP Live CD: An open environment for Web Application Security]]<br>Matt Tesauro / Brad Causey  
+
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="2" | [[OWASP Live CD: An open environment for Web Application Security]]<br>Matt Tesauro / Brad Causey  
| valign="middle" height="60" width="200" bgcolor="#ffdf80" align="center" | [[Learning by Breaking: A New Project Insecure Web Apps]]<br>Chuck Willis  
+
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[Learning by Breaking: A New Project Insecure Web Apps]]<br>Chuck Willis  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" rowspan="2" | [[Vulnerability Management in an Application Security World]]<br>Dan Cornell  
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" rowspan="2" | [[Vulnerability Management in an Application Security World]]<br>Dan Cornell  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" rowspan="2" | [[Attacking WCF Web Services]]<br>Brian Holyfield
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[Attacking WCF Web Services]]<br>Brian Holyfield
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="60" width="200" bgcolor="#ffdf80" align="center" | [[Synergy! A world where the tools communicate]]<br>  
+
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[Synergy! A world where the tools communicate]]<br>  
 
Josh Abraham  
 
Josh Abraham  
  
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="120" width="67" bgcolor="#7b8abd" rowspan="2" | 17:30-18:30  
+
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2" | 17:30-18:30  
| valign="middle" height="120" width="200" bgcolor="#c0a0a0" align="center" rowspan="2" | [[The Entrepreneur's Guide to Career Management]]<br>Lee Kushner  
+
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="2" | [[The Entrepreneur's Guide to Career Management]]<br>Lee Kushner  
| valign="middle" height="60" width="200" bgcolor="#ffdf80" align="center" | [[Advanced SSL: The good, the bad, and the ugly]]<br>Michael Coats  
+
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[Advanced SSL: The good, the bad, and the ugly]]<br>Michael Coats  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" rowspan="2" | [[Threat Modeling by John Steven|Threat Modeling]]<br>John Steven  
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" rowspan="2" | [[Threat Modeling by John Steven|Threat Modeling]]<br>John Steven  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" rowspan="2" | [[When Web 2.0 Attacks - Understanding Security Implications of AJAX, Flash and "Highly Interactive" Technologies]]<br>Rafal Los
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[When Web 2.0 Attacks - Understanding Security Implications of AJAX, Flash and |When Web 2.0 Attacks - Understanding Security Implications of AJAX, Flash and "Highly Interactive" Technologies]]<br>Rafal Los
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="60" width="200" bgcolor="#ffdf80" align="center" | [[User input piercing for Cross Site Scripting Attacks]]<br>Matias Blanco
+
| width="200" valign="middle" height="60" bgcolor="#ffdf80" align="center" | [[User input piercing for Cross Site Scripting Attacks]]<br>Matias Blanco
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="60" width="67" bgcolor="#7b8abd" | 19:00-????  
+
| width="67" valign="middle" height="60" bgcolor="#7b8abd" | 19:00-????  
 
| valign="middle" height="60" bgcolor="#c0c0c0" align="center" colspan="4" | Reception <!-- Day 2 -->
 
| valign="middle" height="60" bgcolor="#c0c0c0" align="center" colspan="4" | Reception <!-- Day 2 -->
 
|- valign="middle"
 
|- valign="middle"
 
| height="60" colspan="5" |  
 
| height="60" colspan="5" |  
 
|- valign="middle"
 
|- valign="middle"
| height="60" align="center" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" colspan="5" | <font size="5">'''Day 2 - Nov 13th 2009'''</font>
+
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Day 2 - Nov 13th 2009'''</font>
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="40" width="67" bgcolor="#7b8abd" | &nbsp;  
+
| width="67" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp;  
| valign="middle" height="40" width="200" bgcolor="#c0a0a0" align="center" | '''Attack &amp; Defend'''  
+
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Attack &amp; Defend'''  
| valign="middle" height="40" width="200" bgcolor="#ffdf80" align="center" | '''Process'''  
+
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Process'''  
| valign="middle" height="40" width="200" bgcolor="#a0c0e0" align="center" | '''Metrics'''  
+
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''Metrics'''  
| valign="middle" height="40" width="200" bgcolor="#b3ff99" align="center" | '''Compliance'''
+
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Compliance'''
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" width="67" bgcolor="#7b8abd" | 07:30-09:00  
+
| width="67" valign="middle" bgcolor="#7b8abd" | 07:30-09:00  
 
| valign="middle" bgcolor="#909090" align="center" colspan="4" | Registration
 
| valign="middle" bgcolor="#909090" align="center" colspan="4" | Registration
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" width="67" bgcolor="#7b8abd" | 09:00-10:00  
+
| width="67" valign="middle" bgcolor="#7b8abd" | 09:00-10:00  
 
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Keynote: TBA
 
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Keynote: TBA
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" width="67" bgcolor="#7b8abd" | 10:30-10:30  
+
| width="67" valign="middle" bgcolor="#7b8abd" | 10:30-10:30  
 
| valign="middle" height="30" bgcolor="#909090" align="center" colspan="4" | Coffee Break &amp; Room Change
 
| valign="middle" height="30" bgcolor="#909090" align="center" colspan="4" | Coffee Break &amp; Room Change
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" width="67" bgcolor="#7b8abd" | 10:30-11:30  
+
| width="67" valign="middle" bgcolor="#7b8abd" | 10:30-11:30  
| valign="middle" height="120" width="200" bgcolor="#c0a0a0" align="center" | [[Securing the Core JEE Patterns]]<br>Rohit Sethi/Krishna Raja  
+
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Securing the Core JEE Patterns]]<br>Rohit Sethi/Krishna Raja  
| valign="middle" height="120" width="200" bgcolor="#ffdf80" align="center" | [[The Big Picture: Web Risks and Assessments Beyond Scanning]]<br>Matt Fisher  
+
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[The Big Picture: Web Risks and Assessments Beyond Scanning]]<br>Matt Fisher  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" | [[The Web Hacking Incidents Database]]<br>Ryan C. Barnett  
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[The Web Hacking Incidents Database]]<br>Ryan C. Barnett  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" | [[Business Logic Automatons: Friend or Foe?]]<br>Ofer Shezaf
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Business Logic Automatons: Friend or Foe?]]<br>Ofer Shezaf
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="120" width="67" bgcolor="#7b8abd" | 11:30-12:30  
+
| width="67" valign="middle" height="120" bgcolor="#7b8abd" | 11:30-12:30  
| valign="middle" height="120" width="200" bgcolor="#c0a0a0" align="center" | [[Unicode Transformations: Finding Elusive Vulnerabilities]]<br>Chris Weber  
+
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Unicode Transformations: Finding Elusive Vulnerabilities]]<br>Chris Weber  
| valign="middle" height="120" width="200" bgcolor="#ffdf80" align="center" | [[Scalable Application Assessments in the Enterprise]]<br>Tom Parker/Lars Ewe  
+
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Scalable Application Assessments in the Enterprise]]<br>Tom Parker/Lars Ewe  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" | [[Application security metrics from the organization on down to the vulnerabilities]]<br>Chris Wysopal  
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Application security metrics from the organization on down to the vulnerabilities]]<br>Chris Wysopal  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" | [[SCAP: Automating our way out of the Vulnerability Wheel of Pain]]<br>Ed Bellis
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[SCAP: Automating our way out of the Vulnerability Wheel of Pain]]<br>Ed Bellis
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="120" width="67" bgcolor="#7b8abd" | 12:30-13:30  
+
| width="67" valign="middle" height="120" bgcolor="#7b8abd" | 12:30-13:30  
| valign="middle" height="120" width="200" bgcolor="#c0a0a0" align="center" | [[Fox in the Henhouse: Java Rootkits]]<br>Jeff Williams  
+
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Fox in the Henhouse: Java Rootkits]]<br>Jeff Williams  
| valign="middle" height="120" width="200" bgcolor="#ffdf80" align="center" | [[Secure Software Updates: Update Like Conficker]]<br>Jeremy Allen  
+
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Secure Software Updates: Update Like Conficker]]<br>Jeremy Allen  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" | [[OWASP Top 10 2009 AppSecDC|OWASP Top 10 2009]]<br>Dave Wichers  
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP Top 10 2009 AppSecDC|OWASP Top 10 2009]]<br>Dave Wichers  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" | [[Secure SDLC: The Good, The Bad, and The Ugly]]<br>Joey Peloquin
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Secure SDLC: The Good, The Bad, and The Ugly]]<br>Joey Peloquin
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="60" width="67" bgcolor="#7b8abd" | 13:30-14:30  
+
| width="67" valign="middle" height="60" bgcolor="#7b8abd" | 13:30-14:30  
 
| valign="middle" height="60" bgcolor="#909090" align="center" colspan="4" | Lunch
 
| valign="middle" height="60" bgcolor="#909090" align="center" colspan="4" | Lunch
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="120" width="67" bgcolor="#7b8abd" | 14:30-15:30  
+
| width="67" valign="middle" height="120" bgcolor="#7b8abd" | 14:30-15:30  
| valign="middle" height="120" width="200" bgcolor="#c0a0a0" align="center" | [[The 10 least-likely and most dangerous people on the Internet]]<br>Robert Hansen  
+
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[The 10 least-likely and most dangerous people on the Internet]]<br>Robert Hansen  
| valign="middle" height="120" width="200" bgcolor="#ffdf80" align="center" | [[Improving application security after an incident]]<br>Cory Scott  
+
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Improving application security after an incident]]<br>Cory Scott  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" | [[Hacking by Numbers]]<br>Tom Brennan  
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Hacking by Numbers]]<br>Tom Brennan  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" rowspan="2" | [[AppSecDC09 Federal CIO Pannel|Federal CIO Pannel]]
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[AppSecDC09 Federal CIO Pannel|Federal CIO Pannel]]
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="120" width="67" bgcolor="#7b8abd" | 15:30-16:30  
+
| width="67" valign="middle" height="120" bgcolor="#7b8abd" | 15:30-16:30  
| valign="middle" height="120" width="200" bgcolor="#c0a0a0" align="center" | [[Automated vs. Manual Security: You can't filter The Stupid]]<br>David Byrne/Charles Henderson  
+
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Automated vs. Manual Security: You can't filter The Stupid]]<br>David Byrne/Charles Henderson  
| valign="middle" height="120" width="200" bgcolor="#ffdf80" align="center" | [[Custom Intrusion Detection Techniques for Monitoring Web Applications]]<br>Matthew Olney  
+
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Custom Intrusion Detection Techniques for Monitoring Web Applications]]<br>Matthew Olney  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" | [[Building an in-house application security assessment team]]<br>Keith Turpin
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Building an in-house application security assessment team]]<br>Keith Turpin
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="120" width="67" bgcolor="#7b8abd" | 16:30-17:30  
+
| width="67" valign="middle" height="120" bgcolor="#7b8abd" | 16:30-17:30  
| valign="middle" height="120" width="200" bgcolor="#c0a0a0" align="center" | [[Advanced SQL Injection]]<br>Joe McCray  
+
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Advanced SQL Injection]]<br>Joe McCray  
| valign="middle" height="120" width="200" bgcolor="#ffdf80" align="center" | [[Is your organization secured against internal threats?]]<br>Lars Ewe  
+
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Is your organization secured against internal threats?]]<br>Lars Ewe  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" | [[The OWASP Security Spending Benchmarks Project]]<br>Dr. Boaz Gelbord  
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[The OWASP Security Spending Benchmarks Project]]<br>Dr. Boaz Gelbord  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" | [[Promoting Application Security within Federal Government]]<br>Sarbari Gupta
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Promoting Application Security within Federal Government]]<br>Sarbari Gupta
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="120" width="67" bgcolor="#7b8abd" rowspan="2" | 17:30-18:30  
+
| width="67" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2" | 17:30-18:30  
| valign="middle" height="60" width="200" bgcolor="#c0a0a0" align="center" | [[Manipulating Web Application Interfaces, a new approach to input validation]]<br>Felipe Moreno-Strauch  
+
| width="200" valign="middle" height="60" bgcolor="#c0a0a0" align="center" | [[Manipulating Web Application Interfaces, a new approach to input validation]]<br>Felipe Moreno-Strauch  
| valign="middle" height="120" width="200" bgcolor="#ffdf80" align="center" rowspan="2" | [[Deploying Secure Web Applications with OWASP Resources]]<br>Kuai Hinojosa  
+
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Deploying Secure Web Applications with OWASP Resources]]<br>Kuai Hinojosa  
| valign="middle" height="120" width="200" bgcolor="#a0c0e0" align="center" rowspan="2" | [[SANS Dshield Webhoneypot Project]]<br>Jason Lam  
+
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" rowspan="2" | [[SANS Dshield Webhoneypot Project]]<br>Jason Lam  
| valign="middle" height="120" width="200" bgcolor="#b3ff99" align="center" rowspan="2" | [[Techniques in Attacking and Defending XML/Web Services]]<br>Mamoon Yunus/Jason Macy
+
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[Techniques in Attacking and Defending XML/Web Services]]<br>Mamoon Yunus/Jason Macy
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="60" width="200" bgcolor="#c0a0a0" align="center" | [[Injectable Exploits: Two New Tools for Pwning Web Apps and Browsers]]<br>Kevin Johnson, Justin Searle, Frank DiMaggio
+
| width="200" valign="middle" height="60" bgcolor="#c0a0a0" align="center" | [[Injectable Exploits: Two New Tools for Pwning Web Apps and Browsers]]<br>Kevin Johnson, Justin Searle, Frank DiMaggio
 
|- valign="bottom"
 
|- valign="bottom"
| valign="middle" height="60" width="67" bgcolor="#7b8abd" | 18:30-19:00  
+
| width="67" valign="middle" height="60" bgcolor="#7b8abd" | 18:30-19:00  
| valign="middle" height="60" bgcolor="#c0c0c0" align="center" colspan="4" | Closing Remarks  
+
| valign="middle" height="60" bgcolor="#c0c0c0" align="center" colspan="4" | Closing Remarks
 
|}
 
|}
  
 
==== Training  ====
 
==== Training  ====
  
There are a total of five classrooms over two days or 10 training days available at the conference. Two classrooms hold 30 students and the other three have a capacity of 24 students. The cost for two day training is $1350 USD and the cost for one day training is $650 USD.
+
There are a total of five classrooms over two days or 10 training days available at the conference. Two classrooms hold 30 students and the other three have a capacity of 24 students. The cost for two day training is $1350 USD and the cost for one day training is $650 USD.  
 
+
== 2 Day Training:  November 10 and November 11 ==
+
 
+
'''Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework'''
+
 
+
This course will focus on using open source tools to perform web application assessments.  The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-WTF).  Day one will take students through the steps and open source tools used to assess applications for vulnerabilities.  Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks.  The latest tools and techniques will be use throughout the course, including several tools developed by the trainers themselves.
+
 
+
'''Instructor:  Justin Searle:''' Justin Searle, a Senior Security Analyst with InGuardians, specializes in penetration testing and security architecture.  Previously, Justin served as JetBlue Airway’s IT Security Architect and has provided top-tier support for the largest supercomputers in the world. In his rapidly dwindling spare time, Justin co-leads prominent open source projects including The Middler, Samurai Web Testing Framework, BASE, and the social networking pentest tools: Yokoso! and Laudnum.
+
 
+
  
'''Java EE Secure Code Review'''
+
== 2 Day Training: November 10 and November 11  ==
  
The gut of any application lies in its source code.  With the ever-emerging landscape of threats and attack vectors facing today’s applications, the need for secure source code has never been greater.  In this course, students will be working with actual web application source code samples and discover how to pinpoint weaknesses, identify common security flaws, and discuss corrective coding controls.  Major application security domains will be covered, including common authentication and access control coding errors, session management vulnerabilities, identifying injection flaws, and more.  For anyone looking to learn how to identify common security weaknesses in a code base, this course is a must.
+
'''Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework'''
  
'''Instructor:  Sahba Kazerooni:'''  Sahba Kazerooni is Practice Lead of Software Security Services.  He has a strong background in Java EE architecture and development. At Security Compass, Sahba leads the Software Security Services practice which performs penetration testing, source code review, and Threat Modeling of client applications. He also plays a critical role in the development of curriculum for and delivery of Security Compass training services. He has developed and taught courses on various topics such as Secure Coding in Java EE, Exploiting and Defending Web Applications, and Application Security Awareness. Mr. Kazerooni is also an internationally-renowned speaker on security topics.  He has presented at conferences around the world including BlackHat Security Conference in Amsterdam, Security Opus in San Francisco, and IDC WebSec in Mexico City.  Sahba delivers Java secure coding training at the SANS Institute, the largest source for information security training and certification, and has also provided numerous presentations through ISC2 to their elite network of certified information security professionals.
+
This course will focus on using open source tools to perform web application assessments. The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-WTF). Day one will take students through the steps and open source tools used to assess applications for vulnerabilities. Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks. The latest tools and techniques will be use throughout the course, including several tools developed by the trainers themselves.  
  
== 1 Day Training November 10 ==
+
'''Instructor: Justin Searle:''' Justin Searle, a Senior Security Analyst with InGuardians, specializes in penetration testing and security architecture. Previously, Justin served as JetBlue Airway’s IT Security Architect and has provided top-tier support for the largest supercomputers in the world. In his rapidly dwindling spare time, Justin co-leads prominent open source projects including The Middler, Samurai Web Testing Framework, BASE, and the social networking pentest tools: Yokoso! and Laudnum.
  
'''Threat Modeling Express'''
+
<br> '''Java EE Secure Code Review'''  
The benefits of threat modeling at the design stage are well-documented, yet few organizations are able to perform this analysis technique due to time constraints. Based on our experience in real world situations, Security Compass has developed a one day approach to threat modeling .
+
  
In this class, students learn how to create a “quick and dirty” application threat model using an organization’s most valuable resource: its people. Students learn about the basics of web application security, as well as learn about and perform a real hands-on Express Threat Model. A deliverable template and list of steps will be provided as takeaways for students.
+
The gut of any application lies in its source code. With the ever-emerging landscape of threats and attack vectors facing today’s applications, the need for secure source code has never been greater. In this course, students will be working with actual web application source code samples and discover how to pinpoint weaknesses, identify common security flaws, and discuss corrective coding controls. Major application security domains will be covered, including common authentication and access control coding errors, session management vulnerabilities, identifying injection flaws, and more. For anyone looking to learn how to identify common security weaknesses in a code base, this course is a must.  
  
'''Instructor: Krishna Raja:''' Krishna Raja is an Application Security Consultant with an extensive background in J2EE application development. He has performed comprehensive security assessments for various clients, which involves threat analysis, source code inspection and runtime penetration testing.
+
'''Instructor: Sahba Kazerooni:''' Sahba Kazerooni is Practice Lead of Software Security Services. He has a strong background in Java EE architecture and development. At Security Compass, Sahba leads the Software Security Services practice which performs penetration testing, source code review, and Threat Modeling of client applications. He also plays a critical role in the development of curriculum for and delivery of Security Compass training services. He has developed and taught courses on various topics such as Secure Coding in Java EE, Exploiting and Defending Web Applications, and Application Security Awareness. Mr. Kazerooni is also an internationally-renowned speaker on security topics. He has presented at conferences around the world including BlackHat Security Conference in Amsterdam, Security Opus in San Francisco, and IDC WebSec in Mexico City. Sahba delivers Java secure coding training at the SANS Institute, the largest source for information security training and certification, and has also provided numerous presentations through ISC2 to their elite network of certified information security professionals.  
  
Mr. Raja has also been instrumental in the development and delivery of Security Compass’ training curriculum. He has developed and taught courses in Exploiting and Defending Web Applications, Application Security Awareness and Advanced Application Attacks to architects, project managers and developers across Canada and the United States.  Krishna is an emerging speaker at information security conferences, and last year spoke at Source Boston 2008 and ISSA Secure SD Symposium.
+
== 1 Day Training November 10 ==
  
 +
'''Threat Modeling Express''' The benefits of threat modeling at the design stage are well-documented, yet few organizations are able to perform this analysis technique due to time constraints. Based on our experience in real world situations, Security Compass has developed a one day approach to threat modeling .
  
'''Web 2.0 Security - SOA, Web Services, and XML'''
+
In this class, students learn how to create a “quick and dirty” application threat model using an organization’s most valuable resource: its people. Students learn about the basics of web application security, as well as learn about and perform a real hands-on Express Threat Model. A deliverable template and list of steps will be provided as takeaways for students.
  
 +
'''Instructor: Krishna Raja:''' Krishna Raja is an Application Security Consultant with an extensive background in J2EE application development. He has performed comprehensive security assessments for various clients, which involves threat analysis, source code inspection and runtime penetration testing.
  
'''Secure Coding for .Net'''
+
Mr. Raja has also been instrumental in the development and delivery of Security Compass’ training curriculum. He has developed and taught courses in Exploiting and Defending Web Applications, Application Security Awareness and Advanced Application Attacks to architects, project managers and developers across Canada and the United States. Krishna is an emerging speaker at information security conferences, and last year spoke at Source Boston 2008 and ISSA Secure SD Symposium.  
  
This highly practical, interactive course will focus on secure coding techniques and methodologies that can be immediately applied in your applications. The class uses real-world examples, walking through real code samples, using live, feature-rich applications, and showing how to hunt down, debug, and mitigate these flaws through better coding practices.
+
<br> '''Web 2.0 Security - SOA, Web Services, and XML'''
  
'''Instructor:  Whitehat'''
+
<br> '''Secure Coding for .Net'''  
  
== 1 Day Training November 11 ==
+
This highly practical, interactive course will focus on secure coding techniques and methodologies that can be immediately applied in your applications. The class uses real-world examples, walking through real code samples, using live, feature-rich applications, and showing how to hunt down, debug, and mitigate these flaws through better coding practices.
  
'''WebAppSec.php: Developing Secure Web Applications'''
+
'''Instructor: Whitehat'''  
  
Web applications are the new frontier of wide‐spread security breaches. This tutorial will guide through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types will be reviewed, along with how the proper development practices can mitigate their damage. Although the tutorial targets the security of PHP‐based applications, much of the content is applicable to other programming languages as well.
+
== 1 Day Training November 11  ==
  
'''Instructor:  Robert Zakon:''' Robert Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy, over 15 years ago. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non‐profits and government agencies on technology, information, and security architectures and infrastructures. He has
+
'''WebAppSec.php: Developing Secure Web Applications'''  
presented at numerous conferences and taught a handful of courses and tutorials. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service
+
provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS & MS degrees from Case Western Reserve University in Computer Engineering & Science with concentrations in Philosophy & Psychology. His interests are diverse and can be explored at www.Zakon.org where a full vitae is available.
+
  
 +
Web applications are the new frontier of wide‐spread security breaches. This tutorial will guide through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types will be reviewed, along with how the proper development practices can mitigate their damage. Although the tutorial targets the security of PHP‐based applications, much of the content is applicable to other programming languages as well.
  
'''Applying the OWASP Testing Guide with the OWASP Live CD'''
+
'''Instructor: Robert Zakon:''' Robert Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy, over 15 years ago. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non‐profits and government agencies on technology, information, and security architectures and infrastructures. He has presented at numerous conferences and taught a handful of courses and tutorials. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS &amp; MS degrees from Case Western Reserve University in Computer Engineering &amp; Science with concentrations in Philosophy &amp; Psychology. His interests are diverse and can be explored at www.Zakon.org where a full vitae is available.
  
The OWASP Live CD provides the necessary tools to test web applications.
+
<br> '''Applying the OWASP Testing Guide with the OWASP Live CD'''
The OWASP Testing Guide provides a testing framework. You're testing web applications currently, now what? Time to take your testing to the next level. This class will offer information on how to use the OWASP Live CD tools together for greater accuracy and speed, how to feed the results of one tool into another, and how to automate the more tedious aspects of web application testing. The training is focused not on what or how to test, but how to get more out of the testing time you have. Lets face it, testing time frames are always shorter then they should be, so how can you squeeze the most into the engagement time you have. After attending this training, you'll have some tricks in your bag to optimize your testing.
+
  
'''Instructor:  Matt Tesauro:'''
+
The OWASP Live CD provides the necessary tools to test web applications. The OWASP Testing Guide provides a testing framework. You're testing web applications currently, now what? Time to take your testing to the next level. This class will offer information on how to use the OWASP Live CD tools together for greater accuracy and speed, how to feed the results of one tool into another, and how to automate the more tedious aspects of web application testing. The training is focused not on what or how to test, but how to get more out of the testing time you have. Lets face it, testing time frames are always shorter then they should be, so how can you squeeze the most into the engagement time you have. After attending this training, you'll have some tricks in your bag to optimize your testing.
  
 +
'''Instructor: Matt Tesauro:'''
  
'''Leader and Manager Training - Leading the Development of Secure Applications'''
+
<br> '''Leader and Manager Training - Leading the Development of Secure Applications'''  
  
Managing a project to create a secure application takes the right combination of activities, teams, and supporting technology. This engaging course leads you through a set of proven, practical activities that result in demonstrable security.
+
Managing a project to create a secure application takes the right combination of activities, teams, and supporting technology. This engaging course leads you through a set of proven, practical activities that result in demonstrable security.  
  
'''Instructor: Dave Wichers:''' Aspect's instructors are professional software developers who have dedicated their career to application security. Our instructors spend the majority of their time working with clients to secure critical web applications using a wide variety of web application technology. This practical experience allows our instructors to have interesting discussions about real-world problems that drive home the lessons being taught.
+
'''Instructor: Dave Wichers:''' Aspect's instructors are professional software developers who have dedicated their career to application security. Our instructors spend the majority of their time working with clients to secure critical web applications using a wide variety of web application technology. This practical experience allows our instructors to have interesting discussions about real-world problems that drive home the lessons being taught.  
  
 
==== Venue  ====
 
==== Venue  ====
Line 346: Line 334:
 
The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro], and only a few blocks from our convention hotel, the [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] (reserve rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=1401279&fromResdesk=true here]).  
 
The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro], and only a few blocks from our convention hotel, the [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] (reserve rooms [https://resweb.passkey.com/Resweb.do?mode=welcome_ei_new&eventID=1401279&fromResdesk=true here]).  
  
==== Hotel  ====
+
==== Hotel  ====
  
 
== Grand Hyatt Washington DC  ==
 
== Grand Hyatt Washington DC  ==
Line 360: Line 348:
 
The [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] is one block from the [http://www.wmata.com/rail/station_detail.cfm?station_id=1 Metro Center] metro station, and three blocks from the [http://www.wmata.com/rail/station_detail.cfm?station_id=21 Gallery Place/Chinatown] metro station.  
 
The [http://grandwashington.hyatt.com/hyatt/hotels/index.jsp Grand Hyatt Washington] is one block from the [http://www.wmata.com/rail/station_detail.cfm?station_id=1 Metro Center] metro station, and three blocks from the [http://www.wmata.com/rail/station_detail.cfm?station_id=21 Gallery Place/Chinatown] metro station.  
  
==== Sponsors ====
+
==== Sponsors ====
  
 
== Sponsors  ==
 
== Sponsors  ==
Line 368: Line 356:
 
Slots are going fast so contact us to sponsor today!  
 
Slots are going fast so contact us to sponsor today!  
  
[http://www.softtek.com [[Image:AppSecDC2009-Sponsor-softtek.gif]]] [[www.ibm.com|[[Image:AppSecDC2009-Sponsor-ibm.gif]]]] [[www.securicon.com|[[Image:AppSecDC2009-Sponsor-securicon.gif]]]] [[Image:AppSecDC2009-Sponsor-cross.gif]] [[Image:AppSecDC2009-Sponsor-fishnet.gif]] [[Image:AppSecDC2009-Sponsor-gt.gif]] [[Image:AppSecDC2009-Sponsor-aspect.gif]] [[Image:AppSecDC2009-Sponsor-fyrm.gif]] [[Image:AppSecDC2009-Sponsor-denim.gif]] [[Image:AppSecDC2009-Sponsor-issa.gif]]  
+
[[Image:AppSecDC2009-Sponsor-softtek.gif|http://www.softtek.com]]
 +
[[Image:AppSecDC2009-Sponsor-ibm.gif|www.ibm.com]] [[Image:AppSecDC2009-Sponsor-securicon.gif|www.securicon.com]]
 +
[[Image:AppSecDC2009-Sponsor-cross.gif|http://www.crosschecknet.com/]] [[Image:AppSecDC2009-Sponsor-fishnet.gif|http://www.fishnetsecurity.com/]] [[Image:AppSecDC2009-Sponsor-gt.gif|http://www.grantthornton.com/]] [[Image:AppSecDC2009-Sponsor-aspect.gif|http://www.aspectsecurity.com/]]
 +
[[Image:AppSecDC2009-Sponsor-fyrm.gif|http://www.fyrmassociates.com/]] [[Image:AppSecDC2009-Sponsor-denim.gif|http://www.denimgroup.com/]]
 +
[[Image:AppSecDC2009-Sponsor-issa.gif|http://www.issa-dc.org/]]  
  
==== Travel ====
+
==== Travel ====
  
== Traveling to the DC Metro Area ==
+
== Traveling to the DC Metro Area ==
  
The Washington DC Area is serviced by three airports -- [http://www.metwashairports.com/national/ Reagan National (DCA)], [http://www.metwashairports.com/Dulles/ Dulles (IAD)], and [http://www.bwiairport.com/en Thurgood Marshall Baltimore/Washington International (BWI)]. All currently have available transportation to downtown DC via public transportation, shuttles, or cab.
+
The Washington DC Area is serviced by three airports -- [http://www.metwashairports.com/national/ Reagan National (DCA)], [http://www.metwashairports.com/Dulles/ Dulles (IAD)], and [http://www.bwiairport.com/en Thurgood Marshall Baltimore/Washington International (BWI)]. All currently have available transportation to downtown DC via public transportation, shuttles, or cab.  
  
Washington DC is also serviced by [http://www.amtrak.com Amtrak], [http://www.vre.org/ VRE], and [http://www.mtamaryland.com/services/marc/ MARC] train lines, which arrive in [http://www.wmata.com/rail/station_detail.cfm?station_id=25 Union Station], a few metro stops or a short cab ride away from the convention center and the Grand Hyatt.
+
Washington DC is also serviced by [http://www.amtrak.com Amtrak], [http://www.vre.org/ VRE], and [http://www.mtamaryland.com/services/marc/ MARC] train lines, which arrive in [http://www.wmata.com/rail/station_detail.cfm?station_id=25 Union Station], a few metro stops or a short cab ride away from the convention center and the Grand Hyatt.  
  
If you live in the DC Metropolitan area, we suggest taking [http://www.wmata.com Metro] to the event. The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro].
+
If you live in the DC Metropolitan area, we suggest taking [http://www.wmata.com Metro] to the event. The convention center is located over the [http://www.wmata.com/rail/station_detail.cfm?station_id=70 Mount Vernon Square/Convention Center Metro stop] on the Green and Yellow lines of the [http://www.wmata.com DC Metro].  
  
 
<headertabs />  
 
<headertabs />  
  
[[Category:OWASP_AppSec_Conference]][[Category:OWASP_AppSec_DC_09]]
+
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_09]]

Revision as of 01:31, 17 September 2009


Dc09.png

Walter E. Washington Convention Center | Registration


====Welcome====

Press Release August 20th 2009 -- Speaker Agenda Released and Registration Open!

We are pleased to announce that the OWASP DC chapter will host the OWASP AppSec 2009 conference in Washington, DC. The AppSec DC OWASP Conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

AppSec DC 2009 will be held at the Walter E. Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001) on November 10th through 13th 2009.

Who Should Attend AppSec DC 2009:

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interesting in Improving IT Security


The full AppSecDC Schedule can be found here.

You can register for the conference here.




Threestarforsite.png

Use the #AppSecDC hashtag for your tweets (What are hashtags?)

@AppSecDC09 Twitter Feed (follow us on Twitter!)

Registration

Registration is now open!

You can register here

Current pricing reflects an "Early Bird" discount of $50 off the at the door price of $395.

OWASP Membership ($50 annual membership fee) gets you a discount of $50.

$345 General Public
$295 OWASP Members
$195 Students
$1350 2-Day Training Course
$650 1-Day Training Course


Go here for details on the training courses that are available.

Who Should Attend AppSec DC 2009:

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interesting in Improving IT Security


For student discount, attendees must present proof of enrollment when picking up your badge.

Volunteer

Volunteers Needed!

Get involved!

We will take all the help we can get to pull off the best Web Application Security Conference of the year!

Please contact the appropriate arch-minion to volunteer for a specific area:

More opportunities and areas will be added as time goes on.

Or, you can e-mail the organizers at mark.bristow(at)owasp.org, doug.wilson(at)owasp.org or rex.booth(at)owasp.org.

Or email appsec_us_09(at)lists.owasp.org or sign up for the mailing list!

Schedule

Day 1 - Nov 12th 2009
  OWASP Tools SDLC Web 2.0
07:30-09:00 Registration
08:45-09:00 Welcome and Opening Remarks
09:00-10:00 Keynote: Joe Jarzombek
10:30-10:30 Coffee Break & Room Change
10:30-11:30 OWASP ESAPI
Jeff Williams
Clubbing WebApps with a Botnet
Gunter Ollmann
Development Issues Within AJAX Applications: How to Divert Threats
Lars Ewe
Understanding the Implications of Cloud Computing on Application Security
Dennis Hurst
11:30-12:30 Software Assurance Maturity Model (SAMM)
Pravir Chandra
The Case of Promiscuous Parameters and Other Ongoing Capers in Web Security
Jacob West
Enterprise Application Security - GE's approach to solving root cause
Darren Challey
Transparent Proxy Abuse
Robert Auger
12:30-13:30 DISA's Application Security and Development STIG: How OWASP Can Help You
Jason Li
OWASP ModSecurity Core Rule Set Project
Ryan C. Barnett
The essential role of infosec in secure software development
Kenneth R. van Wyk
Fracturing Flex For Fun- An Alliterative Attackers Approach
Jon Rose/Kevin Stadmeyer
13:30-14:30 Lunch
14:30-15:30 Defend Yourself: Integrating Real Time Defenses into Online Applications
Michael Coates
Finding the Hotspots: Web-security testing with the Watcher tool
Chris Weber
SDLC Panel Social Zombies: Your Friends Want to Eat Your Brains
Tom Eston/Kevin Johnson
15:30-16:30 The ESAPI Web Application Firewall
Arshan Dabirsiaghi
One Click Ownage
Ferruh Mavituna
Cloudy with a chance of 0-day
Jon Rose/Tom Leavey
Web Application Security Scanner Evaluation Criteria
Brian Shura
16:30-17:30 OWASP Live CD: An open environment for Web Application Security
Matt Tesauro / Brad Causey
Learning by Breaking: A New Project Insecure Web Apps
Chuck Willis
Vulnerability Management in an Application Security World
Dan Cornell
Attacking WCF Web Services
Brian Holyfield
Synergy! A world where the tools communicate

Josh Abraham

17:30-18:30 The Entrepreneur's Guide to Career Management
Lee Kushner
Advanced SSL: The good, the bad, and the ugly
Michael Coats
Threat Modeling
John Steven
When Web 2.0 Attacks - Understanding Security Implications of AJAX, Flash and "Highly Interactive" Technologies
Rafal Los
User input piercing for Cross Site Scripting Attacks
Matias Blanco
19:00-???? Reception
Day 2 - Nov 13th 2009
  Attack & Defend Process Metrics Compliance
07:30-09:00 Registration
09:00-10:00 Keynote: TBA
10:30-10:30 Coffee Break & Room Change
10:30-11:30 Securing the Core JEE Patterns
Rohit Sethi/Krishna Raja
The Big Picture: Web Risks and Assessments Beyond Scanning
Matt Fisher
The Web Hacking Incidents Database
Ryan C. Barnett
Business Logic Automatons: Friend or Foe?
Ofer Shezaf
11:30-12:30 Unicode Transformations: Finding Elusive Vulnerabilities
Chris Weber
Scalable Application Assessments in the Enterprise
Tom Parker/Lars Ewe
Application security metrics from the organization on down to the vulnerabilities
Chris Wysopal
SCAP: Automating our way out of the Vulnerability Wheel of Pain
Ed Bellis
12:30-13:30 Fox in the Henhouse: Java Rootkits
Jeff Williams
Secure Software Updates: Update Like Conficker
Jeremy Allen
OWASP Top 10 2009
Dave Wichers
Secure SDLC: The Good, The Bad, and The Ugly
Joey Peloquin
13:30-14:30 Lunch
14:30-15:30 The 10 least-likely and most dangerous people on the Internet
Robert Hansen
Improving application security after an incident
Cory Scott
Hacking by Numbers
Tom Brennan
Federal CIO Pannel
15:30-16:30 Automated vs. Manual Security: You can't filter The Stupid
David Byrne/Charles Henderson
Custom Intrusion Detection Techniques for Monitoring Web Applications
Matthew Olney
Building an in-house application security assessment team
Keith Turpin
16:30-17:30 Advanced SQL Injection
Joe McCray
Is your organization secured against internal threats?
Lars Ewe
The OWASP Security Spending Benchmarks Project
Dr. Boaz Gelbord
Promoting Application Security within Federal Government
Sarbari Gupta
17:30-18:30 Manipulating Web Application Interfaces, a new approach to input validation
Felipe Moreno-Strauch
Deploying Secure Web Applications with OWASP Resources
Kuai Hinojosa
SANS Dshield Webhoneypot Project
Jason Lam
Techniques in Attacking and Defending XML/Web Services
Mamoon Yunus/Jason Macy
Injectable Exploits: Two New Tools for Pwning Web Apps and Browsers
Kevin Johnson, Justin Searle, Frank DiMaggio
18:30-19:00 Closing Remarks

Training

There are a total of five classrooms over two days or 10 training days available at the conference. Two classrooms hold 30 students and the other three have a capacity of 24 students. The cost for two day training is $1350 USD and the cost for one day training is $650 USD.

2 Day Training: November 10 and November 11

Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework

This course will focus on using open source tools to perform web application assessments. The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-WTF). Day one will take students through the steps and open source tools used to assess applications for vulnerabilities. Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks. The latest tools and techniques will be use throughout the course, including several tools developed by the trainers themselves.

Instructor: Justin Searle: Justin Searle, a Senior Security Analyst with InGuardians, specializes in penetration testing and security architecture. Previously, Justin served as JetBlue Airway’s IT Security Architect and has provided top-tier support for the largest supercomputers in the world. In his rapidly dwindling spare time, Justin co-leads prominent open source projects including The Middler, Samurai Web Testing Framework, BASE, and the social networking pentest tools: Yokoso! and Laudnum.


Java EE Secure Code Review

The gut of any application lies in its source code. With the ever-emerging landscape of threats and attack vectors facing today’s applications, the need for secure source code has never been greater. In this course, students will be working with actual web application source code samples and discover how to pinpoint weaknesses, identify common security flaws, and discuss corrective coding controls. Major application security domains will be covered, including common authentication and access control coding errors, session management vulnerabilities, identifying injection flaws, and more. For anyone looking to learn how to identify common security weaknesses in a code base, this course is a must.

Instructor: Sahba Kazerooni: Sahba Kazerooni is Practice Lead of Software Security Services. He has a strong background in Java EE architecture and development. At Security Compass, Sahba leads the Software Security Services practice which performs penetration testing, source code review, and Threat Modeling of client applications. He also plays a critical role in the development of curriculum for and delivery of Security Compass training services. He has developed and taught courses on various topics such as Secure Coding in Java EE, Exploiting and Defending Web Applications, and Application Security Awareness. Mr. Kazerooni is also an internationally-renowned speaker on security topics. He has presented at conferences around the world including BlackHat Security Conference in Amsterdam, Security Opus in San Francisco, and IDC WebSec in Mexico City. Sahba delivers Java secure coding training at the SANS Institute, the largest source for information security training and certification, and has also provided numerous presentations through ISC2 to their elite network of certified information security professionals.

1 Day Training November 10

Threat Modeling Express The benefits of threat modeling at the design stage are well-documented, yet few organizations are able to perform this analysis technique due to time constraints. Based on our experience in real world situations, Security Compass has developed a one day approach to threat modeling .

In this class, students learn how to create a “quick and dirty” application threat model using an organization’s most valuable resource: its people. Students learn about the basics of web application security, as well as learn about and perform a real hands-on Express Threat Model. A deliverable template and list of steps will be provided as takeaways for students.

Instructor: Krishna Raja: Krishna Raja is an Application Security Consultant with an extensive background in J2EE application development. He has performed comprehensive security assessments for various clients, which involves threat analysis, source code inspection and runtime penetration testing.

Mr. Raja has also been instrumental in the development and delivery of Security Compass’ training curriculum. He has developed and taught courses in Exploiting and Defending Web Applications, Application Security Awareness and Advanced Application Attacks to architects, project managers and developers across Canada and the United States. Krishna is an emerging speaker at information security conferences, and last year spoke at Source Boston 2008 and ISSA Secure SD Symposium.


Web 2.0 Security - SOA, Web Services, and XML


Secure Coding for .Net

This highly practical, interactive course will focus on secure coding techniques and methodologies that can be immediately applied in your applications. The class uses real-world examples, walking through real code samples, using live, feature-rich applications, and showing how to hunt down, debug, and mitigate these flaws through better coding practices.

Instructor: Whitehat

1 Day Training November 11

WebAppSec.php: Developing Secure Web Applications

Web applications are the new frontier of wide‐spread security breaches. This tutorial will guide through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types will be reviewed, along with how the proper development practices can mitigate their damage. Although the tutorial targets the security of PHP‐based applications, much of the content is applicable to other programming languages as well.

Instructor: Robert Zakon: Robert Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy, over 15 years ago. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non‐profits and government agencies on technology, information, and security architectures and infrastructures. He has presented at numerous conferences and taught a handful of courses and tutorials. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS & MS degrees from Case Western Reserve University in Computer Engineering & Science with concentrations in Philosophy & Psychology. His interests are diverse and can be explored at www.Zakon.org where a full vitae is available.


Applying the OWASP Testing Guide with the OWASP Live CD

The OWASP Live CD provides the necessary tools to test web applications. The OWASP Testing Guide provides a testing framework. You're testing web applications currently, now what? Time to take your testing to the next level. This class will offer information on how to use the OWASP Live CD tools together for greater accuracy and speed, how to feed the results of one tool into another, and how to automate the more tedious aspects of web application testing. The training is focused not on what or how to test, but how to get more out of the testing time you have. Lets face it, testing time frames are always shorter then they should be, so how can you squeeze the most into the engagement time you have. After attending this training, you'll have some tricks in your bag to optimize your testing.

Instructor: Matt Tesauro:


Leader and Manager Training - Leading the Development of Secure Applications

Managing a project to create a secure application takes the right combination of activities, teams, and supporting technology. This engaging course leads you through a set of proven, practical activities that result in demonstrable security.

Instructor: Dave Wichers: Aspect's instructors are professional software developers who have dedicated their career to application security. Our instructors spend the majority of their time working with clients to secure critical web applications using a wide variety of web application technology. This practical experience allows our instructors to have interesting discussions about real-world problems that drive home the lessons being taught.

Venue

Walter E. Washington Convention Center

AppSec DC 2009 will be taking place at the Walter E. Washington Convention Center in downtown Washington DC.

The convention center is located over the Mount Vernon Square/Convention Center Metro stop on the Green and Yellow lines of the DC Metro, and only a few blocks from our convention hotel, the Grand Hyatt Washington (reserve rooms here).

Hotel

Grand Hyatt Washington DC

We've partnered with the Grand Hyatt Washington to bring you luxury accommodations at a reasonable price for your stay during our conference.

The Grand Hyatt is only a few blocks from the DC Convention Center and adjacent to a wide variety of restaurants and night life in downtown DC.

Our convention rate for reservations can also be applied shortly before or after the conference, if you wish to stay longer and enjoy the Washington DC Metropolitan Area.

You can register for a room at our convention rate of $209/night here.

The Grand Hyatt Washington is one block from the Metro Center metro station, and three blocks from the Gallery Place/Chinatown metro station.

Sponsors

Sponsors

We are currently soliciting sponsors for the AppSec DC Conference. Please refer to our sponsorship opportunities for details.

Slots are going fast so contact us to sponsor today!

http://www.softtek.com www.ibm.com www.securicon.com http://www.crosschecknet.com/ http://www.fishnetsecurity.com/ http://www.grantthornton.com/ http://www.aspectsecurity.com/ http://www.fyrmassociates.com/ http://www.denimgroup.com/ http://www.issa-dc.org/

Travel

Traveling to the DC Metro Area

The Washington DC Area is serviced by three airports -- Reagan National (DCA), Dulles (IAD), and Thurgood Marshall Baltimore/Washington International (BWI). All currently have available transportation to downtown DC via public transportation, shuttles, or cab.

Washington DC is also serviced by Amtrak, VRE, and MARC train lines, which arrive in Union Station, a few metro stops or a short cab ride away from the convention center and the Grand Hyatt.

If you live in the DC Metropolitan area, we suggest taking Metro to the event. The convention center is located over the Mount Vernon Square/Convention Center Metro stop on the Green and Yellow lines of the DC Metro.