Difference between revisions of "OWASP Minneapolis St Paul 2008 Conference"

 
== OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008  ==
 
The Minneapolis - Saint Paul Chapter invites you to a one-day mini-conference at the University of Minnesota's Saint Paul campus. Thanks to the generous support of our sponsors and OWASP, we are able to offer this event at '''no charge to attendees'''!
+
The [[Minneapolis St Paul|Minneapolis - Saint Paul Chapter]] was very pleased to bring together a line-up of internationally known speakers for a day of application security talks at the University of Minnesota's [http://www1.umn.edu/twincities/maps/StCen/StCen-map.html St. Paul Student Center].
  
The agenda is still being finalized, so watch this space for more information.
+
Video of the presentations is slowly making its way to this page. Check the agenda below for links.
  
== Tentative Agenda ==
+
== Thank You To Our Sponsors ==
<table width="50%" border="0" align="center">
+
<tr>
+
<td style="background-color:#7B8ABD; padding: 1px;">08:00-09:00</td>
+
<td style="background-color:#BC857A; padding: 5px;">Registration Opens and Tech Expo</td>
+
</tr>
+
<tr>
+
<td  style="background-color:#7B8ABD; padding: 5px;">09:00-10:00</td>
+
<td style="background-color:#BC857A; padding: 5px;">Introduction, OWASP conference</td>
+
</tr>
+
<tr>
+
<td style="background-color:#7B8ABD; padding: 5px;">10:00-11:00</td>
+
<td style="background-color:#BC857A; padding: 5px;">
+
Jeff Williams<br />CEO, [http://www.aspectsecurity.com/ Aspect Security]<br />OWASP founder; Chair, OWASP Foundation<br>
+
Bios:<br>
+
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
+
  
Topic:
+
[http://www.strategicit.org/ https://www.owasp.org/images/8/81/MN-center-strategic-it-security.gif]<br />
 +
[http://www.strategicit.org/ Center for Strategic Information Technology and Security]
  
Serious About Application Security? Stop Scanning and Put In Some Controls.
+
[http://www.go-integral.net/ http://www.go-integral.net/files/integral_logo.png]<br />
 +
[http://www.go-integral.com/ Integral Business Solutions]
  
Enterprises are spending a huge amount of effort scanning for vulnerabilities that they already know are in their applications. Here's a little secret: there's no point in scanning if you haven't at least tried to put in a basic set of defenses.
+
[http://www.symantec.com/ https://www.owasp.org/images/2/26/New_Symantec_Logo.jpg]<br />
 +
[http://www.symantec.com/ Symantec]
  
What Application Security Controls Do You Need?
+
Conference space provided courtesy of the [http://www.umn.edu/oit/ University of Minnesota Office of Information Technology]
  
So what controls does the average web application need? Here's a good way to figure it out. Take a look at the common application security vulnerabilities and then list the security controls that developers need to prevent those holes. You'll end up with a list that includes authentication, session management, access control, input validation, canonicalization, output encoding, parameterized interfaces, encryption, hashing, random numbers, logging, and error handling.
+
== Agenda ==
 +
<table width="80%" border="0">
 +
<tr>
 +
<td style="background-color:#AEB7D5; padding: 1px;">8:00-9:00</td>
 +
<td style="background-color:#D5B4AE; padding: 5px;">Registration / Check-In</td>
 +
</tr>
 +
<tr>
 +
<td  style="background-color:#AEB7D5; padding: 5px;">9:00-9:30</td>
 +
<td style="background-color:#D5B4AE; padding: 5px;">'''Kuai Hinojosa''' [http://video.google.com/videoplay?docid=1665928867290955158 Video]<br />OWASP MN President<br />Conference Introduction<br />
  
It's not reasonable to expect developers to build a secure application without a decent set of security controls for them to use. So how can you make them available?
+
{{#ev:googlevideo|1665928867290955158}}
 +
</td>
 +
</tr>
 +
<tr>
 +
<td style="background-color:#AEB7D5; padding: 5px;">9:30-10:30</td>
 +
<td style="background-color:#D5B4AE; padding: 5px;">
 +
'''Jeff Williams''' [http://video.google.com/videoplay?docid=-4981336955006017781&hl=en Video] | [https://www.owasp.org/images/d/d7/OWASP_MN_ESAPI.pptx Slides]<br />CEO, [http://www.aspectsecurity.com/ Aspect Security]<br />OWASP founder; Chair, OWASP Foundation<br>
  
1. Build Your Own In Each Application - Bad
+
Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you're tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization's ESAPI is one of the best things you can do.
  
Writing security controls is time-consuming and extremely prone to mistakes. MITRE's CWE project lists over 600 different types of security mistakes that developers can make, and most of them are not at all obvious. Most people recognize that developers should not build their own encryption mechanisms, but the same argument applies to all the security controls.
+
'''Bio''':
 +
I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.
 +
</td>
 +
</tr>
  
2. Use Security Libraries Directly - Bad
+
<tr>
 +
<td style="background-color:#AEB7D5; padding: 1px;">10:30-11:00</td>
 +
<td style="background-color:#D5B4AE; padding: 5px;">'''Arshan Dabirsiaghi''' [http://video.google.com/videoplay?docid=8393196340486939495&hl=en Video]<br />Director of Research, [http://www.aspectsecurity.com/ Aspect Security]
  
There are plenty of libraries and frameworks out there that provide various security functions: Log4j, Java Cryptographic Extension (JCE), JAAS, Acegi, and dozens more. Some of them are even pretty good at what they do. But there are several reasons why enterprise developers should not use them directly.
+
Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP [[Intrinsic Security Working Group]] is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with usable security protections.  
  
Most importantly, these libraries are overpowerful. Most developers only need a very limited set of security functions and don't need a complex interface. Further, many of these libraries contain security holes themselves, such as encoding libraries that don't canonicalize or authentication libraries that don't use strong cryptographic functions. Because many security controls use features from other controls, using security libraries that aren't integrated together is a mistake.
+
Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?
  
3. Establish a Standard Security API for Your Enterprise - Good
+
'''Bio''': Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.
  
We've noticed that organizations that have institutionalized a standard application security control tend to have fewer vulnerabilities in that area. For example, organizations that have standardized on a cryptographic library, and especially the ones that have wrapped that library in a standard encryption component, have significantly fewer security problems in that area.
+
Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.
 
+
If you're tired of the application security scan-and-patch hamster-wheel-of-pain, now is the time to establish a security library for your developers. Once you make the "secure way" the fastest and easiest way for developers to get their application built, you'll see dramatically increased interest.
+
 
+
The OWASP Enterprise Security API (ESAPI) Project
+
 
+
To help organizations accomplish this, OWASP has created a security API that covers all the security controls a typical web application or web service project might need. There are about 120 methods across all the different security controls, organized into a simple intuitive set of interfaces. We also built a ton of test cases and implemented a high-quality reference implementation.
+
 
+
We want organizations to create their own security API for their enterprise. We recognize that every organization has complex platforms, systems, directories, databases, and infrastructure. We are not trying to replace any of that. We're trying to simplify the application security problem for your developers by providing a simple consistent API to your security infrastructure.
+
 
+
You can find the ESAPI Project on the OWASP website. Currently, the Java version is complete and several organizations are already using it. Versions for .NET, PHP, and Classic ASP are in development. All ESAPI projects are free and open source (BSD license).
+
 
+
Why Should You Trust ESAPI?
+
 
+
Even if you don't trust open source code, please consider the concept of establishing an ESAPI. With the OWASP project as a model, it would not take much time at all to create a custom ESAPI for your organization. You could adopt just the interfaces or also use parts of the reference implementation.
+
 
+
The ESAPI project involves a world-class team of software security experts from vendors and industry. The reference implementation is small and well structured, about 5,000 lines of well-documented and extensively reviewed code. The code is clean in all the major static analysis tools, including FindBugs, PMD, Ounce, and Fortify. The project also includes about 600 test cases that test all aspects of the security mechanisms.
+
 
+
Increased Security AND Cost Savings
+
 
+
Organizations that use an ESAPI will experience cost savings across the entire software development lifecycle. By simplifying application security, many activities across the lifecycle will take less time and yield better results. For example, security training can be shorter and more focused, security requirements are half the size, and security design and implementation are easier. Security testing is more effective and remediation is much simpler.
+
 
+
Conclusion
+
 
+
Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you're tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization's ESAPI is one of the best things you can do.
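The layered approach the abstract argues for, as an added example that is not the ESAPI project's own code or API: a small Python facade in which canonicalization, whitelist validation and HTML output encoding are wired together, beside a check written directly against the raw value that a later decoding layer would defeat. The class and function names, the whitelist rule and the sample inputs are assumptions constructed for this illustration.

```python
"""Enterprise security API facade sketch: a few narrow, integrated controls
(canonicalize, validate, encode) in front of the underlying libraries.
Names, rules and sample inputs are constructed for this example and are
not the ESAPI project's own API."""
import html
import re
import urllib.parse


class ValidationException(ValueError):
    """Raised when input fails canonicalization or whitelist validation."""


class Encoder:
    """Canonicalization and output encoding, kept together so the validator
    never sees an encoded form that a later layer would decode differently."""

    MAX_DECODE_PASSES = 5

    @staticmethod
    def _decode_once(s: str) -> str:
        # One pass of URL percent-decoding followed by HTML entity decoding.
        return html.unescape(urllib.parse.unquote(s))

    def canonicalize(self, s: str, reject_multiple: bool = True) -> str:
        """Decode repeatedly until the string stops changing. More than one
        effective pass means the input was multiply encoded; by default that
        is rejected rather than silently unwrapped."""
        current, passes = s, 0
        for _ in range(self.MAX_DECODE_PASSES):
            decoded = self._decode_once(current)
            if decoded == current:
                break
            current, passes = decoded, passes + 1
        else:
            raise ValidationException("input did not stabilize after %d decode passes"
                                      % self.MAX_DECODE_PASSES)
        if reject_multiple and passes > 1:
            raise ValidationException("multiple encoding detected")
        return current

    @staticmethod
    def encode_for_html(s: str) -> str:
        """Entity-encode a value for an HTML text or attribute context."""
        return html.escape(s, quote=True)


class Validator:
    """Whitelist validation that always canonicalizes first."""

    def __init__(self, encoder: Encoder):
        self.encoder = encoder

    def get_valid_input(self, name: str, value: str, pattern: str, max_length: int) -> str:
        canonical = self.encoder.canonicalize(value)
        if len(canonical) > max_length:
            raise ValidationException("%s exceeds %d characters" % (name, max_length))
        if not re.fullmatch(pattern, canonical):
            raise ValidationException("%s does not match %s" % (name, pattern))
        return canonical


class ESAPI:
    """Single entry point developers use; it wires the controls together."""
    encoder = Encoder()
    validator = Validator(encoder)


# The facade in use: a display name must pass a whitelist, then is encoded.
DISPLAY_NAME_PATTERN = r"[A-Za-z0-9 '.-]+"


def render_display_name(raw: str) -> str:
    name = ESAPI.validator.get_valid_input("displayName", raw, DISPLAY_NAME_PATTERN, 40)
    return "<span>%s</span>" % ESAPI.encoder.encode_for_html(name)


def check_display_name(raw: str):
    """Returns (True, rendered_html) or (False, reason) so callers can branch."""
    try:
        return True, render_display_name(raw)
    except ValidationException as exc:
        return False, str(exc)


# Contrast: a check written directly against the raw value, with no
# canonicalization. It passes "%3Cb%3E" even though a URL-decoding layer
# downstream turns that into "<b>".
def naive_has_no_angle_brackets(value: str) -> bool:
    return "<" not in value and ">" not in value


if __name__ == "__main__":
    for sample in ("O%27Brien", "%3Cb%3Ebold%3C/b%3E", "%253Cb%253E"):
        print(sample, "->", check_display_name(sample))
```

A single-encoded apostrophe in "O%27Brien" is accepted and re-encoded for HTML, while markup and double-encoded input are rejected before they reach the page.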
+
 
</td>
 
</td>
 +
</tr>
  
</tr>
 
 
<tr>
 
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">11:00-12:30</td>
+
<td style="background-color: #AEB7D5; padding: 5px;">11:00-12:30</td>
<td style="background-color: #BC857A; padding: 5px;">
+
<td style="background-color: #D5B4AE; padding: 5px;">
lunch break
+
Lunch
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">12:30-13:30</td>
+
<td style="background-color: #AEB7D5; padding: 5px;">12:30-13:30</td>
<td style="background-color: #BC857A; padding: 5px;">
+
<td style="background-color: #D5B4AE; padding: 5px;">
 +
'''Anil Kumar Revuru'''
 +
<br />[http://www.miscrosoft.com/ Microsoft]<br>
  
Anil Kumar Revuru
+
Microsoft Connected Information Security Framework (CISF) and Tools: <br />
<br />[http://www.miscrosoft.com/ Microsoft]<br>
+
The Connected Information Security Group, part of Microsoft's internal Information Security organization, is working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security Organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.
Bios<br>
+
  
 +
'''Bio''':
 
Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.
 
  
 
Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. He also made significant contributions to the security development of products at V-Empower Inc. After joining Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool used for application threat modeling.
 
 
Topic:
 
Microsoft Connected Information Security Framework (CISF) and Tools
 
Description:
 
 
 
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">13:30-14:30</td>
+
<td style="background-color: #AEB7D5; padding: 5px;">1:30-2:30</td>
<td style="background-color: #BC857A; padding: 5px;">Brian Chess<br />[http://www.fortify.com/ Fortify Software]
+
<td style="background-color: #D5B4AE; padding: 5px;">'''Brian Chess'''<br />[http://www.fortify.com/ Fortify Software]
Bios:<br>
+
Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
+
 
+
  
Topic:<br>
 
 
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.
 
 
   
 
   
Highlights include:
+
Highlights include:<br>
- The most common security short-cuts and why they lead to security failures
+
* The most common security short-cuts and why they lead to security failures
- Why programmers are in the best position to get security right
+
* Why programmers are in the best position to get security right
- Where to look for security problems
+
* Where to look for security problems
- How static analysis helps
+
* How static analysis helps
- The critical attributes and algorithms that make or break a static analysis tool
+
* The critical attributes and algorithms that make or break a static analysis tool
 
   
 
   
 
We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.
 
 +
 +
'''Bio''': Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">14:30-15:00</td>
+
<td style="background-color: #AEB7D5; padding: 5px;">2:30-3:00</td>
<td style="background-color: #BC857A; padding: 5px;">
+
<td style="background-color: #D5B4AE; padding: 5px;">
 
Break
 
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:00-15:30</td>
+
<td style="background-color: #AEB7D5; padding: 5px;">3:00-4:00</td>
<td style="background-color: #BC857A; padding: 5px;">
+
<td style="background-color: #D5B4AE; padding: 5px;">
Elliot Glazer<br />[http://www.dtcc.com/ DTCC]
+
'''Elliot Glazer'''<br />[http://www.dtcc.com/ DTCC]
  
Bios
+
Information Security Architecture Layers and Key Processes:
 
+
Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years.  He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture.  He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing.  Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations.  He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distributed operations among others.
+
 
+
Topic:
+
 
+
Information Security Architecture Layers and Key Processes  
+
 
+
    * Information Security Architecture is driven by an Information Security Strategy and Principles.  It is also critical the architecture support the Business Strategy:
+
          o Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
+
          o Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture.  This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
+
          o Security Reference Architecture:  the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs.  This is usually a set of components organized together.
+
          o Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment.  Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
+
          o Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture.  Priority is generally established based on risk.  The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.
+
  
 +
* Information Security Architecture is driven by an Information Security Strategy and Principles.  It is also critical the architecture support the Business Strategy:
 +
** Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
 +
** Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture.  This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
 +
** Security Reference Architecture:  the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs.  This is usually a set of components organized together.
 +
** Security Technology Lifecycle – the process of phasing in and out, technology and process solutions that improve the security environment.  Six phases ranging from researching new solutions to exiting old and failing solutions are defined.
 +
** Security Program Implementation Planning – the process of identifying high level scheduling based on priority and available resources, for solutions defined in the Technical Architecture.  Priority is generally established based on risk.  The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.
  
 +
'''Bio''': Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years.  He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture.  He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing.  Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations.  He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distributed operations among others.
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td style="background-color: #7B8ABD; padding: 5px;">15:30-16:30</td>
+
<td style="background-color: #AEB7D5; padding: 5px;">4:00-5:00</td>
<td style="background-color: #BC857A; padding: 5px;">
+
<td style="background-color: #D5B4AE; padding: 5px;">
Corey Benninger<br />[http://intrepidusgroup.com/ Intrepidus Group]<br>
+
'''Corey Benninger''' [http://video.google.com/videoplay?docid=-2330450614545589081&hl=en Video]<br />[http://intrepidusgroup.com/ Intrepidus Group]<br>
 +
 
 +
Exploring how poor application security mixed with phishing is leading to a costly cocktail of disaster. This talk will go over real-world examples of phishing attacks that have taken advantage of cross-site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and other web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.
  
Bios:
+
'''Bio''': Corey is a Principal Consultant with the Intrepidus Group, specializing in web and mobile application security. He has performed code reviews and conducted application penetration tests for numerous Fortune 500 clients. Corey has an undergraduate degree from Boston University. He is a Certified Information Systems Security Professional (CISSP).
 
Topic:
 
Exploring how poor application security mixed with phishing is leading to a costly cocktail of disaster. This talk will go over real-world examples of phishing attacks that have taken advantage of cross-site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and other web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.
 
 
</td>
 
</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
<td style="background-color: #7B8ABD; padding: 1px;">
+
<td style="background-color: #AEB7D5; padding: 1px;">
 
+
5:00-5:15
 
</td>
 
</td>
<td style="background-color: #BC857A; padding: 5px;">
+
<td style="background-color: #D5B4AE; padding: 5px;">
Richard Stallman
+
'''Richard Stallman'''
</td>
+
</tr>
+
<tr>
+
<td style="background-color: #7B8ABD; padding: 5px;">14:00 - ?
+
</td>
+
<td style="background-color: #BC857A; padding: 5px;">
+
Happy hour and networking opps
+
</td>
+
</tr>
+
</table>
+
  
== Thank You To Our Sponsors ==
+
Richard Matthew Stallman is a software developer and software freedom activist. In 1983 he announced the project to develop the GNU operating system, a Unix-like operating system meant to be entirely free software, and has been the project's leader ever since. With that announcement Stallman also launched the Free Software Movement. In October 1985 he started the Free Software Foundation.
  
[http://www.strategicit.org/ Center for Strategic Information Technology and Security]
+
The GNU/Linux system, which is a variant of GNU that also uses the kernel Linux developed by Linus Torvalds, is used in tens or hundreds of millions of computers, and is now preinstalled in computers available in retail stores. However, the distributors of these systems often disregard the ideas of freedom which make free software important.
  
[http://www.go-integral.com/ Integral Business Solutions]
+
That is why, since the mid-1990s, Stallman has spent most of his time in political advocacy for free software, and spreading the ethical ideas of the movement, as well as campaigning against both software patents and dangerous extension of copyright laws. Before that, Stallman developed a number of widely used software components of the GNU system, including the original Emacs, the GNU Compiler Collection, the GNU symbolic debugger (gdb), GNU Emacs, and various other programs for the GNU operating system.
  
Conference space provided courtesy of the University of Minnesota Office of Information Technology [http://www.umn.edu/ University of Minnesota]
+
Stallman pioneered the concept of copyleft, and is the main author of the GNU General Public License, the most widely used free software license.
 +
 
 +
Stallman gives speeches frequently about free software and related topics. Common speech titles include "The GNU Operating System and the Free Software movement", "The Dangers of Software Patents", and "Copyright and Community in the Age of the Computer Networks". A fourth common topic consists of explaining the changes in version 3 of the GNU General Public License, which was released in June 2007. </td>
 +
</tr>
 +
 
 +
</table>

Latest revision as of 20:38, 4 August 2009

OWASP & FLOSS Application Security Mini-Conference 2008 - October 21, 2008

The Minneapolis - Saint Paul Chapter was very pleased to bring together a line-up of internationally known speakers for a day of application security talks at the University of Minnesota's St. Paul Student Center.

Video of the presentations is slowly making its way to this page. Check the agenda below for links.

Thank You To Our Sponsors

MN-center-strategic-it-security.gif
Center for Strategic Information Technology and Security

integral_logo.png
Integral Business Solutions

New_Symantec_Logo.jpg
Symantec

Conference space provided courtesy of the University of Minnesota Office of Information Technology

Agenda

8:00-9:00 Registration / Check-In
9:00-9:30 Kuai Hinojosa Video
OWASP MN President
Conference Introduction
9:30-10:30

Jeff Williams Video | Slides
CEO, Aspect Security
OWASP founder; Chair, OWASP Foundation

Application security is getting more complicated every day with increasing connectivity, more mixing of code and data, more parsers, more interpreters, more assets, and more functionality available. We have to take steps now to simplify the problem. So if you're tired of securing one application at a time, and wrestling with the same vulnerabilities again and again, establishing your organization's ESAPI is one of the best things you can do.

Bio: I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I've worked on a number of projects at OWASP, including creating the OWASP Top 10, WebGoat, Stinger, Secure Software Contract Annex, Honeycomb Project and the Enterprise Security API. You can find more about my background here: http://myappsecurity.blogspot.com/2007/03/reflection-on-jeff-williams.html.

10:30-11:00 Arshan Dabirsiaghi Video
Director of Research, Aspect Security

Many of the challenges we face in application security could be solved at an architectural layer without trying to accomplish the impossible task of fixing millions of websites with billions of lines of code behind them. The OWASP Intrinsic Security Working Group is a new OWASP effort focused on addressing root causes of application security problems and fixing them where it's easiest. Sometimes that means pushing a browser to include a feature, or asking a language framework to provide a new API, or helping standard-makers come up with useable security protections.

Our goal with the OWASP ISWG is to leverage the collective security know-how of OWASP into practical advice and suggestions for all those technologies that our applications lean on in one way or another. We've got the modest goal of fixing the Internet - what could be more valuable?

Bio: Arshan Dabirsiaghi is the Director of Research at Aspect Security. Arshan has over seven years of professional experience writing code, four years of professionally auditing code, and many years of hobbying in both. At Aspect Security, Arshan performs the normal array of security assurance work, including code reviews, architecture reviews and penetration testing. He spends the balance of his work time teaching classes all over the world and doing research into next generation web application attacks and defenses.

Arshan earned his Master’s degree in Computer Science from Towson University with a focus on Information Security. He has delivered tutorials at Blackhat and OWASP conferences and has been a featured speaker at a number of security and artificial intelligence conferences. Arshan is also the author of the OWASP AntiSamy project and the founder of the OWASP Intrinsic Security Working Group.

11:00-12:30 Lunch

12:30-1:30 Anil Kumar Revuru
Microsoft

Microsoft Connected Information Security Framework (CISF) and Tools:
The Connected Information Security Group, part of Microsoft's internal Information Security organization, is working on a technology framework and set of applications to support corporate information security management programs. The Microsoft corporate Information Security organization (and a few 'early adopter' customers) will be dog-fooding early prototypes in late 2008/early 2009. This presentation provides a short overview of the problem space and current thinking on our approach to solving it.

Bio: Anil Kumar Revuru currently works for Microsoft as a Security Technologist where he is responsible for architecting security tools. In his previous life at Microsoft, Anil was conducting security design reviews, threat modeling, and application and source-code assessments. Previously as a Security Consultant for a security services vendor, he helped Fortune 100 clients evaluate the security of their software products and applications. He has authored security tools and has presented courses internally at Microsoft.

Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. He also made significant contributions to the security development of products at V-Empower Inc. After joining Microsoft, he worked towards finding security weaknesses and providing necessary countermeasures to application teams. He went on to develop security tools such as the Microsoft Threat Analysis and Modeling Tool, used for application threat modeling.

1:30-2:30 Brian Chess
Fortify Software

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include:

  • The most common security short-cuts and why they lead to security failures
  • Why programmers are in the best position to get security right
  • Where to look for security problems
  • How static analysis helps
  • The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review.

Bio: Dr. Chess's research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedge

2:30-3:00 Break

3:00-4:00 Elliot Glazer
DTCC

Information Security Architecture Layers and Key Processes:

  • Information Security Architecture is driven by an Information Security Strategy and Principles. It is also critical that the architecture support the Business Strategy:
    • Security Functional Architecture: the layout of key functions in security to be accomplished, which drives security requirements.
    • Security Technical Architecture: the solutions and standards to implement key functions, usually an overlay on top of the Functional Architecture. This is generally a definition of components, intended to be leveraged for reuse by organization, business, line of business or across the enterprise.
    • Security Reference Architecture: the implementation of Technical Architecture components into a strategy, platform, or particular complex solution set, to be used as a model for other, like needs. This is usually a set of components organized together.
    • Security Technology Lifecycle – the process of phasing in and out technology and process solutions that improve the security environment. Six phases, ranging from researching new solutions to exiting old and failing ones, are defined.
    • Security Program Implementation Planning – the process of identifying high-level scheduling, based on priority and available resources, for solutions defined in the Technical Architecture. Priority is generally established based on risk. The program also helps in the planning cycles for budgeting, as it will try to take a multiyear view.

Bio: Elliott has over 25 years of information technology experience and has worked in the security field for over 10 years. He is currently Director of Security Architecture for the Depository Trust and Clearing Corporation (DTCC), where he has created a number of innovative solutions in the areas of security monitoring and security architecture. He also provides consulting to the organization on critical security issues. Prior to this, Mr. Glazer was Vice President for Security Solutions at American Express, leading many large and small solutions for the Internet, Security, Privacy, and Customer Servicing. Previous to this, Elliott held leadership positions at Citigroup, Sprint International, and BT Dialcom in software development and operations. He has led architecture, development, and operations organizations including an enterprise architecture group, Internet software development, and distributed operations among others.

4:00-5:00 Corey Benninger Video
Intrepidus Group

Exploring how poor application security mixed with phishing is leading to a costly cocktail of disaster. This talk will go over real-world examples of phishing attacks that have taken advantage of cross-site scripting flaws, SQL injection vulnerabilities, session fixation attacks, and other web application flaws. Learn what phishers are doing to take their attacks to the next level by chaining multiple vulnerabilities together. The presentation will also share resources that help to track phishing trends and research.
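One of the chained attacks the abstract names, session fixation delivered through a phishing link, as an added example that is not code from the talk or from the page. The in-memory App, the bank.example host and the alice credential are constructed for the example; the vulnerable configuration adopts a session id carried in the URL and keeps it across login, the hardened one ignores URL session ids and issues a fresh id once the password checks out.

```python
"""Session fixation delivered by a phishing link (added example).

Constructed in-memory simulation, not code from the talk or from any real
site; bank.example, the credential table and the session layout are assumed.
"""
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed credential store for the example.
PASSWORDS = {"alice": "correct horse"}


class App:
    """Minimal login flow backed by a server-side session table.

    accept_url_sid      - honour a session id passed in the URL (the fixation bug)
    regenerate_on_login - issue a fresh id once credentials are verified (the fix)
    """

    def __init__(self, regenerate_on_login, accept_url_sid):
        self.sessions = {}            # sid -> {"user": username or None}
        self.regenerate_on_login = regenerate_on_login
        self.accept_url_sid = accept_url_sid

    def new_session(self):
        sid = secrets.token_urlsafe(32)   # unguessable id issued by the server
        self.sessions[sid] = {"user": None}
        return sid

    def request(self, cookie_sid=None, url_sid=None):
        """Decide which session a request runs under; returns the sid in use."""
        sid = cookie_sid
        if self.accept_url_sid and url_sid is not None:
            sid = url_sid                            # attacker-chosen id adopted as-is
            self.sessions.setdefault(sid, {"user": None})
        if sid not in self.sessions:
            sid = self.new_session()                 # unknown id: start a fresh session
        return sid

    def login(self, sid, username, password):
        """Authenticate; returns the sid the browser should continue with."""
        if PASSWORDS.get(username) != password:
            return sid
        if self.regenerate_on_login:
            self.sessions.pop(sid, None)    # retire the pre-auth id...
            sid = self.new_session()        # ...the attacker never sees this one
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def phishing_scenario(app):
    """Run the chain: plant sid -> phish -> victim logs in -> attacker replays sid.

    Returns the account the attacker ends up logged in as (None if the attack failed).
    """
    attacker_sid = app.request()      # 1. attacker visits the site and gets a valid sid
    phish_link = f"https://bank.example/login?sid={attacker_sid}"  # 2. mailed to victim
    url_sid = parse_qs(urlsplit(phish_link).query)["sid"][0]
    victim_sid = app.request(cookie_sid=None, url_sid=url_sid)     # 3. victim clicks
    app.login(victim_sid, "alice", "correct horse")                # 4. victim logs in
    return app.whoami(attacker_sid)   # 5. attacker replays the id they planted


if __name__ == "__main__":
    vulnerable = App(regenerate_on_login=False, accept_url_sid=True)
    hardened = App(regenerate_on_login=True, accept_url_sid=False)
    print("vulnerable:", phishing_scenario(vulnerable))   # alice
    print("hardened:", phishing_scenario(hardened))       # None
```

Regenerating the session id at the moment of authentication is the decisive control: even an application that still honours URL session ids is safe from this chain once it retires the pre-login id, which is why it is worth checking for in a code review before anything else. Not accepting session ids from the URL at all closes the remaining leak of ids into logs, referers and browser history.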

Bio: Corey is a Principal Consultant with the Intrepidus Group, specializing in web and mobile application security. He has performed code reviews and conducted application penetration tests for numerous Fortune 500 clients.

Prior to joining Intrepidus Group’s professional services team, Corey served as a Senior Consultant and Trainer at Foundstone.

Corey is a polished public speaker and has been invited to speak at leading conferences like Black Hat, OWASP AppSec, NYCBSDCon, Secure Development World and Infragard. In addition, his expert opinion has been published in industry publications like eWeek. He has also published several whitepapers on cutting edge security issues, like vulnerabilities in AJAX, and the security implications of web browser data caching. He is the co-founder and leader of the OWASP Mobile Security Project, a consortium of mobile security developers and experts.

Corey has an undergraduate degree from Boston University. He is a Certified Information Systems Security Professional (CISSP).

5:00-5:15 Richard Stallman

Richard Matthew Stallman is a software developer and software freedom activist. In 1983 he announced the project to develop the GNU operating system, a Unix-like operating system meant to be entirely free software, and has been the project's leader ever since. With that announcement Stallman also launched the Free Software Movement. In October 1985 he started the Free Software Foundation.

The GNU/Linux system, a variant of GNU that also uses the kernel Linux developed by Linus Torvalds, is used on tens or hundreds of millions of computers, and is now preinstalled on computers available in retail stores. However, the distributors of these systems often disregard the ideas of freedom which make free software important.

That is why, since the mid-1990s, Stallman has spent most of his time in political advocacy for free software, and spreading the ethical ideas of the movement, as well as campaigning against both software patents and dangerous extension of copyright laws. Before that, Stallman developed a number of widely used software components of the GNU system, including the original Emacs, the GNU Compiler Collection, the GNU symbolic debugger (gdb), GNU Emacs, and various other programs for the GNU operating system.

Stallman pioneered the concept of copyleft, and is the main author of the GNU General Public License, the most widely used free software license.

Stallman gives speeches frequently about free software and related topics. Common speech titles include "The GNU Operating System and the Free Software movement", "The Dangers of Software Patents", and "Copyright and Community in the Age of the Computer Networks". A fourth common topic consists of explaining the changes in version 3 of the GNU General Public License, which was released in June 2007.