Difference between revisions of "OWASP Minneapolis St Paul 2010 Conference"

From OWASP
Jump to: navigation, search
m (Adding Midwave and Cigital logos.)
 
(9 intermediate revisions by one user not shown)
Line 1: Line 1:
 
Building on the success of the [[OWASP Minneapolis St Paul 2009 Conference | 2009]] talks, the [[Minneapolis St Paul | OWASP Minneapolis-St. Paul (OWASP MSP) chapter]] and [http://www.dc612.org/ DC612 local DEF CON chapter] will be hosting a day of talks on '''Friday, October 8, 2010''' at the [http://www1.umn.edu/twincities/maps/StCen/ St. Paul Student Center] [http://www.spsc.umn.edu/about/directory/second.php North Star Ballroom] on the [http://www1.umn.edu/twincities/index.php University of Minnesota - Twin Cities] campus.
 
Building on the success of the [[OWASP Minneapolis St Paul 2009 Conference | 2009]] talks, the [[Minneapolis St Paul | OWASP Minneapolis-St. Paul (OWASP MSP) chapter]] and [http://www.dc612.org/ DC612 local DEF CON chapter] will be hosting a day of talks on '''Friday, October 8, 2010''' at the [http://www1.umn.edu/twincities/maps/StCen/ St. Paul Student Center] [http://www.spsc.umn.edu/about/directory/second.php North Star Ballroom] on the [http://www1.umn.edu/twincities/index.php University of Minnesota - Twin Cities] campus.
  
 +
Six great speakers, '''only $25'''.
  
'''See the [[OWASP_Minneapolis_St_Paul_2010_Conference#Agenda | Agenda]].'''<br><br>[[Image:Registerbutton.png|link=http://dayofsecuritytalks2010.eventbrite.com]]<br><br>''To cover the cost of food and beverages, a payment of $25 per attendee is requested for the day of talks. Credit card (online), check, money order, and "Pay by invoice" (PO) accepted. We place food orders based on the number of registrants.''
+
'''We're happy to announce our keynote, [http://www.research.att.com/people/Cheswick_William_R/index.html Bill Cheswick]. Bill is a legendary figure behind the network firewall concept and co-author of ''[http://www.wilyhacker.com/1e/ Firewalls and Internet Security]'', one of the most influential books on the topic. Bill coined the term "proxy" under its current technical meaning and is a creator of the Internet Mapping Project. On October 8 Bill will discuss one of the most fundamental aspects of security, the password, in his talk titled "Rethinking Passwords".'''
 +
 
 +
 
 +
'''See the [[OWASP_Minneapolis_St_Paul_2010_Conference#Agenda | Agenda]].'''<br><br>[[Image:Registerbutton.png|link=http://dayofsecuritytalks2010.eventbrite.com]]<br><br>''To cover the cost of food and beverages, a payment of $25 per attendee is requested for the day of talks. Credit card (online only), check, money order, and PO ("Pay by invoice") accepted. If paying by check or money order please make it payable to '''OWASP''' on the day of the event. We place food orders based on the number of registrants. '''You must register in advance for this event.''' ''
  
  
Line 16: Line 20:
 
Thank you to the following sponsors for their financial support of this event and the OWASP MSP chapter!
 
Thank you to the following sponsors for their financial support of this event and the OWASP MSP chapter!
  
[[Image:Imperva_Logo.gif|link=http://www.imperva.com/]] &nbsp;&nbsp;&nbsp;&nbsp; [[Image:Netspi_logo.png|120px|link=http://www.netspi.com/]] &nbsp;&nbsp;&nbsp;&nbsp; [[Image:AccuvantLogoNEW.jpg||120px|link=http://www.accuvant.com/]]
+
[[Image:Imperva_Logo.gif|link=http://www.imperva.com/]] &nbsp;&nbsp;&nbsp;&nbsp; [[Image:Netspi_logo.png|120px|link=http://www.netspi.com/]] &nbsp;&nbsp;&nbsp;&nbsp; [[Image:AccuvantLogoNEW.jpg||120px|link=http://www.accuvant.com/]] &nbsp;&nbsp;&nbsp;&nbsp; [[Image:midwave.gif||140px|link=http://www.midwave.com/]] &nbsp;&nbsp;&nbsp;&nbsp; [[Image:Cigital_logo.gif|160px|link=https://www.cigital.com/]]
  
  
Line 42: Line 46:
  
  
[[Image:Registerbutton.png|link=http://dayofsecuritytalks2010.eventbrite.com]]<br><br>''To cover the cost of food and beverages, a payment of $25 per attendee is requested for the day of talks. Credit card (online), check, money order, and "Pay by invoice" (PO) accepted. We place food orders based on the number of registrants.''
+
[[Image:Registerbutton.png|link=http://dayofsecuritytalks2010.eventbrite.com]]<br><br>''To cover the cost of food and beverages, a payment of $25 per attendee is requested for the day of talks. Credit card (online only), check, money order, and PO ("Pay by invoice") accepted. If paying by check or money order please make it payable to '''OWASP''' on the day of the event. We place food orders based on the number of registrants. '''You must register in advance for this event.''' ''
  
  
Line 63: Line 67:
 
| style="padding: 5px; background-color: rgb(174, 183, 213);" | 9:00 AM - 9:50 AM
 
| style="padding: 5px; background-color: rgb(174, 183, 213);" | 9:00 AM - 9:50 AM
 
| style="border: 1px solid rgb(174, 183, 213); padding: 5px;" |  
 
| style="border: 1px solid rgb(174, 183, 213); padding: 5px;" |  
'''Andre &quot;Dre&quot; Gironda'''  
+
'''KEYNOTE'''
  
'''Topic:''' Application Assessments Reloaded
+
'''We're happy to announce our keynote, [http://www.research.att.com/people/Cheswick_William_R/index.html Bill Cheswick]. Bill is a legendary figure behind the network firewall concept and co-author of ''[http://www.wilyhacker.com/1e/ Firewalls and Internet Security]'', one of the most influential books on the topic. Bill coined the term "proxy" under its current technical meaning and is a creator of the Internet Mapping Project. On October 8 Bill will discuss one of the most fundamental aspects of security: the password.'''
  
Trying to integrate Business Software Assurance into Enterprise Risk Management and Information Security Management programs has had issues over the years. Penetration testing was announced dead over a year ago, but it's still the number one choice of application security professionals when starting out. Can the activities from penetration testing be re-used and turned into something innovative?
+
[http://www.research.att.com/people/Cheswick_William_R/index.html '''Bill Cheswick''']
  
Tools (especially application scanners and secure static analysis tools) have error rates so high, they are useless in the hands of newcomers (even for peripheral security testing). Some organizations have built entire applications around or on top of existing appsec tools. Others are looking to use other kinds of tools, such as process/methodology/workflow tools, to enhance their classic penetration testing tools.
+
Lead Member of Technical Staff, [http://www.research.att.com/evergreen/about_us/about_us.html AT&T Labs Research]
  
Even the testing/inspection methodologies themselves are outdated and we're finding that they are challenging or repetitive in many environments. How do current appsec tools and testing/inspection methods work in the cloud? If we re-run the same kinds of tests during dev-test, software quality, and application security cycles, aren't we wasting valuable time and effort?
+
'''Topic:''' ''Rethinking Passwords''
  
This presentation will provide discussion around how to solve many of these and other challenges in application security. The focus will be on web applications that use common technologies (HTTP, SQL, Classic XML/HTML, Javascript, Flash) but also updated to today's standards (RESTful transactions, NoSQL, HTML5, Ajax/Json, Flex2).
+
Passwords and PINs are used everywhere these days, but their use is often painful. Traditional password advice and rules are seldom appropriate for today's threats, yet we labor with the password rules and servers of yesteryear. Strong passwords are weakening our security, and it is time to fix that.
  
'''Bio:''' Andre got his start on Unix-TCP/IP hacking before the September that never ended. Bored of embedded platform research by the time the dot-Bomb happened, he joined the largest online auction company and worked as an appsec consultant for many years. He is known for his quirky mailing list posts and blog comments - and at one time wrote for [http://www.tssci-security.com/ tssci-security.com].
+
There are numerous proposals for new password solutions. Bill will present a few half-baked ideas. But Bill says there are good solutions available now.
 +
 
 +
We are facing much more worrisome security challenges: we ought to get this easy stuff right.
 +
 
 +
'''Bio:''' Bill Cheswick logged into his first computer in 1968. Seven years later, he was graduated from Lehigh University in 1975 with a degree resembling Computer Science. Cheswick has worked on (and against) operating system security for over 35 years. He has worked at Lehigh University and the Naval Air Development Center in system software and communications. At the American Newspaper Publishers Association/Research Institute he shared his first patent for a hardware-based spelling checker, a device clearly after its time.
 +
 
 +
For several years he consulted at a variety of universities doing system management, software development, communications design and installation, PC evaluations, etc.
 +
 
 +
Ches joined Bell Labs in December 1987, where he became postmaster and firewall administrator and designer. In 1990 he published a paper on firewall design that coined the word "proxy" in its current meaning. He followed this with "An Evening With Berferd", and then the publication of "Firewalls and Internet Security; Repelling the Wily Hacker", co-authored with Steve Bellovin. This book taught Internet security to a generation of administrators. In 1998, Ches started the Internet Mapping Project with Hal Burch. This work became to core technology of a Bell Labs spin-off, Lumeta Corporation. Ches has pinged a US nuclear attack submarine (distance, 66ms).
 +
 
 +
During his sabbatical over the winter of 2007 he worked on science museum including an upgrade for the Liberty Science Center's digital darkroom.
 +
 
 +
He joined AT&T Research in Florham Park in April 2007 and is working in security, visualization, user interfaces, and a variety of other things. He is a frequent keynote speaker at securty conferences.
 +
 
 +
Ches has a wide interest in science and medicine. In his spare time he reads technical journals, hacks on Mythtv and his home, and develops exhibit software for science museums. He eats very plain food - boring by even American standards.  
  
 
|-
 
|-
Line 87: Line 105:
 
Senior Security Consultant, [https://www.isecpartners.com/ iSEC Partners]
 
Senior Security Consultant, [https://www.isecpartners.com/ iSEC Partners]
  
'''Topic:''' Attacking Kerberos and the New Hadoop Security Design
+
'''Topic:''' ''Attacking Kerberos and the New Hadoop Security Design''
  
 
The Kerberos protocol provides single sign-on authentication services for users and machines. Its availability on nearly every popular computing platform - Windows, Mac, and UNIX variants - makes it the primary choice for enterprise authentication. However, simply "adding a dash of Kerberos" does not make a magically secure network or application. Kerberos is a complicated protocol whose comprehensive description requires dozens of RFCs. To use it securely requires a careful dance between protocol designers, service developers, and system administrators – the kind of dance that never quite stays in step.
 
The Kerberos protocol provides single sign-on authentication services for users and machines. Its availability on nearly every popular computing platform - Windows, Mac, and UNIX variants - makes it the primary choice for enterprise authentication. However, simply "adding a dash of Kerberos" does not make a magically secure network or application. Kerberos is a complicated protocol whose comprehensive description requires dozens of RFCs. To use it securely requires a careful dance between protocol designers, service developers, and system administrators – the kind of dance that never quite stays in step.
Line 115: Line 133:
 
Board Member, [[Minneapolis St Paul | OWASP MSP]]
 
Board Member, [[Minneapolis St Paul | OWASP MSP]]
  
'''Topic:''' Can you implement a static analysis program using the OWASP Code Review Guide?  
+
'''Topic:''' ''Can you implement a static analysis program using the OWASP Code Review Guide?''
  
 
Many companies are looking at implementing a static analysis program. This discussion will look at the [[OWASP_Code_Review_Project | OWASP Code Review Guide]] and the role it can play in developing a static analysis program. There are many decisions that need to be considered in building a program. We will look at these decisions and discuss the the options available.
 
Many companies are looking at implementing a static analysis program. This discussion will look at the [[OWASP_Code_Review_Project | OWASP Code Review Guide]] and the role it can play in developing a static analysis program. There are many decisions that need to be considered in building a program. We will look at these decisions and discuss the the options available.
Line 126: Line 144:
 
| style="padding: 5px; background-color: rgb(174, 183, 213);" | 1:30 PM - 2:20 PM
 
| style="padding: 5px; background-color: rgb(174, 183, 213);" | 1:30 PM - 2:20 PM
 
| style="border: 1px solid rgb(174, 183, 213); padding: 5px;" |
 
| style="border: 1px solid rgb(174, 183, 213); padding: 5px;" |
'''Jason Rouse'''
+
'''Charles Henderson'''  
  
Principal Consultant, [https://www.cigital.com/ Cigital]
+
Director of Application Security Services, [https://www.trustwave.com/spiderLabs.php Trustwave's SpiderLabs]
  
'''Topic:''' Mobile Security  
+
'''Topic:''' ''Global Security Report''
  
Mobile applications enable millions of users to be more productive, have more fun, and interact with their world in more ways than ever before. We're approaching mobile applications with many of the same tried-and-true approaches that we've used in more traditional software, but what are the dangers? Mobile architectures run the gamut from simple web-based applications optimized for mobile displays to custom-built handset-specific applications that can interact directly with the mobile operating system. This talk will explore the hybrid mobile/web application approach, and discuss the threads binding it together - information protection and convergence. Mobile devices are unique in that they offer one of the most potentially hostile environments imaginable - privacy, compliance, and capture protection top the charts as the three most difficult issues facing mobile applications and those who use them. This talk will dive into specifics on what are today "mobile-only" threats; that is, those issues such as location-based services or text messages, and discover how they can be compromised, and how security practitioners can protect them and the back-end applications that service them.
+
From January 1, 2009 to December 31, 2009, Trustwave's SpiderLabs performed approximately 1,900 penetration tests and over 200 security incident and compromise investigations around the world.
  
'''Bio:''' Jason Rouse brings over a decade of hands-on security experience while plying his craft at many of the leading companies in the world. He is currently responsible for many activities at Cigital including leading the mobile and wireless security practice, performing security architecture assessments, and being a trusted advisor to some of the world's largest development organizations. Jason is passionate about security, splitting his time between running Cigital's mobile and wireless practice and leading cutting-edge security projects around the world. At Cigital, in addition to his other responsibilities, Jason is also responsible for the creation of durable, actionable artifacts spanning the entire continuum of software security - from development standards to enterprise risk mitigation frameworks for both Fortune 50 customers and beyond. In his spare time he has also chaired the Financial Services Technology Consortium committee on Mobile Security.
+
This presentation will be a summary of the results of the analysis of the data gathered during 2009. The results will be presented in terms of both technical and business impact analysis.
 +
 
 +
'''Bio:''' Charles Henderson is the Director of Application Security Services in Trustwave's SpiderLabs. He has been in the information security industry for over fifteen years. His team specializes in application security including application penetration testing, code review, and training in secure development techniques. The team's clients range from the largest of the Fortune lists to small and midsized companies interested in improving their application security posture. Charles routinely speaks at various conferences around the world (including past Black Hat, SOURCE, IAFCI, OWASP AppSec USA, OWASP AppSec Europe, and Merchant Risk Council events) on various subject matters relating to application security.
  
 
|-
 
|-
Line 142: Line 162:
 
| style="padding: 5px; background-color: rgb(174, 183, 213);" | 2:30 PM - 3:20 PM
 
| style="padding: 5px; background-color: rgb(174, 183, 213);" | 2:30 PM - 3:20 PM
 
| style="border: 1px solid rgb(174, 183, 213); padding: 5px;" |
 
| style="border: 1px solid rgb(174, 183, 213); padding: 5px;" |
''' '''  
+
'''Jason Rouse'''
  
'''Topic:'''
+
Principal Consultant and Mobile/Wireless Security Lead, [https://www.cigital.com/ Cigital]
  
 +
'''Topic:''' ''Mobile Security''
 +
 +
Mobile applications enable millions of users to be more productive, have more fun, and interact with their world in more ways than ever before. We're approaching mobile applications with many of the same tried-and-true approaches that we've used in more traditional software, but what are the dangers? Mobile architectures run the gamut from simple web-based applications optimized for mobile displays to custom-built handset-specific applications that can interact directly with the mobile operating system. This talk will explore the hybrid mobile/web application approach, and discuss the threads binding it together - information protection and convergence. Mobile devices are unique in that they offer one of the most potentially hostile environments imaginable - privacy, compliance, and capture protection top the charts as the three most difficult issues facing mobile applications and those who use them. This talk will dive into specifics on what are today "mobile-only" threats; that is, those issues such as location-based services or text messages, and discover how they can be compromised, and how security practitioners can protect them and the back-end applications that service them.
 +
 +
'''Bio:''' Jason Rouse brings over a decade of hands-on security experience while plying his craft at many of the leading companies in the world. He is currently responsible for many activities at Cigital including leading the mobile and wireless security practice, performing security architecture assessments, and being a trusted advisor to some of the world's largest development organizations. Jason is passionate about security, splitting his time between running Cigital's mobile and wireless practice and leading cutting-edge security projects around the world. At Cigital, in addition to his other responsibilities, Jason is also responsible for the creation of durable, actionable artifacts spanning the entire continuum of software security - from development standards to enterprise risk mitigation frameworks for both Fortune 50 customers and beyond. In his spare time he has also chaired the Financial Services Technology Consortium committee on Mobile Security.
  
'''Bio:'''
 
  
 
|-
 
|-
Line 155: Line 179:
 
| style="padding: 5px; background-color: rgb(174, 183, 213);" | 3:30 PM - 4:30 PM
 
| style="padding: 5px; background-color: rgb(174, 183, 213);" | 3:30 PM - 4:30 PM
 
| style="border: 1px solid rgb(174, 183, 213); padding: 5px;" |
 
| style="border: 1px solid rgb(174, 183, 213); padding: 5px;" |
'''Charles Henderson'''  
+
'''Andre &quot;Dre&quot; Gironda'''  
  
Director of Application Security Services, [https://www.trustwave.com/spiderLabs.php Trustwave's SpiderLabs]
+
'''Topic:''' ''Application Assessments Reloaded''
  
'''Topic:''' TBA
+
Trying to integrate Business Software Assurance into Enterprise Risk Management and Information Security Management programs has had issues over the years. Penetration testing was announced dead over a year ago, but it's still the number one choice of application security professionals when starting out. Can the activities from penetration testing be re-used and turned into something innovative?
  
'''Bio:''' Charles Henderson is the Director of Application Security Services in Trustwave's SpiderLabs. He has been in the information security industry for over fifteen years. His team specializes in application security including application penetration testing, code review, and training in secure
+
Tools (especially application scanners and secure static analysis tools) have error rates so high, they are useless in the hands of newcomers (even for peripheral security testing). Some organizations have built entire applications around or on top of existing appsec tools. Others are looking to use other kinds of tools, such as process/methodology/workflow tools, to enhance their classic penetration testing tools.
development techniques. The team's clients range from the largest of the Fortune lists to small and midsized companies interested in improving their application security posture. Charles routinely speaks at various conferences around the world (including past Black Hat, SOURCE, IAFCI, OWASP AppSec USA, OWASP AppSec Europe, and Merchant Risk Council events) on various subject matters relating to application security.
+
 
 +
Even the testing/inspection methodologies themselves are outdated and we're finding that they are challenging or repetitive in many environments. How do current appsec tools and testing/inspection methods work in the cloud? If we re-run the same kinds of tests during dev-test, software quality, and application security cycles, aren't we wasting valuable time and effort?
 +
 
 +
This presentation will provide discussion around how to solve many of these and other challenges in application security. The focus will be on web applications that use common technologies (HTTP, SQL, Classic XML/HTML, Javascript, Flash) but also updated to today's standards (RESTful transactions, NoSQL, HTML5, Ajax/Json, Flex2).
 +
 
 +
'''Bio:''' Andre got his start on Unix-TCP/IP hacking before the September that never ended. Bored of embedded platform research by the time the dot-Bomb happened, he joined the largest online auction company and worked as an appsec consultant for many years. He is known for his quirky mailing list posts and blog comments - and at one time wrote for [http://www.tssci-security.com/ tssci-security.com].
  
 
|-
 
|-

Latest revision as of 22:38, 29 September 2010

Building on the success of the 2009 talks, the OWASP Minneapolis-St. Paul (OWASP MSP) chapter and DC612 local DEF CON chapter will be hosting a day of talks on Friday, October 8, 2010 at the St. Paul Student Center North Star Ballroom on the University of Minnesota - Twin Cities campus.

Six great speakers, only $25.

We're happy to announce our keynote, Bill Cheswick. Bill is a legendary figure behind the network firewall concept and co-author of Firewalls and Internet Security, one of the most influential books on the topic. Bill coined the term "proxy" under its current technical meaning and is a creator of the Internet Mapping Project. On October 8 Bill will discuss one of the most fundamental aspects of security, the password, in his talk titled "Rethinking Passwords".


See the Agenda.

Registerbutton.png

To cover the cost of food and beverages, a payment of $25 per attendee is requested for the day of talks. Credit card (online only), check, money order, and PO ("Pay by invoice") accepted. If paying by check or money order please make it payable to OWASP on the day of the event. We place food orders based on the number of registrants. You must register in advance for this event.


Sponsors

A BIG thank you goes out to the Office of Internal Audit and OIT Security at the University of Minnesota for sponsoring the event location.

A special thank you goes out to Platinum Sponsor Best Buy.


Best Buy logo.jpg


Thank you to the following sponsors for their financial support of this event and the OWASP MSP chapter!

Imperva Logo.gif      Netspi logo.png      AccuvantLogoNEW.jpg      Midwave.gif      Cigital logo.gif


How to Sponsor

Contact Lorna at lorna.alamri@owasp.org to sponsor this event. Sponsorship of the October 8, 2010 day of talks includes literature inclusion in attendee bags (up to 2 items), prominent display of your sponsor banner in the presentation room, and recognition for sponsorship of the event on this page, event mailings, and printed event materials.

Sponsorship of day of talks: $500

Sponsorship of day of talks plus have your logo on our chapter homepage for a year: $750

Show your support for OWASP MSP as we get ready as hosts for OWASP AppSec USA 2011 in Minneapolis in September 2011!


Click the following Donate button to submit your sponsorship.

SPONSOR OWASP MSP

funds to OWASP earmarked for Minneapolis St Paul.


Agenda

Date: October 8, 2010

Location: St. Paul Student Center North Star Ballroom on the University of Minnesota - Twin Cities campus

2017 Buford Avenue
St. Paul, MN 55108


Registerbutton.png

To cover the cost of food and beverages, a payment of $25 per attendee is requested for the day of talks. Credit card (online only), check, money order, and PO ("Pay by invoice") accepted. If paying by check or money order please make it payable to OWASP on the day of the event. We place food orders based on the number of registrants. You must register in advance for this event.


8:00 AM - 8:30 AM Check-In
8:30 AM - 9:00 AM

Adam Baso, OWASP MSP President

Lorna Alamri, OWASP MSP Vice President

David Bryan, DC612 President

Topic: Opening Remarks

9:00 AM - 9:50 AM

KEYNOTE

We're happy to announce our keynote, Bill Cheswick. Bill is a legendary figure behind the network firewall concept and co-author of Firewalls and Internet Security, one of the most influential books on the topic. Bill coined the term "proxy" under its current technical meaning and is a creator of the Internet Mapping Project. On October 8 Bill will discuss one of the most fundamental aspects of security: the password.

Bill Cheswick

Lead Member of Technical Staff, AT&T Labs Research

Topic: Rethinking Passwords

Passwords and PINs are used everywhere these days, but their use is often painful. Traditional password advice and rules are seldom appropriate for today's threats, yet we labor with the password rules and servers of yesteryear. Strong passwords are weakening our security, and it is time to fix that.

There are numerous proposals for new password solutions. Bill will present a few half-baked ideas. But Bill says there are good solutions available now.

We are facing much more worrisome security challenges: we ought to get this easy stuff right.

Bio: Bill Cheswick logged into his first computer in 1968. Seven years later, he was graduated from Lehigh University in 1975 with a degree resembling Computer Science. Cheswick has worked on (and against) operating system security for over 35 years. He has worked at Lehigh University and the Naval Air Development Center in system software and communications. At the American Newspaper Publishers Association/Research Institute he shared his first patent for a hardware-based spelling checker, a device clearly after its time.

For several years he consulted at a variety of universities doing system management, software development, communications design and installation, PC evaluations, etc.

Ches joined Bell Labs in December 1987, where he became postmaster and firewall administrator and designer. In 1990 he published a paper on firewall design that coined the word "proxy" in its current meaning. He followed this with "An Evening With Berferd", and then the publication of "Firewalls and Internet Security; Repelling the Wily Hacker", co-authored with Steve Bellovin. This book taught Internet security to a generation of administrators. In 1998, Ches started the Internet Mapping Project with Hal Burch. This work became to core technology of a Bell Labs spin-off, Lumeta Corporation. Ches has pinged a US nuclear attack submarine (distance, 66ms).

During his sabbatical over the winter of 2007 he worked on science museum including an upgrade for the Liberty Science Center's digital darkroom.

He joined AT&T Research in Florham Park in April 2007 and is working in security, visualization, user interfaces, and a variety of other things. He is a frequent keynote speaker at securty conferences.

Ches has a wide interest in science and medicine. In his spare time he reads technical journals, hacks on Mythtv and his home, and develops exhibit software for science museums. He eats very plain food - boring by even American standards.

9:50 AM - 10:00 AM Break
10:00 AM - 10:50 AM

Andrew Becherer

Senior Security Consultant, iSEC Partners

Topic: Attacking Kerberos and the New Hadoop Security Design

The Kerberos protocol provides single sign-on authentication services for users and machines. Its availability on nearly every popular computing platform - Windows, Mac, and UNIX variants - makes it the primary choice for enterprise authentication. However, simply "adding a dash of Kerberos" does not make a magically secure network or application. Kerberos is a complicated protocol whose comprehensive description requires dozens of RFCs. To use it securely requires a careful dance between protocol designers, service developers, and system administrators – the kind of dance that never quite stays in step.

The Hadoop project's Hadoop Distributed File System and MapReduce engine comprise a robust, open source distributed computing platform. Hadoop is in use at many of the world's largest online media companies including Facebook, Fox Interactive Media, LinkedIn, Powerset (now part of Microsoft), and Twitter. Hadoop is entering the enterprise as evidenced by Hadoop World 2009 presentations from Booz Allen Hamilton and JP Morgan Chase. Hadoop has also been elevated to the "cloud" and made available as a service by Amazon and Sun. What the heck is it? Can it be secure? What do I do if I discover it on a network I am testing?

When Hadoop development began in 2004 no effort was expended on creating a secure distributed computing environment. In 2009 discussion about Hadoop security reached a boiling point. The developers behind Hadoop decided they needed to get some of that "security" stuff. After a thorough application of Kerberos, Hadoop is now secure, or is it?

This talk will provide an introduction to Kerberos attack scenarios, describe the new Hadoop security model and Kerberos's (limited) role in it. This talk aims to determine whether Hadoop was made any more secure through the application of Kerberos.

Bio: Andrew Becherer is a Senior Security Consultant with iSEC Partners, a strategic digital security organization. His focus is web application and mobile application security. Prior to joining iSEC Partners, he was a Senior Consultant with Booz Allen Hamilton. Mr. Becherer spent several years as a Risk and Credit Analyst in the financial services industry. His experience in the software security field - consulting financial, non-profit and defense sectors - has provided him experience with a wide range of technologies.

Mr. Becherer has lectured on a number of topics including emerging cloud computing threat models, virtualization, network security tools and embedded Linux development. At the Black Hat Briefings USA 2009, Andrew, along with researchers Alex Stamos and Nathan Wilcox, presented on the topic "Cloud Computing Models and Vulnerabilities:Raining on the Trendy New Parade." Andrew's research on this topic focused on the effect of elasticity and virtualization on the Linux pseudorandom number generator (PRNG). At Black Hat USA 2008, he was a Microsoft Defend the Flag (DTF) instructor and, he is a recurring speaker at the Linuxfest Northwest conference. In addition to his educational outreach work with user groups, he is a member of several nationally recognized organizations. These organizations include the Association of Computing Machinery (ACM), FBI InfraGard, and the Open Web Application Security Project (OWASP).

Mr. Becherer received a B.S. in Computing and Software Systems from the University of Washington, Tacoma, and holds a B.A. in Sociology from the University of Kentucky.

10:50 AM - 11:00 AM Break
11:00 AM - 12:00 PM

Joe Teff

Vice President - Manager Security Code Review, Wells Fargo

Board Member, OWASP MSP

Topic: Can you implement a static analysis program using the OWASP Code Review Guide?

Many companies are looking at implementing a static analysis program. This discussion will look at the OWASP Code Review Guide and the role it can play in developing a static analysis program. There are many decisions that need to be considered in building a program. We will look at these decisions and discuss the the options available.

12:00 PM - 1:30 PM Lunch
1:30 PM - 2:20 PM

Charles Henderson

Director of Application Security Services, Trustwave's SpiderLabs

Topic: Global Security Report

From January 1, 2009 to December 31, 2009, Trustwave's SpiderLabs performed approximately 1,900 penetration tests and over 200 security incident and compromise investigations around the world.

This presentation will be a summary of the results of the analysis of the data gathered during 2009. The results will be presented in terms of both technical and business impact analysis.

Bio: Charles Henderson is the Director of Application Security Services in Trustwave's SpiderLabs. He has been in the information security industry for over fifteen years. His team specializes in application security including application penetration testing, code review, and training in secure development techniques. The team's clients range from the largest of the Fortune lists to small and midsized companies interested in improving their application security posture. Charles routinely speaks at various conferences around the world (including past Black Hat, SOURCE, IAFCI, OWASP AppSec USA, OWASP AppSec Europe, and Merchant Risk Council events) on various subject matters relating to application security.

2:20 PM - 2:30 PM Coffee Break
2:30 PM - 3:20 PM

Jason Rouse

Principal Consultant and Mobile/Wireless Security Lead, Cigital

Topic: Mobile Security

Mobile applications enable millions of users to be more productive, have more fun, and interact with their world in more ways than ever before. We're approaching mobile applications with many of the same tried-and-true approaches that we've used in more traditional software, but what are the dangers? Mobile architectures run the gamut from simple web-based applications optimized for mobile displays to custom-built handset-specific applications that can interact directly with the mobile operating system. This talk will explore the hybrid mobile/web application approach, and discuss the threads binding it together - information protection and convergence. Mobile devices are unique in that they offer one of the most potentially hostile environments imaginable - privacy, compliance, and capture protection top the charts as the three most difficult issues facing mobile applications and those who use them. This talk will dive into specifics on what are today "mobile-only" threats; that is, those issues such as location-based services or text messages, and discover how they can be compromised, and how security practitioners can protect them and the back-end applications that service them.

Bio: Jason Rouse brings over a decade of hands-on security experience while plying his craft at many of the leading companies in the world. He is currently responsible for many activities at Cigital including leading the mobile and wireless security practice, performing security architecture assessments, and being a trusted advisor to some of the world's largest development organizations. Jason is passionate about security, splitting his time between running Cigital's mobile and wireless practice and leading cutting-edge security projects around the world. At Cigital, in addition to his other responsibilities, Jason is also responsible for the creation of durable, actionable artifacts spanning the entire continuum of software security - from development standards to enterprise risk mitigation frameworks for both Fortune 50 customers and beyond. In his spare time he has also chaired the Financial Services Technology Consortium committee on Mobile Security.


3:20 PM - 3:30 PM Break
3:30 PM - 4:30 PM

Andre "Dre" Gironda

Topic: Application Assessments Reloaded

Trying to integrate Business Software Assurance into Enterprise Risk Management and Information Security Management programs has had issues over the years. Penetration testing was announced dead over a year ago, but it's still the number one choice of application security professionals when starting out. Can the activities from penetration testing be re-used and turned into something innovative?

Tools (especially application scanners and secure static analysis tools) have error rates so high, they are useless in the hands of newcomers (even for peripheral security testing). Some organizations have built entire applications around or on top of existing appsec tools. Others are looking to use other kinds of tools, such as process/methodology/workflow tools, to enhance their classic penetration testing tools.

Even the testing/inspection methodologies themselves are outdated and we're finding that they are challenging or repetitive in many environments. How do current appsec tools and testing/inspection methods work in the cloud? If we re-run the same kinds of tests during dev-test, software quality, and application security cycles, aren't we wasting valuable time and effort?

This presentation will provide discussion around how to solve many of these and other challenges in application security. The focus will be on web applications that use common technologies (HTTP, SQL, Classic XML/HTML, Javascript, Flash) but also updated to today's standards (RESTful transactions, NoSQL, HTML5, Ajax/Json, Flex2).

Bio: Andre got his start on Unix-TCP/IP hacking before the September that never ended. Bored of embedded platform research by the time the dot-Bomb happened, he joined the largest online auction company and worked as an appsec consultant for many years. He is known for his quirky mailing list posts and blog comments - and at one time wrote for tssci-security.com.

4:30 PM Closing Remarks