OWASP Minneapolis St Paul 2010 Conference

Revision as of 22:02, 13 September 2010 by Webappsecguy (talk | contribs) (Adding title for Joe Teff.)


Building on the success of the 2009 talks, the OWASP Minneapolis-St. Paul (OWASP MSP) chapter and DC612 local DEF CON chapter will be hosting a day of talks on Friday, October 8, 2010 at the St. Paul Student Center North Star Ballroom on the University of Minnesota - Twin Cities campus.

See the Agenda


To cover the cost of food and beverages, a payment of $25 per attendee is requested.


A BIG thank you goes out to the Office of Internal Audit and OIT Security at the University of Minnesota for sponsoring the event location.

A special thank you goes out to Platinum Sponsor Best Buy.


Thank you to the following sponsors for their financial support of this event and the OWASP MSP chapter!

Imperva

How to Sponsor

Contact Lorna at lorna.alamri@owasp.org to sponsor this event. Sponsorship of the October 8, 2010 day of talks includes literature inclusion in attendee bags (up to 2 items), prominent display of your sponsor banner in the presentation room, and recognition for sponsorship of the event on this page, event mailings, and printed event materials.

Sponsorship of day of talks: $500

Sponsorship of day of talks plus have your logo on our chapter homepage for a year: $750

Show your support for OWASP MSP as we get ready as hosts for OWASP AppSec USA 2011 in Minneapolis in September 2011!

Click the following Donate button to submit your sponsorship.


Become a Paid Member

Not a paid member yet? For $50 get cool stuff, support OWASP globally, and fund our local OWASP MSP chapter for things like our speaker travel budget.

$50 today guarantees you a $50 discount for the international OWASP AppSec USA 2011 conference, which will be hosted in Minneapolis in September 2011!

Just click the following Donate Now button and choose Minneapolis St Paul during registration.



Social Media

Follow OWASP MSP on your favorite social media sites:

LinkedIn, Twitter, Facebook, Digg, Delicious, Reddit, Myspace




8:00 AM - 8:30 AM Check-In
8:30 AM - 9:00 AM

Adam Baso, OWASP MSP President

David Bryan, DC612 President

Lorna Alamri, OWASP MSP Vice President

Topic: Opening Remarks

9:00 AM - 9:50 AM

Andre "Dre" Gironda

Topic: Web App / Web Service Security Testing

9:50 AM - 10:00 AM Break
10:00 AM - 10:50 AM

Andrew Becherer

Senior Security Consultant, iSEC Partners

Topic: Attacking Kerberos and the New Hadoop Security Design

The Kerberos protocol provides single sign-on authentication services for users and machines. Its availability on nearly every popular computing platform - Windows, Mac, and UNIX variants - makes it the primary choice for enterprise authentication. However, simply "adding a dash of Kerberos" does not make a magically secure network or application. Kerberos is a complicated protocol whose comprehensive description requires dozens of RFCs. To use it securely requires a careful dance between protocol designers, service developers, and system administrators – the kind of dance that never quite stays in step.

The Hadoop project's Hadoop Distributed File System and MapReduce engine comprise a robust, open source distributed computing platform. Hadoop is in use at many of the world's largest online media companies including Facebook, Fox Interactive Media, LinkedIn, Powerset (now part of Microsoft), and Twitter. Hadoop is entering the enterprise as evidenced by Hadoop World 2009 presentations from Booz Allen Hamilton and JP Morgan Chase. Hadoop has also been elevated to the "cloud" and made available as a service by Amazon and Sun. What the heck is it? Can it be secure? What do I do if I discover it on a network I am testing?

When Hadoop development began in 2004 no effort was expended on creating a secure distributed computing environment. In 2009 discussion about Hadoop security reached a boiling point. The developers behind Hadoop decided they needed to get some of that "security" stuff. After a thorough application of Kerberos, Hadoop is now secure, or is it?

This talk will provide an introduction to Kerberos attack scenarios, describe the new Hadoop security model and Kerberos's (limited) role in it. This talk aims to determine whether Hadoop was made any more secure through the application of Kerberos.

10:50 AM - 11:00 AM Break
11:00 AM - 12:00 PM

Joe Teff

Vice President - Manager Security Code Review, Wells Fargo

Board Member, OWASP MSP

Topic: Can you implement a static analysis program using the OWASP Code Review Guide?

Many companies are looking at implementing a static analysis program. This discussion will look at the OWASP Code Review Guide and the role it can play in developing a static analysis program. There are many decisions that need to be considered in building a program. We will look at these decisions and discuss the options available.

12:00 PM - 1:30 PM Lunch
1:30 PM - 2:20 PM


Topic: TBA

2:20 PM - 2:30 PM Coffee Break
2:30 PM - 3:20 PM


Topic: TBA

3:20 PM - 3:30 PM Break
3:30 PM - 4:30 PM

Charles Anderson

Director of Application Security Services, Trustwave SpiderLabs

Topic: TBA

4:30 PM Closing Remarks