OWASP Minneapolis St Paul 2010 Conference

Revision as of 23:32, 20 September 2010 by Webappsecguy (Adding verbiage about placing food orders based on the number of registrants.)


Building on the success of the 2009 talks, the OWASP Minneapolis-St. Paul (OWASP MSP) chapter and DC612 local DEF CON chapter will be hosting a day of talks on Friday, October 8, 2010 at the St. Paul Student Center North Star Ballroom on the University of Minnesota - Twin Cities campus.

See the Agenda.


To cover the cost of food and beverages, a payment of $25 per attendee is requested for the day of talks. Credit card (online), check, money order, and "Pay by invoice" (PO) accepted. We place food orders based on the number of registrants.


A BIG thank you goes out to the Office of Internal Audit and OIT Security at the University of Minnesota for sponsoring the event location.

A special thank you goes out to Platinum Sponsor Best Buy.


Thank you to the following sponsors for their financial support of this event and the OWASP MSP chapter!

Imperva, NetSPI, Accuvant

How to Sponsor

Contact Lorna at lorna.alamri@owasp.org to sponsor this event. Sponsorship of the October 8, 2010 day of talks includes literature inclusion in attendee bags (up to 2 items), prominent display of your sponsor banner in the presentation room, and recognition for sponsorship of the event on this page, event mailings, and printed event materials.

Sponsorship of day of talks: $500

Sponsorship of day of talks plus have your logo on our chapter homepage for a year: $750

Show your support for OWASP MSP as we get ready as hosts for OWASP AppSec USA 2011 in Minneapolis in September 2011!

Click the following Donate button to submit your sponsorship.


Become a Paid Member

Not a paid member yet? For $50 get cool stuff, support OWASP globally, and fund our local OWASP MSP chapter for things like our speaker travel budget.

$50 today guarantees you a $50 discount for the international OWASP AppSec USA 2011 conference, which will be hosted in Minneapolis in September 2011!

Just click the following Donate Now button and choose Minneapolis St Paul during registration.



Social Media

Follow OWASP MSP on your favorite social media sites:

LinkedIn, Twitter, Facebook, Digg, Delicious, Reddit, Myspace


Date: October 8, 2010

Location: St. Paul Student Center North Star Ballroom on the University of Minnesota - Twin Cities campus

2017 Buford Avenue
St. Paul, MN 55108



8:00 AM - 8:30 AM Check-In
8:30 AM - 9:00 AM

Adam Baso, OWASP MSP President

David Bryan, DC612 President

Lorna Alamri, OWASP MSP Vice President

Topic: Opening Remarks

9:00 AM - 9:50 AM

Andre "Dre" Gironda

Topic: Application Assessments Reloaded

Trying to integrate Business Software Assurance into Enterprise Risk Management and Information Security Management programs has had issues over the years. Penetration testing was announced dead over a year ago, but it's still the number one choice of application security professionals when starting out. Can the activities from penetration testing be re-used and turned into something innovative?

Tools (especially application scanners and secure static analysis tools) have error rates so high, they are useless in the hands of newcomers (even for peripheral security testing). Some organizations have built entire applications around or on top of existing appsec tools. Others are looking to use other kinds of tools, such as process/methodology/workflow tools, to enhance their classic penetration testing tools.

Even the testing/inspection methodologies themselves are outdated and we're finding that they are challenging or repetitive in many environments. How do current appsec tools and testing/inspection methods work in the cloud? If we re-run the same kinds of tests during dev-test, software quality, and application security cycles, aren't we wasting valuable time and effort?

This presentation will provide discussion around how to solve many of these and other challenges in application security. The focus will be on web applications that use common technologies (HTTP, SQL, Classic XML/HTML, Javascript, Flash) but also updated to today's standards (RESTful transactions, NoSQL, HTML5, Ajax/Json, Flex2).

Bio: Andre got his start on Unix-TCP/IP hacking before the September that never ended. Bored of embedded platform research by the time the dot-Bomb happened, he joined the largest online auction company and worked as an appsec consultant for many years. He is known for his quirky mailing list posts and blog comments - and at one time wrote for tssci-security.com.

9:50 AM - 10:00 AM Break
10:00 AM - 10:50 AM

Andrew Becherer

Senior Security Consultant, iSEC Partners

Topic: Attacking Kerberos and the New Hadoop Security Design

The Kerberos protocol provides single sign-on authentication services for users and machines. Its availability on nearly every popular computing platform - Windows, Mac, and UNIX variants - makes it the primary choice for enterprise authentication. However, simply "adding a dash of Kerberos" does not make a magically secure network or application. Kerberos is a complicated protocol whose comprehensive description requires dozens of RFCs. To use it securely requires a careful dance between protocol designers, service developers, and system administrators – the kind of dance that never quite stays in step.

The Hadoop project's Hadoop Distributed File System and MapReduce engine comprise a robust, open source distributed computing platform. Hadoop is in use at many of the world's largest online media companies including Facebook, Fox Interactive Media, LinkedIn, Powerset (now part of Microsoft), and Twitter. Hadoop is entering the enterprise as evidenced by Hadoop World 2009 presentations from Booz Allen Hamilton and JP Morgan Chase. Hadoop has also been elevated to the "cloud" and made available as a service by Amazon and Sun. What the heck is it? Can it be secure? What do I do if I discover it on a network I am testing?

When Hadoop development began in 2004 no effort was expended on creating a secure distributed computing environment. In 2009 discussion about Hadoop security reached a boiling point. The developers behind Hadoop decided they needed to get some of that "security" stuff. After a thorough application of Kerberos, Hadoop is now secure, or is it?

This talk will provide an introduction to Kerberos attack scenarios, describe the new Hadoop security model and Kerberos's (limited) role in it. This talk aims to determine whether Hadoop was made any more secure through the application of Kerberos.

Bio: Andrew Becherer is a Senior Security Consultant with iSEC Partners, a strategic digital security organization. His focus is web application and mobile application security. Prior to joining iSEC Partners, he was a Senior Consultant with Booz Allen Hamilton. Mr. Becherer spent several years as a Risk and Credit Analyst in the financial services industry. His experience in the software security field - consulting financial, non-profit and defense sectors - has provided him experience with a wide range of technologies.

Mr. Becherer has lectured on a number of topics including emerging cloud computing threat models, virtualization, network security tools and embedded Linux development. At the Black Hat Briefings USA 2009, Andrew, along with researchers Alex Stamos and Nathan Wilcox, presented on the topic "Cloud Computing Models and Vulnerabilities: Raining on the Trendy New Parade." Andrew's research on this topic focused on the effect of elasticity and virtualization on the Linux pseudorandom number generator (PRNG). At Black Hat USA 2008, he was a Microsoft Defend the Flag (DTF) instructor, and he is a recurring speaker at the Linuxfest Northwest conference. In addition to his educational outreach work with user groups, he is a member of several nationally recognized organizations. These organizations include the Association for Computing Machinery (ACM), FBI InfraGard, and the Open Web Application Security Project (OWASP).

Mr. Becherer received a B.S. in Computing and Software Systems from the University of Washington, Tacoma, and holds a B.A. in Sociology from the University of Kentucky.

10:50 AM - 11:00 AM Break
11:00 AM - 12:00 PM

Joe Teff

Vice President - Manager Security Code Review, Wells Fargo

Board Member, OWASP MSP

Topic: Can you implement a static analysis program using the OWASP Code Review Guide?

Many companies are looking at implementing a static analysis program. This discussion will look at the OWASP Code Review Guide and the role it can play in developing a static analysis program. There are many decisions that need to be considered in building a program. We will look at these decisions and discuss the options available.

12:00 PM - 1:30 PM Lunch
1:30 PM - 2:20 PM

Jason Rouse

Principal Consultant, Cigital

Topic: Mobile Security

Mobile applications enable millions of users to be more productive, have more fun, and interact with their world in more ways than ever before. We're approaching mobile applications with many of the same tried-and-true approaches that we've used in more traditional software, but what are the dangers? Mobile architectures run the gamut from simple web-based applications optimized for mobile displays to custom-built handset-specific applications that can interact directly with the mobile operating system. This talk will explore the hybrid mobile/web application approach, and discuss the threads binding it together - information protection and convergence. Mobile devices are unique in that they offer one of the most potentially hostile environments imaginable - privacy, compliance, and capture protection top the charts as the three most difficult issues facing mobile applications and those who use them. This talk will dive into specifics on today's "mobile-only" threats; that is, issues such as location-based services or text messages, and discover how they can be compromised, and how security practitioners can protect them and the back-end applications that service them.

Bio: Jason Rouse brings over a decade of hands-on security experience while plying his craft at many of the leading companies in the world. He is currently responsible for many activities at Cigital including leading the mobile and wireless security practice, performing security architecture assessments, and being a trusted advisor to some of the world's largest development organizations. Jason is passionate about security, splitting his time between running Cigital's mobile and wireless practice and leading cutting-edge security projects around the world. At Cigital, in addition to his other responsibilities, Jason is also responsible for the creation of durable, actionable artifacts spanning the entire continuum of software security - from development standards to enterprise risk mitigation frameworks for both Fortune 50 customers and beyond. In his spare time he has also chaired the Financial Services Technology Consortium committee on Mobile Security.

2:20 PM - 2:30 PM Coffee Break
2:30 PM - 3:20 PM


Topic: TBA

3:20 PM - 3:30 PM Break
3:30 PM - 4:30 PM

Charles Henderson

Director of Application Security Services, Trustwave SpiderLabs

Topic: TBA

Bio: Charles Henderson is the Director of Application Security Services in Trustwave's SpiderLabs. He has been in the information security industry for over fifteen years. His team specializes in application security including application penetration testing, code review, and training in secure development techniques. The team's clients range from the largest of the Fortune lists to small and midsized companies interested in improving their application security posture. Charles routinely speaks at various conferences around the world (including past Black Hat, SOURCE, IAFCI, OWASP AppSec USA, OWASP AppSec Europe, and Merchant Risk Council events) on various subject matters relating to application security.

4:30 PM Closing Remarks