This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP NYC AppSec 2008 Conference

Revision as of 08:48, 31 July 2008 by Manopaul (talk | contribs)

Jump to: navigation, search


Last Update: 07/31/2008

Scroll down to see speaker agenda, and training options

Diamond Sponsor - Imperva_2color_RGB.jpg

Platinum Sponsor - 20080703021901%21Whitehat.gif - CenzicLogo_RGB.gif - Ibm.jpg

Gold, Silver & Other Sponsors - Isc2logo.gif - 50px-F5_50px.jpg - Aspect_logo.gif - Foundstone.jpg - Proactiverisk_logo.jpg - OunceLabs_logo.jpg - Fortify.jpg - Cigital_OWASP.GIF - Acuneti.gif - Accessit.JPG - Arctec.jpg - Airtight.gif - AOD_Logo.gif - Security_university.jpg - Breach_logo.gif - Logo_new_armorize_2_150dpi_%282%29.png ~ Sponsorsm.gif

Sponsorship Opportunities -- Press Registration -- Other OWASP Member Offers

With assistance from: WASC, NYM InfraGard, AITGlobal, NYC PHP, NYCBUG, NYC ISACA, NYC ISSA and Pace University you're invited to (2) days of Seminars and Technology Pavilion from the world's best application security technology minds, (2) days of hardcore hands-on training, all held at Pace University, located in downtown New York City at One Pace Plaza New York, NY 10038. Event Fees: $350 Members / $400 Non-Members / $200 for Students. 2 days of hands on training classes are also available.


2008 OWASP USA, NYC Conference Schedule – Sept 24th - Sept 25th

OWASP Speaker Agreement
Day 1 – Sept 24th, 2008
Track 1: Track 2: Track 3:
07:30-10:00 Doors Open for Attendee/Speaker Registration & Exhibit/Sponsor Area
09:00-09:45 OWASP Version 3.0 who we are, where we are.. where we are going

OWASP Foundation: Jeff Williams, Dinis Cruz, Dave Wichers, Tom Brennan, Sebastien Deleersnyder, Paulo Coimbra, Kate Hartmann, Alison Shrader & all local chapter leaders

10:00-10:45 Analysis of the Web Hacking Incidents Database (WHID)

Ofer Shezaf

Web Application Security Road Map

Joe White

DHS Software Assurance Initiatives

Stan Wisseman & Joe Jarzombek

11:00-11:45 Web Security Education using Open Source Tools

Prof. Li-Chiou Chen & Chienitng Lin, Pace Univ

Http Bot Research

Andre M. DiMino - ShadowServer Foundation

MalSpam Research

Garth Bruen

12:00-13:00 Capture the Flag Sign-Up

LUNCH - Provided by event sponsors @ TechExpo

12:00-12:30 Cross-Site Scripting Filter Evasion

Alexios Fakos

Framework-level Threat Analysis: Adding Science to the Art of Source-code review

Nishchal Bhalla

Automated Web-based Malware Behavioral Analysis

Tyler Hudak

13:00-13:45 OWASP Testing Guide - Offensive Assessing Financial Applications

Daniel Cuthbert

WAF ModSecurity

Ivan Ristic

How the City of New York Uses Layer8 and OWASP to Secure Web Applications

David Stern & Roman Garber

14:00-14:45 Logic Attacks and Inefficiencies of Robotic Detection

Robert "RSnake" Hansen, CEO SecTheory

OWASP Testing Guide - Reverse Engineering .NET

Adam Boulton

JBroFuzz 0.1 - 1.1: Building a Java Fuzzer for the Web

Yiannis Pavlosoglou

15:00-15:45 Industry Outlook Panel: Mark Clancy EVP CitiGroup, Jim Routh CISO DTCC, Sunil Seshadri CISO NYSE-Euronet, Warren Axelrod SVP Bank of America, Joe Bernik SVP, RBS,Jennifer Bayuk Infosec Consultant & Philip Venables CISO, Goldman Sachs

Mahi Dontamsetti Moderator

Wild Wild Web on Security Planet

Mano Paul, CEO SecuRisk Solutions

Multidisciplinary Bank Attacks

Gunter Ollmann

16:00-16:45 OWASP Enterprise Security API (ESAPI) Project

Jeff Williams & Jim Manico

Shootout @ Blackbox Corral

Larry Suto

Case Studies: Exploiting application testing tool deficiencies via "out of band" injection

Vijay Akasapu & Marshall Heilman

17:00-17:45 Threading the Needle:

Bypassing web application/service security controls using Encoding, Transcoding, Filter Evasion, and other Canonicalization Attacks Arian Evans

Shhhh Don’t Tell Anybody

Petko D. Petkov

W3AF Open Source App Scanner

Andres Riancho

18:00-18:45 OWASP Live CD

Joshua Perrymon

Coding Secure w/PHP

Hans Zaunere

Payment Card Data Security and the new Enterprise Java

Dr. B. V. Kumar & Mr. Abhay Bhargav

20:00-23:00 OWASP NYC AppSec 2008 VIP Party

Location: TBD

Day 2 – Sept 25th, 2008
08:00-10:00 BREAKFAST - Provided by event sponsors @ TechExpo
08:00-08:45 State of the Union

Prof. Howard A. Schmidt, CISSP, CISM (Hon.) Current (ISC)² Security Strategist and Former White House Cyber Security Advisor

Best Practices Guide: Web Application Firewalls

Alexander Meisel

The Good The Bad and The Ugly - Pen Testing VS. Source Code Analysis

Thomas Ryan

09:00-09:45 Good vs. Evil JavaScript

Jeremiah Grossman

OWASP V2 Testing Guide 4.2.3 Spidering and Googling in depth

Christian Heinrich

OWASP Web Services Top Ten

Gunnar Peterson

10:00-10:45 OWASP Update

Dinis Cruz/Jeff Williams + Surprise Guest

Help Wanted 7 Things You Need to Know APPSEC/INFOSEC Employment

Lee Kushner

APPSEC Analyst w/ Forrester Research

Chenxi Wang

11:00-11:45 CLASP (Comprehensive, Lightweight Application Security Process)

Pravir Chandra

Next Generation Cross Site Scripting Worms

Arshan Dabirsiaghi

Secure Software Impact

Jack Danahy

12:00-12:45 Security in Agile Development

Dave Wichers

Security of Software-as-a-Service (SaaS)

James Landis

Open Reverse Benchmarking Project

Marce Luck & Tom Stracener

12:00-13:00 Capture the Flag Status

LUNCH - Provided @ TechExpo

13:00-13:45 Security Research Report

Dinis Cruz

Pantera Advances

Simon Roses Femerling

Lotus Notes Insecurity

Jian Hui Wang

14:00-14:45 Practical Advanced Threat Modeling

John Steven

Owasp Orizon

Paolo Perego

Building Usable Security

Zed Abbadi

15:00-15:45 Input validation: the Good, the Bad and the Ugly

Johan Peeters

Off-shoring Application Development? Security is Still Your Problem

Rohyt Belani

NIST SAMATE Static Analysis Tool Exposition (SATE)

Vadim Okun

16:00-16:45 Vulnerabilities in application interpreters and runtimes

Erik Cabetas

Flash Parameter Injection (FPI)

Ayal Yogev & Adi Sharabani

Mastering PCI Section 6.6

Taylor McKinley and Jacob West

17:00-17:45 Wizdom of Crowds / CTF Awards & Raffles
18:30-19:30 OWASP Foundation, Chapter Leader Meeting


Technology Pavilion - September 24th and 25th

Want to see the latest offerings from technology product and service firms, visit the Technology Pavilion. On September 24th and 25th. 2 full days of exhibits by service providers and manufacturers from around the world.

Do you want to preview the event space Click Here

OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008

T1. Defensive Programming - 2-Days - $1350
This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. The instructor Pravir Chandra is well known security expert, project lead for OWASP CLASP project and former co-founder & CTO of secure software Learn More Here

Instructor: Jason Rouse, Technical Manager, Cigital_OWASP.GIF

T2. Secure Coding for Java EE - 2-Days - $1350
This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:
  1. Java EE security overview,
  2. All coding examples and recommendations are specifically focused on Java and Java servers, and
  3. 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.

Learn More Here

Instructor: This tutorial is provided by longtime OWASP contributor: Aspect_logo.gif

T3. Web Services and XML Security - 2-Days - $1350
The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. Learn More Here

Instructor: Gunnar Peterson Arctec.jpg

T4. Advanced Web Application Security Testing - 2-Days - $1350
Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. Learn More Here

Instructor: This tutorial is provided by longtime OWASP contributor: Aspect_logo.gif

T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675
In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. Learn More Here

Instructor: This tutorial is provided by longtime OWASP contributor: Aspect_logo.gif

T8. Writing Secure Code ASP.NET - 2-Days - $1350
Understand the key security features of the .NET platform, the common web security pitfalls developers make, and how to build secure and reliable web applications using ASP.NET. Students are lead through hands on code examples that highlight issues and prescribe solutions. Learn More Here

The instructors are Foundstone's Technical Director, Rudolph Araujo and Foundstone's Professional Services Conlultant, Alex Smolen. Foundstone.jpg



Hotels in the area of the event

New York City MTA:

New York City Subway & walking directions:

New York Sights & Sounds - SightsSounds

New York City Travel Guide -

New York City Attractions -

New York TV Show Tickets - Get free tickets to TV shows! -

New York City local news:


The OWASP Conferences & Training security technologists including CSOs,admins, application admins, MIS directors, homeland defense chiefs. These important influencers drive buying decisions exclusive access to its audiences. OWASP has established strategic relationships with security—print publications, newsletters, portals, consultants,message—and leadership positioning OWASP events. OWASP’s mission is supported by organizations who share our application, and software security communities. This approach should be part of your mix.

Sponsorship Opportunities- Register online: click here