2009 Software Security Track
Thursday, Oct 29, 2009

Registration and Continental Breakfast
8:00-8:30

Welcome
Andrea Cogliati, OWASP
8:30-8:45

OWASP Today. Featured project: Application Security Verification Standard
Rochester OWASP Board
8:45-9:45

Meet the Rochester OWASP board, and see why web application security matters and how OWASP can help you improve the security of your web applications. In the second half of the session, we will introduce one of the latest OWASP documentation projects: the Application Security Verification Standard (ASVS). ASVS is a specification produced by OWASP in cooperation with secure application developers and verifiers worldwide, for the purpose of accelerating the deployment of secure web applications. First published in 2008 as a result of an OWASP Summer of Code grant and meetings with a small group of early adopters, the ASVS documents have become widely referenced and implemented.

Best practices using regex for XSS filters
Kyle Adams
9:45-10:45

The best way to block XSS attacks on your application is to constrain and validate input and to encode output. And the best way to do that is to write regular expressions that only allow specific characters, apply formatting rules, and check lengths. These need to be applied to text fields for names, addresses, phone numbers, etc., as well as to other user input, including query strings and cookies. As Lead Software Architect for Mykonos, a secure web application framework for the enterprise, Kyle has lots of experience writing regular expressions to filter malicious input. He will share what he's learned, along with lots of examples for blocking known attack vectors.
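The approach sketched in the abstract, as an added example that is not the speaker's code: an allowlist regular expression per field, a length check before the regex runs, and HTML encoding of whatever is rendered. The field rules, sample inputs and helper names are constructed for illustration. The example also shows two things the abstract does not spell out: a blocklist regex for `<script` lets an `onerror` handler or a URL-encoded payload straight through, and `re.fullmatch` should be preferred over `^...$` with `re.match`, because `$` accepts a trailing newline. Output encoding, not input validation, is the control that actually neutralises markup, so even validated fields are encoded on output.

```python
import html
import re

# Allowlist rule per field: what the field MAY contain, and how long it may be.
# These rules are constructed for this example; tune them to your own data.
FIELD_RULES = {
    # letters (ASCII plus Latin-1/Latin Extended-A), space, hyphen, apostrophe
    "name": re.compile(r"[A-Za-z\u00C0-\u017F][A-Za-z\u00C0-\u017F' -]{0,63}"),
    # North American phone number, optional +1, optional separators
    "phone": re.compile(r"(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}"),
    # street address: alphanumerics plus a small punctuation set
    "address": re.compile(r"[A-Za-z0-9][A-Za-z0-9 .,#'/-]{0,127}"),
    # page identifier taken from a query string or cookie
    "slug": re.compile(r"[a-z0-9](?:[a-z0-9-]{0,30}[a-z0-9])?"),
    # free text: printable ASCII only; markup may come in and must be encoded out
    "comment": re.compile(r"[\x20-\x7E]{1,200}"),
}

MAX_RAW_LEN = 256  # reject oversized input before any regex work

# A blocklist regex of the kind often found in home-grown XSS filters.
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def validate(field, value):
    """Return value if it satisfies the field's allowlist rule, else None."""
    if not isinstance(value, str) or len(value) > MAX_RAW_LEN:
        return None
    # fullmatch anchors both ends; '$' with re.match would accept 'abc\n'
    return value if FIELD_RULES[field].fullmatch(value) else None


def blocklist_passes(value):
    """True if the naive blocklist would let the value through."""
    return SCRIPT_TAG.search(value) is None


def dollar_trap(value):
    """(re.match with ^...$ accepts?, re.fullmatch accepts?) for a lowercase-only rule."""
    return (re.match(r"^[a-z]+$", value) is not None,
            re.fullmatch(r"[a-z]+", value) is not None)


def render(field, value):
    """Validate on input, encode on output; None means the request is rejected."""
    clean = validate(field, value)
    if clean is None:
        return None
    return html.escape(clean, quote=True)


if __name__ == "__main__":
    # constructed inputs: one legitimate value and one payload per field
    samples = [
        ("name", "O'Brien-Smith"),
        ("name", "<img src=x onerror=alert(1)>"),
        ("phone", "(585) 555-0100"),
        ("phone", "555-0100; DROP TABLE users"),
        ("slug", "about-us"),
        ("slug", "%3Cscript%3E"),
        ("comment", '<b>"hi"</b> & bye'),
    ]
    for field, value in samples:
        print(f"{field:8} {value!r:40} blocklist={blocklist_passes(value)!s:5} "
              f"allowlist={validate(field, value) is not None!s:5} "
              f"rendered={render(field, value)!r}")
    print("re.match vs fullmatch on 'abc\\n':", dollar_trap("abc\n"))
```

The `name` payload and the URL-encoded `slug` payload both pass the blocklist and both fail the allowlist, which is the point of writing rules for what is permitted rather than for what is forbidden. The `comment` field deliberately admits angle brackets to show that encoding at render time still produces inert output.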

Break
10:45-11:00

From Rivals to BFF: WAF & VA Unite
Paul Schofield
11:00-12:00

For years there was a debate in the web application and data security world about which approaches are best: black box, white box, SDLC, vulnerability assessment (VA) services and software, Web Application Firewalls (WAF), etc. While it is true that with a limited budget anything can become competitive (a new copy machine versus a new coffee machine), the core value propositions of WAF and VA are distinct and complementary. This presentation will illustrate how integrating these solutions can enable more secure web application development and operations.

Lunch
12:00-1:00

Future of High Assurance Computing
Bruce Potter
1:00-2:00

For more than 40 years, computer scientists have researched mechanisms to make software systems more secure. From cryptographically assured boot processes to process segregation to capability-based operating systems, there are many fantastic concepts that modern-day engineers could leverage to build higher-assurance systems. Unfortunately, most of the attempts to apply these concepts have resulted in stunning failures. The few systems that have survived are relegated to niche markets and solutions that require much higher security than commodity COTS systems can provide.
With 40 years of failure under our belt, many of these high-assurance concepts have been written off. However, given the current threat environment many enterprises are facing, it may be time to re-examine some of them. Enterprises around the world, including banks, manufacturing companies, and even local governments, are finding that the defensive security mechanisms they have in place are becoming useless in the face of modern-day attackers. Phishing attacks are easy to carry out and can result in malware being placed deep within networks as well as total compromise of credentialing systems. Fed up with attempting to stop the attackers, some enterprises are turning their efforts toward detection of successful attacks, basically admitting that there is no effective defense available.
This talk will examine the history of high assurance computing. Then, using the backdrop of the current state of the attack space, this presentation will discuss why the current trend of defensive technologies (such as firewalls, proxies, host-based security, and policy engines) is unlikely to stop attackers. Finally, we will examine the current state of initiatives such as the Trusted Computing Group and discuss high assurance technologies that may be of use to developers in the next 3-5 years.

Testing Web Application Security
Ted Husted
2:00-3:00

Web applications are commonly used to transmit, accept and store data that is personal, company-confidential and sensitive. More enterprises are spending more time testing web applications, but many still do not integrate security testing into an application's overall test plan.
In this session, we will explore ways to integrate security testing into an application's end-to-end test plan, showing how security features can be exercised in unit tests, integration tests, and acceptance tests.
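One concrete shape for that integration, as an added example and not material from the session: a small constructed application (an HMAC-signed session cookie, a role check, and HTML encoding of reflected input) with unittest cases that exercise each control on its own at the unit level and through the request path at the integration level. Acceptance tests would drive the same checks against a deployed instance over HTTP and are not shown. The secret key, the user table, the handler and the test names are all assumptions made for this example.

```python
import hashlib
import hmac
import html
import io
import unittest

# --- application code under test (constructed for this example) ---
SECRET = b"constructed-example-key"          # assumption: per-deployment secret
ROLES = {"alice": "admin", "bob": "user"}     # assumption: a tiny user table


def sign_session(user):
    """Issue a cookie of the form user.mac so tampering with user breaks the MAC."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def current_user(cookie):
    """Return the username carried by an intact cookie, else None."""
    if not cookie or "." not in cookie:
        return None
    user, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def admin_page(cookie, greeting):
    """Admin-only page that reflects `greeting`; returns (status, body)."""
    user = current_user(cookie)
    if user is None:
        return 401, "login required"
    if ROLES.get(user) != "admin":
        return 403, "forbidden"
    return 200, f"<h1>Hello {html.escape(greeting, quote=True)}</h1>"


# --- security tests, written like any other tests in the plan ---
class SessionUnitTests(unittest.TestCase):
    """Unit level: the session control on its own."""

    def test_valid_cookie_round_trips(self):
        self.assertEqual(current_user(sign_session("bob")), "bob")

    def test_missing_cookie_is_anonymous(self):
        self.assertIsNone(current_user(None))
        self.assertIsNone(current_user("garbage"))

    def test_username_swap_is_rejected(self):
        forged = sign_session("bob").replace("bob", "alice", 1)  # keep bob's MAC
        self.assertIsNone(current_user(forged))


class AdminPageIntegrationTests(unittest.TestCase):
    """Integration level: controls exercised through the request path."""

    def test_anonymous_gets_401(self):
        self.assertEqual(admin_page(None, "x")[0], 401)

    def test_non_admin_gets_403(self):
        self.assertEqual(admin_page(sign_session("bob"), "x")[0], 403)

    def test_reflected_input_is_encoded(self):
        payload = "<script>alert(1)</script>"
        status, body = admin_page(sign_session("alice"), payload)
        self.assertEqual(status, 200)
        self.assertNotIn("<script>", body)
        self.assertIn("&lt;script&gt;alert(1)&lt;/script&gt;", body)


def run_security_tests():
    """Run both suites; return (all_passed, tests_run) for a CI gate."""
    loader = unittest.TestLoader()
    suite = unittest.TestSuite([
        loader.loadTestsFromTestCase(SessionUnitTests),
        loader.loadTestsFromTestCase(AdminPageIntegrationTests),
    ])
    result = unittest.TextTestRunner(stream=io.StringIO()).run(suite)
    return result.wasSuccessful(), result.testsRun


if __name__ == "__main__":
    unittest.main()
```

The negative cases (forged cookie, wrong role, reflected script) are the ones most often missing from a functional test plan; they are cheap to write once the controls are factored into functions that can be called directly, and they fail loudly if a later refactor drops the check.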

Sponsor Visitation Break
3:00-3:30

Keynote - Zen & The Art Of An Internal Penetration Testing Program
Larry Pesce, co-host of Pauldotcom.com
3:30-4:30

Larry will discuss why internal penetration testing is so important and then identify key components that must exist to create a successful program:
Getting Management Buy-In
Identify The Types Of Testing You Will Perform
Create A Workflow For Reporting
The presentation also provides several steps and tips for defining and developing your internal penetration testing program, including:
Target identification
Detect OS & Services
Identify Vulnerabilities
Exploitation
Post-Exploitation
Reporting
The intent is to provide a starting point, with a myriad of tips, to guide your organization in creating its own internal penetration testing program.

Attendee Reception
4:30-6:00

(All schedules are subject to change)