Conference Program - OWASP AppSec USA 2011

More documents

Recommendations

Info

KeynotesMark CurpheyIt’s a homecoming: OWASP AppSec USA 2011’s September22 morning keynote (8:30-9:20) will be OWASP founder MarkCurphey, who will reflect on community.OWASP Foundation Board DiscussionThe OWASP Foundation Board discussion will be held duringlunch (12:30-13:30) September 22, 2011. We welcome JeffWilliams (Chair), Tom Brennan, Eoin Keary, Matt Tesauro,Dave Wichers, and incoming board member Michael Coates.* Sebastien Deleersnyder will not be able to attend due to ascheduling conflict.Ira WinklerThe famous real world spy author Ira Winkler will be theSeptember 23 morning keynote (8:30-9:30).Moxie MarlinspikeMoxie Marlinspike of SSL cracking fame will be keynoting overlunch September 23 (12:30-13:30).The TalksAndroid Security, or This is not the Kind of “Open” I Meant…Mike ParkAndroid phones and applications are rapidly gaining marketshare and becoming more popular. While the availability ofmultiple Android Markets provides users with greater choice,it also provides attackers more opportunities.Not only are Android applications plentiful, but the platformand security model means the apps are easy to abuse. Thispresentation will expose the security issues associated withAndroid Apps and how attackers take advantage of them.These include the ease with which Android Apps can bereversed, the ability to store sensitive data locally, and howthese apps can be trojaned to access personal information onthe device.The presentation will demonstrate the use of various opensource tools for reversing Android Apps, as well as the useof the Android SDK features for pen testing, again includingtechniques and fast demos. Solutions to app and marketplacesecurity will be covered as well.Application Security Advisory Board SDLC PanelGlenn Leifheit (moderator), Andreas Fuchsberger, AjoyKumar, Richard Tychansky, Alessandro MorettiCompanies are increasingly concerned about the risks tocustomer data and the potential damage to their reputationshould a breach occur, but many are failing to recognize thatsoftware remains a significant weak spot in security defenses.Attackers are increasingly targeting the software and applications,rather than the infrastructure or operating system, as away in to the organization.The (ISC)²/Creative Intellect Survey on the State of SecureApplication Lifecycle management, conducted late lastyear to understand the impact of security on the softwaredevelopment and delivery process, found that managers arejeopardizing secure software delivery, but they are not alone.This panel will identify who we need to influence in the SDLCprocess to ensure security is considered at the beginning ofthe process and discuss five tips for approaching them.Application Security and User ExperienceAlex SmolenYou might think application security and usability are a zerosumgame. Strong password policies, tight access controls,and cycle-burning cryptography improve system securitybut hamper the user experience. From a security advocate’sperspective, it’s important to minimize risk, even if it makesa system hard to use. But what if introducing strict securitymechanisms actually increases risk? When do security and usabilitycomplement, rather than detract from, each other?No application is solely technical. Systems operate within asocial context. People define, build, and use systems, andtheir needs and capabilities affect the security of a system.Ignoring the users’ perspective when evaluating systemsecurity neglects an important attack surface - the humanmachineinterface.Security mechanisms should be a barrier to attackers, but notfor every user in the system. Draconian security measurescan actually have the opposite effect of making systems lesssecure. Users demand more and more usable software, butsecurity departments shouldn’t have to compromise. Instead,security mechanisms should be designed with the user andthe attacker in mind, so tradeoffs between security and usabilitycan be minimized or avoided entirely.6
Application Security Debt & Application Interest RatesChris WysopalArchitects and developers are well aware of the term technicaldebt but many in the security community have never heardof this concept. Ward Cunningham, a programmer who developedthe first wiki program, describes it like this:“Shipping first time code is like going into debt. A little debtspeeds development so long as it is paid back promptly witha rewrite… The danger occurs when the debt is not repaid.Every minute spent on not-quite-right code counts as intereston that debt. Entire engineering organizations can be broughtto a stand-still under the debt load of an unconsolidatedimplementation, object-oriented or otherwise.”The cost of technical debt is the time and money it will taketo rewrite the poor code after you ship and bring it back tothe quality required to maintain the software over the longhaul. Using debt in the financial world costs more absolutedollars than not using debt but it allows financial flexibility todo things you couldn’t do without using debt. It’s this flexibilitythat makes debt a valuable business tool. Technical debtallows development teams to meet a ship deadline or get aparticular feature out to customers quickly which ultimatelyserves the business.Application Security Debt:We can think of all the latent vulnerabilities in a piece ofsoftware as its application security debt. Security debt accumulatesover time as more code is written without performingsecurity processes during the development life cycle. A projecttakes on a lot of debt during the design phase if there is nothreat modeling or architecture risk analysis performed. Thiswill translate into costly redesign work at a later date. If codeis written without using static analysis or following securecoding guidelines then security bugs are going to get into thefinal application that will eventually need to be eliminated at ahigher cost. The more code that is written this way the moresecurity debt accumulates.AppSec Inception - Exploiting Software CultureJeff WilliamsNo matter how fast you are at playing vulnerability whack-amole,eventually the moles always win. If you truly want toget in front of application security, you have to start looking atchanging your software development culture. In this talk, Jeffwill share experiences with multiple approaches to changingsecurity culture, going back to the late-80’s. Not surprisingly,few of these approaches have made any difference. OWASPrepresents a new approach, and is an interesting experiment7in how we change software culture worldwide. Jeff will extractand clarify the lessons from OWASP that you can use in yourown organization to bootstrap a software culture that generatessecurity.Behavioral Security Modeling: Eliminating Vulnerabilitiesby Building Predictable SystemsJohn BenninghoffIn addressing the human behavioral aspects of InformationSecurity, we’ve largely failed as a profession. Historically,we’ve tried to force people to adapt to the technology webuilt, and then blame the user when they fail to use it properly– the talking point is, “people are stupid, and you can’tfix stupid,” or “People should know better,” as discussed in arecent SANS ISC Diary posting on CVE-0. (http://isc.sans.org/diary.html?storyid=10933) Security Awareness training, one ofthe few tools we have to address people problems, has beenand continues to be poorly executed. At best, Awarenessexplains security rules well enough so that we can fire peoplewhen they break them, and at worst is a series of postersasking people to “do good things,” or tries to make themsecurity experts, with no evidence that it is even effective.Although we have started to improve, our understanding ofhuman/computer interaction (in the security context) is poor,and we do little, if any, to understand the motivation and behaviorof both external attackers as well as internal personnel.Behavioral Information Security, (BIS) A formal methodologyto manage information risk, derived from knowledgeof how humans behave and interact with information, is anew philosophy of information security that places peoplein the center of the model, and can be used to design andimplement security architectures and controls based on ourunderstanding of people. Borrowing from other professions,BIS seeks to develop practical tools for security practitioners,with the ultimate goal of reducing the cost and improving theeffectiveness of information security. This talk will introduceBehavioral Information Security, and Behavioral Security Modeling;a tool developed using BIS principles.Blackbox Android: Breaking “Enterprise Class” Applicationsand Secure ContainersMarc Blanchou, Justine Osborne, Mathew SolnikThe Android platform is growing in popularity and is quicklybeing adopted in the enterprise environment. In order tofacilitate this adoption, security solutions have been developed,such as “secure containers” which claim to provideenterprise grade security for Android devices. There is anincreasing need to be able to assess the security claims ofsuch “Enterprise Class” Android software vendors. Yet there
Page 3 and 4: Welcome to OWASP AppSec USA 2011, a
Page 5 and 6: TALKS: Friday, September 23, 2011Ab
Page 7: MORE EVENTS:Tuesday, September 20,
Page 11 and 12: ESAPI 2.0 - Defense Against the Dar
Page 16: surface and vectors to protect next
Page 22 and 23: Application Security,Risk, & Compli
Page 24: Web Application Security PayloadsAn
Page 28 and 29: Downtown Minneapolis26
Page 30 and 31: Platinum Sponsors:Security Innovati
Page 32 and 33: Silver Sponsors:Aspect Security spe
Page 34 and 35: Notes:32

Conference Program - OWASP AppSec USA 2011

Create successful ePaper yourself

Delete template?

Save as template?