OWASP Tampa Day 2011
Monday, June 20, 2011 from 9:30 AM to 3:00 PM (EDT)
The 1st ever OWASP Tampa Day will take place on Monday, June 20th at Tampa International Airport (TPA). This FREE event will feature presentations aimed at providing developers and Information Security professionals with an introduction to application security. However, ALL are welcome to attend. Attendees will leave the event with a greater understanding of how and when to integrate application security principles into their daily processes and procedures. Additionally, attendees will learn how common attacks are performed and how to mitigate them.
| Time | Session | Presenter / Sponsor |
|---|---|---|
| 9:30 to 10:00 | Registration & Refreshments | Sponsored by Qualys |
| 10:00 to 10:15 | Welcome | Justin Morehouse |
| 10:15 to 11:15 | Analysis of Deadly Combination of XSS and CSRF | Sherif Koussa |
| 11:15 to 11:30 | Break | Sponsored by Qualys |
| 11:30 to 12:30 | How to Defend the Universe from Evil-doers: A Guide for Software Developers and Security Teams | Bruce Jenkins |
| 12:30 to 13:00 | Lunch | Sponsored by WhiteHat Security |
| 13:00 to 14:00 | PCI for Developers: Lessons from the Real World | Trevor Hawthorn |
| 14:00 to 14:15 | Break | Sponsored by Stratum Security |
| 14:15 to 14:45 | Top Website Vulnerabilities: Trends, Business Effects and How to Fight Them | Rinaldi Rampen |
| 14:45 to 15:00 | Closing Remarks & Giveaways | Justin Morehouse |
Sherif Koussa, Principal Application Security Consultant, Software Secured
Analysis of Deadly Combination of XSS and CSRF
Flashback to April 11th, 2009 as a major attack targeted Twitter and led to a huge embarrassment for this famous social media network. This presentation will delve into the details of the attack, what happened and how cross-site scripting (XSS) and cross-site request forgery (CSRF) played a major role. We will explore the insides of the real attack, including inspecting the actual malicious code utilized by the attacker. Attendees will gain an understanding of how malicious code exploits weaknesses and how to better secure your web applications from similar attacks.
Bruce Jenkins, Managing Consultant, Fortify Software
How to Defend the Universe from Evil-doers: A Guide for Software Developers and Security Teams
Software security is often a bolt-on afterthought for dealing with potentially serious yet non-functional product issues. However, software developers frequently have neither the time nor inclination to deal with anything but functional enhancements and bug fixes identified in their defect tracking system. The Security Group, having a corporate mandate to “secure the enterprise,” unmercifully throws at the Dev Team an enormous list of non-actionable “issues” derived from dynamic and static security testing. The Project Lead is naturally and legitimately concerned about release schedules, which are now understandably threatened by unfocused approaches to security issue identification and mitigation. Add to this a mixture of overt distrust and skepticism between the Security Group and software developers, and organizations are left with a pile of suspected security issues and no resolution in sight. The CISO, meanwhile, could not care less about minutiae such as Cross-Site Request Forgery, but instead is focused on reducing business risk.
“Status quo” or “save the day”? The answer is obvious, but getting there is easier said than done. This presentation outlines the dysfunction common in organizations attempting to tackle software security assurance. The message ultimately focuses on what developers and security teams alike can do to lift themselves out of the quagmire in support of their C-level, who is endeavoring to prevent the next TJX- or Heartland-like security event.
Trevor Hawthorn, Managing Principal, Stratum Security
PCI for Developers: Lessons from the Real World
Any organization that stores, processes, or transmits credit card data must comply with the Payment Card Industry's (PCI) Data Security Standards (DSS). PCI can be daunting even for compliance and security experts. If you are a developer, it can be a major headache. Sooner or later the day will come when you (or your developers) will need to integrate PCI into your Software Development Lifecycle (SDLC). During this talk Trevor will discuss what is required to meet PCI compliance, and examine how a wide variety of organizations tackle their compliance obligations.
Rinaldi Rampen, Director, Solutions Architecture, WhiteHat Security
Top Website Vulnerabilities: Trends, Business Effects and How to Fight Them
Website attacks continue to prevail despite the best efforts of enterprises to fight them. Websites are an ongoing business concern and security must be assured all the time, not just at a point in time. And yet, most websites were exposed to at least one serious vulnerability every day of 2010, leaving valuable corporate and customer data at risk. Why?
In this presentation, Rinaldi will explore a new way to measure website security, Window of Exposure, that tracks an organization's current and historical website security posture. Window of Exposure is a useful combination of vulnerability prevalence, how long vulnerabilities take to get fixed, and the percentage of them that are remediated. By carefully tracking these metrics, an organization can determine where resources would be best invested.
Using data from WhiteHat's 11th Website Security Statistics Report, based on assessments of over 3,000 websites, Rampen will reveal the most secure (and insecure) vertical markets and the Windows of Exposure of each. Find out how your industry ranks, and the top ten vulnerabilities plaguing your peers. Attendees will also learn how to determine which metrics are critical to increasing their remediation rates, thereby limiting their Window of Exposure. The good news is that companies that take this approach are increasing remediation rates by 5 percent per year.
WhiteHat Security is the leading provider of website risk management solutions that protect critical data, ensure compliance and narrow the window of risk. WhiteHat Sentinel, the company’s flagship product family, was launched in 2003. WhiteHat Sentinel is the most accurate, complete and cost-effective website vulnerability management solution available.
Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions — delivered as a service. Qualys' Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures.
Stratum Security is an information security services firm that provides services to clients worldwide. Their list of successful engagements ranges from large multi-national enterprises to small start-ups in a wide array of industries, including finance, insurance, retail, hospitality, education, health care, government, technology, energy, and telecommunications.
- Parking at Tampa International Airport will be FREE with validation. Validation stickers will be handed out during the event, so make sure to bring your parking ticket with you to the event. Please park in the short term or long term parking garages (NOT the Marriott Hotel's parking).
- Once you enter the Airport, proceed to the 3rd floor. The Boardroom is on the 3rd level of the main terminal building (Located near the Airside A Shuttle, follow the hallway between the barbershop and the Earhart elevators).
A reminder that you may be able to earn 4 CPE credit hours for attending OWASP Tampa Day 2011. CPE verification information will be provided during the event's Closing Remarks.
OWASP - Tampa Chapter
The Open Web Application Security Project (OWASP) is an international organization and the OWASP Foundation supports OWASP efforts around the world.
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.