A day of talks hosted by the U of MN.
7:30 - Sign in and Coffee
8 AM - Josh Sokol Risk Management Like a Boss: Making Your Work for You 4 hour Hands On session for the SimpleRisk Tool. Limited Seating
12 PM - Lunch - Box Lunches provided
1 PM - Dan Cornell Managing Your Application Security Program with the Threadfix Ecosystem
2:30 PM Matt Tesauro Cloudkeep: OpenStack key management as a Service
3:30 PM Fosaaen & Gruber Building a GPU Cracking RIg (on the Cheap)
Risk Management Like a Boss: Making Your Risks Work for You
Arguably, the single most valuable skill that you can learn in Information Security today in order to improve your security posture for tomorrow is Risk Management. The simple process of identifying your risks, planning your mitigations, and performing reviews, puts your company squarely in the drivers seat when it comes to justifying its security expenditures in order to reduce risk. SimpleRisk is the only free and open source alternative to the bloated and expensive Governance, Risk, and Compliance (GRC) platforms out there and is being used by corporations of all sizes, around the world, to perform their risk management activities. During this half-day seminar, Josh Sokol, the Creator of SimpleRisk, will walk attendees through the basics of risk management using hands-on activities and the SimpleRisk tool. By the end of the course, attendees will have the knowledge necessary in order to deploy SimpleRisk in their environment, use it to manage their risks, and have a firm grasp on the processes involved in managing risks.
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped “HTTPSCan Byte Me” talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.
Managing Your Application Security Program with the Threadfix Ecosystem
ThreadFix is an open source application vulnerability management system that helps automate many common application security tasks and integrate security and development tools. This tutorial will walk through the capabilities of the ecosystem of ThreadFix applications, showing how ThreadFix can be used to:
- Manage a risk-ranked application portfolio
- Consolidate, normalize and de-duplicate the results of DAST, SAST and other application security testing activities and track these results over time to produce trending and mean-time-to-fix reporting
- Convert application vulnerabilities into software defects in developer issue tracking systems
- Pre-seed DAST scanners such as OWASP ZAP with application attack surface data to allow for better scan coverage
- Instrument developer Continuous Integration (CI) systems such as Jenkins to automatically collect security test data
- Map the results of DAST and SAST scanning into developer IDEs
The presentation walks through these scenarios and demonstrates how ThreadFix, along with other open source tools, can be used to address common problems faced by teams implementing software security programs. It will also provide insight into the ThreadFix development roadmap and upcoming enhancements.
Cloud Keep: OpenStack key management as a Service
This presentation will cover Cloud Keep, an open source project sponsored by Rackspace to build a secure, Cloud-ready key management solution. We hope to solve a need for our customers as well as other OpenStack projects, several of which have published blueprints around encryption recently (Cinder: https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes, Swift: https://blueprints.launchpad.net/swift/+spec/encrypted-objects). We will walk through our plans for the system, its technical architecture and demonstrate our current proof of concept implementation.
Building a GPU Cracking Rig (on the Cheap)
Password cracking has made major advances in recent years with the introduction of GPU-based cracking. Many organizations are turning to GPU cracking to audit passwords and ensure compliance with password complexity policies. In this talk, we will walk you through how we were able to build our own cracking system with high-end gaming parts, for minimal cost. We'll be honest and let you know how we screwed up and how we succeeded. Additionally, there will be demos of our GPU cracking rig's performance along with tips and tricks for building your own cracking box, both the cheap way and the right way.
When & Where
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas. The OWASP Minneapolis-St. Paul chapter was host to OWASP AppSec USA 2011 at the Minneapolis Convention Center September 20-23, 2011. Get the presentation material at http://www.appsecusa.org/.