Above all else, Secure Development World offers its Attendees the invaluable opportunity to learn from the industry's most accomplished and skilled presenters. Our Speakers boast a wealth of expertise in secure development and will be available to share their insight with you throughout the duration of the Conference. Register now to become part of the ultimate Meeting of the Minds.
Our roster of Speakers is growing exponentially. Secure Development World will post their respective biographies as we receive them.
Jimmy Alderson, Intelguardians
Jimmy Alderson is a founder and Senior Security Consultant with Intelguardians. He is a member of the CVE Editorial Board and a founding member of the Behavioral Computational Neuroscience Group, which specializes in application of stratification theory. Jimmy was the author of the first Security Information Management system as well as the original pioneer of the use of Taps for performing intrusion detection on switched networks. He has been an active member of the security community since 1992 specializing in vulnerability assessments, penetration tests, code review, intrusion detection, architecture design/review, policy compliance, and product design. Jimmy is a co-author of the Syngress-published "Nessus Network Auditing" and other technical papers such as "Intrusion Detection on Switched Networks" and "Load balancing IDS". During his military service Mr. Alderson was one of two enlisted personnel to stand up the Naval Computer Incident Response Team where he performed as a SOC Analyst, Pen Tester, and liaison to the Naval Criminal Investigative Service. Since then he has provided security services for the US Navy and other commercial organizations as manager, consultant, trainer, analyst, pen tester, developer, and product manager.
The Self-Defeating Network
Many product vendors claim to have the answer to your security problems. It's been over fifteen years since commercial security tools first appeared on the market, but it's tough to understand where all our money went. In this presentation, I argue that the focus on preventing intrusions has diverted valuable time and resources away from the most basic aspect of digital security: understanding your enterprise. This talk will provide recommendations from security application and product operators that can feed the application security development lifecycle. Special emphasis will be placed on the sorts of data operators need to detect, understand, and recover from security incidents.
Richard Bejtlich, TaoSecurity
Richard Bejtlich is founder of TaoSecurity (www.taosecurity.com). He was previously a principal consultant at Foundstone. Richard created network security monitoring operations for ManTech and Ball Corporations. From 1998 to 2001 then-Captain Bejtlich defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT). Formally trained as an intelligence officer, Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote "The Tao of Network Security Monitoring" and "Extrusion Detection," and co-authored "Real Digital Forensics." He also writes for his Web log (taosecurity.blogspot.com) and teaches at USENIX.
Offshoring Development: Financial Dream or Security Nightmare?
As IT budgets continue to be squeezed and organizations struggle to find new ways to grow and innovate, identifying potential candidates for outsourcing moves higher on the CIO's "to do" list. Application development — including web applications — seems a logical choice considering the potential cost and time savings. But at what expense? Although there may be clear benefits to outsourcing web application development, there are also significant security risks to be considered. This presentation will discuss real-world cases of security failures due to the negligence of security in the outsourcing process and how such situations can be avoided through appropriate contractual terms and technical assurance.
Attendees will take away the following:
- Common security pitfalls in the outsourcing process
- The true impact of these pitfalls
- The responsibilities of the outsourcer and the development company
- Best practices, both contractual and technical, during the outsourcing process
Rohyt Belani, Intrepidus Group
Rohyt Belani is a Managing Partner and co-founder of the Intrepidus Group. Prior to starting Intrepidus, Mr. Belani held the positions of Managing Director at Mandiant, Principal Consultant at Foundstone and Researcher at the US-CERT. During his tenure in information security consulting, Mr. Belani has provided strategic security consulting to information security executives, and performed numerous technical security reviews of critical financial applications and networks. In addition he has assisted organizations in responding to high-exposure security incidents involving securities fraud, credit card theft, and cyber-extortion.
He is a contributing author for Osborne's Hack Notes - Network Security, as well as Addison Wesley's Extrusion Detection: Security Monitoring for Internal Intrusions.
Mr. Belani is a regular speaker at various industry conferences including Black Hat, OWASP, ASIS, Hack In The Box, Infosec World, DallasCon, CPM and several forums catering to the FBI and US Secret Service agents. He currently teaches a class at Carnegie Mellon University and has been invited to guest lecture at the University of Wisconsin.
As an industry expert he has opined on security issues via columns for online publications like Securityfocus and SC magazine, and interviews with international media including BBC UK Radio and Hacker Japan.
Mr. Belani holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University. He currently leads the OWASP Java Project, a world-wide consortium of Java security experts.
Anthony Bettini, McAfee
Anthony Bettini manages the Foundstone, HIPS, MPE, and MTIS research teams within McAfee Avert Labs. His professional security experience comes from working for companies like McAfee, Foundstone, Guardent, Bindview, and independent contracting. Anthony has spoken publicly at NIST's NISSC in the greater Washington, DC area on new anti-tracing techniques and has spoken privately for numerous Fortune 500 organizations. For Foundstone, Anthony published new vulnerabilities found in PGP, ISS Scanner, Microsoft Windows XP, and Winamp.
Models for Security Testing in the Software Development Lifecycle
What is the best model for developing secure software in your organization? There is general agreement in the industry that improving software security is a valuable endeavor, but implementing programs that generate positive, measurable results has eluded most companies. Questions arise about the lack of security expertise among development teams and lack of development expertise among security teams, and there is a misconception that the addition of security reviews will ultimately extend development schedules. At the same time, centralized decisions have to be made to define security policies, determine what constitutes a vulnerability, and prioritize remediation efforts according to available resources. What organizations need is a concrete model for security evaluation and a comprehensive task list detailing the roles and responsibilities for each group involved.
Several workable models for source code analysis in the software development lifecycle will be discussed. The talk will include models that give testing responsibility to developers, QA staff, or security teams, explaining the specific requirements for each approach as well as expected outcomes. Attendees will come away with a checklist to evaluate their current security efforts, initial steps they can use immediately to begin incorporating security testing procedures in their current development programs, and how to make the appropriate choice for their organization.
Ryan Berg, Ounce Labs
Ryan Berg is a Co-Founder and Chief Scientist for Ounce Labs, innovator of software assurance solutions. Prior to Ounce, Ryan co-founded Qiave Technologies, a pioneer in kernel-level security. Ryan holds patents and patents pending in multi-language security assessment, intermediary security assessment language, communication protocols, and security management systems.
Meeting Regulatory Requirements through Proper System Development
Following numerous corporate scandals near the turn of the century, various legislation was introduced imposing new regulatory requirements regarding the security of certain key information systems. The Sarbanes-Oxley Act of 2002 (SOX) is the most famous such legislation with its impact on publicly traded companies, but the Federal Information Security Management Act of 2002 (FISMA) and OMB Circular A-123 also have substantial impacts upon federal agencies. Meeting and evaluating these new security requirements represents a substantial cost to organizations.
System architects and developers can help mitigate these costs by understanding the regulatory environment, anticipating the security requirements for a developing system, and integrating the fulfillment of security requirements into the software development life cycle.
This presentation will accomplish the following:
- Describe the regulatory environment for both private and governmental organizations.
- Describe how to anticipate the specific security requirements on a per-system basis.
- Describe how to integrate security requirements into the SDLC.
Rex Booth, Grant Thornton
Rex Booth, CISSP, has over seven years of professional experience in application development and information security for government agencies, private industry, and financial institutions. During his tenure at previous employers, he developed complex distributed web-based applications in support of distance learning initiatives for up to 250,000 dedicated users. As a member of a managed security services team, Mr. Booth co-architected and implemented a scalable information aggregation solution for use in a real-time 24/7 IDS monitoring system. Since joining Grant Thornton, he has managed and assisted with multiple InfoSec projects auditing IT system controls, including SOX, OMB A-123, and FISMA engagements as well as identity management and system certification and accreditation efforts. Mr. Booth holds a Bachelor of Arts in both Computer Science and Political Science from Mary Washington College and a Master of Science in Information Systems and Technology Management from the University of Delaware.
Aaron Brazell, b5media
Aaron Brazell is the Technology Manager with b5media, Inc, a global new media network focusing in the areas of blogging and content production. He is responsible for the development, deployment and maintenance of over 200 blogs built on the widely popular open source blogging platform WordPress and works closely with WordPress developers in the extension of the community. As a result, he is an advocate for open source processes and development. He has over 10 years of combined development and systems experience in the open source world, as well as six years in government contracting. Prior to his work with b5media, Aaron worked for notable enterprise companies such as Northrop Grumman, Lockheed Martin and CSC. Aaron currently works from his home office in Baltimore, Maryland and travels the "Web 2.0" conference circuit throughout the U.S. and Canada meeting like-minded individuals and "web players". He relishes his role as an advocate for citizen journalism, with a mind to "teach a man to fish."
Web Application Hacking
Developers and Information Security Professionals have a common goal to work together to develop robust systems to enable business in a secure manner. Information assurance of such systems must take into account the Availability, Integrity and Confidentiality of the business or classified data at all times. Mr. Brennan will focus on the Software Development Life Cycle (SDLC) and discuss and demo classes of "bugs" in web applications. He will also provide expert insight and guidance on how to mitigate attacks and discuss the co-authored Open Web Application Security Project (OWASP) testing guide released in Feb 2007.
Tom Brennan, AccessIT Group
Tom Brennan specializes in providing business risk assessments and penetration testing of critical IT infrastructures. His technical focus includes web application, VOIP and Wireless. Tom's assessment methodology is based on the National Security Agency INFOSEC Assessment Methodology and the Open Source Security Testing Methodology Manual (OSSTMM). Tom is a co-author of the OWASP Version 2.0 testing guide for web application security and has been featured on NYC Channel 5 and Channel 7 as a subject matter security expert.
Tom was elected to the Board of Directors for the FBI/Department of Homeland Security, Infragard New Jersey Chapter, where he served from 2002-2004. Tom has been the New Jersey Chapter President of the Open Web Application Security Project (OWASP) since 2005. Tom has demonstrated his knowledge and experience by becoming a Certified Information Systems Security Professional (CISSP #54039) and is recognized as a Certified Ethical Hacker (C|EH) and instructor. In addition, he also holds multiple commercial product certifications from vendors such as Check Point, CyberGuard, Network Associates, Ironport, Microsoft, Cisco and others.
He is a member in good standing of the Computer Security Institute (CSI) and Information Systems Security Association (ISSA) #602855.
Tom was formerly with Data Safe Services, Datek Online (acquired by Ameritrade), Automated Data Processing (ADP), Pall Corporation and the United States Marine Corps, 2nd AAV, before joining AccessIT Group in 2005 as the Risk Assessment Practice Manager - www.accessitgroup.com
New Types of Attacks and Vulnerabilities in the Public Record
Not all of the newest, coolest security issues involve Web 2.0. In 2006 alone, over 7000 vulnerabilities were publicly reported in the Common Vulnerabilities and Exposures (CVE) list. Due to the volume of raw data, interesting discoveries can be lost in the noise, especially if they aren't published by well-known researchers for software with large installation bases. These problems might fly under the radar today, but they could become the research fad of tomorrow.
This talk will include up-to-the-minute vulnerability classes and attacks that have yet to be well-documented. It will cover common analytical errors and terminology issues that prevent a deeper appreciation of the weaknesses that lead to security problems. It will introduce the basic tenets of vulnerability theory, which is a framework for understanding and reasoning about vulnerabilities, including a vocabulary for discussing important security concepts. Vulnerability theory can be used to anticipate new security issues, instead of waiting and hoping that we'll notice them the next time we dare to drink from the Internet firehose.
Steven M. Christey, MITRE Corporation
Steve Christey is a Principal Information Security Engineer in the Security and Information Operations Division at The MITRE Corporation. Since 1999, he has been the Editor of the Common Vulnerabilities and Exposures (CVE) list and the Chair of the CVE Editorial Board. He is a technical consultant to the Common Weakness Enumeration (CWE) project. He is a contributor to standards-based efforts such as the SANS Secure Programming exams, the Common Vulnerability Scoring System (CVSS), and others. His current interests include secure software development, vulnerability information management, post-disclosure analysis, and vulnerability research. Past work, which dates back to 1993, includes co-authoring the "Responsible Vulnerability Disclosure Process" draft in 2002, reverse engineering of malicious code, automated vulnerability analysis of source code, and vulnerability scanning and incident response. He holds a B.S. in Computer Science from Hobart College.
Beyond the Coding Errors — The Complete View of Software Security
Security professionals and vendors have traditionally focused on blocking attacks and, more recently, addressing the underlying issue of coding flaws in application source code. However, ignoring software design elements built into the code itself, such as encryption, authentication, access control, and so on, may cause even greater exposure to internal and external threats. Many of the largest recent security and privacy breaches exploited software systems that violated simple, well-established design requirements and policies, which could have easily been verified before the applications went live. Organizations are being compelled by customers, regulations, and best practices guidance to identify these root causes of risk and eliminate them before they pose a threat to their business.
This talk will provide a practical discussion of the root causes of software risk, including the most common types of coding flaws, as well as the ways in which improper implementation of other security mechanisms can introduce risk into an application. Additionally, the course will discuss software security assurance processes that can mitigate these kinds of risks from the very beginning of the development lifecycle. The speaker draws upon decades of security industry expertise from both the government and commercial perspective, and will present case studies of experiences with effective software security assurance programs in place. Attendees will be given a checklist of baseline security and design policies for all Internet-facing applications as well as a step-by-step look at how to assess software security before it is deployed.
Jack Danahy, Ounce Labs
Jack Danahy is founder and CTO of Ounce Labs as well as one of the industry's most prominent advocates for software security assurance. Prior to Ounce Labs, he founded Qiave Technologies, a pioneer in kernel-level security that was acquired by WatchGuard Technologies in October of 2000. Previously, Jack served as Managing Director of Engineering for BBN/Genuity's managed security services.
Secure Development of Web Applications Using PHP
Web applications implemented in PHP have a bad reputation in the security arena, with almost daily reports of new vulnerabilities. Some say it is because this powerful and popular scripting language is used by amateurs who don't know how to code; others say it is because the language itself is insecure. Finger pointing and blaming games won't help the situation, so instead of arguing about the reasons leading to it, this presentation will provide a practitioner's look at how to address it.
Securing any web application boils down to properly validating user input and being mindful of the output generated. This presentation will focus on how to avoid getting bitten by the most common couple of web application vulnerabilities, XSS and SQL Injection. In the process a set of best practices will be developed and some quirks specific to PHP will be exposed.
Sebastien Diebler, Qualys
Concentrating on delivering a powerful user experience through the QualysGuard Web interface, Sebastien is in charge of the Web Application architecture at Qualys. He previously contributed to the automation of QualysGuard's internal distribution system and performance monitoring tools, and has worked on a myriad of projects to enhance the performance of the service's core engine. Sebastien has also worked on designing and implementing QualysMap, the network discovery process that produces a complete visual topology of customers' network perimeter devices. Prior to Qualys, Sebastien worked at Intrinsec, developing penetration tools and performing penetration testing.
Gadi Evron, Beyond Security
Gadi Evron works for the McLean, VA based vulnerability assessment solution vendor Beyond Security as Security Evangelist and is the chief editor of the security portal SecuriTeam. He is a known leader in the world of Internet security operations, and especially in the realm of botnets and phishing, and is also the operations manager for the Zeroday Emergency Response Team (ZERT). He is a known expert on corporate security and espionage threats. Previously Gadi was the Israeli Government Internet Security Operations Manager (CISO) and the Israeli Government CERT Manager, which he founded.
Tom Ferris, Adobe
Tom Ferris has gained a wealth of experience working as a Senior Security Researcher, Security Architect, and Research and Development Engineer. These roles drew on his analytical skills, reverse engineering, vulnerability research, knowledge of OS X and Windows security, research content development experience, and Python, C, and C++ coding. Tom is a Security Researcher with Adobe Systems, where he locates security vulnerabilities within all of Adobe's products and works with developers to get them fixed. He is the founder of Security-Protocols.com, and has released several important advisories on Windows, Mozilla, Internet Explorer, MAC, AOL, and QuickTime platforms. Mr. Ferris boasts extensive experience in programming languages such as C, C++, Python, Ruby, Perl, and ASM, and reverse engineering/vulnerability research tools such as SoftICE, Ollydbg, IDA Pro, PE Explorer, Process Explorer, Hex Editors, gdb, SPIKE framework, and other private fuzzing tools.
RESURRECTING THE DEAD: Integrating and Assessing Legacy COBOL Applications
Question: "Do you know how much of the world's money is transacted through COBOL applications?"
Answer: All of it
Dusty, old servers the size of minivans still house IBM and HP-based COBOL applications that are responsible for processing trillions of dollars. Most of these applications have never, and I mean never, been assessed or reviewed from a security perspective. Furthermore, it is becoming increasingly popular to integrate these legacy COBOL applications into new Service-Oriented Architectures and Web-accessible environments. This introduces a significant risk for major Government and Financial Institutions alike, as new, complex threats and injection points are created due to new functionality and communication links. This presentation will outline the new threats that are introduced due to modernization projects and their associated security countermeasures. Come see us blow the roof off the COBOL world: You'll laugh, you'll cry, and best of all you'll see COBOL code exploited in ways that would make your grandfather blush.
James C. Foster, Ciphent
James C. Foster is the President and Chief Scientist at Ciphent. Mr. Foster's speaking appearances at Microsoft, the National Press Club, and the Massachusetts Institute of Technology won him accolades as one of the world's foremost IT Security and Technology experts. In his extensive experience, Foster has worked with numerous government and top-tier commercial clients throughout the past decade solving key security and business challenges. These technical challenges included testing a wide variety of applications, infrastructures, and systems for known and previously unknown security flaws. Foster has also worked on a series of forensic engagements, application assessments, and code reviews for multiple clients and is a proficient code analyst for many programming languages. Considered to be an industry visionary, Foster has gained global recognition for his accomplishments in the Software Security arena. In addition to writing more books than anyone in the Security Industry, including Buffer Overflow Attacks, Writing Security Tools and Exploits, and Ultimate Programmer's Security Desk Reference, he has served as a contributing Editor at Information Security Magazine and SearchSecurity.com.
COTS vs. In-house: To Build or Not to Build
This topic will cover the risks, cost considerations, pros and cons of developing your own application security toolset in-house vs. buying a commercial product off the shelf. Critical considerations that must be made in order to make an informed decision will be covered. There will also be a focus on the must do's and do not's of developing in-house (including gaining the support, financial backing, and skills).
Willie Gonzalez, Computer Sciences Corporation
Willie Gonzalez is a Senior Security Architect for the Chemical group of Computer Sciences Corporation. This position utilizes his security expertise across some of CSC's largest Fortune 100 and government accounts. Having been with CSC for over five years, Willie has also held positions within CSC's Managed Security Services department, including Senior Security Engineer and Research & Development Lead, where he was responsible for presenting the tools that he and his team designed and architected to public and private industries. Prior to CSC, Willie worked at e-Security's Satellite Labs (SATLABS), where he designed and developed a Time Based Event Correlation Engine that utilizes polymorphic pattern matching. In his earlier years, he was published in The Hacker Diaries: Confessions of Teenage Hackers. Willie now brings over a decade of extensive experience in security incident response, the deployment of various security technologies, conducting security assessments, and leading security research & development teams.
David Klug, Booz Allen Hamilton
Dave is currently a Senior Information Assurance Consultant with Booz Allen Hamilton, providing strategic guidance and helping both operational and research clients achieve their Information Assurance goals. During his tenure with Booz Allen, he has played an instrumental role in a security testing lab by leading an integrated project team tasked to develop requirements, prototype technologies, and test GOTS/COTS security products, including encryption devices for wired and wireless applications in the Global Information Grid (GIG).
Dave's professional career began after earning a Bachelors Degree in Mathematics from the University of Virginia and a commission in the Air Force, with several years of operational experience providing command and control of communications satellites and nuclear armed Inter-Continental Ballistic Missiles. When Dave transitioned from the Air Force to civilian life he enthusiastically pursued a variety of IT and IT security focused roles in both small commercial and large government contracting companies such as West Interactive, Computer Sciences Corporation and General Dynamics providing leading edge security services for government, military, and commercial clients in their efforts to evaluate and improve their security postures.
Dave is experienced and comfortable in multiple operating systems, hardware platforms, and programming languages. His areas of expertise also include hands-on application development for advanced computer telephony systems, data warehousing, system security testing, Unix/Linux programming and systems administration. He has led small and medium-sized teams of engineers in performing full life cycle software development and enterprise security integration. Dave is committed to sharing what he has learned and has developed and taught several courses about penetration testing methodology and practice, and advanced Unix security, to dozens of students worldwide.
Top 10 Mistakes When Implementing an SDL
What you wish someone had told you before you started.
There is a lot you can learn about "baking" security into the SDLC from researching information on the web, reading books, and watching presentations. While many of these resources do a great job of telling you what to do in an ideal environment, few pay attention to something equally as important - what not to do. This presentation will cover the 10 biggest mistakes we have seen companies make when trying to integrate security into the SDLC. We will show you what problems to look for, how to make sense of what you find, and how to avoid making those mistakes. Everyone involved in the SDL process should come to this presentation as it is a great opportunity to learn from and discuss the mistakes often made by management, developers, and security teams alike.
Vincent Liu, Stach & Liu
Vincent Liu, CISSP, CCNA, is the Managing Director at Stach & Liu, a professional services firm providing advanced IT security solutions to the Fortune 500, national law firms, and global financial institutions. Before founding Stach & Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the Global Security unit at Honeywell International. Prior to that, he was a consultant with the Ernst & Young Advanced Security Centers and an analyst at the National Security Agency. In these roles, he gained extensive experience conducting risk assessments, performing application code reviews, and supporting incident response situations. Vincent is a developer for the Metasploit Project and a respected member of the security community. He is an experienced speaker and has presented his research at conferences including BlackHat, ToorCon, and Microsoft BlueHat. Vincent has been published in interviews, journals, and books with highlights including: Penetration Tester's Open Source Toolkit; Writing Security Tools and Exploits; Sockets, Shellcode, Porting, and Coding; and the upcoming Hacking Exposed: Wireless. Vincent holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology.
Certifying Applications for Known Software Security Weaknesses
The secure software development community is developing a standard dictionary of the weaknesses that lead to exploitable software vulnerabilities. The Common Weakness Enumeration (CWE) and related efforts are intended to serve as a unifying language of discourse and act as a measuring stick for comparing the tools and services that analyze software for security issues. Without a common, high-fidelity description of these weaknesses, efforts to address vulnerabilities will be piecemeal at best, only solving part of the problem. The various efforts at DHS, DoD, NIST, NSA, and in industry cannot move forward in a meaningful fashion, or with any hope of their efforts being aligned and integrated with each other, without agreement on the weaknesses we are trying to avoid. While the current driver for CWE is in code assessment tool analysis, we believe that CWE and its related efforts could have a broader impact.
In this talk you will find out what the government and others are up to in secure code analysis. We'll hit the highlights and details of some new activities, as well as what we have learned from running CVE for over 8 years and 23,000+ vulnerabilities. We will cover new types of information about code and design weaknesses, not to mention their associated attacks and vulnerabilities, and some concepts that you can exploit for your own benefit.
Robert A. Martin, MITRE
Robert A. Martin is a Principal Engineer at MITRE, a not-for-profit company that works in partnership with the government and industry to address issues of critical national importance. For the past 16 years, Robert's efforts have been focused on the interplay of risk management, cyber security, quality assessment and the use of software-based technologies. The majority of this time has been spent working on the CVE, OVAL, and CWE family of security initiatives and assessing the quality risks within software applications. A frequent speaker on the various quality and security issues surrounding software systems, Robert's risk assessment approaches have been applied to over 100 government systems and licensed by MITRE to 15 commercial and educational organizations. Robert joined MITRE in 1981 with a bachelor's and master's from Rensselaer Polytechnic Institute; later he earned an MBA from Babson College.
|
| :: TOP :: |
Can Secure Programming Skills Be Measured?
Ever since the first security flaw was discovered in a program, security professionals have wondered, "why don't programmers write secure code?" The answers are fascinating. In this fast-paced briefing Alan will show how programmers are actually taught and incented to write insecure code, how the education system has failed programmers and their employers, why security flaws are so hard to find, and how 300 companies and government agencies are joining together to establish examinations that allow them to measure the secure programming skills of their employees and consultants, their suppliers, and the job candidates they are considering hiring.
Alan Paller, SANS Institute
Alan Paller is director of research at the SANS Institute, the cooperative research and education organization whose 75,000 alumni are responsible for securing computer networks and systems in organizations throughout the world. SANS also operates the Internet Storm Center, the Internet's early warning system, and compiles the definitive weekly, quarterly, and annual lists of the most critical security vulnerabilities that must be fixed.
Alan has testified before both the US House of Representatives and the US Senate. In 2001 the President named him to the US National Infrastructure Assurance Council (NIAC), and in 2005, the Federal CIO Council selected him as one of two annual Azimuth Award winners. The awards recognize vision and outstanding service to the federal information technology community. In 2007 he was named by CIO Decisions magazine as one of the 100 most influential people in information technology. Earlier in his career, Alan was one of five entrepreneurs who built the first large computer graphics software company that earned listing on the NASDAQ exchange and then merged it into a New York Stock Exchange company. He is also the author of "The EIS Book: Information Systems for Top Managers" (Dow Jones, 1990) and "How To Give The Best Presentation of Your Life" (ISSCo, 1981). Alan's degrees are from Cornell University and the Massachusetts Institute of Technology.
Emerging Web 2.0 Application Security Trends
The dynamic nature of application environments necessitates continued vigilance and adaptation to new threats. This presentation starts by providing a brief history of web technologies and their associated vulnerabilities leading up to Web 2.0. The presentation then details the latest attack vectors and emerging security issues introduced by Web 2.0 technologies, such as SOAP, RSS, and AJAX. In addition, we will review, evaluate, and demonstrate new exploitation techniques and frameworks that target web applications. As the security industry continues to evolve at a rapid pace, it is important to evaluate innovative technologies and gain an understanding of the emerging vulnerabilities.
This session is designed for anyone who is involved in web application development, security, or management and wants to learn more about application security trends and vulnerabilities. It will provide an overview of traditional web application vulnerabilities; a discussion of emerging security threats for Web 2.0 technologies; and demonstrations of new attack techniques and tools. This session is aimed at the application security novice with a basic understanding of web applications, HTML, and JavaScript.
Jon Rose, Stach & Liu
Jon Rose, CISSP, MCSD, is a Senior Security Consultant at Stach & Liu, a professional services firm providing advanced IT security solutions to the Fortune 500, national law firms, and global financial institutions. Before his role at Stach & Liu, Jon was a Senior Security Engineer at Ernst & Young's New York Advanced Security Center (ASC). In this role, he conducted application assessments for Fortune 100 clients while also developing and delivering training classes including Secure Application Development and eXtreme Hacking. Prior to that, Jon consulted with a government-focused security firm based out of Washington, D.C. In this capacity, he performed security assessments and guided regulatory compliance for numerous federal agencies. Jon is an active researcher with the Stach & Liu Research Team and has developed a number of advanced application assessment tools. In addition to founding and presiding over the Phoenix OWASP chapter, he is a regular speaker and published author with highlights including the upcoming Hacking Exposed: Wireless. Jon holds a Bachelor of Business Administration from James Madison University with a major in Computer Information Systems.
Secure Coding in C and C++: Integral Security
Integers represent a growing and underestimated source of vulnerabilities in C and C++ programs. This presentation provides a detailed explanation of common programming errors in C and C++ involving integers and integral operations and describes how these errors can lead to code that is vulnerable to exploitation. This presentation uses examples from Microsoft Visual Studio and Linux/GCC and the 32-bit Intel Architecture (IA-32) but also describes how these issues can be addressed in a portable fashion. Material in this presentation was derived from the Addison-Wesley book Secure Coding in C and C++.
Robert C. Seacord, CERT
Robert C. Seacord is a senior vulnerability analyst at the CERT Coordination Center (CERT/CC) at the Software Engineering Institute (SEI) located at Carnegie Mellon University in Pittsburgh, PA. Seacord is the author of Secure Coding in C and C++ (Addison-Wesley, 2005) and coauthor of Building Systems from Commercial Components (Addison-Wesley, 2002) and Modernizing Legacy Systems (Addison-Wesley, 2003). Seacord has also authored more than 40 papers on topics including software security, component-based software engineering, web-based system design, legacy-system modernization, component repositories and search engines, and user interface design and development.
Seacord is an adjunct professor for the CMU School of Computer Science and a part-time faculty member at the University of Pittsburgh.
Seacord started programming professionally for IBM in 1982, where he specialized in communications and operating system software, processor development, and software engineering. Seacord has worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System. He also is actively involved in the JTC1/SC22/WG14 international standardization working group for the C programming language. Seacord received a BS in computer science from Rensselaer Polytechnic Institute in 1983.
Using Open Source Frameworks to Create Secure J2EE Applications
Preventing security vulnerabilities in J2EE is made difficult by its inherent complexity. In the past few years, however, open source frameworks have emerged that facilitate Java enterprise development. Although they are widely adopted, many of their built-in and customizable security features are sparsely used. In this talk, Rohit Sethi of Security Compass will talk specifically about using Struts, Spring and Acegi to help create secure applications. He will discuss how input & output validation, access control, session management, error handling, and logging can be facilitated by using some of the features built into these frameworks. By learning about these security features, developers can dramatically reduce the complexity of integrating security into their applications.
Rohit Sethi, Security Compass
Rohit Sethi, Manager of Professional Services, Security Compass, is a specialist in threat analysis, application security reviews, and building security controls into the software development lifecycle. Rohit has spoken and taught at Infosecurity New York and Toronto, the ISC2's Secure Toronto conference and at OWASP chapter meetings. At Security Compass, Rohit has taught courses on web application security in cities across North America. He has also performed extensive threat analysis, source code reviews, and penetration testing for clients in financial services, utilities, telecommunications and healthcare. He is often consulted as an expert for his dual expertise in information security and software engineering and is currently in the process of contributing to a book on J2EE security and writing a series of articles on application security for a major online security portal.
Nish Bhalla, Security Compass
Nishchal Bhalla, the Founder of Security Compass, is a specialist in product, code, web application, host and network reviews. Nish has coauthored "Buffer Overflow Attacks: Detect, Exploit & Prevent" and is a contributing author for "Windows XP Professional Security", "HackNotes: Network Security", "Writing Security Tools and Exploits" and "Hacking Exposed: Web Applications, 2nd Edition". Nish has also been involved in open source projects such as YASSP and OWASP, and is the chair of the Toronto Chapter. He has also written articles for SecurityFocus and has spoken at web seminars for Global Knowledge and the University of Florida.
SCIT Architecture to Enhance Security by Reducing Exposure Time
Networks and the systems that run on them have become essential to the operation of business enterprises, functioning of the global economy, and the defense of the nation. Yet these critical information systems remain vulnerable even with the recently increased focus on security. The problem stems in large part from the constant innovation and evolution of attack techniques. The increasing sophistication and incessant morphing of cyber attacks lend importance to the concept of intrusion tolerance: a critical system must fend off or at least limit the damage caused by unknown and/or undetected attacks. The current approach to security is based on perimeter defense and relies on prevention (firewalls) and intrusion detection. Both these approaches depend on a priori information. Thus, they are unable to defend against attacks exploiting newly identified vulnerabilities, and/or attack techniques that are yet unknown to the public. Our response to these formidable challenges is Self Cleansing Intrusion Tolerance (SCIT). SCIT represents a paradigm shift as compared to firewalls and IDSs.
Our underlying assumption is that all software is malleable — firewalls cannot prevent all attacks and intrusion detection cannot reliably detect all system breaches. In the SCIT approach, a server that has been online and exposed to attacks is assumed compromised. An online server is periodically cleansed and restored to a known clean state, regardless of whether an intrusion is detected or not. In this way SCIT reduces the exposure time of the server, while continuing to provide uninterrupted service. Modern virtualization technology is used in SCIT to provide an enhanced level of intrusion tolerance. The key features of the SCIT approach are:
- SCIT does not rely on prior knowledge of signatures or intrusion detection.
- SCIT uses hardware to ensure that its primitive operations are always implemented, i.e. no hacker can interfere with this process. We believe that hardware solutions are more reliable and more secure than software solutions.
- SCIT limits the exposure of systems to attacks. We have developed methods to reduce exposure to seconds. We are able to tune the exposure times to fit the situation — more valuable systems can be protected more.
- SCIT can be an additional layer of defense, complementing existing security measures such as IDS.
- SCIT helps manage the delayed-upgrades problem. System administrators often find it difficult to keep up with upgrades.
- SCIT is focused on protecting servers, as distinct from networks. Our approach relies on redundancy and virtualization technologies.
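As an added illustration of the rotation described above (my own model, not code from the SCIT project or the talk), the following Python simulates a pool of virtual server instances that alternate between an online exposure window and an offline cleanse from a pristine image, and checks how large a pool is needed to keep service uninterrupted at a chosen exposure time. The cycle lengths and pool sizes are constructed values.

```python
"""Toy model of a SCIT-style rotating server pool (constructed example).

Every instance repeats the same cycle: `exposure` seconds ONLINE (serving,
and therefore assumed compromised by the end of the window), then `cleanse`
seconds OFFLINE while it is restored from a pristine image. Instances are
staggered evenly across one period so that some are always serving.
"""
from math import ceil


def instance_offsets(n_instances: int, exposure: int, cleanse: int) -> list[int]:
    """Start offset (seconds) of each instance's cycle, spread evenly over one period."""
    period = exposure + cleanse
    return [(i * period) // n_instances for i in range(n_instances)]


def is_online(t: int, offset: int, exposure: int, cleanse: int) -> bool:
    """True if an instance whose cycle started at `offset` is serving at second t."""
    period = exposure + cleanse
    return (t - offset) % period < exposure


def online_at(t: int, n_instances: int, exposure: int, cleanse: int) -> list[int]:
    """Indices of the instances serving at second t."""
    offsets = instance_offsets(n_instances, exposure, cleanse)
    return [i for i, off in enumerate(offsets) if is_online(t, off, exposure, cleanse)]


def min_online(n_instances: int, exposure: int, cleanse: int) -> int:
    """Fewest instances serving at any second; one period is exhaustive because
    the schedule repeats."""
    period = exposure + cleanse
    return min(len(online_at(t, n_instances, exposure, cleanse)) for t in range(period))


def required_pool_size(exposure: int, cleanse: int, min_serving: int) -> int:
    """Smallest pool that keeps `min_serving` instances online continuously.

    Each instance serves for exposure/(exposure+cleanse) of the time, so the
    pool must supply at least min_serving*(exposure+cleanse)/exposure instances.
    Shortening `exposure` (the SCIT tuning knob) raises the pool size needed.
    """
    return ceil(min_serving * (exposure + cleanse) / exposure)


def foothold_remaining(t_compromise: int, offset: int, exposure: int, cleanse: int) -> int:
    """Seconds an intruder who lands on this instance at `t_compromise` keeps
    it before the scheduled cleanse wipes the instance (0 if it is offline)."""
    if not is_online(t_compromise, offset, exposure, cleanse):
        return 0
    return exposure - (t_compromise - offset) % (exposure + cleanse)


if __name__ == "__main__":
    exposure, cleanse = 60, 30          # constructed: 60 s serving, 30 s restore
    pool = required_pool_size(exposure, cleanse, min_serving=2)
    print(f"pool of {pool} keeps >= {min_online(pool, exposure, cleanse)} online")
    for t in range(0, exposure + cleanse, 15):
        print(f"t={t:3d}s online={online_at(t, pool, exposure, cleanse)}")
    print("foothold left after compromise at t=50:",
          foothold_remaining(50, 0, exposure, cleanse), "s")
```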
Arun Sood, George Mason University
Essential Custom Rules for Any Organization’s Adoption of a Static Analysis Tool
Code analysis tools implement a good amount of security guidance out of the box. Most effectively uncover buffer overflow, SQL injection and TOCTOU-based attacks. Getting real, deep value out of these tools means customizing them, though. Once accurate results demonstrate a properly tuned tool, implementing your own corporate security standards as custom rules may make sense as a starting point.
This talk will present and demonstrate a framework for selecting, prototyping and implementing custom rules that codify your own corporate security standards so that your organization's code can be programmatically scanned for compliance. Basing its technical content on the Fortify tool, Mr. Steven's talk will show hands-on creation, prototyping and execution of custom rules.
John Steven, Cigital
John Steven is a Technical Director with Cigital and a founding member of the company's Office of the CTO. He also holds the title of Principal for Cigital's Software Security practice. In these roles, John is responsible for creating Cigital's methodologies and building its knowledge collateral. His more than eight years of experience span consulting, distributed systems architecture, operating systems, and software quality and security research. Mr. Steven works closely with Cigital's largest clients to define and roll out enterprise security frameworks as well as security improvement and delivery programs. Mr. Steven combines experience in Cigital's Software Security, Quality Assurance, and Process Improvement practices to deliver innovative solutions to clients.
Mr. Steven designed and developed jRapture, a capture/replay tool with profiling support for the Java 2 platform. His work was presented at the 2000 International Symposium on Software Testing and Analysis (ISSTA). Mr. Steven has served on conference panels regarding software security, wireless security, and J2EE system development. Mr. Steven is currently under contract with Addison Wesley to publish a book on developing large-scale J2EE software securely. In addition to his extensive Java software development and testing experience, he has served as a technical advisor on large financial securities trading systems, including a J2EE municipal bond trading system. He is a published author and a sought-after reviewer of journal and conference submissions. Mr. Steven holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.
Secure Development with ASP.NET AJAX
AJAX is changing the way Web applications look and how they are developed, but Web developers are not aware of the security risks they are introducing into their applications with these emerging technologies. While most developers are aware of the importance of designing and testing for security in their applications, few of them are aware of the unique security implications of AJAX technologies. AJAX fundamentally changes the user experience and server interactions in Web applications, so developers may be taking otherwise secure applications and opening up new angles of attack for hackers by hastily adopting these new approaches without understanding their vulnerabilities. This talk will discuss and demonstrate the security pitfalls common in AJAX development. The talk will then introduce secure AJAX development principles for building secure AJAX applications for Microsoft's Atlas AJAX framework, complete with working examples of secure Atlas development.
Bryan Sullivan, SPI Dynamics
Bryan Sullivan is a development manager for SPI Dynamics (www.spidynamics.com), the leading provider of Web application security testing software and services. At SPI Dynamics, Bryan is in charge of development for the company's DevInspect and QAInspect products, which can automatically detect security vulnerabilities during the development and QA phases of the software development lifecycle. He is a frequent speaker at industry events, most recently Atlanta Code Camp and RSA 2007, and a published author. Bryan is currently co-authoring a book on AJAX security for the publisher Addison-Wesley, which will be published in the summer of 2007.
Deeper Injections: Command Injection Attacks Beyond SQL
More and more, developers are becoming aware of the threats posed by SQL injection vulnerabilities. While SQL is certainly the most popular type of command injection attack, there are several others that can be just as dangerous to your applications and your data. Much of the common wisdom concerning remediation of SQL (and other) injection attacks is inadequate and only serves to leave you with a false sense of security until the next time your application is compromised and your data stolen.
In this session, we will begin by briefly covering the concepts of SQL and blind SQL injection. We will continue by examining some other, lesser known, types of command injection attacks such as XPath injection and LDAP injection. Attacks will be performed on demonstration Web sites, and the potential damage to those sites will be shown. Finally, we will learn the correct programming patterns and practices (in both Java and C#) with which to protect our applications against all of these threats and others.
Bryan Sullivan, SPI Dynamics
Bryan Sullivan is a development manager for SPI Dynamics (www.spidynamics.com), the leading provider of Web application security testing software and services. At SPI Dynamics, Bryan is in charge of development for the company's DevInspect and QAInspect products, which can automatically detect security vulnerabilities during the development and QA phases of the software development lifecycle. He is a frequent speaker at industry events, most recently Atlanta Code Camp and RSA 2007, and a published author. Bryan is currently co-authoring a book on AJAX security for the publisher Addison-Wesley, which will be published in the summer of 2007.
Key Tools and Techniques for Building Secure Applications
In this talk, Dave Wichers will discuss the key challenges to achieving secure applications faced by most enterprises. From contracting through security testing, there are many free and commercial resources to help your organization improve its ability to produce secure code. We'll discuss all the tools, training, guides, methodologies, and other information available. We'll show how all these resources fit together to support your successful application security initiative.
Dave Wichers, Aspect Security
Dave Wichers is the COO and cofounder of Aspect, where he is responsible for running daily operations of the company. Prior to founding Aspect, Dave started and ran the application security practice at Exodus Communications, which provided a full suite of application security consulting services to Fortune 500 and other commercial companies starting in 1998.
Dave has focused on information security during his entire career, starting in 1988. His information security background spans the entire security engineering lifecycle, including software development, system security requirements, security architectures, secure designs, security policies, models, and system testing. He has supported the design and development of trusted operating systems, trusted databases, secure routers, multilevel secure guards, and large integrated systems for a wide variety of customers, including NSA, DoD, and Fortune 500 vendors and end customers.
Dave is a primary author of the OWASP Top 10 Web Application Security Vulnerabilities and is the OWASP Conferences Chair. He was also a primary contributor to the group responsible for creating ISO 21827, the Systems Security Engineering Capability Maturity Model (SSE-CMM).
Dave earned a B.S. summa cum laude in Computer Systems Engineering from Arizona State University and an M.S. summa cum laude in Computer Science from the University of California at Davis. Dave holds both CISSP and CISM certifications.
Practical Threat Modeling
Threat modeling is the process of organizing security-relevant information to support informed decisions about risk. In this talk, Jeff Williams will demonstrate how to use the techniques of threat modeling to analyze a software architecture to gain assurance quickly and efficiently. We'll analyze a security architecture, define threat zones, identify vulnerabilities, and create a prioritized action plan. This talk is based on highly successful techniques developed at Aspect Security and used for a decade to perform commercial application security architecture reviews.
Jeff Williams, Aspect Security
Jeff Williams is the CEO and a cofounder of Aspect, where he is responsible for strategic direction for the company and research and development efforts. Prior to founding Aspect, Jeff had a leadership role in the worldwide security consulting practice at Exodus Communications. Jeff also serves as the chair of the non-profit OWASP Foundation.
Jeff has specialized in information security since 1989 and has published numerous papers focused on practical risk and assurance techniques. Jeff has been writing code for 25 years in many different environments but has focused primarily on Java and J2EE security for the past 10 years.
Jeff is a primary author of the OWASP Top 10 Web Application Security Vulnerabilities and the OWASP Secure Software Development Contract Annex, and he leads several OWASP projects. He also chaired the group responsible for creating ISO 21827, the Systems Security Engineering Capability Maturity Model (SSE-CMM).
Jeff has undergraduate degrees in Psychology and Computer Science from the University of Virginia, an MA in Human Factors Engineering from George Mason University, and a JD cum laude from the Georgetown University Law Center, where he specialized in intellectual property and cyberlaw.