OWASP MSP and DC612 Present the Annual

Day of Security Talks

Featuring Bill Cheswick, legendary figure behind the network firewall concept and co-author of Firewalls and Internet Security.

Credit cards online only. Use "Other Payment Options" during ordering for check / money order / invoice.

If paying by check or money order please make it payable to OWASP on the day of the event. We place food orders based on the number of registrants. You must register in advance for this event.

Thank you to our generous sponsors!

A BIG thank you goes out to the Office of Internal Audit and OIT Security at the University of Minnesota for sponsoring the event location.

Please e-mail lorna.alamri@owasp.org if you would like to sponsor this event.

Date: Friday, October 8th, 2010

Location: Northstar Ballroom (Second Floor), University of Minnesota - Twin Cities St. Paul Student Center, 2017 Buford Avenue, St. Paul, MN 55108

Doors open for check-in at 8:00 AM. Opening remarks at 8:30 AM, first speaker at 9:00 AM. Boxed lunch at noon.

Registration closes at 9:00 PM Central Time on Wednesday, October 6, 2010.

You must register in advance for this event.

Speakers:

KEYNOTE: Bill Cheswick

Lead Member of Technical Staff, AT&T Labs Research

See Bill's profile.

9:00 AM - 9:50 AM

We're happy to announce our keynote, Bill Cheswick. Bill is a legendary figure behind the network firewall concept and co-author of Firewalls and Internet Security, one of the most influential books on the topic. Bill coined the term "proxy" under its current technical meaning and is a creator of the Internet Mapping Project. On October 8 Bill will discuss one of the most fundamental aspects of security: the password.

Topic: Rethinking Passwords

Passwords and PINs are used everywhere these days, but their use is often painful. Traditional password advice and rules are seldom appropriate for today's threats, yet we labor with the password rules and servers of yesteryear. Strong passwords are weakening our security, and it is time to fix that.

There are numerous proposals for new password solutions. Bill will present a few half-baked ideas. But Bill says there are good solutions available now.

We are facing much more worrisome security challenges: we ought to get this easy stuff right. 

Bio: Bill Cheswick logged into his first computer in 1968. Seven years later, he was graduated from Lehigh University in 1975 with a degree resembling Computer Science. Cheswick has worked on (and against) operating system security for over 35 years. He has worked at Lehigh University and the Naval Air Development Center in system software and communications. At the American Newspaper Publishers Association/Research Institute he shared his first patent for a hardware-based spelling checker, a device clearly after its time.

For several years he consulted at a variety of universities doing system management, software development, communications design and installation, PC evaluations, etc.

Ches joined Bell Labs in December 1987, where he became postmaster and firewall administrator and designer. In 1990 he published a paper on firewall design that coined the word "proxy" in its current meaning. He followed this with "An Evening With Berferd", and then the publication of "Firewalls and Internet Security; Repelling the Wily Hacker", co-authored with Steve Bellovin. This book taught Internet security to a generation of administrators. In 1998, Ches started the Internet Mapping Project with Hal Burch. This work became to core technology of a Bell Labs spin-off, Lumeta Corporation. Ches has pinged a US nuclear attack submarine (distance, 66ms).

During his sabbatical over the winter of 2007 he worked on science museum including an upgrade for the Liberty Science Center's digital darkroom.

He joined AT&T Research in Florham Park in April 2007 and is working in security, visualization, user interfaces, and a variety of other things. He is a frequent keynote speaker at securty conferences.

Ches has a wide interest in science and medicine. In his spare time he reads technical journals, hacks on Mythtv and his home, and develops exhibit software for science museums. He eats very plain food - boring by even American standards. 

Andrew Becherer

Senior Security Consultant, iSEC Partners

10:00 AM - 10:50 AM

Topic: Attacking Kerberos and the New Hadoop Security Design

The Kerberos protocol provides single sign-on authentication services for users and machines. Its availability on nearly every popular computing platform - Windows, Mac, and UNIX variants - makes it the primary choice for enterprise authentication. However, simply "adding a dash of Kerberos" does not make a magically secure network or application. Kerberos is a complicated protocol whose comprehensive description requires dozens of RFCs. To use it securely requires a careful dance between protocol designers, service developers, and system administrators – the kind of dance that never quite stays in step.

The Hadoop project's Hadoop Distributed File System and MapReduce engine comprise a robust, open source distributed computing platform. Hadoop is in use at many of the world's largest online media companies including Facebook, Fox Interactive Media, LinkedIn, Powerset (now part of Microsoft), and Twitter. Hadoop is entering the enterprise as evidenced by Hadoop World 2009 presentations from Booz Allen Hamilton and JP Morgan Chase. Hadoop has also been elevated to the "cloud" and made available as a service by Amazon and Sun. What the heck is it? Can it be secure? What do I do if I discover it on a network I am testing?

When Hadoop development began in 2004 no effort was expended on creating a secure distributed computing environment. In 2009 discussion about Hadoop security reached a boiling point. The developers behind Hadoop decided they needed to get some of that "security" stuff. After a thorough application of Kerberos, Hadoop is now secure, or is it?

This talk will provide an introduction to Kerberos attack scenarios, describe the new Hadoop security model and Kerberos's (limited) role in it. This talk aims to determine whether Hadoop was made any more secure through the application of Kerberos.

Bio: Andrew Becherer is a Senior Security Consultant with iSEC Partners, a strategic digital security organization. His focus is web application and mobile application security. Prior to joining iSEC Partners, he was a Senior Consultant with Booz Allen Hamilton. Mr. Becherer spent several years as a Risk and Credit Analyst in the financial services industry. His experience in the software security field - consulting financial, non-profit and defense sectors - has provided him experience with a wide range of technologies.

Mr. Becherer has lectured on a number of topics including emerging cloud computing threat models, virtualization, network security tools and embedded Linux development. At the Black Hat Briefings USA 2009, Andrew, along with researchers Alex Stamos and Nathan Wilcox, presented on the topic "Cloud Computing Models and Vulnerabilities:Raining on the Trendy New Parade." Andrew's research on this topic focused on the effect of elasticity and virtualization on the Linux pseudorandom number generator (PRNG). At Black Hat USA 2008, he was a Microsoft Defend the Flag (DTF) instructor and, he is a recurring speaker at the Linuxfest Northwest conference. In addition to his educational outreach work with user groups, he is a member of several nationally recognized organizations. These organizations include the Association of Computing Machinery (ACM), FBI InfraGard, and the Open Web Application Security Project (OWASP).

Mr. Becherer received a B.S. in Computing and Software Systems from the University of Washington, Tacoma, and holds a B.A. in Sociology from the University of Kentucky.

Joe Teff

Vice President - Manager Security Code Review, Wells Fargo

Board Member, OWASP MSP

11:00 AM - 12:00 PM

Topic: Can you implement a static analysis program using the OWASP Code Review Guide?

Many companies are looking at implementing a static analysis program. This discussion will look at the OWASP Code Review Guide and the role it can play in developing a static analysis program. There are many decisions that need to be considered in building a program. We will look at these decisions and discuss the the options available.

Box lunch will be served at noon.

Charles Henderson

Director of Application Security Services, Trustwave SpiderLabs

1:30 PM - 2:20 PM

Topic: Global Security Report

From January 1, 2009 to December 31, 2009, Trustwave's SpiderLabs performed approximately 1,900 penetration tests and over 200 security incident and compromise investigations around the world.

This presentation will be a summary of the results of the analysis of the data gathered during 2009. The results will be presented in terms of both technical and business impact analysis.

Bio: Charles Henderson is the Director of Application Security Services in Trustwave's SpiderLabs. He has been in the information security industry for over fifteen years. His team specializes in application security including application penetration testing, code review, and training in secure development techniques. The team's clients range from the largest of the Fortune lists to small and midsized companies interested in improving their application security posture. Charles routinely speaks at various conferences around the world (including past Black Hat, SOURCE, IAFCI, OWASP AppSec USA, OWASP AppSec Europe, and Merchant Risk Council events) on various subject matters relating to application security.

Jason Rouse

Principal Consultant, Cigital

2:30 PM - 3:20 PM

Topic: Mobile Security

Mobile applications enable millions of users to be more productive, have more fun, and interact with their world in more ways than ever before. We're approaching mobile applications with many of the same tried-and-true approaches that we've used in more traditional software, but what are the dangers? Mobile architectures run the gamut from simple web-based applications optimized for mobile displays to custom-built handset-specific applications that can interact directly with the mobile operating system. This talk will explore the hybrid mobile/web application approach, and discuss the threads binding it together - information protection and convergence. Mobile devices are unique in that they offer one of the most potentially hostile environments imaginable - privacy, compliance, and capture protection top the charts as the three most difficult issues facing mobile applications and those who use them. This talk will dive into specifics on what are today "mobile-only" threats; that is, those issues such as location-based services or text messages, and discover how they can be compromised, and how security practitioners can protect them and the back-end applications that service them.

Bio: Jason Rouse brings over a decade of hands-on security experience while plying his craft at many of the leading companies in the world. He is currently responsible for many activities at Cigital including leading the mobile and wireless security practice, performing security architecture assessments, and being a trusted advisor to some of the world's largest development organizations. Jason is passionate about security, splitting his time between running Cigital's mobile and wireless practice and leading cutting-edge security projects around the world. At Cigital, in addition to his other responsibilities, Jason is also responsible for the creation of durable, actionable artifacts spanning the entire continuum of software security - from development standards to enterprise risk mitigation frameworks for both Fortune 50 customers and beyond. In his spare time he has also chaired the Financial Services Technology Consortium committee on Mobile Security.

Andre "Dre" Gironda

Application Security Expert

3:30 PM - 4:30 PM

Topic: Application Assessments Reloaded

Trying to integrate Business Software Assurance into Enterprise Risk Management and Information Security Management programs has had issues over the years. Penetration testing was announced dead over a year ago, but it's still the number one choice of application security professionals when starting out. Can the activities from penetration testing be re-used and turned into something innovative?

Tools (especially application scanners and secure static analysis tools) have error rates so high, they are useless in the hands of newcomers (even for peripheral security testing). Some organizations have built entire applications around or on top of existing appsec tools. Others are looking to use other kinds of tools, such as process/methodology/workflow tools, to enhance their classic penetration testing tools.

Even the testing/inspection methodologies themselves are outdated and we're finding that they are challenging or repetitive in many environments. How do current appsec tools and testing/inspection methods work in the cloud? If we re-run the same kinds of tests during dev-test, software quality, and application security cycles, aren't we wasting valuable time and effort?

This presentation will provide discussion around how to solve many of these and other challenges in application security. The focus will be on web applications that use common technologies (HTTP, SQL, Classic XML/HTML, Javascript, Flash) but also updated to today's standards (RESTful transactions, NoSQL, HTML5, Ajax/Json, Flex2).

Bio: Andre got his start on Unix-TCP/IP hacking before the September that never ended. Bored of embedded platform research by the time the dot-Bomb happened, he joined the largest online auction company and worked as an appsec consultant for many years. He is known for his quirky mailing list posts and blog comments - and at one time wrote for tssci-security.com.