By Dan Cornell
After OWASP AppSec 2009 last year everyone knows the OWASP DC folks can run a conference so I am looking forward to the upcoming OWASP DC con. Their next event will be held November 8th – 11th, 2010 at the Washington Convention Center. Denim Group has a couple of areas where we will be involved:
· Training: Software Security Remediation on Tuesday November 9th, 2010
· Session: Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
· Session: Smart Phones, Dumb Apps
For the training we will be giving the same class we did at OWASP AppSec 2010 in Irvine. The description is:
This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.
Please click here to register.
For the sessions we will be talking about smartphone security as well as application portfolio risk management. I will be giving a once-again-updated version of my “Smart Phones, Dumb Apps” presentation. The abstract is:
Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android. Many of these applications are constructed without fully considering the associated security implications of their deployment. Breaches can impact both users and the enterprise distributing the application, as attackers take advantage of expanded access to sensitive data and network services. This talk discusses emerging threats associated with deploying smartphone applications and provides an overview of the threat modeling process. The presentation then walks through example applications from an attacker’s perspective, demonstrating the sort of information attackers are able to extract to enable more advanced attacks.
This is a fun talk and you can see a preview of slides and code here: www.smartphonesdumbapps.com. I’ll have updated material (even since HouSecCon) so if you’ve seen it before I promise there will be new stuff.
I will also be presenting some new material we have been working on with some clients dealing with how to risk-rank applications in your portfolio and how to create structured assessment plans based on this data. The abstract is:
Far too often application security decisions are made in an ad hoc manner and based on little or no data. This leads to an inefficient allocation of scarce resources. To move beyond fear, uncertainty and doubt, organizations must adopt an approach to application risk management based on a structured process and quantitative data. This talk outlines such an approach for organizations to enumerate all the applications in their portfolio. It then goes through background information to collect for each application to support further decision-making. In addition, the talk presents an application risk-ranking framework allowing security analysts to quantitatively categorize their application assets and then plan for assessment activities based on available budgets. Attendees will leave with the knowledge and tools required for them to use the approach on the applications they are responsible for in their organization. Template spreadsheets and a How-To guide will also be provided.
Contact us if you would like to meet up in DC.
dan _at_ denimgroup.com