1. Dan Cornell: Smart Phones, Dumb Apps

  • Published: 2010-12-10T23:28:14+00:00
  • Duration: 5619
  • By OWASP

Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android. Many of these applications are built without fully considering the security implications of their deployment. Breaches can affect both users and the enterprise distributing the application, as attackers take advantage of expanded access to sensitive data and network services. In this talk, delivered at the December 7, 2010 OWASP Minneapolis-St. Paul (OWASP MSP) chapter meeting, Dan Cornell discusses the emerging threats associated with deploying smartphone applications. More information about OWASP is available at Follow OWASP MSP, host of the OWASP AppSec USA 2011 conference to be held in September 2011, at and

2. Building Predictable Systems Using Behavioral Security Modeling: Functional Security Requirements - John Benninghoff

Title: Building Predictable Systems Using Behavioral Security Modeling: Functional Security Requirements

Abstract: Behavioral Security Modeling (BSM), first presented at AppSec USA 2011 in Minneapolis, was conceived as a way of modeling interactions between information and people in terms of socially defined roles and the expected behaviors of the system being designed. By reducing the difference between the expected system behaviors and the actual system behaviors, we can manage the vulnerabilities that are inevitably introduced when the expected and actual system behaviors are out of alignment. BSM asserts that robust, secure information systems are best achieved through carefully modeling human/information interactions in social terms. Modeling human/information interactions starts with requirements gathering. While traditional security requirements describe how to "keep the bad guys from messing with our stuff," BSM functional requirements seek to define "what the good guys are allowed to do." To address this gap, we have developed a practical, SDLC-agnostic method for gathering functional security requirements by defining limits on interactions through a series of questions to identify and clarify constraints, as well as uncover hidden constraints. We will discuss the development of the methodology and demonstrate its use, as described in our white paper, including early experiences implementing the approach.

Speaker: John Benninghoff, Security Consultant, Transvasive Security

John Benninghoff started Transvasive Security to develop Behavioral Information Security, a new philosophy of security that draws on knowledge of how people behave and interact with information. He has spoken at national and regional security conferences, and writes regularly for his company blog at

John began his information security career when he was asked to build and deploy a Network IDS using free software (SHADOW) after returning from a SANS conference in 1998. John has experience in security policy, program management, incident response, identity management, and network security. John's accomplishments include developing a comprehensive vulnerability management program that effectively eliminated business outages due to network worms after it was implemented in 2001.

Date: Thursday October 25, 2012 10:00am - 10:45am
Location: AppSecUSA, Austin, TX. Hyatt Regency Hotel, NTObjectives Room.
Track: Developer
Presentation Slides:

3. Speed Debates

  • Published: 2014-12-01T15:47:28+00:00
  • Duration: 2757
  • By OWASP

Moderator: Matt has been involved in information technology and application development for more than 10 years. He is currently working at Rackspace in the Cloud product's application security team. Prior to joining Rackspace, Matt spent time as an application security consultant and spent several years as the "appsec guy" at a government agency. Matt's focus has been in application security, including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to the Secure SDLC efforts he has driven. He has taught both graduate-level university courses and for large financial institutions. Matt has presented and provided training at various industry events including the DHS Software Assurance Workshop, Agile Austin, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.

Speakers: Williams, Kevin

Robert Hansen (CISSP) is the Director of Product Management at WhiteHat Security. He is the former Chief Executive of SecTheory and Falling Rock Networks, which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Cable & Wireless doing managed security services, and for eBay as a Sr. Global Product Manager of Trust and Safety. Mr. Hansen contributes to and sits on the board of several startup companies.

Matt Johansen is a Sr. Manager for the Threat Research Center at WhiteHat Security, where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies' and their customers' data. Before this he was an Application Security Engineer, where he oversaw and assessed more than 35,000 web applications that WhiteHat has under contract for many Fortune 500 companies across a range of technologies.

Matt Konda has given numerous industry talks including the following: WindyCityRails - September 2013 - Insecure Expectations; Secure360 - May 2013 - Agile Security by Example; ChicagoRuby - April 2013 - Hack Night with brakeman, burp and secure_headers; OWASP Chicago Meeting - January 2013 - Rails Pitfalls; ChicagoRuby - December 2012 - Rails Security in the Wild; OWASP MSP Meeting - November 2012 - Builders Vs. Breakers; OWASP AppSec USA - October 2012 - Builders Vs. Breakers; Defcon SkyTalks - July 2012 - Builders Vs. Breakers; BSidesChicago - April 2012 - Builders Vs. Breakers; BSidesChicago - April 2011 - Builders Vs. Breakers. Those with slides are here: Matt provides training as part of his work, and is providing training as part of Lone Star Ruby: Lone Star Ruby - July 2013 - Attacking Rails, Defending Rails. Matt also led the collaborative effort to produce the OWASP Rails Security Cheat Sheet.

Jim Manico is an author and educator of developer security awareness trainings. He is a frequent speaker on secure software practices and is a member of the JavaOne "rockstar hall of fame". He has a 17-year history building software as a developer and architect. Jim is also a Global Board Member for the OWASP Foundation, where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including the OWASP Cheat Sheet Series and several secure coding projects. Jim is currently working on a book with McGraw-Hill and Oracle Press on Java Web Security. For more information, see

Mano 'dash4rk' Paul, SecuRisk Solutions: Christian, CyberSecurity Advisor and Strategist, Author, Shark Biologist, Entrepreneur, Security Trainer, Speaker, HackFormer, yada yada yada ... | Ask a resident of Hawaii what Mano means and they would say that it is one of the above. Do you know which one?

Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Josh manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Josh holds a CISSP certification and has spoken on dozens of security topics, including the much-hyped "HTTPSCan Byte Me" talk at BlackHat 2010.

Jeff Williams is a co-founder and CTO of Contrast Security, the world's fastest and most accurate application security technology. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation, where he created many open-source standards, tools, libraries, and guidelines, including the OWASP Top Ten, WebGoat, ESAPI, the XSS Cheat Sheet, ASVS and more. Jeff welcomes hearing from you and may be reached directly at [email protected]