[SC-L] CALL FOR TRAINING PROVIDERS - OWASP AppSec Europe 2009 Poland
CALL FOR TRAINING PROVIDERS - OWASP AppSec Europe 2009 Poland.

The Call For Presentations sent out earlier can be found on the OWASP web site here: http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_CFP

May 13th–14th 2009, OWASP will hold its annual European Application Security conference in wonderful Kraków, Poland. The Conference consists of two days of training sessions on May 11th–12th, followed by a two-day conference with 2 different tracks. In 2008, we attracted great European and international speakers and trainers in Belgium, and we hope to achieve the same again in 2009. This year we organise the conference together with OWASP Poland and Confidence2009 (http://2009.confidence.org.pl/lang-pref/en/), a conference in the same venue on May 15th-16th.

We are seeking people and organisations that want to provide training courses on any of the following topics:
- Business Risks with Application Security.
- Starting and Managing Secure Development Lifecycle Programs.
- Web Services-, XML- and Application Security.
- Application Threat Modeling.
- Hands-on Source Code Review.
- Web Application Security Testing.
- OWASP Tools and Projects.
- Secure Coding Practices (J2EE/.NET).
- Technology specific presentations on security such as AJAX, XML, etc.
- Anything else relating to OWASP and Application Security.

The following conditions apply for people or organisations that want to provide training at the conference:
- Training provider should provide class syllabus / training materials.
- Proceeds will be split 75/25 (OWASP/Trainer) for the training class. The 75% for OWASP goes towards:
  - Classroom Rental, Conference Logistics/Registration, and Food.
  - OWASP Grants for Research Projects.
- Each classroom has a maximum capacity of 30 people; a minimum of 12 people must be signed up before a class is considered operational.
- Price per attendee: 2-Day Class €910 / 1-Day Class €455.
- Provider branded training materials to increase your exposure.
- Students are to bring their own laptops.
- Classes are to be focused around Application Security as mentioned above.
- Training provider must be an OWASP Member.

The call for trainings is out. The official closing date for receiving a synopsis of the training is February 1, 2009, with announcements on selected candidates to be provided the second week of February 2009. Complete training material will need to be submitted by May 1, 2009.

Training proposals should consist of the following information:
1. Trainer contact info (country of origin and residence, postal address, phone, e-mail).
2. Employer and/or affiliations.
3. Training synopsis, proposed training title, and a one paragraph description.
4. Brief biography, list of publications and papers.
5. Any significant presentation and educational experience/background.
6. Reason why this material is innovative or significant or an important training for the OWASP conference.
7. Please list any other publications or conferences where this material has been or will be published/submitted.
8. Will you perform hands-on labs / slides or both?
9. Provide a list of items/software needed for the training.
10. Optionally, any samples of prepared material or outlines ready.

We would appreciate your proposal using the provided EU09 training proposal template: http://www.owasp.org/images/1/16/OWASP_EU09_CFT_Template.doc. If you do not support the Word format, please include the plain text version of this information in your email.

Please submit your proposals to s...@owasp.org.

The conference page will be updated regularly: AppSecEU09 https://www.owasp.org/index.php/AppSecEU09

Please forward to all interested practitioners and colleagues.

Thank you,
Regards,
Seba
2009 EU Planning Committee Chair
s...@owasp.org
+32.478.504.117

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
[SC-L] Fwd: CALL FOR PRESENTATIONS - OWASP AppSec Europe 2009 Poland
Hi,

May 13th–14th 2009, OWASP will hold its annual European Application Security conference in wonderful Kraków, Poland. The Conference consists of two days of training sessions on May 11th–12th, followed by a two-day conference with 2 different tracks. In 2008, we attracted great European and international speakers in Belgium, and we hope to achieve the same again in 2009. This year we organise the conference together with OWASP Poland and Confidence2009 (http://2009.confidence.org.pl/lang-pref/en/), a conference in the same venue on May 15th-16th.

We are seeking presentations on any of the following topics:
- Web Services and Application Security
- Common Application related Threats and Risks
- Business Risks with Application Security
- Vulnerability Research in Application Security
- Web Application Penetration Testing
- OWASP Tools and Projects
- Secure Coding Practices
- Technology specific presentations on security such as AJAX, XML, etc.
- Anything else relating to OWASP and Application Security.

The call for presentations is out. The official closing date for receiving a synopsis of the presentation is February 1st, 2009, with announcements on selected candidates to be provided the second week of February 2009. Complete presentations will need to be submitted by the 1st of May 2009.

A call for refereed research papers will also be published in the coming weeks. The selected papers will also be presented at the conference.

This year, as per last year, any presenter will receive a free invitation to the conference. If required, OWASP can cover some of the travel costs associated with coming to the conference.

Please submit your presentation topics to s...@owasp.org.

The conference page will be updated regularly: AppSecEU09 https://www.owasp.org/index.php/AppSecEU09

Regards
Seba
2009 EU Planning Committee Chair
s...@owasp.org
+32.478.504.117
[SC-L] Invitation - OWASP AppSec Europe May 19-22 2008 - Belgium
Hi,

2 weeks left for the conference!

We would like to invite you to the European OWASP Application Security Conference! After successful OWASP Conferences in the United States (San Jose), Europe (Milan), Asia (Taiwan) and Australia (Queensland), we are back in Belgium: 5 tutorials and 2 conference tracks in the historic center of Ghent on May 19-22 2008!

More details and registration on http://www.owasp.org/index.php/AppSecEU08

The conference is stuffed with top notch presentations from industry recognized speakers and technical experts on the latest application security risks and trends.

Conference (May 21-22)

Keynotes
* The Great Information Security Scrap Yard Challenge (Mark Curphey)
* Software Security: State of the Practice 2008 (Gary McGraw)

Topics
* The OWASP ESAPI project - Dave Wichers
* Trends in Web Hacking Incidents: What's hot for 2008 - Ofer Shezaf
* Evaluation Criteria for Web Application Firewalls - Ivan Ristic
* HTML5 security - Thomas Roessler
* The OWASP Orizon Project internals - Paolo Perego
* Remo presentation (Input Validation) - Christian Folini
* Best Practices Guide: Web Application Firewalls (OWASP German chapter) - Alexander Meisel
* Google-Hacking and Google-Shielding - Amichai Shulman
* NTLM Relay Attacks - Eric Rachner
* PHPIDS Monitoring attack surface activity - Mario Heiderich
* Security in Agile Development - Dave Wichers
* Security framework is not in the code - Sam Reghenzi
* Exploiting Online Games - Gary McGraw
* SHIELDS: metrics, tools and Internet services to improve security in application developments - Domenico Rotondi
* Graph Analysis for WebApps: From Nodes to Edges - Simon Roses Femerling
* The OWASP Education Project - Martin Knobloch
* Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking - Matias Madou
* Threat Modeling for Application Designers & Architects - Shay Zalalichin
* Scanstud: Evaluating static analysis tools - Martin Johns
* Office 2.0: Software as a Service, Security on the Sidelines? - John Heasman
* How Data Privacy affects Applications and Databases - Dirk De Maeyer
* The OWASP Anti-Samy project - Jason Li
* Input validation: the Good, the Bad and the Ugly - Johan Peeters

Refereed paper track
* Refereed paper track keynote: Know Thyself! - Dieter Gollmann
* Refereed paper track selections:
  * SWF and the Malware Tragedy - fukami and Ben Fuhrmannek
  * Building and Stopping Next Generation XSS Worms - Arshan Dabirsiaghi
  * Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing - Andrew Petukhov and Dmitry Kozlov
  * The Need for Fourth Generation Static Analysis Tools for Security: From Bugs to Flaws - Evgeny Lebanidze
  * Preventing SQL Injections in Online Applications: Study, Recommendations and Java Solution Prototype Based on the SQL DOM - Etienne Janot and Pavol Zavarsky
  * Watch What You Write: Preventing Cross-Site Scripting by Observing Program Output - Matias Madou, Edward Lee, Jacob West and Brian Chess

New for AppSec Europe: there is an expo with technical vendor demos and a Capture the Flag event!

Tutorials (May 19-20)
* Building and Testing Secure Web Applications
* Leading the Development of Secure Applications
* Building Secure Rich Internet Applications
* Web Services and XML Security
* Open Source ModSecurity Training

OWASP Dinner (May 21)
At every conference we have an evening social event the first night. They are always fun and allow participants to have some unstructured time to mingle with the other attendees. This year's event will be a Flemish buffet with special Belgian beers at the Monasterium (near the conference location).

Cocktail Party (May 20)
In what is also becoming a tradition, there will be a cocktail party the night before the conference begins, sponsored by Breach Security. The free and open for all conference attendees event will be held at the Vintage Wine Bar at 6:30pm (near the conference location). We would appreciate it if you let us know if you are coming so we can be ready; please mail [EMAIL PROTECTED] to confirm.

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about application security risks.

More details and registration on http://www.owasp.org/index.php/AppSecEU08

Hope to see you all in May!

Conference Committee
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org
2008 EU Planning Committee Chair: Sebastien Deleersnyder - Telindus - seba 'at' owasp.org
Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' cigital.com
Capture the Flag Chair: Pieter Danhieux - Ernst & Young - pieter.danhieux 'at' be.ey.com
Refereed Papers Chair: Lieven Desmet - KU Leuven - Lieven.Desmet 'at' cs.kuleuven.ac.be
[SC-L] Invitation - OWASP AppSec Europe May 19-22 2008 - Belgium
Hi,

We would like to invite you to the European OWASP Application Security Conference! After successful OWASP Conferences in the United States (San Jose), Europe (Milan), Asia (Taiwan) and Australia (Queensland), we are back in Belgium: 5 tutorials and 2 conference tracks in the historic center of Ghent on May 19-22 2008!

The conference is stuffed with top notch presentations from industry recognized speakers and technical experts on the latest application security risks and trends.

Conference (May 21-22)

Keynotes
* The Great Information Security Scrap Yard Challenge (Mark Curphey)
* Software Security: State of the Practice 2008 (Gary McGraw)

Topics
* The OWASP ESAPI project - Dave Wichers
* Trends in Web Hacking Incidents: What's hot for 2008 - Ofer Shezaf
* Evaluation Criteria for Web Application Firewalls - Ivan Ristic
* HTML5 security - Thomas Roessler
* The OWASP Orizon Project internals - Paolo Perego
* Remo presentation (Input Validation) - Christian Folini
* Best Practices Guide: Web Application Firewalls (OWASP German chapter) - Alexander Meisel
* Google-Hacking and Google-Shielding - Amichai Shulman
* NTLM Relay Attacks - Eric Rachner
* The Law of Conservation of Bugs - Gunnar Peterson
* Security in Agile Development - Dave Wichers
* Security framework is not in the code - Sam Reghenzi
* Exploiting Online Games - Gary McGraw
* SHIELDS: metrics, tools and Internet services to improve security in application developments - Eva Coscia
* Graph Analysis for WebApps: From Nodes to Edges - Simon Roses Femerling
* The OWASP Education Project - Martin Knobloch
* Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking - Brian Chess
* Threat Modeling for Application Designers & Architects - Shay Zalalichin
* Scanstud: Evaluating static analysis tools - Martin Johns
* Office 2.0: Software as a Service, Security on the Sidelines? - John Heasman
* How Data Privacy affects Applications and Databases - Dirk De Maeyer
* The OWASP Anti-Samy project - Jason Li
* Input validation: the Good, the Bad and the Ugly - Johan Peeters

Refereed paper track
* Refereed paper track keynote - Dieter Gollmann
* Refereed paper track selections

New for AppSec Europe: there is an expo with technical vendor demos and a Capture the Flag event!

Tutorials (May 19-20)
* Building and Testing Secure Web Applications
* Leading the Development of Secure Applications
* Building Secure Rich Internet Applications
* Web Services and XML Security
* Open Source ModSecurity Training

OWASP Dinner (May 21)
At every conference we have an evening social event the first night. They are always fun and allow participants to have some unstructured time to mingle with the other attendees. This year's event will be a Flemish buffet with special Belgian beers at the Monasterium (near the conference location).

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about application security risks.

More details and registration on http://www.owasp.org/index.php/AppSecEU08

Hope to see you all in May!

Regards
Sebastien

Conference Committee
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org
2008 EU Planning Committee Chair: Sebastien Deleersnyder - Telindus - seba 'at' owasp.org
Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' cigital.com
Capture the Flag Chair: Pieter Danhieux - Ernst & Young - pieter.danhieux 'at' be.ey.com
Refereed Papers Chair: Lieven Desmet - KU Leuven - Lieven.Desmet 'at' cs.kuleuven.ac.be
Re: [SC-L] Secure Coding Books
There is a list on http://www.owasp.org/index.php/Education_Module_Good_WebAppSec_Resources

I am currently reading Secure Programming with Static Analysis, which I like.

Regards
Seba

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Manico
Sent: vrijdag 7 maart 2008 16:40
To: Lawson, David L
Cc: sc-l@securecoding.org
Subject: Re: [SC-L] Secure Coding Books

How to Break Web Software is one of the best web security coder-centric books I have read. It's concise and useful.

Sent from my iPhone

On Mar 7, 2008, at 7:45 AM, Lawson, David L [EMAIL PROTECTED] wrote:

I've read several secure coding books in the past, and was wondering if anyone has recommendations for secure coding books (preferably from the last year or two).

Thanks,
David Lawson
[SC-L] challenge: 4 hour What_Developers_Should_Know_on_Web_Application_Security
Hi,

I am working out a proposal on this OWASP Education track: http://www.owasp.org/index.php/Education_Track:_What_Developers_Should_Know_on_Web_Application_Security

Assume a company that is convinced that they need to do something on web application security. They decide to send their developers on a 4-hour course on web application security.

Limitation: the course cannot be tuned to the company risk profile or development environment. I know this should be done, but amuse me on this one.

What would you add as minimal topics to cover?

Thx,
Seba
Re: [SC-L] statical analysis tools: language supports...
Hi,

Correction: Paros Proxy is owned and copyrighted by Chinotec Technologies Co.

OWASP provides another useful tool: WebScarab (http://www.owasp.org/index.php/OWASP_WebScarab_Project)

If you look for PHP security resources, http://www.owasp.org/index.php/Category:OWASP_PHP_Project can also be of help.

Regards,
Sebastien
Belgium OWASP Chapter Leader

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J. M. Seitz
Sent: woensdag 21 maart 2007 17:03
To: 'Indrek Saar'; 'Secure Coding'
Subject: Re: [SC-L] statical analysis tools: language supports...

RATS will do PHP as well; there is a plugin for Eclipse that will do static analysis on PHP code which is called Pixy. The next step would be to investigate some of the tools from SPI Dynamics; a few of them are black-box, but if you combine some black-box testing with some static analysis, add some fuzzing with Paros Proxy or JBrofuzz (both from OWASP), you should see some success.

The other thing to consider are some of the settings in the .ini file; configuration in PHP speaks volumes about security: kill register_globals, check the magic_quotes value, etc. Be aware that calls to include() have to be 100% correctly sanitized or you are asking for local|remote file includes, etc. ad nauseam.

Anyways, hopefully this points you in the right direction.

JS

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Indrek Saar
Sent: Wednesday, March 21, 2007 4:49 AM
To: Secure Coding
Subject: [SC-L] statical analysis tools: language supports...

Hi guys,

I have a question about source-code static analysis tools that are available on the market now. Are there tools that support C/C++, Java, PHP, Flash (ActionScript) all in one? Most of the tools support C/C++ and Java, but I have not found any that can handle PHP as well. Do you know some? Or have some information that some tool provider has a plan for supporting PHP? And Flash?

Indrek Saar.
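As an added example (not code from the thread, from OWASP or from any tool named in it), here is one way to apply the two PHP points J. M. Seitz raises: resolving a page parameter through an allow-list instead of handing it to include(), and refusing to serve requests while register_globals or magic_quotes_gpc is on. The ./pages template layout and the page names are assumptions, and the allow_url_include check is an addition beyond what the thread names.

```php
<?php
// Added example, not code from the SC-L thread: it hardens the two PHP issues
// the reply names, a user-controlled include() and risky php.ini directives.
// Assumed layout: page templates live under ./pages/<name>.php.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Allow-list of known templates. The request value is only ever a key into
// this table, never a path fragment, so "../", "php://" and remote URLs
// (the local/remote file include the thread warns about) cannot reach include().
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'about'   => 'about.php',
];
// Vulnerable pattern the reply warns about, shown only for contrast:
//     include $_GET['page'] . '.php';

/** Map a request parameter to a template path, or null if it is not allow-listed. */
function resolvePage($requested): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    // Belt and braces: even an allow-listed entry must resolve inside PAGE_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Return the php.ini directives that are enabled but should be off.
 * register_globals and magic_quotes_gpc were removed in PHP 5.4; on older
 * interpreters they must be off, and allow_url_include must be off everywhere.
 * ini_get() yields false for directives this PHP version does not know, which
 * filter_var() treats as "off", so unknown directives are never reported.
 */
function insecureIniSettings(): array
{
    $mustBeOff = ['register_globals', 'magic_quotes_gpc', 'allow_url_include'];
    $findings = [];
    foreach ($mustBeOff as $name) {
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = $name;
        }
    }
    return $findings;
}

// Usage: refuse to serve anything on a misconfigured interpreter, then dispatch.
$bad = insecureIniSettings();
if ($bad !== []) {
    http_response_code(500);
    exit('Refusing to run with insecure php.ini directives: ' . implode(', ', $bad));
}
$page = resolvePage($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

The ini check belongs in a front controller or bootstrap file so it runs before any request handling; on PHP 5.4 and later the two removed directives simply report as off.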