[SC-L] CALL FOR TRAINING PROVIDERS - OWASP AppSec Europe 2009 Poland

2009-01-10 Thread Sebastien Deleersnyder
CALL FOR TRAINING PROVIDERS - OWASP AppSec Europe 2009 Poland.

The Call For Presentations sent out earlier can be found on the OWASP web
site here: http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_CFP.

May 13th–14th 2009, OWASP will hold its annual European Application Security
conference in wonderful Kraków, Poland. The Conference consists of two days
of training sessions on May 11th–12th, followed by a two-day conference with
2 different tracks.

In 2008, we attracted great European and international speakers and trainers
in Belgium, and we hope to achieve the same again in 2009. This year we
organise the conference together with OWASP Poland and
Confidence 2009 (http://2009.confidence.org.pl/lang-pref/en/),
a conference in the same venue on May 15th-16th.

We are seeking people and organisations that want to provide training
courses on any of the following topics:

   - Business Risks with Application Security.
   - Starting and Managing Secure Development Lifecycle Programs.
   - Web Services-, XML- and Application Security.
   - Application Threat Modeling.
   - Hands-on Source Code Review.
   - Web Application Security Testing.
   - OWASP Tools and Projects.
   - Secure Coding Practices (J2EE/.NET).
   - Technology specific presentations on security such as AJAX, XML, etc.
   - Anything else relating to OWASP and Application Security.

The following conditions apply for people or organisations that want to
provide training at the conference:

   - Training provider should provide class syllabus / training materials.
   - Proceeds will be split 75/25 (OWASP/Trainer) for the training class.
     The 75% for OWASP goes towards:
       - Classroom Rental, Conference Logistics/Registration, and Food.
       - OWASP Grants for Research Projects.
   - Each classroom has a maximum capacity of 30 people; a minimum of 12
     people must be signed up before a class is considered operational.
   - Price per attendee: 2-Day Class €910 / 1-Day Class €455.
   - Provider branded training materials to increase your exposure.
   - Students are to bring their own laptops.
   - Classes are to be focused around Application Security as mentioned
     above.
   - Training provider must be an OWASP Member.

The call for trainings is out. The official closing date for receiving a
synopsis of the training is February 1, 2009, with announcements on selected
candidates to be provided the second week of February 2009. Complete
training material will need to be submitted by May 1, 2009.

Training proposals should consist of the following information:

   1. Trainer contact info (country of origin and residence, postal
   address, phone, e-mail).
   2. Employer and/or affiliations.
   3. Training synopsis, proposed training title, and a one paragraph
   description.
   4. Brief biography, list of publications and papers.
   5. Any significant presentation and educational experience/background.
   6. Reason why this material is innovative or significant or an important
   training for the OWASP conference.
   7. Please list any other publications or conferences where this material
   has been or will be published/submitted.
   8. Will you perform hands-on labs / slides or both?
   9. Provide a list of items/software needed for the training.
   10. Optionally, any samples of prepared material or outlines ready.

We would appreciate your proposal using the provided EU09 training proposal
template http://www.owasp.org/images/1/16/OWASP_EU09_CFT_Template.doc. If
you do not support the Word format, please include the plain text version of
this information in your email. Please submit your proposals to
s...@owasp.org.

The conference page will be updated regularly:
AppSecEU09: https://www.owasp.org/index.php/AppSecEU09

Please forward to all interested practitioners and colleagues.

Thank you,

Regards,

Seba

2009 EU Planning Committee Chair

s...@owasp.org

+32.478.504.117
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Fwd: CALL FOR PRESENTATIONS - OWASP AppSec Europe 2009 Poland

2009-01-03 Thread Sebastien Deleersnyder
Hi,

May 13th–14th 2009, OWASP will hold its annual European Application Security
conference in wonderful Kraków, Poland. The Conference consists of two days
of training sessions on May 11th–12th, followed by a two-day conference with
2 different tracks.

In 2008, we attracted great European and international speakers in Belgium,
and we hope to achieve the same again in 2009. This year we organise the
conference together with OWASP Poland and
Confidence 2009 (http://2009.confidence.org.pl/lang-pref/en/),
a conference in the same venue on May 15th-16th.

We are seeking presentations on any of the following topics:

   - Web Services and Application Security
   - Common Application related Threats and Risks
   - Business Risks with Application Security
   - Vulnerability Research in Application Security
   - Web Application Penetration Testing
   - OWASP Tools and Projects
   - Secure Coding Practices
   - Technology specific presentations on security such as AJAX, XML, etc.
   - Anything else relating to OWASP and Application Security.

The call for presentations is out. The official closing date for receiving a
synopsis of the presentation is February 1st, 2009, with announcements on
selected candidates to be provided the second week of February 2009.
Complete presentations will need to be submitted by the 1st of May 2009.

A call for refereed research papers will also be published in the coming
weeks. The selected papers will also be presented at the conference.

This year, as per last year, any presenter will receive a free invitation to
the conference. If required, OWASP can cover some of the travel costs
associated with coming to the conference.

Please submit your presentation topics to s...@owasp.org.

The conference page will be updated regularly:
AppSecEU09: https://www.owasp.org/index.php/AppSecEU09

Regards

Seba

2009 EU Planning Committee Chair

s...@owasp.org

+32.478.504.117


[SC-L] Invitation - OWASP AppSec Europe May 19-22 2008 - Belgium

2008-05-05 Thread Sebastien Deleersnyder

Hi,

2 weeks left for the conference!

We would like to invite you to the European OWASP Application Security
Conference! After successful OWASP Conferences in the United States (San
Jose), Europe (Milan), Asia (Taiwan) and Australia (Queensland), we are back
in Belgium: 5 tutorials and 2 conference tracks in the historic center of
Ghent on May 19-22 2008!

More details and registration on http://www.owasp.org/index.php/AppSecEU08

The conference is stuffed with top notch presentations from industry
recognized speakers and technical experts on the latest application security
risks and trends. 

Conference (May 21-22)

Keynotes
* The Great Information Security Scrap Yard Challenge (Mark Curphey)
* Software Security: State of the Practice 2008 (Gary McGraw) 

Topics
* The OWASP ESAPI project - Dave Wichers
* Trends in Web Hacking Incidents: What's hot for 2008 - Ofer Shezaf
* Evaluation Criteria for Web Application Firewalls - Ivan Ristic
* HTML5 security - Thomas Roessler
* The OWASP Orizon Project internals - Paolo Perego
* Remo presentation (Input Validation) - Christian Folini
* Best Practices Guide: Web Application Firewalls (OWASP German chapter) - 
  Alexander Meisel
* Google-Hacking and Google-Shielding - Amichai Shulman
* NTLM Relay Attacks - Eric Rachner
* PHPIDS Monitoring attack surface activity - Mario Heiderich
* Security in Agile Development - Dave Wichers
* Security framework is not in the code - Sam Reghenzi
* Exploiting Online Games - Gary McGraw
* SHIELDS: metrics, tools and Internet services to improve security in 
  application developments - Domenico Rotondi
* Graph Analysis for WebApps: From Nodes to Edges - Simon Roses Femerling
* The OWASP Education Project - Martin Knobloch
* Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking -
  Matias Madou
* Threat Modeling for Application Designers & Architects - Shay Zalalichin
* Scanstud: Evaluating static analysis tools - Martin Johns
* Office 2.0: Software as a Service, Security on the Sidelines? - John 
  Heasman
* How Data Privacy affects Applications and Databases - Dirk De Maeyer
* The OWASP Anti-Samy project - Jason Li
* Input validation: the Good, the Bad and the Ugly - Johan Peeters 

Refereed paper track
* Refereed paper track keynote 
  * Know Thyself! - Dieter Gollmann
* Refereed paper track selections:
  * SWF and the Malware Tragedy - fukami and Ben Fuhrmannek
  * Building and Stopping Next Generation XSS Worms - Arshan Dabirsiaghi
  * Detecting Security Vulnerabilities in Web Applications Using Dynamic
    Analysis with Penetration Testing - Andrew Petukhov and Dmitry Kozlov
  * The Need for Fourth Generation Static Analysis Tools for Security: From
    Bugs to Flaws - Evgeny Lebanidze
  * Preventing SQL Injections in Online Applications: Study, Recommendations
    and Java Solution Prototype Based on the SQL DOM - Etienne Janot and
    Pavol Zavarsky
  * Watch What You Write: Preventing Cross-Site Scripting by Observing
    Program Output - Matias Madou, Edward Lee, Jacob West and Brian Chess

New for AppSec Europe: there is an expo with technical vendor demos and a
Capture the Flag event!

Tutorials (May 19-20)   
* Building and Testing Secure Web Applications
* Leading the Development of Secure Applications
* Building Secure Rich Internet Applications
* Web Services and XML Security
* Open Source ModSecurity Training

OWASP Dinner (May 21)
At every conference we have an evening social event the first night. They
are always fun and allow participants to have some unstructured time to
mingle with the other attendees. This year's event will be a Flemish buffet
with special Belgian beers at the Monasterium (near the conference
location).

Cocktail Party (May 20)
In what is also becoming a tradition, there will be a cocktail party the
night before the conference begins, sponsored by Breach Security. The free
and open for all conference attendees event will be held at the Vintage Wine
Bar at 6:30pm (near the conference location). We would appreciate it if you
let us know if you are coming so we can be ready, please mail
[EMAIL PROTECTED] to confirm.

The Open Web Application Security Project (OWASP) is a worldwide free and
open community focused on improving the security of application software.
Our mission is to make application security visible, so that people and
organizations can make informed decisions about application security risks.

More details and registration on http://www.owasp.org/index.php/AppSecEU08 

Hope to see you all in May!

Conference Committee

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at'
owasp.org
2008 EU Planning Committee Chair: Sebastien Deleersnyder - Telindus - seba
'at' owasp.org 
Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' cigital.com

Capture the Flag Chair: Pieter Danhieux - Ernst & Young - pieter.danhieux
'at' be.ey.com
Refereed Papers Chair: Lieven Desmet - KU Leuven - Lieven.Desmet 'at'
cs.kuleuven.ac.be

[SC-L] Invitation - OWASP AppSec Europe May 19-22 2008 - Belgium

2008-04-07 Thread Sebastien Deleersnyder
Hi,

We would like to invite you to the European OWASP Application Security
Conference! After successful OWASP Conferences in the United States (San
Jose), Europe (Milan), Asia (Taiwan) and Australia (Queensland), we are back
in Belgium: 5 tutorials and 2 conference tracks in the historic center of
Ghent on May 19-22 2008!

The conference is stuffed with top notch presentations from industry
recognized speakers and technical experts on the latest application security
risks and trends. 

Conference (May 21-22)
Keynotes
* The Great Information Security Scrap Yard Challenge (Mark Curphey)
* Software Security: State of the Practice 2008 (Gary McGraw)

Topics
* The OWASP ESAPI project - Dave Wichers
* Trends in Web Hacking Incidents: What's hot for 2008 - Ofer Shezaf
* Evaluation Criteria for Web Application Firewalls - Ivan Ristic
* HTML5 security - Thomas Roessler
* The OWASP Orizon Project internals - Paolo Perego
* Remo presentation (Input Validation) - Christian Folini
* Best Practices Guide: Web Application Firewalls (OWASP German chapter) -
Alexander Meisel
* Google-Hacking and Google-Shielding - Amichai Shulman
* NTLM Relay Attacks - Eric Rachner
* The Law of Conservation of Bugs - Gunnar Peterson
* Security in Agile Development - Dave Wichers
* Security framework is not in the code - Sam Reghenzi
* Exploiting Online Games - Gary McGraw
* SHIELDS: metrics, tools and Internet services to improve security in
application developments - Eva Coscia
* Graph Analysis for WebApps: From Nodes to Edges - Simon Roses Femerling
* The OWASP Education Project - Martin Knobloch
* Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking -
Brian Chess
* Threat Modeling for Application Designers & Architects - Shay Zalalichin
* Scanstud: Evaluating static analysis tools - Martin Johns
* Office 2.0: Software as a Service, Security on the Sidelines? - John
Heasman
* How Data Privacy affects Applications and Databases - Dirk De Maeyer
* The OWASP Anti-Samy project - Jason Li
* Input validation: the Good, the Bad and the Ugly - Johan Peeters

Refereed paper track
* Refereed paper track keynote - Dieter Gollmann
* Refereed paper track selections

New for AppSec Europe: there is an expo with technical vendor demos and a
Capture the Flag event!

Tutorials (May 19-20)
* Building and Testing Secure Web Applications
* Leading the Development of Secure Applications
* Building Secure Rich Internet Applications
* Web Services and XML Security
* Open Source ModSecurity Training

OWASP Dinner (May 21)
At every conference we have an evening social event the first night. They
are always fun and allow participants to have some unstructured time to
mingle with the other attendees. This year's event will be a Flemish buffet
with special Belgian beers at the Monasterium (near the conference
location).

The Open Web Application Security Project (OWASP) is a worldwide free and
open community focused on improving the security of application software.
Our mission is to make application security visible, so that people and
organizations can make informed decisions about application security risks.

More details and registration on http://www.owasp.org/index.php/AppSecEU08

Hope to see you all in May!

Regards

Sebastien

Conference Committee

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at'
owasp.org
2008 EU Planning Committee Chair: Sebastien Deleersnyder - Telindus - seba
'at' owasp.org
Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' cigital.com
Capture the Flag Chair: Pieter Danhieux - Ernst & Young - pieter.danhieux
'at' be.ey.com


Refereed Papers Chair: Lieven Desmet - KU Leuven - Lieven.Desmet 'at'
cs.kuleuven.ac.be



Re: [SC-L] Secure Coding Books

2008-03-08 Thread Sebastien Deleersnyder
There is a list on 
http://www.owasp.org/index.php/Education_Module_Good_WebAppSec_Resources

I am currently reading Secure Programming with Static Analysis, which I
like.

Regards

Seba

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Jim Manico
Sent: vrijdag 7 maart 2008 16:40
To: Lawson, David L
Cc: sc-l@securecoding.org
Subject: Re: [SC-L] Secure Coding Books

How to break web software is one of the best web security coder-centric
books I have read. It's concise and useful.

Sent from my iPhone

On Mar 7, 2008, at 7:45 AM, Lawson, David L  
[EMAIL PROTECTED] wrote:

 I've read several secure coding books in the past, and was wondering if
 anyone has recommendations for secure coding books (preferably from the
 last year or two).

 Thanks,

 David Lawson


[SC-L] CALL FOR TOPICS-PAPERS - OWASP AppSec Conference Europe 2008 - May 22-23, Belgium

2008-02-11 Thread Sebastien Deleersnyder
*** CALL FOR TOPICS-PAPERS ***

OWASP AppSec Conference Europe 2008
May 22-23, 2008 - Brussels, Belgium 

http://www.owasp.org/index.php/AppSecEU08

Call for papers: Business & Technical Sessions

Following on from the great success of OWASP Conferences in 2006 and 2007 
in the United States and Europe, the conference comes back to Belgium in 
May 2008. The conference will offer an opportunity for security 
professionals, developers, and managers to hear from industry recognised 
speakers on the latest critical security risks associated with 
application security.

OWASP is seeking presentations on Application Security and related
OWASP projects from the community. Over the conference program there
are 9 technical and 9 business presentation sessions running
approximately 1 hour in length each.

TOPICS OF INTEREST

Topics of interest include, but are not limited to:
- OWASP Project Presentation (i.e Tool Updates/Project Status etc)
- Business Risk from Applications
- Privacy Concerns with Applications and Data Storage
- Baseline or Metrics for Application Security
- Web application security
- Secure application development
- Security of Service Oriented Architectures
- Threat modeling of web applications
- Vulnerability analysis of web applications (code review, pentest, 
  static analysis, scanning)
- Countermeasures for web application vulnerabilities
- Platform or language (e.g. Java, .NET) security features that help 
secure web applications
- How to use databases securely in web applications
- Access control in web applications
- Browser security
- Web services security

As there is a limited number of available presentations, please email your
proposed presentation ideas to: seba 'at' owasp.org
Simply reply to this email with your idea and a short paragraph or two
on what you propose to present on.

Closing date for presentation ideas is March 1st 2008, with
presentation material due May 1st 2008.

Visit http://www.owasp.org for more information on OWASP and the
Conferences.

Thank you,

Kind regards,

Seba

As in the previous editions, the OWASP AppSec Europe 2008 conference
will also feature a refereed papers track which focuses on academic
research. More information on 
http://www.owasp.org/index.php/OWASP_AppSec_Europe_2008_-_Belgium/CFP

ORGANIZING COMMITTEE

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at'
owasp.org

2008 EU Planning Committee Chair: Sebastien Deleersnyder - Telindus - seba
'at' owasp.org

Refereed Papers Chair: Lieven Desmet - KU Leuven - Lieven.Desmet 'at'
cs.kuleuven.ac.be 







[SC-L] challenge: 4 hour What_Developers_Should_Know_on_Web_Application_Security

2007-06-10 Thread Sebastien Deleersnyder
Hi,

I am working out a proposal on this OWASP Education track:
http://www.owasp.org/index.php/Education_Track:_What_Developers_Should_Know_on_Web_Application_Security

Assume this company that is convinced that they need to do something on web
application security. They decide to send their developers on a 4h course on
web application security. 

Limitation: the course cannot be tuned to the company risk profile or
development environment. I know this should be done, but amuse me on this
one.

What would you add as minimal topics to cover?

Thx,

Seba



Re: [SC-L] statical analysis tools: language supports...

2007-03-21 Thread Sebastien Deleersnyder
Hi,

Correction: Paros Proxy is owned and copyrighted by Chinotec Technologies
Co.
OWASP provides another useful tool: WebScarab
(http://www.owasp.org/index.php/OWASP_WebScarab_Project)

If you look for PHP security resources,
http://www.owasp.org/index.php/Category:OWASP_PHP_Project can also be of
help.

Regards,

Sebastien

Belgium OWASP Chapter Leader

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of J. M. Seitz
Sent: woensdag 21 maart 2007 17:03
To: 'Indrek Saar'; 'Secure Coding'
Subject: Re: [SC-L] statical analysis tools: language supports...

RATS will do PHP as well; there is also a plugin for Eclipse that will do
static analysis on PHP code, which is called Pixy. The next step would be to
investigate some of the tools from SPI Dynamics. A few of them are black-box,
but if you combine some black-box testing with some static analysis, and add
some fuzzing with Paros Proxy or JBrofuzz (both from OWASP), you should see
some success.

The other thing to consider is some of the settings in the .ini file;
configuration in PHP speaks volumes about security: kill register_globals,
check the magic_quotes value, etc. Be aware that calls to include() have to
be 100% correctly sanitized or you are asking for local|remote file
includes, etc. ad nauseam. Anyways, hopefully this points you in the right
direction.

JS
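
The settings and the include() warning in the message above, worked through as an added PHP example (not code from the thread or from any OWASP project); it assumes PHP 7.1 or later, a pages/ directory next to the script, and the constructed page names home, about and contact:

```php
<?php
// Added example, not from the SC-L thread. Assumes page files live under
// pages/<name>.php next to this script; the page names below are constructed.
//
// php.ini settings the message above tells you to check. The values shown
// are the hardened ones; the weak value is what older default installs had:
//   register_globals  = Off  ; weak: On -> every request parameter becomes a global
//   magic_quotes_gpc  = Off  ; weak: On -> inconsistent escaping hides real injection bugs
//   allow_url_include = Off  ; weak: On -> include("http://...") pulls in remote code
//   display_errors    = Off  ; weak: On -> leaks paths and stack traces to visitors
// register_globals and magic_quotes_gpc were removed in PHP 5.4; ini_get()
// then returns false for them and check_ini() treats that as "not enabled".

declare(strict_types=1);

// The only files include() may ever see. Nothing user-controlled reaches it.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Map a request parameter to a file path, or null if it is not allowlisted.
function resolve_page(?string $name): ?string
{
    // Shape check first: a short lowercase word only. Path fragments, URLs
    // and NUL bytes all fail here before any lookup happens.
    if ($name === null || preg_match('/^[a-z]{1,32}$/', $name) !== 1) {
        return null;
    }
    return PAGES[$name] ?? null;
}

// Report any dangerous ini setting that is still switched on at runtime.
function check_ini(): array
{
    $problems = [];
    foreach (['register_globals', 'magic_quotes_gpc', 'allow_url_include'] as $key) {
        if (filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN)) {
            $problems[] = $key . ' is On';
        }
    }
    return $problems;
}

// The unsanitized pattern the message warns about, kept only for contrast:
//   include $_GET['page'] . '.php';   // local/remote file include: path chosen by the client

function dispatch(array $query): void
{
    $file = resolve_page($query['page'] ?? null);
    if ($file === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    // $file comes from the constant table, so the include target is fixed at deploy time.
    include __DIR__ . '/' . $file;
}

if (PHP_SAPI !== 'cli') {
    $problems = check_ini();
    if ($problems !== []) {
        http_response_code(500);
        exit('Refusing to serve with unsafe php.ini: ' . implode(', ', $problems));
    }
    dispatch($_GET);
}
```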

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Indrek Saar
Sent: Wednesday, March 21, 2007 4:49 AM
To: Secure Coding
Subject: [SC-L] statical analysis tools: language supports...

Hi guys,

I have a question about source-code static analysis tools that are available
on the market now.
Are there tools that support C/C++, Java, PHP, Flash (ActionScript) all in
one?
Most of the tools support C/C++ and Java, but I have not found any that can
also handle PHP.

Do you know some? Or have some information that some tool provider has plans
to support PHP, and Flash?


Indrek Saar.
