
Friday
August 7, 2008



Policy / Compliance / Solutions

9:00 - 10:30

Application Security in the Real World
Joey Peloquin (HP)

This talk, given by a former “IT Security Guy” with a major US retailer, tells the story of the state of application security today, and how the things you’re dealing with every day in your enterprises rarely sync up with what vendors are trying to sell you. Regulations will also be discussed, though most of the time will be spent on the Payment Card Industry (PCI) Data Security Standard (DSS), which affects application security far more than any other.

Next, you’ll learn about the “security guy’s” attempt at creating an application security program for his enterprise. How it started, how it began to blossom, and how it crashed and burned without executive sponsorship and other support from management. Then you’ll hear how this was somewhat overcome – a framework was created, goals were set, policies written, and relationships forged. Now the enterprise has a version of an application security program, but it’s far from perfect. Learn from his (and his former employer’s) mistakes and succeed with your program!

Finally, the paper will offer practical suggestions on implementing an enterprise application security program. This will primarily be demonstrated through the three P’s – policy, process, and people (and technology). Each of these essential elements will be covered in depth, and at the conclusion, the author sincerely believes you’ll walk away with a high level view of the knowledge you need to succeed. You’ll also know you’re not alone, and help is out there!

10:45 - 12:15

Practical Compliance
Francis Brown (Stach & Liu)

Practical Compliance: Translating from requirement to the real world – take an in-depth look at the established and emerging regulations that affect your industry and understand how they affect your application security program. Coverage includes PCI, GLBA, SOX, HIPAA, and more.

1:30 - 3:00

oWASC Meeting
oWASC / WASC Update Meeting

3:15 - 4:45

Microsoft Security Development Lifecycle (SDL)
Bryan Sullivan

The Microsoft Security Development Lifecycle (SDL) has been instrumental in reducing the number and severity of security vulnerabilities in Microsoft products. This session is a deep-dive into the SDL process, giving a detailed and technical description of each SDL requirement and the security benefits that each requirement provides. We will also be giving some practical tips on the best ways to start using the SDL within your organization. Finally, we will take a look at some of the future directions the SDL will be taking.

Penetration Testing

9:00 - 10:30

Subject
name

Abstract

10:45 - 12:15

Hacker Attacks on the Horizon: Understanding the Top Web 2.0 Attack Vectors
Danny Allan (IBM)

As more traditional sites adopt Web 2.0 technologies including AJAX, Web Services, SOA and PHP to perform online transactions, one thing is certain: these new technologies bring security issues, and ignoring them could lead to serious breaches.

Danny will demonstrate and discuss the most common Web 2.0 attack vectors, analyze the specific security issues of AJAX, cross-site request forgery (CSRF) and cross-site scripting, and explain techniques for exploiting and protecting web services and AJAX, including secure coding practices and how to properly secure web applications.

1:30 - 3:00

oWASC Meeting
oWASC / WASC Update Meeting

3:15 - 4:45

The Big Picture: Web Risks and Assessments Beyond Automated Scanning
Matt Fisher

...coming soon...

Vendor Track

9:00 - 10:30

Subject
name

Abstract

10:45 - 12:15

Subject
Name

Abstract

1:30 - 3:00

oWASC Meeting
oWASC / WASC Update Meeting

3:15 - 4:45

Subject
Name

Abstract