
Saturday, August 8, 2008



Policy / Compliance / Solutions

9:00 - 10:30

Subject
Name

Abstract

10:45 - 12:15

Subject
Name

Abstract

1:30 - 3:00

Application Security in the Real World
Joey Peloquin

Lessons learned while implementing PCI at a major US retailer.

3:15 - 4:45

Web intrusion detection and ModSecurity
Ivan Ristic
Intrusion detection is a well-known network security technique: it introduces monitoring and correlation devices into networks, enabling administrators to monitor events and detect attacks and anomalies in real time. Web intrusion detection does the same at the HTTP level, making it suitable for dealing with security issues in web applications. This session will start with an overview of web intrusion detection and web application firewalls, discussing where they belong in the overall protection strategy. The second part of the talk will discuss ModSecurity and its capabilities. ModSecurity is an open source web application firewall that can be deployed either embedded (in the Apache HTTP server) or as a network gateway (as part of an Apache reverse proxy). Now in its sixth year of development, ModSecurity is mature, robust and flexible. Due to its popularity and wide usage it is now positioned as the de facto standard in the web intrusion detection space.

Penetration Testing

9:00 - 10:30

Framework-induced Vulnerabilities in J2EE
Ryan Berg

In the J2EE world, it is common practice for enterprise applications to use multiple frameworks to implement key components of their web applications. The problem is that there is very little visibility into the internal behavior of these frameworks and their security implications. This talk will focus on the risk created by the improper use of J2EE frameworks, and on how to most effectively monitor and reduce that risk throughout the development lifecycle. Several case studies will be presented of real-world vulnerabilities in enterprise applications (i.e. past and current 0-days) created by improper use of these widely used frameworks.

10:45 - 12:15

Subject
Name

Abstract

1:30 - 3:00

Real-world Code Review
Vincent Liu

Using the right tools in the right place at the right time: a thorough and objective review of the benefits, shortcomings, and trade-offs of static code analysis tools, black box application scanners, and expert analysis. This session is a must-see for anyone involved with the security review of source code, from management to developers.

3:15 - 4:45

Subject
Name

Abstract

Vendor Track

9:00 - 10:30

Subject
Name

Abstract

10:45 - 12:15

Why YOU (Attendee) Need to Stop Laughing and Start Using Static Source Code Analyzers
Dinis Cruz

Historically, static code analyzers have been used by security consultants without (significant) web application security experience. This was caused by some initial limitations of static code analyzer technology; by the tools' cost; and by a "Hey, I'm still finding vulnerabilities everywhere without them!" attitude among the knowledgeable web application security consultants. But as applications get more complex and clients want more assurance from their security evaluation investments, it is time for the web application security community to embrace the power that can be provided by source code security analyzers. This talk is not a 'Marketing BS' presentation! The objective is to show how the best of both worlds is the 'human + tool' combination and how, by going under the hood, enormous power can be harvested from static code analyzers.

1:30 - 3:00

Subject
Name

Abstract

3:15 - 4:45

Subject
Name

Abstract