OWASP board member and application security superstar Jim Manico (http://www.manico.net/) will be in Perth in early May and has offered to run training and/or present at an OWASP Perth chapter meeting.

This survey is intended to gauge interest in both of these options.

Please forward this survey URL to any of your colleagues or associates that might be interested.

* 1. !!!NOTE!!!: We have reached maximum capacity for the training session. At this point we are only accepting details for the wait-list / cancellation list for this event. (Or, if we get enough numbers we may run a second training session on the Thursday).

Are you interested in going on the wait-list for a (free) half-day training session for developers on Wednesday the 8th of May 2013?

Title: Building Secure Web Applications Bootcamp
The major cause of web insecurity is poor development practices. This highly intensive 4 hour bootcamp provides essential web application security training for web application software developers and architects. The class is a combination of lecture and demonstrations. Participants will not only learn the most common threats against web applications, but more importantly they will learn how to also fix the problems and design secure web solutions via defense-based code samples and review.

Modules include:

1) HTTP Basics and Introduction to Application Security
2) Input Validation
3) SQL and other Injection
4) Access Control Design
5) XSS Defense
6) Advanced XSS Defense
7) Authentication and Session Management
9) Secure SDLC and Security Architecture
10) Crypto Basics
11) Crypto Advanced
12) Mobile Security Basics
13) Webservice Security

* 2. Are you interested in attending the OWASP Perth chapter meeting on Wednesday the 8th of May 2013 (5.30pm)?

3. If you will be attending the OWASP Perth chapter meeting...
Jim has several pre-prepared one hour presentations that he is able to deliver at the OWASP chapter meeting:

Title: Top Ten Web Defenses
We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Citigroup, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.

Title: Securing the SDLC
The earlier you address security in the engineering of software, the less expensive it will be for your organization. This talk will not only discuss the critical security activities necessary to build secure software, but it will also address the unique aspects of secure software creation specific to the various cloud architectures.

Title: Authentication Best Practices for Developers
This module will discuss the security mechanisms found within an authentication (AuthN) layer of a web application. We will review a series of historical authentication threats. We will also discuss a variety of authentication design patterns necessary to build a low-risk high-security web application. Session management threats and best practices will also be covered. This module will include several technical demonstrations and code review labs.

Title: Access Control Design Best Practices
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms. In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.
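The abstract names three anti-patterns (hard-coded policy, missing horizontal access control, "fail open") and the positive design it contrasts them with (activity based, data contextual, configurable, deny-by-default). The following is an added example, not code from the page or from the presenter's material, showing both side by side; every name in it (User, Document, fail_open_check, can_perform, POLICY) is hypothetical.

```python
# Added example: fail-open / hard-coded access control versus an
# activity-based, data-contextual, deny-by-default check.
# All types and function names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)


@dataclass
class Document:
    doc_id: str
    owner_id: str


def fail_open_check(user, activity, doc):
    """Anti-pattern: the policy is hard-coded and only 'view' is handled.
    Any other activity falls through to the final 'return True', so a user
    who may not even view a document can still delete it (fail open)."""
    if activity == "view":
        return doc.owner_id == user.user_id or "admin" in user.roles
    return True


# Positive pattern: policy lives in configuration, keyed by activity.
# Each rule sees the user AND the data object, which gives horizontal
# access control (alice's document is not bob's document) for free.
POLICY = {
    "document:view":   lambda u, d: d.owner_id == u.user_id or "admin" in u.roles,
    "document:edit":   lambda u, d: d.owner_id == u.user_id or "editor" in u.roles,
    "document:delete": lambda u, d: "admin" in u.roles,
}


def can_perform(user, activity, doc, policy=POLICY):
    """Deny-by-default, fail-closed evaluation of an activity-based policy."""
    rule = policy.get(activity)
    if rule is None:
        return False            # unknown activity: deny, never allow
    try:
        return bool(rule(user, doc))
    except Exception:
        return False            # a broken rule must fail closed, not open


if __name__ == "__main__":
    alice = User("alice")
    bob = User("bob", {"admin"})
    doc = Document("d1", owner_id="alice")
    print("fail-open lets alice delete:", fail_open_check(alice, "delete", doc))
    print("deny-by-default lets alice delete:", can_perform(alice, "document:delete", doc))
    print("admin may delete:", can_perform(bob, "document:delete", doc))
```

The point of the `policy` parameter is that the rules can be loaded from configuration rather than edited into code, and the `try/except` ensures that a rule raising on unexpected data (for example a missing attribute) is treated as a denial.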

Title: Cross Site Scripting Advanced Defense
This talk will discuss the past methods used for cross-site scripting (XSS) defense that were only partially effective. Learning from these lessons, we will also discuss present day defensive methodologies that are effective, but place an undue burden on the developer. We will then finish with a discussion of advanced XSS defense methodologies that shift the burden of XSS defense from the developer to various frameworks. These include auto-escaping template technologies, browser-based defenses such as Content Security Policy, and other Javascript sandboxes such as the Google CAJA project.
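The abstract contrasts per-value escaping that "places an undue burden on the developer" with auto-escaping templates and a Content Security Policy. As an added illustration (not code from the page or the presenter), the block below implements a minimal template renderer that escapes every substitution unless a value is explicitly marked safe, alongside the manual approach it replaces, and the response header that a CSP adds; the template syntax, the `Markup` class and the header value are assumptions of this example, not any particular framework's API.

```python
# Added example: manual escaping versus an auto-escaping template, plus a
# Content-Security-Policy header. Template syntax and names are hypothetical.
import html
import re


class Markup(str):
    """A string the developer has deliberately marked as safe HTML.
    Everything that is not Markup is escaped by render()."""


def manual_render(template, context):
    """Older approach: values are inserted verbatim and the developer must
    remember to call html.escape() on each one before passing it in."""
    out = template
    for name, value in context.items():
        out = out.replace("{{" + name + "}}", str(value))
    return out


def render(template, context):
    """Auto-escaping approach: every {{name}} is escaped (including quotes,
    so attribute contexts are covered) unless the value is Markup."""
    def substitute(match):
        value = context[match.group(1)]
        if isinstance(value, Markup):
            return str(value)
        return html.escape(str(value), quote=True)
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", substitute, template)


# Browser-side defense: a restrictive CSP so that even an injected inline
# script would not execute. Constructed value, adjust per application.
CSP_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def response_headers():
    """Headers to attach to every HTML response."""
    return {"Content-Security-Policy": CSP_VALUE,
            "Content-Type": "text/html; charset=utf-8"}


if __name__ == "__main__":
    untrusted = "<script>alert(1)</script>"     # constructed test input
    print(manual_render("<p>{{name}}</p>", {"name": untrusted}))
    print(render("<p>{{name}}</p>", {"name": untrusted}))
    print(response_headers())
```

With auto-escaping the default is safe and the developer opts out explicitly with `Markup`, which is the burden shift the abstract describes; the CSP header is the second, independent layer for the cases where server-side escaping is missed.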

Title: Build Web Application Security Controls into Legal Contracts
Quick Abstract: The earlier security is addressed in the engineering of software, the less expensive it will be for your organization. This talk will discuss several critical web application security-centric programming techniques necessary to build low-risk web-based applications. It will also describe strategic ways to add prescriptive security control language to software procurement or outsourcing contracts, to encourage even third party developers to build secure code.
Abstract: Every large organization is building web application software in some way, normally at great expense. It is a significant organizational and technical challenge simply to complete complex

Please provide your contact details below, so that we can keep you updated on these events.

* 4. Your name:

* 5. Your email address:

If you have any questions on these events (or have a venue that we could use for either), please contact David Taylor (david.taylor@asteriskinfosec.com.au) or Christian Frichot (christian.frichot@asteriskinfosec.com.au).