Conference Presentations

Oh, WASP! Security Essentials for Web Apps

The past few years have seen a rapid increase in business efficiency through Web-based applications. Unfortunately, a dramatic increase in the number of web application vulnerabilities has followed. Insecure web applications can be disastrous for mission critical businesses and users'...

Benny Paul, Cognizant Technology Solutions
Software Security Goes Mobile

Erik Costlow says that, as more and more business is transacted on mobile platforms, securing the applications and data that run on them is a business imperative. Developers and their managers are asked to make key decisions regarding data caching, authorized permissions, authentication...

Erik Costlow, HP Enterprise Security
Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In

With the rising adoption of the cloud and the mobile revolution, software security is more important and complex than ever. The efforts of developers and testers are frequently disconnected, wasting time and reducing effectiveness. Arthur Hicken describes how hybrid security analysis...

Arthur Hicken, Parasoft
Better Security Testing: Using the Cloud and Continuous Delivery

Even though many organizations claim that security is a priority, that claim doesn’t always translate into supporting security initiatives in software development or test. Security code reviews often are overlooked or avoided, and when development schedules fall behind, security testing...

Gene Gotimer, Coveros, Inc.
T23 HTML5 Security Testing at Spotify

HTML5 is one of the hottest technologies around right now because HTML5 apps are beautiful, engaging, and can perform important and entertaining functions. With the wide range of devices and platforms to support, the promise of multi-platform support is appealing. 

Alexander Andelkovic, Spotify
Protection Poker: An Agile Security Game

Each time a new feature is added to a product, developers need to consider the security risk implications, find ways to securely implement the function, and develop tests to confirm that the risk is gone or significantly lowered. Laurie Williams shares a Wideband Delphi practice called Protection Poker she's employed as a collaborative, interactive, and informal agile structure for "misuse case" development and threat modeling. Laurie shares the case study results of a software development team at RedHat that used Protection Poker to identify security risks, find ways to mitigate those risks, and increase security knowledge throughout the team. In this session, Laurie leads an interactive Protection Poker exercise in which you and other participants analyze the security risk of sample new features and learn to collaboratively think like an attacker.

Laurie Williams, North Carolina State University
Information Obfuscation: Protecting Corporate Data

With corporate data breaches occurring at an ever-alarming rate, all levels of organizations are struggling with ways to protect corporate data assets. Rather than choosing one or two of the many options available, Michael Jay Freer believes that the best approach is a combination of tools and practices to address the specific threats. To get you started, Michael Jay introduces the myriad of information security tools companies are using today: firewalls, virus controls, access and authentication controls, separation of duties, multi-factor authentication, data masking, banning user-developed MS-Access databases, encrypting data (both in-flight and at-rest), encrypting emails and folders, disabling jump drives, limiting web access, and more. Then, he dives deeper into data masking and describes a powerful data-masking language.

Michael Jay Freer, Quality Business Intelligence
Danger! Danger! Your Mobile Applications Are Not Secure

A new breed of mobile devices with sophisticated processors and ample storage has given rise to sophisticated applications that move more and more data and business logic to devices. The result is significant and potentially dangerous security challenges, especially for location-aware mobile applications and those storing sensitive or valuable data on devices. To counter these risks, Johannes Ullrich introduces and demonstrates design strategies you can use to mitigate these risks and make applications safer and less vulnerable. Johannes illustrates design patterns to: co-validate data on both the client and server; authenticate transactions on the server; and store only authenticated and access-controlled data on the client. Learn to apply these solutions without losing access to powerful HTML5 JavaScript APIs such as those required for location-based mobile applications.

Johannes Ullrich, SANS Technology Institute
Penetration Testing Demystified

Penetration testing is a method of evaluating the security of a system by maliciously attacking it and analyzing its possible weaknesses. Penetration testing uses a suite of tests, generally performed in a gray-box fashion, to attack the system as real attackers would-approaching the system with attacker eyes, knowledge, skills, and tools. Edward Bonver explains why and how penetration testing should be done on any mission-critical system as part of a comprehensive security testing strategy. He describes the factors that influence the success of penetration testing include testing environment readiness, technical information, and the availability of the product teams’ key contacts. You’ll learn the details behind penetration testing, common approaches, testing options, and best practices.

Edward Bonver, Symantec Corporation
Security Testing: Thinking Like an Attacker

Compared to traditional functional testing, security testing requires testers to develop the mindset of real attackers and pro-actively look for security vulnerabilities throughout the software development lifecycle. Using live demos, Frank Kim shows you how to think-and act-like a hacker. Rather than just talking about issues such as Cross Site Scripting (XSS), SQL Injection, and Cross Site Request Forgery (CSRF), Frank shows-live and in color-how hackers abuse potentially devastating defects by finding and exploiting vulnerabilities in a live web application. Find out how attackers approach the problem of gaining unauthorized access to systems. Discover the tools hackers have that you don't even know exist and how you can find critical security defects in your production apps. In this revealing session, you'll learn how to become a better tester and find serious security vulnerabilities in your systems before the bad guys do.

Frank Kim, ThinkSec


StickyMinds is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.