Conference Presentations

Client-Side Attacks: The New Vulnerability

Historically, we have focused on server-side security vulnerabilities rather than their client-side counterparts. As cybercrime continues to evolve, the sophistication of client-side attacks is increasing and the severity of these vulnerabilities is growing. The advent of phishing and efforts to create botnet armies have exploded in recent years due to their profit potential. Client-side issues such as vulnerabilities in Web browsers and file corruption have become the facilitators, which make these attacks possible. Matt Fisher demonstrates examples in which client-side vulnerabilities have been leveraged for criminal gain. Matt walks through typical attack scenarios to help you better understand how these attacks succeed-and how you can combat them. He'll also peer into his crystal ball in an attempt to anticipate how such attacks will evolve in the future.

  • Vulnerabilities in Web browsers and how to combat them
Matt Fisher, Hewlett-Packard

Hackers think differently, have strange goals, and will relentlessly "test" your software for security bugs. Hugh Thompson exposes how attackers view software to find security weaknesses and explains the economics of software risk for organizations. He vividly illustrates the laws of hackernomics with real vulnerabilities and helps you think like an attacker. Hugh takes you through crafting input like an attacker would. He describes the features that attackers find most attractive and why. Learn from Hugh how to prioritize a security bug and how to explore the security implications of a functional bug. Gain a better understanding of where the biggest risks in your software might be hiding and be better armed to test for those weaknesses. Warning-there will be live exploits. Software will be harmed during this presentation!

Herbert Thompson, Peoples Security
Is Web 2.0 a Hacker's Dream?

Web 2.0 promises to make Web applications far more usable and enjoyable than we have ever imagined. We have just begun to digest the host of exciting Web 2.0 technologies such as AJAX, SOAP, RSS, and "mashups." However, are we making a big mistake by increasing the complexity of Web applications without taking new security risks into account? Will Web 2.0 usher in the next great Internet expansion or turn it into a landscape where consumers are too frightened to pull out their credit cards? Michael Sutton explains how poor coding practices in the Web 2.0 technologies can expose new Web site vulnerabilities that put your company at risk. He demonstrates case studies illustrating real world examples of Web 2.0 exploitations. Most importantly, Michael describes secure coding practices in the Web 2.0 world that will help you avoid turning these next generation Web technologies into a hacker's dream.

Michael Sutton, SPI Dynamics
Stop Spyware through Improved Software Security Practices

As organizations spend more time and money to protect their systems from security breaches, the threat landscape is shifting from widespread attacks to specifically targeted, malicious spyware invasions. Gerhard Eschelbeck presents current research on spyware and how it is different from-and potentially more deadly than-traditional computer viruses. Gerhard offers insights into the changing attack trends from automated worms to targeting users directly via email and the browser. Gerhard discusses how spyware writers take advantage of security flaws in software applications to make systems highly vulnerable targets. He reveals surprising infection data from recent spyware audits and highlights infection rates of systems from different types of spyware-monitors, trojans, adware, and cookies. Learn more about these threats, their propagation strategies, and their infection vectors.

Gerhard Eschelbeck, Webroot
Automated Software Audits for Assessing Product Readiness

Rather than continually adding more testing, whether manual or automated, how can you assess the readiness of a software product or application for release? By extracting and analyzing the wealth of information available from existing data sources-software metrics, measures of code volatility, and historical data-you can significantly improve release decisions and overall software quality. Susan Kunz shares her experiences using these measures to decide when and when not, to release software. Susan describes how to derive quality index measures for risk, maintainability, and architectural integrity through the use of automated static and dynamic code analyses. Find out how to direct limited testing resources to error-prone code and code that really matters in a system under test. Take back new tools to make your test efforts more efficient.

  • How to apply adaptive analysis to evaluate software quality
Susan Kunz, Solidware Technologies, Inc.
Testing Web Applications for Security Defects

Approximately three-fourths of today’s successful system security breaches are perpetrated not through network or operating system security flaws, but through
customer-facing Web applications. How can you ensure that your organization is protected from holes that let hackers invade your systems? Only by thoroughly testing your Web applications for security defects and vulnerabilities. Brian
English describes the three basic security testing approaches available to testers-source code analysis, manual penetration testing, and automated penetration testing. Brian also explains the key differences in these methods, the types of defects and vulnerabilities that each detects, and the advantages and disadvantages of each. Learn how to get started in security testing and how to choose the best strategy for your organization.

  • Understand the basic security vulnerabilities in Web applications
Brian Christian, SPI Dynamics Inc
Testing for the Five Most Dangerous Security Vulnerabilities

Today, secure applications are vital for every organization. Security attacks seem to come from every corner of the globe. If your applications are breached, your organization could lose millions. Currently, the biggest holes in IT security are found in applications rather than system or network software. Perimeter and network defenses are not enough to protect your organization from attacks.
Unfortunately, most development and testing teams do not have the expertise or the tools they need to properly secure their applications. Joe Basirico, an experienced software security expert, will highlight the top five security vulnerabilities that testers face today and offer practical how-to tips for testing their applications with security in mind.

  • Address security issues before the product ships
  • Understand the trade-offs among functionality, usability, and security
Joe Basirico, Security Innovation LLC
Security Testing: From Threat to Attack to Fix

Based on his years of experience in security testing, Julian Harty believes that most system stakeholders don't understand-or even recognize-the need for security testing. Perhaps they will pay an external consultant to perform an
occasional security audit, but they do not recognize the need for ongoing security testing. Julian will explain why security testing is vital, though often unappreciated. He will describe the security testing lifecycle, from threat, to attack, to fix. Julian shows how to gather information to become productive quickly if we're invited late to security testing. Julian prefers that we prevent attacks but also describes how to repair damage-to both data and reputation-if your systems are attacked. Join this session to begin security testing at your organization.

  • Examine the typical software security issues lifecycle
Julian Harty, Google, Inc.
Integrating Security into the Development Lifecycle

Software security is neither a development problem nor an IT operations problem. Rather, it is a paramount business problem requiring a multidisciplinary approach that minimizes organizational risk when delivering software products. By making a program-level commitment to security, IT organizations will be in the best position to defend their businesses from growing threats. Ryan English explores business management and the process components of defining, designing, instituting, and verifying secure development practices. He describes a broad set of principles that leading companies are adopting to improve the security of their software and outlines an application security program your company can implement. This approach requires a commitment to application security at all levels of management and offers the promise of a mature level of security without undue effect on the overall development process and delivery schedules.

Ryan English, SPI Dynamics Inc
Operational Security in Software Development

Research conducted by CERT, the computer security incident response team based at the Software Engineering Institute (SEI), indicates that writing quality coding is not enough to ensure system security. Operating platforms, supported user devices, interface designs, linkages with legacy systems, source code management, data exchange protocols, and controls for authentication data among system modules all impact operational security. Incomplete security requirements and poorly planned implementations further contribute to security risk. Using both research and a follow-up case study, Carol Woody describes the things you can do in your development and test organizations to improve operational security. She introduces an analysis technique for evaluating operational risks within the development process and offers guidelines for clearly defining testable security requirements.

Carol Woody, Software Engineering Institute


StickyMinds is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.