OWASP Bay Area Summit - June, 2008

Greetings Security Professionals,

OWASP Bay Area will host its half day Application Security Summit at the Microsoft Facility in Mountain View on Wednesday, June 25th. As usual attendance is free and food and beverages will be provided. We have some excellent speakers lined up for this and it should be an event not to be missed. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.

WHAT: OWASP Bay Area Chapter - Application Security Summit
WHEN: Wednesday, June 25th, 2008 - 2:00 PM to 7:00 PM
WHERE: Microsoft Building, Mountain View

Agenda and Presentations:

1:30 PM - 2:00 PM - Check-in and registration
2:00 PM - 2:10 PM - Overview of the OWASP Bay Area Chapter - Mandeep Khera, Bay Area Chapter Leader
2:10 PM - 2:55 PM - Consumerization of enterprises: a security conundrum - Dr. Chenxi Wang, Principal Analyst, Forrester Group
2:55 PM - 3:40 PM - Cross-Site Request Forgery - New Attacks and Defenses - Collin Jackson, Ph.D. student, Stanford University
3:40 PM - 4:00 PM - Networking Break
4:00 PM - 4:45 PM - Google Gadget Security - Tom Stracener
4:45 PM - 5:30 PM - How Cybercriminals Steal Money - Neil Daswani, Google

5:30 PM - 7:00 PM - Networking Reception - Drinks and Food

1065 La Avenida St.,
Mountain View, CA 94043
Conference Room - Galileo


Please RSVP by responding to this email or visit http://owaspbajune2008.eventbrite.com

Special thanks to Microsoft for hosting this event and to Cenzic, AppSec Consulting, Rapid7, and Imperva for sponsoring.

Best regards,
Mandeep Khera


Detailed abstracts and bios
Presenter: Dr. Chenxi Wang, Principal Analyst, Forrester Group
Consumerization of enterprises: a security conundrum
Dr. Chenxi Wang is a principal analyst with Forrester. She leads Forrester's research in areas including content security, application security, threats and vulnerability management, and software security. Chenxi brings to Forrester years of sophisticated research experience; her previous experience includes a five-year stint as an associate research professor at Carnegie Mellon University, where she published many research papers on network security and distributed systems.

Previously, Chenxi served as the chief scientist for KSR, a managed security service startup in the San Francisco bay area. Chenxi also serves as an investigative forensics expert for the Federal Trade Commission. She is the recipient of a Critical Infrastructure Protection Fellowship from the Army Research Office and the Samuel Alexander Fellowship of ACM for outstanding Ph.D. thesis research.

Presenter: Collin Jackson, Ph.D. Student, Stanford University
Cross-Site Request Forgery - New Attacks and Defenses
Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability, but none of the three major CSRF defenses are satisfactory and many web sites neglect to prevent login CSRF. In a login CSRF attack, an attacker uses the victim's browser to forge a cross-site request to the honest site's login URL, supplying the attacker's user name and password. This forged request can disrupt the integrity of the session and enable theft of confidential information.

Although the HTTP Referer header could be used as an effective general CSRF defense, our experiments indicate that the header is widely blocked at the network layer due to privacy concerns. Our experimental data shows, however, that the header can be used today as a reliable CSRF defense over HTTPS, which is ideal for login CSRF prevention. For the long term, we propose the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns. Additionally, we show that a network attacker can often disrupt session integrity even when the site deploys CSRF defenses, and propose additional defenses against these identity-misbinding attacks.
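The server-side check the abstract describes, as an added illustration (this is not Collin Jackson's code and not taken from the talk): a state-changing request such as a POST to the login URL is allowed only if its Origin header, or failing that the origin of its Referer header, exactly matches the site's own origin. The abstract's observation that Referer is reliably present over HTTPS but often stripped over plain HTTP is turned into policy here: a missing header over HTTPS is rejected outright, while over HTTP the check falls back to a session-bound secret token. The site origin `https://bank.example`, the sample requests, and the token fallback are constructed assumptions for the example.

```python
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # constructed example origin, not a real site


def origin_of(url):
    """Reduce an absolute URL (an Origin or Referer value) to scheme://host[:port].

    Returns None for values with no usable origin, including the literal "null"
    that browsers send when they deliberately withhold the origin.
    """
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())


def check_csrf(headers, over_https, form_token=None, session_token=None,
               site_origin=SITE_ORIGIN):
    """Decide whether a state-changing request (e.g. POST to the login URL)
    may proceed. Returns (allowed, reason).

    Policy, following the abstract's findings:
      1. Origin header present  -> its value must equal our origin.
      2. Else Referer present   -> the origin part of the Referer must equal ours.
      3. Else over HTTPS        -> reject; the header is rarely stripped over
                                   HTTPS, so its absence is anomalous.
      4. Else over plain HTTP   -> Referer is widely stripped by proxies, so
                                   fall back to a secret token bound to the session
                                   (assumed to be stored server-side per session).
    The comparison is an exact match on the whole origin, so look-alike hosts
    such as bank.example.attacker.example or bank.example@attacker.example fail.
    """
    h = {k.lower(): v for k, v in headers.items()}

    if "origin" in h:
        ok = origin_of(h["origin"]) == site_origin
        return ok, "origin header %s" % ("matches" if ok else "mismatch")

    if "referer" in h:
        ok = origin_of(h["referer"]) == site_origin
        return ok, "referer header %s" % ("matches" if ok else "mismatch")

    if over_https:
        return False, "no Origin/Referer on an HTTPS request"

    # HTTP fallback: constant-time compare of the form token with the session token.
    if form_token and session_token and hmac.compare_digest(form_token, session_token):
        return True, "no Origin/Referer over HTTP, session token accepted"
    return False, "no Origin/Referer over HTTP and no valid session token"


if __name__ == "__main__":
    # Constructed sample requests; the last field is the session token on file.
    samples = [
        ("same-site form post", {"Origin": "https://bank.example"}, True, None, None),
        ("cross-site login post", {"Origin": "http://attacker.example"}, True, None, None),
        ("privacy-sensitive null origin", {"Origin": "null"}, True, None, None),
        ("old browser, Referer only", {"Referer": "https://bank.example/login?next=/"}, True, None, None),
        ("look-alike host", {"Referer": "https://bank.example.attacker.example/"}, True, None, None),
        ("stripped headers over HTTPS", {}, True, None, None),
        ("stripped headers over HTTP, good token", {}, False, "t0k3n", "t0k3n"),
        ("stripped headers over HTTP, bad token", {}, False, "t0k3n", "other"),
    ]
    for name, headers, https, ftok, stok in samples:
        allowed, reason = check_csrf(headers, https, ftok, stok)
        print("%-40s %s (%s)" % (name, "ALLOW" if allowed else "REJECT", reason))
```

The token fallback is the part the abstract leaves to the site: a Referer-only policy would lock out every HTTP user behind a stripping proxy, while a token-only policy does nothing against the identity-misbinding attacks the abstract mentions, so the two are layered rather than substituted.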

Bio: Collin Jackson is a fourth-year Ph.D. student in Computer Science at Stanford University. His research focuses on browser vulnerabilities, web authentication, mashups, and web application security.

Presenter: Tom Stracener, Sr. Security Analyst, Cenzic
Google Gadget Security
Google Gadgets are HTML and JavaScript applications that can be embedded in other web applications or on the user's desktop (provided they are using Google Desktop). Gadget code is highly portable and can run on multiple sites or applications with few changes to the underlying code. This talk will focus on gadget security, an area where the current implementation is deeply flawed. We will examine Rsnake's XSS vulnerability in Google gadgets, consider possible attack scenarios, and also look at the reasons why Google chose not to fix this vulnerability. We take a critical look at the ways attackers can exploit the current Gadget implementation when performing attacks. This talk will provide the audience with background information for the upcoming Blackhat 2008 session "Xploiting Google Gadgets: Gmalware and Beyond" by Robert Hansen and Tom Stracener.

Bio: Tom is the Senior Security Analyst for Cenzic’s CIA Labs. Mr. Stracener was one of the founding members of nCircle Network Security. While at nCircle he served as the head of vulnerability research from 1999 to 2001, developing one of the industry’s first quantitative vulnerability scoring systems, and co-inventing several patented technologies. Mr. Stracener is an experienced security consultant, penetration tester, and vulnerability researcher. One of his patents, “Interoperability of vulnerability and intrusion detection systems,” was granted by the USPTO in October 2005. Tom has spoken at various conferences including New York Security Conference, ISSA, OWASP, Defcon, and others.

Presenter: Neil Daswani, Google
How Cybercriminals Steal Money
This talk discusses how we can prevent cybercrime due to the most significant emerging application security vulnerabilities. Such vulnerabilities are used to commit various types of wide-scale fraud, and attacks based on them steal money right out of people's bank accounts, capture tens of millions of credit card numbers, and aid in the construction of next-generation botnets.

In the talk, I will present some industry-wide statistics on software security vulnerabilities reported to various databases, and emerging trends in the field of software security. This talk will then:

* review how attacks such as XSRF (Cross-Site Request Forgery), XSSI (Cross-Site Script Inclusion), and SQL Injection work,
* discuss their impact on Web 2.0, AJAX, mashup, and social networking applications,
* outline how to defend against them, and
* describe how to modify a software development process to achieve security.

Finally, the talk will discuss the current state of security education, and provide pointers to certification programs, books, and organizations where you and your colleagues can learn more.

Bio: Neil Daswani has served in a variety of research, development, teaching, and managerial roles at Google, Stanford University, DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies). While at Stanford, Neil co-founded the Stanford Center Professional Development (SCPD) Security Certification Program (http://proed.stanford.edu/?security). His areas of expertise include security, wireless data technology, and peer-to-peer systems. He has published extensively in these areas, frequently gives talks at industry and academic conferences, and has been granted several U.S. patents. He received a Ph.D. and a master's in computer science from Stanford University, and earned a bachelor's in computer science with honors with distinction from Columbia University. Neil is also the lead author of "Foundations of Security: What Every Programmer Needs To Know" (published by Apress; ISBN 1590597842; http://tinyurl.com/33xs6g).

More information about Neil is available at http://www.neildaswani.com/

