This session provides a gentle introduction to cryptography then covers the many subtle mistakes that even experienced developers make when writing cryptographic code.

Attendees will learn about proper implementation of the Java Cryptography Extension, Java Secure Sockets Extension, and jarsigner. Special attention is given to the challenges of key management and Public Key Infrastructure. No prior knowledge of cryptography is necessary.

See the hacker's toolbox in action as various web applications are ripped open by exploiting simple software bugs. Common problems such as Cross-Site Scripting (XSS) and SQL Injection will be demonstrated and explained, along with more subtle vulnerabilities including privilege escalation, data tampering, and Cross-Site Request Forgery.

Even if you've seen XSS and SQL Injection before, advanced techniques will be presented that can slip through many protections. As a finale, the holy grail of web security will be broken with a Man-In-The-Middle attack on SSL. Although countermeasures are briefly covered, this is first and foremost a shock and awe presentation that will motivate you to secure your applications. Attendees will receive a CD with all the Hacme applications used during the presentation so you can practice your new 'skillz.'

This session examines the code that developers must write in order to enable the detection of malicious activity and preservation of evidence after a security breach.

There are only two kinds of software applications: those that have been hacked, and those that will be hacked. Since it is only a matter of time before an incident occurs, take action now to make sure you find out before the Wall Street Journal does. Key components of your strategy should include tamper-proof audit trails, appropriate log events (some might surprise you!), and regular monitoring. Because hackers know they need to cover their tracks, specific attacks against logging mechanisms are also covered.

This session is a hand-on exercise in Java code review that will cover both manual and automated techniques. If you envision code review as a line-by-line slog through thousands of programs, you will be surprised to learn some effective techniques that reduce the tedium and increase your enjoyment of this activity (well, maybe not the enjoyment part). Familiar methods such as pair programming and peer reviews are a great place to start and will immediately increase the security of your code base.

Other approaches will also be examined, ranging from the use of IDE-integrated tools to formal code review exercises and everything in between. In particular, threat modeling is presented as a means to identify sections of the code that have the highest security risks. Enforcing a code review policy is the last (and most contentious) topic that will be covered in this session.