Speakers
- Dan Allen
- Aaron Bedra
- Tim Berglund
- Rohit Bhardwaj
- David Bock
- Stevie Borne
- Jeff Brown
- James Carr
- Scott Davis
- Jeremy Deane
- Keith Donald
- Michael Easter
- Robert Fischer
- Neal Ford
- Brian Gilstrap
- Andrew Glover
- Brian Goetz
- Stuart Halloway
- David Hussman
- Mark Johnson
- Dave Klein
- Scott Leberknight
- Tiffany Lentz
- Howard Lewis Ship
- Chris Maki
- Matthew McCullough
- Alex Miller
- Ted Neward
- Michael Nygard
- Pratik Patel
- Mark Richards
- Brian Sam-Bodden
- Srivaths Sankaran
- Nathaniel Schutta
- Aleksandar Seovic
- Ken Sipe
- Brian Sletten
- Matt Stine
- Venkat Subramaniam
- Burr Sutter
- Vladimir Vivien
- Mark Volkmann
- Craig Walls
- Richard Worth
Roman Hustad
Software Security Consultant at Foundstone
Presentations
Web Application Hacking
See the hacker's toolbox in action as various web applications are ripped open by exploiting simple software bugs. Common problems such as Cross-Site Scripting (XSS) and SQL Injection will be demonstrated and explained, along with more subtle vulnerabilities including privilege escalation, data tampering, and Cross-Site Request Forgery.
Even if you've seen XSS and SQL Injection before, advanced techniques will be presented that can slip through many protections. As a finale, the holy grail of web security will be broken with a Man-In-The-Middle attack on SSL. Although countermeasures are briefly covered, this is first and foremost a shock and awe presentation that will motivate you to secure your applications. Attendees will receive a CD with all the Hacme applications used during the presentation so you can practice your new 'skillz.'
What You Don't Know About Cryptography
This session provides a gentle introduction to cryptography then covers the many subtle mistakes that even experienced developers make when writing cryptographic code.
Attendees will learn about proper implementation of the Java Cryptography Extension, Java Secure Sockets Extension, and jarsigner. Special attention is given to the challenges of key management and Public Key Infrastructure. No prior knowledge of cryptography is necessary.
How to Catch Hackers: Security Auditing and Logging
This session examines the code that developers must write in order to enable the detection of malicious activity and preservation of evidence after a security breach.
There are only two kinds of software applications: those that have been hacked, and those that will be hacked. Since it is only a matter of time before an incident occurs, take action now to make sure you find out before the Wall Street Journal does. Key components of your strategy should include tamper-proof audit trails, appropriate log events (some might surprise you!), and regular monitoring. Because hackers know they need to cover their tracks, specific attacks against logging mechanisms are also covered.
Application Security Part 1: Stop the Bleeding
This session is geared for those who are ready to take the first steps towards securing their applications with minimal cost and effort. Most development teams know that they have not given security the attention it deserves, but also don't know where to begin. Should you run a scanning tool, go to security training, or just bury your head in the sand and pretend everything is OK?
A few simple activities are introduced that will pay big dividends for the security of your applications. One size does NOT fit all, and this session will enable you to spend your time and money where it will make the most difference. Peripheral issues are also addressed, such as obtaining management support and working with your IT security department.
Application Security Part 2: Building a Software Security Program
This session provides a comprehensive, flexible plan for baking security into the software development lifecycle. First off, we will talk about why you would want to do such a thing and how to get support for it. Then the discussion will turn to the practical aspects of planning and implementing a secure SDLC, covering all aspects of people, process, and technology.
Last and probably most important, we present ideas to help you avoid having your shiny new program ignored by the development team. If you are serious about producing secure software, this talk is for you.
How to Do a Security Code Review
This session is a hand-on exercise in Java code review that will cover both manual and automated techniques. If you envision code review as a line-by-line slog through thousands of programs, you will be surprised to learn some effective techniques that reduce the tedium and increase your enjoyment of this activity (well, maybe not the enjoyment part). Familiar methods such as pair programming and peer reviews are a great place to start and will immediately increase the security of your code base.
Other approaches will also be examined, ranging from the use of IDE-integrated tools to formal code review exercises and everything in between. In particular, threat modeling is presented as a means to identify sections of the code that have the highest security risks. Enforcing a code review policy is the last (and most contentious) topic that will be covered in this session.