OWASP AppSec India – Keynote and Training

My keynote address on “Application Security Trends and Challenges” and the training session on “Advanced Threat Modeling” went well, and a few friends have posted some comments about their experience.

Check it out.
http://armorize-cht.blogspot.com/2008/09/owasp-appsec_22.html
http://projectbee.org/blog/archive/owasp-appsec-conf-delhi-day-2-and-more/
http://projectbee.org/blog/archive/owasp-appsec-conf-delhi-day-1/

The Road Less Traveled – Software Security from Shakespeare, Jungle Book and Nature …

What do you think Shakespeare had to say about Software Security? What does a naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bare Necessities of security)? What does African wildlife have to do with Security Concepts? What does pH have to do with Security? And more …

The Road Less Travelled by the renowned poet Robert Frost ends with the line “And that has made all the difference”. Come and find out the answers to the questions above, and see what it takes to look at Security from a different perspective, one that would make ALL the difference. The session will cover not only the higher level abstractions of security concepts, but will dive deep wherever applicable into concepts and code, making it a MUST attend for Development, QA, PM and Management Staff on both the IT and Business side.

At the Austin Open Web Application Security Project (OWASP) session on April 29th, 2008, I gave the following presentation, which you can download by clicking on the link below.

Security Management (Managing Elephants)?
Sleep Swimming (Vigilant Software)

Software Security – The Road Less Traveled

SD3LC – Secure By Design, Development & Deployment @ TRISC

In the current day and age, the chief drivers for software development projects are meeting business requirements and deadlines. Security is generally an afterthought for software development projects. Incorporating security from inception is more cost-effective. This session will address the various security controls and activities associated with each phase of the software development lifecycle (SDLC). The controls and activities include, but are not limited to, modeling use/abuse cases, threat modeling, security code review and security testing.

I presented at the Texas Regional Infrastructure Security Conference (TRISC) on SD3LC – Secure By Design, Development and Deployment. You can download the presentation by clicking on the link below.

Integral – As part of the SDLC
SD3LC – Secure by Design, Development and Deployment

TRISC was held in San Antonio, Texas from April 21-23, 2008. The keynote session by Mary Ann Davidson (Oracle CSO) and Dan Korem’s workshop session on the Art of Profiling (from Rage of the Random Actor) were excellent. Getting to meet Woody (Elwood G. Norris), master inventor and technologist with 47 U.S. Patents and 100 others pending, was an honor. Another highlight of the event was meeting DefCon’s ‘Deviant’ Ollam, who ran a training on Lockpicking (Physical Security) through The Open Organisation Of Lockpickers (TOOOL), and learning how to pick a padlock using an aluminium can.

Robert Hansen’s (RSnake) talk on “Why I don’t use Web App Scanners, all the time” was excellent, and Doug Landoll’s case study on “Why Technology has Failed to Solve Security Problems” was rife with real world examples and extremely relatable. There were other great sessions by DenimGroup and Whitehat Security, and all of the sessions I could attend were informative and useful. In addition to the conference, it was Fiesta week, honoring the memory of the heroes of the Alamo and the Battle of San Jacinto, so the city was extremely festive, and my family and I had a fantastic time in the city, especially the River Walk.

Two Application Security Catalysts – SQL Injection & Cross-site Scripting (XSS) @ Burton Group Catalyst EU 2007

The Burton Group Catalyst Europe conference held in Barcelona from Oct 22-25, 2007 was a blast. The conference sessions were informative and very educational, as always. You will need a Burton Group login to access the conference postings. In addition to the conference, the city of Barcelona is so beautiful that my family and I thoroughly enjoyed every minute there.

I presented “Stopping SQL Injection and Crossing over Cross-Site Scripting”, demonstrating the attacks and discussing the control measures. You can download the presentation by clicking on the link below.

Defenses against SQL Injection and Cross-site Scripting (XSS)

Stopping SQL Injection and Crossing over Cross-site Scripting (XSS) – Catalyst EU Presentation By Mano Paul

Session Abstract:
Two of the most prevalent application attacks in this day and age are SQL Injection and Cross-Site Scripting (XSS). Perimeter defense devices such as intrusion detection systems (IDS) and firewalls offer no protection against such attacks. The risks of sensitive information theft, alteration and insertion of data, along with other effects such as URL redirection, website defacement and authentication theft, are high and will be demonstrated. This session will demonstrate the effects of SQL Injection and XSS attacks and provide insight into the control measures needed to successfully mitigate the risk of such attacks. It will also provide insight into the different process control measures that are necessary across the systems development life cycle to harden the code from within, so that such susceptibilities are addressed. Session takeaways include a complete understanding of the anatomy of SQL Injection and XSS attacks, their effects when exploited, and the mitigation control measures to stop SQL Injection and cross over XSS.
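The two code-level control measures the abstract refers to, shown side by side with the weak form they replace, as an added example that is not part of the original post or the presentation: a parameterized query instead of string concatenation for SQL Injection, and contextual output encoding for XSS. The in-memory SQLite user table and the sample inputs are constructed for the illustration.

```python
import html
import sqlite3

# Constructed sample database: an in-memory SQLite table standing in for an
# application's user store (assumption; not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_concat(conn, name):
    # Weak form: the user-supplied value becomes part of the SQL text, so the
    # database parser sees any quotes or operators it contains as SQL syntax.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    # Hardened form: the query structure is fixed before any input is seen and
    # the value is bound as a parameter, so it is only ever treated as data.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def render_greeting(name):
    # XSS control: encode untrusted data for the HTML body context before
    # emitting it, so markup characters are displayed rather than interpreted.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"           # constructed input containing a quote
    print(lookup_concat(db, probe))  # every user: the WHERE clause was altered
    print(lookup_param(db, probe))   # []: no user has that literal name
    print(render_greeting("<script>alert(1)</script>"))
```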

(ISC)2 Official CISSP Practice Exams and (ISC)2 Official SSCP Practice Exams

(ISC)² is dedicated to creating new value-added services for its prospective and more than 50,000 current members worldwide. One of the most exciting of these is studISCope, our online self-assessment tool that helps candidates assess their knowledge of the CISSP or SSCP CBK®. Together with our partner, Express Certifications – a company renowned for developing innovative testing and training techniques – (ISC)² can now maximize your learning experience and focus your study efforts more precisely along whichever information security career path you choose.


WANTED – Sponsors, Speakers and Volunteers for the Austin Chapter

The Austin Chapter of the ISM-Community is looking for the following:

  1. Hosts / Sponsors: companies to host and sponsor upcoming events
  2. Speakers to present at these ISM-Community hosted events
  3. Volunteers to assist in the various ISM-Community projects and activities

We are currently compiling the event calendar for this year. If interested, please contact Mano Paul.

Note: ISM-Community requires that all events that are conducted are vendor-neutral.

Upcoming InfoSec World Events

Check out some of the upcoming InfoSec events around the world that are published on the (ISC)2 website.
The link is https://www.isc2.org/cgi-bin/content.cgi?page=924

Austin Chapter of the Information Security Community Formed

The Austin Chapter of the ISM-Community was formed and successfully launched this month.

We are looking for the following to grow the ISM-Community in the Austin and Greater Texas area:

  1. Hosts / Sponsors: companies to host and sponsor upcoming events
  2. Speakers to present at these ISM-Community hosted events
  3. Volunteers to assist in the various ISM-Community projects and activities

If you are interested, or would like to recommend someone for an upcoming event, please contact the Austin ISM-Community Chair, Mano Paul.