Setting the Web Application Security Agenda for 2009: OWASP Invites You to Join Our Summit in Portugal

http://www.owasp.org/index.php/OWASP_EU_Summit_2008

With the theme ‘Setting the AppSec agenda for 2009′, the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends. Join us in Portugal in just a few short weeks! This venue hosts a diverse selection of training courses along with technical and business tracks, making it THE place to learn about web application security and the resources OWASP has available for use today.

OWASP is a not-for-profit organization with the purpose of supporting the Web Application Security community around the world, and has granted $250,000 USD for web application security research. In addition to over 40 presentations from the OWASP Leaders and grant recipients, the OWASP Summit will host multiple Working Sessions designed to improve collaboration, achieve specific objectives and identify roadmaps for OWASP projects, chapters, and the OWASP community itself.

To facilitate this event, OWASP is investing $150,000 USD which will be used to cover air travel and accommodation expenses for OWASP leaders, active contributors, and select key industry leaders. With their confirmed presence, the OWASP Summit will provide a relaxed but professional environment to meet, discuss, influence and contribute to OWASP projects.

There are still funds available! If you are interested in attending and you meet the profile of the current OWASP supported attendees (see list here: http://spreadsheets.google.com/pub?key=pAX6n7m2zaTVLrPtR07riBA) contact Paulo Coimbra (paulo.coimbra@owasp.org). Please note that you should do so only if you meet the paid attendance criteria (see herehttps://www.owasp.org/index.php/OWASP_EU_Summit_2008_paid_participation_rules) and are unable to get corporate support to attend this event (for other corporate sponsorship opportunities see http://www.owasp.org/index.php/OWASP_EU_Summit_2008_Sponsors).

The OWASP Summit will also host a large and diverse selection of training courses, covering multiple OWASP specific and Web Application Security Topics.

The remarkable impact of OWASP is made possible only by the collaboration of many dedicated people and organizations worldwide. In that spirit of cooperation, OWASP invites all its members (who have 20% discount + 1 VIP Ticket) and interested individuals and companies to attend this thrilling event. Please join us and help to set the Web Application Security Agenda for 2009!

Please see below for additional details about the OWASP Summit or visit the OWASP Summit website: http://www.owasp.org/index.php/OWASP_EU_Summit_2008.

Projects

OWASP projects selected for Summit presentation include new documentation and innovative tools to help developers, architects, and security specialists ensure that applications are secure:

• Application Security Verification Standard,
• Code review guide, V1.1,
• Ruby on Rails Security Guide v2,
• Securing WebGoat using ModSecurity,
• Testing Guide v3,
• GTK+ GUI for w3af project,
• Access Control Rules Tester,
• AntiSamy .NET,
• Live CD & DVD Project,
• OpenPGP Extensions for HTTP,
• Orizon Project,
• Python Static Analysis,
• WebScarab-NG,
• And many, many others.

Working Sessions

Expecting the presence of the application security industry key players, the Working Sessions will cover a wide range of issues such as:

• OWASP Top 10 2009,
• Browser Security,
• Web Application Framework Security,
• Enterprise Security API Project,
• Best Practices for OWASP Chapter Leaders,
• OWASP Documentation Projects,
• OWASP Tools Projects,
• OWASP Education Project,
• OWASP Strategic Planning for 2009,
• OWASP Certification,
• OWASP Winter of Code 2009
• Two-way Internationalization of OWASP Content
• And many more.

Training

These 2-day, 1-day or 1/2-day training courses cover a wide range of OWASP specific and Web Application Security Topics:

• OWASP Top 10 - What Developers Should Know on Web Application Security
• Uncovering WebScarab’s Secret Treasures
• Securing WebGoat with ModSecurity
• Secure Programming with Java
• Advanced Web Application Security Testing
• Building Secure Web 2.0 Applications
• Building Secure Web Services
• Building Secure Web Applications with OWASP’s Enterprise Security API (ESAPI)
• Classic ASP Security using OWASP tools
• Web Application Assessments
• Hacking Owasp Orizon Project v1.0
• Ajax Security
• Practical Penetration Testing: Think Like an Attacker to Stop Attacks
• Linux Software Exploitation
• Web server/services hardening using SELinux

Main Contact:

Kate Hartmann
OWASP Operations Director
9175 Guilford Road, Suite 300
Columbia, MD 21046, USA
Phone: +1-301-575-0189
Facsimile: +1-301-604-8033
Email: kate.hartmann@owasp.org

People ask why do you blog?  In the final analysis I blog because I like to. Every once in a while though you get a comment from a reader that reminds you why it is all worth while.  Here is one I received today from a person alleging to be a Julie Peterson:

Julie Peterson commented on Safe Access wins SC Magazine Award Reader Trust Award, again!:

Dressed in a tuxedo and chewing those rubber chicken breasts at the award ceremony is your idea of fun? Aren't you the same mentally retarded idiot who said in 2007 that you hated SC awards and that anyone can buy the SC awards with a sponsorship? Why do you think people give over $10k as sponsorship for the SC awards? Who is watching the awards except other vendors? By the way you suck big time with your rubbish blogs. Didn't networld magazine give you the boot within 3 months? Think before you write Mr. mental. Well done on winning, but please, dont give the impression that you cant buy an award from SC! And don't forget to eat your medication pills tonight, otherwise from your hair it is obvious you ran away from a mental hospital.

First of all Julie, let me thank you for your kind words! You made the statement and let me answer your questions for you.

1. Is dressing in a tuxedo and chewing rubber chicken breasts my idea of fun?  Actually, I do enjoy dressing up in a tuxedo once in a while.  The food at the awards ceremony was actually pretty good, if not diet friendly, as were the cocktails.  The entertainment at the awards show was pretty good as well. Catching up with friends you had not seen for a while and networking with industry peers was pretty worthwhile too.  Maybe your idea of a good time is putting on a bowling shirt and swilling a couple of beers and pretzels before going home and undressing into your dirty ripped underwear. Hey I say to each his own.

2. I am not the idiot who in 2007 said that I hated the SC awards and that anyone can buy the SC awards with a sponsorship.  I am the idiot who said that about the InfoSec Products Guide award by the folks at Silicon Valley Communications.  In contrast I have always said nice things about the SC awards. I actually have a lot of respect for them.  Also for the record, StillSecure has never been a sponsor of the SC Magazine awards. I have seen sponsors who did not win awards as well.  So looks like you got that one wrong Julie, but it happens.

3. ???Networld??? magazine didn???t give me the boot within 3 months.  They never had the chance, as I never wrote for ???networld, network world or any other magazine. Maybe you have me confused with Mike Rothman or Mitchell Ashley, who do and did write for Network World. But let me assure you that I do try and think before I write.

4. Regarding what medication pills I take and does my hair make it obvious I ran away from a mental hospital. I don???t take any medication, maybe I should.  Better living through chemistry you know ;-)  As to my hair, what can I say.  At this stage I am happy I have any hair at all.  My wife always says when I get my haircut it looks like a Buzz Lightyear style, but no one ever mentioned a mental hospital look to it.  In any event sorry it doesn???t appeal to you.

So who is this troll Julie Peterson?  Could it be Richard Stiennon in drag?  Maybe his wife striking out?  Maybe another one of my fans?  Who knows, but these sort of comments keep me juiced about blogging and remind me of how much fun I have doing it.  Thanks again Julie!

People ask why do you blog?  In the final analysis I blog because I like to. Every once in a while though you get a comment from a reader that reminds you why it is all worth while.  Here is one I received today from a person alleging to be a Julie Peterson:

Julie Peterson commented on Safe Access wins SC Magazine Award Reader Trust Award, again!:

Dressed in a tuxedo and chewing those rubber chicken breasts at the award ceremony is your idea of fun? Aren't you the same mentally retarded idiot who said in 2007 that you hated SC awards and that anyone can buy the SC awards with a sponsorship? Why do you think people give over $10k as sponsorship for the SC awards? Who is watching the awards except other vendors? By the way you suck big time with your rubbish blogs. Didn't networld magazine give you the boot within 3 months? Think before you write Mr. mental. Well done on winning, but please, dont give the impression that you cant buy an award from SC! And don't forget to eat your medication pills tonight, otherwise from your hair it is obvious you ran away from a mental hospital.

First of all Julie, let me thank you for your kind words! You made the statement and let me answer your questions for you.

1. Is dressing in a tuxedo and chewing rubber chicken breasts my idea of fun?  Actually, I do enjoy dressing up in a tuxedo once in a while.  The food at the awards ceremony was actually pretty good, if not diet friendly, as were the cocktails.  The entertainment at the awards show was pretty good as well. Catching up with friends you had not seen for a while and networking with industry peers was pretty worthwhile too.  Maybe your idea of a good time is putting on a bowling shirt and swilling a couple of beers and pretzels before going home and undressing into your dirty ripped underwear. Hey I say to each his own.

2. I am not the idiot who in 2007 said that I hated the SC awards and that anyone can buy the SC awards with a sponsorship.  I am the idiot who said that about the InfoSec Products Guide award by the folks at Silicon Valley Communications.  In contrast I have always said nice things about the SC awards. I actually have a lot of respect for them.  Also for the record, StillSecure has never been a sponsor of the SC Magazine awards. I have seen sponsors who did not win awards as well.  So looks like you got that one wrong Julie, but it happens.

3. “Networld” magazine didn’t give me the boot within 3 months.  They never had the chance, as I never wrote for “networld, network world or any other magazine. Maybe you have me confused with Mike Rothman or Mitchell Ashley, who do and did write for Network World. But let me assure you that I do try and think before I write.

4. Regarding what medication pills I take and does my hair make it obvious I ran away from a mental hospital. I don’t take any medication, maybe I should.  Better living through chemistry you know ;-)  As to my hair, what can I say.  At this stage I am happy I have any hair at all.  My wife always says when I get my haircut it looks like a Buzz Lightyear style, but no one ever mentioned a mental hospital look to it.  In any event sorry it doesn’t appeal to you.

So who is this troll Julie Peterson?  Could it be Richard Stiennon in drag?  Maybe his wife striking out?  Maybe another one of my fans?  Who knows, but these sort of comments keep me juiced about blogging and remind me of how much fun I have doing it.  Thanks again Julie!

From the Last Hope:

For Immediate Release

THE LAST HOPE TO FEATURE HACKER RADIO

At The Last HOPE conference, hackers will broadcast their minds and their iPods.

In the center of the summer’s top hacker event will be a small isolation booth. “Radio Statler!” as the station is called, will send out a three day broadcast of all-original material. From the center of Manhattan, around the clock, discussions of the past, present, and future of technology, creativity, and humanity itself will be transmitted.

The first night of the conference, July 18th, the station will carry a program called Digital Music Night, hosted by Peter Kirn, editor of createdigitalmusic.com. The three hour live concert will feature a convergence of artists and musicians using custom, original tools for performing live in new and bizarre ways, including:

* Houseplants hooked up to live computer visuals and music
* A mutant trumpet, halfway between the digital and acoustic worlds
* Packets of data visualized as three-dimensional eye candy
* An animated digital art sketchpad controlled by Wii remote
* A set of digital gloves for gestural DJing
* A robotic drummer
* Computer-generated vocals that sing your spam folder to you
* Live digital art made from vintage game consoles and computers

The station will give additional talk and interview time to the conference’s speakers, broadcast the keynotes and other popular seminars, and offer attendees who don’t speak at the podium a chance to share their ideas. Many hackers who already do their own podcasts are being asked to contribute and do special programs for the conference.

Program and content submissions are still being taken, volunteers are being sought, and the organizers are looking for promotional sponsors to help cover the cost of broadcasting. More information can be found at http://radio.hope.net/ or by emailing projects@hope.net.

Damn, I’ll have to break out Garageband or maybe I’ll have to submit one of these tracks? HA!

Recently Alan wrote an interesting post about the lack of “interoperability” at Interop, but we saw just the opposite.

Because we were a very active part of InteropNet (EM7 provided the network monitoring and help desk solutions), our perspective is completely different. InteropNet (and iLabs) are by nature meant to be examples of very large multi-vendor efforts to build interoperability solutions that literally run the show floor and are available for all attendees to inspect – via the NOC tours.

Maybe it all comes down to perspective? From Alan’s perspective, vendors at the show did their own thing and cared less about how their products worked with one another and more about why people should buy them. Of course they did; exhibiting vendors market their own solutions for proprietary technologies. From our perspective, we spent something like 6-8 man-weeks over the last few months building and managing InteropNet with the other 16 technology sponsors that had to come together and work together to deliver the largest temporary network in the world.

So, to Alan’s point, perhaps there is more that Interop could do to get the word out about interoperability achievements. Beyond the NOC and iLabs tours, the show could hold attendee sessions or tape a video documentary on how InteropNet is built – to borrow a few ideas from Michael Wilde of Splunk. And how about an “Interop Historian” who captures just such stories at the show? I think it’s far more compelling to read about multi-vendor solutions and how they operate in the real world than one more story taken from a press release a vendor did just to have news at a show.

So Alan, one question for you since you brought it up.What has StillSecure done to create interoperability with other vendors that you could promote at Interop?

ShareThis

I met so many people, I hate to even begin to start naming names… first, because I’m horrible at remembering names and secondly, I’m sure I’d forget to include someone.

It was a blast and it was PACKED. In fact, the only thing I could have wished for was more seating. After running around RSA day and night for 3 days in 3” and 4” heels, my toesies were tired.  

Some names you may recognize- I did see CMP’s Mike Fratto, Bruce Schneier, SC Magazine’s Illena Armstrong, Network World columnist Andreas Antonopoulos (please let me have spelled that correctly), George Ou, eWeek’s Ryan Nariane, Network World writer Mitchell Ashley,  Todd Hooper CEO of Napera, Ryan Russell and Amrit Williams from BigFix, Stacy Thayer of the one and only SOURCEBoston, Augusto Barros, Dan O’Neill, Jack Daniel, Apneet Jolly, no show would be complete without Chris Hoff  and of course we have to not miss Alan Shimel  (how can you miss Alan?), Rich Mogull and blogger and world-wide famous podcaster Martin McKeay. 

More-than-honorable mention goes to miss Jennifer Leggio, blogger, PR queen and planner extraoirdinaire.

We started off with a warm welcome by the sponsors and team. I was already a Guinness into it, but I believe Rich, Alan and Martin all had a word. The next couple of hours flew by as we met-n-mingled. During the party, Rich and Martin had the live streaming video running and were pulling victims over for beer-laden interviews. I did get sucked into the trap- 3 of them ganged up on me and dragged me over- but luckily the first hour or so ran live but didn’t record, so there’s no proof of our silly ramblings.

Somehow the majority of our blogger mass managed to stay together and hang out for a continuation of the party at a variety of San Francisco hot spots. I couldn’t begin to tell you where all we went. There were a couple more RSA parties, we got yelled at for having cigars at one point, I couldn’t seem to find a taxi at another, and finally we made it to the W (I think).

I’m certainly impressed by the caliber of our members and the passion we all share. I’ll certainly be keeping in touch with many of these folks for a long time to come!

# # #

As part of their investigation, the Committee engaged a multitude of experts ranging from e.g. PayPal CISO Michael Barrett to Prof. Ross Anderson, Bruce Schneier to Robert Littas, Head of Fraud Management in Visa Europe. Both the report and evidence (submitted in writing and during interview sessions) are available from the Parliament's web site and are a must read for every security professional.

Amongst renowned security experts and executives of multi-billion companies, Ilkley Computer Club - a local community support group in a small town (population 13,828) in the north of England (UK), was asked to submit their views on the subject. They did so with the following introduction:

Ilkley Computer Club is approximately 25 years old. When it started, it was the time of the first micro computers for home use; Ataris, Commodores, Sinclairs and BBCs. Membership was mainly 5th & 6th Formers from local schools. Today, the majority of members are “silver surfers” who almost always use a Windows computer. When the Club started, the Internet had not been invented. Now all members use it and at most meetings, Internet issues dominate discussions. The members wanted to pool their recent experiences with Internet use and to present them to the Committee in the hope that their collective knowledge – or lack of it – may aid understanding.

Like every other witness the Club was asked to suggest ways of "tackling the problem" and provided 6 recommendations. What I could not fail to note is that the Committee adopted 5 out of 6 suggestions made by the Club. The following excerpts from the report illustrate this.

Club: "There must be positive Government guidance pushed to users;"

Committee:

8.24. We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety. (6.49)

Club: "Government advice must be from a single point of contact;"

Committee:

8.21. The Government-sponsored Get Safe Online website already provides useful information and practical advice to Internet users, but its impact is undermined by the multiplication of other overlapping websites. We recommend that the Government provide more explicit high-level political support to the Get Safe Online initiative and make every effort to recruit additional private sector sponsors. If necessary, the site should be relaunched as a single Internet security “portal”, providing access not only to the site itself but acting as a focus and entry-point for other related projects.
(6.46)

Club: "Internet Service Providers must take a proactive stance in prevention (viruses, trojans, spam, spyware, etc);"

Committee:

8.10. We recommend that the “mere conduit” immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code. This would give third parties harmed by infected machines the opportunity to recover damages from the ISP responsible. However, in order not to discourage ISPs from monitoring outgoing traffic proactively, they should enjoy a time-limited immunity when they have themselves detected the problem. (3.69)

Club: "Software produces must take more care when writing software to avoid bugs in the first place;"

Committee:

8.12. The IT industry has not historically made security a priority. This is gradually changing—but more radical and rapid change is needed if the industry is to keep pace with the ingenuity of criminals and avoid a disastrous loss of confidence in the Internet. The major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority. We urge the industry, through selfregulation and codes of best practice, to demonstrate its commitment to this principle. (4.38)

8.15. We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced. (4.41)

Club: "If washing machines can be “kite marked” to EU or UK standards, why not computers?"

Committee:

8.23. We further recommend that, in addition to the new kite mark for content control software, Ofcom work with the industry partners and the British Standards Institute to develop additional kite marks for security software and social networking sites; and that it continue to keep under review possible areas where codes of best practice, backed up by kite marks, might be appropriate. (6.48)

Everyone might have their own interpretation of how the suggestions of ordinary computer users ended up being so spot-on as far as the Committee's conclusions are concerned, but undoubtedly it is a fascinating result. Perhaps, "users don't know what they want" is not as true as many vendors tend to believe and users can not only help to identify problems but also to develop solutions?

I would like to invite the readers of my blog to join the DEBS 2008 group on LinkedIn. Joining this group will allow you to find and contact other DEBS 2008 members on LinkedIn.

The goal of the DEBS 2008 group is to help members:

• Reach other event processing people, sponsors and attendees of DEBS 2008.
• Accelerate careers, business, and research opportunities through referrals from other DEBS 2008 group members.
• Know more than a name – view rich professional profiles from fellow DEBS 2008 group members.

Please click here to join the group.

Yours sincerely, Tim

Co-Chair, International Relations
Distributed Event-Based Systems (DEBS) 2008

Selling software and related professional services is like a horse race.

The field is composed of horses named SOA, CEP, EDA, RSS, Web 2.0, Social Networking, BPM, BAM, BI, XTP and so forth.   Each horse has one or more primary sponsors, some are consulting organizations, who seem to have a nack for creating and marketing acronyms, and others are software companies, who’s hope is that their horse is in the winners circle.    There are also investors, venture capitalists and so much more.

There are the jockeys, those supported by the sponsors (for example the analysts) who will ride the horse fast and hard until it starts to fade, then find another horse to ride  (often at the same time!).   There are also the trainers, the vets, the racing forms, the cheering crowds and those who bet on the different races.  

Many of us are in this profession because we love the racing action.

Just like horse racing, the technology sponsors, the jockeys and other interested parties wear many hats, sponsors and jockeys generally betting heavily on their own horse.   Organizations, especially large ones, sponsor many horses and they place their bets accordingly, betting on exactas, trifectas and superfectas and various combinations.

The SOA - CEP exacta in the racing forms are interesting, including Joe McKendrick’s Complex Event Processing and SOA: a ‘beautiful thing’? and Jerry Cuomo’s, IBM WebSphere CTO sees CEP as SOA’s ‘next big thing’ .  There also continues to be heavy betting on the the SOA - EDA - CEP trifecta.

Betting on horses is a risky business.  Exactas and trifecta have enormous payouts, but the odds are remote.  Very few people win these exactas or trifectas.   I recall warm memories of my years in New Orleans when I was a university student at Tulane University.   We loved the excitement (and the beer!) at Jefferson Downs, in Kenner, Louisiana.   We took our dates to the horse races at Jefferson Downs and these evenings were always great fun!  What a good life!  Let the good times roll, as we used to say!

You know, I don’t recall anyone ever winning a trifecta.  I can barely recall anyone winning an exacta.

We won, and we did win big at times (and lost big), by hedging our bets, betting on a single horse or combinations of horses to win, place and show.

This is the essense of the excitement of the software industry, isn’t it?

Companies who bet heavily on SOA are now seeing the SOA horse is fading.   They see CEP coming around the track and hear the pounding of hoof against pay dirt as CEP starts to move up into the pack, and they place their bets, accordingly, on the CEP horse.  Will the CEP horse really survive the race?   No one knows, so they hedge their position by betting on EDA. 

The main difference between real horse races and technology horse races is that you can’t bet on the live horses after the gate opens.  However, you can definately bet on the technology horses at any time, and the race goes on and on and on and on. 

That is why technology horse racing is so exciting!