As we announced last month AppSecDC is upon us and I’m excited to be heading down into the city soon! For those interested I’m honored to be presenting twice at this event … one on Wednesday at 2:30 and another on Thursday at 4:30. I’ve included the title and abstracts below.
I always enjoy meeting new people so please don’t be shy … come up and introduce yourself. I’ll be doing a mix of attending talks, networking, blogging, and of course trying to keep up back at the office somewhat so please excuse me if I seem distracted. When not attending sessions, you’ll probably find me in the vendor or CTF areas (or wherever I can find a power and Internet access) hungered down over my laptop. I’ll probably be sporting my black t-shirt (surprised?) with the @grecs profile pic on it and maybe my ScotteVest vest if I can find it. To get updates as to where I might be the best way is to probably track me on Twitter at @grecs.
I’ve been looking over the talks and following my three-a-day rule (see rule 3 in my ShmooCon Fight Club Rules post from earlier this year) these are the talks I am looking forward to attending. I’ve included an extra one each day as a backup since I’m not known for being a morning person.
- Dan Geer Keynote (9:00 AM)
- Python Basics for Web App Pentesters – Part 2 (Justin Searle; 11:00 PM): I so need to learn a language again … and Python seems to be it.
- OWASP Broken Web Applications OWASP BWA 1.0 Release (Chuck Willis; 3:30): I need to learn more about this as it would be very useful in some classes I’m teaching.
- Old Webshells, New Tricks (Ryan Kazanciyan; 4:30): I remember these back in the day. Can’t wait to learn about what’s available now.
- Overcoming the Quality vs Quantity Problem in Software Security Testing (Rafal Los; 9:00 AM): I just got to attend this so I can argue with Rafal… )
- SharePoint Security 101 (Rob Rachwald; 11:00 AM): I’ve written about this before but am looking to see what Rob has to add to the topic.
- Whack-a-Mobile II Mobile App Pen Testing with the MobiSec Live Environment (Kevin Johnson and Tony Delagrange; 1:30 PM)
- Cloud-based dWAF A Real World Deployment Case Study (Alexander Meisel; 3:30)
There are a bunch more presentations I’d like to attend but I guess I’ll have to wait for the videos to come out. You can see all the talks over on the AppSecDC website. I also recommend this same three-a-day rule to you. We sit in front of our computers probably 8 to 12 hours a day not directly interacting with anyone. Take the opportunity of a conference like this to actually shake hands with the people you exchange tweets with as well as meet new people.
Anyway here are my two talks and I hope to see as many of you there as I can.
“The Easy Button for Your Web Application Security Career”
(Wednesday, April 4th at 2:30 PM)
The web application security field has been rapidly growing over the past decade due in part to the continued webinization of the world in combination of ever evolving government laws and regulations, industry compliance requirements, and the ongoing increases in online crime. If you have an interest in the web and security, there has never been a better time to make the transition into this specialization. For those already practicing in this field it’s a great time to take advantage of this rapid growth and managing your career to most efficiently meet your goals. Although many career presentations or articles leave people motivated, they don’t often provide the quick next steps that participants can take home and immediately start implementing. This presentation tries to overcome this deficiency by not only discussing career planning basics but also providing a career “easy” button with a template framework and actions audience members can start working on immediately.
“Using PHPIDS to Understand Attacks Trends”
(Thursday, April 5 at 4:30 PM)
As described by its author, PHPIDS “is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application.” As an open source project it provides web site owners unfamiliar with traditional log analysis an easy way to learn of attacks against their site. This presentation will provide an overview of PHPIDS as well as instructions for incorporating it into your web infrastructure. Specifically, the talk will start with a detailed description of PHPIDS, including its architecture and operational flow. Next, the discussion will turn to the basics of installing, configuring, and testing it for any PHP web application. Finally, the presenter will provide insight into operations and maintenance of PHPIDS from over two years of use, including calibration, signature updates, incident response, and attack trends.
Hope to see everyone there… Today’s post pic is from AppSecDC.org. See ya!