Overview

Date – Wednesday December 1
Time – 6:30 p.m.
Location – Microsoft Offices in Waltham, MA
Topic – Application Architecture Security Assessment – First Session

Presenter – Rob Cheyne, Safelight Security

In the December 1st session, Rob will conduct a sample architecture assessment against a real-world system, and in the process, teach participants how to conduct an architecture of their own. Brave volunteers will be welcome to share their own architectures and have them reviewed. This is an opportunity to get free consulting that typically costs thousands of dollars. There is limited time, so not every one will get chosen. If you are interested in this, please contact Rob Cheyne (rcheyne@safelightsecurity.com) directly.

Additional information:

Penetration testing is a common way to evaluate an application’s security. Yet a comprehensive architecture and design assessment can uncover critical security issues that often cost far less to resolve early on in a project. Many companies overlook this element of system design.

Rob was one of a select few at security consulting company @stake who regularly led and conducted full-blown enterprise-level architecture assessments for Fortune 500 companies. Drawing from his experience with dozens of real-world architecture assessments over the past 12 years, and his 20 years as a software developer, architect, and consultant, Rob teaches students to challenge assumptions that frequently lead to long-term security and reliability problems.

Location and Directions

Microsoft offices at the Waltham Weston Corporate Center, 201 Jones Rd., Sixth Floor Waltham, MA

John Carmichael and Rob Cheyne presented to over 150 attendees of the 2010 OWASP Boston Application Security Conference.

Coffee Shop Warfare:Protecting Yourself in Dark Territory

Presented by: John Carmichael
Time: 13:00-13:50
Track: 2

A lighthearted look at the real threats that people face in personal computing, specifically when connected to unknown network at coffee shops and airports. John will cover many of these threats and discuss tools and best practices everyone can engage in to ensure they protect their machine and information from these risks.

OWASP Basics 1 and 2

Presented by: Robert Cheyne
Time: 10:00-11:50
Track: 2

Rob presents a number of scenarios that walk participants through the basics of SQL injection, XSS and CSRF, along with a few other tricks he has up his sleeve. Participants will come away with a foundation for further security learning. Those already knowledgeable on application security issues will learn some new techniques for presenting and teaching this information in a clear, concise and effective manner.

Next meeting – Wed. Oct 6. Microsoft Waltham. This is the first of a 2 part session. The second part will be Wed. Dec. 1.

Overview:

In this highly interactive two-part workshop, Rob Cheyne of Safelight Security will show you the basics of conducting a real-world architecture & design review. This workshop draws from Safelight’s Security Architecture Fundamentals training course, a two-day course frequently used to teach Fortune 500 companies how to look at their system architectures from both the hacker’s and the designer’s point of view.

First session:

In the first session on October 6, Rob discusses a practical approach to architecture review and threat modeling using real-world examples. This session lays the foundation for participants to participate in a real-world architecture review in the December session.

Attendees will learn:

• How to holistically examine a system architecture for security issues from both the designer’s and the hacker’s point of view
• To identify frequently overlooked areas where security vulnerabilities commonly occur
• Tips for assessing a system at the host-level, network level, and application level
• Practical ways to apply threat modeling to help manage risk

Second session:

In the December 1st session, Rob will conduct a sample architecture assessment against a real-world system, and in the process, teach participants how to conduct an architecture of their own. Brave volunteers will be welcome to share their own architectures and have them reviewed. This is an opportunity to get free consulting that typically costs thousands of dollars. There is limited time, so not every one will get chosen. If you are interested in this, please contact Rob Cheyne (rcheyne@safelightsecurity.com) directly.

Who should attend?

Anyone can participate and learn from the discussion in this accessible and dynamic workshop. Whether you are an architect, a developer, or a manager, there will be something here for you. Come learn to challenge your assumptions.

Additional information:

Penetration testing is a common way to evaluate an application’s security. Yet a comprehensive architecture and design assessment can uncover critical security issues that often cost far less to resolve early on in a project. Many companies overlook this element of system design. Rob was one of a select few at security consulting company @stake who regularly led and conducted full-blown enterprise-level architecture assessments for Fortune 500 companies. Drawing from his experience with dozens of real-world architecture assessments over the past 12 years, and his 20 years as a software developer, architect, and consultant, Rob teaches students to challenge assumptions that frequently lead to long-term security and reliability problems.

http://www.owasp.org/index.php/Boston

We will still have a November meeting, featuring Pravir Chandra, project leader for OWASP Open SAMM. http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model#tab=Main

In the second installment of Safelight’s Lightning Talk series, Rob Cheyne will present the basics of cross-site scripting (XSS) at OWASP Boston.

He will cover the two primary methods of XSS attack, reflected and persistent, as well as provide detailed demonstrations that show how an attacker would use these methods in the real world.

 

As part of the demo, Rob will go beyond proof of concept and present an example of a “weaponized” JavaScript that could be used to steal another user’s session information.

 

Rob will also offer practical tips for defending against cross-site scripting flaws in your own applications.

 

When: June 2, 2010

Time: 6:30 p.m.

Where: Microsoft offices at the Waltham Weston Corporate Center, 201 Jones Rd., Sixth Floor Waltham, MA

IT Security Education Key to Defending Against OWASP Top 10 Most Critical Web Application Vulnerabilities

In the first of the Safelight Security Advisors Lightning Talk Series, CEO Rob Cheyne will discuss “An Introduction to SQL Injection,” at the Open Web Application Security Project (OWASP) Boston chapter meeting, Monday, May 3.

Rob will cover the methodology used by professional attackers, along with detailed demonstrations of one of the most common and dangerous OWASP Top 10 issues.

After demonstrating how SQL injection can be used to run system commands and gain root access on a database server, Rob will provide practical tips for defending against SQL injection flaws.

Safelight’s Lightning talks are designed for members newer to OWASP interested in understanding the basics of web application security, although everyone should feel free to attend.

When: May 3, 2010, with subsequent meetings typically the first Wednesday of the month

6:30 – 7:00 p.m. Networking 7:00 – 9:00 p.m. Main Presentations Join the Boston mailing list.

RSA 2010 Conference

March 1-3

Moscone Center

San Francisco, CA

Join Safelight at Booth #2058 to see the latest in information security training, including our newest online learning programs. Attend our customer presentation, Banking on Security Education with State Street Bank’s Vice President Jeff Richard, and cocktail reception from 6:00 -8:00 p.m. at The St. Regis Hotel to hear how this leading financial institution rolled out a comprehensive security training program for thousands of developers worldwide. You must register for this event in advance in order to attend.

Safelight’s CEO Rob Cheyne will present a webcast for the Microsoft SDL Pro Network community on “New Technology Wearing Hand-Me-Down Vulns,” February 25, 2010 from 1:00-1:30 p.m. EDT.

Using a web service as an example, Rob will demonstrate how classic vulnerabilities can crop up in new technologies and how applying SDL principles can help build secure systems. Register for the Webcast.

At BlackHat DC 2010, Safelight Security Advisors today became a training member of Microsoft’s Security Development Lifecycle (SDL) Pro Network. Microsoft created the SDL Pro Network to help development organizations adopt the SDL and address the challenges of embedding security and privacy into their software and development culture. As one of seven new members and the only training company selected among the latest group, Safelight joins a select network of industry leaders specializing in application security with significant experience in secure development lifecycle methodologies.

“Microsoft is happy to have SafeLight join the SDL Pro Network.  We believe training is a cornerstone to the SDL and SafeLight can help train developers on secure coding practices,” said David Ladd, Principal Security Program Manager, Microsoft’s Trustworthy Computing Group.

As part of the SDL Pro Network, Safelight looks forward to continuing the mission of training students on a disciplined process that’s proven to reduce vulnerabilities and lower the total cost of development. Safelight’s instructor-led and online learning programs helps companies incorporate security best practices into their development initiatives, offering security education courses that cover all phases of the SDL:

• Introduction to the Microsoft Development Lifecycle
• Application Security Fundamentals
• Architecting Secure Systems
• Language-Specific & Language-Agnostic Secure Coding
• Testing for Secure Systems
• Managing a SDL (for project managers and team leaders)
• Risks of Insecure Applications (for business owners and executives)

Visit Safelight’s SDL Pro Network page at http://securityadvisors.com/sdl to learn more about our offerings.

Read Microsoft’s announcement on the new SDL Pro Network members in their press room.

Safelight’s CEO Rob Cheyne will present, “Banking on Education: A Case Study on Developer Security” at CSI 2009 on Tuesday, October 27, 2009 from 9:45-10:45 a.m.

Learn how Safelight Security Advisors helped a major U.S. bank create security training for its internal developers: both employees and contractors located in multiple countries. Attendees will learn ways to shift the mindset of this critical audience, leaving with ideas they can start to implement themselves.

CSI 2009 features a comprehensive program, covering 18 main topic areas, to provide the security knowledge needed to succeed in today’s environment. To attend, visit http://csiannual.com.

I am currently preparing for the Business vs. Security panel that I am moderating at the Source:Boston conference on Wednesday, March 11th from 4:15-5:30pm.

You can read about it here . Click the link that says "The end of our rope: the ongoing tug-o-war between business and security", The gist is that we get two business people and two security people together, and they discuss the finer points of managing business and security requirements in real-world environments. Many of us have been there. Security people have a notoriously difficult time convincing the business that security is important, and business folks are just trying to run the company and often view security as a speed bump.

I’m very excited to moderate this panel two years in a row. It is relatively rare to get security and business people together at one table with the sole purpose of discussing how security impacts real-world decisions. As they say on TV, "Let’s get ready to rumble!"

How you can help

Below are some examples of questions I could ask the panelists. I have a much longer list, but I think it would be much more interesting to open this up to the security community. So, given this opportunity, what questions would YOU like me to ask the panelists?

Sample questions:

• When you are ‘selling’ security, how do you get appropriate attention when you are talking about what MIGHT happen instead of things that ARE happening? You are essentially asking people to spend money on a problem that "THEY DON’T HAVE". How do you justify the expense?
• Whose responsibility IS it to manage security?
• With security, it is possible to spend an unknown amount of money on an intangible problem. What is the right amount to spend?
• As an industry, security people tend to NOT be very good at communicating security concepts to NON security people. How do you communicate technical security concepts to business people in a way that they get it?

See you at the conference!
–rob