He will cover the two primary methods of XSS attack, reflected and persistent, as well as provide detailed demonstrations that show how an attacker would use these methods in the real world.

As part of the demo, Rob will go beyond proof of concept and present an example of a “weaponized” JavaScript that could be used to steal another user’s session information.

Rob will also offer practical tips for defending against cross-site scripting flaws in your own applications.

When: June 2, 2010

Time: 6:30 p.m.

Where: Microsoft offices at the Waltham Weston Corporate Center, 201 Jones Rd., Sixth Floor Waltham, MA

]]> http://safelightsecurity.com/news/2010/05/28/owasp-boston-lighting-talk-cross-site-scripting-reflected-and-persistent/feed/ 0 http://safelightsecurity.com/news/2010/05/05/safelight-headlines-owasp-boston-with-monthly-lightning-talk-series/ http://safelightsecurity.com/news/2010/05/05/safelight-headlines-owasp-boston-with-monthly-lightning-talk-series/#comments Wed, 05 May 2010 19:33:01 +0000 Kim Novino http://safelightsecurity.com/?p=404 IT Security Education Key to Defending Against OWASP Top 10 Most Critical Web Application Vulnerabilities

In the first of the Safelight Security Advisors Lightning Talk Series, CEO Rob Cheyne will discuss “An Introduction to SQL Injection,” at the Open Web Application Security Project (OWASP) Boston chapter meeting, Monday, May 3.

Rob will cover the methodology used by professional attackers, along with detailed demonstrations of one of the most common and dangerous OWASP Top 10 issues.

After demonstrating how SQL injection can be used to run system commands and gain root access on a database server, Rob will provide practical tips for defending against SQL injection flaws.

Safelight’s Lightning talks are designed for members newer to OWASP interested in understanding the basics of web application security, although everyone should feel free to attend.

When: May 3, 2010, with subsequent meetings typically the first Wednesday of the month

6:30 – 7:00 p.m. Networking 7:00 – 9:00 p.m. Main Presentations Join the Boston mailing list.

]]> http://safelightsecurity.com/news/2010/05/05/safelight-headlines-owasp-boston-with-monthly-lightning-talk-series/feed/ 0 http://safelightsecurity.com/news/2010/02/19/join-us-at-the-rsa-2010-conference/ http://safelightsecurity.com/news/2010/02/19/join-us-at-the-rsa-2010-conference/#comments Fri, 19 Feb 2010 17:21:54 +0000 Kim Novino http://www.securityadvisors.com/?p=184 RSA 2010 Conference

March 1-3

Moscone Center

San Francisco, CA

Join Safelight at Booth #2058 to see the latest in information security training, including our newest online learning programs. Attend our customer presentation, Banking on Security Education with State Street Bank’s Vice President Jeff Richard, and cocktail reception from 6:00 -8:00 p.m. at The St. Regis Hotel to hear how this leading financial institution rolled out a comprehensive security training program for thousands of developers worldwide. You must register for this event in advance in order to attend.]]> http://safelightsecurity.com/news/2010/02/19/join-us-at-the-rsa-2010-conference/feed/ 0 http://safelightsecurity.com/news/2010/02/10/webcast-new-technology-wearing-hand-me-down-vulns/ http://safelightsecurity.com/news/2010/02/10/webcast-new-technology-wearing-hand-me-down-vulns/#comments Wed, 10 Feb 2010 21:51:17 +0000 Kim Novino http://www.securityadvisors.com/?p=115

Using a web service as an example, Rob will demonstrate how classic vulnerabilities can crop up in new technologies and how applying SDL principles can help build secure systems. Register for the Webcast. ]]> http://safelightsecurity.com/news/2010/02/10/webcast-new-technology-wearing-hand-me-down-vulns/feed/ 0 http://safelightsecurity.com/news/2010/02/02/safelight-named-member-of-microsoft-sdl-pro-network/ http://safelightsecurity.com/news/2010/02/02/safelight-named-member-of-microsoft-sdl-pro-network/#comments Tue, 02 Feb 2010 14:30:38 +0000 Kim Novino http://www.securityadvisors.com/?p=104 BlackHat DC 2010, Safelight Security Advisors today became a training member of Microsoft’s Security Development Lifecycle (SDL) Pro Network. Microsoft created the SDL Pro Network to help development organizations adopt the SDL and address the challenges of embedding security and privacy into their software and development culture. As one of seven new members and the only training company selected among the latest group, Safelight joins a select network of industry leaders specializing in application security with significant experience in secure development lifecycle methodologies.

“Microsoft is happy to have SafeLight join the SDL Pro Network.  We believe training is a cornerstone to the SDL and SafeLight can help train developers on secure coding practices,” said David Ladd, Principal Security Program Manager, Microsoft’s Trustworthy Computing Group.

As part of the SDL Pro Network, Safelight looks forward to continuing the mission of training students on a disciplined process that’s proven to reduce vulnerabilities and lower the total cost of development. Safelight’s instructor-led and online learning programs helps companies incorporate security best practices into their development initiatives, offering security education courses that cover all phases of the SDL:

• Introduction to the Microsoft Development Lifecycle
• Application Security Fundamentals
• Architecting Secure Systems
• Language-Specific & Language-Agnostic Secure Coding
• Testing for Secure Systems
• Managing a SDL (for project managers and team leaders)
• Risks of Insecure Applications (for business owners and executives)

Learn how Safelight Security Advisors helped a major U.S. bank create security training for its internal developers: both employees and contractors located in multiple countries. Attendees will learn ways to shift the mindset of this critical audience, leaving with ideas they can start to implement themselves.

CSI 2009 features a comprehensive program, covering 18 main topic areas, to provide the security knowledge needed to succeed in today’s environment. To attend, visit http://csiannual.com.

You can read about it here . Click the link that says "The end of our rope: the ongoing tug-o-war between business and security", The gist is that we get two business people and two security people together, and they discuss the finer points of managing business and security requirements in real-world environments. Many of us have been there. Security people have a notoriously difficult time convincing the business that security is important, and business folks are just trying to run the company and often view security as a speed bump.

I’m very excited to moderate this panel two years in a row. It is relatively rare to get security and business people together at one table with the sole purpose of discussing how security impacts real-world decisions. As they say on TV, "Let’s get ready to rumble!"

How you can help

Below are some examples of questions I could ask the panelists. I have a much longer list, but I think it would be much more interesting to open this up to the security community. So, given this opportunity, what questions would YOU like me to ask the panelists?

• When you are ’selling’ security, how do you get appropriate attention when you are talking about what MIGHT happen instead of things that ARE happening? You are essentially asking people to spend money on a problem that "THEY DON’T HAVE". How do you justify the expense?
• Whose responsibility IS it to manage security?
• With security, it is possible to spend an unknown amount of money on an intangible problem. What is the right amount to spend?
• As an industry, security people tend to NOT be very good at communicating security concepts to NON security people. How do you communicate technical security concepts to business people in a way that they get it?

See you at the conference!
–rob

Speaker: Paul Hinkle (Chief Technology Officer, Safelight Security Advisors)
Date/Time: Friday (March 13, 2009) 1:30pm — 3:00pm
Track: Security
Presentation Format: 90-minute Case Studies
Audience level: All

Presentation Abstract

Four years in the making, State Street Bank has created a pioneering security education program for its internal developers: both employees and contractors located in multiple countries. This case study will discuss how to properly implement an internal security training program. It will discuss the unique challenges State Street faced, how they were addressed, and the process the company went through to create a successful training program that is now mandatory for all staff involved in systems development worldwide.

Please email info@securityadvisors.com for a discount code to receive $100 off the lowest price.

What: Conference on California’s Future
When: May 12-16, 2008

Sacramento Convention Center
1400 J Street Sacramento, California 95814

Instructor: Paul Hinkle, CTO, Safelight Security Advisors

Security Training

Threat Update

Monday, May 12, 2008, 9:00 a.m. – 12:00 p.m.

Audience: IT network administrators and managers

The news is full of stories of stolen laptops, hacked databases and identity theft on a massive scale. From social engineering and spam, to directed attacks and virtualized rootkits, learn how different threats may impact the overall security posture of your organization. This half-day course brings you up to date with the latest attack methods, and anticipates some of the changes the industry expects in the near future.

Securing your Web Applications

Monday, May 12, 2008, 1:30 p.m. – 4:30 p.m.

Audience: application developers, project managers and business analysts

According to Acunetix (a vendor of Web application scanning tools), 70% of applications they reviewed contained high or medium ranked security vulnerabilities. Learn how to develop more secure applications using simple, repeatable steps. This introductory half-day session includes: demonstrations of key attacks, step-by-step analysis of those attacks and solid countermeasures that any development team can use in its Web environment.

The talks are decent, but this year there are 17 tracks!!! It is incredibly difficult to figure out which talks to go to – and if you don’t get into a talk early enough, there is a strong possibility that you will get locked out (this has already happened to me twice!). Apparently the fire marshall cracked down because standing in the back of the room is no longer allowed.

All this make me wish that there were more conferences like the Source conference in Boston. Full disclosure – I am on the Source advisory board, so I am clearly biased! However, Source was small, intimate, and you could actually interact with most of the attendees and speakers during the week. The talks were as good if not better than anything I’ve seen out here so far. In some ways it is like a combination of RSA and Black Hat talks. There were excellent business talks like the CEO Panel, and there were also great technical talks like James Atkinson’s terrifying discussion of physical security issues and Roger Dingledine’s TOR talk. And of course there was Dan Geer’s excellent keynote and the L0pht panel, which were the highlights of the show for me. All in all, it really was a blast, and I can’t wait for next year’s Source conference.

In the meantime, I’ve been enjoying the “real” RSA conference, which takes place in the bars after hours. Last night a ton of ex-@stake folks descended upon the Westin Market Street bar, a pre-cursor to Thursday night’s iSec event at Tres Agaves.