
Practical Security: Solutions for challenging times


Dates: 11 - 13 May 2010

Venue: Sandton Convention Centre

DAY 3 - Workshops: 13 May 2010 (Thursday)
8:30 - 12:00 WORKSHOP 1: Web hacking & security in the software development lifecycle
Part 1: Web Application Hacking
An increasing need for custom applications and ever-changing business processes mean that developers have become a key component of every business's IT staff. By extension, developers should also be a core component of any company's defence strategy.

However, in many cases developers have not been exposed to security practices. As a result, although they may be aware of many attack concepts and have a rudimentary grasp of how these attacks work, they may never have borne witness to such an attack, or realised the severity of the impact should one be successfully executed against a deployed application.

The Web Application Hacking workshop, presented by SensePost, is meant to address this gap. It focuses on the most common shortcomings found in web applications: injection, cross-site scripting, broken authentication and session management, insecure direct object references, security misconfiguration, unvalidated redirects and forwards, and insufficient transport layer protection.

In this workshop, developers will be introduced to these attacks through exercises based on real-life scenarios observed by SensePost staff over the past ten years. Although it focuses specifically on vulnerabilities found in web applications, traditional thick-client applications are vulnerable to similar attacks.

As such, this workshop is applicable to any developer, as the mindset and awareness instilled by the course will be of value to developers of any type of application.

Presenter: Ian de Villiers
Ian de Villiers is an associate security analyst for SensePost.
Coming from a development background, his areas of expertise are application and web application assessments. Ian has spent considerable time researching application frameworks, and has published a number of advisories relating to portal platforms. He has also provided training on web application security at prestigious events such as the Black Hat Briefings in the USA and has spoken at security conferences on this topic.
Ian will also be presenting at the Security Summit on the subject of Hacking Web Application Portals.
13:00 - 16:00 Part 2: Security in the Software Development Lifecycle
Software security is hard, and is becoming increasingly elusive as applications grow in complexity and the attacks against them become more sophisticated. To suitably secure their applications, organisations must formalise their application security efforts, specifically in the Software Development Life Cycle (SDLC). ThinkSmart will facilitate an interactive workshop on how you can bootstrap information security into your SDLC. It will cover some of the popular development methodologies and discuss how security should be woven into them. Included will be a discussion and demonstration of useful application security frameworks and techniques from resources such as OWASP.

If you want your development team to learn and share on how to implement a secure SDL then this workshop is for you.

Key discussion points:
Security and popular development methodologies
Demonstration of useful application security frameworks
Techniques from resources such as OWASP
Implementation of a Secure SDL

Presenters: Paul van Woudenberg and Theo van Niekerk
Paul is a co-founder of ThinkSmart, a focussed software development shop with a range of experience in web application security. Paul has diverse skills in information security, from writing policies a la ISO27001 to designing transaction authentication processes. Paul is at his happiest professionally when bridging the gap between business and technology. He holds an M.Eng from Stellenbosch University, is a CISSP and CSSLP (ISC2 qualifications) and is a member of OWASP.

Theo is a co-founder of ThinkSmart, a focussed software development shop with a range of experience in web application security. Theo is a seasoned software developer with a strong focus on security. At ThinkSmart, Theo helps clients build secure systems from the inside out, focussing on applying OWASP tools and by leading code audits, performing security testing and generally providing web application security thought leadership. He is an active member of OWASP and a contributor to the OWASP development guide project.

8:00 - 16:00
Threat Modelling Workshop

Security is a trade-off. Within systems, we choose to protect against what we think are the likely attacks, knowing that there is rarely the time or budget to defend against all threats. So too across the organisation: security teams are rarely larger than a handful of staff, and often no more than one or two. The chosen priorities are often driven by our intuitions, direction from the business, compliance, audit findings or, in some cases, the latest hype cycle. With all of these drivers it is easy for security to blow in the wind instead of being the wind.

What's needed is a method of thinking about security risks in a methodical and systematic way. A way to enumerate all the potential threats, systematically represent systems, their vulnerabilities and controls and combine them to provide a prioritised view of information security risks to an organisation or system. With such a view, the other drivers can line up behind it.

Several methods of threat modelling exist, with Microsoft having recently rejuvenated the field with the incorporation of threat modelling in their Secure Development Lifecycle. This and other threat modelling approaches will be examined.
The practical threat modelling workshop will present such a methodology and will engage participants in understanding a practical threat modelling approach.

In particular, participants will:
Learn the fundamentals of the risk equation "risk = threat x vulnerability x impact"
Look at various threat modelling approaches
Learn how to use the SensePost Corporate Threat Modelling Tool
Develop a sample threat model

Participants will also be provided with a free copy of the Corporate Threat Modelling Tool, and the ability to use it within their organisations.
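The following is an added, constructed example of the prioritisation the workshop describes: enumerate threats against assets, record the controls in place, score each with the risk equation "risk = threat x vulnerability x impact" and rank the result. It is not SensePost's Corporate Threat Modelling Tool and not code from the workshop; the 1-5 scales, the control-effectiveness model and the sample threats are all assumptions chosen for illustration.

```python
"""Toy threat-model scoring using risk = threat x vulnerability x impact.

Constructed example for illustration; not SensePost's Corporate Threat
Modelling Tool. Scales (1-5) and the sample data below are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the vulnerability it removes, 0.0 - 1.0


@dataclass
class Threat:
    asset: str
    name: str
    threat: int          # likelihood a capable attacker attempts it, 1-5 (assumed scale)
    vulnerability: int   # how exposed the asset is with no controls, 1-5 (assumed scale)
    impact: int          # business impact if the attack succeeds, 1-5 (assumed scale)
    controls: list = field(default_factory=list)

    def residual_vulnerability(self) -> float:
        """Vulnerability left after each control removes its share in turn."""
        v = float(self.vulnerability)
        for c in self.controls:
            v *= 1.0 - c.effectiveness
        return v

    def inherent_risk(self) -> int:
        """Risk with no controls applied: threat x vulnerability x impact."""
        return self.threat * self.vulnerability * self.impact

    def residual_risk(self) -> float:
        """Risk after controls: threat x residual vulnerability x impact."""
        return self.threat * self.residual_vulnerability() * self.impact


def prioritise(threats):
    """Return threats ordered by residual risk, highest first."""
    return sorted(threats, key=lambda t: t.residual_risk(), reverse=True)


def build_sample_model():
    """Constructed sample threats and controls (hypothetical organisation)."""
    waf = Control("WAF with SQLi rules", 0.5)
    params = Control("parameterised queries", 0.9)
    mfa = Control("MFA on admin portal", 0.8)
    return [
        Threat("customer DB", "SQL injection via search form", 5, 4, 5, [waf, params]),
        Threat("admin portal", "credential stuffing", 4, 3, 4, [mfa]),
        Threat("file share", "unpatched SMB service", 3, 5, 3, []),
        Threat("marketing site", "defacement via CMS plugin", 4, 2, 1, []),
    ]


def report(threats):
    """Tabulate inherent versus residual risk so the shift in priority is visible."""
    lines = [f"{'asset':<15}{'threat':<32}{'inherent':>9}{'residual':>9}"]
    for t in prioritise(threats):
        lines.append(f"{t.asset:<15}{t.name:<32}{t.inherent_risk():>9}{t.residual_risk():>9.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_model()))
```

In the sample data the SQL injection scores highest on inherent risk (100) but, once the WAF and parameterised queries are counted, drops to the bottom of the residual ranking, while the uncontrolled SMB service rises to the top. That reordering is the point of keeping controls in the model: the prioritised view that the other drivers line up behind is the residual one, not the inherent one.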

Presenter: Dominic White

Dominic is a consultant for SensePost. Dominic has spent much time examining information security risk, starting with a Masters dissertation in the field. Dominic is interested in the management and improvement of information security within organisations, and spends his time at SensePost consulting to help people build better security.
