THE SOFTWARE SECURITY SUMMIT
IS OVER. THANK YOU FOR ATTENDING

 

 



April 16-17, 2007
San Mateo, Calif.


MONDAY, APRIL 16
TECHNICAL CLASSES


"Excellent way to get a good introduction into software security problems and possible resolutions."

Brian Odette
CTO
FirstChoice Solutions

Today's Class Schedule:

8:45 am: Morning Keynote
9:45 am: 100-Series Classes
11:00 am: 200-Series Classes
1:00 pm: Technical Session / Management Session
2:00 pm: 300-Series Classes
3:30 pm: 400-Series Classes
4:45 pm: Afternoon Keynote


Monday, April 16, 8:45 am - 9:30 am
Morning Keynote: Security Testing: Uncut and Uncensored
Herbert H. Thompson

Warning: This talk contains graphic examples of software failure...not for the faint of heart.

With software running our most critical business processes, we need to think about both its utility and the risk it can bring to those processes. In this presentation, Dr. Herbert H. Thompson shares the results of a multiyear study on how software fails with respect to security. Dr. Thompson will illustrate the major categories of vulnerabilities with live, uncut and uncensored demonstrations of the most pressing and current types of vulnerabilities in software. In this keynote you will learn what the biggest risks are to your software, understand the major categories of security vulnerabilities and what their consequences are, and learn how to begin the risk assessment process. You’ll also become equipped to make more security-savvy software acquisition, development and outsourcing decisions.


Monday, April 16, 9:45 am - 10:45 am
101. Making Source Code Analysis Part of the Security Review Process, Part 1
By Brian Chess

How do you know if your software applications are secure? Manual audits cover only a small percentage of the source code base, and periodic checks provide only a snapshot in time. Source code analysis allows development organizations to manage software security by leveraging well-documented best practices that can be automated.

This technical class will teach you how source code analysis can be a powerful tool for software security architects, developers and QA professionals by pinpointing security vulnerabilities throughout an entire code base as an integral part of the development cycle, or as part of software security audits in order to significantly improve application security. The instructor will describe the ins and outs of the technology, including its limitations and newly explored areas. Real-life examples from actual engagements will be used throughout to show you how source code analysis can benefit you and your organization.

Monday, April 16, 9:45 am - 10:45 am
102. Cross Site Reference Forgery: An Introduction to a Common Web Application Weakness
By Himanshu Dwivedi

This presentation explains Cross Site Request Forgery, how it can be exploited and the security implications for Web applications. It then examines solutions to the problems, comments on weaknesses in some common solutions, and makes recommendations for Web application developers or security analysts. The presentation ends with a discussion of common misunderstandings around XSRF, setting the record straight on this emerging security issue.

Monday, April 16, 9:45 am - 10:45 am
103. Security Requirements Engineering
By Paco Hope

You know you want to develop software securely. You might even need to comply with regulations like the Payment Card Industry (PCI) guidelines from MasterCard, Visa and other card associations. How does your company or team adopt a policy and build requirements that will guide and inform developers to do it right the first time?

A well-developed security policy simultaneously speaks to two audiences: management and developers. Policy allows management to demonstrate to auditors and shareholders that applications are built securely and in compliance. Requirements built from policy can be testable against PCI or other external standards. In this session you will learn where software policy fits in relation to IT policy, software best practices and other organizational policies.

You will learn what goes into good software security policy: how to make it unambiguous and testable and how to tailor it to your needs. Although the material applies to any organization building software, the examples in the session will highlight PCI guidelines and making software and software processes that comply with those guidelines.

Monday, April 16, 9:45 am - 10:45 am
104. Securing Java EE Applications: Coding Patterns for Secure Connections to Services
By Jeff Williams

In this class, you will learn patterns for building secure connections to all kinds of services, including databases, directories, Web services and legacy systems. We’ll discuss a simple threat model for connecting with external entities, and look at specific code examples that demonstrate both good and bad security.

Topic areas will include:
• Using Eclipse for verifying security
• Establishing secure connections
• Authenticating to services
• Controlling access to services
• Validating both input to and output from services
• Error handling and logging in services
• Cryptography for services
• Concurrency and availability in services

Monday, April 16, 9:45 am - 10:45 am
105. AJAX Vulnerabilities and Hacking Techniques
By Caleb Sima

AJAX (Asynchronous JavaScript and XML) is a method of building interactive applications for the Web that process user requests immediately. AJAX is an aggressively evolving software development technology used by industry leaders such as Google and Microsoft. However, this new technology presents many security concerns because AJAX-based applications are susceptible to the same types of common vulnerabilities overwhelmingly found in Web applications; they just need a little more determination by the hacker to exploit.

This class demonstrates how AJAX works and how it is vulnerable to threats typically associated with Web applications with examples of hacking techniques used to compromise an application using AJAX. In addition, the presentation will explore how the technology underlying AJAX opens up a number of other interesting vulnerabilities that all organizations should be aware of.

Monday, April 16, 9:45 am - 10:45 am
106. Constructing and Using Application Threat Models
By David LeBlanc

Threat models are used to help find design flaws in applications, as well as call out areas where special care needs to be taken in coding and testing. A threat model provides a structured approach to evaluating the security of an application, deciding how to mitigate risks and determining the riskiest portions so that code review and testing resources can be most effectively applied.

This class will teach how to construct and use threat models. You’ll see overall threat modeling techniques, including the use of data-flow diagrams and threat trees.

Monday, April 16, 9:45 am - 10:45 am
107-M. Software Security: The Problem and Why You Should Care
By Kenneth R. van Wyk

This introductory class addresses the security problems in software today and why they are so important. Today’s software faces unprecedented levels of complexity and connectivity, as well as user-defined extensibility. All this leads to inevitable trade-offs between functionality and security. All too often, new functions are adopted without adequate consideration given to security. This occurs at both the design and architecture level, as well as the code implementation level. Many of these mistakes are easily avoided without having to abandon the functionality that users demand.

Monday, April 16, 9:45 am - 10:45 am
108-M. A Manager’s Security Checklist
By Djenana Campara

As existing software systems get larger and more complex, they evolve into challenging and often conflicting designs that hinder system comprehension, compromise architectural integrity and decrease maintenance productivity. This creates severe problems moving forward. The system becomes more defect-prone, vulnerable to attacks and resistant to enhancements, which drastically reduces the level of confidence in the security of the system. Traditional black-box testing has limited success in overcoming this issue. The session will talk about efficient and cost-effective ways to improve software security, while keeping development priorities on track.

You’ll leave this class with a checklist that will help managers and their organizations to:

• Become proactive in the treatment of software security vulnerabilities.
• Increase the level of confidence in software systems.
• Prevent new vulnerabilities from entering the system.


Monday, April 16, 11:00 am - 12:00 pm
201. Making Source Code Analysis Part of the Security Review Process, Part 2
By Brian Chess

Please see description under Class 101.

Monday, April 16, 11:00 am - 12:00 pm
202. Software Protection—Making Software Self-Protecting
By Mark Hearn

Most of today’s systems depend on some combination of trusted people, processes, platforms and products to provide an environment in which programs can execute with relative safety. How do you protect the logic of programs and the data they are processing on systems that are “out in the wild”? How do you enforce security policies on systems where the attackers have complete physical access, and may have the ability to rewrite or replace portions of the underlying operating system?

In this class, you’ll learn about protecting intellectual property, both in source code and in data, and how to ensure “integrity of processing.” This session will review the current state of practice and practical research in data and key hiding, software tamper-resistance and software self-protection.

Monday, April 16, 11:00 am - 12:00 pm
203. Scaling Application of Security Standards by Customizing a Code Analysis Tool
By John Steven

Code analysis tools implement a good amount of security guidance out of the box. Most effectively uncover buffer overflow, SQL injection and TOCTOU-based attacks. Getting real deep value out of these tools means customizing them, though. Once accurate results demonstrate a properly tuned tool, implementing your own corporate security standards as custom rules may make sense as a starting point.

This talk will present and demonstrate a framework for selecting, prototyping and implementing custom rules that codify your own corporate security standards so that your organization’s code can be programmatically scanned for compliance. Basing its technical content on Mr. Steven’s all-day security standards tutorial, the talk will show, using the Fortify tool, hands-on creation, prototyping and execution of custom rules.

Monday, April 16, 11:00 am - 12:00 pm
204. Secure Web Site: From Dream to Reality
By Joe Basirico

A truly secure Web site: It’s the Web developer's dream. It’s the CSO’s dream, the test manager’s dream, the consumer’s dream, everyone’s dream. So many people are talking about it, but so many organizations struggle with it. The culprit: lack of understanding and know-how about application reliability and security!

Reliability and security are undisputedly the most critical components of application quality, but they are treated as mutually exclusive facets that can be “bolted on,” “baked in” or “fixed later.” This is the fundamental flaw that organizations have in their software development process.

In this class, you’ll learn how to integrate reliability and security into every aspect of the software development life cycle—from requirements to design, development, testing, deployment and monitoring. We’ll cover best practices, tools and knowledge for maximizing Web security effectiveness.

Monday, April 16, 11:00 am - 12:00 pm
205. Hybrid Application Security Analysis—Ensuring Your Code Is Secure
By Dennis Hurst

As Web application vulnerabilities have skyrocketed over the past few years, developers are beginning to take security very seriously. A new class of products has emerged, called source code analyzers, that enable developers to test the security of their Web applications during implementation. But source code analysis tools prove to be only a partial solution because they are able only to infer, or guess, what the actual system behavior will be, and can determine only what security vulnerabilities might be possible in the application.

To increase the fidelity of security testing results, developers should look to security testing products that combine source code analysis with a more practical approach called black box testing, also known as dynamic analysis.

This session discusses the difference between source code and black box testing and how the combination, or hybrid analysis, produces the accurate and reliable security information developers need to assess the security of their code.

Monday, April 16, 11:00 am - 12:00 pm
206. Writing Secure Code for Windows Vista
By David LeBlanc

The combination of Windows Vista and Visual Studio 2005 gives developers some great tools for hardening applications against buffer overruns. In this session, you’ll learn how address space layout randomization works, how to enable ASLR for your application, and what ASLR does and does not protect you against.

We’ll also cover the latest developments and enhancements to the /GS stack protection switch, how the “No Execute” NX instructions work to provide data execution protection, and how software-based NX works (and what to do if it breaks your code). We’ll also talk about SafeSEH, a system of safe exception handlers for Windows Vista. Come find out how these overlapping Windows security technologies will make life harder on the attackers!

Monday, April 16, 11:00 am - 12:00 pm
207-M. Security the Easy Way: Grabbing the Low-Hanging Fruit
By Kenneth R. van Wyk

There is no shortage of security touchpoints that can be integrated into a development life cycle. The trouble for many software development organizations is that there’s just too much to integrate in one shot, especially when there’s no prior experience with the best practices for writing secure software. So, is there any low-hanging fruit, where your developers can find a lot of value for their investments? Of course there is!

In this immediately practical class, you’ll learn the things that you and your development team can do to get started down the software security path, such as design reviews and security testing of the code, that can make a tremendous impact on the security of your applications.

Monday, April 16, 11:00 am - 12:00 pm
208-M. Application Security—Whose Job Is It?
By Chris Bush

Information Security departments vary from organization to organization. In some cases they are very technically focused, with engineering and operational responsibility for firewalls, intrusion detection systems, anti-virus, identity management and more. In other cases, they may be strictly responsible for governance and oversight, setting security policy and direction for the organization as a whole, with no operational security responsibilities. What seems to be a common factor, though, is the lack of attention paid to application development, and the security of those applications.

The result of this lack of attention has been a dramatic increase in the number of security incidents occurring as a result of application-layer vulnerabilities. This talk will examine the role of Information Security in the application development process, and look at ways that Information Security can influence the development organization to build and deploy applications more securely. We will discuss some of the roles and responsibilities across the organization that can impact the development of more secure applications, as well as some activities, such as code reviews and penetration testing, that Information Security can use to ensure the security of the organization’s applications.


Monday, April 16, 1:00 pm - 1:45 pm
Technical General Session: The Latest Trends in Advanced Web Hacking and Secure Coding in the Real World
By Caleb Sima

Through demonstrations of advanced Web application hacking techniques and the problems that they uncover, participants will learn about the newest vulnerabilities targeting the application layer. The discussion will also focus on practical design principles and secure coding techniques to protect against the growing number of threats.

Monday, April 16, 1:00 pm - 1:45 pm
Management General Session: CSO Panel: Real-World Software Security Best Practices
Moderator: Alan Zeichick

This lively panel discussion will bring together IT development managers whose 9-to-5 jobs involve keeping their enterprise software safe 24x7. What works, what doesn’t work—and what do they wish they could do differently? Come hear your peers and colleagues discuss the reality of software security on the front lines.


Monday, April 16, 2:00 pm - 3:00 pm
301. Integrating Automated Tools Into the Software Security Development Workflow
By Kenneth R. van Wyk

Automated security tools are often used in software development, from static source code analysis tools to penetration testing tools. Unfortunately, many development organizations fail to get the maximum benefit from the tools. Worse, sometimes those tools may actually hamper effective development work.

This class delves deep into the automated tools associated with secure software development, and how they can be successfully integrated into a development workflow. We’ll talk not only about what the tools do, but also their pitfalls. The class will include a survey of tool categories, and recommendations on how they can be integrated into a secure software development workflow. If your team uses tools – and who doesn’t? – you won’t want to miss this session.

Monday, April 16, 2:00 pm - 3:00 pm
302. Techniques for Exploiting—and Protecting—Web Services
By Danny Allan

The adoption of Web services and service-oriented architecture paradigms to perform more critical online transactions has resulted in the urgent need to audit and assess these applications for security vulnerabilities. Many enterprises are currently developing new Web services or adding and acquiring Web services functionality into existing applications. With cybercrime also on the rise, Web services security is more important than ever and businesses must incorporate security best practices into application development. In order for Web services to reach their full potential, inherent security issues must be recognized and addressed.

This session will demonstrate common Web services vulnerabilities, and the attacks that those vulnerabilities can enable. You’ll learn what hackers look for, and how to discover vulnerabilities within your own Web services applications. Most important, we’ll provide tips and techniques for building and securing next-generation Web services applications that can be applied immediately.

Monday, April 16, 2:00 pm - 3:00 pm
303. SQL Injection Live!
By Paco Hope

Bring your laptop and your black T-shirt, and spend an hour exploiting one of the most common vulnerabilities in Web applications today: SQL injection. Dubbed “the new black” in security, these sorts of attacks are the height of fashion among hackers today. Nothing teaches better than really doing it, and this session will be a hands-on tutorial using your own laptop and your own Web browser to thoroughly explore this vulnerability.

After a brief introduction to what SQL injections are and how they work, you’ll walk step-by-step through a variety of exploit techniques. If you bring a laptop, you can plug into our switch or join our wireless network and attack a demonstration Web site, using a variety of techniques. No laptop? Watch, learn and be amazed. Learn basic “first order” attacks, intermediate attacks that evade simple input checks, and advanced “second order” attacks. The session will conclude with recommended techniques—both general and specific—that help avoid these sorts of problems in your software. Bring any laptop, any operating system, any Web browser. Arrive early so you can get connected.

Monday, April 16, 2:00 pm - 3:00 pm
304. The Dark Side of AJAX
By Brian Chess

The AJAX revolution is written in JavaScript. After the introduction of Google Maps, the Web seems to be sprouting new AJAX-enabled applications every day. This session considers the security implications of AJAX and the pitfalls and alternatives involved in creating rich Web applications.

We will begin with a brief technical introduction to AJAX. We will then look at AJAX security concerns and point out ways in which AJAX is both similar to and different from client/server technologies of the past. We will compare the security concerns that come with AJAX to the security concerns that come with competing technologies such as Adobe’s Flash platform. We will discuss ways that AJAX could be implemented to make it less risky, and finally, we will be taking a look at AJAX security incidents to date, and guess at the ways that increased adoption of AJAX is likely to change the way hackers behave.

Monday, April 16, 2:00 pm - 3:00 pm
305. Mastering ASP.NET 2.0 Application User Security
By Joe Stagner

Security is critical for Web applications—and with ASP.NET 2.0, you don’t need to reinvent the wheel but can leverage the user management functionality within the .NET Framework. In this technical class, you’ll learn about the ASP.NET roles and membership providers. You’ll leave the session knowing how to use these critical facilities to secure your applications by making permission decisions based on user roles.

Monday, April 16, 2:00 pm - 3:00 pm
306. Defeating Rootkit Backdoor Attacks, Part 1
By Greg Hoglund

Rootkits are backdoor programs that can be placed in a computer without detection. Virus scanners and desktop firewalls are woefully inadequate to stop a rootkit. Attackers can get in and stay in for years, without detection.

This class will introduce rootkits for Windows XP, and explain how rootkits are built. It will make clear what a rootkit can do, and what a rootkit is not. It will cover detailed technical aspects of rootkit development, such as compilation, loading and unloading, function hooking, paged and nonpaged memory, interrupts and inline code injections. You’ll also learn the technical aspects of the hardware environment.

Monday, April 16, 2:00 pm - 3:00 pm
307-M. Enterprise Software Security Programs
By Gary McGraw

Software security has made important inroads in large enterprises. Microsoft’s Trustworthy Computing Initiative is one high-profile software security program, but there are many other large companies making great progress—especially in the financial market.

There are four primary components to a successful software security initiative:
• A strategic playbook that defines roles and responsibilities and sets out a plan.
• A portal with developer-oriented information including guidelines, code samples and design patterns.
• Alignment of the software development life cycle with the software security touchpoints.
• A large-scale training program.

In this class you will learn what works and what doesn’t when rolling out an enterprise software security program, based on real-world implementations.

Monday, April 16, 2:00 pm - 3:00 pm
308-M. Ensuring the Integrity of Software Under a “Mixed Code” Model
By Mark Tolliver

Development teams are taking advantage of multisourcing, creating new service offerings that cost-effectively leverage both proprietary and third-party (open-source, commercial and outsourced) code. This “mixed code” model demands increased attention to software security and risk mitigation.

To create a foundation for a secure application portfolio, organizations need to integrate security best practices into their software development and auditing processes. This includes a code scan to identify known vulnerabilities in existing components so that teams can then assess the level of risk and act accordingly.

This session will explore harnessing the “mixed code” model to develop timely, secure software in today’s deadline-driven corporate environment.

Specifically, you will learn:
• How to conduct a baseline audit of your software portfolio to discover security vulnerabilities.
• How to use code scanning on an ongoing basis during the development process to develop secure code.
• How to create accountability in the development process.


Monday, April 16, 3:30 pm - 4:30 pm
401. From Theory to Reality: Seven Practical Steps to Delivering More Secure Software
By Jacob West

This presentation focuses on turning abstract software security theories into practical steps that you can use to develop and deploy measurably more secure software. The key to solving the software security problem is getting started. Away from broad process re-engineering and silver-bullet technologies, the session focuses on practical actions that every organization can take today. The steps are based on real-world examples and cover the development process from up-front risk assessment to post-deployment. Artifacts of the steps, including checklists and software security metrics, will be reviewed and discussed.

Monday, April 16, 3:30 pm - 4:30 pm
402. Building ASP.NET Applications That Defend Themselves
By Joe Stagner

The best defense against attacks is a strong offense—and you can teach your ASP.NET applications how to fight back. This class will show you how to design and build self-defensive applications using ASP.NET 2.0. We’ll teach you how to create Web applications that can gracefully withstand attacks and use the Microsoft Platform to react to malicious behavior.

Monday, April 16, 3:30 pm - 4:30 pm
403. Bringing IT Security Into the Software Development Process
By Kenneth R. van Wyk

Software developers are generally very good at designing and coding to functional spec. From a security standpoint, their primary failure is that they do not adequately address the security ramifications of their decisions, such as design weaknesses (and their associated risks) and failure to plan for rigorous security testing. They often have a tough time “thinking like a security guy.”

This class shows where IT security experts can help. You’ll learn how to address weaknesses at an early stage, and mitigate them in the final project, by working with your IT security team in the design and test planning phases of a project. You’ll see the best way to work with IT security most effectively for everyone in the development life cycle.

Monday, April 16, 3:30 pm - 4:30 pm
404. Models for Security Testing in the Software Development Life Cycle
By Ryan Berg

How should security testing be implemented during software development to ensure a more secure product? Programs that generate positive, measurable results have eluded most companies. Questions arise about the lack of security expertise among development teams and lack of development expertise among security teams, and there is a misconception that the addition of security reviews will ultimately extend development schedules. At the same time, centralized decisions must be made to define security policies, determine what constitutes a vulnerability and prioritize remediation efforts according to available resources. Organizations need a concrete model for security evaluation and a comprehensive task list detailing the roles and responsibilities for each group involved.

This class will include practical models that give testing responsibility to developers, QA staff or security teams, explaining the specific requirements for each approach as well as expected outcomes.

Monday, April 16, 3:30 pm - 4:30 pm
405. Deeper SQL Injections
By Caleb Sima

More and more, developers are becoming aware of the threats posed by SQL injection vulnerabilities. While SQL injection is certainly the most popular type of command injection attack, there are several others that can be just as dangerous to your applications and your data. Also, much of the common wisdom concerning remediation of SQL (and other) injection attacks is inadequate and only serves to leave you with a false sense of security until the next time your application is compromised and your data stolen.

In this session, we will begin by briefly covering the concepts of SQL and blind SQL injection. We will continue by examining some other, lesser known, types of command injection attacks, such as XPath injection and LDAP injection. Finally, we will learn the correct programming methods with which to protect our applications against all of these attacks (and others).

Monday, April 16, 3:30 pm - 4:30 pm
406. Defeating Rootkit Backdoor Attacks, Part 2
By Greg Hoglund

This continuing class on rootkits will delve deeper into specific technologies, including memory subversion, direct kernel object manipulation, TDI and NDIS hooking, covert channels and detouring functions.

You’ll learn about advanced topics, including desktop firewall subversion and firmware modification; the use of flash RAM will also be discussed. In addition to known techniques, you’ll learn at least one new technique that has not been released publicly. The class will also teach how to detect rootkits, including runtime integrity checks and detecting hooks of all kinds, such as IRP hooks, SSDT hooks and IDT hooks.

Monday, April 16, 3:30 pm - 4:30 pm
407-M. Security Metrics That Matter—and How to Use Them
By Brian Chess

Are your security practices effective? In order to know, you have to be able to measure them. However, there are no widely accepted metrics for software security. This session explores the security metrics problem and establishes the criteria necessary for creating accurate, comprehensive software security metrics for software ranging from legacy applications to newly deployed Web applications. The focus of the session is on making estimates about the security of a piece of software before it has been released for the purpose of improving the development process. We will look at how the measurement problem is handled in a range of other disciplines and what separates good metrics from bad ones.

Monday, April 16, 3:30 pm - 4:30 pm
408-M. Outsourcing: IT Dream or Security Nightmare?
By Danny Allan

As IT budgets continue to be squeezed and organizations struggle to find new ways to grow and innovate, identifying potential candidates for outsourcing moves higher on the CIO’s “to do” list. Application development—including Web applications—seems a logical choice considering the potential cost and time savings. But at what expense? Although there are clear benefits to outsourcing Web application development, there are also significant security risks to be considered. Negotiating compliance into contracts, investing in a well-thought-out process and insisting on audits and automation to manage and mitigate breaches should be considered best practice.

In this session you’ll learn about potential security vulnerabilities in outsourced applications, and what you can do to prevent them from happening. We’ll discuss contractual issues, real-world examples and how best to avoid a security breach using both manual and automated approaches.


Monday, April 16, 4:45 pm - 5:45 pm
Afternoon Keynote: Software Security: State of the Practice 2007
Gary McGraw

At the Software Security Summit 2006, Gary McGraw presented the software security framework described in his book “Software Security: Building Security In.” Using that same framework—built around the three pillars of software security: applied risk management, best practices/touchpoints and knowledge—Dr. McGraw will discuss and describe the state of the practice one year later.

This keynote will present real data from the field, drawing upon Dr. McGraw’s experience with large enterprises as a consultant. Come hear this keynote, and see why Dr. McGraw is optimistic about the future of software security.

   



Software Security Summit™ and S-3 ™ are trademarks of BZ Media LLC.
This site's content copyright © 2004-2007 by
BZ Media LLC. All rights reserved.