OWASP IBWAS10 Conference Line-Up

(*) Coffee Breaks and Lunch are not included in the Conference ticket.

Keynote: How cryptography can rescue the web
Professor Carlos Ribeiro



Instituto Superior Técnico, Universidade Técnica de Lisboa, Portugal

The Web is gaining more and more commercial relevance and with that becoming a more interesting target for attack. On the other hand the Web communications foundations have not change much, and the programming skills of the average programmer are decreasing with the increasing number of programmers. This talk will focus on the first issue and how cryptography may be used to prevent several attacks. Crucial to this goal is the recent release of DNSSEC and several other Certificate infrastructures (e.g. Stork - a pan-European authentication infrastructure that may become keystones of this change.

Talk: The Thing That Should Not Be (a glimpse into the future of web application security)
Bruno Morisson



Integrity, S.A., Portugal

Developers are not security practicioners. Security practitioners are not developers. Developers create web applications. Security practitioners want those apps to be secure (sometimes even if security breaks functionality). Are developers and security practitioners like oil and water ? Are security practitioners taking the right approach to help web developers understand and prevent security issues, or are we simply trying to brute force developers into security gurus ?

Talk: Developing Secure Applications with OWASP
Martin Knobloch (OWASP Education Committee)



Sogeti Netherlands, OWASP Netherlands, Netherlands

After an introduction about OWASP, Martin will higlight the top projects of OWASP. During the presentation Martin does explain how OWASP material can be used to raise awareness about secure appliation development and how OWASP material does fit into a (secure) development lifecycle.

Talk: Developing compliant applications
Martin Knobloch (Education Committee)



Sogeti Netherlands, OWASP Netherlands, Netherlands

How to develop applications to be compliant to security related laws and regulations? To be compliant means to follow the regulations, most of the times not known by the developers. To be compliant includes to proof to be compliant. This presentation is about how to develop compliant (Web) applications that prove to be compliant!

Talk: Software Security in the Clouds
Miguel Correia



University of Lisboa, Faculty of Sciences, Portugal

Recently an expert wrote rather enfatically that "the current state of security in commercial software is rather distasteful, marked by embarrassing public reports of vulnerabilities and actual attacks". This situation is particularly concerning in times when companies are exporting their applications and data to cloud computing systems. The first part of the talk will be a personal vision of the combination of techniques and tools needed for protecing software. The second part will argue that this combination is still insuficient for critical applications in the cloud and propose solutions based on distributing trust among different clouds.

Talk: Jiffy - A secure instant messenger
Arturo 'Buanzo' Busleiman (OWASP Project Leader)



OWASP Argentina, Argentina

Jiffy - "Just for you" is an instant messaging system baseed on OWASP's Enigform, SSL and the OpenPGP Web-of-Trust. In this talk, Buanzo will introduce us to OpenPGP, Enigform and Jiffy.

Talk: Is OAuth really secure?
Bruno Pedro



Tarpipe, Portugal

Is the OAuth protocol really secure? Even though the OAuth authorization protocol has been published as the RFC 5849 and is being widely adopted by large Internet companies, it's important to stress out its possible security vulnerabilities.

This talk will focus on the OWASP Top 10 Application Security Risks and how OAuth is affected by them. While some of the security risks are mitigated by OAuth, developers need to take some action to prevent other risks from affecting their implementations.

Talk: Will new HTTP headers save us?
John Wilander (OWASP Sweden Chapter Leader)



Omegapoint, Sweden

Browser vendors and Internet techies are teaming up to find solutions to some of the most common and dangerous security problems on the web. New HTTP headers seems to be a favorite carrier of security instructions from the server to the browser. During this talk John will demo three such headers – Strict-Transport-Security, X-Frame-Options, and X-Content-Security-Policy – and discuss if they can solve cross-site scripting, clickjacking, phising, and man-in-the-middle attacks.

Slides: .ppt .pdf .key.zip

Talk: 2010 and still bruteforcing
Christian Martorella (Project Leader)



Verizon Business, UK

The presentation will review some of the latest attacks that affected big companies and involved Brute force attacks, showing that this attack is still very effective. The second part of the presentation will introduce Webslayer, an OWASP project, that intend to cover all needs for web application brute force tests.

Talk: Insecure by Nature - Portuguese Net Security Overview
Francisco Rente



Faculdade de Ciência e Tecnologia, Universidade de Coimbra, Portugal

Understanding internet security trends it is a consensual need. Vigilis (former project Nonius), studies the IPv4 address space and .pt TLD allocated to Portugal for two years now. Creates a historical perspective of vulnerability life-cycles and malware presences. Aims to arise awareness among the Portuguese society, giving threat indicators based on real data harvested every four months.

The speaker will give a briefing on the last Vigilis results and will identify some possible reasons to this national problem.

Talk: Web Security from an auditor's standpoint: What works and what doesn't
Luís Grangeia



Sysvalue, S.A., Portugal

In this talk I will attempt to share my experience of over 10 years conducting Web Application security assessments. I will present the current panorama of Web application security practices and talk about what are we doing well and how we can do better. Also, the Web 2.0 has sparked a “social revolution” of the Web, how can security benefit from that revolution?