2011 15 12 Birmingham

Location: KPMG Offices Birmingham

One Snowhill

Snow Hill Queensway

Birmingham

West Midlands

B4 6GH

Massive thanks to KPMG who again are supporting OWASP and giving something back to the community.

Schedule: 18:00 for 18:20 start

18:20-18:30

OWASP Chapter introduction. OWASP values and membership. Chapter information.

OWASP Birmingham Chapter Leader

18:30 - 19:10

Talk 1 Agnitio: the security code review Swiss army knife

Teaching developers to write secure code, helping security professionals find security flaws in source code, producing application security metrics and reports with integrity checks and audit trails. If you want to implement an SDLC that produces secure software with the audit trails and reports frequently demanded by auditors and management you need to acknowledge that these are key constituents and implement them in a form that is both easy to understand and use.

This is far easier to talk about than it is to implement in the real world where well structured SDLC’s are rare and application security programmes are usually under funded. Working with developers, security professionals and management to cultivate an environment where secure code is written and flaws found consistently requires both time and money. The same can be said for producing informative reports and metrics when all of your security code review data resides in notepad, Word and Excel files. With these problems in mind I developed Agnitio to be my security code review Swiss army knife and released it as a free tool in late 2010.

In this demonstration filled talk I will show how Agnitio can be used to addresses repeatability, integrity and audit trail concerns by requiring the creation of application profiles, the use of a security code review checklist consisting of over 80 application security questions and mandatory integrity checks for reviews and reports created using the tool. I will demonstrate how the inbuilt secure coding and security code review guidance modules allow developers and security professionals to access the information they need precisely when they need it. I will also show how Agnitio automatically creates metrics and reports bringing much needed visibility to the security code review process with no extra effort required from the reviewer, developers or management.

Agnitio v2.1 will be demonstrated during this talk which will show how Agnitio’s already powerful feature set has been expanded to guidance and questions linked to the OWASP top 10 mobile risks as well as the ability to decompile and analyse Android applications.

Speaker David Rook Application Security Lead - Realex Payments Ltd

19:30 - 20:10

Talk 2: Mobile Security - The Tune is Different, The Dance is the Same

Paco Hope will discuss what is fundamentally new about mobile applications, and what is fundamentally not new with respect to securing them. Looking at how the platforms work, their respective app stores, and the role of carriers and their security, we will understand four golden rules to ensuring secure use and development of mobile apps. Whether we are the app developer, security professional, or just someone trying to use their mobile securely, these four rules are important to know.

Speaker Paco Hope, Principal Consultant, Cigital

20:20 -21-00

Talk 3: Mobile Application Security

This talk will start by taking a look at the mobile applosion that we have all witnessed since the Apple App Store was launched on the 11th July 2008. Mobile users have downloaded over 25 billion mobile apps since that day which is roughly 14,000 apps for every minute since Apple launched the App Store. Those kinds of numbers make it clear that mobile apps are big business and that we need to quickly understand how to secure these applications.

I will show how mobile manufacturers and network operators are now a big part of your threat models and how their approach to security could undermine your application security efforts.

The final part of the talk will focus on Android and iOS applications. I will give an overview of each platform as well guidance on how you should approach security code reviews for Android and iOS applications.

Speaker David Rook Application Security Lead - Realex Payments Ltd

Speaker Bio's

David Rook is the Application Security Lead at Realex Payments in Dublin. He is a contributor to several OWASP projects including the code review guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF CON, BlackHat USA and RSA Europe. In addition to his work with OWASP David created a security resource website and blog called Security Ninja (http://www.securityninja.co.uk).

In 2010 the Security Ninja blog was nominated for five awards including the best technology blog at the Irish Blog Awards, the Computer Weekly IT Security blog award and was a finalist for the Irish Web Awards Best Technology Site. In 2011 David received a Developer Security MVP award from Microsoft. David has recently become one of the first mentors in the Information Security Mentors project helping young people progress their information security careers.

Paco Hope is a Principal Consultant with Cigital, Inc. and has 12 years of experience in mobile security, embedded security, web software security and operating system security. He has led numerous engagements assessing source code and implementations of mobile phones, lottery systems, casino gaming devices, smart cards and web applications. He is the co-author of The Web Security Testing Cookbook and Mastering FreeBSD and OpenBSD Security. Mr. Hope also serves on the Application Security Advisory Board of (ISC)2, acting as a subject matter expert for the Certified Information Systems Security Professional (CISSP) and the Certified Secure Software Lifecycle Professional (CSSLP).