Washington, DC - August 15 - 18, 2007

SANS WhatWorks in Application Security Summit 2007

Lessons from the Pioneers: Finding and Eliminating Security Flaws in Web and other Applications

On August 15-16 managers from more than a hundred and fifty user organizations are getting together to share the lessons learned in their application security initiatives. Two dozen pioneering companies such as Cisco, Depository Trust, USAID, Deloitte & Touche, TSA, J.C. Penney, and Sovereign Bank will provide case studies of their application security initiatives and answer dozens of questions including:

  1. Which application security tools work best (application firewalls, web application scanners, code analyzers), and what challenges have users found in implementing them?
  2. What is the most effective way to meet the PCI requirement for application security?
  3. How can you gain confidence in the security of outsourced application development? How do you verify the skills of the outsourced programmers? How do you embed application security testing into the outsourcer's process? How do you ensure the outsourcer has adequate but tightly limited access to your own networks?
  4. What works best in getting programmers and project managers to actually fix the applications that are flawed?
  5. How can we ensure our programmers know the common security flaws and can consistently eliminate them from the code we are deploying? Training? Testing? Hiring?
  6. How can contracting be used to improve the security of applications at minimum cost? What specific contract clauses work best?
  7. What's the right relationship between the security staff and the development team?
  8. What are the primary attack vectors criminals are using to compromise applications and which programming errors account for the vast majority of those attacks?
Contents
Dates and Location
Who is coming?
How do they justify their attendance?
How is SANS Application Security Summit unique?
What's the Agenda?
Dates
Summit: August 15th & 16th
Post-Summit Courses: August 17th & 18th
Summit Venue
Marriott Wardman Park Hotel
Washington, DC
Who is coming?
Application Security Managers and their teams
CIOs and CTOs
Web Security Consultants
Development Managers
Software Architects and Developers
Test/QA Professionals
PCI Project Managers
Auditors
How do they justify their participation?
Because their customers and/or executives are demanding improved application security, and they are starting up an application security project to meet that demand. Coming to the Summit will save them months of time in product evaluation, project planning, and simply avoiding errors other companies have made. There's no better way to find out what others have tried and what works. Others are coming because 70-80% of vulnerabilities now exist at the application layer, 3 out of 4 business websites are vulnerable to attack, and the PCI standard now mandates application security in order to continue processing credit cards, and they want to learn how to get ahead without reinventing the wheel.
How is the SANS Application Security Summit unique?
Because it is the only user-to-user meeting on application security where nearly all the speakers are managers from user organizations that have actually implemented application security and are coming to share what they learned. As importantly, more than half of each panel session is a Q&A segment where you get to ask questions (anonymously). Fast-paced and fascinating. SANS completely prohibits the long, thinly-veiled vendor marketing pitches and sessions where consultants explain why they should be hired. Instead you learn things you can use immediately, from people who have actually done them. The vendors will all be there, of course, so you can decide on your short list, but they give short (7-10 minute) talks and then subject themselves to on-the-record Q&A. They also run great evening receptions and lunch-and-learn sessions.

Here's what earlier summit attendees say:

One of the best conferences I've attended. Technical, timely, informative and fun.
Philip Hoffman, Technology Planning & Architecture LLC

The chance to meet customers and vendors face-to-face was invaluable.
David Stycos, Zoculo Engineering

Great Summit! It gave the Who, the What, the Hows and the Nots from real-life experiences.
Rolo Guzman, Hess

What's the Agenda?
(Subject to revision)
Expert Briefings
  1. Expert Briefing: The Three Programming Errors that Caused More than 90% of all Critical Vulnerabilities Reported in 2006. Surprisingly, nearly all critical vulnerabilities reported during 2006 were caused by just three types of programming errors. You'll learn what they are, how they happen and how to fix them in this briefing. Rohit Dhamankar, editor @RISK, and Senior Engineer, TippingPoint
  2. Expert Briefing: New Frontiers of Web Hacking: AJAX Vulnerabilities, Deep SQL Injection, Cross Site Reference Forgery, and More. An eye-opening briefing on a series of the newest attacks enabling criminals to compromise web applications. (Speakers: leaders from the application security field)
  3. Expert Panel: Application Security and PCI Compliance - What It Means. The credit card industry has changed its standards, requiring every organization that processes credit cards to upgrade application security. In this expert panel you'll learn what PCI requires and how to meet the requirements.
User Panels
  1. User Panel: Validating Application Security: Choosing the Right Combination of Tools for Your Application Security Tool Box. Can application firewalls replace application scanners? Do application scanners do a better job than source code analyzers? How bad are the false positives? In this panel experienced users of the various tools will share their experiences and try to reach consensus on the right tools for an application security toolbox.
  2. User Panel: Essentials of a comprehensive application security program. Some organizations start their application security initiative without a comprehensive picture of the elements they will be putting in place as part of that program. This panel of very experienced users illuminates the elements you may have missed in your planning and explains why they matter.
  3. User Panel: Justifying, planning, launching and organizing an application security program. This panel will address questions such as: What are the costs of an application security program and how are the benefits best presented to management? Who should be in charge and what are the first steps to get a program solidly on track?
  4. User Panel: Promising Practices in Building the Partnership Between Security Staff and the Developers (building into SDLC, when to use code reviews). In this panel users focus squarely on the ultimate goal - moving beyond application testing by the security group to get the programmers to embrace the tools or at least to get them to fix the problems willingly and quickly. This panel also looks at where application security best fits in the SDLC.
  5. User Panel: Training and testing our application developers and testers. Are the courses being offered by web security experts actually working? How do you know? In this panel users and experts will discuss the various training alternatives open to application developers and review the new international certification examinations that were launched this summer to measure application security skills in each major programming language.
  6. User Panel: Innovative uses of procurement to improve application security. Innovative CIOs have discovered that the most powerful weapon in the application security arsenal is the language they use in their procurements. In fact they have discovered that when they don't include explicit application security requirements in their procurement documents and contracts, the cost of better security rises exponentially. This panel will review ways to use procurement language effectively.
  7. User Panel: Trust but Verify: Managing application security when application development projects are outsourced. Expanding on the procurement panel topics, this panel explores the unique character of outsourced development and looks at what special programs help ensure outsourced application development meets high security standards.
Vendor Panels
  1. Vendor Panel: Implementation lessons learned. When users deploy application security tools, they often make mistakes that lessen the value of the tools. In this panel technical experts from application security tool vendors share the most common mistakes and tell how to avoid them.
  2. Vendor Panel: Tools shootout. A great chance to pick the application security vendors you'll want on your short list of products to consider.
Some of the companies who will be participating on the panels:
  • Honeywell
  • Sovereign Bank
  • TSA
  • Polk Automotive
  • Depository Trust
  • USAID
  • George Washington University
  • Deloitte & Touche
  • T Rowe Price
  • Cisco
  • Ounce Labs

Plus two bonuses:

Bonus 1: Attend one of four in-depth SANS secure programming courses following the summit:
Web Application Security Workshop
Knowing how and where to look for the weak interfaces and how to lock them down is the only way to keep the mission critical Web applications of today (and tomorrow) running and available for those who use them. This two-day workshop covers the techniques and challenges of securing Web applications and presents a hands-on approach to the latest practices and tools in Web application design and security.
Introduction to Testing Web Applications
Don't let hackers be the first to test your critical web applications. This class gives you the know-how to test for common vulnerabilities in web applications so you can hit the ground running when it comes to testing a web application's security posture. It provides an overview of software security testing and how it fits into the development lifecycle. Students also get an overview of the current testing tools and hands-on labs to run some of those tools against a vulnerable web application.
Ajax and Web Services Security Overview
If you are tasked with implementing secure web applications using Web Services or AJAX, this course is for you. Asynchronous JavaScript and XML (AJAX) and Web Services are the most active areas in web application development, and many organizations are diving in head first without first understanding them - resulting in 'swiss cheese' applications. This one-day hands-on course covers the security issues, mitigation strategies and general best practices for implementing AJAX and Web Services. We also examine real-world attacks and trends to give you a better understanding of exactly what you're protecting against.
Bonus 2: The National Secure Coding Assessment for Programmers

Invite your programmers to take the new GIAC Certified Secure Programmer examination on August 14. For more information on the certifications and exams, see GIAC Secure Software Programmer Certification Exam.