This month, we have industry leading security experts to help make sure your apps are locked down. Please note our change in location - this month we'll be located at The Commons on Champa (http://www.thecommons.co/). Please join us for a night filled with great talks, food, and friends. We're looking forward to seeing everyone!
For our main talk, Steve Kosten (https://www.sans.org/instructors/steve-kosten) and Aaron Cure (https://www.sans.org/instructors/aaron-cure) will show us how to avoid common security pitfalls by live demoing security vulnerabilities, some of which are on the OWASP Top 10 (http://www.veracode.com/directory/owasp-top-10) list. This talk will be appropriate for all skill levels and will be packed full of security tips.
To start the night, David Waite (https://twitter.com/dwaite) will address the importance of Single Sign On (SSO) in your applications. David will discuss the basics of SSO, why everyone should be using it (even if you don't need social login or federation), and how to secure it.
5:30 - Doors open
6:30 - Why you should use standards-based SSO - David Waite
7:30 - Break
7:45 - Attacking and Defending: Common Web Application Vulnerabilities - Steve Kosten and Aaron Cure
9:00 - Doors close
Please note that Full Stack is governed by a Code of Conduct (http://www.meetup.com/fullstack/about/).
Attacking and Defending: Common Web Application Vulnerabilities - Steve Kosten and Aaron Cure
Aaron is a senior security consultant at Cypress Data Defense and an instructor and contributing author for the DEV544 Secure Coding in .NET course. After ten years in the U.S. Army as a Russian Linguist and a Satellite Repair Technician he worked as a database administrator and programmer on the Iridium project, with subsequent positions as a telecommunications consultant, senior programmer, and security consultant. He also has experience developing security tools, performing secure code reviews, vulnerability assessments, and penetration testing, as well as risk assessments, static source code analysis, and security research. Aaron holds the GIAC GSSP-.NET, GWAPT, GMOB, and CISSP certifications and is located in Arvada, CO. Outside the office Aaron enjoys boating, travel, and playing hockey.
Steve Kosten is a security consultant at Cypress Data Defense and an instructor for the SANS DEV541 Secure Coding in Java/JEE: Developing Defensible Applications course. He's previously performed security work in the defense and financial sectors and headed up the security department for a financial services firm. He is currently the Open Web Application Security Project (OWASP) Denver chapter leader and is on the board for the OWASP AppSec USA conference. He has presented security talks at numerous conferences. He is experienced in secure code review, vulnerability assessment, penetration testing, and risk management. He holds a Bachelor of Science in Aerospace Engineering from the Pennsylvania State University and a Master of Science in Information Security from James Madison University. He currently maintains GSSP-JAVA, GWAPT, CISSP, and CISM certifications. Steve resides in Golden, Colorado. In his spare time, Steve enjoys attending his children's sporting events with his wife, road and mountain biking, snowboarding, golfing, volleyball, and paragliding.
Why you should use standards-based SSO - David Waite
It is very easy to justify using some SSO toolkit when you have a requirement to integrate with Google, Microsoft Live or Facebook.
This talk is about justifying using them even when you are only authenticating within your own systems.
I will detail how these protocols work - what is digital identity, what is single sign-on, what people mean when they say federation. Then, I will cover the value of using them as a core part of your web app and mobile strategy, regardless of a need to handle social logins.
I will also cover how they work "on the wire" to give a better idea of what is needed to support these protocols in your applications even without third party libraries.
David is the Technical Architect of Advanced Projects at Ping Identity.