OWASP and ISSA-LA (PAID Holiday Party) - December 16, 2015

Hosted By
Edward B. and 3 others
Details

Mark your calendars: AppSec California 2016 is Jan 25-27

For our December Holiday Party:

You will have to RSVP on this Meetup site and also PAY at the ISSA-LA registration site: http://www.issala.org/event/issa-la-december-dinner-meeting/

Speaker: Jim Manico

Topic: OAuth is a new kind of security protocol.

Abstract: The best time to address secure software is before most developers even start writing code. In fact, the best time to address secure software occurs before most developers even start thinking about their various projects. Months, sometimes years, before most developers even start writing code, various open source or corporate developers work together to build software frameworks that other developers may depend upon in the future as a harness to build their software. These decisions will ripple through time and have a large impact on the security posture of software that is built upon these frameworks.

OAuth is a new kind of security protocol. It's used for delegating various features from one service to another on behalf of your users. OAuth intersects with authentication and access control, yet you would not likely use OAuth in and of itself for authentication, session management or for access control in your applications. Even more confusing, OAuth is not a standard, and various service providers will likely have different implementations. Let's say it again: OAuth is not a standard; it's a framework for delegation. So this leaves us with questions! What really is delegation? Where does OAuth fit in? How can I use OAuth in a secure fashion? These questions and more will be answered in this talk!

HTTPS/SSL/TLS has been under fire for years. FREAK, POODLE, BEAST, CRIME, problems with the weakness of the CA system, problems with various versions of the protocol, and more have left HTTPS less than satisfactory, at best, as a transport security protocol. However, there is hope. Recent enhancements in browsers have made encryption in transit over the web viable for the first time in history. This talk will review the HTTPS protocol and describe how it works. Historical attacks and other legacy issues with HTTPS will be discussed. And most important, we will talk about what can be done today to ensure that your users will have the most secure HTTPS experience possible.

Speaker: Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He has an 18-year history building software as a developer and architect. Jim is a frequent speaker on secure software practices and is a member of the JavaOne Rockstar speaker community. Jim is also a Global Board Member for the OWASP Foundation, where he helps drive the strategic vision for the organization. He is the author of Iron-Clad Java: Building Secure Web Applications (http://www.amazon.com/Iron-Clad-Java-Building-Secure-Applications/dp/0071835881) from McGraw-Hill. For more information, visit http://www.linkedin.com/in/jmanico.

Thanks to our sponsors:

Gemalto (formerly SafeNet) and PhishMe

OWASP Los Angeles