On 10 and 11 December, Madrid will host the first IBWAS (IBeric Web Application Security Conferences, www.ibwas.com).
At these conferences you will have the opportunity to discuss the new threats and solutions in the field of application security alongside internationally recognised experts.
Among the speakers we will have:
*Keynote Speakers*:
- Bruce Schneier. Chief Security Technology Officer. BT.
Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier. His first bestseller, Applied Cryptography, explained how the arcane science of secret codes actually works, and was described by Wired as "the book the National Security Agency wanted never to be published." His book on computer and network security, Secrets and Lies, was called by Fortune "[a] jewel box of little surprises you can actually use." Beyond Fear tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security. His current book, Schneier on Security, offers insight into everything from the risk of identity theft (vastly overrated) to the long-range security threat of unchecked presidential power and the surprisingly simple way to tamper-proof elections. Regularly quoted in the media, he has testified on security before the United States Congress on several occasions and has written articles and op-eds for many major publications, including The New York Times, The Guardian, Forbes, Wired, Nature, The Bulletin of the Atomic Scientists, The Sydney Morning Herald, The Boston Globe, The San Francisco Chronicle, and The Washington Post.
Schneier also publishes a free monthly newsletter, Crypto-Gram, with over 150,000 readers. In its ten years of regular publication, Crypto-Gram has become one of the most widely read forums for free-wheeling discussions, pointed critiques, and serious debate about security. As head curmudgeon at the table, Schneier explains, debunks, and draws lessons from security stories that make the news.
- Jorge Martín. Chief Inspector, B.I.T. (Brigada de Investigación Tecnológica), Cuerpo Nacional de Policía.
Jorge Martín is an inspector of the Spanish National Police, and currently the Head of the Logical Security Group of the High-Tech Crime Unit in the Comisaría General de Policía Judicial. He is a Computer Systems Technical Engineer and for the past five years has dedicated himself to police investigation in the technological area, focusing on crimes related to intrusions, different types of attacks, malware creation and dissemination and other related issues. He also has extensive experience in the field of computer forensics. He has participated in various courses and conferences, both in Spain and abroad, and regularly takes part in training initiatives with law enforcement agencies in other countries, in several Interpol projects on technological investigation techniques, and in European Union studies on the acquisition and handling of digital evidence.
*Panel Speakers*:
- David Rook. Security Analyst. Realex Payments.
“The Principles of Secure Development”
The Principles of Secure Development talk will deliver a unique view on how to build secure web applications. It will bring clarity to an area that desperately needs a clear and simple approach to addressing its biggest pain point: security.
We have seen a dramatic rise in the number of vulnerabilities being found and exploited in web applications. The two biggest issues facing web applications in recent years are SQL Injection and Cross-Site Scripting. They went from accounting for less than 1% of all CVE numbers issued in 2006 to over 33% in 2009 so far; that represents a 4000% increase in the space of three years. The most recent figures show that there are roughly 230,000,000 websites on the internet, and it is estimated that over 60% of them have security vulnerabilities. Attackers have shifted their focus to web applications, as these are now the weakest link in the security chain for most businesses. The Principles of Secure Development is our answer to this weakness: the attackers have changed their tactics, and with more businesses web-enabling services every day, the security and development communities must change their tactics too.
- Justin Clarke. Co-founder and Director of Gotham Digital Science.
"SQL Injection – how far does the rabbit hole go?"
SQL Injection has been around for over 10 years, and yet to this day it is still not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world, and well-publicised data breaches with SQL Injection as a component, it has once again come to the fore of vulnerabilities under the spotlight; however, many consider it to be only a data access issue, or parameterized queries to be a panacea. This talk explores the deeper, darker areas of SQL Injection: hybrid attacks, SQL Injection worms, and exploiting database functionality. It also explores what kinds of things we can expect in future.
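The abstract above makes two points that are easy to state and easy to get wrong in practice: parameterized queries close the classic string-concatenation hole, but they cannot bind identifiers (column or table names), and injection in a non-data-access position such as ORDER BY is still enough to extract data. The following added example (written for this page, not code from the talk or from Gotham Digital Science) demonstrates both against an in-memory SQLite database with constructed sample rows: a vulnerable and a parameterized login, and an ORDER BY injection that leaks a password one guess at a time through sort order, beside the allowlist that stops it. Table, column and user names are invented for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page).
USERS = [("alice", "s3cret", "user"), ("bob", "hunter2", "admin")]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, pw, role) VALUES (?, ?, ?)", USERS)
    return conn

def login_vulnerable(conn, name, pw):
    # Classic hole: user input is pasted into the SQL text, so a quote and a
    # comment marker ("alice' --") rewrite the WHERE clause and skip the password.
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()

def login_parameterized(conn, name, pw):
    # Parameter binding: the driver sends the values separately from the
    # statement text, so the same payload is matched literally and finds no row.
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()

def list_users_sorted_vulnerable(conn, column):
    # Sort column must be an identifier, which cannot be bound as a parameter,
    # so developers often concatenate it. Nothing here touches a data column,
    # yet the result order becomes an oracle for any SQL expression.
    return [r[0] for r in conn.execute(f"SELECT name FROM users ORDER BY {column}")]

def infer_pw_prefix_via_order(conn, victim, prefix):
    # Blind inference through ORDER BY: if the subquery's LIKE test is true the
    # rows come back sorted by name, otherwise by role. Comparing with the
    # known name-order tells the attacker whether the guessed prefix is right.
    payload = (f"(CASE WHEN (SELECT pw FROM users WHERE name='{victim}') "
               f"LIKE '{prefix}%' THEN name ELSE role END)")
    return (list_users_sorted_vulnerable(conn, payload)
            == list_users_sorted_vulnerable(conn, "name"))

ALLOWED_SORT_COLUMNS = {"id", "name", "role"}

def list_users_sorted(conn, column):
    # Hardened form: since identifiers cannot be parameterized, map the input
    # onto a fixed allowlist before it reaches the SQL text.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [r[0] for r in conn.execute(f"SELECT name FROM users ORDER BY {column}")]

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable login bypass:", login_vulnerable(conn, "alice' --", "wrong"))
    print("parameterized login with same payload:", login_parameterized(conn, "alice' --", "wrong"))
    print("is alice's password prefix 's3'?", infer_pw_prefix_via_order(conn, "alice", "s3"))
    print("is alice's password prefix 'x'?", infer_pw_prefix_via_order(conn, "alice", "x"))
```

The inference step is the point of the "rabbit hole": a single ORDER BY sink that never returns the password column still leaks it character by character, and the fix is not a parameter but an allowlist, because SQL grammar has no placeholder for identifiers.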
- Dinis Cruz. Chief OWASP Evangelist. Security Consultant.
"OWASP O2 Platform"
O2 is an Open Platform for Automating Application Security Knowledge and Workflows. O2 is a collection of Open Source modules that help Web Application Security Professionals maximize their efforts and quickly obtain high visibility into an application's security profile. O2 (originally OunceOpen) grew out of the work of the OunceLabs Advanced Research Team (ART), and aims to push the power of multiple Static Analysis engines to the limit. These tools have been developed by Security Professionals FOR security professionals, and are designed to automate the security consultant's brain.
- Luis Corrons. PANDA. International Technical Support Team.
The underground cybercrime economy has grown significantly in size and complexity over the past couple of years due to a variety of factors, including the rise of social media tools, the global economic slowdown, and an increase in the total number of internet users. For the past 3 years, PandaLabs has monitored the ever-evolving cybercrime economy to discover its tactics, tools, participants, motivations and victims, to understand the full extent of criminal activities and ultimately bring an end to the offenses. In October 2008, PandaLabs published findings from a comprehensive study of the rogueware economy which concluded that the cybercriminals behind fake antivirus software applications were generating upwards of $15 million per month. In July 2009, it released a follow-on study showing that monthly earnings had more than doubled to approximately $34 million through rogueware attacks distributed via Facebook, MySpace, Twitter, Digg and targeted Blackhat SEO. This session will reveal the latest results from PandaLabs' ongoing study of the cybercrime economy, illustrating the latest malware strategies used by criminals and examining how their attack strategies have changed over time. The goal of this presentation is to raise awareness of this growing underground economy.
- Marc Chisinevski. Project lead for the OWASP Logging Project.
“The OWASP Logging Project”
The goals of the Logging Project are: to provide tools for software developers to help them define and produce meaningful logs; to provide code audit tools to ensure that log messages are consistent and complete (content, format, timestamps); to facilitate the integration of logs from different sources; to facilitate attack reconstruction; and to facilitate information sharing around security events. The talk will explore these areas, and provide details on existing tools and on related OWASP projects. Research directions for the future will also be discussed.
- Simon Roses. Microsoft ACE Security Services.
“Microsoft Infosec Team: Security Tools Roadmap”
Microsoft IT's Information Security (InfoSec) group is responsible for information security risk management at Microsoft. We concentrate on the protection of Microsoft's data, business and enterprise assets. Our mission is to enable secure and reliable business for Microsoft and its customers. We are an experienced group of IT professionals including architects, developers, program managers and managers. This talk will present the different technologies developed by InfoSec to protect Microsoft and released for free, such as CAT.NET, SPIDER, SDR, TAM and SRE, and how they fit into the SDL (Security Development Lifecycle).
- Dave Harper. EMEA Services Director for Fortify Software.
“Empirical Software Security Assurance”
By now everyone knows that security must be built in to software; it cannot be bolted on. For more than a decade, scientists, visionaries, and pundits have put forth a multitude of techniques and methodologies for building secure software, but there has been little to recommend one approach over another or to define the boundary between ideas that merely look good on paper and ideas that actually get results. The alchemists and wizards have put on a good show, but it's time to look at the real empirical evidence.
This talk examines software security assurance as it is practiced today. We will discuss popular methodologies and then, based on in-depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust Clearing Corporation (DTCC), we present a set of benchmarks for developing and growing an enterprise-wide software security initiative, including but not limited to integration into the software development lifecycle (SDLC). While all initiatives are unique, we find that the leaders share a tremendous amount of common ground and wrestle with many of the same problems. Their lessons can be applied in order to build a new effort from scratch or to expand the reach of existing security capabilities.
The event will take place at the Escuela Universitaria de Ingeniería Técnica de Telecomunicación (EUITT) of the UPM, and is jointly organised by OWASP Portugal and OWASP Spain. This is the first edition of these conferences, and a unique opportunity to learn about the present and future of application security from renowned experts of the international community.
More information about the conferences is available at: http://www.ibwas.com
The idea is to spread the word about this event, although I don't think I'll be able to attend.