Never Ending Security

It starts all here

Category Archives: Video’s

Computer Science Videos


All CS Videos

Never Ending Learning
Prof. Tom Mitchell
Samuel D. Conte Distinguished Lecture Series in Computer Science
Date: Nov 28, 2012

Solving Large Sparse Linear Systems: The Exascale Challenge
Iain Duff
STFC Rutherford Appleton Laboratory
Date: Nov 1, 2012

Computer Science at Purdue: The Good Ol’ Days
Douglas Comer
Purdue University
Date: Oct 5, 2012

Going Non-Linear from Point A to Point B
Michael Stoppelman
Yelp
Date: Oct 5, 2012

Exponential Change: Challenges and Opportunities
Daniel Reed
Microsoft Research
Date: Oct 5, 2012

Analysis of Algorithms: When Will I Ever Use This?
Kevin Grazier
N/A.
Date: Oct 5, 2012

Adventures in Computer Science
David Schrader
Teradata
Date: Oct 5, 2012

New Directions in Computer Science
John Hopcroft
Cornell University
Date: Sep 21, 2012

Implications of Storage Class Memories on Software and Hardware
C. Mohan
IBM Research – Almaden
Date: Aug 31, 2012

CUDA 5 and Beyond
Mark Ebersole
NVIDIA
Date: Jul 19, 2012

The Ultimate Visualization Display
David H. Laidlaw
Brown University
Date: Nov 21, 2011

Social Search – Information Retrieval with Ephemeral Data
Bruce Croft
University of Massachusetts Amherst
Date: Oct 19, 2011

Towards a Highly Available Internet
Thomas Anderson
University of Washington
Date: Apr 12, 2011

Sequoia: Programming the Memory Hierarchy
Alex Aiken
Stanford University
Date: Apr 19, 2010

Foreseeing the Unseen: Probability Estimation over Large Alphabets
Alon Orlitsky
University of California, San Diego
Date: Apr 19, 2010

Information Theory: Models, Algorithms, Analysis
Brigitte Vallee
National Center of Scientific Research (CNRS), Université de Caen Basse-Normandie
Date: Apr 12, 2010

Fundamental Limits of Cognitive Networks
Natasha Devroye
University of Illinois at Chicago
Date: Feb 22, 2010

Program Obfuscation and One-Time Programs
Shafi Goldwasser
MIT
Date: Nov 9, 2009

Computer Modeling of the Orion Spacecraft Parachutes
Tayfun Tezduyar
Rice University
Date: Oct 19, 2009

Bringing (Web) Databases to the Masses
Alon Halevy
Google Inc.
Date: Oct 14, 2009

In Search of Impact: Service Counts, Too!
Stuart Zweben
The Ohio State University
Date: Apr 17, 2009

Temporal Guarantees over Wireless Networks
P.R. Kumar
University of Illinois, Urbana-Champaign
Date: Feb 2, 2009

Networks: How Information Theory Met the Space and the Time
Philippe Jacquet
INRIA, France
Date: Nov 19, 2008

Beauty and the Beast: The Theory and Practice of Information Integration
Laura Haas
IBM Almaden Research Center
Date: Nov 12, 2008

New Sciences for a New Web
Prabhakar Raghavan
Yahoo! Research
Date: Nov 3, 2008

Learning to Think About the World
Leslie Kaelbling
MIT
Date: Oct 27, 2008

New Directions in the Application of Model Order Reduction
Danny Sorensen
Rice University
Date: Oct 6, 2008

Purdue University: Archives & Special Collections Oral History Program
Jeff Vitter
Purdue University
Date: Jul 29, 2008

Personal Reflections on Computing
Daniel Reed
Microsoft
Date: Apr 10, 2008

ACM SIGMOD: Distinguished Profiles in Databases
Jeff Vitter
Purdue University
Date: Mar 3, 2008

Sensitive Information in a Networked World
Joan Feigenbaum
Yale University
Date: Jan 28, 2008

Information Theory in an Industrial Research Lab
Marcelo Weinberger
Hewlett-Packard Labs
Date: Nov 19, 2007

The Role of Science and Mathematics in Software Development
Robert Sedgewick
Princeton University
Date: Nov 12, 2007

Graph Mining: Laws, Generators and Tools
Christos Faloutsos
Carnegie Mellon University
Date: Oct 15, 2007

Compilers and Multicore Computing Systems
Frances Allen
IBM
Date: Sep 24, 2007

When is the Pen Mightier Than the Keyboard?
Andries van Dam
Brown University
Date: Aug 27, 2007

Towards Universal Semantic Communication
Madhu Sudan
MIT
Date: Apr 16, 2007

From Vacuum Tubes to Plasma TV’s: Five Decades of Change
William Nylin
Conn’s Incorporated
Date: Apr 6, 2007

Just Like Magic: Anthropological Accounts of Wireless Technology
Genevieve Bell
Intel Corporation
Date: Apr 5, 2007

Leonhard Euler: 300 Years Old
Walter Gautschi
Purdue University
Date: Mar 22, 2007

The Interplay of Information Theory, Probability, and Statistics
Andrew Barron
Yale University
Date: Feb 26, 2007

Contracts Under Asymmetric Information
Nicholas C. Yannelis
University of Illinois, Urbana-Champaign
Date: Feb 12, 2007

Supercomputers and Clusters and Grids, Oh My!
Jack Dongarra
University of Tennessee
Date: Nov 20, 2006

What is Information? Insights from Quantum Physics
Ben Schumacher
Kenyon College
Date: Nov 13, 2006

The Logic of Biological Networks
Jehoshua Bruck
California Institute of Technology
Date: Oct 30, 2006

A New Scheduling Paradigm for Internet-Based Computing
Arnold Rosenberg
University of Massachusetts
Date: Oct 23, 2006

Information Theory Today
Sergio Verdu
Princeton University
Date: Oct 2, 2006

Stable Internet Routing Without Global Coordination
Jennifer Rexford
Princeton University
Date: Sep 25, 2006

The Future of LAPACK and ScaLAPACK
James Demmel
University of California at Berkeley
Date: Sep 11, 2006

Great Principles of Computing
Peter Denning
Naval Postgraduate School
Date: Apr 7, 2006

Tracks, Trackers, & Tracking
Dorothy Denning
Naval Postgraduate School
Date: Apr 6, 2006

How to Hurt Scientific Productivity
David Patterson
UC Berkeley
Date: Feb 9, 2006

from: https://www.cs.purdue.edu/news/videos/all-videos.html

CERIAS – CERIAS Learning Products


Learning with the CERIAS Edge

At CERIAS, we understand the vital importance of information assurance and security to an organization. We know what’s important. And we know what’s not. Organizations need to confront security issues in an informed and proactive manner. CERIAS Learning products allow organizations to do just that by providing general and specific education and training that enable employees and organizations to improve the security of the systems they use and manage.

Learning Advantages

Today’s learners need to feel supported and to have control of their learning. They need to be inspired. In the world of information security, technology may change, but human beings, and the learning experience, remain the same. At CERIAS, we understand that not everyone learns the same way, and that each learner has a preferred learning style. That’s why our learning products range from traditional print materials to high-quality videos and self-paced multimedia with multiple paths and multiple representations that allow for multiple methods of learning.

Being able to perform a skill successfully and being able to understand why the skill is performed are two different, yet equally important, educational goals. CERIAS Learning products offer opportunities for both. Beginning with a strong overview of security fundamentals, CERIAS Learning products branch out into specific areas of policy, awareness, and technology, balancing a straightforward and easy-to-understand presentation of IS theory with hands-on skill application.

Product Information

Overview Brochure and Order Form
Please note that products P3, P4, P9, P10, P11, and P12 have been discontinued. We apologize for any inconvenience this may have caused.

Specific course information:

P1. Information Security Management Concepts
Information Security Management Concepts provides an overview of the key concepts and goals of information security and how information security relates to an organization’s information and technology assets. This interactive, self-paced module uses video, audio, text, case studies, practice exercises, and quizzes to promote and guide learning and understanding.
Preview the First Module

P2. Information Security Principles: An Overview
Featuring authoritative experts in information security and assurance, this video provides a concise summary of the current state of information security, starting with an overview of goals, concepts, and terms, and ending with procedures that will help you reduce risks to your organization. Anyone involved with the use or management of computer or information systems will benefit from this video.
Preview Video Clips

P5–P8. Information Security Management Series
This series is intended for managers and administrators concerned with intellectual property, corporate assets, infrastructure, and information assurance. This series will provide you with a current look at the information assurance landscape including intellectual property crime, threats to your information assets, vulnerabilities in information systems, and countermeasures to strengthen information assurance and security in your organization.

Forensic Lunch – Learn Forensics with David Cowen


SANS Digital Forensics Webcasts


Lockpicking Video Course

CyLab Faculty Seminars


Youtube playlist: https://www.youtube.com/playlist?list=PL8FD44D6D4A92CD32

Florida State University’s Offensive Computer Security Spring 2013 – CIS4930 & CIS5930


Instructors

Prof. Xiuwen Liu (homepage: http://www.cs.fsu.edu/~liux/)
W. Owen Redwood (homepage: http://ww2.cs.fsu.edu/~redwood/)

Rationale:

The primary incentive for an attacker to exploit a vulnerability, or series of vulnerabilities is to achieve a return on an investment (his/her time usually). This return need not be strictly monetary—an attacker may be interested in obtaining access to data, identities, or some other commodity that is valuable to them. The field of penetration testing involves authorized auditing and exploitation of systems to assess actual system security in order to protect against attackers. This requires thorough knowledge of vulnerabilities and how to exploit them. Thus, this course provides an introductory but comprehensive coverage of the fundamental methodologies, skills, legal issues, and tools used in white hat

Spring 2013 Lectures & Videos

This page contains all the lecture slides and YouTube videos for the Spring 2013 semester of this course.


HD Video Download:

You can download and watch each lecture for this class at the following URL.
Simply streaming them from dropbox will not work. Dropbox will cut the stream off about 1/4 of the way through the video.

Video download URL
Lecture Video Torrent

The videos are much higher quality than their youtube versions.


Course Lecture Videos / Slides / Reading:

Below you can find and watch all the course videos, required reading, and lecture slides for each lecture (where applicable). The videos hosted on YouTube are lower quality than the ones available for direct download (see above).

Week 1 (Intro / Overview):

Lecture 1: Intro, Ethics, & Overview:

[No video was recorded for this lecture due to technical difficulties]

This lecture covers the course Intro, syllabus review, distinction between hacking vs. penetration testing, ethics discussion, course motivation, threat models and some of the basics.

Resources:

Lecture 2: Linux Overview:

This lecture covers the basics of an OS: kernel vs. user space, system calls, Unix permissions, ruid vs. euid etc…, the ext file system (for the limited focus of forensics), persistence mechanisms used by malware, /var/log, and more.

Resources:


Week 2 (Overview / Code Auditing):

Lecture 3: Windows Overview

This lecture provides an overview of the registry and registry hives, persistence mechanisms used by malware, the Portable Executable (PE) file format, Windows system calls commonly used by malware, and the Windows API.

Resources:

Lecture 4: Rootkits; Code Auditing

The first half of this lecture covers rootkits and rootkit techniques for Windows and Linux. The second half covers code auditing concepts like design flaws, software analysis, vulnerability identification, signedness bugs (integer over/underflows), incorrect use of length parameters (strncpy, strncat, snprintf), format strings, …

Resources:

  • [Lecture Slides]
  • Required reading:
    Chapter 0x200 up to 0x250 in HAOE.

Week 3 (Reverse Engineering Workshop Week):

Lecture 5: x86 Reverse engineering

This lecture is day one of our week-long x86 reverse engineering workshop led by guest lecturer Mitch Adair.

Resources:

Lecture 6:

This lecture is day two of our week-long x86 reverse engineering workshop led by guest lecturer Mitch Adair.

Resources:


Week 4 (Exploit Development)

Lecture 7: Fuzzing and Exploit Development 101

This lecture covers a fuzzing overview, the basics of exploit development, environment variables, stack attacks, buffer overflow, nop-sleds, etc…

Resources:

Lecture 8: Shellcode and Exploit Development 102

Lecture topics: more on writing shellcode (Linux vs. Windows), win32 process memory map …

Resources:


Week 5 (Exploit Dev / Networking)

Lecture 9: Exploit Development 103: SEH Exploitation, Heap Sprays, and Executable Security Mechanisms

This lecture covers SEH exploitation, heap sprays, and executable security mechanisms like ASLR, DEP/NX, Stack Cookies…

Resources:

Lecture 10: Networking 101: Data Layer, Link Layer, and IP layer

[No video was recorded for this lecture due to technical difficulties]

This lecture covers an overview of networking concepts and network security concepts. Topics covered: Wireshark, Nmap, nc, Hubs vs switches vs routers, manufacturer default logins / backdoors… ARP & dns (dnssec), proxies, weak IP vs strong IP model (RFC 1122)

Resources:


Week 6 (Networking / Web Application Hacking)

Lecture 11: Networking 102: TCP layer, Important Protocols, Services, Portscanning, ARP

[No video was recorded for this lecture due to technical difficulties]

This lecture finishes up the networking overview from last time.

Resources:

Lecture 12: Web application Hacking 101

It’s a bit shorter than other videos, as the class time was taken up going over homework beforehand. This lecture addresses some of the big picture of the topics covered so far, and moves into web application security topics.

Resources:


Week 7 (Web Application Hacking)

Lecture 13: Web Application Hacking 102: Big picture of topics so far, SQLi, XSS

This lecture’s topics cover HTTP proxies, SQLi, and XSS.

Resources:

Lecture 14: Web Application Hacking 103: SSL attacks, advanced techniques

This lecture’s topics cover SSL/TLS, Certificate Authorities, the serious problems with the Certificate Authority infrastructure, a history of CA hacks / breaches, and SSL hacking tools like sslstrip …

Resources:


Week 8 (Web Application Hacking / Exploit dev)

Lecture 15: Web Application Hacking 104 & Exploit Development 104

This class was two lectures in one. In the web application 104 lecture we cover topics like WAF and IDS and how to evade them – which leads into the exploit development 104 lecture. In the exploit dev 104 section we cover topics like networking shellcode, polymorphic shellcode / encoders, and the methodology for defeating IDS/WAF.

Resources:

Lecture 16: Midterm review & Exploit Development 105 (ROP)

This lecture’s first half is a review of topics for the midterm. The second half introduces Return Oriented Programming.

Resources:


Week 9: (Special Topics)

Lecture 17: The Modern History of Cyber Warfare

This lecture covers just a small sample of the major events one might consider part of the history of cyber warfare. The lecture discusses some of the potential tactical and strategic differences between traditional warfare and cyber warfare – as well as the policy and perspective hurdles we face today. This lecture happened shortly after the ground-breaking APT1 report from Mandiant.

Resources:

Lecture 18: Social Engineering

The first portion of this video is a continuation of the previous lecture on cyber warfare. Afterwards, this lecture offers a new spin on social engineering – by starting with fundamental psychological flaws in the human brain, and discussing how they can be exploited…

Resources:


Week 10 (Metaspl0it):

Lecture 19: Metasploit

This lecture covers the metasploit framework, its interfaces, basic usage, and some of its utilities, along with a brief discussion of the social-engineering toolkit (SET)…

Resources:

MIDTERM

No video for this class…

The midterm was at this point, covering lectures 1-16.


Week 11 (Post Exploitation and Forensics):

Lecture 20: Meterpreter and Post Exploitation

This lecture starts by finishing the SET discussion from last time, covers Windows access-tokens, then delves into meterpreter and post exploitation…

Resources:

Lecture 21: Volatility and Incident Response:

This lecture covers an overview of Incident Response and delves into Volatility and memory analysis..

Resources:


Week 12 (Physical Security):

Midterm / Homework recap (no lecture)

No video for this class…

The lecture was sacrificed for administrative things like reviewing the midterm, homeworks, and term project expectations.

Resources:

Lecture 22: Physical Security Workshop: Lockpicking, USB mischief, and BacNET/SCADA system security

This class was an open workshop, thus there is no video for it…

This lecture covers physical security, with a hands-on workshop on lockpicking, along with a simultaneous discussion of USB-related mischief and building hacking (BacNET / SCADA) …

Resources:


Week 13 (Malware / Student Presentations):

Lecture 23: Advanced Malware Techniques

No video for this class…

The lecture slides have been emailed out to the students, and will not be posted online.

Student Presentations Begin

No video for this class, nor the rest of the semester…

At this point, the course lectures have concluded. The remainder of the semester is taken up by student presentations on their term projects.


Week 14-15 (Student Presentations):

(No lectures)


More Information about this course can be found on:

Florida State University’s Offensive Computer Security Spring 2014 – CIS4930 & CIS5930


Instructors

Prof. Xiuwen Liu (homepage: http://www.cs.fsu.edu/~liux/)
W. Owen Redwood (homepage: http://ww2.cs.fsu.edu/~redwood/)

Rationale:

The primary incentive for an attacker to exploit a vulnerability, or series of vulnerabilities is to achieve a return on an investment (his/her time usually). This return need not be strictly monetary—an attacker may be interested in obtaining access to data, identities, or some other commodity that is valuable to them. The field of penetration testing involves authorized auditing and exploitation of systems to assess actual system security in order to protect against attackers. This requires thorough knowledge of vulnerabilities and how to exploit them. Thus, this course provides an introductory but comprehensive coverage of the fundamental methodologies, skills, legal issues, and tools used in white hat penetration testing, secure system administration, and incident response.

Course Lecture Videos / Slides / Reading:

Below you can find and watch all the course videos, required reading, and lecture slides for each lecture (where applicable). The videos hosted on YouTube are lower quality than the ones available for direct download.


Week 1 (Intro / Overview):

Lecture 1: Intro, Ethics, & Overview:

This lecture covers the course Intro, syllabus review, distinction between hacking vs. penetration testing, ethics discussion, course motivation, threat models and some of the basics.

Resources:

Lecture 2: Secure C Coding 101:

What you absolutely need to know about secure coding in C. C is everywhere.

Resources:


Week 2 (Secure C / Code Auditing):

Lecture 3: Secure C Coding 102:

What you absolutely need to know about secure coding in C. C is everywhere.

Resources:

Lecture 4: Code Auditing:

Auditing C code: basic tips, strategies, and exercises.

Resources:


Week 3 (Permissions Spectrum):

Holiday (No Class, Jan 20)

MLK Day Holiday

Lecture 5: The Permissions Spectrum:

Intro to Vulnerability Research topics and the Permissions spectrum.

Resources:


Week 4 (Reverse Engineering Week):

Lecture 6: Reverse Engineering Workshop 1

Guest lecturer Mitch Adair will lead a two day RE workshop, exposing students to x86 reverse engineering with IDA and CFF Explorer. Meet in the lecture room prepared (See email).
Resources:

Lecture 7: Reverse Engineering Workshop 2:

Guest lecturer Mitch Adair will lead a two day RE workshop, exposing students to x86 reverse engineering with IDA and CFF Explorer. Meet in the lecture room prepared (See email).


Week 5 (Fuzzing Week):

Lecture 8: Fuzzing Lecture 1

Coverage of Fuzzing techniques for SDL, VR, and other applications.
[Slides]

Lecture 9: MIDTERM REVIEW:

[No class video, see slides!]

Week 6 (MIDTERM 1 and Exploit Development Week 1):

MIDTERM 1

[no video for this class]

Lecture 10: Fuzzing Lecture #2 and Exploitation Lecture 101:

PART 1:

PART 2:

There are two videos for this lecture. The first half is a wrap-up of fuzzing topics; the second half is the beginning of the exploit development lectures.

Resources:


Week 6 (MIDTERM 1 and Exploit Development Week 1):

Lecture 11: Exploit Development 102

Second lecture in the exploit development lecture series. Covering the very very basics of exploitation. Concept of ret2libc is covered, examples with basic exit() shellcode, and some position-independent basic shellcode.

Resources:

  • [Slides]
  • Reading:
    Read 0x500 up to 0x540 in HAOE (Writing shellcode)
    Read 0x6A0 up to 0x700 in HAOE

This class was cancelled (postponed to next week)


Week 7 (Exploit Development / Networking):

Lecture 12: Exploit Development 103

Third lecture in the exploit development lecture series. Coverage of heap and format string exploitation (with demos), as well as exploit mitigations (ASLR, NX/DEP, stack cookies, EMET, etc…)

Resources:

  • [Slides]
  • Reading:
    Read 0x680 up to 0x6A0 in HAOE

Lecture 13: Networking Lecture 101:

This lecture covers an overview of networking concepts and network security concepts. Topics covered: Wireshark, Nmap, nc, Hubs vs switches vs routers, manufacturer default logins / backdoors… ARP & dns (dnssec), proxies, weak IP vs strong IP model (RFC 1122)

Resources:


Week 8 (Exploit Dev / Web Application Hacking/Security)

Lecture 14: Exploit Development 102

Resources:

  • [Slides]
  • Reading:
    Read 0x450 up to 0x500 in HAOE (27 pages)
    Read 0x540 up through 0x550 in HAOE (11 pages)
    Read Chapter 1 in WAHH (15 pages)

Lecture 15: Wireshark and Web Application Hacking/Security 101

[Video on Wireshark coming soon]

It’s a bit shorter than other videos, as the class time is split between this lecture and a Wireshark/tcpflow demo. This lecture addresses some of the big picture of the topics covered so far, and moves into web application security topics, as well as a very basic demo using BurpSuite as an HTTP proxy.

Resources:

Required Reading:

Related Reading:


Week 10 (Web Applications):

Lecture 16: Web Application Hacking/Security 102

Coverage of SQLi, XSS, Metacharacter Injection, OWASP top 10, and demos.

Resources:

Lecture 17: Web Application Hacking/Security 103


Week 11 (Web Applications and Exploitation):

Lecture 18: Web Application Hacking/Security 104 and Exploitation 104

This class was two lectures in one. In the web application 104 lecture we cover topics like WAF, and IDS and how to evade them – which leads into the exploit development 104 lecture. In the exploit dev 104 section we cover topics like networking shellcode, polymorphic shellcode / encoders, and the methodology for defeating IDS/WAF.

Resources:

Lecture 19: Midterm review #2 and Exploitation 105

ROP Lecture:

This lecture covers ret2libc, return chaining, ROP, how calling conventions affect ROP, how ROP is used to defeat DEP, how ASLR affects ROP, how to defeat ASLR to enable ROP, stack pivoting, and etc… This lecture is just the concepts, next time is the demos.

Resources:

Reading:


Week 12 (ROP and Metasploit):

Lecture 21: Guest Lecturer Devin Cook on ROP and a brief history of exploitation

Devin Cook presented a recap of all the exploitation techniques covered thus far, lectured on ROP, and presented demos on ROP exploitation. Lastly, defenses against ROP were discussed.

Resources:

Lecture 22: Metasploit

This lecture covers the Metasploit framework.

Resources:


Week 13 (MIDTERM #2 and Post Exploitation):

MIDTERM #2

[No video / lecture]

Lecture 23: Meterpreter and Post Exploitation

Post exploitation, Windows authentication / tokens, and pivoting techniques are covered. Demos of SET, Meterpreter, etc. are shared.

Resources:


Week 14 (Forensics and Incident Response):

Lecture 24: Volatility and Forensics

Old video covering Volatility and performing forensic analysis on hacked machines.

Resources:

Lecture 25: Revisiting Old Topics

Wrapping up the course, revisiting old topics: stack cookies and going in depth on how they are bypassed, covering the SSL bugs, digitally signed malware, and then the big picture.

Resources:


Week 15 (Last Week: Physical Security and Social Engineering):

Lecture 26: Social Engineering


More information about this course can be found on:

BSDnow.tv Episodes


Interesting Security Project and Resources for Training, Education, Research and Learning.


“A good traveler has no fixed plans and is not intent on arriving.” –Lao Tzu

“Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack.” –Sun Tzu

“The true science of martial arts means practicing them in such a way that they will be useful at any time, and to teach them in such a way that they will be useful in all things.” –Miyamoto Musashi


Resources

  • Academic Programs
  • Application Security
  • Capture The Flag Competitions
  • Cryptography
  • Embedded Device Security
  • Exploitation
  • Exploitation Mitigation Techniques
  • Fuzzing
  • Mobile Security
  • Network Security
  • Program Analysis
  • Programming
  • Reverse Engineering
  • Source Code Analysis
  • Web Security



Application Security

Application Security describes the fundamental technical skills required to identify and prevent application vulnerabilities.

Introduction

Sandboxes

Research

Projects



Capture The Flag Competitions

Capture The Flag competitions describe challenge-based or adventure-based competitions that involve solving a series of technical challenges. After a team has solved a challenge, the team is presented with a flag, hence the name.

Types of Capture The Flag Competitions

Challenge-Based Competitions

Challenge-Based Capture The Flag competitions are comprised of discrete and individual challenges. Each challenge is typically given a point value that will be awarded to the team that solves it. Challenges can be solved in any order; this allows teams to work on challenges individually and of any difficulty. Newbie teams that are trying to gain experience favor this type of competition because it makes it easy to give up on frustrating challenges to work on other challenges.

Attack-Defend Competitions

Attack-Defend CTF Competitions are multifaceted; teams must ensure security over their own infrastructure while finding flaws and attacking the infrastructure of other teams. Challenges are typically services that run on server, and do not follow any order; again allowing teams to work on challenges individually and of any difficulty. These types of competitions are more focused towards advanced teams who won’t leave any part of the competition untouched.

Wargames

Wargames are always online CTF competitions.

Getting Started

Experience

Teams can only gain experience three ways: practice, practice, practice. But also, watching presentations about competitions and reading write-ups.

Why

Competitions

There are many different competitions held all year round, all around the world. The capture.thefl.ag Google Calendar and Forgotten Security’s CTF Wiki are good resources to use. Rankings and more information can be found at CTFtime.

Wargames

There are many different wargames available. WeChall aggregates stats from many of them. Others are listed below.

Teams

Many teams keep an online presence and keep updated blogs with write-ups from many different competitions.

Running A CTF Competition

Related Resources


Cryptography

Cryptography is the practice and study of techniques for secure communication in the presence of third parties.
http://en.wikipedia.org/wiki/Cryptography

Projects


Embedded Device Security

An embedded device is a computer that is designed to accomplish a single task.

Introduction

Research

Resources



Exploitation

Exploitation is the process of taking advantage of vulnerabilities in binary applications, usually resulting in arbitrary code execution.

Introduction

Research

Shellcode

Resources



Exploitation Mitigation Techniques

Exploitation mitigation techniques are mechanisms that are used to make exploitation of a vulnerability difficult or impossible.

Introduction

NX

SEHOP

Resources


Fuzzing

Fuzzing is sending data (random or deterministic) to an application in order to cause it to crash.

Introduction

Research

Projects


Mobile Security

Information

Tools

Challenges



Network Security

Network Security consists of the policies and activities which govern the usability, reliability, integrity, and safety of a network and its data.

Resources

Tools


Program Analysis

Program analysis is the process of automatically analyzing the behavior of computer programs.

Introduction

Full Courses

Research

Projects

Presentations

Resources


Programming

If you don’t know what programming is, you need to leave.

C

C++

JavaScript

PHP

Python

Ruby


Reverse Engineering

Reverse engineering is the process of understanding binary programs, usually in an environment where source code is not available and there is little knowledge about the original functionality of the binary.

Introduction

Full Courses

x86 Manuals

Disassemblers

Debuggers

Dynamic Instrumentation Tools

Projects

Challenges

x86 Resources


Source Code Analysis

Source Code Analysis is the process of studying code for bugs and vulnerabilities, typically when original source code is available.

Introduction

http://pentest.cryptocity.net/code-audits/

Tools

Resources


Web Security

Web Security encompasses attacks, bugs, vulnerabilities, and exploits on server-side and client-side web application logic and inherent vulnerabilities in web architecture.

Introduction

Challenges

Resources


Digital Forensic Trainings


Hash Verification
Intro to Files, Filesystems, and Disks
Password Cracking
PDF Forensics
Reddit Analysis Tool
Basic Analysis of Web Browsing Activity
Malicious Website Analysis
Data Acquisition with dd
Building a VM from a dd image
BEViewer 1.3
Bulk Extractor v1.2
Disk Forensics Concepts
Disk Scanner
File Carving with Foremost
File Carving with Magic Numbers
Image Ripper
Pattern Matching with grep
Raw Disk Image to Virtual Machine
Scalpel
Extundelete
File Filtering Using Hashsets
File Signature Analysis
md5deep & hashdeep
NTFS Compression & File Recovery/Carving
OS Forensics Tools
TSK & Autopsy
Malware SSL using Burp
Android SDK Manager
Introduction & Installation of Santoku
tcpdump 4.3.0
Computer Networking & Protocols
Intro to Network Forensics
Intro to VOIP Extraction
Intro to Wireshark
Network Miner
chrootkit
Intro to OS Layout
Intro to Windows Forensics
Linux Log Analysis
Windows Registry Part 1
Windows Registry Part 2
Windows Registry Part 3
Memory Analysis with Volatility
Steganography/Steganalysis
NIST Hacking Case

Code

Documentation

from: http://cyfor.isis.poly.edu/43-spring_2013_digital_forensics_final_project_page.html



Code

Documentation

from: http://cyfor.isis.poly.edu/57-fall_2013_digital_forensics_final_project_page.html




Code

Documentation

from: http://cyfor.isis.poly.edu/60-spring_2014_digital_forensics_final_project_page.html


Code

Documentation

from: http://cyfor.isis.poly.edu/61-summer_2014_digital_forensics_final_project_page.html


Code

Documentation

from: http://cyfor.isis.poly.edu/62-fall_2014_digital_forensics_final_project_page.html


The CSAW High School Forensic Challenge is a rigorous test of cyber forensic knowledge.  This area of the CyFor site is dedicated to previous years’ challenges.  Where possible, we make evidence available for download, as well as the solutions.

Mini Challenges

Mini-Challenge 1

Mini-Challenge 2

Mini-Challenge 3

Mini-Challenge 4

Mini-Challenge 5

Mini-Challenge 6

Mini-Challenge 7

Past CSAW Challenges

HSF 2011 Finals

HSF 2011 Preliminary

HSF 2012 Finals

HSF 2012 Preliminary

HSF 2013 Finals

HSF 2013 Preliminary

from: http://cyfor.isis.poly.edu/7-challenges.html

Exploit Creation Video’s


Exploit Creation

How to find vulnerabilities, write shellcode, exploit the vulnerability and finally turn it into a Metasploit exploit module! David Hoelzer is a Senior Fellow with the SANS Institute and author of the SANS Secure Coding in C/C++ course. TnX

Build your own Google TV Using Raspberry Pi


Please note that this project is not intended to replicate an actual GoogleTV, but it’s simply a proof of concept using modern web technologies.

This is the new project I will ‘try-out’ in the next few days [ which I actually dug out from Donald’s Blog ]. All credit goes to him along with a big TnX for this wonderful idea. Make sure to support the developer and visit his page and [ also fork the project ]. This workshop was given at Lamba Labs Beirut First Hackerspace after a series of lightning talks; check out the presentation here. If you’d like to bypass the tutorial and jump into the fun stuff, you can always fork the code on Github.


What’s Google TV?

It turns out that Google is also doing its own thing for the 10-foot screen. Google announced 2 versions of its TV platform: the first, called the Buddy Box, is currently an expensive box manufactured by Sony; the second is an Integrated TV, built right into the TV set, that will be announced soon.

The Google TV looks something like this:

Google TV preview

Developers: you can start building your own web apps for the Google TV or adapt any Android app to fit the 10-foot screen; all the resources can be found on Google’s Developers Site.


Build your own Google TV

Hackers & makers like to re-invent the wheel, and it’s always fun when you do. So we’re going to build our own version of the Google TV using the following open source technologies:

Hardware:

Software Stack:

  • Raspbian OS – a Debian distro specially made for the rPi
  • NodeJs
    • Socket.io – to handle the connection between our remote and our TV via websockets
    • Express – to handle some basic http requests
    • Omxcontrol – a simple module to control the OMXPlayer, which is the best video player on the rPi
  • Chromium Browser
  • OMXPlayer
  • Youtube-dl – a script that lets you download youtube videos
  • QuoJS – to handle swipe gestures on the mobile web app
  • HTML5, CSS3 transitions, Javascript, and Moustache as a template engine
  • Youtube API


The end result

Raspberry Pi TV with its special remote controller

Walkthrough

The project is divided into 4 main categories:

  1. Installing the software stack
  2. Basic shell commands & scripts
  3. Building the backend: NodeJS + Express + Socket.io
  4. Building the front end


1. Installing the software stack:

INSTALL RASPBIAN & NODEJS

Follow this tutorial to install Raspbian and Node Js on your Raspberry Pi

INSTALL CHROMIUM & YOUTUBE-DL

Install Chromium Browser for the Raspberry Pi Source

sudo apt-get install chromium-browser

In order to have a better display you can also install the MS core fonts using

sudo apt-get install ttf-mscorefonts-installer

Install and Update Youtube Downloader

sudo apt-get install youtube-dl 

sudo youtube-dl -U

Note-1: There’s a problem when you want to stream YouTube videos in Chromium on the RaspberryPi: they’re extremely slow because the videos are not being rendered on the GPU. Youtube-dl comes as a quick alternative: the video is downloaded instead and then played by the OMXPlayer, which renders our videos on the GPU and gives us good-quality HD playback.

Note-2: The OMXPlayer is installed by default on the Raspbian.


2. Basic shell commands & scripts

If you’re using SSH to connect to your RaspberryPi you should first add “DISPLAY=:0.0” to your environment variables, by simply executing

export DISPLAY=:0.0

To check all your environment variables

env

Test Chromium in Kiosk Mode:

chromium --kiosk http://www.google.com

Test Youtube-dl

youtube-dl youtube_video_url

I’ve added a few parameters to youtube-dl: with “-o” the downloaded file is named just “youtube ID [dot] the extension”, and with “-f /22/18” I can force the script to download the 720p version of the video for me. Check out the full list of supported youtube formats here

youtube-dl  -o "%(id)s.%(ext)s" -f /22/18 youtube_video_url

After downloading the video, try playing it using OMXPlayer

omxplayer youtube_video_file

Have fun trying the keyboard shortcuts to pause/resume your video and a lot more

Fancy! Let’s automate this process using Node JS


3. Building the backend: NodeJS + Express + Socket.io

The source code is intended to be simple for the sake of the workshop. Here’s the project’s hierarchy:

  • app.js
  • public
    • js
    • css
    • images
    • fonts
    • index.html
    • remote.html
  • package.json

Package.json – A JSON file needed by npm to auto-install dependencies and save some basic info about your project

{
    "name": "GoogleTV-rPi",
    "version": "0.0.1",
    "private": false,
    "scripts": {
        "start": "node app.js"
    },
    "dependencies": {
    "express": "3.1.1",
    "socket.io":"0.9.14",
    "omxcontrol":"*"
    }
}

After creating this file, go to your app directory and run the following to install the dependencies.

npm install

Note-3: Notice that a folder called node_modules will be created by this command. If you like to use git, don’t forget to create a .gitignore file and simply write “node_modules” into it; this will keep the node_modules folder from being added to your git project.

Create the app.js file and let’s start by creating our basic HTTP Express server

var express = require('express')
  , app = express()  
  , server = require('http').createServer(app)
  , path = require('path')

// all environments
app.set('port', process.env.TEST_PORT || 8080);
app.use(express.favicon());
app.use(express.logger('dev'));
app.use(express.bodyParser());
app.use(express.methodOverride());
app.use(express.static(path.join(__dirname, 'public')));

//Routes
app.get('/', function (req, res) {
  res.sendfile(__dirname + '/public/index.html');
});

app.get('/remote', function (req, res) {
  res.sendfile(__dirname + '/public/remote.html');
});

server.listen(app.get('port'), function(){
  console.log('Express server listening on port ' + app.get('port'));
});

This is our basic Express HTTP server configuration with our routes. To test what we’ve done so far, you should first create the index.html and remote.html files inside the public/ directory, write your favorite “Hello, World” messages into them, then go back to your terminal and execute

node app.js

or

npm start

Note-4: That will only work if you have added the following piece of code to your package.json

...
"scripts": {
        "start": "node app.js"
    },
...

Once your server starts it will print “Express server listening on port 8080”.
To test your “Hello, World” pages you should run this application in the background by simply doing

node app.js &

Now this is the most primitive way to launch a Node application in the background; while learning Node you might bump into some modules that automate this simple task, just like Forever.js

Now we have our Node Application up and running in the background, let’s open chromium in kiosk mode and test our Hello, World pages.

chromium --kiosk http://localhost:8080


Adding the Socket.io Magic

I strongly believe that WebSockets are the foundation of the modern web; I always like to point out the following analogy that helped me understand Socket.io.

When AJAX first popped out, old skool developers felt its magic, but they encountered many problems due to how different browsers handle Asynchronous JavaScript and XML requests. jQuery came with the solution by providing a nice and minimal set of functions to deal with the browsers’ nightmare. Socket.io did the same but for WebSockets, and even more!

In order to provide realtime connectivity on every browser, Socket.IO selects the most capable transport at runtime, without it affecting the API.

  1. WebSocket
  2. Adobe® Flash® Socket
  3. AJAX long polling
  4. AJAX multipart streaming
  5. Forever Iframe
  6. JSONP Polling

In order to integrate Socket.io we should add the following to our app.js file:

var express = require('express')
  , app = express()  
  , server = require('http').createServer(app)
  , path = require('path')
  , io = require('socket.io').listen(server)
  , spawn = require('child_process').spawn

and to minify the logs add this:

//Socket.io Config
io.set('log level', 1);

When developing with Socket.io always think like you’re creating a Hello, World Chat Application. I’ve added a simple Chat Application done with Node & Socket.io on a github repo for the sake of this tutorial!

Our Socket.io Server is ready, but it doesn’t do anything, we should implement how we process messages and events sent from the client to the server.

Here’s how you implement this on the server’s side, note that you should also implement how you handle messages on the client’s side, we will see that as we progress throughout this tutorial.

io.sockets.on('connection', function (socket) {
    socket.emit('message', { message: 'welcome to the chat' });
    socket.on('send', function (data) {
        //Emit to all
        io.sockets.emit('message', data);
    });
});

Now our server emits the message “message” whenever a new client is connected, and waits for an event named “send” to process the data and emit it back to all connected clients.

In our case we have two types of clients: the RaspberryPi Display (Screen) and the Mobile Web Application (Remote)

var ss;
//Socket.io Server
io.sockets.on('connection', function (socket) {

  socket.on("screen", function(data){
    socket.type = "screen";
    //Save the screen socket
    ss = socket;
    console.log("Screen ready...");
  });

  socket.on("remote", function(data){
    socket.type = "remote";
    console.log("Remote ready...");
    if(ss != undefined){
      console.log("Synced...");
    }
  });
});


Client Side Sockets Handling

Inside remote.html we should have the following:


<script src="/socket.io/socket.io.js"></script>
<script>
  //use http://raspberrypi.local if you're using the Avahi service,
  //or use your Raspberry Pi's IP address instead
  var socket = io.connect('http://raspberrypi.local:8080');
  socket.on('connect', function(data){
    //identify this client to the server as the remote
    socket.emit('remote');
  });
</script>

In our index.html:

<script src="/socket.io/socket.io.js"></script>
<script>
  //use http://raspberrypi.local if you're using the Avahi service,
  //or use your Raspberry Pi's IP address instead
  var socket = io.connect('http://raspberrypi.local:8080');
  socket.on('connect', function(data){
    //identify this client to the server as the screen
    socket.emit('screen');
  });
</script>


Execute Shell Commands from Node Server

Node enables us to run a system command within a new child process, and listen in on its input/output. This includes being able to pass arguments to the command, and even pipe the results of one command to another. 

The basic way of executing shell commands from NodeJS is very simple

spawn('echo',['foobar']);

But if you want to pipe the output, you should add the following function to your app.js file:

//Run and pipe shell script output
function run_shell(cmd, args, cb, end) {
    var spawn = require('child_process').spawn,
        child = spawn(cmd, args),
        me = this;
    me.stdout = '';   //accumulated output, appended to by the data callback
    child.stdout.on('data', function (buffer) { cb(me, buffer); });
    child.stdout.on('end', end);
}


Adding OMXControl – the OMXPlayer controller Node Module

Luckily I found a node module on npmjs.org that lets you control your OMXPlayer using Express!
Just add the following to your app.js file to use it.

var omx = require('omxcontrol');

//use it with express
app.use(omx());

This will create for us the following routes, that we can use to control and play our videos:

http://localhost:8080/omx/start/:filename

http://localhost:8080/omx/pause


http://localhost:8080/omx/quit

Pretty Awesome!


Putting it all together

Our evolved app.js file


/**
 * Module dependencies.
 */

var express = require('express')
  , app = express()
  , server = require('http').createServer(app)
  , path = require('path')
  , io = require('socket.io').listen(server)
  , spawn = require('child_process').spawn
  , omx = require('omxcontrol');

// all environments
app.set('port', process.env.TEST_PORT || 8080);
app.use(express.favicon());
app.use(express.logger('dev'));
app.use(express.bodyParser());
app.use(express.methodOverride());
app.use(express.static(path.join(__dirname, 'public')));
app.use(omx());

//Routes
app.get('/', function (req, res) {
  res.sendfile(__dirname + '/public/index.html');
});

app.get('/remote', function (req, res) {
  res.sendfile(__dirname + '/public/remote.html');
});

//Socket.io Config
io.set('log level', 1);

server.listen(app.get('port'), function(){
  console.log('Express server listening on port ' + app.get('port'));
});

//Run and pipe shell script output
function run_shell(cmd, args, cb, end) {
    var spawn = require('child_process').spawn,
        child = spawn(cmd, args),
        me = this;
    me.stdout = '';   //accumulated output, appended to by the data callback
    child.stdout.on('data', function (buffer) { cb(me, buffer); });
    child.stdout.on('end', end);
}

//Save the Screen Socket in this variable
var ss;
//Socket.io Server
io.sockets.on('connection', function (socket) {

  socket.on("screen", function(data){
    socket.type = "screen";
    ss = socket;
    console.log("Screen ready...");
  });
  socket.on("remote", function(data){
    socket.type = "remote";
    console.log("Remote ready...");
  });

  //Gestures sent by the remote are translated and forwarded to the screen
  socket.on("control", function(data){
    console.log(data);
    if(socket.type === "remote"){

      if(data.action === "tap"){
        if(ss != undefined){
          ss.emit("controlling", {action:"enter"});
        }
      }
      else if(data.action === "swipeLeft"){
        if(ss != undefined){
          ss.emit("controlling", {action:"goLeft"});
        }
      }
      else if(data.action === "swipeRight"){
        if(ss != undefined){
          ss.emit("controlling", {action:"goRight"});
        }
      }
    }
  });

  //Download the requested video with youtube-dl, then hand it to OMXPlayer
  socket.on("video", function(data){

    if( data.action === "play"){
      var id = data.video_id,
          url = "http://www.youtube.com/watch?v="+id;

      var runShell = new run_shell('youtube-dl',['-o','%(id)s.%(ext)s','-f','/18/22',url],
        function (me, buffer) {
          me.stdout += buffer.toString();
          socket.emit("loading",{output: me.stdout});
          console.log(me.stdout);
        },
        function () {
          //child = spawn('omxplayer',[id+'.mp4']);
          omx.start(id+'.mp4');
        });
    }

  });
});

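The "video" and control handlers above take whatever the remote sends and pass it on unchanged: the video_id ends up in the youtube-dl argument list and in the file name given to omx.start. The following is an added example, not code from the original project, that keeps the same message shapes but validates the remote’s input first and can be unit-tested without socket.io, Express or a Raspberry Pi. The 11-character ID pattern, the videos/ directory, the use of https and the small createHub stand-in for the socket.io server are my assumptions.

```javascript
'use strict';

// Added example (not from the original project): validation layer for the
// messages a remote may send before anything reaches youtube-dl or OMXPlayer.

// Assumption: a YouTube video ID is exactly 11 characters from A-Z, a-z, 0-9, '-' and '_'.
const VIDEO_ID_RE = /^[A-Za-z0-9_-]{11}$/;

// Assumed download directory. Always prefixing a directory also guarantees the
// path never starts with '-', so an ID such as "-abc..." cannot be read as a
// command-line option by youtube-dl or omxplayer.
const VIDEO_DIR = 'videos';

// Gesture -> screen action map. Anything not listed here is dropped.
const REMOTE_TO_SCREEN = Object.freeze({
  tap: 'enter',
  swipeLeft: 'goLeft',
  swipeRight: 'goRight',
});

// Translate a remote "control" message into the "controlling" message the screen
// expects, or return null if the action is unknown or malformed. hasOwnProperty
// is used so keys like "constructor" do not resolve through the prototype chain.
function translateControl(data) {
  if (!data || typeof data.action !== 'string') return null;
  if (!Object.prototype.hasOwnProperty.call(REMOTE_TO_SCREEN, data.action)) return null;
  return { action: REMOTE_TO_SCREEN[data.action] };
}

// Turn a remote "video" message into a spawn description (command + argv array).
// Returns null unless the message is a "play" carrying a well-formed ID.
function planDownload(data) {
  if (!data || data.action !== 'play') return null;
  const id = typeof data.video_id === 'string' ? data.video_id : '';
  if (!VIDEO_ID_RE.test(id)) return null;
  return {
    id,
    file: `${VIDEO_DIR}/${id}.mp4`,
    cmd: 'youtube-dl',
    // argv for child_process.spawn: no shell is involved, so each element is a
    // single argument regardless of spaces or metacharacters in it.
    args: ['-o', `${VIDEO_DIR}/%(id)s.%(ext)s`, '-f', '/22/18',
           `https://www.youtube.com/watch?v=${id}`],
  };
}

// Hypothetical stand-in for the socket.io hub: one screen, any number of remotes.
// A client is any object with emit(event, payload), mirroring socket.emit.
// In app.js you would call hub.onRemoteControl(data) from socket.on('control', ...)
// and hub.onRemoteVideo(data, spawnFn) from socket.on('video', ...).
function createHub() {
  let screen = null;
  return {
    registerScreen(client) { screen = client; },

    // Forward a validated gesture to the screen; returns what was forwarded (or null).
    onRemoteControl(data) {
      const msg = translateControl(data);
      if (msg && screen) screen.emit('controlling', msg);
      return msg;
    },

    // Start a validated download via spawnFn(cmd, args); returns the plan (or null).
    onRemoteVideo(data, spawnFn) {
      const plan = planDownload(data);
      if (plan) spawnFn(plan.cmd, plan.args);
      return plan;
    },
  };
}
```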

4. Building the front-end

Raspberry Pi TV Screen Front-end

Describing in detail how I built the front-end is outside the scope of this tutorial; however, I would like to point out a few tips that I discovered while doing this project over the weekend.

When designing for the 10-foot screen there are some design considerations that you should follow; Google assembled a nice set of these standards on their Developers Site.

Raspberry Pi TV Remote

Instead of creating a typical remote, full of fake buttons, I decided to give QuoJS a try; it’s really fantastic and easy to use!

$$(".r-container").swipeLeft(function(){
  socket.emit('control',{action:"swipeLeft"});
});

Here’s an example of how I send the message “control” back to the server with the data action:"swipeLeft".
The server will handle that message by sending it to the screen, and the screen client will handle it by moving the selected square to the next app (Watch, Listen, Play).

I’ve also stumbled upon a few tricks that will let your iPhone mobile web app look like a native one, with a nice icon and a splash screen.
Just add the following to your HTML <head></head> block

<link rel="apple-touch-icon" href="images/custom_icon.png"/>
<link rel="apple-touch-startup-image" href="images/startup.png">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
<meta name="apple-mobile-web-app-title" content="Remote">
<meta name="apple-mobile-web-app-capable" content="yes">


Wrap-up

This project is still a work in progress, updates coming soon. If you liked this tutorial please don’t forget to check the source code on Github and show some love by starring it.

Special Thanks to everyone at Lamba Labs Beirut Hackerspace , and of course Donald Derek.

I would highly recommend this project. A lot of quality time [again] spent playing with RaspberryPi, building an interesting and very useful setup.

How to Convert a Video to Animated GIF Image on Linux



Once thought of as outdated art forms, animated GIF images have now come back. If you haven’t noticed, quite a few online sharing and social networking sites are now supporting animated GIF images, for example, on Tumblr, Flickr, Google+, and partly on Facebook. Due to their ease of consumption and sharing, GIF-ed animations are now part of mainstream Internet culture.

So some of you may wonder how you can create such animated GIF images. There are various online or offline tools dedicated to creating animated GIF images. Another option is to create an animated GIF image from an existing video clip. In this tutorial, I will describe how to convert a video file to an animated GIF image on Linux.

Step 1: Download a YouTube Video

First, download a YouTube video that you would like to convert. You can use the youtube-dl tool to save a YouTube video as an MP4 file. Suppose you saved your favorite YouTube video as “funny.mp4”.

Step 2: Extract Video Frames from a Video

Next, install FFmpeg on your Linux system, which I will use to extract video frames from the video.

The following command will extract individual video frames, and save them as GIF images. Make sure to use the output file format (“out%04d.gif”) as is. That way, individual frames will be named and saved properly.

ffmpeg -t <duration> -ss <starting position in hh:mm:ss format> -i <input_video> out%04d.gif

For example, if you want to extract the video frames of the input video for 5 seconds, starting at 10 seconds from the beginning, run the following command.

$ ffmpeg -t 5 -ss 00:00:10 -i funny.mp4 out%04d.gif

After FFmpeg finishes, you will see a list of GIF files created, which are named as “out[\d+].gif”.

Step 3: Merge Video Frames into an Animated GIF

The next step is to merge individual GIF files into one animated GIF image. For that, you can use ImageMagick.

First, install ImageMagick on your Linux system if you haven’t done so.

Then, run the following command to merge created GIF images into a single animated GIF file.

convert -delay <ticks>x<ticks-per-second> -loop 0 out*gif <output-gif-file>

In the command, “-delay” is an option that controls the animation speed. This option indicates that [ticks/ticks-per-second] seconds must elapse before the display of the next frame. The “-loop 0” option indicates infinite looping of the animation. If you want, you can specify “-loop N”, in which case the animation will repeat itself N times.

For example, to create an animated GIF image with 20 frames per second and an infinite loop, use the following command.

$ convert -delay 1x20 -loop 0 out*.gif animation.gif

Step 4 (Optional): Reduce the Size of an Animated GIF

The last (optional) step is to reduce the size of the created GIF file, by using ImageMagick’s GIF optimizer.

Use the following command to reduce the GIF size.

$ convert -layers Optimize animation.gif animation_small.gif

Now you are ready to share the GIF image on your social networks. The following shows a sample GIF image that I created from a cute YouTube video.

Offensive Computer Security Video Lectures


OWASP Video Collection


  • 1 Welcome to the OWASP Video Collection
    • 1.1 OWASP Global Webinars
    • 1.2 OWASP AppSecUSA 2014 Conference
    • 1.3 OWASP AppSec Europe 2014 Conference
    • 1.4 OWASP AppSec California 2014 Conference
    • 1.5 OWASP AppSecUSA 2013 Conference
    • 1.6 OWASP AppSec EU Research 2013 Conference
    • 1.7 OWASP AppSec Video Tutorial Series w/ Jerry Hoff
    • 1.8 OWASP AppSecUSA 2012 Conference
    • 1.9 OWASP AppSecUSA 2011 Conference
    • 1.10 OWASP Summit 2011
    • 1.11 OWASP Appsec DC 2010 Conference
    • 1.12 OWASP USA 2010 Conference
    • 1.13 OWASP EU 2010 Conference
    • 1.14 OWASP FROC 2010 Conference
    • 1.15 OWASP USA 2009 Conference
    • 1.16 OWASP AppSecEMEA 2009 Conference
    • 1.17 OWASP Israel 2008
    • 1.18 OWASP AppSecUSA 2008 Conference
    • 1.19 OWASP SnowFROC
    • 1.20 OWASP Minneapolis/St. Paul (OWASP MSP)
    • 1.21 Black Hat 2006
    • 1.22 AppSec Washington 2005

OWASP Global Webinars

YouTube Playlist

OWASP AppSecUSA 2014 Conference

YouTube Playlist

OWASP AppSec Europe 2014 Conference

YouTube Playlist

OWASP AppSec California 2014 Conference

YouTube Playlist

OWASP AppSecUSA 2013 Conference

YouTube Playlist

OWASP AppSec EU Research 2013 Conference

news entry “Video Recordings online”

https://www.its.fh-muenster.de/owasp-appseceu13/rooms/Grosser_Saal

[VID] OWASP-AppsecEU13-AmirAlsbih-ExperiencemadeinTechnicalDueDiligence_720p.mp4 01-Sep-2013 12:28 376M
[VID] OWASP-AppsecEU13-AngelaSasse-KeynoteBustingTheMythofDancingPigsAngelasTop10listofreasonswhyusersbypasssecuritymeasures_720p.mp4 28-Aug-2013 14:20 517M
[VID] OWASP-AppsecEU13-BenStock-EradicatingDNSRebindingwiththeExtendedSame-OriginPolicy_720p.mp4 28-Aug-2013 13:44 447M
[VID] OWASP-AppsecEU13-ChrisEngRyanOBoyle-FromtheTrenchesReal-WorldAgileSDLC_720p.mp4 28-Aug-2013 12:15 518M
[VID] OWASP-AppsecEU13-DavidRoss-InsaneintheIFRAME–Thecaseforclient-sideHTMLsanitization_720p.mp4 28-Aug-2013 15:11 478M
[VID] OWASP-AppsecEU13-DirkWetter-Welcomenoteandamanualfortheconferenceandeverythingelse_720p.mp4 28-Aug-2013 13:52 141M
[VID] OWASP-AppsecEU13-ErlendOftedal-SecuringamodernJavaScriptbasedsinglepagewebapplication_720p.mp4 28-Aug-2013 14:45 429M
[VID] OWASP-AppsecEU13-FlorianStahlJohannesStroeher-SecurityTestingGuidelinesformobileApps_720p.mp4 28-Aug-2013 13:20 353M
[VID] OWASP-AppsecEU13-FrederikBraun-OriginPolicyEnforcementinModernBrowsers_720p.mp4 28-Aug-2013 16:18 284M
[VID] OWASP-AppsecEU13-JimManico-OWASPTop10ProactiveControls_720p.mp4 28-Aug-2013 12:36 403M
[VID] OWASP-AppsecEU13-KrzysztofKotowicz-Iminurbrowserpwningyourstuff-AttackingwithGoogleChromeextensions_720p.mp4 28-Aug-2013 16:36 329M
[VID] OWASP-AppsecEU13-NickNikiforakisLievenDesmetStevenVanAcker-SandboxingJavascript_720p.mp4 28-Aug-2013 16:54 317M
[VID] OWASP-AppsecEU13-OWASPBoard-OWASPIntroduction_720p.mp4 28-Aug-2013 11:04 160M
[VID] OWASP-AppsecEU13-SebastianLekiesBenStock-ClickjackingProtectionUnderNon-trivialCircumstances_720p.mp4 28-Aug-2013 16:03 345M
[VID] OWASP-AppsecEU13-StefanoDiPaola-JavascriptlibrariesinsecurityAshowcaseofrecklessusesandunwittingmisuses_720p.mp4 28-Aug-2013 15:44 634M
[VID] OWASP-AppsecEU13-TarasIvashchenko-ContentSecurityPolicy-thepanaceaforXSSorplacebo_720p.mp4 28-Aug-2013 13:01 459M
[VID] OWASP-AppsecEU13-ThomasRoessler-KeynoteSecureallthethingsfictionfromtheWebsimmediatefuture_720p.mp4 28-Aug-2013 17:19 466M
[VID] OWASP-AppsecEU13-TobiasGondrom-OWASP-CISOGuideandCISOreport2013formanagers_720p.mp4 28-Aug-2013 11:47 419M

https://www.its.fh-muenster.de/owasp-appseceu13/rooms/Aussichtsreich_+_Freiraum

[VID] OWASP-AppsecEU13-AbrahamAranguren-IntroducingOWASPOWTF5x5_720p.mp4 27-Aug-2013 04:28 211M
[VID] OWASP-AppsecEU13-AchimHoffmannOferShezaf-WAFEC-contentandhistoryofanunbiasedprojectchallenge_720p.mp4 27-Aug-2013 04:14 299M
[VID] OWASP-AppsecEU13-BastianBraunJoachimPoseggaChristianV.Pollak-ADoormanforYourHome-Control-FlowIntegrityMeansinWebFrameworks_720p.mp4 27-Aug-2013 00:54 327M
[VID] OWASP-AppsecEU13-ColinWatsonDennisGroves-OWASPAppSensorInTheoryInPracticeandInPrint_720p.mp4 27-Aug-2013 05:29 322M
[VID] OWASP-AppsecEU13-DanCornell-DoYouHaveaScanneroraScanningProgram_720p.mp4 27-Aug-2013 03:54 353M
[VID] OWASP-AppsecEU13-DaveWichers-OWASPTop10-2013_720p.mp4 31-Aug-2013 12:02 474M
[VID] OWASP-AppsecEU13-DieterGollmann-ClosingNoteAccessControloftheWeb-TheWebofAccessControl_720p.mp4 27-Aug-2013 06:40 479M
[VID] OWASP-AppsecEU13-DirkWetter-ClosingCeremony_720p.mp4 27-Aug-2013 06:53 206M
[VID] OWASP-AppsecEU13-EduardoVela-Matryoshka_720p.mp4 26-Aug-2013 23:26 324M
[VID] OWASP-AppsecEU13-ErlendOftedal-RESTfulsecurity_720p.mp4 26-Aug-2013 22:36 435M
[VID] OWASP-AppsecEU13-FredDonovan-Q-BoxandH-BoxRaspberryPIfortheInfrastructureandHacker_720p.mp4 27-Aug-2013 01:18 350M
[VID] OWASP-AppsecEU13-JrgSchwenk-KeynoteCryptographyinWebSecurityStupidBrokenandmaybeWorking_720p.mp4 26-Aug-2013 17:50 213M
[VID] OWASP-AppsecEU13-KonstantinosPapapanagiotouSpyrosGasteratos-OWASPHackademicapracticalenvironmentforteachingapplicationsecurity_720p.mp4 27-Aug-2013 05:08 319M
[VID] OWASP-AppsecEU13-LucaViganLucaCompagna-TheSPaCIoSToolproperty-drivenandvulnerability-drivensecuritytestingforWeb-basedapplicationscenarios_720p.mp4 27-Aug-2013 05:50 311M
[VID] OWASP-AppsecEU13-MarcoBalduzziVincenzoCiangagliniRobertMcArdle-HTTPS-BasedClusteringforAssistedCybercrimeInvestigations_720p.mp4 26-Aug-2013 23:05 450M
[VID] OWASP-AppsecEU13-MarioHeiderich-TheinnerHTMLApocalypse-HowmXSSattackschangeeverythingwebelievedtoknowsofar_720p.mp4 27-Aug-2013 00:33 584M
[VID] OWASP-AppsecEU13-MicheleOrr-RootingyourinternalsInter-ProtocolExploitationcustomshellcodeandBeEF_720p.mp4 26-Aug-2013 18:16 406M
[VID] OWASP-AppsecEU13-MiltonSmith-MakingtheFutureSecurewithJava_720p.mp4 27-Aug-2013 02:55 559M
[VID] OWASP-AppsecEU13-NickNikiforakis-WebFingerprintingHowWhoandWhy_720p.mp4 27-Aug-2013 01:51 490M
[VID] OWASP-AppsecEU13-NicolasGrgoire-BurpPro-Real-lifetipsandtricks_720p.mp4 26-Aug-2013 20:30 562M
[VID] OWASP-AppsecEU13-PaulStone-PrecisionTiming-AttackingbrowserprivacywithSVGandCSS_720p.mp4 26-Aug-2013 19:22 518M
[VID] OWASP-AppsecEU13-PhilippeDeRyckLievenDesmetFrankPiessensWouterJoosen-ImprovingtheSecurityofSessionManagementinWebApplications_720p.mp4 26-Aug-2013 23:54 427M
[VID] OWASP-AppsecEU13-RetoIschi-AnAlternativeApproachforReal-LifeSQLiDetection_720p.mp4 27-Aug-2013 04:47 286M
[VID] OWASP-AppsecEU13-RobertoSuggiLiverani-AugmentedRealityinyourWebProxy_720p.mp4 26-Aug-2013 21:34 505M
[VID] OWASP-AppsecEU13-SahbaKazerooni-NewOWASPASVS2013_720p.mp4 27-Aug-2013 06:09 269M
[VID] OWASP-AppsecEU13-SaschaFahlMarianHarbachMatthewSmith-MalloDroidHuntingDownBrokenSSLinAndroidApps_720p.mp4 26-Aug-2013 22:06 498M
[VID] OWASP-AppsecEU13-SaschaFahlMatthewSmithHenningPerlMichaelBrenner-QualitativeComparisonofSSLValidationAlternatives_720p.mp4 26-Aug-2013 18:49 512M
[VID] OWASP-AppsecEU13-SimonBennetts-OWASPZAPInnovations_720p.mp4 27-Aug-2013 03:31 524M
[VID] OWASP-AppsecEU13-TalBeEry-APerfectCRIMEOnlytimewilltell_720p.mp4 26-Aug-2013 21:00 463M
[VID] OWASP-AppsecEU13-ThomasHerleaNelisBouckJohanPeeters-RecipesforenablingHTTPS_720p.mp4 26-Aug-2013 19:53 483M
[VID] OWASP-AppsecEU13-YvanBoilyMinion-MakingSecurityToolsaccessibleforDevelopers_720p.mp4 27-Aug-2013 02:17 390M

OWASP AppSec Video Tutorial Series w/ Jerry Hoff

OWASP Appsec Tutorial Series Click Here

OWASP AppSecUSA 2012 Conference

Vimeo

OWASP AppSecUSA 2011 Conference

Videos and Slides

Thursday, September 22, 2011

TIME | ATTACKS & DEFENSES | CLOUD | MOBILE | THOUGHT LEADERSHIP
0730-0830 CONTINENTAL BREAKFAST
0830-0920 KEYNOTE
Mark Curphey
Community – The Killer App (Video – starts at time marker 5:30, PDF)
0920-0930 BREAK
0930-1020 Andrés Riancho

Web Application Security Payloads(Video, PDF)

Andy Murren

SwA and the Cloud – Counting the Risks (Video,PPTX)

Patrick Tatro

Principles of Patrolling: Applying Ranger School to Information Security (Video,PPTX)

* Thank you to Patrick who, true to form, willingly stepped forward as an alternate

Arian Evans

Six Key Metrics: A look at the future of appsec (Video, sorry – no slides)

1020-1040 COFFEE BREAK
1040-1130 Jim Manico

Ghosts of XSS Past, Present and Future(Video, PDF)

Shankar Babu Chebrolu, PhD, CISSP

Top Ten Risks with Cloud that will keep you Awake at Night(Video, PPTX)

Ryan W Smith

STAAF: An Efficient Distributed Framework for Performing Large-Scale Android Application Analysis (Video,PDF)

Charles Henderson

Global Security Report (PDF)

1130-1140 BREAK
1140-1230 Shreeraj Shah

Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2) (Video,PDF)

Scott Matsumoto

Threat Modeling in the Cloud: What You Don’t Know Will Hurt You!(Video, PDF)

Tom Fischer

Lessons Learned Building Secure ASP.NET Applications(Video, PDF)

* Moved from Patterns Track for scheduling purposes

John Benninghoff

Behavioral Security Modeling: Eliminating Vulnerabilities by Building Predictable Systems (Video,PDF)

1230-1330 LUNCH & OWASP FOUNDATION BOARD DISCUSSION
Jeff Williams (Chair), Tom Brennan, Eoin Keary, Matt Tesauro, Dave Wichers, and incoming board member Michael Coates (Video, PDF)
* Sebastien Deleersnyder was unable to attend due to a scheduling conflict.
1330-1420 Javier Marcos de Prado, Juan Galiana Lara

Pwning intranets with HTML5 (Video,PDF)

Dan Cornell

The Self Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching (Video,PDF)

Mike Park

Android Security, or This is not the Kind of “Open” I Meant… (Video,PPTX)

Rafal Los, Mike McCormick,Christophe Veltsos, Jeff Williams

Making it in Information Security and Application Security (Video,PPT)

1420-1430 BREAK
1430-1520 Ganesh Devarajan,Todd Redfoot

Keeping up with the Web-Application Security (Video,PPTX)

Matt Tesauro

Testing from the Cloud: Is the Sky Falling? (Video,PDF)

Kevin Stadmeyer,Garrett Held

Hacking (and Defending) iPhone Applications(Video, PPTX)

John B. Dickson, CISSP

Software Security: Is OK Good Enough?(Video, PDF)

1520-1540 COFFEE BREAK
1540-1630 Jon McCoy (DigitalBodyGuard)

Hacking .NET (C#) Applications: The Black Arts (Video,PDF)

Adrian Lane

CloudSec 12-Step(Video, PDF)

Ashkan Soltani,Gerrit Padgham

When Zombies Attack – a Tracking Love Story (Video, PDF)

Jeff Williams

AppSec Inception – Exploiting Software Culture(Video, Prezi [Flash])

1630-1700 UNIVERSITY CHALLENGE WINNERS TALK! (Video, PPT)
1700-1800 HAPPY HOUR

Friday, September 23, 2011

TIME | SOFTWARE ASSURANCE | OWASP | PATTERNS | SECURE SDLC
0730-0830 CONTINENTAL BREAKFAST
0830-0920 KEYNOTE
Ira Winkler (Video, PPT)
0920-0930 BREAK
0930-1020 Richard Struse

Software Assurance Automation throughout the Lifecycle (Video,PPTX)

Michael Coates

Pure AppSec, No Fillers or Preservatives – OWASP Cheat Sheet Series(Video, PDF)

Colin Watson

OWASP Codes of Conduct (PDF)

Dr. Bill Chu, Jing Xie

Secure Programming Support in IDE(Video, PDF)

Brian Chess

Gray, the New Black: Gray-Box Web Penetration Testing (Video,PPTX)

1020-1040 COFFEE BREAK
1040-1130 Ryan Stinson

Improve your SDLC with CAPEC and CWE (Video,PPTX)

Jack Mannino,Zach Lanier,Mike Zusman

OWASP Mobile Top 10 Risks(Video, PPTX)

Aditya K Sood,Richard Enbody

The Good Hacker – Dismantling Web Malware (Video,PDF)

Chris Wysopal

Application Security Debt and Application Interest Rates (Video, PPT)

1130-1140 BREAK
1140-1230 Chuck Willis,Kris Britton

Sticking to the Facts: Scientific Study of Static Analysis Tools(Video, PDF)

Simon Bennetts

Introducing the OWASP Zed Attack Proxy(Video, PPTX)

Justin Collins,Tin Zaw

Brakeman and Jenkins: The Duo Detect Defects in Ruby on Rails Code (Video,PPTX)

Mike Ware

Simplifying Threat Modeling (Video,PDF)

1230-1330 LUNCH & KEYNOTE Moxie Marlinspike (Video, PDF)
1330-1420 Adam Meyers

Mobile Applications Software Assurance (Video,PDF)

Anthony J. Stieber

How NOT to Implement Cryptography for the OWASP Top 10 (Video, PDF)

Michael Coates

Security Evolution – Bug Bounty Programs for Web Applications(Video, PDF)

Wendy Nather (moderator),Dinis Cruz, Chris Eng, Jerry Hoff,Darren Meyer,John Steven,Sean Fay

Speeding Up Security Testing Panel (Video,PPTX)

1420-1430 BREAK
1430-1520 Charles Schmidt

You’re Not Done (Yet) – Turning Securable Apps into Secure Installations using SCAP (Video,PPTX)

Beef (Chris Schmidt), Kevin Wall

ESAPI 2.0 – Defense Against the Dark Arts(Video, PPT)

Jason Li

OWASP Projects Portal Launch! (5-10 Minutes)(Video, PPTX)

Srini Penchikala

Messaging Security using GlassFish 3.1 and Open Message Queue (Video,PDF)

Glenn Leifheit (moderator), Andreas Fuchsberger,Ajoy Kumar,Richard Tychansky,Alessandro Moretti

Application Security Advisory Board SDLC Panel(Video, PPTX)

1520-1540 COFFEE BREAK
1540-1630 Michelle Moss,Nadya Bartol

Why do developers make these dangerous software errors?(Video, PPTX)

Ryan Barnett

OWASP CRS and AppSensor Project(Video, Prezi [Flash])

Alex Smolen

Application Security and User Experience (Video,PDF)

Gunnar Peterson

Mobile Web Services (Video, sorry – no slides)

* Moved from Mobile Track for scheduling purposes

1630-1640 BREAK
1640-1730 RECAP AND LOOKING AHEAD TO THE NEXT TEN YEARS AND APPSEC USA 2012

OWASP Summit 2011

OWASP Summit 2011 Vimeo videos are available at

OWASP Appsec DC 2010 Conference

  1. Cloudy with a Chance of Hack! with Lars Ewe, Cenzic

OWASP USA 2010 Conference

Videos, ordered by play count as listed on the original video channel:

  1. HD Moore, Keynote Speaker (23.3K plays)
  2. Jeremiah Grossman, Breaking Web Browsers (2,220 plays)
  3. Samy Kamkar, How I Met Your Girlfriend (2,033 plays)
  4. Keith Turpin: The Secure Coding Practices Quick Reference Guide (1,625 plays)
  5. Dan Cornell, Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications (1,244 plays)
  6. Robert Zigweid: Threat Modeling Best Practices (998 plays)
  7. Peleus Uhley, Assessing, Testing & Validating Flash Content (829 plays)
  8. Joe Basirico, Reducing Web Application Vulnerabilities: Moving from a Test-Dependent to Design-Driven Development (789 plays)
  9. Michael Coates, Real Time Application Defenses – The Reality of AppSensor & ESAPI (767 plays)
  10. Adrian Lane, Agile + Security = FAIL (646 plays)
  11. David Rice, Keynote Speaker (546 plays)
  12. Paul Judge, The Dark Side of Twitter, Measuri
  13. OWASP: AppSec 2010 Promo (411 plays)
  14. Rafal Los, Into the Rabbit Hole: Execution Flow-based Web Application Testing (303 plays)
  15. Panel Discussion: Vulnerability Lifecycle for Software Vendors with Kelly FitzGerald, Katie Moussouris, John Steven & Daniel Hol (202 plays)
  16. Aditya K. Sood, Bug-Alcoholic 2.0 – Untamed World of Web Vulnerabilities (198 plays)
  17. Lars Ewe, Session Management Security Tips and Tricks (198 plays)
  18. Panel Discussion: Security Trends with Jeremiah Grossman, Robert Hansen, Jeff Williams & Eric Chen (197 plays)
  19. David Bryan & Michael Anderson, Cloud Computing, A Weapon of Mass Destruction? (187 plays)
  20. Gunter Ollmann, P0w3d for Botnet CNC (181 plays)
  21. Chenxi Wang (167 plays)
  22. Chris Schmidt: Solving Real-World Problems with an Enterprise Security API (ESAPI) (161 plays)
  23. Dinis Cruz: Tour of OWASP Projects & Using the OWASP O2 Platform (132 plays)
  24. Bill Cheswick (121 plays)
  25. Jeff Williams (116 plays)
  26. Panel Discussion: Characterizing Software Security as a Mainstream Business risk with Ed Pagett, Richard Greenberg, John Sapp & (116 plays)
  27. Ivan Ristic, State of SSL on the Internet – 2010 Survey (112 plays)
  28. Antti Rantasaari & Scott Sutherland, Escalating Privileges through Database Trusts (88 plays)
  29. Alex Stamos (85 plays)
  30. Peleus Uhley, Unraveling Cross-Technology, Cross-Domain Trust Relations (83 plays)
  31. Panel Discussion: Defining the Identity Management Framework with Mano Paul, Richard Tychansky, Jeff Williams & Hord Tipton (82 plays)

OWASP EU 2010 Conference

OWASP AppSec Research 2010, Stockholm, Sweden

Conference Day 1 – June 23, 2010

Legend: [R] = Research paper, [D] = Demo, [P] = Presentation. Parallel sessions are listed per time slot in Track 1, Track 2, Track 3 order.

08:00-08:50 Registration and Breakfast + Coffee
08:50-09:00 Welcome to OWASP AppSec Research 2010 Conference (pdf) - John Wilander & OWASP Global Board Members
09:00-10:00 Keynote: Cross-Domain Theft and the Future of Browser Security (pdf) (video) - Chris Evans, Information Security Engineer, and Ian Fette, Product Manager for Chrome Security, Google

10:10-10:45
  Track 1: [R] BitFlip: Determine a Data’s Signature Coverage from Within the Application (pdf) (video) - Henrich Christopher Poehls, University of Passau
  Track 2: [P] CsFire: Browser-Enforced Mitigation Against CSRF (pdf) (video) - Lieven Desmet and Philippe De Ryck, Katholieke Universiteit Leuven
  Track 3: [P] Deconstructing ColdFusion (pdf) (video) - Chris Eng, Veracode

10:45-11:10 Break (Expo, CTF kick-off); coffee break sponsoring position open ($2,000)

11:10-11:45
  Track 1: [R] Towards Building Secure Web Mashups (pdf) (video) - M Decat, P De Ryck, L Desmet, F Piessens, W Joosen, Katholieke Universiteit Leuven
  Track 2: [P] New Insights into Clickjacking (pdf) (video) - Marco Balduzzi, Eurecom
  Track 3: [P] How to Render SSL Useless (pdf) (video) - Ivan Ristic, Qualys

11:55-12:30
  Track 1: [R] Busting Frame Busting (pdf) (video) - Gustav Rydstedt, Stanford Web Security Research
  Track 2: [P] Web Frameworks and How They Kill Traditional Security Scanning (pdf) (video) - Christian Hang and Lars Andren, Armorize Technologies
  Track 3: [D] The State of SSL in the World (pdf) (video without sound) - Michael Boman, Omegapoint

12:30-13:45 Lunch (Expo, CTF); lunch sponsor: IIS

13:45-14:20
  Track 1: [R] (New) Object Capabilities and Isolation of Untrusted Web Applications (pdf) (video) - Sergio Maffeis, Imperial College, London
  Track 2: [P] Beyond the Same-Origin Policy (pdf) (video) - Jasvir Nagra and Mike Samuel, Google
  Track 3: [D] SmashFileFuzzer – a New File Fuzzer Tool (pdf) (video) - Komal Randive, Symantec

14:30-15:05
  Track 1: [D] Security Toolbox for .NET Development and Testing (pdf) (video) - Johan Lindfors and Dag König, Microsoft
  Track 2: [D] Cross-Site Location Jacking (XSLJ) (not really) (pdf) (video) - David Lindsay, Cigital, and Eduardo Vela Nava, sla.ckers.org
  Track 3: [D] Owning Oracle: Sessions and Credentials (pdf) (video) - Wendel G. Henrique and Steve Ocepek, Trustwave

15:05-15:30 Break (Expo, CTF); coffee break sponsoring position open ($2,000)

15:30-16:05
  Track 1: [D] Value Objects a la Domain-Driven Security: A Design Mindset to Avoid SQL Injection and Cross-Site Scripting (pdf) (video) - Dan Bergh Johnsson, Omegapoint
  Track 2: [P] Automated vs. Manual Security: You Can’t Filter “The Stupid” (pdf not available yet) (video) - David Byrne and Charles Henderson, Trustwave
  Track 3: [R] Session Fixation – the Forgotten Vulnerability? (pdf) (video) - Michael Schrank and Bastian Braun, University of Passau, and Martin Johns, SAP Research

16:15-17:00 Panel Discussion: “Is Application Security a Losing Battle?” (video, partly poor sound)

19:00-23:00 Gala Dinner at Stockholm City Hall (The Golden Hall), sponsored by Google
Conference Day 2 – June 24, 2010

Legend: [R] = Research paper, [D] = Demo, [P] = Presentation. Parallel sessions are listed per time slot in Track 1, Track 2, Track 3 order.

08:00-08:50 Breakfast + Coffee
08:50-09:00 Three Announcements from OWASP (video)
09:00-10:00 Keynote: The Security Development Lifecycle – The Creation and Evolution of a Security Development Process (pdf) (video) - Steve Lipner, Senior Director of Security Engineering Strategy, Microsoft Corporation

10:10-10:45
  Track 1: [P] The Anatomy of Real-World Software Security Programs (pdf) (video) - Pravir Chandra, Fortify
  Track 2: [D] Promon TestSuite: Client-Based Penetration Testing Tool (pdf not available yet) (video) - Folker den Braber and Tom Lysemose Hansen, Promon
  Track 3: [R] A Taint Mode for Python via a Library (pdf) (video) - Juan José Conti, Universidad Tecnológica Nacional, and Alejandro Russo, Chalmers Univ. of Technology

10:45-11:10 Break (Expo, CTF); coffee sponsor: MyNethouse

11:10-11:45
  Track 1: [P] Microsoft’s Security Development Lifecycle for Agile Development (pdf) (video) - Nick Coblentz, OWASP Kansas City Chapter and AT&T Consulting
  Track 2: [P] Detecting and Protecting Your Users from 100% of all Malware – How? (pdf) (video) - Bradley Anstis and Vadim Pogulievsky, M86 Security
  Track 3: [R] OPA: Language Support for a Sane, Safe and Secure Web (pdf) (video without sound) - David Rajchenbach-Teller and François-Régis Sinot, MLstate

11:55-12:30
  Track 1: [P] Secure Application Development for the Enterprise: Practical, Real-World Tips (pdf) (video) - Michael Craigue, Dell
  Track 2: [P] Responsibility for the Harm and Risk of Software Security Flaws (pdf) (video) - Cassio Goldschmidt, Symantec
  Track 3: [R] Secure the Clones: Static Enforcement of Policies for Secure Object Copying (pdf) (video) - Thomas Jensen and David Pichardie, INRIA Rennes – Bretagne Atlantique

12:30-13:45 Lunch (Expo, CTF); lunch break sponsoring position open ($4,000)

13:45-14:20
  Track 1: [P] Product Security Management in Agile Product Management (pdf) (video) - Antti Vähä-Sipilä, Nokia
  Track 2: [P] Hacking by Numbers (pdf) (video) - Tom Brennan, WhiteHat Security and OWASP Foundation
  Track 3: [R] Safe Wrappers and Sane Policies for Self Protecting JavaScript (pdf) (video) - Jonas Magazinius, Phu H. Phung, and David Sands, Chalmers Univ. of Technology

14:30-15:05
  Track 1: [P] OWASP Top 10 2010 (pdf) (video) - Dave Wichers, Aspect Security and OWASP Foundation
  Track 2: [P] Application Security Scoreboard in the Sky (pdf) (video) - Chris Eng, Veracode
  Track 3: [R] On the Privacy of File Sharing Services (pdf & video not available because of a potential zero-day) - N Nikiforakis, F Gadaleta, Y Younan, and W Joosen, Katholieke Universiteit Leuven

15:05-15:30 Break (Expo, CTF); coffee break sponsoring position open ($2,000)
15:30-16:00 CTF Prize Ceremony, Announcement of OWASP AppSec EU 2011, Closing Notes (pdf)

OWASP FROC 2010 Conference

JUNE 2, 2010

07:30-08:30 Registration and Continental Breakfast in the Sponsor Expo Room
08:30-08:35 Welcome to FROC 2010 Conference - David Campbell, OWASP Denver
08:35-09:35 Keynote: “Watching Software Run: Software Security Beyond Defect Elimination” - Brian Chess, Fortify Software (Presentation, Video)
09:35-10:00 OWASP: State of the Union - Tom Brennan, OWASP Board (Video)
10:00-10:20 Cloud Security Alliance: State of the Union - Randy Barr, Cloud Security Alliance (Video)
10:20-10:30 Break (Expo, CTF)

Tracks: Room 1 = AppSec/Technical Track; Room 2 = Cloud/Mobile/Emerging Track; Room 3 = Management / Exec Track

10:30-11:15
  Room 1: 2010: Web Hacking Odyssey – The Top Hacks of the Year - Jeremiah Grossman (Presentation, Video; the blip version seems broken, so the video is linked to the WhiteHatSec webex)
  Room 2: “Building a Secure, Compliant Cloud for the Enterprise” - Matt Ferrari, Hosting.com
  Room 3: “Anatomy of a Logic Flaw” - David Byrne and Charles Henderson, Trustwave

11:15-12:00
  Room 1: Advanced MITM Techniques for Security Testers - Mike Zusman, Raj Umadas and Aaron Rhodes, Intrepidus Group (Presentation)
  Room 2: “YOU are the weakest link” - Chris Nickerson, Lares Consulting (Presentation)
  Room 3: “Effectively marketing security as a win for both the business and the customer” - Ben Whaley, Applied Trust Engineering, and Jeff Smith, Rally Software (Presentation)

12:00-13:00 Lunch (Expo, CTF)

13:00-13:50
  Room 1: Vulnerabilities in Secure Code: Now and Beyond - Alex Wheeler and Ryan Smith, Accuvant (Video)
  Room 2: “Real life CSI – Data Mining and Intelligence Gathering for the masses” - Chris Roberts, Cyopsis (Presentation)
  Room 3: “The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise” - John Dickson, Denim Group (Presentation)

13:50-14:40
  Room 1: Beware of Serialized GUI Objects Bearing Data - David Byrne and Rohini Sulatycki, Trustwave (Video)
  Room 2: “What’s Old Is New Again: An Overview of Mobile Application Security” - Zach Lanier and Mike Zusman, Intrepidus Group
  Room 3: “Fundamental Practices and Tools to implement a security development lifecycleR