Next week it's time for the 2009 OWASP AppSec Europe conference. It'll be held in lovely Krakow, Poland.
The conference runs from May 13th-14th, and I'll be there for this year's festivities. I'm speaking on the Thursday afternoon at 15:45 on the topic "Factoring Malware and Organized Crime into Web Application Security".
If you're responsible for corporate security or secure Web application development, you should already be planning to be at OWASP next week. Don't forget to drop in on my talk.
The abstract for my talk:
The “good old days” of Web security being a battle between the application development team and a sole attacker operating from his bedroom have long since disappeared. Today’s Web application security is a battle with professional criminal hacking teams, organized at a global level, whose primary motivation is financial gain.
Despite knowledge of who the combatants are and their capabilities, both Web application developers and security consultants alike have persisted in largely ignoring this threat. Their doggedness in designing Web applications in the traditional way – with layers of authentication, authorization and complexity – has, to an extent, helped facilitate much of the success organized cyber-criminal teams have had over recent years.
Today’s security professionals need to factor in this organized criminal threat. With malware being near ubiquitous at the client, application developers need to address the fact that upwards of one-third of their customers are likely to be infected at any point in time. If so, how do you trust the data coming from your own customers and continue to do business with them?
The threat is most prevalent within the online banking industry, but the success of the tactics used by cyber-criminals to exploit these Web application vulnerabilities has seen them increasingly adopted in other profitable online spheres. How should Web developers factor the use of malware (running on a host they have no control over) into their application design? How should security consultants test and evaluate the countermeasures deployed by application designers to combat an organized cyber-crime threat?
With even the most advanced client authentication technologies being defeated, this session will cover how cyber-criminals are really defeating Web applications (by example) along with the multi-disciplinary skills and tactics developers and consultants need to adopt in order to help combat the evolving threat.