Friday, October 24, 2014


OWASP (the Open Web Application Security Project) sponsors LASCON, the Lonestar Application Security Conference. This year's two-day assembly brought together cutting-edge vendors, theoreticians, and developers. It was my privilege to be the introductory speaker for Kunal Anand of Prevoty and Ksenia Dmitrieva of Cigital. The general session guest speakers included Martin Hellman, co-inventor of public key cryptography, and Kelley Misata, formerly of Tor and now with the Suricata project.
Martin Hellman (left)
"The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks." -- OWASP.

Ksenia Dmitrieva of Cigital answers questions
after her presentation
"Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. You'll find everything about OWASP here on or linked from our wiki and current information on our OWASP Blog. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. We ask that the community look out for inappropriate uses of the OWASP brand including use of our name, logos, project names and other trademark issues." -- OWASP.

Keynote speaker Kelley Misata spoke on behalf of Tor.
Misata now works with the CERIAS project at Purdue
and with Suricata, the open-source IDS developed by the Open Information Security Foundation (OISF)
Martin Hellman worked directly with Whitfield Diffie to realize public key cryptography. They then discovered that Ralph Merkle had independently submitted a paper some months earlier. Merkle's paper, "Secure Communications over Insecure Channels" (which he hosts on his own website), was rejected for openly running contrary to the mainstream of cryptographic theory. Diffie and Hellman published congruent ideas under the less contrarian title "New Directions in Cryptography" (available on Hellman's own pages and archived widely). Hellman was also a professor, with Diffie working alongside him at Stanford as a graduate student, whereas Merkle was still a student at Berkeley with no support for his theories from his own mentors. So Hellman brought more social status to the supposedly impartial peer-review process. He also brought Merkle to Stanford from Berkeley, where Merkle went on to complete his doctorate under him.

Kelley Misata was cyber-stalked for eight years. She watched as her computer was taken over and operated remotely. Trashy emails, assembled from cut-and-paste excerpts of her own Facebook pages, were sent in her name. She could not apply for a job without her stalker knowing it and intruding. She worked out who he was. However, the FBI said that it was powerless, and a judge refused to issue a restraining order, in both cases because the stalker hid behind Tor and so could not be formally identified. So she took her MBA and her marketing experience to Tor, where she advocated for privacy and security. She now helps the Center for Education and Research in Information Assurance and Security (CERIAS) while working on her doctorate at Purdue.

Appropriately, the front of the vendor hall was held by WhiteHat Security of Santa Clara. All of the exhibitors were satisfied to have made good contacts. While setting up his talk, Kunal Anand underscored for me the importance of qualified leads to a start-up looking to scale its services.

OWASP co-founder and Contrast Security CTO Jeff Williams 
Among the fifteen sponsors set up in the vendor hall were HP (both local and national sales offices), Contrast Security of Palo Alto, Trustwave, F5 Networks (headquartered in Seattle), Checkmarx from Chicago, Qualys (Redwood City), and K2Share from College Station, Texas.
Wade Williamson from Shape Security of Mountain View.
OWASP conventions always include several security challenges, such as capture the flag and locksport. The convention name tags were puzzles with embedded clues. (Decipher the Roman numerals into an IP address and go from there.) Winners received a challenge coin. Capture the flag lets would-be hackers attack knowledgeable defenders of a target computer. Of course, all the firewalls do you no good if someone can pop the lock on your server cage.
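As an added illustration of the name-tag puzzle (this is example code, not anything from the conference organizers or the original post), here is a strict Roman-numeral decoder that turns a dotted clue into an IPv4 address. The clue format (four Roman groups separated by dots or spaces) and the sample clues are constructed assumptions; the actual LASCON badge text is not reproduced here. The decoder rejects non-canonical numerals such as "IIII" and groups that overflow an octet, which is the kind of check that keeps a solver from chasing a bogus address.

```python
import ipaddress
import re

# Canonical (subtractive) Roman numeral values, largest first. The order matters
# for both the greedy decoder and the canonical encoder below.
ROMAN_VALUES = [
    (1000, "M"), (900, "CM"), (500, "D"), (400, "CD"),
    (100, "C"), (90, "XC"), (50, "L"), (40, "XL"),
    (10, "X"), (9, "IX"), (5, "V"), (4, "IV"), (1, "I"),
]


def int_to_roman(n: int) -> str:
    """Encode 1..3999 in canonical Roman form (e.g. 1990 -> 'MCMXC')."""
    if not 1 <= n <= 3999:
        raise ValueError(f"{n} is outside the canonical Roman range 1..3999")
    out = []
    for value, symbol in ROMAN_VALUES:
        count, n = divmod(n, value)
        out.append(symbol * count)
    return "".join(out)


def roman_to_int(s: str) -> int:
    """Strictly decode a Roman numeral; reject anything non-canonical.

    Greedy matching alone would accept junk such as 'IIII' or 'VX', so the
    decoded value is re-encoded and compared with the input.
    """
    token = s.strip().upper()
    if not re.fullmatch(r"[MDCLXVI]+", token):
        raise ValueError(f"{s!r} is not a Roman numeral")
    total, i = 0, 0
    for value, symbol in ROMAN_VALUES:
        while token.startswith(symbol, i):
            total += value
            i += len(symbol)
    if i != len(token) or total > 3999 or int_to_roman(total) != token:
        raise ValueError(f"{s!r} is not a canonical Roman numeral")
    return total


def is_canonical_roman(s: str) -> bool:
    """Convenience predicate wrapping roman_to_int()."""
    try:
        roman_to_int(s)
    except ValueError:
        return False
    return True


def roman_to_ipv4(clue: str) -> str:
    """Decode a clue of four Roman groups (dot- or space-separated) to an IPv4 address.

    Assumed clue format: exactly four groups. Roman numerals have no zero, so a
    clue in this format cannot encode a zero octet; each group must be 1..255.
    """
    groups = [g for g in re.split(r"[.\s]+", clue.strip()) if g]
    if len(groups) != 4:
        raise ValueError(f"expected four Roman groups, got {len(groups)}")
    octets = []
    for group in groups:
        value = roman_to_int(group)
        if value > 255:
            raise ValueError(f"{group} = {value} does not fit in an IPv4 octet")
        octets.append(value)
    # ipaddress normalises and double-checks the dotted quad.
    return str(ipaddress.IPv4Address(".".join(str(o) for o in octets)))


if __name__ == "__main__":
    # Constructed sample clues, not the actual LASCON badge text.
    for clue in ("X.XXXVII.CXXVIII.XXV", "CXCII CLXVIII I I",
                 "CCLVI.I.I.I", "IIII.I.I.I"):
        try:
            print(f"{clue:24} -> {roman_to_ipv4(clue)}")
        except ValueError as exc:
            print(f"{clue:24} -> rejected: {exc}")
```

The re-encode-and-compare step is what makes the parser strict: a greedy left-to-right match happily consumes "IIII" as 4, but canonical encoding of 4 is "IV", so the mismatch exposes the malformed input.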

Jgor taught me how to pick a four-wheel combination lock.
After I had successfully felt for the solution, he showed a slide
with a cutaway view of the internals.
Over 40 different breakout sessions provided expert presentations on application security, rugged development, agile development, cryptography, IoT and mobile platforms, and an array of special case studies.  The two-day conference ended with giveaways and drawings. The top prize was a Pwn Phone from Pwnie Express.

We enjoyed great guitar work from Chris Devore
at both lunches and the Thursday evening social.