AusCERT2012

SOS is a proud supporter of AusCERT and is pleased to announce that our consultants have been invited to present at the 2012 conference. Our presentations include: Managed Service Provider Security, Smart Phone Security, and a tutorial on Secure Application Development Practices.

The AusCERT security conference is arguably Australia’s premier information security event on the annual calendar. Sense of Security has again been recognised for its pedigree in information security research and has been invited to present on contemporary topics impacting business today.

Presentation 1 – Keeping your Service Provider Honest: Managed Hosting Services (MHS).

Prashant Haldankar, Senior Security Consultant for Governance, Risk and Compliance at Sense of Security, will provide valuable insight into this topic. His presentation will cover the following themes:

  • Managed Hosting Services – what is on offer today?
  • Some of the key aspects organisations consider when using MHS
  • Why use them? Benefits presented by MHS
  • Key risks and challenges related to MHS
  • Key items to consider when engaging an MHS
    • Scope of Services
    • Defining Responsibilities
    • Contract Clauses
    • Third-Party Management Techniques
    • Risk Management
    • Compliance Requirements (government and commercial)
    • Audit and Assurance (including reports and testing)

Presentation 2 – Help! My Mobile Device is Spying on Me.

The use of mobile devices is now mainstream across all sectors, driven by the very rapid adoption of smartphone and tablet technology. This technology underpins both personal mobility requirements and the mobile workforce revolution, providing access to corporate resources and applications across global networks as well as online access to social platforms.

Unfortunately, new technologies are not impervious to security vulnerabilities.

Murray Goldschmidt, Chief Operating Officer at Sense of Security, will present our research on this topic and discuss the methods through which successful compromise is most likely to occur. Murray’s presentation will include:

  1. Sample scenarios to establish the breadth and depth of the issue.
  2. The approach taken to the research.
  3. Platforms assessed for exposure to remote compromise, including a ranking by ease of exploitation and by attacker capability once a device is compromised.
  4. Initial platforms under review: iOS, Android, BlackBerry, Windows Mobile.
  5. Implications for the corporate, education and government sectors.
  6. Mitigation strategies.

Tutorial – Web Application Security Testing and Practical Secure Application Development

The last few years have seen a significant surge in the number of application-specific vulnerabilities disclosed to the public. No application technology has proved invulnerable, and discoveries are made every day that affect the security and privacy of both owners and users.

Jason Edelstein, Chief Technology Officer at Sense of Security, will host this one-day tutorial. The tutorial will take delegates from how attackers compromise web applications and how to test your own applications to determine whether they are vulnerable, through to writing secure code in practice and embedding security throughout the SDLC. Secure application development will be taught with reference to some of the most prevalent programming languages in use today: Java, ASP.NET and PHP.

The high-level course outline is as follows:

  1. Current security solutions
    • What they are
    • Why they fail to protect web applications
  2. HTTP anatomy 101
    • How requests and responses are formed
    • Cookies, session management and authentication
    • Web technologies
  3. Secure architectures – pitfalls and solutions
    • Security controls to be implemented at the network, system and application layers
  4. Common web application attacks
    • How they work (focus on the OWASP Top 10)
    • What the consequences are
  5. Lab time to test the theory that has been taught against some deliberately vulnerable applications
  6. Protecting against web application attacks
    • Writing secure code
    • Security testing
  7. Secure SDLC
    • Embedding security throughout
    • Which security activities should be conducted, and when?
    • How should they be conducted, and by whom?
    • How frequently should they be conducted?