KEYNOTE SPEAKER: John Viega (Chief Security Architect, McAfee Inc.)
February 22, 2006
Presentation Title: What application security tools vendors don’t want you to know and holes they will never find!
Presentation Abstract
Software and application security is a hard nut to crack. Traditional network and operating system assessment and protection tools can be taught to look for repeatable conditions with reasonable results. However (and despite heavy marketing suggesting otherwise), application protection and assessment tools suffer from a significantly different order of problem. In this talk John Viega and Mark Curphey will systematically discuss and demonstrate the limitations of automated protection and assessment tools using live working examples. The talk will focus on code review tools, web application scanners and web application firewalls.
About John Viega
John is the co-author of three books on application security, Building Secure Software (Addison Wesley, 2001), Network Security with OpenSSL (O’Reilly, 2002) and the Secure Programming Cookbook (O’Reilly, 2003). He also built the CLASP application security process, which is available on-line. John’s research areas have included application security, cryptography, programming languages and usability. He co-developed GCM, a mode of operation for block ciphers such as AES that has been incorporated into IPSec and the 802.1AE draft document, and is currently being standardized by NIST. Despite being cautious about embracing the open source security theory, John has been involved in many open source projects. He was the original author of the Mailman mailing list manager, and has been author or co-author of many other free projects, including RATS, SafeStr, XXL and ITS4.
Note: John will be presenting this keynote with Mark Curphey (Vice President, Foundstone Professional Services, a division of McAfee Inc.)