There are simply too many great conferences in the world to attend every one and still keep the lights on at the home office. In April, HITB Sec Conference 2008 in Dubai featured a few excellent presentations on current issues for PCI DSS-regulated companies (application security), along with several insights into other areas of concern for global security. The full presentation files are available here. A few of the presentations I would recommend for your review are listed below (Title, Summary, and Author are pulled from the conference agenda, as the downloads are only referenced by speaker name):
Shreeraj Shah (Director, BlueInfy)
Presentation Title: Securing Next Generation Applications – Scan, Detect and Mitigate
McKinsey’s recent global survey suggested that 80% of companies are investing in Web 2.0 technologies. Web 2.0 technologies are no longer restricted to social networking sites but are forming the backend to enterprise-level applications. This evolution is giving rise to next generation application hacking and attack vectors. It is imperative to understand these new attacks and scanning methods to detect vulnerabilities. This presentation is going to cover the following important aspects of next generation application security.
– Footprinting, Scanning and Crawling of Web 2.0 applications.
– Ajax and Flash based XSS for Web 2.0 applications.
– One-Way and Two-Way Cross Site Request Forgery for XML and JSON streams.
– Threat Model 2.0 for Web 2.0 applications.
– Hacking and Securing Service Oriented Architecture (SOAP, XML-RPC and REST based applications)
– Strategic security controls by leveraging Source code scanning and application layer filtering.
This presentation will be full of real life cases, live demonstrations, new tools and techniques, along with in-depth coverage of the latest concepts and methodologies.
Raoul Chiesa (Board of Directors Member @Mediaservice.net, ISECOM Group & TSTF)
Presentation Title: Penetration Testing SCADA and National Critical Infrastructure: Real-Life Experiences and Case Studies
The SCADA acronym stands for “Supervisory Control And Data Acquisition”, and it’s related to industrial automation inside critical infrastructures. This talk will introduce the audience to SCADA environments and their totally different security approaches, outlining the main key differences from typical IT Security best practices.
We will analyze a real world case study related to industry. We will describe the most common security mistakes and some of the direct consequences of such mistakes to a production environment. In addition, attendees will be shown a video of real SCADA machines reacting to these attacks in the most “interesting” of ways!
Petko D. Petkov [pdp] (GNUCITIZEN)
Presentation Title: For My Next Trick… Client-Side Hacking
This paper describes numerous techniques for attacking client-side technologies. The content of the paper is based on the research that has been conducted over the past year by the GNUCITIZEN Ethical Hacker Outfit.
The slides on the new attack vectors in the Web 2.0 arena (which represents at least one instance where every piece of our data is accessed, managed, and manipulated) are interesting and educational.
Of course, as much fun as the slides are, the presenters are really the show, so I do encourage everyone to contact and contribute to the community where you are able.
Client-side software generally refers to a class of computer programs that are executed on the client, by the user’s supporting environment, instead of on the server. Both clients and servers are in constant interaction. In a Web environment, the client is represented by the user’s web browser, while the server is the remote computer which serves dynamic content. In a much broader context, the client-server relationship can be represented by a network client connected to a WiFi network.
All the best,