Presentation by Charl van der Walt at the ITWeb Security Summit 2010.
This presentation is an introduction to the Security Summit 2010. It introduces all the speakers.
Editor's notes
Good morning, thank you for being here, and welcome again to the ITWeb Security Summit of 2010. This is the 5th time this event is being staged and we are extremely excited about the three days that lie ahead of us.
I represent the Security Summit "Technical Committee". ITWeb has shown great integrity in their commitment to keeping the Security Summit at the forefront of both local and global trends. To achieve this we have enlisted a team of practitioners to assist us in planning for the event. This team's role is to advise us on theme, tracks, topics and speakers and, finally, to review and provide input on talks and papers. This is the second year that we've been involved in the conference in this capacity and we'd like to thank ITWeb, and thank you, for the privilege of being a part of this enriching and rewarding experience.
An organization like ITWeb has to maintain a careful balance between delivering the content you want to hear, delivering the content you need to hear, and delivering the content the sponsors want you to hear. Maintaining this balance leads us from time to time into some degree of conflict with ITWeb, but in each case they have responded with integrity and fairness and a firm commitment to the quality of speakers and content this event has come to represent.
We are extremely excited about the line-up of speakers at this year’s event.
So, what has this conference come to represent? Well, we believe that over the next three days you will be exposed to as much high quality, relevant and objective information security content as you can expect to see in one place anywhere in the world. A brief look back in time at our visiting speakers alone illustrates this point very clearly.
2006: Kevin Mitnick, Tom Scholtz (Gartner)
2007: Bruce Schneier
2008: Johnny Cache, Roberto Preatoni, Howard Schmidt, Eugene Kaspersky, David Litchfield, Johnny Long
2009: Phil Zimmermann, Jeremiah Grossman, Tyler Moore, Michael Dahn, Adam Shostack, Frank Artes, 'The Grugq'
2010: Joe Grand, Jeremiah, Felix (FX) Lindner, Moxie Marlinspike, Charlie Miller, Saumil Shah, Dino Dai Zovi, Nitesh Dhanjani, Alli Miller
Joe Grand is one of the world's few hacker 'celebrities'. He's best known for the role he plays on the Discovery Channel series "Model This", but he is also a respected veteran of our industry and one of the founding members of the L0pht hacking crew back in the '90s. Joe reckons that over the last decade things have arguably gotten worse. He points out that:
The online presence of people, companies, and organizations has grown larger
Users and vendors are not learning from history
Many companies are now involved in this industry selling security products that give us a false sense of security
Moxie Marlinspike's real passion is yachting. He stripped the paint off that old bastion of Internet security, SSL. He says he did it mostly to prove a point with Microsoft after something they did made him really, really, really mad.
Here are some other people you don't want to make mad. At the CanSecWest "Pwn2Own" in April this year, Charlie Miller, Jake Honoroff and Mark Daniel from Independent Security Evaluators successfully compromised the Apple MacBook Air via a Safari 0day in "10 seconds". Charlie reckons he used one of 20 bugs he found, but there are probably hundreds more.
Dino Dai Zovi is mad already. In his talk in TRACK 1 on Wednesday he points out that:
Patching every security vulnerability and writing 100% bug-free code is impossible
Even the advanced exploit mitigation techniques developed on exactly this premise can now regularly be bypassed
We all remember Jeremiah Grossman from last year. His keynote presentation is on 'The Top Ten Hacks of the Year'. The 2010 WASC Statistics report, to which his team contributed, shows that:
More than 13% of sites can be compromised completely automatically
About 49% of web applications contain vulnerabilities of high risk level
99% of web applications are not compliant with PCI DSS standard requirements
Ian de Villiers works for SensePost. He doesn't get mad, he gets even. Ian's presentation is in TRACK 1 tomorrow. He points out that even securely-coded applications can be undermined by deployment on weak frameworks and platforms. Ian will demonstrate some of the emerging techniques he's using to cleave through the security of some very high-profile organizations using some very high-profile portal frameworks.
Some of our other local speakers would get mad if I didn't mention their talks.
Frans Lategan: Estimates only 1.7% of online banking users can adequately protect themselves online
Tony Stephanou: Education does not effectively affect user behaviour
Barry Irwin: Calculates that potentially > 70% of computers in Africa are unpatched
Tony Olivier (Helaine Leggat, Matt Erasmus): Change is escalating; you will always be behind the curve; the next threat will come from an unexpected source
Saumil Shah is presenting a little later this afternoon (his talk was postponed). He's a grumpy guy at the best of times, and his flight was cancelled, so I imagine he's going to be even grumpier still. Saumil points out that the web is fragile by design. The fundamental design weakness of HTTP allows malware to thrive. It's 2010: what are we going to do about it?
It’s a sad state of affairs really
But as with many clouds, this one has a silver lining and we've tried in this event to map out a path toward the proverbial pot of (security) gold. We believe that the journey to that pot of gold should take us through four major phases: Regulation, Formalization, Measurement and Communication.
It is becoming increasingly apparent that without external pressure businesses are not willing to accept the cost of effective security programmes. As governments and other authoritative bodies step in to regulate industries that will not regulate themselves, we should carefully observe the impact of work like:
King III
The Protection of Personal Information Act (PPIA)
The Companies Act
The new DoC "Cyber Policy"
The PCI DSS
And others
These regulations have the potential to significantly change our industry and the way we go about doing our work. Look out for the presentations by Helaine Leggat, Ritasha Jethva, Bryce Thorold and others, most of which will be after lunch today in TRACK 1 & TRACK 2.
Regulation must invariably force us into a formalization of our practice. In some areas such formalization is already quite common, but in others, like application development, it's sadly still in its infancy. Security standards and formalization are extensively covered on day one, particularly in TRACK 1 and TRACK 2 after lunch. Look out for presentations by:
Kris Budick on behalf of Edcon
David Volschenk & Justin Williams of E&Y
But especially Paul and Theo from Thinksmart in TRACK 3 this afternoon
And Allie Miller's keynote this morning
Consistent security model for web services: Dominique dHotman, Manager: Enterprise Architecture, Ooba
• The Ooba story: SOA deployment across many different business lines and application types
• Practical advice on building WS-* compliant software across the board
• How to connect with clients and/or business partners in a simple, secure and standards-based fashion
• How Ooba's development life-cycle ensures governance and consistent application
The old adage says: "Show me how you'll measure me, I'll tell you how I'll perform." Formalization, if successful, will demand formal, objective and intelligent measurement of outcomes, something that our industry has still not really been able to produce. The people of 'securitymetrics.org' (Andrew Jaquith, Adam Shostack and Bruce Schneier, the latter two of whom have spoken here in the past) have started building an invaluable body of work in this field. Tony Stephanou of T-Systems, who speaks in TRACK 1 today, will share valuable insights and experience that he has gained in his efforts to develop metrics and measure security.
Finally (and this has been said often before) if security is to impact business then security has to learn to speak to business. In our opening keynote this morning Pat Pather of Standard Bank explores