The Autumn quarter WASP event will feature a talk on securing AJAX applications and one on recent security research that includes security considerations for medical devices.
Securing AJAX Applications
Charlie Reis, Google
Slides
Developing secure web applications can be hard, and AJAX can make it harder. This talk will provide an overview of several key topics web developers should know about to avoid common vulnerabilities, from XSS and CSRF to threats posed by JSON. I'll cover basic techniques for defending against these attacks, as well as a few advanced topics emerging from recent research.
Bio: Charlie Reis finished his PhD at UW CSE in 2009, and he is now working at Google's Seattle office on Google Chrome. His research focuses on improving web browsers for safely running web-based programs.
Tadayoshi Kohno, University of Washington
Implantable medical devices (IMDs), such as pacemakers and implantable cardiac defibrillators, can save lives and greatly improve a patient's quality of life. But what are the security considerations for IMDs that communicate wirelessly and live inside a human being? Some of the revelations are surprising, and chilling. Professor Kohno will talk about his work in this area as well as other security-related research.
Bio: Tadayoshi Kohno is an Assistant Professor in Computer Science and Engineering. His primary research interests are in computer security and privacy.
When: October 31st, 2008 - 2:00 pm - 4:00 pm
Where: North Training Room on the 22nd floor of the UW Tower
Threat Modeling for Systems and Applications
For those who missed it, or asked questions that never got answered, please have a look at the public access wiki page, WASP "Threat Modeling" Presentation and Discussion, that I (Anne Hopkins) just put together at https://wiki.cac.washington.edu/x/2Jvi
When: Wednesday March 18, 2009 - 2:30 pm
Where: UW Tower, Magnolia room (22nd floor)
The Web Grades Submission project team performed a uniquely thorough security review and threat analysis of the sensitive and powerful new online Web Grades system. Anne Hopkins, who led the Web Grades security effort, will:
- Outline the rewards and limitations of their threat modeling effort.
- Present their threat modeling process.
- Highlight two low-cost exercises all dev teams should do.
- Provide examples of diagrams and docs that emerge from the process.
- Note where UW Security Policies intersect with this process.
Discussion and Q&A
- Do you need to be a security expert?
- How much of this is realistic to incorporate into YOUR dev shop?
- Would templates, examples or other resources be worth providing?
- Your questions.
Securely publishing to MyUW
When: October 31st, 2008 - 2:00 pm - 4:00 pm
Where: North Training Room on the 22nd floor of the UW Tower
Talks:
- Securely publishing to MyUW (Dan Boren, Computer Science and Engineering)
- The state of web security on campus (Kirk Bailey, CISO)
How Catalyst got out of its identity quagmire using Shibboleth
When: Wednesday March 26, 2008 - 1:30 pm - 3:30 pm
Where: South Campus Center Room 316L
A joint presentation by Catalyst developers and developers from UW Technology's Identity and Access Management group (formerly known as C&C Security Middleware). The presenters will tell their identity management story and how they came to use Shibboleth as their authentication technology.
For more information on Shibboleth, refer to: http://shibboleth.internet2.edu/
Live! Somebody gets 0wn3d!
When: Monday December 10, 2007 - 1:30 pm - 3:30 pm
Where: HUB 108
IOActive will perform a live penetration test of a real UW web application, kindly provided by the department of Academic Personnel Information. The team will then show developers how to fix the problems and how to avoid common programming errors with the help of the WASP secure coding guidelines and the upcoming WASP secure code repository.
Optional 1-hour session immediately following the above (same location): "Ask the hacker" Q&A session and a chance for face-to-face interaction with fellow attendees.
Click here for the presentation slides from the event.
About the WASP
What is WASP?
The Web Application Security Peer Working Group (WASP) is a cross-campus group established under the Office of Information Management to address Web application security at the University of Washington. The WASP aims to become a leader for web application security at the UW and to help push the UW to become a web application security leader within the greater education technology community.
WASP meetings for 2008 are typically scheduled for Wednesdays at 1 pm in EE303. Meetings are open to all interested parties at the UW. Contact the WASP for information on time and upcoming locations.
Contact the WASP
Contact the WASP by mailing wasp-nest@u.washington.edu.
- Sign up here for all general WASP announcements, including meeting agendas and events.
- Sign up here to join the WASP carnivores for secure BBQ outings.
- Sign up here to receive a weekly newsletter of security-related news, with coverage oriented towards a UW audience.
Or contact the WASP Co-Coordinators directly (check the UW Directory for contact info):