Web Application Security Peer Working Group
Warning! This site is no longer maintained!

Past WASP Events

Threat Modeling for Systems and Applications

For those who missed it, or asked questions that never got answered, please have a look at the public access wiki page, WASP "Threat Modeling" Presentation and Discussion, that I (Anne Hopkins) just put together at https://wiki.cac.washington.edu/x/2Jvi

When: Wednesday March 18, 2009 - 2:30 pm
Where: UW Tower, Magnolia room (22nd floor)

The Web Grades Submission project team performed a uniquely thorough Security Review and Threat Analysis of the sensitive and powerful new online Web Grades system. Anne Hopkins, who led the Web Grades Security effort, will:

  1. Outline the rewards and limitations of their threat modeling effort.
  2. Present their threat modeling process.
  3. Highlight two low-cost exercises all dev teams should do.
  4. Provide examples of diagrams and docs that emerge from the process.
  5. Note where UW Security Policies intersect with this process.
  6. Discussion and Q&A
    • Do you need to be a security expert?
    • How much of this is realistic to incorporate into YOUR dev shop?
    • Would templates, examples or other resources be worth providing?
    • Your questions.

Securely publishing to MyUW

When: October 31, 2008 - 2:00 pm - 4:00 pm
Where: North Training Room on the 22nd floor of the UW Tower

Talks:

  • Securely publishing to MyUW
    Dan Boren, Computer Science and Engineering
  • The state of web security on campus
    Kirk Bailey, CISO

How Catalyst got out of its identity quagmire using Shibboleth

When: Wednesday March 26, 2008 - 1:30 pm - 3:30 pm
Where: South Campus Center Room 316L

A joint presentation by Catalyst developers and developers from UW Technology's Identity and Access Management group (formerly known as C&C Security Middleware). The presenters will tell their identity management story and how they came to use Shibboleth as their authentication technology.

For more information on Shibboleth, refer to: http://shibboleth.internet2.edu/

Live! Somebody gets 0wn3d!

When: Monday December 10, 2007 - 1:30 pm - 3:30 pm
Where: HUB 108

IOActive will perform a live penetration test of a real UW web application, kindly provided by the department of Academic Personnel Information. The team will then show developers how to fix the problems and how to avoid common programming errors with the help of the WASP secure coding guidelines and the upcoming WASP secure code repository.

Optional 1 hour session immediately following the above (same location)

"Ask the hacker" Q&A session and a chance for face-to-face interaction with fellow attendees.

Be Afraid, Be Very Afraid: Live UW Intrusion Demo

September 19, 2007 - 85 attendees!

Network security engineer Lucas Reber from UW Security Operations discussed web app penetration using real hacker tools. Based on a true story!

 
