February 29 - March 2, 2012
Montreal, Canada

Montreal Security Conference

Security Somehow you met the impossible deadline, your project is on-line and you now deserve some time to relax. Other than you and me though, the internet does not sleep and your application is under constant attack having hackers have their ways to break into applications and steal or modify private information. Switch sides for an hour and attack the demo blackbox application! Learn how attackers gather information, exploit vulnerabilities and hijack servers - and what to do to stop them.
Security The case for online identity has been present for as long as there has been a need to customize a web experience for an individual person. From OpenID to BrowserID, there are open solutions for solving the issue of having different logins for all of the sites and services we use. The problem with open identity systems in the Ecommerce world is that the identifying characteristics of a user in current implementations is shallow, providing basically a “yes, this person has an account” answer to “who is this user?”.

This is where new X.commerce identity is trying to change identity. By leveraging off of the massive user Ecommerce information of PayPal and eBay, open Ecommerce identity is now a valuable source of real user data. Using buying and selling history, user ratings, profile identifiers and a vast array of different user data, X.commerce identity is able to define “trust levels” for a user who signs in to your site and provide solutions for easy, secure identity and payment.
Security La cryptographie n'est pas facile à comprendre et encore moins la mettre en place.

Cette présentation se veut une introduction à la cryptographie par la définition, des exemples (php) et la mise en place.
Security In this session, we will discuss how to assure the security and quality of code through the use of static analysis and the application of software code governance. Attendees will learn how static analysis can be used to find and address defects that could become security vulnerabilities while the code is still in development. We will also discuss how to assess the security of code coming from the open source. We’ll look at some specific issues which could become security vulnerabilities that we found in some of the leading open source projects through the Scan initiative.

Finally we’ll present some case studies of customers who have implemented static analysis with software code governance. We’ll discuss how to establish and enforce quality and security thresholds for managing the software assurance of internally developed code and third-party code.
Security You've been hacked, and you're both the web developer and the sysadmin. It was probably through that sketchy plugin you just added to your third-party PHP application. You removed it, but they're back. Now what? In this presentation we will walk through the steps of dealing with security incidents, from identifying that the compromise occurred, how it happened, and what they did after they got in. We'll go through several very real post-compromise scenarios that we hope are never useful
Security Vega is a cross-platform, open-source toolkit for testing the security of web applications, developed by Montreal-based Subgraph. Vega includes an automated vulnerability scanner and an intercepting proxy. The Vega vulnerability checks are implemented as Javascript modules. While Vega comes with a set of modules comprising the standard checks, a rich API makes it possible to extend the functionality of Vega. In this talk we will explain how some of the standard modules work, and then introduce the API for the development of new ones.
Security Code injection into web apps is not a new phenomenon. It's been a constant on the web even longer than IE6. It's been around since the very first .cgi scripts were chmod +x'ed, resulting in a chroot 0wn3d.

Code injection is mainly brought about by web programmers not making sure that the input received from users is what was expected.

This talk, will concentrate mainly on XSS injection, but will also talk a little about SQLi and CSRF. We'll go over the kinds of programming mistakes that result in code injection, and how to change your mindset to prevent these issues.
Security Les smartphones sont aujourdhui partie prenante de toutes les entreprises (on ne parle plus que de iPhone, iPad, Android, ....)

Malheureusement ces outils sont actuellement la cible de toutes les attaques pour entrer dans l'entreprise.

Nous détaillerons dans cette présentatino les dix risques les plus courants s'appliquant aux smartphones ainsi que les remédiations possibles.

Security Plusieurs nouvelles technologies et nouveaux protocoles pour aider la sécurité, votre identité et votre vie privé ont été ajoutés au niveau des navigateurs. Plusieurs doivent être ajoutés ou activés à partir de votre serveur web.

Dans cette présentation nous allons explorer ces technologies et nous apprendrons comment nous en servir.
Security Nowadays many modern web applications are solely relying on JavaScript to render their frontend and only provide an API endpoint at their backend, resulting in a much more fluent and desktop-application-like user experience. But if you want to create mashups, load data from many different places or include external widgets into your site, you are quickly running into boundaries because of browser and security restrictions. In this presentation I will talk about techniques, some older, some brand new which will help you to:

* create rich JavaScript based Web Applications
* make API calls to external domains
* authenticate these calls through OAuth2 without compromising your secrets
* load external content and JavaScript widgets safely
* send JavaScript messages between frames on different domains
* get real-time notifications from your backendand use the browser to store the some of the user's data.
Security Présentation de la SDL et du modèle simplifié de la SDL
- Adapter la SDL à un processus existant de développement Web; comment s'y prendre
=> Modélisation de menaces/attaques
=> Développement sécurisé, principes et concepts
=> Test/Fuzzing
- Utilisation des outils open-source existants
Security To ensure the high quality of your source code, you of course write (unit) tests and do regular code reviews. Judging the state of security though may seem a lot harder than it is - if you don't know what to look for and where to get started. This talk will introduce you to security audits, why and how tools can assist a manual review and why a mere scanner based approach doesn't work.
Security Nous présenterons des bonnes pratiques autour de Ruby on Rails pour éviter :

- La mauvaise gestion des sessions
- Les problèmes de XSS/CSRF
- Les injections SQL,
....
En parallèle nous aborderons le Top10 2010 OWASP autour de Ruby on Rails

Security La cyber-archéologie, ou l'art d'essayer de découvrir des fichiers et des répertoires non-exposés sur un domaine donné est depuis très longtemps un sujet connu et surtout outillé. Cependant, les outils déjà sur le marché comme Nikto, Dirbuster, Vega, skipfish ou autres couvrent mal la problématique. Alors que certains sont simplement des détecteurs de vulnérabilités très complet avec une extension pour ce type d'opération, d'autre sont mal maintenu, prompt à de faux positifs ou carrément trop lent pour la tâche. Tachyon se positionne comme un outil de cyber-archéologie dédié. Avec son architecture de plugin, son exécution parallèle optimisée, son approche novatrice pour la détection de faux positifs et son support pour le réseau Tor, l'outil se démarque lors des situations réelles. La session présentera l'outil, les raisons de son existence, sa technique de détection de faux-positifs ainsi que son architecture de plugins. Si nous avons le temps, nous écrirons un petit plugin en exemple
Security Vous êtes sur le point de signer un contrat avec un éditeur d'applications web. Tous les éléments du cahier des charges ont été pris en compte dans l'offre, même la sécurité: le contrôle d'accès, la disponibilité, et...et c'est tout! Où est le reste? Pirates informatiques? Fraudeurs? Revendeurs d'informations? Concurrence? Lois? Qui s'en occupe? Y a-t-on pensé?

Lors de cette séance, nous simulerons l'intervention d'un spécialiste en modélisation de menaces (threat modeling) au tout début du projet de développement d'une application web mobile hébergée en cloud.

Son rôle sera de recenser les menaces spécifiques auxquelles votre application est exposée, techniques et/ou fonctionnels, puis de formuler des recommandations pour les architectes et développeurs.

En quoi cette activité consiste-t-elle? Qui la réalise? Comment trouve-t-on les menaces? Avec quelles techniques? Que doit-on insérer dans le cahier des charges destiné à l'éditeur de l'application?
Security 45 minutes pour parcourir une série d'exemples de code source, tirés d'applications web ou moins web, toutes technologies confondues, et présentant une faille de sécurité de plus ou moins grande gravité.

La séance se veut ludique et organisée sous la forme d'un quizz: nous disposeront de quelques minutes pour tenter de trouver les failles de sécurité dans chaque exemple de code affiché à l'écran. La faille et ses impacts potentiels seront ensuite expliqués.
Security According to a study, nine out of ten web applications have security vulnerabilities. Recent events proved that not only old legacy sites were successfully attacked, but also new and recent applications, built with the best intentions and also with security in mind. We will have a look at common attacks, new attacks, and new twists to old attacks that demonstrate why so many websites may be compromised. We will have a look at recent attacks that made mainstream media, analyze some aspects of them, and will provide guidelines and best practices to become website ten out of ten. This session, as usual, comes with code and demos.
Security Almost every day now, we are told in the news about some huge hacking incident resulting from a vulnerable application in some organization. Unfortunately, we are rarely told about less sensational intrusions. Who are the guys behind those incidents and what suddenly brings their attention to a particular victim?

During this presentation, the audience will discover the "who", "what" and "why" of application security. We will not only talk about the "bad guys" but also about what is being done on the bright side of the picture, by developers, and by other people also involved in software defense.
Security This talk will focus on XSS, CSRF, Session Hijacking, SQL Injection, and other security issues need addressed in Website Development, and how to close them. This talk will delve into some specific code examples showing where vulnerabilities exist, and how to prevent them.

Explore all 161 sessions

Presented by

Sponsored by

Media