Session Description (include details of proposed agenda, potential speakers and expected outcomes)
The first three talks make up version a) of the session (2 hours).
1. "Writing secure code not being a security specialist" - 45-60 mins
2. "A developer's security toolset: what if I scan the code myself?" - 30 mins
3. "My Web server safe & sound" - 30-45 mins
The following two talks are an extension to the session (version b) and would be given by someone else.
4. "Defensive network programming" - up to 1 hour
5. "Raising applications security in EGEE with gLite" - up to 1 hour
Project(s) or EGEE activity presenting the demo or poster (project or activity names only)
SA3, Gerard Frankowski (PSNC) - three talks (1-3)
The talks 4 and 5 would be given by someone else
Special requirements other than the set up mentioned in the CfA text.
ca 60-80, the session is basically for the developers and the system administrators
Please indicate your preferred day to give a demo.
Versions: a) 2 hrs, b) 4 hrs
PSNC is performing source code security tests of gLite; based on our experience (and on commonly found vulnerabilities) we'd like to tell the programmers how to avoid introducing common security vulnerabilities and how to use several simple tools to find the most trivial ones (such as calls to potentially dangerous functions or simple memory leaks). Input data filtering mechanisms would be especially emphasized. Another short talk will show some simple tools that may be used by developers (of C, PHP, Java). Additionally, a talk about simple hardening of a Web server would be included (e.g. avoiding Information Disclosure attacks).
The general idea is that programmers and administrators need not be security specialists, but should be taught more about secure programming/configuration and its significance. That would also help the security specialists, who would then be able to devote more effort to finding vulnerabilities that are hidden deeply and require a thorough analysis.
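To illustrate the two points the abstract emphasizes (replacing potentially dangerous functions and filtering input data), here is a small C example. It is added for this page and is not code from gLite, PSNC or the proposed talks; the user-name format, the `USER_MAX` limit and the function names are assumptions chosen for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_MAX 32   /* assumed maximum user-name length, including NUL */

/* The pattern a simple source scanner flags: unbounded strcpy/sprintf into
 * fixed buffers. Shown for contrast only; it is never called below. */
static void greet_unsafe(const char *name, char out[64]) {
    char buf[USER_MAX];
    strcpy(buf, name);                 /* overflows if name has >= 32 chars */
    sprintf(out, "Hello, %s", buf);    /* no bound on the output either */
}

/* Input filtering with an allow-list: accept 1..USER_MAX-1 characters
 * drawn only from [A-Za-z0-9_.-]; anything else is rejected outright. */
bool valid_username(const char *s) {
    size_t n = 0;
    for (; n < USER_MAX && s[n] != '\0'; n++) {
        unsigned char c = (unsigned char)s[n];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return false;
    }
    return n > 0 && n < USER_MAX;      /* empty or too long -> reject */
}

/* Bounded replacement for the unsafe version. Returns 0 on success, -1 if
 * the input is rejected or the greeting would not fit in out[]. */
int greet_safe(const char *name, char *out, size_t out_len) {
    if (out == NULL || out_len == 0 || !valid_username(name))
        return -1;
    int n = snprintf(out, out_len, "Hello, %s", name);
    if (n < 0 || (size_t)n >= out_len)  /* snprintf reports truncation */
        return -1;
    return 0;
}

/* Convenience wrapper with a static buffer; NULL means the input was refused. */
const char *greeting_for(const char *name) {
    static char out[48];
    return greet_safe(name, out, sizeof out) == 0 ? out : NULL;
}

int main(void) {
    (void)greet_unsafe;   /* referenced only so the contrast stays visible */
    const char *inputs[] = { "alice", "bad name", "", "a.b-c_d" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *g = greeting_for(inputs[i]);
        printf("%-10s -> %s\n", inputs[i], g ? g : "rejected");
    }
    return 0;
}
```

The allow-list is the important part: it defines what a valid value looks like and rejects everything else, instead of trying to enumerate dangerous characters. `snprintf` with the buffer size, plus checking its return value for truncation, is the direct substitute for the `strcpy`/`sprintf` calls that a simple scanner would report.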