Announcements
Some 2012 speaking announcements
2012-01-26 -at-08:56
It’s still January, but we have several public
speaking and training sessions where Ken will be
featured. Here’s the list (so far), but we’ll be
updating it from time to time:
5-9 March - Ken will once again be on the faculty of the annual SecAppDev training event in Leuven, Belgium. SecAppDev is a non-profit organization that runs an annual event in association with KU Leuven and the Solvay Business School.
6 March - During SecAppDev, Ken will be presenting a short intro to iOS security and the OWASP iGoat tool at the Belgian chapter meeting of OWASP.
27-30 March - Ken will be attending and presenting at the FIRST Symposium in São Paulo, Brazil. Ken will be doing a hands-on session on iOS security, with coding labs for the developers. (This is an invitation-only event. Contact Ken for details.)
14-17 May - Ken will be delivering a 1-day tutorial on developing secure Android apps at this year’s AnDevCon III conference in Burlingame, California, USA.
11-13 June - Ken will be doing his 3-day web application security class in Rome, Italy. This is an open enrollment class, presented in collaboration with long-time business partner Technology Transfer.
Stay tuned here for further updates as they come in.
2012 Update
2012-01-10 -at-13:34
To see what KRvW Associates has been up to for the
past year -- and what we’ll be doing in the future --
check out our 2012 update.
Announcing: Mobile App Sec Triathlon, 2-4 Nov 2011, San Jose, CA
2011-08-29 -at-17:46
We’re pleased to announce that we’re teaming up with
Gunnar Peterson at Arctec Group, LLC to deliver
our first ever Mobile App Sec Triathlon.
The 3-day heavily hands-on training event will be held 2-4 November 2011 in San Jose, California. See the web site for details:
http://www.mobileappsectriathlon.com
Announcing: iPad/iPhone enterprise management training
2011-07-29 -at-13:05
Faced with the problem of managing a fleet of iPhones
and/or iPads? Well, we’ve added a course to our
training catalog that will
help you do your job more effectively.
Rolling out a fleet of iPads and iPhones across an entire enterprise is a massive undertaking, and mistakes can be costly. How do you enforce enterprise IT policies for passwords, acceptable software, and so on? Our latest course, Managing the iPad/iPhone in the Enterprise, was built to answer these and many more questions.
The course includes hands-on labs where you’ll analyze off-the-shelf iOS software to determine whether it should be acceptable in an enterprise environment, as well as labs where you’ll learn how to build from scratch a custom configuration profile to enforce your enterprise’s security policies and practices. You’ll also learn how to deploy and centrally (and wirelessly) manage configurations across an entire enterprise fleet of devices.
Announcing: OWASP iGoat 1.0 integrated into KRvW mobile app courseware
2011-06-20 -at-13:43
Along with the
release of the OWASP iGoat tool, KRvW is also
announcing that iGoat has been integrated into our
popular mobile application courses.
Effective immediately, all students taking our course, “The art of building bulletproof iPhone apps” will use the iGoat tool to step through and learn about various iOS security pitfalls and how to avoid them. A 1/2- to 1-day coding lab is also available in which the students implement the necessary remediations to remove the vulnerabilities from each of the exercises included in iGoat.
Contact KRvW Associates for additional information.
Announcing: OWASP iGoat 1.0 released
2011-06-20 -at-13:33
Last week, we released the OWASP iGoat learning tool
under GPLv3 licensing.
The iGoat tool is a learning tool, primarily meant for iOS developers (but also useful to IT security practitioners, security architects, and others who simply want to learn about iOS security). It takes its name and inspiration from the venerable OWASP WebGoat tool.
Like WebGoat, iGoat users explore a number of security weaknesses in iOS by exploiting them first. Then, once each weakness has been explored, the iGoat user must implement a remediation to protect against each weakness and validate that the remediation was successful--similar to the WebGoat Developer Edition.
Hints and other background information are provided, right down to commented solutions in the source code, so that developers can use iGoat as a self-study learning tool to explore and understand iOS weaknesses and how to avoid them.
The iGoat project leader is Ken van Wyk from KRvW Associates, and the lead developer is Sean Eidemiller, also from KRvW Associates. Although we sponsored the initial release here at KRvW, we’re inviting the OWASP community to contribute and participate in this important open source project.
A project mailing list is available through OWASP, and is free and open to all.
Announcing: New Principal Consultant Sean Eidemiller joins KRvW Associates
2011-04-27 -at-10:38
Today, we have the pleasure to announce a new
Principal Consultant has joined KRvW Associates, LLC.
Sean Eidemiller brings to KRvW
his extensive software development experience.
Sean’s software development experience, combined with his experience and knowledge of software security practices, helps KRvW Associates continue to build on its reputation of being a world-class provider of security consulting and training services.
Sean has worked with KRvW Associates over the years on various special projects, so it’s great to bring him on board as a Principal at last.
Announcing: Secure iOS / Android app development classes added
2011-01-03 -at-15:19
We’re excited to announce today the addition of a
pair of new classes to our offerings. We are now
offering a pair of classes on secure app development
for the iOS and Android platforms. See the course description for
additional information, or contact us directly
for a detailed description of the course
outlines and availability.
KRvW Associates, LLC announces a new training partner
2009-11-13 -at-15:40
KRvW Associates, LLC is pleased to announce a
partnership with the Saltbush Group. Following
recent training for the Department of Education,
Employment and Workplace Relations (DEEWR),
Ken received the following kind words from one
of the students in the class:
"Ken van Wyk runs an up-to-date comprehensive course that I would highly recommend to anyone in this area.
He presents with years of experience and stories, in a friendly, down-to-earth fashion, adjusting his presentation style to the audience. In the course, he presents a balanced approach and explains the cost-benefits of mitigation controls. He never gets carried away and reminds us of the real goal, which is to serve business. He doesn't try to push any particular vendor, technology or system. Nor does he try to sell you any of his books but he will be glad to sign them if you do.
I learnt a lot and really enjoyed the course. Thanks Ken!"
Added 1-day dev module to class
2009-07-21 -at-18:13
Good news. We’ve added a 1-day optional addition to
our 3-day web application security class.
This optional day includes 3 in-depth coding labs for software developers to fine-tune their Java EE skills. The labs include patching existing Java EE code to make it resilient to cross-site scripting (XSS) and SQL injection flaws, as well as adding role-based access control code to some existing web servlets.
Additionally, in this 1-day add-on, students will get hands-on exposure to a commercial static code analysis tool by analyzing some existing open source Java software.
See our course descriptions for more details, or contact us directly.
Hands-on 3-day IDS tutorial added
2009-02-23 -at-17:35
By popular demand, we’ve recently added a hands-on
3-day workshop on intrusion detection and prevention
systems. See our course descriptions for
details.
Some public speaking engagements in early 2009
2008-12-03 -at-11:07
Our 2009 speaking calendar is taking shape quickly.
We have several Q1 commitments already, and several
others in the works for Q2 and beyond.
Here’s a quick look at some of what we’ll be doing in Q1 and early Q2:
- Ken will be doing a 1-day tutorial on web application security essentials -- inside the OWASP Top-10 -- at ESSoS | International Symposium on Engineering Secure Software and Systems, in Leuven, Belgium, 04-06 February 2009.
- Again for 2009, Ken will be on the faculty for the annual SecAppDev 2009 seminar in Leuven, Belgium, 02-06 March 2009.
- Ken will present a 1/2-day tutorial at SD West 2008, in Santa Clara, California, 09-13 March 2009.
- Ken will be presenting a 3-day in-depth seminar on Intrusion Detection and Prevention for AdAstra, in Singapore, Singapore, 23-25 March 2009.
- Continuing our strong support for Technology Transfer S.r.l., Ken will be teaching an in-depth 3-day seminar on Building Secure Web Applications in Java/J2EE, in Rome, Italy, 27-29 April 2009.
- LATE BREAKING: Ken will be doing a 1-day tutorial on the OWASP Top-10 security issues at AusCERT2009, in Brisbane, Australia, 17-22 May 2009.
If you’re looking for in-depth technical training at your conference or internally at your company, please don’t hesitate to contact us. We’ll gladly work with you to put together a tailored offering that fits perfectly with your needs.
New events format
2008-09-29 -at-14:31
We’ve started this “blog” format page for
KRvW-related announcements, upcoming events, etc.
Feedback is always welcome.
Ken