Web 2.0 promises to make Web applications far more usable and enjoyable than we have ever imagined. We have just begun to digest the host of exciting Web 2.0 technologies such as AJAX, SOAP, RSS, and "mashups." However, are we making a big mistake by increasing the complexity of Web applications without taking new security risks into account? Will Web 2.0 usher in the next great Internet expansion or turn it into a landscape where consumers are too frightened to pull out their credit cards? Michael Sutton explains how poor coding practices in the Web 2.0 technologies can expose new Web site vulnerabilities that put your company at risk. He demonstrates case studies illustrating real world examples of Web 2.0 exploitations. Most importantly, Michael describes secure coding practices in the Web 2.0 world that will help you avoid turning these next generation Web technologies into a hacker's dream.

Rather than continually adding more testing, whether manual or automated, how can you assess the readiness of a software product or application for release? By extracting and analyzing the wealth of information available from existing data sources-software metrics, measures of code volatility, and historical data-you can significantly improve release decisions and overall software quality. Susan Kunz shares her experiences using these measures to decide when and when not, to release software. Susan describes how to derive quality index measures for risk, maintainability, and architectural integrity through the use of automated static and dynamic code analyses. Find out how to direct limited testing resources to error-prone code and code that really matters in a system under test. Take back new tools to make your test efforts more efficient.

• How to apply adaptive analysis to evaluate software quality

Approximately three-fourths of today’s successful system security breaches are perpetrated not through network or operating system security flaws, but through
customer-facing Web applications. How can you ensure that your organization is protected from holes that let hackers invade your systems? Only by thoroughly testing your Web applications for security defects and vulnerabilities. Brian
English describes the three basic security testing approaches available to testers-source code analysis, manual penetration testing, and automated penetration testing. Brian also explains the key differences in these methods, the types of defects and vulnerabilities that each detects, and the advantages and disadvantages of each. Learn how to get started in security testing and how to choose the best strategy for your organization.

• Understand the basic security vulnerabilities in Web applications

Based on his years of experience in security testing, Julian Harty believes that most system stakeholders don't understand-or even recognize-the need for security testing. Perhaps they will pay an external consultant to perform an
occasional security audit, but they do not recognize the need for ongoing security testing. Julian will explain why security testing is vital, though often unappreciated. He will describe the security testing lifecycle, from threat, to attack, to fix. Julian shows how to gather information to become productive quickly if we're invited late to security testing. Julian prefers that we prevent attacks but also describes how to repair damage-to both data and reputation-if your systems are attacked. Join this session to begin security testing at your organization.

• Examine the typical software security issues lifecycle