OWASP - User contributions [en]

GSoC2019 Ideas

2019-03-09T21:58:21Z

Aaron.weaver2: /* OWASP DefectDojo */

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''
'''* Read the [[GSoC SAT]] '''
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/OWASP github organization]

==OWASP-SKF==

=== Idea 1 Improving the Machine Learning chatbot: ===
We want to extend the functionality of SKF Bot. (Security Knowledge Framework Chatbot):

Some improvements or the suggestions which we can do to improve the functionality are:

1. Create a desktop version of the chatbot. Where people can install the setup file on their local machine.

2. Create a Plugin or website bot which we can add in the website for better chat experience for the user.

3. Extend the bots capability to do the google search (using web scraping) for the things which are not available in the database. So, it will have a wider scope of knowledge.

4. Add basic conversation flow which makes SKF Bot friendly and provides the better user experience. Example: Replies to the general queries like How are you? What is your Name etc?

5. Extend the bot capability to reply to what security controls should be followed from the ASVS and MASVS or other custom checklists that are present in SKF.
# Extend the bot to different platforms like Facebook, telegram, slack, Google Assistant etc.
Existing chatbot implementation is on Gitter. You can test the bot by typing @skfchatbot on Gitter Community.

'''Getting started:'''

· Get familiar with the architecture and code base of SKF (Security Knowledge Framework)

· Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results

· Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''

· Python 3+, Flask, Coffee Script

'''Mentors and Leaders'''

Glenn ten Cate (Mentor, Project leader)

Riccardo ten Cate (Mentor, Project leader)

Priyanka Jain (Mentor)

=== Idea 2 Improving and building Lab challenges and write-ups: ===
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be

easily deployed.

In the current situation the security knowledge framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and

a solution. The new labs are used to give the software developers or application security specialists a more in depth understanding and approach on how to test the

vulnerabilities in their own code.
* For example we have now around 20 lab challenges in Docker container build in Python:
** A Local File Inclusion Docker app example:
*** https://github.com/blabla1337/skf-labs/tree/master/LFI
** A write-up example:
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection
The images that are pushed to the Github repository are already automatically build and pushed to a docker registry where the SKF users can easily pull the images from to get their

labs running. Of course they can download it and build it themselves from source by pulling the original repository.

'''Mentors and Leaders'''

Glenn ten Cate (Mentor, Project leader)

Riccardo ten Cate (Mentor, Project leader)

== OWASP DefectDojo ==
OWASP DefectDojo is a popular open source vulnerability management tool and is used as the backbone for security programs. It is easy to get started with to work on! We welcome volunteers of all experience levels and are happy to provide mentorship.

'''Issue Tracking:'''

Enhancement [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement requests] and [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Abug bugfixes] are located in Github issues. This project could implement a whole bunch of new features one by one and release them over the course of several small releases.

'''Expected Results:'''
* 5 or more new features or functional enhancements of significant scope for OWASP DefectDojo
* Each feature comes with full functional unit and integration tests
'''Getting started:'''
* Get familiar with the architecture and code base of the application built on Django
* Review the application functionality and familiarize yourself with Products, Engagements, Tests and Findings.
* Get familiar with the CI/CD process based on Travis-CI
'''Knowledge Prerequisites:'''
* Python, Django, Javascript, Unit/Integration testing.
'''Potential Mentors:'''
* [[Mailto:aaron.weaver2+gsoc@gmail.com|Aaron Weaver]] - DefectDojo Project Leader
* [[Mailto:greg.anderson@owasp.org|Greg Anderson]] - DefectDojo Project Leader
* [[Mailto:matt.tesauro@owasp.org|Matt Tesauro]] - DefectDojo Project Leader
'''Option 1: Unit Tests - Difficulty: Easy'''
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.
* The project needs additional unit tests to ensure that new code functions properly.
* Review the current [https://github.com/DefectDojo/django-DefectDojo/tree/dev/dojo/unittests unit tests]
* Complete Code Coverage Testing
** Validate Tests exist for the following (create any that are missing):
*** Finding, Test, Engagement, Reports, Endpoints
*** Import from all scanners
'''Option 2: Python3 Completion'''
* DefectDojo is finishing up a migration to Python3
Test the current [https://github.com/DefectDojo/django-DefectDojo/tree/python3/dojo/unittests state] of Python3
* Ensure all features work
* Travis testing works correctly
'''Option 3: Scan 2.0 / Launch Containers'''

Scan 2.0 consists of automating the scanning orchestration within DefectDojo. Several proof of concepts exist for this using the AppSecpPipeline to launch containers and then push those finding into the appropriate product.
* Use the [https://github.com/appsecpipeline/AppSecPipeline-Specification AppSecPipeline] containers to build a scanning pipeline built on top of [https://www.openfaas.com/ OpenFaaS]
* Scans should be able to be scheduled by DefectDojo and then invoked via the REST API call to OpenFaaS
* Upon scan completion the results will be posted back to DefectDojo via DefectDojo's REST API and consumed as an engagement/test.
* Pick 2 or 3 popular open source scanners such as NMAP, ZAP and Nikto to start out with.

== OHP (OWASP Honeypot) ==

[[OWASP_Python_Honeypot|OWASP Honeypot]] is an open source software in Python language which designed for creating honeypot and honeynet in an easy and secure way! This project is compatible with Python 2.x and 3.x and tested on Windows, Mac OS X and Linux.

=== Getting Start ===

It's best to start from [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page], we are looking forward to adding more modules and optimize the core.

=== Technologies ===

Currently we are using

* Docker
* Python
* MongoDB
* TShark
* Flask
* ChartJS
* And more linux services

=== Expected Results ===

* Zero Bugs: Currently we may have several bugs in different conditions, and it's best to test the all functions and fix them
* Monitoring: Right now monitoring limited to the connections (send&recieve) and it's best to store and analysis the contents for farther investigations and recognizing incoming attacks.
* Duplicated codes: codes are complicated and duplicated in engine, should be fixed/clean up
* New modules: add some creative ICS/Network/Web modules andvulnerable web applications, services and stuff
* API: update API sync to all features
* WebUI: Demonstrate and add API on WebUI and Live version with all features
* WebUI Special Reports: Track the attacks more creative and provide high risk IPs
* Database: Better database structure, faster and use queue
* Data analysis: Analysis stored data and attack signatures
* OWASP Top 10: Preparing useful processed/raw data for OWASP top 10 project

=== Students Requirements ===

* Python
* Packet Analysis & Tshark & Libpcap
* Docker
* Database
* Web Development Skills
* Honeypot and Deception knowledge

=== Mentors and Leaders ===

* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)
* [mailto:reza.espargham@owasp.org Reza Espargham](Mentor)
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @J12934 and @CaptainFreak) there if you like!

To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''

=== Feature Pack 2019 ===

'''Brief Explanation:'''

Ideas for potential new functionality and "business" features are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Afeature GitHub issues labeled "feature"]. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

''Coming up with good additional ideas for features and new functionality in the proposal could make the difference between being selected or declined as a student for this project!''

'''Expected Results:'''
* 5 or more new features or functional enhancements of significant scope for OWASP Juice Shop (not necessarily including corresponding challenges)
* Each feature comes with full functional unit and integration tests
* Extending the functional walk-through chapter of the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, security knowledge is optional.

'''Potential Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Juice Shop Mobile ===

'''Brief Explanation:'''

A complete mobile client for Juice-Shop API which will serve a legit mobile experience for Juice-Shop user as well as a plethora of Mobile app vulnerabilities and challenges around them to solve. Should in the best case translate the idea of Juice Shop's hacking challenges with a score board and success notifications into the mobile world.

''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''

''' Getting started '''
* Get familiar with the architecture and code base of the application's RESTful backend
* Get familiar with Native App developement
* Get familiar with Mobile vulnerabilities

'''Expected Results:'''
* A mobile App with consistent UI/UX for Juice-Shop with standard client side vulnerabilities.
* Sufficient initial release quality (en par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express, some Mobile security knowledge would be preferable.

'''Potential Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Challenge Pack 2019 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.

'''Potential Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Hacking Instructor ===

'''Brief Explanation:'''

While the Juice Shop is offering a lot of long-lasting motivation and challenges for security experts, it might be a bit daunting for newcomers and less experienced hackers.
The "Hacking Instructor" as sketched in [https://github.com/bkimminich/juice-shop/issues/440 GitHub issue #440] could guide users from this target audience through at least some of the hacking challenges. As this would be an entirely new and relatively independent feature of the Juice Shop, students should be able to bring in their own creativity and ideas a lot.

''For this project, a good proposal with a design & implementation proposal more sophisticated than the rough ideas in [https://github.com/bkimminich/juice-shop/issues/440 #440] is paramount to be selected as a student!''

'''Expected Results:'''
* A working implementation of e.g. an avatar-style "Hacking Instructor" or other solution based on the students own proposal
* Coverage of at least the trivial (1-star) and some easy (2-star) challenges
* Documentation how to configure or script the "Hacking Instructor" for challenges in general

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular, some UI/UX experience would be preferable.

'''Potential Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader

==OWASP-Securetea Tools Project ==
The purpose of this application is to warn the user (via various communication mechanisms) whenever their laptop accessed. This small application was developed and tested in python in Linux machine is likely to work well on the Raspberry Pi as well. -
https://github.com/OWASP/SecureTea-Project/blob/master/README.md

===Brief Explanation===
We are looking any awesome idea to improve Securetea Project that is not on this list? We are expecting make this project will be useful to everyone to secure their Small IoT.

===Idea===
Below roadmap and expect results you can choose to improve Securetea Project .
if any bugs please help to fix it

===Roadmap===
See Our Roadmap 
https://github.com/OWASP/SecureTea-Project#roadmap 
Notify by Twitter (done) 
Securetea Dashboard / Gui (done) 

===Expect Results ===
 
Securetea Protection /firewall 
Securetea Antivirus 
Notify by Whatsapp 
Notify by SMS Alerts 
Notify by Line 
Notify by Telegram 
Intelligent Log Monitoring 
Login History 
=== Students Requirements ===

* Python
* Javascript
* Angular and NodeJS/Express
* Database
* Linux

=== Mentors ===

* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader) 
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A]]- (OWASP Securetea Project Leader)
 

==OWASP OWTF==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.
===OWASP OWTF - MiTM proxy interception and replay capabilities===
'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible
*ability to intercept the transactions
*modify or replay transaction on the fly
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code
Bonus:
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
*Create a browser instance and do the necessary login procedure
*Handle the browser for the URI
*When called to close the browser, do a clean logout and kill the browser instance.
'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - Web interface enhancements===
'''Brief explanation:'''

The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - New plugin architecture===
'''Brief explanation:'''

The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.

This issue is documented in detail at https://github.com/owtf/owtf/issues/905.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation

== OWASP iGoat (draft) ==
'''Idea 1:''' Completing OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos at for OWASP iGoat YouTube channel for learning purpose.

'''Idea 2:''' Adding new challenge pack / CTF for iGoat. It should be one point solution for learning iOS app security

== OWASP Seraphimdroid ==
[[OWASP SeraphimDroid Project|OWASP Seraphimdroid]] is Android security and privacy app, with features to enhance user's knowledge about security and privacy on his/her mobile device. If you are interested in this project and working on it during Google Summer of Code, please contact [[User:Nikola Milosevic|Nikola Milosevic]] and express your interest.

=== Idea 1: Anomaly detection of device state ===
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, opp calls, etc.). Initially, the usual behaviour of the device would be learned. Later, anomalies normal behavior would be reported to the user. This should involve some explanations, such as which applications are causing an anomaly the device behaviors

=== Idea 2: On device machine learning of maliciousness of an app ===
Tensor-flow for on-device processing and some other libraries have been released that enable machine learning. We have previously applied a system, that based on permissions, is able to distinguish malicious apps from non-malicious. Now, we would like to learn also from other outputs and things one can monitor about application whether it can be malicious.

=== Idea 3: Enhansing privacy features ===
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved throug knowing which applications are using user accounts or other information that uthe user has on phone to send to the server, or just by knowing which applications may be doing it. Knowledgebase shouldbbeextending with the suggestions on how to improve privacy. Also, automated settings of various apps to use encryption should be proposed.
==OWASP ZAP==
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

=== Active Scanning WebSockets ===
: '''Brief Explanation:'''
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.
: This project will be a continuation of the work that was started as part of last year's GSoC.
: '''Expected Results:'''
:* An pluggable infrastructure that allows us to active scan websockets
:* Converting the relevant existing scan rules to work with websockets
:* Implementing new websocket specific scan rules
: '''Getting Started:'''
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
: '''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Automated Authentication Detection and Configuration ===
: '''Brief Explanation:'''
: Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki>
: This is time consuming and error prone.
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.
: This project will be a continuation of the work that was started as part of last year's GSoC.
: '''Expected Results:'''
:* Detect login and registration pages
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible
: '''Getting Started:'''
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
: '''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

== IoT Goat ==
IoT Goat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf IoT Top 10 2018].

===Insecure web services/application===
''' Getting started '''
* [https://github.com/scriptingxss/IoTGoat/blob/master/README.md Get familiar with OpenWrt]

'''Expected Results:'''
* Web services deployed in OpenWRT containing critical vulnerabilities showcasing the traditional IoT problems. It must contain the following vulnerabilities to be used with the IoT testing guide: SQL injection, local inclusion and XXE injection (I1), Insufficient Authentication (I2), transfer sensitive information using insecure channels (I4).

'''Knowledge Prerequisites:'''
* OpenWRT
* Web security
* Embedded Security

'''Potential Mentors:'''
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)

===Insecure services===
''' Getting started '''
* [https://github.com/scriptingxss/IoTGoat/blob/master/README.md Get familiar with OpenWrt]

'''Expected Results:'''
* Create/Install/Document network services with security vulnerabilities and insecure configurations that can be abused during the challenges.

'''Knowledge Prerequisites:'''
* OpenWRT
* Network security

'''Potential Mentors:'''
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)

===Insecure web services/application===
''' Getting started '''
* [https://github.com/scriptingxss/IoTGoat/blob/master/README.md Get familiar with OpenWrt]

'''Expected Results:'''
* Web services deployed in OpenWRT containing critical vulnerabilities showcasing the traditional IoT problems. It must contain the following vulnerabilities to be used with the IoT testing guide: SQL injection, local inclusion and XXE injection (I1), Insufficient Authentication (I2), transfer sensitive information using insecure channels (I4).

'''Knowledge Prerequisites:'''
* OpenWRT
* Web security

'''Potential Mentors:'''
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)

===Insecure Android/iOS application===
''' Getting started '''
* [https://github.com/scriptingxss/IoTGoat/blob/master/README.md Get familiar with OpenWrt]

'''Expected Results:'''
* .Android application containing client and server side vulnerabilities covering the OWASP TOP 10 Mobile Risks.
* iOS application containing client and server side vulnerabilities covering the OWASP TOP 10 Mobile Risks.
* Web Services deployed as a service in OpenWrt to be used by the Android/iOS clients.

'''Knowledge Prerequisites:'''
* OpenWRT
* Mobile security knowledge.
* Mobile/Web development knowledge.

'''Potential Mentors:'''
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)

===Suggest your own ideas===
You may suggest additional challenges or ideas that fit this project's objectives.

Philadelphia

2018-09-20T13:12:05Z

Aaron.weaver2: Clean up

{{Chapter Template|chaptername=Philadelphia|extra=The chapter leaders are [mailto:aaron.weaver2@gmail.com Aaron Weaver], [mailto:john.kh.baek@gmail.com John Baek].

Follow us [https://twitter.com/phillyowasp @phillyowasp]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-philadelphia|emailarchives=http://lists.owasp.org/pipermail/owasp-philadelphia}}

<meetup group="OWASP-Philadelphia" />

[[Category:Pennsylvania]]

2015-11-04T15:25:38Z

Aaron.weaver2:

{{Chapter Template|chaptername=Philadelphia|extra=The chapter leaders are [mailto:aaron.weaver2@gmail.com Aaron Weaver], [mailto:john.baek@btbsecurity.com John Baek], and [mailto:justin@madirish.net Justin C. Klein Keane].

Follow us [https://twitter.com/phillyowasp @phillyowasp]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-philadelphia|emailarchives=http://lists.owasp.org/pipermail/owasp-philadelphia}}

== Next Meeting '''Tuesday, November 17, 2015 from 5:00 PM - 7:30 PM'''==

'''When:''' Tuesday, November 17, 2015 from 5:00 PM - 7:30 PM 
'''Where:''' OSIsoft 1700 Market Street, Suite 2201 Philadelphia (22nd Floor, signs for the conference room will be posted.)

'''Please [https://www.eventbrite.com/e/owasp-chapter-meeting-at-osisoft-tickets-19402906616 register] so that we can get an accurate count for ordering Pizza.'''

'''Title: IoT Beyond the Hype''' 
'''Presenter:''' Justin C. Klein Keane is the security architect for ThingWorx (http://www.thingworx.com), a PTC business, that makes IoT development framework software. Justin has over 15 years of experience in the security field and is a major contributor to the OWASP IoT Project (https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project), a member of the Build it Securely group (BuildItSecure.ly), the Securing Smart Cities project (http://securingsmartcities.org), and an official contributor to the Online Trust Alliance feedback to the Federal Trade Commission's proposed guidelines on IoT security and privacy (https://otalliance.org/iot-comments-draft-trust-framework).

'''Abstract:''' IoT security is one of the most exciting new fields in the industry, but few understand its scope beyond hacking your connected toaster. Hospitals, industry, and agriculture are all leveraging IoT to realize value from big data, predictive analytics, remote management, and cloud connectivity. IoT is more than just the next evolution from desktop to web to mobile to cloud. IoT presents very real, and new, challenges, including machine to machine (M2M) trust, transitive ownership, and more. The OWASP IoT Project seeks to define this new problem space, enumerate common vulnerabilities, and propose methodologies for secure development. This talk will provide an overview of the OWASP IoT Project and movement in the problem space that goes well beyond hacking cars and baby monitors.

'''Title: Getting out of the Comfort Zone''' 
'''Presenter:''' Aaron Weaver, Associate Director - Application Security, Protiviti

'''Abstract:''' In the last few years the development and operation practices have changed significantly in many organizations. Many organizations are embracing DevOps and what started out as an idea a few years ago with startups and large cloud companies is now being adopted by banks and traditional retailers. We in the security community need to be part of this change or we will be ignored or bypassed. It's time for security to look for news ways to enable change in a secure manner while still allowing the business to move at the speed they require.

== Previous Meeting '''Tuesday, October 20, 2015 from 5:00 PM - 7:00 PM'''==

'''When:''' Tuesday, October 20, 2015 from 5:00 PM - 7:00 PM 
'''Where:''' Temple University, SERC (1925 N 12th Street, Philadelphia) room 358

'''Topic: OWASP Primer - Security and Penetration Testing''' 
'''Presenter:''' John Baek, OSCP, CISSP, CISA

'''Abstract:'''

Forthcoming

== Previous Meeting '''Thursday, July 30, 2015 from 11:30 AM - 1:00 PM'''==

'''When:''' Thursday, July 30, 2015 from 11:30 AM - 1:00 PM 
'''Where:''' Giordano's Pizza 633 E Cypress St, Kennett Square, PA 19348

'''Topic: Building an AppSec Pipeline''' 
'''Presenter:''' Aaron Weaver

'''Abstract:'''

Are you currently running an AppSec program? AppSec programs fall into a odd middle ground; highly technical interactions with the dev and ops teams yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business all while making sure you're catching vulnerabilities as early and often as possible?

This talk will discuss a real world case study of an AppSec Pipeline. The pipeline starts with "Bag of Holding", an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place. This talk will cover the motivation behind an AppSec pipeline, its implementation and how it can help you get the most out of your AppSec program.

'''Topic: Back to Basics: Application Assessment 101 - Pen Test Using Proxy Tool (Burp Suite Pro/ZAP)''' 
'''Presenter:''' John Baek

'''Abstract:'''

We will drill down one aspect of web application assessment: web app penetration test. We'll discuss a popular tool for performing web app pen test and what the tester needs to understand to make it a successful/useful assessment. The techniques presented here can be used in your SDLC to look for security flaws (hopefully prior to the production release).

== Previous Meeting: '''Thursday, September 25th, 2014 from 11:30 AM - 1:30 PM''' ==

'''OWASP Philly/ Lunch Meeting Thursday September 25th'''

'''When:''' Thursday, September 25th, 2014 from 11:30 - 1:30 PM 
'''Where:''' Protiviti - 50 S 16th St, Philadelphia, PA 19102

Food will be provided, [http://www.eventbrite.com/e/owasp-philly-lunch-meeting-tickets-13142911803 please RSVP].

'''Topic: Securing The Android Apps On Your Wrist and Face''' 
'''Presenter:''' Jack Mannino

'''Abstract:'''

Android Wear introduces new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.

Many of the same issues we’re familiar with from past Android experiences are still relevant, while some issues are less impactful or not (currently) possible within existing wearables. At the same time, extending the app’s trust boundaries introduces new points of exposure for developers to be aware of in order to proactively defend against attacks. We want to highlight these areas, which developers may not be aware of when adding a wearable component to an existing app.

In this presentation, we will explore how Android Wear works underneath the hood. We will examine its methods of communication, data replication, and persistence options. We will examine how these applications into the Android development ecosystem and the new risks to privacy and security that need to be considered. Our goal isn’t to deter developers from building wearable apps, but to enable them to make strong security decisions throughout development.

'''Bio:'''

Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android and code written in Scala. He’s also an optimistic New York Mets fan, although that optimism slowly fades away every summer.

== Previous Meeting: '''Tuesday, March 11, 2014 from 6:00 - 7:30 PM''' ==

'''OWASP Philly/ Meeting '''

'''When:''' Tuesday, March 11, 2014 from 6:000 - 7:30 PM 
'''Where:''' 3220 Market St. Room 369

'''Topic: Proven Strategies for Web Application Security''' 
'''Presenter:''' Justin C. Klein Keane and Aaron Weaver

'''Abstract:'''

The rising dominance of the web as an application delivery platform has focused attacker attention squarely on the security of dynamic web applications. Application security is a complex, and shifting, field. Learn about and discuss tested and successful techniques to build safer applications, find flaws before they become vulnerabilities, and deploy applications that can detect, and resist attack. Includes a discussion of common web application vulnerabilities such as the OWASP Top 10.

== Previous Meeting: '''Tuesday,August 13th, 2013 from 7:000 - 8:30 PM''' ==
'''OWASP Philly/ Meeting '''

'''When:''' Tuesday ,August 13th, 2013 from 7:000 - 8:30 PM 
'''Where:''' University of Pennsylvania, [http://www.facilities.upenn.edu/maps/locations/fisher-bennett-hall Fisher-Bennett Hall] room 322

'''Topic: HTML5 Security''' 
'''Presenter:''' Justin C. Klein Keane or others

'''Abstract:'''

HTML 5 Security

While HTML 5 is a wonderful tool for developer, the new features also present some new security challenges. Security in HTML 5 is a widely varied topic and we may not yet understand all of the security challenges it will bring. HTML 5 poses a major paradigm shift in the way that web applications are delivered and consumed and time will tell whether this will result in a net positive or negative for security. The new anti-XSS mitigation features of HTML 5 are amazing, and well worth investigating if you're looking to develop a new application.

Presentation material available at https://sites.sas.upenn.edu/kleinkeane/presentations/html-5-security

'''Reminder:'''

OWASP App Sec USA is coming up in November in NYC (http://appsecusa.org/2013/)! It's a short trip and an awesome opportunity to hear some really great talks. If folks want to go, please register with the discount code "Support_PHI" to support the chapter. Additionally, if you're going to go, it's $50 cheaper if you're an OWASP member, and individual membership only costs $50 (https://owasp.org/index.php/Individual_Member) so join!

'''Upcoming Events:'''
* Friday, October 11 is [http://drupaldelphia.com/ Drupaldelphia], at the Philadelphia Convention Center
* Friday-Sunday, October 25-27 is [http://pumpcon.org/ Pumpcon] in Philadelphia, follow [https://twitter.com/pumpcon @pumpcon]

== Previous Meeting: '''Tuesday, January 8th, 2013 from 7:000 - 8:30 PM''' ==
'''OWASP Philly/ Meeting - University of Pennsylvania, Fisher-Bennett Hall Hall Room 224'''

'''When:''' Tuesday, January 8th, 2013 from 7:000 - 8:30 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall Hall Room 224

'''Topic: Capture the Flag Exercise''' 
'''Presenter:''' Justin C. Klein Keane

'''Abstract:'''

NB: Please RSVP to jukeane@sas.upenn.edu for this meeting if you plan to attend so that we can provide sufficient materials for all attendees.

Capture the Flag (CTF) exercise. Come learn about how web applications are compromised by actually breaking one yourself. This hands on exercise will guide attendees through common web application vulnerabilities and their potential impact by allowing participants to utilize tools to test and attack a target web application in a controlled environment. The exercise will include a vulnerable virtual machine image and documentation on one of many possible routes to complete the exercise.

This meeting will be lead by Justin Klein Keane, a veteran of web application capture the flag exercises and maintainer of the LAMPSecurity project on SourceForge.net (https://sourceforge.net/projects/lampsecurity). This exercise will be released as part of the LAMPSecurity project after the meeting.

== Previous Meeting: '''Tuesday, November 27th, 2012 from 7:000 - 8:30 PM''' ==
'''OWASP Philly/ Meeting - Meyerson Hall, Room B4'''

'''When:''' Tuesday, November 27th from 7:000 - 8:30 PM 
'''Where:''' University of Pennsylvania, Meyerson Hall, Room B4, Philadelphia

'''Penetration Testing - Attack Vector and Vulnerability Trends''' 
'''Presenter:''' Shannon Schriver and Garrett Fails

'''Abstract:'''

The more things change, the more they stay the same. Even though the Top Ten hasn't been updated since 2010, the vulnerabilities that are prevalent in the wild in 2012 still map directly to items on the list.

Shannon Schriver and Garrett Fails, penetration testers for PwC, will be discussing the most successful web application vulnerabilities and attack vectors that they have used during client penetration tests in 2012. Topics will include local file inclusion, insecure administrative consoles (including JBoss and Tomcat), and WPAD man-in-the-middle browser vulnerabilities.

== Previous Meeting: '''Monday April 16th, 2012, from 7:00 - 8:30 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 231'''

'''When:''' Monday, Monday April 16th from 7:000 - 8:03 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 231, Philadelphia

'''HECTOR, our evolving security intelligence platform''' 
'''Presenter:''' Justin Klein Keane

'''Abstract:'''

Asset management is an ever present challenge for any IT organization,
and especially so for information security groups. Even more
challenging is data aggregation for intelligent security analysis (or
security intelligence). HECTOR is an effort by the University of
Pennsylvania's School of Arts and Sciences to provide such a security
intelligence platform. Organizing assets, scanning for vulnerabilities
and profiles, correlating attacks on your network to services offered by
hosts, tracking changes, following remediation, and making information
available to multiple users via a web interface are all goals of HECTOR.
HECTOR leverages honeypot technology, darknet sensors, port scans,
vulnerability scans, intrusion detection systems, the powerful open
source MySQL database, and a PHP based web front end to provide security
intelligence to security practitioners.

HECTOR is an evolving, open source effort that attempts to leverage a wide variety of tools and
information sources to empower security practitioners with better
insights as well as to track and trend security related data. Come hear
about HECTOR in advance the official open source launch at the Educause
Security Professionals 2012 conference. Presentation material will
include a discussion of the philosophy behind HECTOR, the open source
technologies that make HECTOR work, as well as design challenges and
solutions. Even if you don't end up using HECTOR the presentation seeks
to spur new ideas and ways of thinking about asset management and
security data.

== Previous Meeting: '''Friday September 16th, 2011, from 1:00 PM - 4:15 PM''' ==
'''Joint Meeting with ISSA-DV, Infragard - VWR International, Radnor Corporate Center'''

'''When:''' Friday September 16th, 1:00 PM 
'''Where:''' VWR International
Radnor Corporate Center
100 Matsonford Road
Wayne, PA 19087

'''Register:''' [http://www.issa-dv.org/meetings/registration.php Please register to attend this free conference]

===Agenda===

{| class="wikitable"
|-
| '''1:00 - 1:15'''
| '''OWASP, INFRAGARD, ISSA Joint Session'''
|''Registration''
|-
|'''1:15 – 2:00'''
|'''Dan Kuykendall, CTO NT Objectives'''
|''"Not Your Granddad's Web App."''
|-
|'''2:00 – 2:45'''
|'''Jack Mannino from nVisium Security'''
|''"Building Secure Android Apps"''
|-
|'''2:30 – 2:45'''
|'''BREAK'''
|
|-
|'''2:45 – 3:30'''
|'''CEO Matthew Jonkman Emergingthreats.net'''
|''Open Information Security Foundation (OISF Suricata)''
|-
|'''3:30 – 4:15'''
|'''Aaron Weaver - OWASP'''
|''Breaking Botnets: Finding App Vulnerabilities in Botnet Command & Control servers''
|}

'''Directions to [http://www.mapquest.com/maps?address=100+Matsonford+Rd&city=Radnor&state=PA&zipcode=19087 VWR International]'''

== Previous Meeting: '''Monday June 20th, from 6:30 - 8:00 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 231'''

'''When:''' Monday, June 20th from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 231, Philadelphia

''Three lightning round presentations'' - Each presentation will be about 20 minutes long

* Using PHP for Security - Justin C. Klein Keane
* Perl for AppSec - Darian Anthony Patrick
* What does your metadata say about your organization? A look at the open source tool Foca - Aaron Weaver

Thanks to Penn for hosting the OWASP event!

'''Directions:'''
The building entrance faces the intersection of 34th and Walnut
streets and the room is on the third floor. Folks should bring
identification and if the guard asks let him know you are coming to the OWASP
meeting.

== Previous Meeting: '''Monday, May 23rd, from 6:30 - 8:00 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 231'''

'''When:''' Monday, May 23rd from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 231, Philadelphia

'' The Search for Intelligent Life''

'''Synopsis:''' For years organizations have been mining and culling data warehouses to measure every layer of their business right down to the clickstream information of their web sites. These business intelligence tools have helped organizations identify points of poor product performance, highlighting areas of current and potential future demand, key performance indicators, etc. In the information security field we still tend to look at our information in silos. Dedicated engineers solely focused on web application security, network security, compliance and so on, all while bemoaning a lack of information and decision support.

In this talk, Ed will cover some of the many sources of security data publicly available and how to apply them to add context to your security data and tools to help make more intelligent decisions. Ed also points out a number of ways to repurpose information and tools your company is already using in order to glean a clearer view into your security and the threats that may effect it.

'''Bio:''' Ed Bellis is the CEO of HoneyApps Inc, a vulnerability management Software as a Service that centralizes, correlates, prioritizes and automates the entire stack of security vulnerabilities and remediation workflow. Prior to HoneyApps, Ed served as the Chief Information Security Officer for Orbitz, the well known online travel agency where he built and led the information security program and personnel for over 6 years. Ed has over 18 years experience in information security and technology.
He is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as IANS Security Forum, SaaScon, AppSec DC, BlackHat, CSO Perspectives, MIS Institute, and several others. Additionally, Ed is a contributing author to the book Beautiful Security by O’Reilly and a blogger on CSO Online.

For a summary of the presentation please see http://www.madirish.net/justin/security-intelligence-philly-owasp-ed-bellis

'''Directions:'''
The building entrance faces the intersection of 34th and Walnut
streets and the room is on the third floor. Folks should bring
identification and let the guard know they're coming for the OWASP
meeting.

== Previous Meeting: '''Monday, April 11th, from 6:30 - 8:00 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 322'''

'''When:''' Monday, April 11th from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 322, Philadelphia

'''Topic: TBD'''

Supervisory Special Agent Brian Herrick of the Philadelphia FBI - Cyber Squad

The building entrance faces the intersection of 34th and Walnut
streets and the room is on the third floor. Folks should bring
identification and let the guard know they're coming for the OWASP
meeting.

== Previous Meeting: '''Monday, March 7th, from 6:30 - 8:00 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 322'''

'''When:''' Monday, March 7th from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 322, Philadelphia

'''The Power of Code Review'''

Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security.
*As a volunteer to OWASP, Dave is:
*A member of the OWASP Board,
*The OWASP Conferences Chair,
*Project lead and coauthor of the OWASP Top 10,
*Coauthor of the OWASP Application Security Verification Standard, and
*Contributor to the OWASP Enterprise Security API (ESAPI) project.

The building entrance faces the intersection of 34th and Walnut
streets and the room is on the third floor. Folks should bring
identification and let the guard know they're coming for the OWASP
meeting.

For a write up of the meeting please see http://www.madirish.net/justin/owasp-philadelphia-march-7-2011-meeting

== Previous Meeting: '''Tuesday, August 17th, 2010 6:30pm - 8:00pm''' ==
'''OWASP Philly/ Meeting - 307 Levine Hall'''

'''When:''' Tuesday, August 17th, from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, 307 Levine Hall, Philadelphia

'''Mobile App Security Techniques'''

Look left, look right, look in your pocket, you probably glanced over a cellular phone. These devices are getting more and more pervasive in today's society. More importantly they are getting very powerful. This new market of software users have been the catalyst of the "app" boom. Everyone is jumping on board and developing mobile applications. This influx of mobile application development means there are a large number of mobile applications that get rushed to the market before they can be properly reviewed from a security standpoint. So guess what, more bugs for the taking!

In this talk we will lay out a few basic techniques that we use when we perform mobile application assessments, highlight possible pit falls that one should be aware and hopefully give those up and coming mobile application penetration testers a leg up on the competition.

'''Raj Umadas''' is a Consultant with the Intrepidus Group. Mr. Umadas graduated Summa Cum-Laude from The Polytechnic Institute of NYU with a BS in Computer Engineering. At NYU:Poly, Mr. Umadas pursued a highly expansive computer security curriculum. He is just as comfortable sniffing out a memory corruption bug as he is assessing the risk management decisions of large projects.

Coupled with Mr. Umadas' fresh academic outlook on security, he obtained a no-nonsense business sense of security while working in an Information Risk Management arm of a large investment bank. Corporate governance, segregation of duties, and SOX compliance were all daily concerns for Mr. Umadas.

Mr. Umadas is eager to establish his own niche in the security world where he will be the catalyst of some very major innovation. With his strong academics, proven real world experience, and never-say-no attitude; it is only a matter of time.

For a summary of this presentation please see http://www.madirish.net/security-tools/470

== Previous Meeting: '''Tuesday, July 20th, 2010 6:30pm - 8:30pm''' ==
'''OWASP Philly/ Meeting - University of Pennsylvania - Philadelphia'''

All are welcome to join us on Tuesday as we discuss web application security.

When: Tuesday, July 20th, 2010 6:30pm - 8:30pm 
Where: Fisher-Bennett Room 401, University of Pennsylvania 
3340 Walnut Street St.
Philadelphia, PA 19104

'''Agenda:''' 
1.) Opening Remarks 
2.) Balancing Security & Usability, Justin Klein Keane 
3.) Arshan Dabirsiaghi - Aspect Security 
4.) Informal meetup afterwards at New Deck

[http://owaspphiladelphia.eventbrite.com/ Please RSVP]

[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3330+Walnut+St.,+Philadelphia,+Pennsylvania+19104&sll=39.953372,-75.191352&sspn=0.006678,0.013797&ie=UTF8&hq=&hnear=3330+Walnut+St,+Philadelphia,+Pennsylvania+19104&ll=39.954787,-75.191352&spn=0.006678,0.013797&z=16&iwloc=A&iwstate1=dir Directions to Fisher-Bennett]

Questions should be directed to [mailto:aaron.weaver2@gmail.com Aaron Weaver]

'''User Interface and Security in Web Applications'''

Security is often seen as a competing priority to good user experience, but the two are not diametrically opposed. Good user experience is essential to good security. Without ease of use, most people simply ignore or bypass security protections in systems. In order to craft effective security measures it is essential to take user experience into consideration. With the meteoric growth of web applications as a medium for service delivery it is critical to deploy good security measures. Web applications offer an always on, globally available target for attackers. Users need to be allies in the drive for application security, but far too often security measures are presented as onerous, time consuming, bothersome add-on's to web applications rather than seamlessly integrated, easy to use, user friendly features. In this talk I propose to explore some of the reasons why good security in web applications matters and how you can make security effective by making it easy to use.

'''Speaker: Justin Klein Keane'''

Bio: Justin C. Klein Keane has over 8 years of experience in information
security starting with his role as Editor in Chief of the Hack in the
Box e-zine. Currently Justin works as in Information Security
Specialist with the University of Pennsylvania School of Arts and
Sciences' Information Security and Unix Systems group. Justin's past
work included several positions as a web application developer, often
utilizing PHP. Justin is a regular contributer to the Full-Disclosure
mailing list and is credited with dozens of vulnerability discoveries.
Justin holds several ethical hacking and penetration testing
certifications and regularly posts computer security related articles on
his website http://www.MadIrish.net.

== Previous Meeting: '''Thursday, December 3rd, 2009 6:30pm - 8:30pm''' ==
'''OWASP Philly/ Meeting - University of Pennsylvania - Philadelphia'''

'''This is a joint meeting with the [http://www.meetup.com/phillyphp/ Philadelphia Area PHP Meetup group]'''. All are welcome to join us on Tuesday as we discuss web application security.

When: December 3rd, 2009 6:30pm - 8:30pm 
Where: Wu & Chen Auditorium, Levine Hall, University of Pennsylvania 
3330 Walnut St.
Philadelphia, PA 19104

'''Agenda:''' 
1.) Opening Remarks 
2.) Discovering PHP Vulnerabilities Via Code Auditing, Justin Klein Keane 
3.) TBD: Bruce Diamond 

[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3330+Walnut+St.,+Philadelphia,+Pennsylvania+19104.&sll=39.953372,-75.191352&sspn=0.006678,0.013797&ie=UTF8&hq=&hnear=3330+Walnut+St,+Philadelphia,+Pennsylvania+19104&ll=39.954787,-75.191352&spn=0.006678,0.013797&z=16&iwloc=A&iwstate1=dir Directions to Levine Hall]

Questions should be directed to [mailto:darian@criticode.com Darian Anthony Patrick]

'''Discovering PHP Vulnerabilities Via Code Auditing'''

Abstract: PHP provides an accessible, easy to use platform for developing dynamic
web applications. As the number of web based applications grow, so too
does the threat from external attackers. The open and global nature of
the web means that web applications are exposed to attack from around
the world around the clock. Automated web application vulnerability
scanning technology is still very much in its infancy, and unable to
identify complex vulnerabilities that could lead to complete server
compromise. While intrusion detection systems prove very valuable in
detecting attacks, the best way to prevent vulnerabilities is to engage
in active code review. There are many advantages of direct code review
over automated testing, from the ability to identify complex edge
scenario vulnerabilities to finding non-exploitable flaws and fixing
them proactively. Many vulnerabilities in PHP based web applications
are introduced with common misuse of the language or misunderstanding of
how functions can be safely utilized. By understanding the common ways
in which vulnerabilities are introduced into PHP code it becomes easy to
quickly and accurately review PHP code and identify problems. In
addition to common problems, PHP includes some obscure functionality
that can lead developers to unwittingly introduce vulnerabilities into
their applications. By understanding the security implications of some
common PHP functions, code reviewers can pinpoint the use of such
functions in code and inspect them to ensure safety.

Speaker: Justin Klein Keane

Bio: Justin C. Klein Keane has over 8 years of experience in information
security starting with his role as Editor in Chief of the Hack in the
Box e-zine. Currently Justin works as in Information Security
Specialist with the University of Pennsylvania School of Arts and
Sciences' Information Security and Unix Systems group. Justin's past
work included several positions as a web application developer, often
utilizing PHP. Justin is a regular contributer to the Full-Disclosure
mailing list and is credited with dozens of vulnerability discoveries.
Justin holds several ethical hacking and penetration testing
certifications and regularly posts computer security related articles on
his website http://www.MadIrish.net.

----

== Previous Meeting: '''October 27th, 2009 6:00pm - 9:00pm''' ==
'''OWASP Philly Meeting - Comcast - Philadelphia'''

Presentations: 
[http://www.owasp.org/images/7/79/Agile_Practices_and_Methods.ppt Agile Practices and Methods] 
[http://www.owasp.org/images/d/d0/OWASP-AJAX-Final.ppt AJAX Security] 
[http://www.owasp.org/images/0/06/Adobe_AMF.ppt Adobe AMF] 

Food and space provided by Comcast.

'''Sponsor:'''
[[Image:comcastlogo.gif]]

When: October 27th, 2009 6:00pm - 9:00pm
Where: Floor (TBD), Comcast, 1701 John F Kennedy Blvd Philadelphia, PA 08054

'''Agenda:''' 
1.) OWASP Meeting Opening Remarks: Bruce A. Kaalund Director, Product Security 
2.) Development Issues Within AJAX Applications: How to Divert Threats: Tom Tucker, Cenzic 
3.) Agile Software Development Principles and Practices : Ravindar Gujral, Agile Philadelphia 
4.) Testing Adobe Flex/SWF's, focusing on flash remoting (AMF): Aaron Weaver, Pearson eCollege 

[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1701+John+F+Kennedy+Blvd+philadelphia&sll=39.954255,-75.16839&sspn=0.006908,0.013711&ie=UTF8&hq=&hnear=1701+John+F+Kennedy+Blvd,+Philadelphia,+Pennsylvania+19103&ll=39.956185,-75.168393&spn=0.006908,0.013711&t=h&z=16&iwloc=A Directions to Comcast]

'''Development Issues Within AJAX Applications: How to Divert Threats'''

Speaker: Tom Tucker

Bio: Tom Tucker has over 25 years of experience within the enterprise hardware, software, network, and security market. As a Senior Systems Engineer at Cenzic, Tom works directly with customers to protect their Web applications from hacker attacks. Previously Tom's worked with Tier 1 and Tier 2 Network Service Providers such as BBN, GTE, AT&T, iPass, New Edge Networks and MegaPath Networks, designing firewall, VPN, WAN, LAN and Hosting solutions. Tom was also the Director of Intranet Engineering for Associates Information Services (now a part of Citigroup) implementing secure Internet technology solutions for both internal and external application delivery.

----

== Previous Meeting: '''Wednesday June 24th 2009, 6:30 PM - 8:00 PM''' ==
'''OWASP Philly Meeting - AccessIT Group - King of Prussia'''

Pizza provided by AccessIT Group.

'''Sponsors:'''
[[Image:Logo_accessitgroup.gif]][[Image:Sanslogo_vertical.jpg]]

'''Agenda:''' 
1.) OWASP Introduction 
2.) How to Analyze Malicious Flash Programs - Lenny Zeltser 
3.) OWASP .NET, OWASP Report Generator,OWASP Cryttr/Encrypted Syndication - Mark Roxberry 

[http://atlas.mapquest.com/maps/map.adp?formtype=address&country=US&popflag=0&latitude=&longitude=&name=&phone=&level=&addtohistory=&cat=Access+It+Group+Inc&address=2000+Valley+Forge+Cir&city=King+of+Prussia&state=PA&zipcode=19406 Directions]

2000 Valley Forge Circle 
Suite 106 
King of Prussia, PA 19406 

AccessIT Group is located in the 2000 Building (middle building) of the Valley
Forge Towers. The offices are located on the bottom floor of the
building. Parking is available in the front or rear of the building.

'''How to Analyze Malicious Flash Programs'''

by Lenny Zeltser (http://www.zeltser.com)

'''About the talk:'''
Attackers increasingly use malicious Flash programs, often in the form of banner ads, as initial infection vectors. Obfuscation techniques and multiple Flash virtual machines complicate this task of analyzing such threats. Come to learn insights, tools and techniques for reverse-engineering this category of browser malware.

'''Bio:'''
Lenny Zeltser leads the security consulting practice at Savvis. He is also a board of directors member at SANS Technology Institute, a SANS faculty member, and an incident handler at the Internet Storm Center. Lenny frequently speaks on information security and related business topics at conferences and private events, writes articles, and has co-authored several books. Lenny is one of the few individuals in the world who've earned the highly-regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania. You can stay in touch with him via http://twitter.com/lennyzeltser.

'''OWASP .NET, OWASP Report Generator, OWASP Cryttr / Encrypted Syndication'''

by Mark Roxberry

About the talk: Mark is looking to generate some interest in participating in OWASP projects. He will be speaking about projects that he is involved in and hoping to recruit folks who have time, energy and motivation to help out.

Bio: Mark Roxberry is a frequent contributor of research and code to OWASP. His credits include OWASP Testing Guide contributor and reviewer, the OWASP .NET Project Lead, the OWASP Report Generator Lead and just recently the OWASP Encrypted Syndication Lead. He is a Senior Consultant at Database Solutions in King of Prussia. Mark has a B.S. in Russian Technical Translation from the Pennsylvania State University and has the CEH and CISSP certificates hanging in his bunker where he tries to figure out how to hack into Skynet when it comes online.

== Previous Meetings ==

Next Meeting: '''October 28th 2008, 6:30 PM - 8:00 PM'''
 OWASP Philly Meeting - Protiviti - Two Libery Place Philadelphia

Come join us in Philadelphia as we discuss web application security.

'''Agenda:''' 
1.) Web Application Security and PCI requirements (V 1.1 and 1.2) 
2.) Clickjacking: What is it and should we be concerned about it? 
3.) Summary of OWASP conference in New York.

[Google Directions][http://maps.google.com/maps?q=50+South+16th+St+Philadelphia,+PA&ie=UTF-8&oe=utf-8&rls=org.mozilla:en-US:official&client=firefox-a&um=1&sa=X&oi=geocode_result&resnum=1&ct=title]

Two Libery Place 50 South 16th St 
Suite 2900 
Philadelphia, PA 19102 USA 

[[Category:Pennsylvania]]

Philadelphia

2015-11-04T15:25:06Z

Aaron.weaver2:

{{Chapter Template|chaptername=Philadelphia|extra=The chapter leaders are [mailto:aaron.weaver2@gmail.com Aaron Weaver], [mailto:john.baek@btbsecurity.com John Baek], and [mailto:justin@madirish.net Justin C. Klein Keane].

Follow us [https://twitter.com/phillyowasp @phillyowasp]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-philadelphia|emailarchives=http://lists.owasp.org/pipermail/owasp-philadelphia}}

== Next Meeting '''Tuesday, November 17, 2015 from 5:00 PM - 7:30 PM'''==

'''When:''' Tuesday, November 17, 2015 from 5:00 PM - 7:30 PM 
'''Where:''' OSIsoft 1700 Market Street, Suite 2201 Philadelphia (22nd Floor, signs for the conference room will be posted.)

'''Please [https://www.eventbrite.com/e/owasp-chapter-meeting-at-osisoft-tickets-19402906616 register] so that we can get an accurate count for ordering Pizza.'''

'''Topic: Title: IoT Beyond the Hype''' 
'''Presenter:''' Justin C. Klein Keane is the security architect for ThingWorx (http://www.thingworx.com), a PTC business, that makes IoT development framework software. Justin has over 15 years of experience in the security field and is a major contributor to the OWASP IoT Project (https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project), a member of the Build it Securely group (BuildItSecure.ly), the Securing Smart Cities project (http://securingsmartcities.org), and an official contributor to the Online Trust Alliance feedback to the Federal Trade Commission's proposed guidelines on IoT security and privacy (https://otalliance.org/iot-comments-draft-trust-framework).

'''Abstract:''' IoT security is one of the most exciting new fields in the industry, but few understand its scope beyond hacking your connected toaster. Hospitals, industry, and agriculture are all leveraging IoT to realize value from big data, predictive analytics, remote management, and cloud connectivity. IoT is more than just the next evolution from desktop to web to mobile to cloud. IoT presents very real, and new, challenges, including machine to machine (M2M) trust, transitive ownership, and more. The OWASP IoT Project seeks to define this new problem space, enumerate common vulnerabilities, and propose methodologies for secure development. This talk will provide an overview of the OWASP IoT Project and movement in the problem space that goes well beyond hacking cars and baby monitors.

'''Topic: Title: Getting out of the Comfort Zone''' 
'''Presenter:''' Aaron Weaver, Associate Director - Application Security, Protiviti

'''Abstract:''' In the last few years the development and operation practices have changed significantly in many organizations. Many organizations are embracing DevOps and what started out as an idea a few years ago with startups and large cloud companies is now being adopted by banks and traditional retailers. We in the security community need to be part of this change or we will be ignored or bypassed. It's time for security to look for news ways to enable change in a secure manner while still allowing the business to move at the speed they require.

== Previous Meeting '''Tuesday, October 20, 2015 from 5:00 PM - 7:00 PM'''==

'''When:''' Tuesday, October 20, 2015 from 5:00 PM - 7:00 PM 
'''Where:''' Temple University, SERC (1925 N 12th Street, Philadelphia) room 358

'''Topic: OWASP Primer - Security and Penetration Testing''' 
'''Presenter:''' John Baek, OSCP, CISSP, CISA

'''Abstract:'''

Forthcoming

== Previous Meeting '''Thursday, July 30, 2015 from 11:30 AM - 1:00 PM'''==

'''When:''' Thursday, July 30, 2015 from 11:30 AM - 1:00 PM 
'''Where:''' Giordano's Pizza 633 E Cypress St, Kennett Square, PA 19348

'''Topic: Building an AppSec Pipeline''' 
'''Presenter:''' Aaron Weaver

'''Abstract:'''

Are you currently running an AppSec program? AppSec programs fall into a odd middle ground; highly technical interactions with the dev and ops teams yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business all while making sure you're catching vulnerabilities as early and often as possible?

This talk will discuss a real world case study of an AppSec Pipeline. The pipeline starts with "Bag of Holding", an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place. This talk will cover the motivation behind an AppSec pipeline, its implementation and how it can help you get the most out of your AppSec program.

'''Topic: Back to Basics: Application Assessment 101 - Pen Test Using Proxy Tool (Burp Suite Pro/ZAP)''' 
'''Presenter:''' John Baek

'''Abstract:'''

We will drill down one aspect of web application assessment: web app penetration test. We'll discuss a popular tool for performing web app pen test and what the tester needs to understand to make it a successful/useful assessment. The techniques presented here can be used in your SDLC to look for security flaws (hopefully prior to the production release).

== Previous Meeting: '''Thursday, September 25th, 2014 from 11:30 AM - 1:30 PM''' ==

'''OWASP Philly/ Lunch Meeting Thursday September 25th'''

'''When:''' Thursday, September 25th, 2014 from 11:30 - 1:30 PM 
'''Where:''' Protiviti - 50 S 16th St, Philadelphia, PA 19102

Food will be provided, [http://www.eventbrite.com/e/owasp-philly-lunch-meeting-tickets-13142911803 please RSVP].

'''Topic: Securing The Android Apps On Your Wrist and Face''' 
'''Presenter:''' Jack Mannino

'''Abstract:'''

Android Wear introduces new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.

Many of the same issues we’re familiar with from past Android experiences are still relevant, while some issues are less impactful or not (currently) possible within existing wearables. At the same time, extending the app’s trust boundaries introduces new points of exposure for developers to be aware of in order to proactively defend against attacks. We want to highlight these areas, which developers may not be aware of when adding a wearable component to an existing app.

In this presentation, we will explore how Android Wear works underneath the hood. We will examine its methods of communication, data replication, and persistence options. We will examine how these applications into the Android development ecosystem and the new risks to privacy and security that need to be considered. Our goal isn’t to deter developers from building wearable apps, but to enable them to make strong security decisions throughout development.

'''Bio:'''

Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android and code written in Scala. He’s also an optimistic New York Mets fan, although that optimism slowly fades away every summer.

== Previous Meeting: '''Tuesday, March 11, 2014 from 6:00 - 7:30 PM''' ==

'''OWASP Philly/ Meeting '''

'''When:''' Tuesday, March 11, 2014 from 6:000 - 7:30 PM 
'''Where:''' 3220 Market St. Room 369

'''Topic: Proven Strategies for Web Application Security''' 
'''Presenter:''' Justin C. Klein Keane and Aaron Weaver

'''Abstract:'''

The rising dominance of the web as an application delivery platform has focused attacker attention squarely on the security of dynamic web applications. Application security is a complex, and shifting, field. Learn about and discuss tested and successful techniques to build safer applications, find flaws before they become vulnerabilities, and deploy applications that can detect, and resist attack. Includes a discussion of common web application vulnerabilities such as the OWASP Top 10.

== Previous Meeting: '''Tuesday,August 13th, 2013 from 7:000 - 8:30 PM''' ==
'''OWASP Philly/ Meeting '''

'''When:''' Tuesday ,August 13th, 2013 from 7:000 - 8:30 PM 
'''Where:''' University of Pennsylvania, [http://www.facilities.upenn.edu/maps/locations/fisher-bennett-hall Fisher-Bennett Hall] room 322

'''Topic: HTML5 Security''' 
'''Presenter:''' Justin C. Klein Keane or others

'''Abstract:'''

HTML 5 Security

While HTML 5 is a wonderful tool for developer, the new features also present some new security challenges. Security in HTML 5 is a widely varied topic and we may not yet understand all of the security challenges it will bring. HTML 5 poses a major paradigm shift in the way that web applications are delivered and consumed and time will tell whether this will result in a net positive or negative for security. The new anti-XSS mitigation features of HTML 5 are amazing, and well worth investigating if you're looking to develop a new application.

Presentation material available at https://sites.sas.upenn.edu/kleinkeane/presentations/html-5-security

'''Reminder:'''

OWASP App Sec USA is coming up in November in NYC (http://appsecusa.org/2013/)! It's a short trip and an awesome opportunity to hear some really great talks. If folks want to go, please register with the discount code "Support_PHI" to support the chapter. Additionally, if you're going to go, it's $50 cheaper if you're an OWASP member, and individual membership only costs $50 (https://owasp.org/index.php/Individual_Member) so join!

'''Upcoming Events:'''
* Friday, October 11 is [http://drupaldelphia.com/ Drupaldelphia], at the Philadelphia Convention Center
* Friday-Sunday, October 25-27 is [http://pumpcon.org/ Pumpcon] in Philadelphia, follow [https://twitter.com/pumpcon @pumpcon]

== Previous Meeting: '''Tuesday, January 8th, 2013 from 7:000 - 8:30 PM''' ==
'''OWASP Philly/ Meeting - University of Pennsylvania, Fisher-Bennett Hall Hall Room 224'''

'''When:''' Tuesday, January 8th, 2013 from 7:000 - 8:30 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall Hall Room 224

'''Topic: Capture the Flag Exercise''' 
'''Presenter:''' Justin C. Klein Keane

'''Abstract:'''

NB: Please RSVP to jukeane@sas.upenn.edu for this meeting if you plan to attend so that we can provide sufficient materials for all attendees.

Capture the Flag (CTF) exercise. Come learn about how web applications are compromised by actually breaking one yourself. This hands on exercise will guide attendees through common web application vulnerabilities and their potential impact by allowing participants to utilize tools to test and attack a target web application in a controlled environment. The exercise will include a vulnerable virtual machine image and documentation on one of many possible routes to complete the exercise.

This meeting will be lead by Justin Klein Keane, a veteran of web application capture the flag exercises and maintainer of the LAMPSecurity project on SourceForge.net (https://sourceforge.net/projects/lampsecurity). This exercise will be released as part of the LAMPSecurity project after the meeting.

== Previous Meeting: '''Tuesday, November 27th, 2012 from 7:000 - 8:30 PM''' ==
'''OWASP Philly/ Meeting - Meyerson Hall, Room B4'''

'''When:''' Tuesday, November 27th from 7:000 - 8:30 PM 
'''Where:''' University of Pennsylvania, Meyerson Hall, Room B4, Philadelphia

'''Penetration Testing - Attack Vector and Vulnerability Trends''' 
'''Presenter:''' Shannon Schriver and Garrett Fails

'''Abstract:'''

The more things change, the more they stay the same. Even though the Top Ten hasn't been updated since 2010, the vulnerabilities that are prevalent in the wild in 2012 still map directly to items on the list.

Shannon Schriver and Garrett Fails, penetration testers for PwC, will be discussing the most successful web application vulnerabilities and attack vectors that they have used during client penetration tests in 2012. Topics will include local file inclusion, insecure administrative consoles (including JBoss and Tomcat), and WPAD man-in-the-middle browser vulnerabilities.

== Previous Meeting: '''Monday April 16th, 2012, from 7:00 - 8:30 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 231'''

'''When:''' Monday, Monday April 16th from 7:000 - 8:03 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 231, Philadelphia

'''HECTOR, our evolving security intelligence platform''' 
'''Presenter:''' Justin Klein Keane

'''Abstract:'''

Asset management is an ever present challenge for any IT organization,
and especially so for information security groups. Even more
challenging is data aggregation for intelligent security analysis (or
security intelligence). HECTOR is an effort by the University of
Pennsylvania's School of Arts and Sciences to provide such a security
intelligence platform. Organizing assets, scanning for vulnerabilities
and profiles, correlating attacks on your network to services offered by
hosts, tracking changes, following remediation, and making information
available to multiple users via a web interface are all goals of HECTOR.
HECTOR leverages honeypot technology, darknet sensors, port scans,
vulnerability scans, intrusion detection systems, the powerful open
source MySQL database, and a PHP based web front end to provide security
intelligence to security practitioners.

HECTOR is an evolving, open source effort that attempts to leverage a wide variety of tools and
information sources to empower security practitioners with better
insights as well as to track and trend security related data. Come hear
about HECTOR in advance the official open source launch at the Educause
Security Professionals 2012 conference. Presentation material will
include a discussion of the philosophy behind HECTOR, the open source
technologies that make HECTOR work, as well as design challenges and
solutions. Even if you don't end up using HECTOR the presentation seeks
to spur new ideas and ways of thinking about asset management and
security data.

== Previous Meeting: '''Friday September 16th, 2011, from 1:00 PM - 4:15 PM''' ==
'''Joint Meeting with ISSA-DV, Infragard - VWR International, Radnor Corporate Center'''

'''When:''' Friday September 16th, 1:00 PM 
'''Where:''' VWR International
Radnor Corporate Center
100 Matsonford Road
Wayne, PA 19087

'''Register:''' [http://www.issa-dv.org/meetings/registration.php Please register to attend this free conference]

===Agenda===

{| class="wikitable"
|-
| '''1:00 - 1:15'''
| '''OWASP, INFRAGARD, ISSA Joint Session'''
|''Registration''
|-
|'''1:15 – 2:00'''
|'''Dan Kuykendall, CTO NT Objectives'''
|''"Not Your Granddad's Web App."''
|-
|'''2:00 – 2:45'''
|'''Jack Mannino from nVisium Security'''
|''"Building Secure Android Apps"''
|-
|'''2:30 – 2:45'''
|'''BREAK'''
|
|-
|'''2:45 – 3:30'''
|'''CEO Matthew Jonkman Emergingthreats.net'''
|''Open Information Security Foundation (OISF Suricata)''
|-
|'''3:30 – 4:15'''
|'''Aaron Weaver - OWASP'''
|''Breaking Botnets: Finding App Vulnerabilities in Botnet Command & Control servers''
|}

'''Directions to [http://www.mapquest.com/maps?address=100+Matsonford+Rd&city=Radnor&state=PA&zipcode=19087 VWR International]'''

== Previous Meeting: '''Monday June 20th, from 6:30 - 8:00 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 231'''

'''When:''' Monday, June 20th from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 231, Philadelphia

''Three lightning round presentations'' - Each presentation will be about 20 minutes long

* Using PHP for Security - Justin C. Klein Keane
* Perl for AppSec - Darian Anthony Patrick
* What does your metadata say about your organization? A look at the open source tool Foca - Aaron Weaver

Thanks to Penn for hosting the OWASP event!

'''Directions:'''
The building entrance faces the intersection of 34th and Walnut
streets and the room is on the third floor. Folks should bring
identification and if the guard asks let him know you are coming to the OWASP
meeting.

== Previous Meeting: '''Monday, May 23rd, from 6:30 - 8:00 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 231'''

'''When:''' Monday, May 23rd from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 231, Philadelphia

'' The Search for Intelligent Life''

'''Synopsis:''' For years organizations have been mining and culling data warehouses to measure every layer of their business right down to the clickstream information of their web sites. These business intelligence tools have helped organizations identify points of poor product performance, highlighting areas of current and potential future demand, key performance indicators, etc. In the information security field we still tend to look at our information in silos. Dedicated engineers solely focused on web application security, network security, compliance and so on, all while bemoaning a lack of information and decision support.

In this talk, Ed will cover some of the many sources of security data publicly available and how to apply them to add context to your security data and tools to help make more intelligent decisions. Ed also points out a number of ways to repurpose information and tools your company is already using in order to glean a clearer view into your security and the threats that may effect it.

'''Bio:''' Ed Bellis is the CEO of HoneyApps Inc, a vulnerability management Software as a Service that centralizes, correlates, prioritizes and automates the entire stack of security vulnerabilities and remediation workflow. Prior to HoneyApps, Ed served as the Chief Information Security Officer for Orbitz, the well known online travel agency where he built and led the information security program and personnel for over 6 years. Ed has over 18 years experience in information security and technology.
He is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as IANS Security Forum, SaaScon, AppSec DC, BlackHat, CSO Perspectives, MIS Institute, and several others. Additionally, Ed is a contributing author to the book Beautiful Security by O’Reilly and a blogger on CSO Online.

For a summary of the presentation please see http://www.madirish.net/justin/security-intelligence-philly-owasp-ed-bellis

'''Directions:'''
The building entrance faces the intersection of 34th and Walnut
streets and the room is on the third floor. Folks should bring
identification and let the guard know they're coming for the OWASP
meeting.

== Previous Meeting: '''Monday, April 11th, from 6:30 - 8:00 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 322'''

'''When:''' Monday, April 11th from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 322, Philadelphia

'''Topic: TBD'''

Supervisory Special Agent Brian Herrick of the Philadelphia FBI - Cyber Squad

The building entrance faces the intersection of 34th and Walnut
streets and the room is on the third floor. Folks should bring
identification and let the guard know they're coming for the OWASP
meeting.

== Previous Meeting: '''Monday, March 7th, from 6:30 - 8:00 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 322'''

'''When:''' Monday, March 7th from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 322, Philadelphia

'''The Power of Code Review'''

Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security.
*As a volunteer to OWASP, Dave is:
*A member of the OWASP Board,
*The OWASP Conferences Chair,
*Project lead and coauthor of the OWASP Top 10,
*Coauthor of the OWASP Application Security Verification Standard, and
*Contributor to the OWASP Enterprise Security API (ESAPI) project.

The building entrance faces the intersection of 34th and Walnut
streets and the room is on the third floor. Folks should bring
identification and let the guard know they're coming for the OWASP
meeting.

For a write up of the meeting please see http://www.madirish.net/justin/owasp-philadelphia-march-7-2011-meeting

== Previous Meeting: '''Tuesday, August 17th, 2010 6:30pm - 8:00pm''' ==
'''OWASP Philly/ Meeting - 307 Levine Hall'''

'''When:''' Tuesday, August 17th, from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, 307 Levine Hall, Philadelphia

'''Mobile App Security Techniques'''

Look left, look right, look in your pocket, you probably glanced over a cellular phone. These devices are getting more and more pervasive in today's society. More importantly they are getting very powerful. This new market of software users have been the catalyst of the "app" boom. Everyone is jumping on board and developing mobile applications. This influx of mobile application development means there are a large number of mobile applications that get rushed to the market before they can be properly reviewed from a security standpoint. So guess what, more bugs for the taking!

In this talk we will lay out a few basic techniques that we use when we perform mobile application assessments, highlight possible pit falls that one should be aware and hopefully give those up and coming mobile application penetration testers a leg up on the competition.

'''Raj Umadas''' is a Consultant with the Intrepidus Group. Mr. Umadas graduated Summa Cum-Laude from The Polytechnic Institute of NYU with a BS in Computer Engineering. At NYU:Poly, Mr. Umadas pursued a highly expansive computer security curriculum. He is just as comfortable sniffing out a memory corruption bug as he is assessing the risk management decisions of large projects.

Coupled with Mr. Umadas' fresh academic outlook on security, he obtained a no-nonsense business sense of security while working in an Information Risk Management arm of a large investment bank. Corporate governance, segregation of duties, and SOX compliance were all daily concerns for Mr. Umadas.

Mr. Umadas is eager to establish his own niche in the security world where he will be the catalyst of some very major innovation. With his strong academics, proven real world experience, and never-say-no attitude; it is only a matter of time.

For a summary of this presentation please see http://www.madirish.net/security-tools/470

== Previous Meeting: '''Tuesday, July 20th, 2010 6:30pm - 8:30pm''' ==
'''OWASP Philly/ Meeting - University of Pennsylvania - Philadelphia'''

All are welcome to join us on Tuesday as we discuss web application security.

When: Tuesday, July 20th, 2010 6:30pm - 8:30pm 
Where: Fisher-Bennett Room 401, University of Pennsylvania 
3340 Walnut Street St.
Philadelphia, PA 19104

'''Agenda:''' 
1.) Opening Remarks 
2.) Balancing Security & Usability, Justin Klein Keane 
3.) Arshan Dabirsiaghi - Aspect Security 
4.) Informal meetup afterwards at New Deck

[http://owaspphiladelphia.eventbrite.com/ Please RSVP]

[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3330+Walnut+St.,+Philadelphia,+Pennsylvania+19104&sll=39.953372,-75.191352&sspn=0.006678,0.013797&ie=UTF8&hq=&hnear=3330+Walnut+St,+Philadelphia,+Pennsylvania+19104&ll=39.954787,-75.191352&spn=0.006678,0.013797&z=16&iwloc=A&iwstate1=dir Directions to Fisher-Bennett]

Questions should be directed to [mailto:aaron.weaver2@gmail.com Aaron Weaver]

'''User Interface and Security in Web Applications'''

Security is often seen as a competing priority to good user experience, but the two are not diametrically opposed. Good user experience is essential to good security. Without ease of use, most people simply ignore or bypass security protections in systems. In order to craft effective security measures it is essential to take user experience into consideration. With the meteoric growth of web applications as a medium for service delivery it is critical to deploy good security measures. Web applications offer an always on, globally available target for attackers. Users need to be allies in the drive for application security, but far too often security measures are presented as onerous, time consuming, bothersome add-on's to web applications rather than seamlessly integrated, easy to use, user friendly features. In this talk I propose to explore some of the reasons why good security in web applications matters and how you can make security effective by making it easy to use.

'''Speaker: Justin Klein Keane'''

Bio: Justin C. Klein Keane has over 8 years of experience in information
security starting with his role as Editor in Chief of the Hack in the
Box e-zine. Currently Justin works as in Information Security
Specialist with the University of Pennsylvania School of Arts and
Sciences' Information Security and Unix Systems group. Justin's past
work included several positions as a web application developer, often
utilizing PHP. Justin is a regular contributer to the Full-Disclosure
mailing list and is credited with dozens of vulnerability discoveries.
Justin holds several ethical hacking and penetration testing
certifications and regularly posts computer security related articles on
his website http://www.MadIrish.net.

== Previous Meeting: '''Thursday, December 3rd, 2009 6:30pm - 8:30pm''' ==
'''OWASP Philly/ Meeting - University of Pennsylvania - Philadelphia'''

'''This is a joint meeting with the [http://www.meetup.com/phillyphp/ Philadelphia Area PHP Meetup group]'''. All are welcome to join us on Tuesday as we discuss web application security.

When: December 3rd, 2009 6:30pm - 8:30pm 
Where: Wu & Chen Auditorium, Levine Hall, University of Pennsylvania 
3330 Walnut St.
Philadelphia, PA 19104

'''Agenda:''' 
1.) Opening Remarks 
2.) Discovering PHP Vulnerabilities Via Code Auditing, Justin Klein Keane 
3.) TBD: Bruce Diamond 

[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3330+Walnut+St.,+Philadelphia,+Pennsylvania+19104.&sll=39.953372,-75.191352&sspn=0.006678,0.013797&ie=UTF8&hq=&hnear=3330+Walnut+St,+Philadelphia,+Pennsylvania+19104&ll=39.954787,-75.191352&spn=0.006678,0.013797&z=16&iwloc=A&iwstate1=dir Directions to Levine Hall]

Questions should be directed to [mailto:darian@criticode.com Darian Anthony Patrick]

'''Discovering PHP Vulnerabilities Via Code Auditing'''

Abstract: PHP provides an accessible, easy to use platform for developing dynamic
web applications. As the number of web based applications grow, so too
does the threat from external attackers. The open and global nature of
the web means that web applications are exposed to attack from around
the world around the clock. Automated web application vulnerability
scanning technology is still very much in its infancy, and unable to
identify complex vulnerabilities that could lead to complete server
compromise. While intrusion detection systems prove very valuable in
detecting attacks, the best way to prevent vulnerabilities is to engage
in active code review. There are many advantages of direct code review
over automated testing, from the ability to identify complex edge
scenario vulnerabilities to finding non-exploitable flaws and fixing
them proactively. Many vulnerabilities in PHP based web applications
are introduced with common misuse of the language or misunderstanding of
how functions can be safely utilized. By understanding the common ways
in which vulnerabilities are introduced into PHP code it becomes easy to
quickly and accurately review PHP code and identify problems. In
addition to common problems, PHP includes some obscure functionality
that can lead developers to unwittingly introduce vulnerabilities into
their applications. By understanding the security implications of some
common PHP functions, code reviewers can pinpoint the use of such
functions in code and inspect them to ensure safety.

Speaker: Justin Klein Keane

Bio: Justin C. Klein Keane has over 8 years of experience in information
security starting with his role as Editor in Chief of the Hack in the
Box e-zine. Currently Justin works as in Information Security
Specialist with the University of Pennsylvania School of Arts and
Sciences' Information Security and Unix Systems group. Justin's past
work included several positions as a web application developer, often
utilizing PHP. Justin is a regular contributer to the Full-Disclosure
mailing list and is credited with dozens of vulnerability discoveries.
Justin holds several ethical hacking and penetration testing
certifications and regularly posts computer security related articles on
his website http://www.MadIrish.net.

----

== Previous Meeting: '''October 27th, 2009 6:00pm - 9:00pm''' ==
'''OWASP Philly Meeting - Comcast - Philadelphia'''

Presentations: 
[http://www.owasp.org/images/7/79/Agile_Practices_and_Methods.ppt Agile Practices and Methods] 
[http://www.owasp.org/images/d/d0/OWASP-AJAX-Final.ppt AJAX Security] 
[http://www.owasp.org/images/0/06/Adobe_AMF.ppt Adobe AMF] 

Food and space provided by Comcast.

'''Sponsor:'''
[[Image:comcastlogo.gif]]

When: October 27th, 2009 6:00pm - 9:00pm
Where: Floor (TBD), Comcast, 1701 John F Kennedy Blvd Philadelphia, PA 08054

'''Agenda:''' 
1.) OWASP Meeting Opening Remarks: Bruce A. Kaalund Director, Product Security 
2.) Development Issues Within AJAX Applications: How to Divert Threats: Tom Tucker, Cenzic 
3.) Agile Software Development Principles and Practices : Ravindar Gujral, Agile Philadelphia 
4.) Testing Adobe Flex/SWF's, focusing on flash remoting (AMF): Aaron Weaver, Pearson eCollege 

[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1701+John+F+Kennedy+Blvd+philadelphia&sll=39.954255,-75.16839&sspn=0.006908,0.013711&ie=UTF8&hq=&hnear=1701+John+F+Kennedy+Blvd,+Philadelphia,+Pennsylvania+19103&ll=39.956185,-75.168393&spn=0.006908,0.013711&t=h&z=16&iwloc=A Directions to Comcast]

'''Development Issues Within AJAX Applications: How to Divert Threats'''

Speaker: Tom Tucker

Bio: Tom Tucker has over 25 years of experience within the enterprise hardware, software, network, and security market. As a Senior Systems Engineer at Cenzic, Tom works directly with customers to protect their Web applications from hacker attacks. Previously Tom's worked with Tier 1 and Tier 2 Network Service Providers such as BBN, GTE, AT&T, iPass, New Edge Networks and MegaPath Networks, designing firewall, VPN, WAN, LAN and Hosting solutions. Tom was also the Director of Intranet Engineering for Associates Information Services (now a part of Citigroup) implementing secure Internet technology solutions for both internal and external application delivery.

----

== Previous Meeting: '''Wednesday June 24th 2009, 6:30 PM - 8:00 PM''' ==
'''OWASP Philly Meeting - AccessIT Group - King of Prussia'''

Pizza provided by AccessIT Group.

'''Sponsors:'''
[[Image:Logo_accessitgroup.gif]][[Image:Sanslogo_vertical.jpg]]

'''Agenda:''' 
1.) OWASP Introduction 
2.) How to Analyze Malicious Flash Programs - Lenny Zeltser 
3.) OWASP .NET, OWASP Report Generator,OWASP Cryttr/Encrypted Syndication - Mark Roxberry 

[http://atlas.mapquest.com/maps/map.adp?formtype=address&country=US&popflag=0&latitude=&longitude=&name=&phone=&level=&addtohistory=&cat=Access+It+Group+Inc&address=2000+Valley+Forge+Cir&city=King+of+Prussia&state=PA&zipcode=19406 Directions]

2000 Valley Forge Circle 
Suite 106 
King of Prussia, PA 19406 

AccessIT Group is located in the 2000 Building (middle building) of the Valley
Forge Towers. The offices are located on the bottom floor of the
building. Parking is available in the front or rear of the building.

'''How to Analyze Malicious Flash Programs'''

by Lenny Zeltser (http://www.zeltser.com)

'''About the talk:'''
Attackers increasingly use malicious Flash programs, often in the form of banner ads, as initial infection vectors. Obfuscation techniques and multiple Flash virtual machines complicate this task of analyzing such threats. Come to learn insights, tools and techniques for reverse-engineering this category of browser malware.

'''Bio:'''
Lenny Zeltser leads the security consulting practice at Savvis. He is also a board of directors member at SANS Technology Institute, a SANS faculty member, and an incident handler at the Internet Storm Center. Lenny frequently speaks on information security and related business topics at conferences and private events, writes articles, and has co-authored several books. Lenny is one of the few individuals in the world who've earned the highly-regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania. You can stay in touch with him via http://twitter.com/lennyzeltser.

'''OWASP .NET, OWASP Report Generator, OWASP Cryttr / Encrypted Syndication'''

by Mark Roxberry

About the talk: Mark is looking to generate some interest in participating in OWASP projects. He will be speaking about projects that he is involved in and hoping to recruit folks who have time, energy and motivation to help out.

Bio: Mark Roxberry is a frequent contributor of research and code to OWASP. His credits include OWASP Testing Guide contributor and reviewer, the OWASP .NET Project Lead, the OWASP Report Generator Lead and just recently the OWASP Encrypted Syndication Lead. He is a Senior Consultant at Database Solutions in King of Prussia. Mark has a B.S. in Russian Technical Translation from the Pennsylvania State University and has the CEH and CISSP certificates hanging in his bunker where he tries to figure out how to hack into Skynet when it comes online.

== Previous Meetings ==

Next Meeting: '''October 28th 2008, 6:30 PM - 8:00 PM'''
 OWASP Philly Meeting - Protiviti - Two Libery Place Philadelphia

Come join us in Philadelphia as we discuss web application security.

'''Agenda:''' 
1.) Web Application Security and PCI requirements (V 1.1 and 1.2) 
2.) Clickjacking: What is it and should we be concerned about it? 
3.) Summary of OWASP conference in New York.

[Google Directions][http://maps.google.com/maps?q=50+South+16th+St+Philadelphia,+PA&ie=UTF-8&oe=utf-8&rls=org.mozilla:en-US:official&client=firefox-a&um=1&sa=X&oi=geocode_result&resnum=1&ct=title]

Two Libery Place 50 South 16th St 
Suite 2900 
Philadelphia, PA 19102 USA 

[[Category:Pennsylvania]]

Philadelphia

2015-11-04T15:24:22Z

Aaron.weaver2:

{{Chapter Template|chaptername=Philadelphia|extra=The chapter leaders are [mailto:aaron.weaver2@gmail.com Aaron Weaver], [mailto:john.baek@btbsecurity.com John Baek], and [mailto:justin@madirish.net Justin C. Klein Keane].

Follow us [https://twitter.com/phillyowasp @phillyowasp]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-philadelphia|emailarchives=http://lists.owasp.org/pipermail/owasp-philadelphia}}

== Next Meeting '''Tuesday, November 17, 2015 from 5:00 PM - 7:30 PM'''==

'''When:'''Tuesday, November 17, 2015 from 5:00 PM - 7:30 PM 
'''Where:'''OSIsoft 1700 Market Street, Suite 2201 Philadelphia (22nd Floor, signs for the conference room will be posted.)

'''Please [https://www.eventbrite.com/e/owasp-chapter-meeting-at-osisoft-tickets-19402906616 register] so that we can get an accurate count for ordering Pizza.'''

'''Topic: Title: IoT Beyond the Hype''' 
'''Presenter:''' Justin C. Klein Keane is the security architect for ThingWorx (http://www.thingworx.com), a PTC business, that makes IoT development framework software. Justin has over 15 years of experience in the security field and is a major contributor to the OWASP IoT Project (https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project), a member of the Build it Securely group (BuildItSecure.ly), the Securing Smart Cities project (http://securingsmartcities.org), and an official contributor to the Online Trust Alliance feedback to the Federal Trade Commission's proposed guidelines on IoT security and privacy (https://otalliance.org/iot-comments-draft-trust-framework).

'''Abstract:''' IoT security is one of the most exciting new fields in the industry, but few understand its scope beyond hacking your connected toaster. Hospitals, industry, and agriculture are all leveraging IoT to realize value from big data, predictive analytics, remote management, and cloud connectivity. IoT is more than just the next evolution from desktop to web to mobile to cloud. IoT presents very real, and new, challenges, including machine to machine (M2M) trust, transitive ownership, and more. The OWASP IoT Project seeks to define this new problem space, enumerate common vulnerabilities, and propose methodologies for secure development. This talk will provide an overview of the OWASP IoT Project and movement in the problem space that goes well beyond hacking cars and baby monitors.

'''Topic: Title: Getting out of the Comfort Zone''' 
'''Presenter:''' Aaron Weaver, Associate Director - Application Security, Protiviti

'''Abstract:''' In the last few years the development and operation practices have changed significantly in many organizations. Many organizations are embracing DevOps and what started out as an idea a few years ago with startups and large cloud companies is now being adopted by banks and traditional retailers. We in the security community need to be part of this change or we will be ignored or bypassed. It's time for security to look for news ways to enable change in a secure manner while still allowing the business to move at the speed they require.

== Previous Meeting '''Tuesday, October 20, 2015 from 5:00 PM - 7:00 PM'''==

'''When:''' Tuesday, October 20, 2015 from 5:00 PM - 7:00 PM 
'''Where:''' Temple University, SERC (1925 N 12th Street, Philadelphia) room 358

'''Topic: OWASP Primer - Security and Penetration Testing''' 
'''Presenter:''' John Baek, OSCP, CISSP, CISA

'''Abstract:'''

Forthcoming

== Previous Meeting '''Thursday, July 30, 2015 from 11:30 AM - 1:00 PM'''==

'''When:''' Thursday, July 30, 2015 from 11:30 AM - 1:00 PM 
'''Where:''' Giordano's Pizza 633 E Cypress St, Kennett Square, PA 19348

'''Topic: Building an AppSec Pipeline''' 
'''Presenter:''' Aaron Weaver

'''Abstract:'''

Are you currently running an AppSec program? AppSec programs fall into a odd middle ground; highly technical interactions with the dev and ops teams yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business all while making sure you're catching vulnerabilities as early and often as possible?

This talk will discuss a real world case study of an AppSec Pipeline. The pipeline starts with "Bag of Holding", an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place. This talk will cover the motivation behind an AppSec pipeline, its implementation and how it can help you get the most out of your AppSec program.

'''Topic: Back to Basics: Application Assessment 101 - Pen Test Using Proxy Tool (Burp Suite Pro/ZAP)''' 
'''Presenter:''' John Baek

'''Abstract:'''

We will drill down one aspect of web application assessment: web app penetration test. We'll discuss a popular tool for performing web app pen test and what the tester needs to understand to make it a successful/useful assessment. The techniques presented here can be used in your SDLC to look for security flaws (hopefully prior to the production release).

== Previous Meeting: '''Thursday, September 25th, 2014 from 11:30 AM - 1:30 PM''' ==

'''OWASP Philly/ Lunch Meeting Thursday September 25th'''

'''When:''' Thursday, September 25th, 2014 from 11:30 - 1:30 PM 
'''Where:''' Protiviti - 50 S 16th St, Philadelphia, PA 19102

Food will be provided, [http://www.eventbrite.com/e/owasp-philly-lunch-meeting-tickets-13142911803 please RSVP].

'''Topic: Securing The Android Apps On Your Wrist and Face''' 
'''Presenter:''' Jack Mannino

'''Abstract:'''

Android Wear introduces new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.

Many of the same issues we’re familiar with from past Android experiences are still relevant, while some issues are less impactful or not (currently) possible within existing wearables. At the same time, extending the app’s trust boundaries introduces new points of exposure for developers to be aware of in order to proactively defend against attacks. We want to highlight these areas, which developers may not be aware of when adding a wearable component to an existing app.

In this presentation, we will explore how Android Wear works underneath the hood. We will examine its methods of communication, data replication, and persistence options. We will examine how these applications into the Android development ecosystem and the new risks to privacy and security that need to be considered. Our goal isn’t to deter developers from building wearable apps, but to enable them to make strong security decisions throughout development.

'''Bio:'''

Jack Mannino is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android and code written in Scala. He’s also an optimistic New York Mets fan, although that optimism slowly fades away every summer.

== Previous Meeting: '''Tuesday, March 11, 2014 from 6:00 - 7:30 PM''' ==

'''OWASP Philly/ Meeting '''

'''When:''' Tuesday, March 11, 2014 from 6:000 - 7:30 PM 
'''Where:''' 3220 Market St. Room 369

'''Topic: Proven Strategies for Web Application Security''' 
'''Presenter:''' Justin C. Klein Keane and Aaron Weaver

'''Abstract:'''

The rising dominance of the web as an application delivery platform has focused attacker attention squarely on the security of dynamic web applications. Application security is a complex, and shifting, field. Learn about and discuss tested and successful techniques to build safer applications, find flaws before they become vulnerabilities, and deploy applications that can detect, and resist attack. Includes a discussion of common web application vulnerabilities such as the OWASP Top 10.

== Previous Meeting: '''Tuesday,August 13th, 2013 from 7:000 - 8:30 PM''' ==
'''OWASP Philly/ Meeting '''

'''When:''' Tuesday ,August 13th, 2013 from 7:000 - 8:30 PM 
'''Where:''' University of Pennsylvania, [http://www.facilities.upenn.edu/maps/locations/fisher-bennett-hall Fisher-Bennett Hall] room 322

'''Topic: HTML5 Security''' 
'''Presenter:''' Justin C. Klein Keane or others

'''Abstract:'''

HTML 5 Security

While HTML 5 is a wonderful tool for developer, the new features also present some new security challenges. Security in HTML 5 is a widely varied topic and we may not yet understand all of the security challenges it will bring. HTML 5 poses a major paradigm shift in the way that web applications are delivered and consumed and time will tell whether this will result in a net positive or negative for security. The new anti-XSS mitigation features of HTML 5 are amazing, and well worth investigating if you're looking to develop a new application.

Presentation material available at https://sites.sas.upenn.edu/kleinkeane/presentations/html-5-security

'''Reminder:'''

OWASP App Sec USA is coming up in November in NYC (http://appsecusa.org/2013/)! It's a short trip and an awesome opportunity to hear some really great talks. If folks want to go, please register with the discount code "Support_PHI" to support the chapter. Additionally, if you're going to go, it's $50 cheaper if you're an OWASP member, and individual membership only costs $50 (https://owasp.org/index.php/Individual_Member) so join!

'''Upcoming Events:'''
* Friday, October 11 is [http://drupaldelphia.com/ Drupaldelphia], at the Philadelphia Convention Center
* Friday-Sunday, October 25-27 is [http://pumpcon.org/ Pumpcon] in Philadelphia, follow [https://twitter.com/pumpcon @pumpcon]

== Previous Meeting: '''Tuesday, January 8th, 2013 from 7:000 - 8:30 PM''' ==
'''OWASP Philly/ Meeting - University of Pennsylvania, Fisher-Bennett Hall Hall Room 224'''

'''When:''' Tuesday, January 8th, 2013 from 7:000 - 8:30 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall Hall Room 224

'''Topic: Capture the Flag Exercise''' 
'''Presenter:''' Justin C. Klein Keane

'''Abstract:'''

NB: Please RSVP to jukeane@sas.upenn.edu for this meeting if you plan to attend so that we can provide sufficient materials for all attendees.

Capture the Flag (CTF) exercise. Come learn about how web applications are compromised by actually breaking one yourself. This hands on exercise will guide attendees through common web application vulnerabilities and their potential impact by allowing participants to utilize tools to test and attack a target web application in a controlled environment. The exercise will include a vulnerable virtual machine image and documentation on one of many possible routes to complete the exercise.

This meeting will be lead by Justin Klein Keane, a veteran of web application capture the flag exercises and maintainer of the LAMPSecurity project on SourceForge.net (https://sourceforge.net/projects/lampsecurity). This exercise will be released as part of the LAMPSecurity project after the meeting.

== Previous Meeting: '''Tuesday, November 27th, 2012 from 7:000 - 8:30 PM''' ==
'''OWASP Philly/ Meeting - Meyerson Hall, Room B4'''

'''When:''' Tuesday, November 27th from 7:000 - 8:30 PM 
'''Where:''' University of Pennsylvania, Meyerson Hall, Room B4, Philadelphia

'''Penetration Testing - Attack Vector and Vulnerability Trends''' 
'''Presenter:''' Shannon Schriver and Garrett Fails

'''Abstract:'''

The more things change, the more they stay the same. Even though the Top Ten hasn't been updated since 2010, the vulnerabilities that are prevalent in the wild in 2012 still map directly to items on the list.

Shannon Schriver and Garrett Fails, penetration testers for PwC, will be discussing the most successful web application vulnerabilities and attack vectors that they have used during client penetration tests in 2012. Topics will include local file inclusion, insecure administrative consoles (including JBoss and Tomcat), and WPAD man-in-the-middle browser vulnerabilities.

== Previous Meeting: '''Monday April 16th, 2012, from 7:00 - 8:30 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 231'''

'''When:''' Monday, Monday April 16th from 7:000 - 8:03 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 231, Philadelphia

'''HECTOR, our evolving security intelligence platform''' 
'''Presenter:''' Justin Klein Keane

'''Abstract:'''

Asset management is an ever present challenge for any IT organization,
and especially so for information security groups. Even more
challenging is data aggregation for intelligent security analysis (or
security intelligence). HECTOR is an effort by the University of
Pennsylvania's School of Arts and Sciences to provide such a security
intelligence platform. Organizing assets, scanning for vulnerabilities
and profiles, correlating attacks on your network to services offered by
hosts, tracking changes, following remediation, and making information
available to multiple users via a web interface are all goals of HECTOR.
HECTOR leverages honeypot technology, darknet sensors, port scans,
vulnerability scans, intrusion detection systems, the powerful open
source MySQL database, and a PHP based web front end to provide security
intelligence to security practitioners.

HECTOR is an evolving, open source effort that attempts to leverage a wide variety of tools and
information sources to empower security practitioners with better
insights as well as to track and trend security related data. Come hear
about HECTOR in advance the official open source launch at the Educause
Security Professionals 2012 conference. Presentation material will
include a discussion of the philosophy behind HECTOR, the open source
technologies that make HECTOR work, as well as design challenges and
solutions. Even if you don't end up using HECTOR the presentation seeks
to spur new ideas and ways of thinking about asset management and
security data.

== Previous Meeting: '''Friday September 16th, 2011, from 1:00 PM - 4:15 PM''' ==
'''Joint Meeting with ISSA-DV, Infragard - VWR International, Radnor Corporate Center'''

'''When:''' Friday September 16th, 1:00 PM 
'''Where:''' VWR International
Radnor Corporate Center
100 Matsonford Road
Wayne, PA 19087

'''Register:''' [http://www.issa-dv.org/meetings/registration.php Please register to attend this free conference]

===Agenda===

{| class="wikitable"
|-
| '''1:00 - 1:15'''
| '''OWASP, INFRAGARD, ISSA Joint Session'''
|''Registration''
|-
|'''1:15 – 2:00'''
|'''Dan Kuykendall, CTO NT Objectives'''
|''"Not Your Granddad's Web App."''
|-
|'''2:00 – 2:45'''
|'''Jack Mannino from nVisium Security'''
|''"Building Secure Android Apps"''
|-
|'''2:30 – 2:45'''
|'''BREAK'''
|
|-
|'''2:45 – 3:30'''
|'''CEO Matthew Jonkman Emergingthreats.net'''
|''Open Information Security Foundation (OISF Suricata)''
|-
|'''3:30 – 4:15'''
|'''Aaron Weaver - OWASP'''
|''Breaking Botnets: Finding App Vulnerabilities in Botnet Command & Control servers''
|}

'''Directions to [http://www.mapquest.com/maps?address=100+Matsonford+Rd&city=Radnor&state=PA&zipcode=19087 VWR International]'''

== Previous Meeting: '''Monday June 20th, from 6:30 - 8:00 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 231'''

'''When:''' Monday, June 20th from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 231, Philadelphia

''Three lightning round presentations'' - Each presentation will be about 20 minutes long

* Using PHP for Security - Justin C. Klein Keane
* Perl for AppSec - Darian Anthony Patrick
* What does your metadata say about your organization? A look at the open source tool Foca - Aaron Weaver

Thanks to Penn for hosting the OWASP event!

'''Directions:'''
The building entrance faces the intersection of 34th and Walnut
streets and the room is on the third floor. Folks should bring
identification and if the guard asks let him know you are coming to the OWASP
meeting.

== Previous Meeting: '''Monday, May 23rd, from 6:30 - 8:00 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 231'''

'''When:''' Monday, May 23rd from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 231, Philadelphia

'' The Search for Intelligent Life''

'''Synopsis:''' For years organizations have been mining and culling data warehouses to measure every layer of their business right down to the clickstream information of their web sites. These business intelligence tools have helped organizations identify points of poor product performance, highlighting areas of current and potential future demand, key performance indicators, etc. In the information security field we still tend to look at our information in silos. Dedicated engineers solely focused on web application security, network security, compliance and so on, all while bemoaning a lack of information and decision support.

In this talk, Ed will cover some of the many sources of security data publicly available and how to apply them to add context to your security data and tools to help make more intelligent decisions. Ed also points out a number of ways to repurpose information and tools your company is already using in order to glean a clearer view into your security and the threats that may effect it.

'''Bio:''' Ed Bellis is the CEO of HoneyApps Inc, a vulnerability management Software as a Service that centralizes, correlates, prioritizes and automates the entire stack of security vulnerabilities and remediation workflow. Prior to HoneyApps, Ed served as the Chief Information Security Officer for Orbitz, the well known online travel agency where he built and led the information security program and personnel for over 6 years. Ed has over 18 years experience in information security and technology.
He is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as IANS Security Forum, SaaScon, AppSec DC, BlackHat, CSO Perspectives, MIS Institute, and several others. Additionally, Ed is a contributing author to the book Beautiful Security by O’Reilly and a blogger on CSO Online.

For a summary of the presentation please see http://www.madirish.net/justin/security-intelligence-philly-owasp-ed-bellis

'''Directions:'''
The building entrance faces the intersection of 34th and Walnut
streets and the room is on the third floor. Folks should bring
identification and let the guard know they're coming for the OWASP
meeting.

== Previous Meeting: '''Monday, April 11th, from 6:30 - 8:00 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 322'''

'''When:''' Monday, April 11th from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 322, Philadelphia

'''Topic: TBD'''

Supervisory Special Agent Brian Herrick of the Philadelphia FBI - Cyber Squad

The building entrance faces the intersection of 34th and Walnut
streets and the room is on the third floor. Folks should bring
identification and let the guard know they're coming for the OWASP
meeting.

== Previous Meeting: '''Monday, March 7th, from 6:30 - 8:00 PM''' ==
'''OWASP Philly/ Meeting - Fisher-Bennett Hall - 322'''

'''When:''' Monday, March 7th from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, Fisher-Bennett Hall - 322, Philadelphia

'''The Power of Code Review'''

Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security.
*As a volunteer to OWASP, Dave is:
*A member of the OWASP Board,
*The OWASP Conferences Chair,
*Project lead and coauthor of the OWASP Top 10,
*Coauthor of the OWASP Application Security Verification Standard, and
*Contributor to the OWASP Enterprise Security API (ESAPI) project.

The building entrance faces the intersection of 34th and Walnut
streets and the room is on the third floor. Folks should bring
identification and let the guard know they're coming for the OWASP
meeting.

For a write up of the meeting please see http://www.madirish.net/justin/owasp-philadelphia-march-7-2011-meeting

== Previous Meeting: '''Tuesday, August 17th, 2010 6:30pm - 8:00pm''' ==
'''OWASP Philly/ Meeting - 307 Levine Hall'''

'''When:''' Tuesday, August 17th, from 6:30 - 8:00 PM 
'''Where:''' University of Pennsylvania, 307 Levine Hall, Philadelphia

'''Mobile App Security Techniques'''

Look left, look right, look in your pocket, you probably glanced over a cellular phone. These devices are getting more and more pervasive in today's society. More importantly they are getting very powerful. This new market of software users have been the catalyst of the "app" boom. Everyone is jumping on board and developing mobile applications. This influx of mobile application development means there are a large number of mobile applications that get rushed to the market before they can be properly reviewed from a security standpoint. So guess what, more bugs for the taking!

In this talk we will lay out a few basic techniques that we use when we perform mobile application assessments, highlight possible pit falls that one should be aware and hopefully give those up and coming mobile application penetration testers a leg up on the competition.

'''Raj Umadas''' is a Consultant with the Intrepidus Group. Mr. Umadas graduated Summa Cum-Laude from The Polytechnic Institute of NYU with a BS in Computer Engineering. At NYU:Poly, Mr. Umadas pursued a highly expansive computer security curriculum. He is just as comfortable sniffing out a memory corruption bug as he is assessing the risk management decisions of large projects.

Coupled with Mr. Umadas' fresh academic outlook on security, he obtained a no-nonsense business sense of security while working in an Information Risk Management arm of a large investment bank. Corporate governance, segregation of duties, and SOX compliance were all daily concerns for Mr. Umadas.

Mr. Umadas is eager to establish his own niche in the security world where he will be the catalyst of some very major innovation. With his strong academics, proven real world experience, and never-say-no attitude; it is only a matter of time.

For a summary of this presentation please see http://www.madirish.net/security-tools/470

== Previous Meeting: '''Tuesday, July 20th, 2010 6:30pm - 8:30pm''' ==
'''OWASP Philly/ Meeting - University of Pennsylvania - Philadelphia'''

All are welcome to join us on Tuesday as we discuss web application security.

When: Tuesday, July 20th, 2010 6:30pm - 8:30pm 
Where: Fisher-Bennett Room 401, University of Pennsylvania 
3340 Walnut Street St.
Philadelphia, PA 19104

'''Agenda:''' 
1.) Opening Remarks 
2.) Balancing Security & Usability, Justin Klein Keane 
3.) Arshan Dabirsiaghi - Aspect Security 
4.) Informal meetup afterwards at New Deck

[http://owaspphiladelphia.eventbrite.com/ Please RSVP]

[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3330+Walnut+St.,+Philadelphia,+Pennsylvania+19104&sll=39.953372,-75.191352&sspn=0.006678,0.013797&ie=UTF8&hq=&hnear=3330+Walnut+St,+Philadelphia,+Pennsylvania+19104&ll=39.954787,-75.191352&spn=0.006678,0.013797&z=16&iwloc=A&iwstate1=dir Directions to Fisher-Bennett]

Questions should be directed to [mailto:aaron.weaver2@gmail.com Aaron Weaver]

'''User Interface and Security in Web Applications'''

Security is often seen as a competing priority to good user experience, but the two are not diametrically opposed. Good user experience is essential to good security. Without ease of use, most people simply ignore or bypass security protections in systems. In order to craft effective security measures it is essential to take user experience into consideration. With the meteoric growth of web applications as a medium for service delivery it is critical to deploy good security measures. Web applications offer an always on, globally available target for attackers. Users need to be allies in the drive for application security, but far too often security measures are presented as onerous, time consuming, bothersome add-on's to web applications rather than seamlessly integrated, easy to use, user friendly features. In this talk I propose to explore some of the reasons why good security in web applications matters and how you can make security effective by making it easy to use.

'''Speaker: Justin Klein Keane'''

Bio: Justin C. Klein Keane has over 8 years of experience in information
security starting with his role as Editor in Chief of the Hack in the
Box e-zine. Currently Justin works as in Information Security
Specialist with the University of Pennsylvania School of Arts and
Sciences' Information Security and Unix Systems group. Justin's past
work included several positions as a web application developer, often
utilizing PHP. Justin is a regular contributer to the Full-Disclosure
mailing list and is credited with dozens of vulnerability discoveries.
Justin holds several ethical hacking and penetration testing
certifications and regularly posts computer security related articles on
his website http://www.MadIrish.net.

== Previous Meeting: '''Thursday, December 3rd, 2009 6:30pm - 8:30pm''' ==
'''OWASP Philly/ Meeting - University of Pennsylvania - Philadelphia'''

'''This is a joint meeting with the [http://www.meetup.com/phillyphp/ Philadelphia Area PHP Meetup group]'''. All are welcome to join us on Tuesday as we discuss web application security.

When: December 3rd, 2009 6:30pm - 8:30pm 
Where: Wu & Chen Auditorium, Levine Hall, University of Pennsylvania 
3330 Walnut St.
Philadelphia, PA 19104

'''Agenda:''' 
1.) Opening Remarks 
2.) Discovering PHP Vulnerabilities Via Code Auditing, Justin Klein Keane 
3.) TBD: Bruce Diamond 

[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3330+Walnut+St.,+Philadelphia,+Pennsylvania+19104.&sll=39.953372,-75.191352&sspn=0.006678,0.013797&ie=UTF8&hq=&hnear=3330+Walnut+St,+Philadelphia,+Pennsylvania+19104&ll=39.954787,-75.191352&spn=0.006678,0.013797&z=16&iwloc=A&iwstate1=dir Directions to Levine Hall]

Questions should be directed to [mailto:darian@criticode.com Darian Anthony Patrick]

'''Discovering PHP Vulnerabilities Via Code Auditing'''

Abstract: PHP provides an accessible, easy to use platform for developing dynamic
web applications. As the number of web based applications grow, so too
does the threat from external attackers. The open and global nature of
the web means that web applications are exposed to attack from around
the world around the clock. Automated web application vulnerability
scanning technology is still very much in its infancy, and unable to
identify complex vulnerabilities that could lead to complete server
compromise. While intrusion detection systems prove very valuable in
detecting attacks, the best way to prevent vulnerabilities is to engage
in active code review. There are many advantages of direct code review
over automated testing, from the ability to identify complex edge
scenario vulnerabilities to finding non-exploitable flaws and fixing
them proactively. Many vulnerabilities in PHP based web applications
are introduced with common misuse of the language or misunderstanding of
how functions can be safely utilized. By understanding the common ways
in which vulnerabilities are introduced into PHP code it becomes easy to
quickly and accurately review PHP code and identify problems. In
addition to common problems, PHP includes some obscure functionality
that can lead developers to unwittingly introduce vulnerabilities into
their applications. By understanding the security implications of some
common PHP functions, code reviewers can pinpoint the use of such
functions in code and inspect them to ensure safety.

Speaker: Justin Klein Keane

Bio: Justin C. Klein Keane has over 8 years of experience in information
security starting with his role as Editor in Chief of the Hack in the
Box e-zine. Currently Justin works as in Information Security
Specialist with the University of Pennsylvania School of Arts and
Sciences' Information Security and Unix Systems group. Justin's past
work included several positions as a web application developer, often
utilizing PHP. Justin is a regular contributer to the Full-Disclosure
mailing list and is credited with dozens of vulnerability discoveries.
Justin holds several ethical hacking and penetration testing
certifications and regularly posts computer security related articles on
his website http://www.MadIrish.net.

----

== Previous Meeting: '''October 27th, 2009 6:00pm - 9:00pm''' ==
'''OWASP Philly Meeting - Comcast - Philadelphia'''

Presentations: 
[http://www.owasp.org/images/7/79/Agile_Practices_and_Methods.ppt Agile Practices and Methods] 
[http://www.owasp.org/images/d/d0/OWASP-AJAX-Final.ppt AJAX Security] 
[http://www.owasp.org/images/0/06/Adobe_AMF.ppt Adobe AMF] 

Food and space provided by Comcast.

'''Sponsor:'''
[[Image:comcastlogo.gif]]

When: October 27th, 2009 6:00pm - 9:00pm
Where: Floor (TBD), Comcast, 1701 John F Kennedy Blvd Philadelphia, PA 08054

'''Agenda:''' 
1.) OWASP Meeting Opening Remarks: Bruce A. Kaalund Director, Product Security 
2.) Development Issues Within AJAX Applications: How to Divert Threats: Tom Tucker, Cenzic 
3.) Agile Software Development Principles and Practices : Ravindar Gujral, Agile Philadelphia 
4.) Testing Adobe Flex/SWF's, focusing on flash remoting (AMF): Aaron Weaver, Pearson eCollege 

[http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1701+John+F+Kennedy+Blvd+philadelphia&sll=39.954255,-75.16839&sspn=0.006908,0.013711&ie=UTF8&hq=&hnear=1701+John+F+Kennedy+Blvd,+Philadelphia,+Pennsylvania+19103&ll=39.956185,-75.168393&spn=0.006908,0.013711&t=h&z=16&iwloc=A Directions to Comcast]

'''Development Issues Within AJAX Applications: How to Divert Threats'''

Speaker: Tom Tucker

Bio: Tom Tucker has over 25 years of experience within the enterprise hardware, software, network, and security market. As a Senior Systems Engineer at Cenzic, Tom works directly with customers to protect their Web applications from hacker attacks. Previously Tom's worked with Tier 1 and Tier 2 Network Service Providers such as BBN, GTE, AT&T, iPass, New Edge Networks and MegaPath Networks, designing firewall, VPN, WAN, LAN and Hosting solutions. Tom was also the Director of Intranet Engineering for Associates Information Services (now a part of Citigroup) implementing secure Internet technology solutions for both internal and external application delivery.

----

== Previous Meeting: '''Wednesday June 24th 2009, 6:30 PM - 8:00 PM''' ==
'''OWASP Philly Meeting - AccessIT Group - King of Prussia'''

Pizza provided by AccessIT Group.

'''Sponsors:'''
[[Image:Logo_accessitgroup.gif]][[Image:Sanslogo_vertical.jpg]]

'''Agenda:''' 
1.) OWASP Introduction 
2.) How to Analyze Malicious Flash Programs - Lenny Zeltser 
3.) OWASP .NET, OWASP Report Generator,OWASP Cryttr/Encrypted Syndication - Mark Roxberry 

[http://atlas.mapquest.com/maps/map.adp?formtype=address&country=US&popflag=0&latitude=&longitude=&name=&phone=&level=&addtohistory=&cat=Access+It+Group+Inc&address=2000+Valley+Forge+Cir&city=King+of+Prussia&state=PA&zipcode=19406 Directions]

2000 Valley Forge Circle 
Suite 106 
King of Prussia, PA 19406 

AccessIT Group is located in the 2000 Building (middle building) of the Valley
Forge Towers. The offices are located on the bottom floor of the
building. Parking is available in the front or rear of the building.

'''How to Analyze Malicious Flash Programs'''

by Lenny Zeltser (http://www.zeltser.com)

'''About the talk:'''
Attackers increasingly use malicious Flash programs, often in the form of banner ads, as initial infection vectors. Obfuscation techniques and multiple Flash virtual machines complicate this task of analyzing such threats. Come to learn insights, tools and techniques for reverse-engineering this category of browser malware.

'''Bio:'''
Lenny Zeltser leads the security consulting practice at Savvis. He is also a board of directors member at SANS Technology Institute, a SANS faculty member, and an incident handler at the Internet Storm Center. Lenny frequently speaks on information security and related business topics at conferences and private events, writes articles, and has co-authored several books. Lenny is one of the few individuals in the world who've earned the highly-regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania. You can stay in touch with him via http://twitter.com/lennyzeltser.

'''OWASP .NET, OWASP Report Generator, OWASP Cryttr / Encrypted Syndication'''

by Mark Roxberry

About the talk: Mark is looking to generate some interest in participating in OWASP projects. He will be speaking about projects that he is involved in and hoping to recruit folks who have time, energy and motivation to help out.

Bio: Mark Roxberry is a frequent contributor of research and code to OWASP. His credits include OWASP Testing Guide contributor and reviewer, the OWASP .NET Project Lead, the OWASP Report Generator Lead and just recently the OWASP Encrypted Syndication Lead. He is a Senior Consultant at Database Solutions in King of Prussia. Mark has a B.S. in Russian Technical Translation from the Pennsylvania State University and has the CEH and CISSP certificates hanging in his bunker where he tries to figure out how to hack into Skynet when it comes online.

== Previous Meetings ==

Next Meeting: '''October 28th 2008, 6:30 PM - 8:00 PM'''
 OWASP Philly Meeting - Protiviti - Two Libery Place Philadelphia

Come join us in Philadelphia as we discuss web application security.

'''Agenda:''' 
1.) Web Application Security and PCI requirements (V 1.1 and 1.2) 
2.) Clickjacking: What is it and should we be concerned about it? 
3.) Summary of OWASP conference in New York.

[Google Directions][http://maps.google.com/maps?q=50+South+16th+St+Philadelphia,+PA&ie=UTF-8&oe=utf-8&rls=org.mozilla:en-US:official&client=firefox-a&um=1&sa=X&oi=geocode_result&resnum=1&ct=title]

Two Libery Place 50 South 16th St 
Suite 2900 
Philadelphia, PA 19102 USA 

[[Category:Pennsylvania]]