OWASP - User contributions [en]

User:Alex Norman

2011-04-06T00:07:57Z

Alex Norman: /* Alex's Ongoing Job Duties */

To see my wiki contributions, [[:Special:Contributions/Alex Norman|click here]].

===Alex's Info===

- Past OWASP intern - Nov. 2008 - March 2009 - It was a great experience with a very skilled group!

Template:Chapter Template Tabs

2009-03-13T19:50:42Z

Alex Norman:

== OWASP {{{chaptername}}} Local Chapter ==

Welcome to the local {{{chaptername}}} chapter homepage. {{{extra}}}

<IfLanguage Is="en">== Participation ==

Local OWASP Chapter meetings are FREE and [http://www.owasp.org/index.php/About_OWASP#CODE_OF_ETHICS OPEN] to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on [https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project training] and [https://www.owasp.org/index.php/Category:OWASP_Presentations presentations] of specific [http://www.owasp.org/index.php/Category:OWASP_Project OWASP projects] and research topics and sharing SDLC knowledge. We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt template] when applicable and individual volunteerism to enable perpetual growth. As a [http://www.owasp.org/index.php/About_OWASP 501(3)c non-profit association] donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the [[Chapter Rules]]. </IfLanguage><IfLanguage Is="es">== Participación ==
Unirse a las juntas de un capítulo de OWASP es gratuito y libre para cualquiera que este interesado en la seguridad en aplicaciones. Alentamos a los miembros a dar presentaciones en temas específicos y contribuir a el capítulo local compartiendo su conocimiento con otros.</IfLanguage>[{{{mailinglistsite}}} Click here to join local chapter mailing list]

==== Local News ====
{{{paypal}}}

{{{LocalNews}}}

==== Chapter Meetings ====
'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

==== {{{chaptername}}} OWASP Chapter Leaders ====
{{{extra}}}
__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]

Amman

2009-03-13T19:50:24Z

Alex Norman:

{{Chapter Template Tabs|chaptername=Jordan|extra=The chapter leader is [mailto:mrmallouk@owasp.org Romez Mallouk]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-jordan|emailarchives=http://lists.owasp.org/pipermail/owasp-jordan|paypal=<paypal>Jordan</paypal>|
LocalNews= '''OWASP Moves to MediaWiki Portal - 11:19, 20 May 2006 (EDT)'''

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide
the latest OWASP related information. Enjoy!
}}

Amman

2009-03-13T19:49:45Z

Alex Norman:

Amman

2009-03-13T19:49:27Z

Alex Norman:

Template:Chapter Template Tabs

2009-03-13T18:41:08Z

Alex Norman: New page: == OWASP {{{chaptername}}} Local Chapter == Welcome to the local {{{chaptername}}} chapter homepage. {{{extra}}} <IfLanguage Is="en">== Participation == Local OWASP Chapter meetings ar...

== OWASP {{{chaptername}}} Local Chapter ==

Welcome to the local {{{chaptername}}} chapter homepage. {{{extra}}}

<IfLanguage Is="en">== Participation ==

Local OWASP Chapter meetings are FREE and [http://www.owasp.org/index.php/About_OWASP#CODE_OF_ETHICS OPEN] to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on [https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project training] and [https://www.owasp.org/index.php/Category:OWASP_Presentations presentations] of specific [http://www.owasp.org/index.php/Category:OWASP_Project OWASP projects] and research topics and sharing SDLC knowledge. We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt template] when applicable and individual volunteerism to enable perpetual growth. As a [http://www.owasp.org/index.php/About_OWASP 501(3)c non-profit association] donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the [[Chapter Rules]]. </IfLanguage><IfLanguage Is="es">== Participación ==
Unirse a las juntas de un capítulo de OWASP es gratuito y libre para cualquiera que este interesado en la seguridad en aplicaciones. Alentamos a los miembros a dar presentaciones en temas específicos y contribuir a el capítulo local compartiendo su conocimiento con otros.</IfLanguage>[{{{mailinglistsite}}} Click here to join local chapter mailing list]

==== Local News ====
{{{paypal}}}

==== Chapter Meetings ====
'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

==== {{{chaptername}}} OWASP Chapter Leaders ====
{{{extra}}}
__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]

Dublin

2009-03-11T21:55:25Z

Alex Norman:

{{Chapter Template|chaptername=Ireland|extra=The chapter leader is [mailto:eoin.keary@owasp.org Eoin Keary]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ireland|emailarchives=http://lists.owasp.org/pipermail/owasp-ireland}}

==== Local News ====
<paypal>Ireland</paypal>

==== Chapter Meetings ====
OWASP are holding an event in Ireland.
The venue is Trinity College, Dublin.
Date: September 10, 2009

Web Link: [[OWASP_Ireland_AppSec_2009_Conference]]

We have a host of international speakers lined up for the event such as Professor [[Ian_O._Angell]] of the London School of Economics and [[Danny_Allen]], Director of security research, IBM.

The event is split into two tracks; technical and risk mgt.

'''TBA 2009''':

'''Location: Harcourt Street, thanks to Ernst & Young. 

===Agenda===

'''Title''': '''''' 
'''With:

'''Title: ''' 
'''With:''' 

'''Title:''' 
'''With:''' 

===Time===
6:15 
===Location===
Ernst & Young, Harcourt Centre, Harcourt St, Dublin 2 
Opposite the Odeon Pub 

Drop me a mail if you have any queries: eoin.keary <at> owasp.org

==== Ireland OWASP Chapter Leaders ====
The chapter leader is [mailto:eoin.keary@owasp.org Eoin Keary]
__NOTOC__
<headertabs/>

Iran

2009-03-11T21:51:34Z

Alex Norman:

{{Chapter Template|chaptername=Iran|extra=The chapter leader is [mailto:behrang@dadehban.com Behrang Fouladi]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Iran|emailarchives=http://lists.owasp.org/pipermail/owasp-Iran}}

==== Local News ====
<paypal>Iran</paypal>

==== Chapter Meetings ====
"Software security vulnerabilities and defense" seminar presented in YAZD University by Hamid kashfi (26 June 2008). ([http://strcpy.persiangig.com/Attacking_Software.ppt download link ])

==== Iran OWASP Chapter Leaders ====
The chapter leader is [mailto:behrang@dadehban.com Behrang Fouladi]
__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]

Indianapolis

2009-03-11T21:49:27Z

Alex Norman:

{{Chapter Template|chaptername=Indianapolis, Indiana|extra=The chapter leaders are [mailto:dwoodward@geezeo.com Dave Woodward] and [mailto:carl.sampson@gmail.com Carl Sampson]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-indianapolis|emailarchives=http://lists.owasp.org/pipermail/owasp-indianapolis}}

==== Local News ====
<paypal>Indianapolis</paypal>

==== Chapter Meetings ====
'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

==== Indianapolis OWASP Chapter Leaders ====
The chapter leaders are [mailto:dwoodward@geezeo.com Dave Woodward] and [mailto:carl.sampson@gmail.com Carl Sampson]
__NOTOC__
<headertabs/>

[[Category:Indiana]]

Hyderabad

2009-03-11T21:48:05Z

Alex Norman:

{{Chapter Template|chaptername=Hyderabad|extra=The chapter leader is [mailto:kcsarath@gmail.com Sarath Kummamuru]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-hyderabad|emailarchives=http://lists.owasp.org/pipermail/owasp-hyderabad}}

==== Local News ====
<paypal>Hyderabad</paypal>

==== Chapter Meetings ====
'''OWASP Moves to MediaWiki Portal - 11:10, 20 May 2006 (EDT)'''

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide
the latest OWASP related information. Enjoy!

==== Hyderabad OWASP Chapter Leaders ====
The chapter leader is [mailto:kcsarath@gmail.com Sarath Kummamuru]
__NOTOC__
<headertabs/>

[[Category:India]]

Hungary

2009-03-11T21:46:39Z

Alex Norman:

{{Chapter Template|chaptername=Hungary|extra=The chapter leader is [mailto:trifonov@websec.hu Gergely Trifonov]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Hungary|emailarchives=http://lists.owasp.org/pipermail/owasp-Hungary}}

==== Local News ====
<paypal>Hungary</paypal>

==== Chapter Meetings ====
'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

==== Hungary OWASP Chapter Leaders ====
The chapter leader is [mailto:trifonov@websec.hu Gergely Trifonov]
__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]

Houston

2009-03-11T21:44:50Z

Alex Norman:

{{Chapter Template|chaptername=Houston|extra=The chapter leader is [mailto:owasp_at_icrew.org David Nester]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-houston|emailarchives=http://lists.owasp.org/pipermail/owasp-houston}}

==== Local News ====

The Houston Chapter will focus around Web Application Security issues with discussions on application layer vulnerabilties, penetration testing, and secure coding practices within the numerous development languages. Our chapter will meet on the second (2nd) Wednesday of each month and participation in OWASP Houston is free and open to all. Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-houston mailing list] for meeting announcements. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics. If you would like to make a presentation, or have any questions about the Houston Chapter, send an email to [mailto:owasp_at_icrew.org David Nester].

<paypal>Houston</paypal>

==== Chapter Meetings ====
== March 11, 2009 :: Web Application Security in the Airline Industry: Stealing the Airlines' Online Data ==

REGISTER NOW! Send an email to owasp at icrew.org '''What?''' In this session, attendees will learn about the types of airline data that is at risk of being stolen by online data thieves. In addition, the following topics will be further explored: 

* Important attack scenarios and Web-based vulnerabilities accompanied by examples of how these attacks can be mitigated by deploying comprehensive defense solutions;
* Protection strategies and tools, such as Web application scanners and Web application firewalls, which help equalize the gap between the advanced Web hacker and the security professional; and
* Compliance and Software development life cycle approaches. 

Following the September 11 attacks, the airline industry recognized its need to 'webify' online ticket reservation systems, crew scheduling, and passenger profiles in order to enhance operational efficiency. This ultimately served to decrease the airlines' operating costs, thereby increasing their operating profits. However, the following questions remain: At what costs? What are the information systems and customer data security risks associated with the airline 'webification' process? Additionally, attendees will discover hidden data services that the airlines utilize to 'run-the-business' and the risks associated with Web-based application attacks. 
'''Who? Quincy Jackson- CISSP, CEH''' Quincy Jackson, a CISSP and Certified Ethical Hacker, has more than 15 years of experience in the Information Technology ("IT") profession, which include 8 years in Information Security. His career in the aviation industry began with 8 years in the United States Army as an Avionics System Specialist. Quincy began to explore his passion for IT Security as Sr. Manager - Information Security for Continental Airlines. Quincy currently serves as the IT Security Manager for Universal Weather and Aviation, Inc. ("UWA"). UWA provides business aviation operators various aviation support services, including flight coordination, ground handling, fuel arrangement and coordination, online services, and weather briefings. '''When and Where?''' 5:30-6:00 Reception 6:00-7:30 Welcome, Announcements and Presentation Microsoft Campus One Briar Lake Plaza 2000 W. Sam Houston Pkwy. S. #350 Houston, TX 77042 Phone: (832) 252-4300 '''Food will be provided'''
 

== April 8, 2009 :: Vulnerability Management in an Application Security World ==

'''Vulnerability Management in an Application Security World''' The [http://www.denimgroup.com/ Denim Group] presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.
 

Registration not being taken at this time.

 

== Past Presentations ==

* '''August 19, 2008: "Dirty Dozen" - Truth and facts about PCI DSS''' [http://owasp.icrew.org/downloads/pci_dss_dirty_dozen.pdf'''Presentation Download'''] Presentation by Genady Vishnevetsky, CISSP Director, IT Operations and Security. [http://www.paymetric.com/ Paymetric, Inc] presented the Truth and facts about PCI DSS. If you haven't heard about Payment Card Industry Data Security Standard (PCI DSS), it is becoming de-facto of security standards in the industry. This presentation will cover broad range of topics on PCI Standard that would be in interest to any security professional. We will be covering many aspects and best practices that came out of PCI DSS. If you have never heard of PCI, then you will learn how it began. If you are in need of credit card processing (now or in the near future), you will learn what you need to succeed, and you will be ahead of the game. If you are a seasoned PCI professional, you will learn what is new in the last 12 months (PCI DSS 1.1, changes to SAQ, just released PA DSS. If you don't fall into any of these categories, come to listen how PCI DSS can help you in your day-to-day job to ensure that you are protected. 

* '''June 11, 2008: The OWASP Top 10''' [http://blog.microsoft-j.net/2008/06/12/ContentFromOWASPUserGroup.aspx'''Presentation Download'''] Presentation by [http://blog.microsoft-j.net/default.aspx '''J Sawyer'''], Developer Evangelist of [http://www.microsoft.com/ Microsoft] presented the OWASP Top Ten. The OWASP Top 10 provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. There are currently versions in English, French, Japanese, Korean and Turkish. A Spanish version is in the works. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code. 

* '''November 7, 2007: Black Box versus White Box: Different App Testing Strategies''' [http://owasp.icrew.org/downloads/owasp_houston_20071107.pdf'''Presentation Download'''] Presentation by [http://www.denimgroup.com/about_team_john.html John Dickson] of the [http://www.denimgroup.com/ Denim Group]. Competing approaches for application security testing have pros and cons. This presentation will look at a number of security assessment strategies-white box testing, black box testing, static analysis and dynamic analysis- discussing the benefits and drawbacks of each. 

* '''October 10, 2007 :: Top 10 Website Attack Techniques''' [http://owasp.icrew.org/downloads/owasp_houston_20071010.pdf'''Presentation Download'''] During this presentation, Jeremiah Grossman will draw upon his extensive website security experience to discuss the most creative, useful and interesting Web attack techniques discovered in 2007, focusing on the top ten. This year has been significant for website hacking, with issues ranging from Cross-Site Scripting (XSS) and Cross-Site Request Forgery, to confusion about the impact of AJAX and Javascript vulnerabilities on Web 2.0 sites. Mr. Grossman will address these issues, including debunking the myth of AJAX insecurity. 

*'''September 12, 2007: Fortify Software''' Bytecode instrumentation allows a user to inject additional code into an application’s binary. This technique has traditionally been used to measure the runtime performance and test coverage of Web applications. However, bytecode instrumentation has other promising uses, including software security. As the overall security space evolves from the outside-in approach we saw with Web Application Firewalls in the 1990s, bytecode instrumentation provides the perfect opportunity to embed security into the application itself. This talk will provide an overview of bytecode instrumentation, demonstrate how the technology works, and show some concrete ways it can be used to inject security features into an application after it has been developed. 

*'''August 8, 2007: Atrysk Security [http://atrysk.blogspot.com/2008/01/atrysk-owasp-presentation.html Presentation Download] ''' Today, hackers are manipulating Web applications inside the corporate firewall, enabling them to access and sabotage corporate and customer data as we’ve seen with very highly publicized Web hacking events in 2005 such as MySpace.com, Paris Hilton’s T-mobile phone compromise, and the perl.santy worm. Given even a tiny hole in a company’s Web application code, an experienced intruder armed with only a Web browser and a little determination can break into most Web sites. The reality is traditional Internet security is not enough because these methods do not ensure the security of your entire Web presence by checking Web application content (HTML pages, scripts, proprietary applications, cookies, and other Web servers). With the ever-increasing threat of cyber attacks, today’s Web environment has made application security an essential element in the application development lifecycle. We will explain and demonstrate with common Web attacks such as SQL Injection, Cross-Site Scripting (XSS), AJAX [in]Security and Session Hijacking why applications are increasingly at risk of malicious attack because of security defects and how easily they are exploited. 

* '''June 5, 2007 :: Web 2.0''' [http://owasp.icrew.org/downloads/owasp_houston_20070605.pdf'''Presentation Download'''] Presentation by [http://denimgroup.typepad.com/denim_group/dan_cornell/index.html Dan Cornell] of the [http://www.denimgroup.com/ Denim Group]. With the integration of new technologies into web application development, there are more security dangers than ever before to be found in the application layer. This session discusses the landscape of web application security, new technologies being used in developing web applications and web services and the implications these have on system security. Technical vulnerabilities in web applications such as SQL injection and cross-site scripting (XSS) will be discussed alongside logical, business-level issues. The evolution of these flaws will be tracked as traditional web applications have expanded to include Web 2.0, AJAX and web services capabilities. The goal of the presentation is to educate developers, project managers and quality assurance personnel about the risks inherent in developing web applications and provide meaningful recommendations for addressing those risks during the software development lifecycle. [http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project Sprajax Download]. 

==== Houston OWASP Chapter Leaders ====
The chapter leader is [mailto:owasp_at_icrew.org David Nester]
__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]
[[Category:Texas]]

Houston

2009-03-11T21:42:37Z

Alex Norman:

==== Local News ====

The Houston Chapter will focus around Web Application Security issues with discussions on application layer vulnerabilties, penetration testing, and secure coding practices within the numerous development languages. Our chapter will meet on the second (2nd) Wednesday of each month and participation in OWASP Houston is free and open to all. Please subscribe to the [http://lists.owasp.org/mailman/listinfo/owasp-houston mailing list] for meeting announcements. Our chapter's meetings are informal and encourage open discussion of all aspects of application security. Anyone in our area interested in web application security is welcome to attend. We encourage attendees to give short presentations about specific topics. If you would like to make a presentation, or have any questions about the Houston Chapter, send an email to [mailto:owasp_at_icrew.org David Nester]. 

<paypal>Houston</paypal>
 

==== Chapter Meetings ====
== March 11, 2009 :: Web Application Security in the Airline Industry: Stealing the Airlines' Online Data ==

REGISTER NOW! Send an email to owasp at icrew.org '''What?''' In this session, attendees will learn about the types of airline data that is at risk of being stolen by online data thieves. In addition, the following topics will be further explored: 

* Important attack scenarios and Web-based vulnerabilities accompanied by examples of how these attacks can be mitigated by deploying comprehensive defense solutions;
* Protection strategies and tools, such as Web application scanners and Web application firewalls, which help equalize the gap between the advanced Web hacker and the security professional; and
* Compliance and Software development life cycle approaches. 

Following the September 11 attacks, the airline industry recognized its need to 'webify' online ticket reservation systems, crew scheduling, and passenger profiles in order to enhance operational efficiency. This ultimately served to decrease the airlines' operating costs, thereby increasing their operating profits. However, the following questions remain: At what costs? What are the information systems and customer data security risks associated with the airline 'webification' process? Additionally, attendees will discover hidden data services that the airlines utilize to 'run-the-business' and the risks associated with Web-based application attacks. 
'''Who? Quincy Jackson- CISSP, CEH''' Quincy Jackson, a CISSP and Certified Ethical Hacker, has more than 15 years of experience in the Information Technology ("IT") profession, which include 8 years in Information Security. His career in the aviation industry began with 8 years in the United States Army as an Avionics System Specialist. Quincy began to explore his passion for IT Security as Sr. Manager - Information Security for Continental Airlines. Quincy currently serves as the IT Security Manager for Universal Weather and Aviation, Inc. ("UWA"). UWA provides business aviation operators various aviation support services, including flight coordination, ground handling, fuel arrangement and coordination, online services, and weather briefings. '''When and Where?''' 5:30-6:00 Reception 6:00-7:30 Welcome, Announcements and Presentation Microsoft Campus One Briar Lake Plaza 2000 W. Sam Houston Pkwy. S. #350 Houston, TX 77042 Phone: (832) 252-4300 '''Food will be provided'''
 

== April 8, 2009 :: Vulnerability Management in an Application Security World ==

'''Vulnerability Management in an Application Security World''' The [http://www.denimgroup.com/ Denim Group] presentation outlines strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management are also addressed.
 

Registration not being taken at this time.

 

== Past Presentations ==

* '''August 19, 2008: "Dirty Dozen" - Truth and facts about PCI DSS''' [http://owasp.icrew.org/downloads/pci_dss_dirty_dozen.pdf'''Presentation Download'''] Presentation by Genady Vishnevetsky, CISSP Director, IT Operations and Security. [http://www.paymetric.com/ Paymetric, Inc] presented the Truth and facts about PCI DSS. If you haven't heard about Payment Card Industry Data Security Standard (PCI DSS), it is becoming de-facto of security standards in the industry. This presentation will cover broad range of topics on PCI Standard that would be in interest to any security professional. We will be covering many aspects and best practices that came out of PCI DSS. If you have never heard of PCI, then you will learn how it began. If you are in need of credit card processing (now or in the near future), you will learn what you need to succeed, and you will be ahead of the game. If you are a seasoned PCI professional, you will learn what is new in the last 12 months (PCI DSS 1.1, changes to SAQ, just released PA DSS. If you don't fall into any of these categories, come to listen how PCI DSS can help you in your day-to-day job to ensure that you are protected. 

* '''June 11, 2008: The OWASP Top 10''' [http://blog.microsoft-j.net/2008/06/12/ContentFromOWASPUserGroup.aspx'''Presentation Download'''] Presentation by [http://blog.microsoft-j.net/default.aspx '''J Sawyer'''], Developer Evangelist of [http://www.microsoft.com/ Microsoft] presented the OWASP Top Ten. The OWASP Top 10 provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. There are currently versions in English, French, Japanese, Korean and Turkish. A Spanish version is in the works. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code. 

* '''November 7, 2007: Black Box versus White Box: Different App Testing Strategies''' [http://owasp.icrew.org/downloads/owasp_houston_20071107.pdf'''Presentation Download'''] Presentation by [http://www.denimgroup.com/about_team_john.html John Dickson] of the [http://www.denimgroup.com/ Denim Group]. Competing approaches for application security testing have pros and cons. This presentation will look at a number of security assessment strategies-white box testing, black box testing, static analysis and dynamic analysis- discussing the benefits and drawbacks of each. 

* '''October 10, 2007 :: Top 10 Website Attack Techniques''' [http://owasp.icrew.org/downloads/owasp_houston_20071010.pdf'''Presentation Download'''] During this presentation, Jeremiah Grossman will draw upon his extensive website security experience to discuss the most creative, useful and interesting Web attack techniques discovered in 2007, focusing on the top ten. This year has been significant for website hacking, with issues ranging from Cross-Site Scripting (XSS) and Cross-Site Request Forgery, to confusion about the impact of AJAX and Javascript vulnerabilities on Web 2.0 sites. Mr. Grossman will address these issues, including debunking the myth of AJAX insecurity. 

*'''September 12, 2007: Fortify Software''' Bytecode instrumentation allows a user to inject additional code into an application’s binary. This technique has traditionally been used to measure the runtime performance and test coverage of Web applications. However, bytecode instrumentation has other promising uses, including software security. As the overall security space evolves from the outside-in approach we saw with Web Application Firewalls in the 1990s, bytecode instrumentation provides the perfect opportunity to embed security into the application itself. This talk will provide an overview of bytecode instrumentation, demonstrate how the technology works, and show some concrete ways it can be used to inject security features into an application after it has been developed. 

*'''August 8, 2007: Atrysk Security [http://atrysk.blogspot.com/2008/01/atrysk-owasp-presentation.html Presentation Download] ''' Today, hackers are manipulating Web applications inside the corporate firewall, enabling them to access and sabotage corporate and customer data as we’ve seen with very highly publicized Web hacking events in 2005 such as MySpace.com, Paris Hilton’s T-mobile phone compromise, and the perl.santy worm. Given even a tiny hole in a company’s Web application code, an experienced intruder armed with only a Web browser and a little determination can break into most Web sites. The reality is traditional Internet security is not enough because these methods do not ensure the security of your entire Web presence by checking Web application content (HTML pages, scripts, proprietary applications, cookies, and other Web servers). With the ever-increasing threat of cyber attacks, today’s Web environment has made application security an essential element in the application development lifecycle. We will explain and demonstrate with common Web attacks such as SQL Injection, Cross-Site Scripting (XSS), AJAX [in]Security and Session Hijacking why applications are increasingly at risk of malicious attack because of security defects and how easily they are exploited. 

* '''June 5, 2007 :: Web 2.0''' [http://owasp.icrew.org/downloads/owasp_houston_20070605.pdf'''Presentation Download'''] Presentation by [http://denimgroup.typepad.com/denim_group/dan_cornell/index.html Dan Cornell] of the [http://www.denimgroup.com/ Denim Group]. With the integration of new technologies into web application development, there are more security dangers than ever before to be found in the application layer. This session discusses the landscape of web application security, new technologies being used in developing web applications and web services and the implications these have on system security. Technical vulnerabilities in web applications such as SQL injection and cross-site scripting (XSS) will be discussed alongside logical, business-level issues. The evolution of these flaws will be tracked as traditional web applications have expanded to include Web 2.0, AJAX and web services capabilities. The goal of the presentation is to educate developers, project managers and quality assurance personnel about the risks inherent in developing web applications and provide meaningful recommendations for addressing those risks during the software development lifecycle. [http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project Sprajax Download]. 

==== Houston OWASP Chapter Leaders ====

__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]
[[Category:Texas]]

Houston

2009-03-11T21:42:11Z

Alex Norman:

Helsinki

2009-03-11T21:37:38Z

Alex Norman:

{{Chapter Template|chaptername=Helsinki|extra=The chapter leader is [mailto:antti@owasp.org Antti Laulajainen]
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-helsinki|emailarchives=http://lists.owasp.org/pipermail/owasp-helsinki}}

==== Local News ====
<paypal>Helsinki</paypal>

'''Welcome to the OWASP Helsinki Chapter'''

The plan is to meet at least three to four times a year, each lasting 1,5-3 hours (more active "hands" means more meetings). This chapter is based in the capital area and therefore the meetings will be in or around Helsinki.

If you wish to present at one of the meetings or have any other inquiries, please contact the chapter leader.

==== Chapter Meetings ====

Currently OWASP Helsinki is working on the following tasks:
*[[Top 10 2007 Finnish]] aim to translate OWASP Top 10 list in Finnish

== OWASP Helsinki Chapter Meeting #9: April May 2009 ==

TBA

== OWASP OWASP Goes! Viestimuseo: March 29 2009 ==
'''Location: Varuskunta, Takakasarmi, Viestimuseontie rak. 64, 11311 Riihimäki '''

'''Time: 13:00-15:00'''

Viestimuseossa Riihimäellä, http://www.viestikiltojenliitto.fi/viestimuseo/ on maaliskuun loppuun WWII radiotiedustelua esittelevä erikoisnäyttely, josta voi löytyä ammennettavaa myös tämän päivän tietoturvatekniikoiden parissa työskenteleville. Koska OWASP:in tiimoilta löytyi kiinnostusta lähteä tutustumaan ko. näyttelyyn, museolle on varattu opastettu kierros maaliskuun viimeiselle sunnuntaille su 29.3.2009 klo 13:00 eli kokoontuminen museolla ko. aikaan.

Museo ja näyttely ovat auki myös muina aikoina, joten jos tämä aika ei käy, paikalla voi toki käydä muulloinkin.

Tarkemmat ajo-ohjeet ja yhteystiedot löytyvät museon kotisivuilta, http://www.viestikiltojenliitto.fi/viestimuseo/yhteystiedot.html

Museo sijaitsee Viestirykmentin vieressä, mutta varsinaisen varuskunta-alueen ulkopuolella, joten museokäynti ei vaadi kulkulupia alueelle.

Paikalle innostuvat hoitavat oman logistiikkaratkaisunsa & sisäänpääsymaksunsa.

Lisätietoja tarvittaessa timo.merilainen (ät) iki.fi

== OWASP Helsinki Chapter Meeting #8: March 12 2009 ==

'''Location: Samlink, Linnoitustie 9, Espoo (Leppävaara)'''

'''Time: 17:00-19:00'''

'''Schedule''' 

'''17:00 OWASP latest activities Antti Laulajainen, OWASP Helsinki Chapter Leader'''

'''17:15 Introduction to Samlink, Jari Pirhonen, security director, Samlink

'''17:30 Methodology owner’s point of view: Information security as part of software development methodology, Topi Mattila, methodology manager, Samlink'''

'''18:15 Presentation from Finnish Tax Administration", Petri Puhakainen, security director, Finnish Tax Administration'''

'''19:00 or so'''

* Enjoy local establishments at own risk & cost at Sello

'''Please register with Jari Pirhonen jari.pirhonen##samlink.fi'''

== OWASP Introduction to startup firms: Thursday January 15th 2009 ==
'''Location: Ravintola Korjaamo, Töölönkatu 51, 00250 Helsinki'''

'''Time: 18:00-20:00'''

'''Schedule''' 

'''18:00 Introduction to OWASP by Henri Lindberg, OWASP Helsinki Active Visitor'''
* What OWASP is
* Examples of useful Tools and Documents
* OWASP in Finland
Presentation: [[Image:OWASP_Startups_20090115_Henri.pdf]]

(Antti Laulajainen, OWASP Helsinki Chapter Leader was originally supposed to introduce OWASP)

'''18:15 Implementing application security in a Finnish startup by Henri Lindberg, Scred'''
* Henri Lindberg from Scred shares experiences and lessons learned
* How to make your web application more secure with minimal budget
Presentation: [[Image:SDG_Scred_090115.pdf]]

'''18:30 or so'''

* Enjoy local establishments at own risk & cost

== OWASP Helsinki Meeting #7: Tuesday November 11th 2008 ==

'''Location: Nokia Ruoholahti, Itämerenkatu 11-13, 00180 Helsinki'''

'''Time: 17:00-18:30'''

'''Schedule''' 

'''17:00 Welcome by Antti Laulajainen, OWASP Chapter Leader'''

*Current state and progress of OWASP Top 10 Finnish translation

'''17:20 Antti Vähä-Sipilä, Nokia: SAFECode'''

*Introduction and overview of SAFECode (The Software Assurance Forum for Excellence in Code)
*SAFECode publications

'''17:40 Juhani Eronen, CERT-FI: Lifecycle of a security vulnerability'''

*Microsoft MS08-067 (Vulnerability in Server Service Could Allow Remote Code Execution), its history (MS06-040) and exploitation.

'''Discussion'''

'''18:30 or so'''

* Enjoy local establishments at own risk & cost [cerveza, aqua con gas, etc]

''' PLEASE REGISTER WITH: mikko . saario at nokia . com (we have reserved snacks for 25 people)'''

== OWASP Helsinki Web Hacking Workshop, Tuesday September 10th 2008 ==

'''Location: Teleware / KPMG, Laajalahdentie 23, 6. floor, reception at the ground floor, 00330 Helsinki'''

'''Time: 18.00 - 20.00'''

'''Schedule'''

'''18.00 Welcome and recent activities. Antti Laulajainen '''

'''18.05 Web Hacking Workshop, Anssi Porttikivi, Senior ICT Advisor KPMG/Teleware'''

*KPMG Oy IT Security Advisory marketing presentation 15 min
*Web hacking exercises and demonstrations in a laboratory class (using WebGoat and WebScarab tools)

'''Snacks available. Send your reservations to Anssi's mail address, anssi.porttikivi@kpmg.fi. Room for 20 participants.'''

'''Note! Be in time, because the reception closes at 18.'''

== OWASP Goes! CERT-FI, Thursday, June 12th 2008 ==

'''Location: Viestintävirasto, Itämerenkatu 3 A, 00180 Helsinki and One Pint Pub Santakatu 2, 00180 Helsinki'''

'''Time: 16.00 - 20.00'''

'''Schedule'''

'''16.00 Welcome and recent activities. Antti Laulajainen '''

'''16.10 Introduction of CERT-FI. Juhani Eronen, Information Security Adviser, CERT-FI'''

'''16.30 Vulnerability coordination. Juhani Eronen'''
* CERT-FI as a vulnerability coordinator
* Coordination examples

'''18.00 Possibility to continue the evening at the One Pint Pub'''
* If someone fancies a (self-financed) beer

'''Viestintävirasto asks those who wish to participate to the meeting to register in advance. For registrations please contact CERT-FI Unit Secretary Virpi Hienonen (virpi.hienonen(at)ficora.fi). The deadline is June 6, 2008.'''

== OWASP Helsinki Chapter meeting/Get Together #6 Tuesday, May 13th 2008 ==

Thank you for attending.

You can download the presentation here''' https://www.owasp.org/images/7/70/OWASP_HelsinkiChapter_130508.pdf

Coverage of the event in local news (Finnish only) http://mikropc.net/uutiset/index.jsp?categoryId=atk&day=20080514#w2008051411524012715

'''Location: Ixonos, Hitsaajankatu 20, 00810 Helsinki and Ravintola Kaisla, Vilhonkatu 4, 00100 Helsinki'''

'''Time: 16.00 - 20.00'''

Welcome to spring meeting 2008.

'''Schedule'''

'''16.00 - 16.10 OWASP update. Antti Laulajainen'''

'''16.10-17.00 Notes From The field, OWASP tools and usage experiences, Jarkko Holappa & Antti Laulajainen'''

'''17.30 - 20.00 Drinks at Ravintola Kaisla (Bring Your Own Wallet)'''

Hope to see as many of you as possible!

== OWASP Helsinki Chapter meeting #5 Tuesday, March 11th 2008 ==
'''Location: Ixonos, Hitsaajankatu 20, 00810 Helsinki.'''

'''Time: 18.30 - 20.30'''

Welcome to first meeting of 2008. OWASP Helsinki resumes activities after winter break.

We are pleased to have as a speaker Technology Manager of Nokia Product Security, Alexandr Seleznyov. His topic will be current state of application security.

'''Schedule'''

'''18.30 - 18.40 OWASP update. Antti Laulajainen'''

'''18.40 - 20.30 Current State of Application Security. Alexandr Seleznyov'''

Hope to see as many of you as possible!

== OWASP Helsinki & RWSUG Seminar Tuesday, January 29th 2008 ==
'''Location: IBM, Laajalahdentie 23, 00330 Helsinki.'''
'''Time: 11.15 - 19.00'''

OWASP Helsinki and Rational and Websphere User Group Finland RWSUG are aiming to co-operate to raise application security awareness. OWASP Helsinki will have a presentation in RWSUG agility seminar. More information from http://www.rwsug.fi/default.asp?path=1,39,385

'''You can download the presentation here''' https://www.owasp.org/images/c/cd/RWSUG5_Agile_Security_Management.pdf

See program below. Most of it is Finnish only
*11.15 Ilmoittautuminen alkaa
*11.15-12.00 Buffet-lounas
*12.00-12.10 Tilaisuuden avaus Jussi Jutila, Puheenjohtaja, RWSUG ry

KEYNOTE

*12.10-13.30 Scaling Agile Software Development: Strategies for Applying Agile in Complex Situations Scott W. Ambler, Practice Leader Agile Development, IBM Canada
*13.30-13.45 Kahvitauko
*13.45-15.30 SOA liiketoiminnan näkökulmasta ja SOA toteutuksen näkökulmasta kansainvälisessa hankkeessa Kari Laine, IT Architect, IF ja Jarmo Laine, Senior Software Architect,Primasoft
*15.30-15.45 Tauko
*15.45-16.30 Ketterä tietoturvan hallinta ohjelmistotuotannossa Reijo Savola, VTT
*16.30-17.15 Jazz Update IBM
*17.15-19.00 Iltapalaa ja verkostoitumista IBM Forumissa
 

== OWASP Helsinki Introduction to ISACA Finland Thursday January 24th 2008 ==
OWASP Helsinki participated in ISACA Finland meeting to raise application security awareness among system auditors and inspectors.
 A presentation was held that introduced basic web techniques, some security issues, OWASP in general, OWASP projects and OWASP Helsinki chapter.
 
'''You can download the presentation here''': https://www.owasp.org/images/e/e4/OWASP_ISACA_20080124.pdf (Finnish Only)
 

== OWASP Helsinki meeting #4 Fall 2007 with Mark Curphey, Tuesday, October 2 2007 ==
'''Location: Ixonos, Hitsaajankatu 20, 00810 Helsinki.'''

Thank you for all participants and Mark from great presentation.

Coverage of the meeting in the local news (in Finnish):
http://mikropc.net/uutiset/index.jsp?categoryId=atk&day=20071003#w2007100315112711629

We are delighted to have Mark Curphey - the OWASP founder and new head of Microsoft's ACE (Application Consulting & Engineering) team in Europe - to visit Finland and discuss web app security with us. Hopefully as many as of you possible can participate!

'''18:30 Welcome and recent Helsinki chapter activities. Antti Laulajainen'''

'''18:40 Naked Software Security. Mark Curphey'''
*Commentary on how to build secure software
*Thoughts on the industry

'''WELCOME!'''

== OWASP Helsinki meeting #3 Summer 2007: "SOA, Web Services & XML Security", Tuesday, June 5th 2007 ==

Date: June 5th

Location: Smilehouse, Itälahdenkatu 22A (Stonesoft building), Lauttasaari.

Coverage of the meeting in the local news (in Finnish): http://www.tietoviikko.fi/tietoturva_docview.jsp?f_id=1186167

'''19:00 Welcome & quick recap of recent OWASP activity and the Spring conference. Mikko Saario.'''

'''19:15 Gunnar Peterson, CTO Arctec Group and project lead for the OWASP "XML Security Gateway Evaluation Criteria".'''

Gunnar will be visiting Finland to provide training via Tietoturva ry on this subject. Topics to be covered:
* XML Security Gateways
* Message level threats and security countermeasures in Web services
* OWASP XML Security Gateway Evaluation Criteria Project

'''20:15 "Real-life usage of OWASP tools". Alexandr Seleznyov, Nokia Product Security.'''

(There is a chance Alex cannot make it. In that case we will discuss SOA stuff in more detail or just head off to bar earlier.)

'''20:45 Enter Bar 52...'''
--> Enjoy (sponsored) beverages.

== OWASP Helsinki meeting #2 Winter 2007, Web Application Firewalls, Thursday, February 22 2007 ==

Thank you for the 29 participants, the speakers and the host - Nixu - for making this event happen!

'''Location: Nixu, Mäkelänkatu 91, 00601 Helsinki.'''

What are Web Application Firewalls (WAF), how do they work, what do they do and what don't they do. Discussion and sharing of experiences of various technologies and products.

'''18.30 Welcome. Mikko Saario, Chapter Leader.'''

Today's topic and agenda in short.

'''18.35 "Web Application Firewalls Technical Analysis". Joakim Sandström, CTO nSense.'''

http://www.owasp.org/images/6/6a/Owasp_waf_joakim.pdf

- Technology

- Blacklisting & Whitelisting

- mod_security features

- Do's and Don'ts

'''19.30 "The Core Rule Sets". Ofer Shezaf, CTO Breach Security.'''

http://www.owasp.org/images/f/f4/The_Core_Rule_Set_-_Ofer.pdf

- WAF deployment and protection strategies

- Detection of generic web layer attacks

- Virtual patching

== OWASP Helsinki meeting #1, Tuesday, Dec 12 2006 at Ernst & Young ==

The Helsinki chapter had the first meeting at Ernst & Young office in Elielinaukio 5 B. The agenda and the presentations for the meeting are below. We had a good turnout: 22 people were present i.e. all seats were taken - we were very happy to see all these people to be interested in application security issues.

Coverage of the meeting in the local news (in Finnish): http://www.tietoviikko.fi/doc.do?f_id=1083463

'''18:30 Welcome. What is OWASP and why OWASP Helsinki?'''

Mikko Saario made a short presentation about OWASP and the objective for the local Helsinki chapter.

'''19:00 Analyzing Threats (Olli Wiren; olli [at] juurihoito.org)'''

Olli Wiren discussed application related threats and corresponding security issues.

http://www.owasp.org/images/7/7c/Owasp-olli.pdf

'''19:45 Open discussion regarding OWASP Helsinki; what is expected or wished; how to go ahead and so forth.'''

There was a lively discussion regarding what type of activities should be arranged in the future. More details will follow...

==== Helsinki OWASP Chapter Leaders ====
The chapter leader is [mailto:antti@owasp.org Antti Laulajainen]
__NOTOC__
<headertabs/>

Hawaii

2009-03-11T21:33:22Z

Alex Norman:

{{Chapter Template|chaptername=hawaii|extra=The chapter Big Kahuna's are [mailto:gimmesomebeach@gmail.com David Graham] and [mailto:jim.manico@aspectsecurity.com Jim Manico].|mailinglistsite=https://lists.owasp.org/mailman/listinfo/owasp-hawaii/listinfo/owasp-hawaii|emailarchives=http://lists.owasp.org/pipermail/owasp-hawaii}}

==== Local News ====
<paypal>Hawaii</paypal>

==== Chapter Meetings ====
'''Chapter Meetings Virtual via Teleconference'''
'''When: TDB'''
'''Dial In #: (213) 985-1930 (or Skype jmanico)'''

==== Hawaii OWASP Chapter Leaders ====
The chapter Big Kahuna's are [mailto:gimmesomebeach@gmail.com David Graham] and [mailto:jim.manico@aspectsecurity.com Jim Manico]
__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]

[[Category:Hawaii]]

Eugene

2009-03-11T21:28:44Z

Alex Norman:

{| style="width: 80%; margin: 0 auto; border-collapse: collapse; background: #FBFBFB; border: 1px solid #aaa; border-left: 10px solid #000066;"
|-
| style="padding: 0.25em 0.25em;" align="center" valign="center" | '''Next Meeting'''
| style="padding: 0.25em 2em;" | Wednesday, March 26, 6:00pm-8:00pm Symantec, Vista Room See [[#Next_Meeting|below]] for more information.
|}

{{Chapter Template|chaptername=Eugene, Oregon|extra=The chapter leader is [[User:Kkenan|Kevin Kenan]]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-eugene|emailarchives=http://lists.owasp.org/pipermail/owasp-eugene}}

==== Local News ====
<paypal>Eugene</paypal>

To join the Eugene Chapter, simply sign-up for the mailing list at:

https://lists.owasp.org/mailman/listinfo/owasp-eugene

==== Chapter Meetings ====

6:00pm-8:00pm Wednesday, March 26 
Symantec, Vista Room 
555 International Way 
Springfield, OR 
[http://maps.google.com/maps?f=q&hl=en&geocode=&q=555+International+Way&sll=44.04988,-123.08892&sspn=0.29907,0.482712&ie=UTF8&ll=44.086599,-123.036243&spn=0.037361,0.060339&z=14 Google Maps] 

Defending Against Cross-Site Scripting 
Kevin Kenan, K2 Digital Defense

Cross-site scripting, a.k.a. XSS, leads the OWASP top ten and is perhaps
the most common vulnerability found on web sites today. It is a key
component of many phishing attacks and can allow an attacker to hijack
user sessions. This talk will demonstrate the different types of
cross-site scripting, explore how to find XSS vulnerabilities, and
discuss how to protect your site.

This meeting is free and open to all so please forward this message to your
colleagues who are interested in application security. You can read more
about OWASP at:

http://www.owasp.org

==== Eugene OWASP Chapter Leaders ====
The chapter leader is [[User:Kkenan|Kevin Kenan]]
__NOTOC__
<headertabs/>

[[Category:Oregon]]

Cairo

2009-03-11T21:25:35Z

Alex Norman:

{{Chapter Template|chaptername=Egypt|extra=The chapter leader is [mailto:Omar.Sherin@infosec2.com Omar Sherin]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-egypt|emailarchives=http://lists.owasp.org/pipermail/owasp-egypt}}

==== Local News ====
<paypal>Egypt</paypal>

==== Chapter Meetings ====
'''OWASP-Egypt Holds a Presentation in Qatar'''

Doha,Qatar 24th of February 2008 , OWASP-Egypt participated in a web security awareness session held in Qatar Sponsored by the country's national CERT team.

the delegates were briefed on OWASP and its objectives, the role OWASP-Egypt chapter is playing in promoting web security best practices in the local IT community and our personal experience on how Qatar can start its very own OWASP chapter.

With the amount of enthusiasm we felt we are expecting a new chapter in the region very soon !

==== Egypt OWASP Chapter Leaders ====
The chapter leader is [mailto:Omar.Sherin@infosec2.com Omar Sherin]
__NOTOC__
<headertabs/>

Edmonton

2009-03-11T21:23:08Z

Alex Norman:

{{Chapter Template|chaptername=Edmonton|extra=The chapter leader is [mailto:robert.martin@shunda.com Robert Martin]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-edmonton|emailarchives=http://lists.owasp.org/pipermail/owasp-edmonton}}
==== Local News ====
<paypal>Edmonton</paypal>

==== Chapter Meetings ====
Our chapter's next meeting will take place Tuesday, April 10, 2007 at 6:00 PM at the Telus Plaza North Tower. Please meet us in the building's lobby before 6:00 so that we can escort you to the boardroom. The meeting will be over by 7:15. This [http://maps.google.ca/maps?f=q&hl=en&q=10025+Jasper+Ave+NW,+Edmonton,+AB&ie=UTF8&z=17&ll=53.54097,-113.491248&spn=0.004578,0.010493&t=h&om=1 map] guides you to Telus Plaza North.

The April topic will be "Using OWASP WSFuzzer for Web Service Penetration Testing", by Mark Gordon.

You don't need to bring an understanding of web services to the talk. After a 5-minute introduction to the basics of web services you will know plenty of new buzzwords, enough to impress your friends and befuddle your enemies. After the intro Mark will demonstrate several concrete examples of how [http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project WSFuzzer] helps automate testing web services for vulnerabilities. If time permits we can also discuss other details of web services such as using Akamai for better performance and the acronym soup that is the world of [http://en.wikipedia.org/wiki/Service-oriented_architecture SOA].

Previous meetings covered:
* OWASP's Top Ten Project
* OWASP's WebGoat insecure web application
* Cross Site Scripting Attacks (Yegor's [http://www.owasp.org/images/5/5e/XssYegorJbanov.pdf slideshow])
* Pub Night(!); discussed strategies for secure use of personal web applications
* "Building Defensible Web App Architectures", by Jason Meltzer of Strange Research

==== Edmonton OWASP Chapter Leaders ====
The chapter leader is [mailto:robert.martin@shunda.com Robert Martin]
__NOTOC__
<headertabs/>
[[Category:Canada]]

Denver

2009-03-11T21:20:16Z

Alex Norman:

{{Chapter Template|chaptername=Denver|extra=Chapter leaders are [mailto:eduprey@gmail.com Eric Duprey] and [mailto:dcampbell@owasp.org David Campbell]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}

==== Local News ====
<paypal>Denver</paypal>
<hr>
== SnowFROC 2009 Survey ==
Thanks to everybody who made SnowFROC 2009 a standing room only success!!

If you attended the event, please take a few moments to complete this (very) short survey here:
[http://www.surveymonkey.com/s.aspx?sm=SROlU_2f1S8SEtA9SR8o5uKw_3d_3d SnowFROC 2009 Survey]

==Questions, Comments==
Questions can be directed to
*David Campbell, Denver OWASP: dcampbell 'at' owasp.org
*Eric Duprey, Denver OWASP: eduprey 'at' exploits.org

== Mailing List ==
Join the [http://lists.owasp.org/mailman/listinfo/owasp-denver OWASP Denver Mailing List] to receive meeting notifications via email

==== Chapter Meetings ====

We are still recovering from [[Front_Range_OWASP_Conference_2009|SnowFROC]], and trying to get all the presentations and videos from the conference online. However, there has been talk about doing a hands-on session on Man in the Middle (MITM) attacks at an all new (beer friendly) location in April. Watch this space for details.

== Future Meetings ==
=== TBD ===

==[[Related_Organizations|Local Organizations of Interest]]==

== Past Meetings ==

[[Front_Range_OWASP_Conference_2009|March 2009: Front Range OWASP Conference (SnowFROC)]]

[[Denver January 2009 meeting|January 2009: David Campbell & Eric Duprey: Guided Tour: AppSec NYC '08 CTF]]

[[Denver October 2008 meeting|October 2008: Alex Smolen: The OWASP ASP .NET ESAPI]]

[[Denver September 2008 meeting|September 2008: John Dickson: Black Box vs. White Box: Different App Testing Strategies]]

[[Denver August 2008 meeting|August 2008: Dan Cornell: Static Analysis]]

[[Denver July 2008 meeting|July 2008: David Byrne & Eric Duprey: Grendel-Scan]]

[[Front Range OWASP Conference|June 2008: Front Range OWASP Conference: Jeremiah Grossman, Robert Hansen, and more!]]

[[Denver May 2008 meeting|May 2008: David Campbell & Eric Duprey: XSS Attacks & Defenses]]

[[Denver April 2008 meeting|April 2008: Ryan Barnett: Virtual Patching with ModSecurity]]

[[Denver February 2008 meeting|February 2008: Michael Sutton: SQL Injection Revisited]]

[[Denver June 2007 meeting|June 2007]]

[[Denver April 2007 meeting|April 2007]]

[[Denver February 2007 meeting|February 2007]]

[[Denver January 2007 meeting|January 2007]]

[[Denver November 2006 meeting|November 2006]]

==== Denver OWASP Chapter Leaders ====
*David Campbell, Denver OWASP: dcampbell 'at' owasp.org
*Eric Duprey, Denver OWASP: eduprey 'at' exploits.org
==Chapter Management Links==
[[Pizza|Best pizza in Centennial]]
__NOTOC__
<headertabs/>
[[Category:Colorado]]

Archived Page for Delhi Chapter

2009-03-11T19:39:20Z

Alex Norman:

{{Chapter Template|chaptername=Delhi|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-delhi|emailarchives=http://lists.owasp.org/pipermail/owasp-delhi}} 
==== Local News ====
<paypal>Delhi</paypal>

== Chapter Sponsors ==
Sponsor OWASP Delhi Chapter to help us organize open and free monthly meetings. For more information, contact board of directors.

== Chapter Mailing Address ==

OWASP Delhi Chapter 
H-110, First Floor, 
Sector-63, Noida (National Capital Region), India

==== Chapter Meetings ====
OWASP Delhi Chapter call for Papers (CFP) is OPEN ~ to submit educational topic for an upcoming local meeting please submit your bio and talk abstract via email to one of the [https://www.owasp.org/index.php/Delhi#New_Delhi_OWASP_Board_Members OWASP Delhi Board Members]. When accepted, it will be required to use the following powerpoint [http://www.owasp.org/images/5/54/Presentation_template.ppt Template].

== OWASP Delhi Meeting January 2009 ==
[https://www.owasp.org/index.php/OWASP_Delhi_January_Meeting_2009 Click here for meeting details]

== Event Archives ==
*[https://www.owasp.org/index.php/OWASP_Delhi_Meeting_November_29th_2008 OWASP Delhi Meeting - November 29th 2008]
*[http://www.owasp.org/index.php/OWASP_Delhi_Meeting_October_18th_2008 OWASP Delhi Meeting - October 18th 2008]
*[http://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008_-_August_20th_and_21st_2008 OWASP AppSec India Conference 2008 - August 20th and 21st 2008]

==== Delhi OWASP Chapter Leaders ====
== Chapter Founders ==
<ul>
*Founder & Director - [mailto:dhruv.soi(at)owasp.org Dhruv Soi] +91-987-115-0021
*Co-Founder & Director - [mailto:puneet.mehta(at)owasp.org Puneet Mehta] +91-991-014-0437
</ul>

== Communication Committee ==
'''Committee Lead''' - [mailto:saurabh.rai@torridnet.com Saurabh Rai] +91-981-019-2557

== Events Committee ==
'''Committee Lead''' - [mailto:nitins@cybermedia.co.in Nitin Saxena] +91-981-167-5559
__NOTOC__
<headertabs/>
[[Category:India]]

Dallas

2009-03-11T19:32:30Z

Alex Norman:

{{Chapter Template|chaptername=Dallas|extra=The chapter leader is [mailto:jdsmith@owasp.org JD Smith ]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}
==== Local News ====
<paypal>Dallas Chapter</paypal>

==== Chapter Meetings ====
Dallas OWASP Chapter: February 2009 Meeting

Topic: "Vulnerability Management in an Application Security World."

Presenter: Dan Cornell, Principal, Denim Group

Date: February 25, 2009 11:30am – 1:30pm

Location:
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602
Doors open at 11:00 am.

Abstract:

Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.

Presenter Bio:

Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications.

Please RSVP: OWASP.DFW.RSVP@denimgroup.com

[[Dallas_OWASP_Flyer.pdf‎]]

==== Dallas OWASP Chapter Leaders ====
The chapter leader is [mailto:jdsmith@owasp.org JD Smith ]
__NOTOC__
<headertabs/>

Curitiba

2009-03-11T19:29:43Z

Alex Norman:

{{Chapter Template|chaptername=Curitiba|extra=The chapter leader is [mailto:eduardo.neves@owasp.org Eduardo Neves]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Curitiba|emailarchives=http://lists.owasp.org/pipermail/owasp-Curitiba}}
==== Local News ====
<paypal>Curitiba</paypal>

==== Chapter Meetings ====
'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

==== Curitiba OWASP Chapter Leaders ====
The chapter leader is [mailto:eduardo.neves@owasp.org Eduardo Neves]
__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]

Croatia

2009-03-11T19:28:37Z

Alex Norman:

{{Chapter Template|chaptername=Croatia|extra=The chapter leader is [mailto:kost@linux.hr Vlatko Kosturjak]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Croatia|emailarchives=http://lists.owasp.org/pipermail/owasp-croatia/}}
==== Local News ====
<paypal>Croatia</paypal>

Welcome. We're just starting organizing things here. You're invited to subscribe to the mailing list for up2date news and also if you want help in
organizing local chapter. Everyone is welcome to join us at our chapter meetings.

==== Chapter Meetings ====
'''Regular Meeting Location''': CARNet CERT, Ulica Josipa Marohnića 5, 10000 Zagreb, Hrvatska

'''Next meeting''': 23th of January, 2009 at Barcamp Zagreb, FER, Unska 3, 10000 Zagreb

==== Croatia OWASP Chapter Leaders ====
The chapter leader is [mailto:kost@linux.hr Vlatko Kosturjak]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]

Columbus

2009-03-11T19:27:11Z

Alex Norman:

{{Chapter Template|chaptername=Columbus, OH|extra=The chapter leaders are [mailto:owasp(at)hayesdf.com Chris Hayes] and Greg Green. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-columbus|emailarchives=http://lists.owasp.org/pipermail/owasp-columbus}}
==== Local News ====
<paypal>Columbus</paypal>

'''– REMINDER – Next chapter meeting - Wednesday 3/18/2009; details on Chapter Meetings tab'''
We are still seeking one or two more board members and to get the local community involved by publicizing the chapter. We are currently planning activities for early 2009; at least one chapter meeting per quarter - more if interest warrants.

To submit educational topics for upcoming meetings, please submit your powerpoint using the
[http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template] and include a speaker BIO. Any inquiries regarding chapter or meeting sponsors can be directed to [mailto:owasp(at)hayesdf.com Chris Hayes]. Please begin the subject header with: [OWASP COLUMBUS].

Thank you!

==== Chapter Meetings ====
== 2009 Q1 Meeting ==

'''When:''' March 18th, 2009, 11:00 AM - 1:00 PM, Doors open at 10:30 AM; ** Refreshments Provided **

''' *** Please RSVP to owasp@hayesdf.com as soon as possible. We will provide detailed meeting logistics in the coming days! *** '''

'''Where:''' 215 N. Front St, Columbus, OH 43215 (corner of N. Front and W. Spring);2nd Floor, Room 2C. Please ensure you have a photo ID available for security purposes. http://maps.google.com/maps?f=q&hl=en&geocode=&q=215+N.+Front+Street,+Columbus,+OH&sll=37.0625,-95.677068&sspn=58.731174,113.203125&ie=UTF8&layer=x&ll=39.96903,-83.005207&spn=0.007038,0.013819&z=16

'''Parking:''' We recommend parking at the Front St. Garage.

'''General Session Topic:''' Web Service Security

'''Additional Meeting Topics:'''

1. OWASP Individual and Corporate Membership

'''Who:''' Speakers:

Greg Green, CISSP, Enterprise Security Architecture, Nationwide Insurance

Jeff Bonifant, CISSP, Enterprise Information Risk Management, Nationwide Insurance

''' ** Please RSVP to owasp@hayesdf.com as soon as possible. ** '''

==== Columbus OWASP Chapter Leaders ====
The chapter leaders are [mailto:owasp(at)hayesdf.com Chris Hayes] and Greg Green.
__NOTOC__
<headertabs/>
[[Category:Ohio]]

Colombia

2009-03-11T19:24:13Z

Alex Norman:

{{Chapter Template|chaptername=Colombia|extra=The chapter leader is [mailto:luis.londono@360sec.com Luis Enrique Londono]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-colombia|emailarchives=http://lists.owasp.org/pipermail/owasp-colombia}}
==== Local News ====
<paypal>Colombia</paypal>

==== Chapter Meetings ====
'''OWASP Moves to MediaWiki Portal - 10:56, 20 May 2006 (EDT)'''

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide
the latest OWASP related information. Enjoy!

==== Colombia OWASP Chapter Leaders ====
The chapter leader is [mailto:luis.londono@360sec.com Luis Enrique Londono]
__NOTOC__
<headertabs/>

Cleveland

2009-03-11T19:23:04Z

Alex Norman:

{{Chapter Template|chaptername=Cleveland|extra=The chapter leader is [mailto:kstasiak@securestate.com Ken Stasiak]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-cleveland|emailarchives=http://lists.owasp.org/pipermail/owasp-cleveland}}

==== Local News ====
<paypal>Cleveland</paypal>

==== Chapter Meetings ====

OWASP chapter meetings are free and open. Anybody interested in web application security is welcome. We encourage attendees to give presentations on specific topics, however please review [[Chapter Rules]].

To join the chapter mailing list, please visit our [http://lists.owasp.org/mailman/listinfo/owasp-cleveland mailing list] homepage. The list is used to discuss the meetings and to arrange meeting locations. Please check the mailing list before coming to a meeting to confirm the location and time and to catch any last minute notes.

Our chapter is sponsored by [http://www.securestate.com/ SecureState].

'''Meeting Postponed'''

==== Cleveland OWASP Chapter Leaders ====
The chapter leader is [mailto:kstasiak@securestate.com Ken Stasiak]
__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]
[[Category:Ohio]]

Chile

2009-03-11T19:16:20Z

Alex Norman:

{{Chapter Template|chaptername=Chile|extra=The chapter leader is [mailto:csoto@neosecure.cl Cristobal Soto Y]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-chile|emailarchives=http://lists.owasp.org/pipermail/owasp-chile}}
==== Local News ====
<paypal>Chile</paypal>

==== Chapter Meetings ====
'''OWASP Moves to MediaWiki Portal - 10:54, 20 May 2006 (EDT)'''

OWASP is pleased to announce the arrival of OWASP 2.0!

OWASP 2.0 utilizes the MediaWiki portal to manage and provide
the latest OWASP related information. Enjoy!

==== Chile OWASP Chapter Leaders ====
The chapter leader is [mailto:csoto@neosecure.cl Cristobal Soto Y]
__NOTOC__
<headertabs/>

Chicago

2009-03-11T19:14:32Z

Alex Norman:

{{Chapter Template|chaptername=Chicago|extra=The chapter leaders are [mailto:cory@crazypenguin.com Cory Scott] or [mailto:jason@wittys.com Jason Witty]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-chicago|emailarchives=http://lists.owasp.org/pipermail/owasp-chicago}}

==== Local News ====

<paypal>Chicago</paypal>

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:cory@crazypenguin.com Cory Scott] or [mailto:jason@wittys.com Jason Witty.]

The Chicago chapter is sponsored by Bank of America[http://www.bankofamerica.com/]

==== Chapter Meetings ====

The next quarterly Chicago OWASP Chapter meeting will be November 13th at the Bank of America Plaza, 540 W Madison Street at 6pm. Please RSVP to jason@wittys.com by November 12th so we can enter your name into the building's security system.

===Agenda===

6:00 Refreshments and Networking / Overview of recent OWASP projects - Cory Scott

6:15 Concurrency Attacks in Web Applications - Scott Stender, iSEC Partners

7:15 The Seven Deadly Features of Web Applications - Matasano Security

===Presentation abstracts===

''Concurrency Attacks in Web Applications''

ABSTRACT

Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes. However, these attributes often encourage programming practices that make managing state difficult for a typical programmer.

Web application developers must carefully manage access to all resources that can shared by threads. Global variables, session variables, back-end systems, and application-specific data stores are common examples of such resources.

Concurrency flaws result when access to shared resources is not managed properly - something that is easy to do when the development environment purposefully encapsulates and abstracts the resources that need to be managed! When manipulating those resources carries a security impact, the attackers take notice.

Each prevalent class of security flaw shares a common attribute: mistakes happen when doing the right thing is difficult. It is our opinion that concurrency flaws, especially in the context of web applications, share this attribute. This presentation will provide insight into the ease with which concurrency flaws can be introduced into systems, offer guidance on evaluating the security impact of such flaws, and discuss strategies for eliminating such flaws that will be helpful to developers and testers alike.

SPEAKER BIO

Scott Stender
Principal Partner, iSEC Partners

Scott Stender is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

==== Chicago OWASP Chapter Leaders ====
[mailto:cory@crazypenguin.com Cory Scott]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2009-03-11T19:12:50Z

Alex Norman:

==== Local News ====

<paypal>Chicago</paypal>

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:cory@crazypenguin.com Cory Scott] or [mailto:jason@wittys.com Jason Witty.]

The Chicago chapter is sponsored by Bank of America[http://www.bankofamerica.com/]

==== Chapter Meetings ====

The next quarterly Chicago OWASP Chapter meeting will be November 13th at the Bank of America Plaza, 540 W Madison Street at 6pm. Please RSVP to jason@wittys.com by November 12th so we can enter your name into the building's security system.

===Agenda===

6:00 Refreshments and Networking / Overview of recent OWASP projects - Cory Scott

6:15 Concurrency Attacks in Web Applications - Scott Stender, iSEC Partners

7:15 The Seven Deadly Features of Web Applications - Matasano Security

===Presentation abstracts===

''Concurrency Attacks in Web Applications''

ABSTRACT

Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes. However, these attributes often encourage programming practices that make managing state difficult for a typical programmer.

Web application developers must carefully manage access to all resources that can shared by threads. Global variables, session variables, back-end systems, and application-specific data stores are common examples of such resources.

Concurrency flaws result when access to shared resources is not managed properly - something that is easy to do when the development environment purposefully encapsulates and abstracts the resources that need to be managed! When manipulating those resources carries a security impact, the attackers take notice.

Each prevalent class of security flaw shares a common attribute: mistakes happen when doing the right thing is difficult. It is our opinion that concurrency flaws, especially in the context of web applications, share this attribute. This presentation will provide insight into the ease with which concurrency flaws can be introduced into systems, offer guidance on evaluating the security impact of such flaws, and discuss strategies for eliminating such flaws that will be helpful to developers and testers alike.

SPEAKER BIO

Scott Stender
Principal Partner, iSEC Partners

Scott Stender is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

==== Chicago OWASP Chapter Leaders ====
[mailto:cory@crazypenguin.com Cory Scott]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chennai

2009-03-11T19:10:22Z

Alex Norman:

{{Chapter Template|chaptername=Chennai|extra=The chapter leader is [mailto:Myoosuf@cognizant.com Yoosuf Mohamed]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-chennai|emailarchives=http://lists.owasp.org/pipermail/owasp-chennai}}

==== Local News ====
<paypal>Chennai</paypal>

== Security Articles ==
March 2008 - '''A Checklist for Identifying Vulnerabilities''' - Vulnerabilities are holes in the application design / development / deployment that enable attackers to take advantage of the flaws present in the application...
[[https://www.owasp.org/images/c/c5/Vulnerability_Checklist.doc More]

==== Chapter Meetings ====
== You are Invited for the OWASP Chennai chapter Kick off Meeting - 2 February 2007 ==
This first meeting will serve as an introduction to OWASP and will have a discussion centered around our activities for the year 2007.

The agenda:

14.00 - 14.15: Welcome & Member Introduction
14.15 - 14.30: OWASP Introduction, Anand,Cognizant
14.30 - 15.30: Presentation on Phishing, Sreemathy Varadan, Cognizant [[https://www.owasp.org/images/a/a3/Phishing.ppt Download Presentation]]
15.30 - 16.00: Discussion - Meeting Schedule for 2007, Chennai Chapter Activities

Cognizant Technology solutions will be the sponsor for this meeting and the location would be
Third Floor,
Elnet Software City,
T.S.140, Block 2&9 C.P.T.Road,
Taramani,
Chennai - 600113

For any queries, pls call 044-42284056.

Pls confirm your participation by sending a mail to owasp@cognizant.com

Pls note that all OWASP chapter meetings are free and there will not be any vendor pitches or sales presentations at OWASP meetings]

==== Chennai OWASP Chapter Leaders ====
The chapter leader is [mailto:Myoosuf@cognizant.com Yoosuf Mohamed]
__NOTOC__
<headertabs/>
[[Category:India]]

Buffalo

2009-03-11T19:07:57Z

Alex Norman:

{{Chapter Template|chaptername=Buffalo|extra=The chapter leader is [mailto:james.kist@gmail.com James Kist]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-buffalo|emailarchives=http://lists.owasp.org/pipermail/owasp-buffalo}}

==== Local News ====
<paypal>Buffalo</paypal>

The Buffalo NY chapter was formed in August 2004. We meet 4 times a year for 1 to 2 hours per meeting and discuss topics related to web application security.

== Goals & Objectives ==

It is our goal to freely distribute information related specifically to web application security. We want to ensure our members receive "free, professional-quality, open-source documentation, tools, and standards", as quoted directly from the main OWASP site. Participation is free and open to all. All are encouraged to participate.

== Local Mailing List ==

You can sign up for the local mailing list. This list hosts discussions about chapter activity, planning for meetings and discussions about past and future presentations. To subscribe, go to http://lists.owasp.org/mailman/listinfo/owasp-buffalo and supply your email address.

== Participation ==

You can participate by either signing up for the mailing list or just show up for the next meeting!

==== Chapter Meetings ====
'''Next Chapter Meeting'''

The next Buffalo chapter meeting is currently being planned. Stay tuned for details!

== Location ==

The meetings for OWASP Buffalo will be held at: 
'''KnowledgeAir, LLC''' 
726 Exchange St 
Suite 628 (6th floor) 
Buffalo, NY 14210 

== Other Local IT Organizations ==

[http://www.isacawny.org/ ISACA WNY]

[http://www.rochissa.org/ ISSA Rochester]

[http://dc585.info/ Rochester, NY Defcon Group]

[http://www.infotechniagara.org/ infoTech Niagara]

[http://www.wnydnug.org/ WNY .NET Users Group]

[http://www.issabuffaloniagara.org/ ISSA Buffalo Niagara]

[http://www.wnysip.org/ WNYSIP - Western New York Society for Information Professionals ]

[http://wnyruby.com/ WNY Ruby Users Group]

==== Buffalo OWASP Chapter Leaders ====

President [mailto:james.kist@gmail.com James Kist]



For information on how to join the chapter or if you would like to attend a meeting or even speak at a meeting, please send one of the officers an email. If you have any suggestions for meeting topics, please send an email with your ideas.
__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]
[[Category:New York]]

Buffalo

2009-03-11T19:06:30Z

Alex Norman:

==== Local News ====
<paypal>Buffalo</paypal>

The Buffalo NY chapter was formed in August 2004. We meet 4 times a year for 1 to 2 hours per meeting and discuss topics related to web application security.

== Goals & Objectives ==

It is our goal to freely distribute information related specifically to web application security. We want to ensure our members receive "free, professional-quality, open-source documentation, tools, and standards", as quoted directly from the main OWASP site. Participation is free and open to all. All are encouraged to participate.

== Local Mailing List ==

You can sign up for the local mailing list. This list hosts discussions about chapter activity, planning for meetings and discussions about past and future presentations. To subscribe, go to http://lists.owasp.org/mailman/listinfo/owasp-buffalo and supply your email address.

== Participation ==

You can participate by either signing up for the mailing list or just show up for the next meeting!

==== Chapter Meetings ====
'''Next Chapter Meeting'''

The next Buffalo chapter meeting is currently being planned. Stay tuned for details!

== Location ==

The meetings for OWASP Buffalo will be held at: 
'''KnowledgeAir, LLC''' 
726 Exchange St 
Suite 628 (6th floor) 
Buffalo, NY 14210 

== Other Local IT Organizations ==

[http://www.isacawny.org/ ISACA WNY]

[http://www.rochissa.org/ ISSA Rochester]

[http://dc585.info/ Rochester, NY Defcon Group]

[http://www.infotechniagara.org/ infoTech Niagara]

[http://www.wnydnug.org/ WNY .NET Users Group]

[http://www.issabuffaloniagara.org/ ISSA Buffalo Niagara]

[http://www.wnysip.org/ WNYSIP - Western New York Society for Information Professionals ]

[http://wnyruby.com/ WNY Ruby Users Group]

==== Buffalo OWASP Chapter Leaders ====

President [mailto:james.kist@gmail.com James Kist]



For information on how to join the chapter or if you would like to attend a meeting or even speak at a meeting, please send one of the officers an email. If you have any suggestions for meeting topics, please send an email with your ideas.
__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]
[[Category:New York]]

Brisbane

2009-03-11T19:03:17Z

Alex Norman:

{{Chapter Template|chaptername=Brisbane|extra=The chapter leader is [mailto:jderry@owasp.org Justin Derry]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-brisbane|emailarchives=http://lists.owasp.org/pipermail/owasp-brisbane}}
==== Local News ====
<paypal>Brisbane</paypal>

==== Chapter Meetings ====

NEXT MEETING SCHEDULE: Soon

Come to the OWASP Conference on the Gold Coast (Feb 25-27th 2009). We are going to have a chapter meeting there, and work out how to grow the chapter over the coming year.

==Location==
Meetings are held at:

Dimension Data Office - Boardroom

Level 1, 139 Coronation Drive Milton Queensland
(Enter from the back off Little Cribb Street).

All Welcome, join us for an hour of great networking opportunities.

==Agenda==

Conference 2009

==== Brisbane OWASP Chapter Leaders ====
The chapter leader is [mailto:jderry@owasp.org Justin Derry]
__NOTOC__
<headertabs/>

[[Category:Australia]]

BostonFinancialDist

2009-03-11T18:53:55Z

Alex Norman:

{{Chapter Template|chaptername=Boston-Financial District|extra=The chapter leader is [mailto:jaboltz@bu.edu Jeff Boltz]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bostonfinancialdist|emailarchives=http://lists.owasp.org/pipermail/owasp-bostonfinancialdist}}

==== Local News ====
<paypal>BostonFinancialDist</paypal>

==== Chapter Meetings ====
'''First Meeting: Got SQL Injection??

June 26, 2006 3:30 PM to 5:00 PM: 50 Milk Street, Boston, MA 02109'''

Everyone is welcome to join us at our chapter meetings. The location is 50 Milk Street, Boston, MA 02109.

A representative from Fortify Software will be present to talk about The Top 10 Vulnerabilities in Enterprise Software System.

Please contact Jeff Boltz at jaboltz@bu.edu or call at (617) 772-1952 if you would like to attend.

==== Boston Financial District OWASP Chapter Leaders ====
The chapter leader is [mailto:jaboltz@bu.edu Jeff Boltz]
__NOTOC__
<headertabs/>
[[Category:Massachusetts]]

Boston

2009-03-11T18:52:18Z

Alex Norman:

{{Chapter Template|chaptername=Boston|extra=The chapter leader is [mailto:jim.weiler@starwoodhotels.com Jim Weiler]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Boston|emailarchives=http://lists.owasp.org/pipermail/owasp-Boston}}

[[Category:OWASP Chapter]]

==== Local News ====
<paypal>Boston</paypal>

To find out more about the Boston chapter, just join the [http://lists.owasp.org/mailman/listinfo/owasp-boston OWASP Boston mailing list].

== Local Chapter Information ==
The chapter shipping/mailing address is:

OWASP Boston
35 Wachusett Dr
Lexington, MA. 02421

== Reviews ==

[http://www.owasp.org/index.php/Reviews_of_security_podcasts Reviews of security podcasts]

==== Chapter Meetings ====
We meet the FIRST WEDNESDAY of EVERY MONTH (Unless a speaker can only present another night), 6:30 to 9 pm.

Everyone is welcome to come to any meeting, there is no signup or joining criteria, just come if it sounds interesting. Feel free to sign up to the [http://lists.owasp.org/mailman/listinfo/owasp-boston OWASP Boston mailing list]. This list is very low volume (2 - 3 emails/month); it is used to remind people about each monthly meeting, inform about local application security events and special chapter offers.

Information and an RSS feed for meeting updates about this and other Boston area user groups can be found at [http://www.bostonusergroups.net/DNN/ Boston User Groups].

== Location ==

The Boston OWASP Chapter meets the FIRST WEDNESDAY of every month (''' Unless a speaker can only present another night'''), 6:30 pm at the Microsoft offices at the Waltham Weston Corporate Center, 201 Jones Rd., Sixth Floor Waltham, MA.

From Rt. 128 North take exit 26 toward Waltham, East up the hill on Rt. 20. From Rt 128 South take exit 26 but go around the rotary to get to 20 East to Waltham. Follow signs for Rt. 117 (left at the second light). When you get to 117 turn left (West). You will cross back over Rt. 128. Jones Rd. (look for the Waltham Weston Corporate Center sign) is the second left, at a blinking yellow light, on Rt. 117 going west about 0.1 miles from Rt. 128 (I95). The office building is at the bottom of Jones Rd. Best parking is to turn right just before the building and park in the back. Knock on the door to get the security guard to open it. The room is MPR C.

== Next Meeting ---- ''' Tuesday March 10 ''' ==

'''Web Application Source Code Threat Analysis; Pen Test Tools, from Security Compass'''

'''Tool demo - '''

'''Exploit-Me Series – Free Firefox Application Penetration Testing Suite'''

The Exploit-Me series of tools are plug-ins to Firefox that allow for easy "right-click" style parameter fuzzing for web applications. The toolset is made specifically for security consultants, developers and QA staff to facilitate testing of applications. Sahba Kazerooni of Security Compass will demonstrate the use of the XSS-Me and SQL Inject Me tools.

'''Main Presentation'''

'''Framework-Level Threat Analysis - Adding science to the art of source code review'''

A traditional Threat Model is an effective tool for determining the threats that pose a risk to the architectural components of an application. But what if we wish to enumerate the threats that face the developmental components? Framework-Level Threat Analysis is a systemic approach to code review that speaks to the development staff by examining the underlying object model of an application.

In Framework-Level Threat Analysis, you are reviewing the application’s source code and breaking it down to it’s various components (servlet container, servlets, controller, delegate, command/business object, DAO, etc…), very similar to how you break down an app into its various architectural components in a standard TM. You then analyze a good number of use cases and model the way that data moves between the various components. The next step is to analyze each of the components in the path (can be as detailed as reviewing class by class) and document which security controls are happening where in the call flow. Once you’ve done that, it becomes visually apparent which security controls are missing in each use case.

Sahba Kazerooni is a security consultant with a strong background in J2EE software architecture and development. At Security Compass he harvests his unique blend of development and security knowledge in threat modeling, runtime security assessment, and source code review of client applications while at the same time leveraging his field experience to deliver Security Compass' one-of-a-kind training curriculum to organizations around the world. Mr. Kazerooni is an expert in application security assessments, having performed threat analysis, penetration testing, and source code review on numerous client applications. Sahba also plays a critical role in the developing and delivering the curriculum of Security Compass training services. He has developed and taught courses on various topics such as Exploiting and Defending Web Applications, Application Security Awareness, and Secure Coding in J2EE. He has presented at conferences around the world, including the Black Hat Security Conference in Amsterdam. He delivers Java secure coding training at the SANS Institute and has provided numerous presentations through ISC2 to their elite network of certified information security professionals.

== Past Meeting Notes ==

'''Feb 2005'''

Application Security Inc. PowerPoint slides for the [http://www.owasp.org/docroot/owasp/misc/Anatomy+of+an+Attack.ppt Anatomy of a Database Attack.]

'''March 2005'''

Joe Stagner: Microsoft
Let's talk about Application Security

'''April 2005'''

Jonathan Levin - [http://www.owasp.org/docroot/owasp/misc/JLevinRandoms.pdf Of Random Numbers]

Jothy Rosenberg, Founder and CTO: Service Integrity - [http://www.owasp.org/docroot/owasp/misc/JothyRWebSvcsSec.ppt Web Services Security]

'''May 2005'''

Patrick Hynds, CTO: Critical Sites - [http://www.owasp.org/docroot/owasp/misc/Passwords-Keys_to_the_Kingdom_Dev_V1.ppt Passwords - Keys to the Kingdom]

'''June 2005'''

Arian Evans, National Practice Lead, Senior Security Engineer: Fishnet Security
[http://www.owasp.org/conferences/appsec2005dc/schedule.html Overview of Application Security Tools]

'''July 2005'''

Mark O'Neill, CTO: Vordel -
[http://www.owasp.org/docroot/owasp/misc/MarkOneill.pdf Giving SOAP a REST? A look at the intersection of Web Application Security and Web Services Security]

'''September 2005'''

Dr. Herbert Thompson, Chief Security Strategist: SecurityInnovation -
How to Break Software Security

'''October 2005'''

Prateek Mishra, Ph.D. Director, Security Standards and Strategy: Oracle Corp
Chaiman of the OASIS Security Services (SAML) Technical Committee -
[http://www.owasp.org/docroot/owasp/misc/Federation-Introduction-Overview-01.ppt Identity Federation : Prospects and Challenges]

Ryan Shorter, Sr. System Engineer: Netcontinuum -
Application Security Gateways

'''November 2005'''

Robert Hurlbut, Independent Consultant
[http://www.owasp.org/docroot/owasp/misc/OWASP_Hurlbut_ThreatModelingforWebApplicaitons.zip Threat Modeling for web applications]

'''December 2005'''

Paul Galwas, Product Manager: nCipher
[http://www.owasp.org/docroot/owasp/misc/OWASP051207.ppt Enigma variations: Key Management controlled]

'''January 2006'''

David Low, Senior Field Engineer: RSA
Practical Encryption

'''February 2006'''

Ron Ben Natan; Guardium CTO
Database Security: Protecting Identity Information at the Source

'''March 2006'''

Mateo Meucci; OWASP Italy
[http://www.owasp.org/images/8/8c/Anatomy_of_2_Web_App_Testing.zip Anatomy of 2 web attacks]

Tom Stracener; Cenzic
Web Application Vulnerabilities

'''April 2006'''

Dennis Hurst; SPI Dynamics: A study of AJAX Hacking

Jim Weiler; OWASP Boston: Using Paros HTTP proxy, part 1.
first meeting with all demos, no powerpoints!

'''May 2006'''

'''June 2006'''
Imperva - Application and Database Vulnerabilities and Intrusion Prevention

Jim Weiler - Using Paros Proxy Server as a Web Application Vulnerability tool

'''September 2006'''
Mike Gavin, Forrester Research: Web Application Firewalls

'''November 2006'''

'''January 2007'''
Dave Low, RSA the Security Division of EMC: encryption case studies

'''March 2007'''
Jeremiah Grossman, CTO Whitehat Security: Top 10 Web Application Hacks of 2006

'''June 2007'''
Tool Talk - Jim Weiler - WebGoat and Crosssite Request Forgeries

Danny Allan; Director, Security Research, Watchfire

Topic: Exploitation of the OWASP Top 10: Attacks and Strategies

'''September 2007'''

Day of Worldwide OWASP 1 day conferences on the topic "Privacy in the 21st Century"

'''October 2007'''

George Johnson, Principal Software Engineer EMC; CISSP

An Introduction to Threat Modeling.

Jim Weiler CISSP

Web Application Security and PCI compliance.

'''November 2007'''
Tom Mulvehill Ounce Labs

Description – Tom will share his knowledge and expertise on implementing security into the software
development life cycle. This presentation will cover how to bring practicality into secure software
development. Several integration models will be explored as well as solutions for potential obstacles

[https://www.owasp.org/images/f/f8/Ounce_OWASP_07NOV07ppt.zip Ounce presentation]

'''December 2007'''
Scott Matsumoto; Principal Consultant, Cigital

Description – You Say Tomayto and I Say Tomahto – Talking to Developers about Application Security

[https://www.owasp.org/images/5/5b/BostonOWASP200712-Cigital.pdf Cigital Presentation]

'''March 2008'''
Chris Eng; Senior Director, Security Research, Veracode

Description – Attacking crypto in web applications

'''June 2008'''
Main Speaker - Jeremiah Grossman; Founder and CTO, Whitehat Security

Appetizer - Hacking Intranets from the Outside (Just when you thought your network was safe) Port scanning with JavaScript

Main Topic - Business Logic Flaws: How they put your Websites at Risk

'''December 2008'''
Main Speaker - Brian Holyfield, Gothem Digital Science

Tamper Proofing Web Applications http://www.gdssecurity.com/l/b/2008/12/04/

==== Boston OWASP Chapter Leaders ====

'''President'''

[mailto:jim.weiler@starwoodhotels.com Jim Weiler] 781 356 0067

'''Program Committee'''

Mark Arnold

[mailto:jim.weiler@starwoodhotels.com Jim Weiler] 781 356 0067

__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]
[[Category:Massachusetts]]

Boise

2009-03-11T18:44:36Z

Alex Norman:

{{Chapter Template|chaptername=Boise|extra=The chapter leader is [http://techfeed.net/blog/ Jacob Munson].
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-boise|emailarchives=http://lists.owasp.org/pipermail/owasp-boise}}
==== Local News ====
<paypal>Boise</paypal>

The chapter mailing address is: 
Boise OWASP 
604 N Lauren Ave 
Kuna, ID 83634 

==== Chapter Meetings ====

Our next meeting will be Tuesday March 25th, at 6:30. For this meeting, [http://errorik.com/ Erik Goodlad] will present on secure storage, and I will cover the latest news from the global OWASP community. I hope to see you there!

We meet the 4th Tuesday of each month at 6:30 PM. Our meeting location is at the [http://www.keynetics.com/ Keynetics] offices in downtown Boise, between Ann Morrison Park and Boise State University. Here is [http://maps.google.com/maps?f=q&hl=en&geocode=&time=&date=&ttype=&q=917+Lusk+Street,+boise+id&sll=37.0625,-95.677068&sspn=48.688845,81.738281&ie=UTF8&z=16&iwloc=addr&om=1 a map] showing the location. The address is 917 S Lusk St.

==== Boise OWASP Chapter Leaders ====
The chapter leader is [http://techfeed.net/blog/ Jacob Munson]
__NOTOC__
<headertabs/>
[[Category:Idaho]]

Belgium

2009-03-11T18:41:24Z

Alex Norman:

{{Chapter Template|chaptername=Belgium|extra=The chapter leader is [mailto:seba@owasp.org Sebastien Deleersnyder]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-belgium|emailarchives=http://lists.owasp.org/pipermail/owasp-belgium}}

==== Local News ====

<paypal>Belgium</paypal>

Coming up: a new season of Belgium chapter meetings!

== Structural Sponsors 2008-2009 ==
OWASP BeLux would like to thank the following organizations for sponsoring this chapter. If you are interested in sponsoring the Belgium chapter please contact seba 'at' owasp.org .

[http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg]
[http://www.telindus.com http://www.owasp.org/images/b/b3/Telindus.jpg]
[http://www.zionsecurity.com http://www.owasp.org/images/e/e6/Zionsecurity.jpg]
[http://www.radarsec.com http://www.owasp.org/images/9/93/Radarsec.jpg]
[http://www.radware.com http://www.owasp.org/images/8/82/Rad_logo.gif]

==== Chapter Meetings ====
== Next Meeting (Mar-4-2009) in Brussels ==

===WHEN===
Wednesday, March 4th, 2009 (18h00pm-21h00pm)

===WHERE===
Location is sponsored by [http://one.belgacom.be/one/en/?setlang=en Telindus, Belgacom-ICT]. 
Address: Geldenaaksebaan 335, B-3001 Heverlee ([http://www.telindus.com/resources/location_telindus_hq.pdf Route] + [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=Geldenaaksebaan+335+B-3001+Leuven&sll=37.0625,-95.677068&sspn=51.177128,89.648437&ie=UTF8&z=16&iwloc=addr Google Maps])

===PROGRAM===
The agenda:

* 18h00 - 18h30: Welcome & Refreshments 
* 18h30 - 18h45: '''OWASP Update''' (by Sebastien Deleersnyder, Telindus, OWASP Board) 
* 18h45 - 20h45: '''A Software Security Maturity Model''' (by Gary McGraw, CTO of Cigital) 
:''Presentation + discussion:'' As a discipline, software security has made great progress over the last decade. There are now at least 23 large scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008, Brian Chess, Sammy Migues and I interviewed the executives running nine initiatives using the twelve practices of [http://www.informit.com/articles/article.aspx?p=1271382 the Software Security Framework] as our guide. The resulting data, drawn from real programs at different levels of maturity was used to guide the construction of a Software Security Maturity Model. This talk will describe the maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works ---people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large scale software security initiatives share common ideas and approaches. Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. Use the software security maturity model to determine where you stand and what kind of software security plan will work best for you.
:'''[http://www.rstcorp.com/gem/ Gary McGraw (aka gem)]''' is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of six best selling books on this topic. The latest, Exploiting Online Games was released in 2007. His other titles include Java Security, Building Secure Software, Exploiting Software, and Software Security; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 90 peer-reviewed scientific publications, authors a monthly security column for darkreading.com, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the School of Informatics. Gary is an IEEE Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine.

=== REGISTRATION ===
Please '''send a mail''' to Belgium 'at' owasp.org if you plan to attend, so we can size the venue appropriately and keep you updated on last-minute changes.

== Previous Meeting (Feb-4-2009) in Brussels ==

BLOG posts by 
[http://blog.security4all.be/2009/02/overview-of-owasp-be-chapter-meeting-4.html security4all] 
[http://blog.rootshell.be/2009/02/05/first-owasp-belgian-chapter-meeting-of-2009/ rootshell]

===WHEN===
Wednesday, February 4th, 2009 (18h00pm-21h00pm)

===WHERE===
Location was sponsored by [http://www.ey.com/be Ernst&Young]'s Information Security Team. 
address: De Kleetlaan 2, 1831 Diegem ([http://www.ey.com/Global/assets.nsf/Belgium_E/Office_Map_Brussels/$file/EY_Brussels_Office.pdf Route] + [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=De+Kleetlaan+2,+1831+Diegem&sll=37.0625,-95.677068&sspn=49.176833,89.648437&ie=UTF8&z=16&iwloc=cent Google Maps])

===PROGRAM===
The agenda:

* 18h00 - 18h30: Welcome & Refreshments 
* 18h30 - 18h40: '''OWASP Update''' (by Sebastien Deleersnyder, Telindus, OWASP Board) 
* 18h40 - 19h30: '''Best Practices Guide Web Application Firewalls''' (by Alexander Meisel, CTO and founder of [http://www.artofdefence.com/ Art of Defence]) 
:''Presentation + discussion:'' the OWASP German chapter has put together a [http://www.owasp.org/images/1/1b/Best_Practices_Guide_WAF.pdf paper] to give a better understanding in how and where Web Application Firewalls should be used.
:'''Alexander Meisel''' is CTO and founder of [http://www.artofdefence.com/ art of defence]. He is in charge of product development, professional services and support. His interest and expertise in the area of security dates back to his thesis in which he wrote about avoiding and tracing distributed denial-of-service attacks. He worked for a Swiss IT service provider as a Web security expert; later he joined LINX, Europe’s largest Internet exchange, where he took care of member network security issues. After working for three years as a senior consultant designing and implementing large Web farms, including security audits with a leading producer of web servers, Alexander switched to a SPX Corporation company, where he was the main project manager for Web application solutions in the SAP area.
* 19h30 - 20h00: '''I thought you were my friend - Evil Markup, browser issues and other obscurities''' (by Mario Heiderich) 
:''Presentation:'' This talk is a preview of the upcoming Poland talk (still in selection process). The talk will cover a short exegesis of how and where browser vendors talk about security - and what can be seen from a security professionals perspective. The ratio between the growth of new browser technologies and the amount of time for developers to learn working with them could turn out to be a problem - especially when knowing that todays browsers support a vast amount of lost treasures. Amongst them various XML quirks, data islands, SVG fonts etc. which make it hard to protect rich web applications. Surprising but true: several of the most recent in-the-wild browser exploits were possible due to those legacy features like the IE6-8 code execution flaw. Reason enough to dive into a collection of weird techniques and standards exposing attack vectors and scenarios that WAF systems and filters might have some trouble with. The talk also shows some issues regarding IE8 and Opera 10 - as well as current Firefox versions. The conclusion of the talk features an overview of what we can expect during the next months, ways for developers and related parties to deal with those security risks.
:'''Mario Heiderich''', is a cologne based CTO for an online enterprise based in Cologne and New York. He was visitor and speaker on several OWASP conferences, maintains the PHPIDS and other security related projects and recently authored a German book on Web Security together with Christian Matthies, fukami and Johannes Dahse. He is currently into browser security and digging the HTML5 specifications.
* 20h00 - 20h10: '''Break'''
* 20h10 - 21h00: '''Research on Belgian bank trojan attacks''' (by Richard Bennett, software consultant) 
:''Presentation + discussion:'' Richard will present results of his research on trojans attacking customers of Belgian banks.
:The paper summarizes the following aspects:
:* What are these 'Banking Trojans'?
:* Who creates them and why?
:* What kind of infrastructure are they using?
:* Which banks and organizations are they targeting?
:* How do these trojans affect the target PC, and how are they spread?
:* How can they be detected and removed?
:* What are the risks to banking and e-commerce?
:* What are the CBFA's updated 2009 recommendations, and do they make sense?
:* How can we further mitigate this risk?
:It is quite a high-level paper aimed to be used as input and context during a risk-analysis.
:The PDF will be made available shortly.
:'''[https://www.owasp.org/index.php/Special:Emailuser/Richard_Bennett Richard_Bennett]''' is an OWASP member and consultant with [http://www.elmos.be Elmos NV], currently working for a Belgian business bank as test and QA engineer.

== Past Events ==
* Events held in [[Belgium_Previous_Events_2008|2008]]
* Events held in [[Belgium_Previous_Events_2007|2007]]
* Events held in [[Belgium_Previous_Events_2006|2006]]
* Events held in [[Belgium_Previous_Events_2005|2005]]

==== Belgium OWASP Chapter Leaders ====
The BeLux Chapter is supported by the following board:
* Erwin Geirnaert, Zion Security
* Philippe Bogaerts, NetAppSec
* André Mariën, Inno.com
* Lieven Desmet, K.U.Leuven
* Joël Quinet, Telindus
* Sebastien Deleersnyder, Telindus
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.
__NOTOC__
<headertabs/>

Bay Area

2009-03-11T18:39:13Z

Alex Norman:

{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}

==== Local News ====
<paypal>Bay Area</paypal>

==== Chapter Meetings ====
==Date and Location==
'''March 18th @ 6PM - Gap Inc'''
Conference Center C
2 Folsom Street,
San Francisco , CA 94105

OWASP Bay Area will host its next meeting at Gap Inc in San Francisco on Wednesday, March 18th. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.

Special thanks to Gap Inc for hosting this event and to ___, ___ for sponsoring.

==Agenda==
5:45 PM - 6:15 PM ... Check-in and registration
6:15 PM - 7:15 PM ... Back to the Future - Phishing and Malware by Brendan O’Conner, Saleforce.com
7:15 PM - 7:30 PM ... Break
7:30 PM - 8:30 PM ... Testing Methodologies: White-box, Gray-Box, Black-box or Something Else by Kirk Greene, Accuvant

==Speakers==

'''Back to the Future - Phishing and Malware''' by Brendan O’Conner, Saleforce.com

Abstract: The more things change, the more they stay the same. We'll take a trip back in time to look at the phishing and anti-malware solutions of the past. Why did they fail? With companies investing hundreds of thousands of dollars or more in these solutions, what does the future of this space look like and what tricks can you apply to stay one step ahead?

Bio: Brendan O'Connor is originally from the Midwest , currently residing in the Bay Area as a security engineer . He worked in security for a communications company for four years before switching to the financial sector in 2004 and onto Software as a Service in 2008. Brendan currently works on the Product Security team at Salesforce.com, where his duties include vulnerability research, security architecture, and application security.

'''Testing Methodologies: White-box, Gray-Box, Black-box or Something Else''' by Kirk Greene, Accuvant

Abstract: In this presentation we will discuss the different testing methodologies used when assessing the security of both binary applications as well as web-based applications. We will focus on the differences and advantages as they relate to black-box testing, white-box testing, gray-box testing, reverse engineering, and fuzzing. Unfortunately there is no one testing methodology that provides the best balance of time and accuracy for every application, in this talk we will provide metrics for helping decide what methodology should be used for what types of applications.

Bio: Kirk has been providing security consulting services for over a decade. Through that time Kirk has served clients in a variety of industries including federal and local government, healthcare, financial services, telecommunications, e-Commerce, fuel and natural gases, manufacturing, application service providers, gaming, Internet start-ups, and Internet service providers. In his tenure with Accuvant, Kirk has performed a variety of consulting and managerial responsibilities from developing and performing financial institution regulation audits to managing performing enterprise assessments for multi-national corporations. Kirk is a Certified Information Systems Security Professional (CISSP), ISS Certified Engineer, PCI Qualified Data Security Professional (QDSP), Qualified Payment Application Security Professional (QPASP).

==RSVP==
'''REGISTER EARLY AS SEATING IS LIMITED'''

Please RSVP at http://bayareaowasp.eventbrite.com

=Bay Area Past Events=
[[Bay Area Past Events]]

==== Bay Area OWASP Chapter Leaders ====
*[mailto:brian@appsecconsulting.com Brian Bertacini]
*[http://garrettgee.com Garrett Gee]
*[mailto:mandeep@cenzic.com Mandeep Khera]
*[mailto:robipapp@yahoo.com Robi Papp]
__NOTOC__
<headertabs/>
[[Category:California]]

Bahrain

2009-03-11T18:35:35Z

Alex Norman:

{{Chapter Template|chaptername=Bahrain|extra=The chapter leader is [mailto:asharma@secureitlab.com Ashish Sharma]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Bahrain|emailarchives=http://lists.owasp.org/pipermail/owasp-Bahrain}}

==== Local News ====
<paypal>Bahrain</paypal>

==== Chapter Meetings ====
'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

==== Bahrain OWASP Chapter Leaders ====
The chapter leader is [mailto:asharma@secureitlab.com Ashish Sharma]
__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]

Austin

2009-03-11T18:32:19Z

Alex Norman:

{{Chapter Template|chaptername=Austin|extra=The chapter leadership includes: [mailto:wickett@gmail.com James Wickett, President], [mailto:josh.sokol@ni.com Josh Sokol, Logistics Chair], [mailto:rich.vazquez@gmail.com Rich Vazquez, Communications Chair], [mailto:sfoster@austinnetworking.com Scott Foster, Membership Chair], and the former chapter president is [mailto:cdewitt@indepthsec.com Cris Dewitt]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-austin|emailarchives=http://lists.owasp.org/pipermail/owasp-austin}}

==== Local News ====

''If a link is available, click for more details on directions, speakers, etc. You can also review [http://lists.owasp.org/pipermail/owasp-austin/ Email Archives] to see what folks have been talking about''
<paypal>Austin</paypal>

==== Chapter Meetings ====

'''When:''' February 24, 2009, 11:30am - 1:00pm

'''Topic: ''' Web Application Security in the Airline Industry: Stealing the Airlines’ Online Data

In this session, attendees will learn about the types of airline data that is at risk of being stolen by online data thieves. In addition, the following topics will be further explored:

1. Important attack scenarios and Web-based vulnerabilities accompanied by examples of how these attacks can be mitigated by deploying comprehensive defense solutions;

2. Protection strategies and tools, such as Web application scanners and Web application firewalls, which help equalize the gap between the advanced Web hacker and the security professional; and

3. Compliance and Software development life cycle approaches.

Following the September 11 attacks, the airline industry recognized its need to ‘webify’ online ticket reservation systems, crew scheduling, and passenger profiles in order to enhance operational efficiency. This ultimately served to decrease the airlines’ operating costs, thereby increasing their operating profits. However, the following questions remain: At what costs? What are the information systems and customer data security risks associated with the airline ‘webification’ process?

Please join in this presentation, which will outline some of the challenges that members of the airlines industry may face when attempting to protect their online services. Additionally, attendees will discover methodologies that airlines may utilize to identify, assess, and protect against the various risks associated with Web-based application attacks.

'''Who:''' Quincy Jackson

Quincy Jackson, a CISSP and Certified Ethical Hacker, has more than 15 years of experience in the Information Technology (“IT”) profession, which include 8 years in Information Security. In addition, Quincy has 15 years in the aviation industry. His career in the aviation industry began in the United States Army as an Avionics System Specialist. Quincy began to explore his passion for IT Security as Sr. Manager - Information Security for Continental Airlines. Over his 8-year tenure at Continental Airlines, Quincy was instrumental in the development of the Company’s first Information Security Program. Quincy currently serves as the IT Security Manager for Universal Weather and Aviation, Inc. (“UWA”). UWA provides business aviation operators various aviation support services, including flight coordination, ground handling, fuel arrangement and coordination, online services, and weather briefings. Quincy enjoys both learning about and sharing his knowledge of Web application security with others, including ISSA and OWASP members.

'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].

'''Cost:''' Always Free

'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.

'''When:''' March 26th, 2009, 5:00pm - 7:00pm

'''Topic: ''' OWASP March Happy Hour

'''Where: ''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info

== Future Speakers and Events ==

February 24th, 2009 - Quincy Jackson (@ National Instruments)

March 31st, 2009 - OPEN (@ National Instruments)

April 28th, 2009 - OPEN (@ National Instruments)

== Record Hall of Meetings ==

'''When:''' February 5th, 2009, 5:00pm - 7:00pm

'''Topic: ''' OWASP Live CD Release Party

'''Where: ''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info

'''When:''' January 27, 2009, 11:30am - 1:00pm

'''Topic: ''' Cross-Site Request Forgery attacks and mitigation in domain vulnerable to Cross-Site Scripting.

The presentation will include the following topics in addition to a hands-on demonstration for each portion of the talk:

1. The statelessness of the internet

2. How the naive attack works

3. A mitigation strategy against this naive attack

4. An combined CSRF/XSS attack that defeats this mitigation strategy

5. And finally suggestions for mitigation of the combined attack

'''Who:''' Ben L Broussard

I am new in the world of Web App security; my passion started when I took a continuing education class related to Web App security. My background is in Number Theory with an emphasis in Cryptography and especially Cryptanalysis. I am an avid puzzler, taking 2nd place (along with my teammates) at UT in this year's Microsoft College Puzzle Challenge. I am currently a developer (database and web apps) for the Accounting department of The University of Texas at Austin.

'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].

'''When:''' October 28, 2008, 11:30am - 1:00pm

'''Who:''' Josh Sokol

Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog].

'''Topic: ''' Using Proxies to Secure Applications and More

The last Austin OWASP presentation of the year is a must see for anyone responsible for the security of a web application. It is a demonstration of the various types of proxy software and their uses. We've all heard about WebScarab, BurpSuite, RatProxy, or Paros but how familiar are you with actually using them to inspect for web security issues? Did you know that you can use RatProxy for W3C compliance validation? By the time you leave this presentation, you will be able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired.

'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].

'''Cost:''' Always Free

'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.

'''When:''' September 30, 2008, 11:30am - 1:00pm

'''Who:''' Josh Sokol

'''Josh's Bio:''' Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog].

'''Topic: ''' OWASP AppSec NYC Conference 2008

'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].

'''Cost:''' Always Free

'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.

'''When:''' August 26th, 2008, 11:30am - 1:00pm

'''Who:''' Matt Tesauro

Matt's Bio: Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the topic of this talk: OWASP Live CD 2008.

'''Topic: ''' OWASP Live CD 2008 - An OWASP Summer of Code Project

The OWASP Live CD 2008 project is an OWASP SoC project to update the previously created OWASP 2007 Live CD. As the project lead, I'll show you the latest version of the Live CD and discuss where its been and where its going. Some of the design goals include:
# easy for the users to keep the tools updated
# easy for the project lead to keep the tools updated
# easy to produce releases (I'm thinking quarterly releases)
# focused on just web application testing - not general Pen Testing

OWASP Project Page:
http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project

Project Wiki:
http://mtesauro.com/livecd/

'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].

'''Cost:''' Always Free

'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.

'''When:''' July 29th, 2008, 11:30am - 1:00pm

'''Who:''' Whurley and Mando

William Hurley is the Chief Architect of Open Source Strategy at BMC Software, Inc. Also known as "whurley", he is responsible for creating BMC's open source agenda and overseeing the company's participation in various free and open source software communities to advance the adoption and integration of BSM solutions. A technology visionary and holder of 11 important patents, whurley brings 16 years of experience in developing groundbreaking technology. He is the Chairman of the Open Management Consortium, a non-profit organization advancing the adoption, development, and integration of open source systems management. Named an IBM Master Inventor, whurley has received numerous awards including an IBM Pervasive Computing Award and Apple Computer Design Award.

Mando Escamilla is the Chief Software Architect at Symbiot, Inc. He is responsible for the technical vision and architecture for the Symbiot product line as well as the technical direction for the openSIMS project. He stands (mostly firmly) on the shoulders of giants at Symbiot and he hopes to not embarrass himself.

'''Topic: ''' The rebirth of openSIMS http://opensims.sourceforge.net Correlation, visualization, and remediation with a network effect

OpenSIMS has a sordid history. The project was originally a way for tying together the open source tools used for security management into a common infrastructure. Then the team added a real-time RIA for a new kind of analysis and visualization of enterprise network security (winning them an Apple Design Award in 2004). Then out of nowhere the project went dark. Now, Mando Escamilla (Symbiot/openSIMS) and whurley give you a look at the future of openSIMS as a services layer and explain why community centric security is valuable to your enterprise.

'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].

'''Cost:''' Always Free

'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.

'''When:''' June 24th, 2008, 11:30am - 1:00pm

'''Who:''' Matt Tesauro (presenting) and A.J. Scotka, Texas Education Agency

Matt's Bio: Matt Tesauro has worked in web application development and
security since 2000. He's worn many different hats, from developer to
DBA to sys admin to university lecturer to pen tester. Currently, he's
focused on web application security and developing a Secure SDLC for
TEA. Outside work, he is the project lead for the OWASP SoC Live CD
project: https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#OWASP_Live_CD_2008_Project

A.J.'s Bio: A. J. Scotka Senior Software Quality Engineer, Texas
Education Agency
As an ASQ Certified Software Quality Engineer (CSQE), A. J. is currently
responsible for quality reviews on design and code, software
configuration management process, build engineering process, release
engineering process, verification and validation throughout the life
cycle and over all quality improvement across all areas of enterprise
code manufacturing.

'''Topic: ''' Securely Handling Sensitive Configuration Data.

One of the age old problems with web applications was keeping sensitive
data available on a need to know basis. The classic case of this is
database credentials. The application needs them to connect to the
database but developers shouldn't have direct access to the DB -
particularly the production DB. The presentation will discuss how we
took on this specific problem, our determination that this was a
specific case of a more general problem and how we solved that general
problem. In our solution, sensitive data is only available to the
application and trusted 3rd parties (e.g. DBAs). We will then cover our
implementation of that solution in a .Net 2.0 environment and discuss
some options for J2EE environments. So far, we used our .Net solution
successfully for database credentials and private encryption keys used
in XML-DSig. Sensitive data is only available to the application and
trusted 3rd parties (e.g. DBAs).

'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].

'''When:''' May 27th, 2008, 11:30am - 1:00pm

'''Who:''' Nathan Sportsman and Praveen Kalamegham, Web Services Security

'''Topic: '''Web Services Security
The concept of web services has become ubiquitous over the last few years. Frameworks are now available across many platforms and languages to greatly ease and expedite the development of web services, often with a vast amount of existing code reuse. Software companies are taking advantage of this by integrating this technology into their products giving increased power and interoperability to their customers. However, the power web services enables also introduces new risks to an environment. As with web applications, development has outpaced the understanding and mitigation of vulnerabilities that arise from this emerging technology. This presentation will first aim to identify the risks associated with web services. We will describe the existing security standards and technologies which target web services (i.e., WS-Security) including its history, pros and cons, and current status. Finally we will attempt to extrapolate the future of this space to determine what changes must be made going forward.

'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].

'''When:''' April 29th, 2008, 11:30am - 1:00pm

'''Who:''' Mano Paul

Bio
Manoranjan (Mano) Paul started his career as a Shark Researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with a 4.0 GPA and valedictory accolades. Partnering with (ISC)2, the global leader in information security certification and education, he founded and serves as the President & CEO of Express Certifications, a professional certification assessment and training company whose product (studISCope) is (ISC)2’s OFFICIAL self assessment offering for renowned security certifications like the CISSP® and SSCP®. Express Certifications is also the self assessment testing engine behind the US Department of Defense certification education program as mandated by the 8570.1 directive.
He also founded and serves as the CEO of SecuRisk Solutions, a company that specializes in three areas of information security - Product Development, Consulting, and Awareness, Training & Education.

'''What:''' Security – The Road Less Travelled

Abstract -
What do you think Shakespeare had to say about Software Security? What does an naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more …
The Road Less Travelled by renowed poet, Robert Frost ends by with the statement “And that has made all the difference”. Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective, that would make ALL the difference. The session will cover not only the higher level abstractions of security concepts, but will dive deep wherever applicable into concepts and code, making it a MUST attend for Development, QA, PM and Management Staff on both the IT and Business side.
Also, if you are interested in becoming a CISSP® or SSCP®, come find out about the official (ISC)2 self-assessment tool developed by Express Certifications to aid candidates in their study efforts and how you can get valuable discounts.

'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].

'''When:''' March 25th, 2008, 11:30am - 1:00pm

'''Who:''' Dan Cornell, Principal of Denim Group, Ltd., OWASP San Antonio Leader, Creator of Sprajax

Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

'''Topic: '''Static Analysis Techniques for Testing Application Security

Static Analysis of software refers to examining source code and other software artifacts without executing them. This presentation looks at how these techniques can be used to identify security defects in applications. Approaches examined will range from simple keyword search methods used to identify calls to banned functions through more sophisticated data flow analysis used to identify more complicated issues such as injection flaws. In addition, a demonstration will be given of two freely-available static analysis tools: FindBugs for the Java platform and FXCop for the .NET platform. Finally, some approaches will be presented on how organizations can start using static analysis tools as part of their development and quality assurance processes.

'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].

February 26th, 2008 - Michael Howard, Author of Writing Secure Code

'''Topic: '''Microsoft's SDL: A Deep Dive

In this presentation, Michael will explain some of the inner workings of the SDL as well as some of the decision making process that went into some of the SDL requirements. He will also explain where SDL can be improved.

'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].

January 29th, 2008 - Mark Palmer, Hoovers and Geoff Mueller, NI @ WHOLE FOODS, Downtown

'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance. The stairs are located on the West Side of the building, just north of the main entrance. There is no access to the Plaza level from inside the store.

See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].

'''When:''' December 4th, 2007, 11:30am - 1:00pm

'''Who:''' Jeremiah Grossman (WhiteHat Security, CTO, OWASP Founder, Security Blogger)

'''Topic: Business Logic Flaws'''

Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend them. Plus, the more sophisticated and Web 2.0 feature-rich a website, the more prone it is to have flaws in business logic.

This presentation will provide real-world demonstrations of how pernicious and dangerous business logic flaws are to the security of a website. He’ll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.

'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].

'''November 27th, 2007 Austin OWASP chapter meeting''' - Robert Hansen (SecTheory.com, ha.ckers.org and is regarded an expert in Web Application Security)

Robert will be talking about different ways to de-anonymize and track users both from an offensive and defensive standpoint. He will discuss how the giants of the industry do it and next generation tactics alike.

Whole Foods, 550 Bowie Street, Austin, TX 78703. Come to the Whole Foods plaza level and sign in with receptionist.
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].

'''October 2007 Austin OWASP chapter meeting ''' October 30th, 11:30am - 1:00pm at National Instruments
"Social networking" - Social networking is exploding with ways to create your own social networks. As communities move more and more online and new types of communities start to form, what are some of the security concerns that we have and might face in the future? by Rich Vázquez, and Tom Brown.

'''September 2007 Austin OWASP Chapter September 2007 ''' - Tue, September 25, 2007 11:30 AM – 1:00 PM at Whole Foods Meeting 550 Bowie Street, Austin
"Biting the hand that feeds you" - A presentation on hosting malicious content under well know domains to gain a victims confidence.
"Virtual World, Real Hacking" - A presentation on "Virtual Economies" and game hacking.
"Cover Debugging - Circumventing Software Armoring techniques" - A presentation on advanced techniques automating and analyzing malicious code.

'''August 2007 Austin OWASP chapter meeting''' - '''8/28,''' 11:30am - 1:00pm at National Instruments. Josh Sokol presented on OWASP Testing Framework and how to use it, along with free and Open Source tools, in a live and interactive demonstration of web site penetration testing.

'''July 2007 Austin OWASP chapter meeting''' - '''7/31,''' 11:30am - 1:00pm at Whole Foods. Dan Cornell will be presenting on Cross Site Request Forgery

'''June 2007 Austin OWASP chapter meeting''' - 6/26, 11:30am - 1:00pm at National Instruments.
[http://www.stokescigar.com James Wickett] from Stokes [http://www.stokescigar.com Cigar] Club presented on OWASP Top 10 and using Web Application Scannners to detect Vulnerabilities.

'''May 2007 Austin OWASP chapter meeting''' - 5/29, "Bullet Proof UI - A programmer's guide to the complete idiot". Robert will be talking about ways to secure a web-app from aggressive attackers and the unwashed masses alike.

'''April 2007 Austin OWASP chapter meeting''' - 4/24, 11:30am - 1:00pm at National Instruments. H.D. Moore (creator of MetaSploit will be presenting)

'''March 2007 Austin OWASP chapter meeting''' - 3/27, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments].

[[January 2007 Austin Chapter Meeting]] - 1/30, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S15.

December Meeting - Due to the holidays, there will be no December OWASP meeting. However, we are looking for speakers for the January meeting. If you or anyone you know would be a good candidate, let us know! Happy Holidays!

[[November 2006 Austin Chapter Meeting]] - 11/21, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S14.

[[October 2006 Austin Chapter Meeting]] - 10/31 - Boo!

[[September 2006 Austin Chapter Meeting]] - 9/26, 12-1:00 at Texas ACCESS Alliance building located at the intersection of IH-35 South and Ben White

[[August 2006 Austin Chapter Meeting]] - Tuesday- 8/29, 11:30-1:30 on the National Instruments campus, Mopac B (the middle building), conference room 112 (in the Human Resources area to the left of the receptionist). See [http://maps.google.com/maps?f=q&hl=en&q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&ie=UTF8&ll=30.406377,-97.726135&spn=0.017211,0.036778&om=1 directions to National Instruments]. ''Hint:'' It is on your left on Mopac if you were heading up to Fry's from Austin.

'''Austin OWASP chapter kickoff meeting''' - Thursday, 7/27, 12-2pm @ Whole Foods Market (downtown, plaza level, sign in with receptionist)

== Presentation Archives ==

The following presentations have been given at local chapter meetings:

* Using Proxies to Secure Applications and More Austin OWASP Chapter October 2008 [https://www.owasp.org/images/f/ff/Using_Proxies_to_secure_applications_and_more.pptx Josh Sokol Presentation]

* OWASP Testing Framework Austin OWASP Chapter August 2007 [https://www.owasp.org/images/d/db/The_OWASP_Testing_Framework_Presentation.ppt Josh Sokol Presentation]

* Single Sign On (7/27)

* [http://www.threatmind.net/papers/franz-basic-j2ee-tools-owasp-austin.pdf A Rough Start of a Toolset for Assessing Java/J2EE Web Apps] (7/27) - [[MattFranz]] discussed some custom Python tools he has been writing for conducting security testing of a Struts (and other Java) web applications.

* [http://www.owasp.org/index.php/Image:DenimGroup_AJAXSecurityHereWeGoAgain_Content_20060829.pdf AJAX Security: Here we go again] - Dan Cornell from [http://www.denimgroup.com/ Denim Group] discussed security issues in the one the popular Web 2.0 technlogy (8/29)

==== Austin OWASP Chapter Leaders ====
[mailto:wickett@gmail.com James Wickett, President] - (512) 989-6808

[mailto:josh.sokol@ni.com Josh Sokol, Logistics Chair] - (512) 683-5230

[mailto:rich.vazquez@gmail.com Rich Vazquez, Communications Chair] - (512) 989-6808

[mailto:sfoster@austinnetworking.com Scott Foster, Membership Chair] - (512) 637-9824

__NOTOC__
<headertabs/>
[[Category:Texas]]

Atlanta Georgia

2009-03-11T18:29:50Z

Alex Norman:

{{Chapter Template|chaptername=Atlanta|extra=The chapter leaders are Tony UcedaVelez, Matt McKeen, Charles Burke, and Dean Saxe|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-atlanta|emailarchives=http://lists.owasp.org/pipermail/owasp-atlanta}}

==== Local News ====
We are finally going to have our first meeting for 2009. After nearly two years of dormancy, we are back in full swing with two key events in April. The 411 on these events is listed below. Please feel free to pass along the info to co-workers, employers, or peers whom you think may benefit. You all should be receiving an email on our first meeting shortly. Please follow the RSVP instructions provided in the email.
<paypal>Atlanta Georgia</paypal>

==== Chapter Meetings ====
'''OWASP-ATLANTA CHAPTER REBIRTH MEETING'''
''WHEN'': Thursday - April 2nd 2009
''WHERE'': GA Tech (specific bldg to be announced)
''WHO'': ALL Atlanta Members
''FORMAT'': PRESENTATION
''WHAT'': Chapter Lead will provide an overview to the chapter, OWASP as a global security organization, and review current tools and projects that can be leveraged by developers, security pros, and even middle management. Food will be provided, hopefully in the form of fermented liquids. Social activities to follow event.
''COST'': Nothing, however we ask that you make a charitable donation for the "food" to be provided in the form of (a) cash donations at the door OR by becoming a SUPPORTING MEMBER (only $50!). Well worth the network and growing list of projects, tools, and frameworks that are provided.
 

'''FILTER EVASION TECHNIQUES'''
We are finally ready to have our first all member meeting. After nearly two years of dormancy, we are back in full swing with two key events in April. The 411 on these events is listed below. Please feel free to pass along the info to co-workers, employers, or peers whom you think may benefit.
''WHEN'': Saturday - April 25th 2009
''WHERE'': GA Tech (specific bldg to be announced)
''WHO'': ALL are welcomed; tech-heads encouraged
''FORMAT'': Workshop presented by Rob Regan
''WHAT'': Hands on workshop on how to evade signature based IPS devices will be conducted through the use of filter evasion techniques. 
''COST'': Nothing, however we ask that you make a charitable donation for the "food" to be provided in the form of (a) cash donations at the door OR by becoming a SUPPORTING MEMBER (only $50!). Well worth the network and growing list of projects, tools, and frameworks that are provided.

'''OWASP Atlanta Member Survey'''
Deadline for filling out the survey is next Friday (3/13/2009). Please take 5 minutes to fill out this brief 10 question survey in order that we can get as many responses back from the ATL chapter members.

Click here for survey (NOTE: You will be directed away from OWASP site) --> [http://www.surveymonkey.com/s.aspx?sm=sCuoT3FEdrOPuLfvfDvk9w_3d_3d]
 
--[[User:Versprite|Versprite]] 01:38, 28 February 2009 (EST)

'''New OWASP Atlanta Linkedin Group.'''
For those addicted to LinkedIn, we have a group you can further feed your addiction. The OWASP Atlanta Chapter. http://www.linkedin.com/groups?home=&gid=1811960&trk=anet_ug_hm

'''New IRC channel on EFnet called #owasp-atlanta'''
Join us, everyday, all-day in our IRC channel for questions, answers, and discussions.

--[[User:Versprite|Versprite]] 01:38, 28 February 2009 (EST)

== Past Meetings ==

[[Atlanta_Leadership_Meeting_03.05.09]]

[[Atlanta Leadership Meeting 02.26.09]]

[[Atlanta OWASP May 2007 Meeting]]

[[Atlanta OWASP December 06 Social]]

[[Atlanta OWASP April Meeting]]

[[Chapter Meeting March 29th 2006]]

[[October 26th Meeting]]

[[April 27th, Chapter meeting a SUCCESS!]]

[[March 30th, 2005]]

[[February Meeting]]

[[June 2005]]

==== Atlanta Georgia OWASP Chapter Leaders ====

__NOTOC__
<headertabs/>

[[Category:Georgia]]

Atlanta Georgia

2009-03-11T18:29:16Z

Alex Norman:

{{Chapter Template|chaptername=Atlanta|extra=The chapter leaders are Tony UcedaVelez, Matt McKeen, Charles Burke, and Dean Saxe|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-atlanta|emailarchives=http://lists.owasp.org/pipermail/owasp-atlanta}}
<paypal>Atlanta Georgia</paypal>

==== Local News ====
We are finally going to have our first meeting for 2009. After nearly two years of dormancy, we are back in full swing with two key events in April. The 411 on these events is listed below. Please feel free to pass along the info to co-workers, employers, or peers whom you think may benefit. You all should be receiving an email on our first meeting shortly. Please follow the RSVP instructions provided in the email.

==== Chapter Meetings ====
'''OWASP-ATLANTA CHAPTER REBIRTH MEETING'''
''WHEN'': Thursday - April 2nd 2009
''WHERE'': GA Tech (specific bldg to be announced)
''WHO'': ALL Atlanta Members
''FORMAT'': PRESENTATION
''WHAT'': Chapter Lead will provide an overview to the chapter, OWASP as a global security organization, and review current tools and projects that can be leveraged by developers, security pros, and even middle management. Food will be provided, hopefully in the form of fermented liquids. Social activities to follow event.
''COST'': Nothing, however we ask that you make a charitable donation for the "food" to be provided in the form of (a) cash donations at the door OR by becoming a SUPPORTING MEMBER (only $50!). Well worth the network and growing list of projects, tools, and frameworks that are provided.
 

'''FILTER EVASION TECHNIQUES'''
We are finally ready to have our first all member meeting. After nearly two years of dormancy, we are back in full swing with two key events in April. The 411 on these events is listed below. Please feel free to pass along the info to co-workers, employers, or peers whom you think may benefit.
''WHEN'': Saturday - April 25th 2009
''WHERE'': GA Tech (specific bldg to be announced)
''WHO'': ALL are welcomed; tech-heads encouraged
''FORMAT'': Workshop presented by Rob Regan
''WHAT'': Hands on workshop on how to evade signature based IPS devices will be conducted through the use of filter evasion techniques. 
''COST'': Nothing, however we ask that you make a charitable donation for the "food" to be provided in the form of (a) cash donations at the door OR by becoming a SUPPORTING MEMBER (only $50!). Well worth the network and growing list of projects, tools, and frameworks that are provided.

'''OWASP Atlanta Member Survey'''
Deadline for filling out the survey is next Friday (3/13/2009). Please take 5 minutes to fill out this brief 10 question survey in order that we can get as many responses back from the ATL chapter members.

Click here for survey (NOTE: You will be directed away from OWASP site) --> [http://www.surveymonkey.com/s.aspx?sm=sCuoT3FEdrOPuLfvfDvk9w_3d_3d]
 
--[[User:Versprite|Versprite]] 01:38, 28 February 2009 (EST)

'''New OWASP Atlanta Linkedin Group.'''
For those addicted to LinkedIn, we have a group you can further feed your addiction. The OWASP Atlanta Chapter. http://www.linkedin.com/groups?home=&gid=1811960&trk=anet_ug_hm

'''New IRC channel on EFnet called #owasp-atlanta'''
Join us, everyday, all-day in our IRC channel for questions, answers, and discussions.

--[[User:Versprite|Versprite]] 01:38, 28 February 2009 (EST)

== Past Meetings ==

[[Atlanta_Leadership_Meeting_03.05.09]]

[[Atlanta Leadership Meeting 02.26.09]]

[[Atlanta OWASP May 2007 Meeting]]

[[Atlanta OWASP December 06 Social]]

[[Atlanta OWASP April Meeting]]

[[Chapter Meeting March 29th 2006]]

[[October 26th Meeting]]

[[April 27th, Chapter meeting a SUCCESS!]]

[[March 30th, 2005]]

[[February Meeting]]

[[June 2005]]

==== Atlanta Georgia OWASP Chapter Leaders ====

__NOTOC__
<headertabs/>

[[Category:Georgia]]

Alaska

2009-03-11T18:26:59Z

Alex Norman:

{{Chapter Template|chaptername=Alaska|extra=The chapter leader is [mailto:travis@moxxy.com Travis Morrison]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Alaska|emailarchives=http://lists.owasp.org/pipermail/owasp-Alaska}}

==== Local News ====
<paypal>Alaska</paypal>

==== Chapter Meetings ====
'''First meeting to be scheduled early 2009 '''

Everyone is welcome to join us at our chapter meetings.

==== Alaska OWASP Chapter Leaders ====

__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]

Ahmedabad

2009-03-11T18:25:09Z

Alex Norman:

{{Chapter Template|chaptername=Ahmedabad|extra=The chapter leader is [mailto:shreeraj.shah@gmail.com Shreeraj Shah]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ahmedabad|emailarchives=http://lists.owasp.org/pipermail/owasp-ahmedabad}}

==== Local News ====

<paypal>Ahmedabad</paypal>

We are building awareness for application security and open source tools in the community. We are focusing on Ahmedabad and Gandhinagar for spreading words about our objectives with keeping IT community as primary target to start with. Please join the group and wait for our announcements.

==== Chapter Meetings ====

'''OWASP chapter meeting''' on June 23rd 2008 - Agenda and Venue will be declared soon.

==== Ahmedabad OWASP Chapter Leaders ====
<ul>
Board of Directors
*Chapter Founder and Board Member: [mailto:shreeraj.shah(at)gmail.com Shreeraj Shah]
*Board Member: [mailto:ketan.vyas(at)tcs.com Ketan Vyas]
</ul>
__NOTOC__
<headertabs/>
[[Category:India]]

Alabama

2009-03-11T18:24:00Z

Alex Norman:

{{Chapter Template|chaptername=Alabama|extra=The chapter leader is [mailto:josh@packetfocus.com Josh Perrymon]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Alabama|emailarchives=http://lists.owasp.org/pipermail/owasp-Alabama}}

==== Local News ====

<paypal>Alabama</paypal>

==== Chapter Meetings ====
'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

==== Alabama OWASP Chapter Leaders ====

__NOTOC__
<headertabs/>

[[Category:OWASP Chapter]]

[[Category:Alabama]]

Ahmedabad

2009-03-11T18:21:55Z

Alex Norman:

{{Chapter Template|chaptername=Ahmedabad|extra=The chapter leader is [mailto:shreeraj.shah@gmail.com Shreeraj Shah]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ahmedabad|emailarchives=http://lists.owasp.org/pipermail/owasp-ahmedabad}}

==== Local News ====

<paypal>Ahmedabad</paypal>

We are building awareness for application security and open source tools in the community. We are focusing on Ahmedabad and Gandhinagar for spreading words about our objectives with keeping IT community as primary target to start with. Please join the group and wait for our announcements.

==== Chapter Meetings ====

'''OWASP chapter meeting''' on June 23rd 2008 - Agenda and Venue will be declared soon.

==== OWASP Ahmedabad Chapter Leaders and Team ====
<ul>
Board of Directors
*Chapter Founder and Board Member: [mailto:shreeraj.shah(at)gmail.com Shreeraj Shah]
*Board Member: [mailto:ketan.vyas(at)tcs.com Ketan Vyas]
</ul>
__NOTOC__
<headertabs/>
[[Category:India]]

Category:OWASP Enterprise Security API

2009-03-06T19:08:23Z

Alex Norman:

{{ProjectTabs |
Proj_ShortDesc= [[Image:Esapi-bannerbug.JPG|200px|right]]Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes. The '''OWASP Enterprise Security API (ESAPI) Toolkits''' help software developers guard against security-related design and implementation flaws. The ESAPI Toolkit architecture is very simple – a collection of classes that encapsulate the key security operations most applications need. ESAPI is designed to make it easy to retrofit security into existing applications, as well as providing a solid foundation for new development. ESAPI comes with an ESAPI filter that minimizes the changes required to your base application. There are ESAPI Toolkits for the following platforms:
* '''Java EE''' - This version of the ESAPI Toolkit is currently available.
* '''.NET''' - This version of the ESAPI Toolkit is currently under development.
* '''PHP''' - This version of the ESAPI Toolkit is currently under development.|

Proj_Contributors= Project Leader [[:User:Jeff Williams|Jeff Williams]] Project Contibutors [[User:Jmanico|Jim Manico]] [[User:Dwichers|Dave Wichers]] [[User:Adabirsiaghi|Arshan Dabirsiaghi]] [[User:Jerryhoff|Jerry Hoff]] |

Proj_Lists= [https://lists.owasp.org/mailman/listinfo/owasp-esapi '''Subscribe here'''] [mailto:owasp-esapi@lists.owasp.org '''Use here'''] |

Proj_License= [http://en.wikipedia.org/wiki/BSD_license '''BSD license'''] |

Proj_Type= [[:Category:OWASP_Project#Release Quality Projects|'''Tool''']] |

Proj_Sponsor= <div style="background:#ffffff">[http://www.aspectsecurity.com/ https://www.owasp.org/images/d/d1/Aspect_logo.gif]</div> |

Proj_Status= Provisory '''[[:Category:OWASP Project Assessment#Release Quality Tool Criteria|Release Quality]]''' (Waiting for Second Reviewer's assessment) [[:OWASP Enterprise Security API Project - Assessment Frame|Please see here for complete information.]] |

Proj_Links= [http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20Overview.pptx ESAPI PowerPoint presentation] [http://www.youtube.com/watch?v=QAPD1jPn04g ESAPI Video presentation] ESAPI Demo application - [[ESAPI_Swingset|The ESAPI Swingset]] JAVA 1.4 compatible JAR for ESAPI v1.4 - [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-full-java-1.4.jar Complete] & [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-basic-java-1.4.jar Basic] JAR files [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-java-src-1.4.zip Source files for ESAPI v1.4] [http://code.google.com/p/owasp-esapi-java/ ESAPI Google Code repository] [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html ESAPI Javadocs] [http://code.google.com/p/owasp-esapi-java/source/browse/#svn/trunk/src/main/java/org/owasp/esapi Browse the Java source at Google] [https://www.owasp.org/index.php/ESAPI_Javadocs Javadocs' information generation] [http://code.google.com/p/owasp-esapi-java/issues/list Problems with the ESAPI may be reported here] |

Proj_Related= [[Top Ten|OWASP Top Ten]]
}}

'''What is ESAPI?'''

[[Image:Esapi-beta.JPG|thumb|300px|right|OWASP ESAPI Book]]
Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers. OWASP ESAPI Toolkits empower web application and web service developers with the ability to increase the overall degree of trust that can be placed in their applications and services. ESAPI Toolkit security controls operate using a unique deny-by-default strategy, performing security checks using white lists.

Using an ESAPI Toolkit realizes cost savings through reduced development time, and the increased security due to using heavily analyzed and carefully designed security methods provide developers with a massive advantage over organizations that are trying to deal with security using existing ad hoc secure coding techniques. Available platforms, frameworks, and toolkits (Java EE, Struts, Spring, etc...) simply do not provide enough protection! ESAPI Toolkits are designed to automatically take care of many aspects of application security, making these issues invisible to the developers.

OWASP ESAPI Toolkits provide the same basic interfaces (including common logging interfaces) across common platforms, including Java EE, .NET, and PHP.

'''Additional Benefits'''

The use of the ESAPI will also make it much easier for static analysis tools to verify an application, by building ESAPI calls into static analysis tool rulesets.

'''Where did ESAPI come from?'''

The OWASP ESAPI project is led by [[User:Jeff Williams|Jeff Williams]], who serves as the volunteer chair of OWASP and is the CEO of Aspect Security. Jeff is a software developer who has specialized in application security since 1995. The ESAPI is the result of over a decade of code review and penetration testing of critical enterprise applications. If you'd like to volunteer to help on the project, you can contact him at jeff.williams@owasp.org.

More information about the ESAPI can be found [http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#OWASP_ESAPI_Documentation_Downloads here].

==Architecture==
 
[[Image:OWASPTopTen.jpg|thumb|600px|right|OWASP ESAPI Top Ten Coverage]]OWASP ESAPI Toolkits are not frameworks! The ESAPI Toolkit architecture is very simple, just a collection of classes that encapsulate the key security operations most applications need. ESAPI Toolkits provide common sets of interfaces for security controls including:

* Authentication
* Access Control
* Input Validation
* Output Encoding/Escaping
* Cryptography
* Error Handling and Logging
* Data Protection
* Communication Security
* HTTP Security
* Security Configuration

ESAPI Toolkit interfaces only include methods that are widely useful and focus on the most risky areas. Interfaces are designed to be simple to understand and use. ESAPI Toolkits are designed to make it easy to retrofit security into existing applications, as well as providing a solid foundation for new development. New development projects should consider ES-enabling their framework to make even more of the security happen automatically. ESAPI Toolkits include an ESAPI filter that can be used to minimize the changes required to your base application.

ESAPI Toolkits are designed and implemented to guard against the risks described in the OWASP [[Top Ten]], and to meet the requirements of the [http://www.owasp.org/index.php/ASVS OWASP Application Security Verification Standard (ASVS)]. Compare this coverage with automated scanning and static analysis tools, and then consider how your time is best spent!

==OWASP ESAPI Java EE Beta Code Downloads==
 
[[Image:Esapi-beta.JPG|thumb|110px|left|ESAPI]]
Download free:

'''OWASP ESAPI'''

This release is the first public release and will undoubtably undergo significant revision over the coming months. We are seeking organizations willing to pilot this ESAPI and work with us to make this library better. Please contact jeff.williams@owasp.org for more information. If you're interested in application security, please join the [http://lists.owasp.org/mailman/listinfo/owasp-esapi OWASP ESAPI mailing list] and help make ESAPI better!

Versions (archived source files are also available on the SVN under tags)
<table width="100%" valign="top"><tr><th width="50%">JAR Files</th><th>Source Files</th></tr><tr valign="top"><td>
; [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-full-java-1.4.jar ESAPI v1.4 Complete JAR file]
: JAVA 1.4 compatible JAR for ESAPI v1.4

; [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-basic-java-1.4.jar ESAPI v1.4 Basic JAR file]
: Java 1.4 compatible JAR for ESAPI v1.4 (does not contain many reference implementations)

</td><td>
; [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-java-src-1.4.zip ESAPI v1.4 Source archive]
: Source files for ESAPI v1.4

</td></tr>
</table>

'''Additional Resources'''

* Information regarding the ESAPI SVN can be found at [http://code.google.com/p/owasp-esapi-java/ the ESAPI Google Code repository].

* If you have any problems with the ESAPI, please report them to [http://code.google.com/p/owasp-esapi-java/issues/list the issues section].

* For more information about the ESAPI, please view the [http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20Overview.pptx ESAPI PowerPoint presentation].

* If you are generating your own Javadocs for the ESAPI project, information regarding generation can be found [https://www.owasp.org/index.php/ESAPI_Javadocs here].
 

==OWASP ESAPI Documentation Downloads==
 
[[Image:Esapi-project.JPG|thumb|110px|left|Project Presentation]]
Download free:

'''About OWASP ESAPI'''

* ESAPI interface documentation ([http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html JavaDocs])
* Project presentation ([http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20Overview.pptx PowerPoint])
* Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])
* One Page Conference Handout ([http://www.owasp.org/images/3/31/ESAPI_One_Page_Handout.pdf PDF], [http://www.owasp.org/images/d/d0/ESAPI_One_Page_Handout.doc Word])

==Changing/Building/Using the ESAPI==
If you would like to work with the ESAPI source code, or build the project, please [[ESAPI-Building | see here]].

===Using the ESAPI===
If you want to see what the ESAPI is all about, and want to use the built-in implementations,
* Download the latest version of the ESAPI JAR from above.
* Add the ESAPI JAR to your project's build path.
* The current ESAPI JAR has been built for Java 1.6, however support for Java 1.4.2+ is available. Please see [https://www.owasp.org/index.php/ESAPI-Building here] for information on building ESAPI for a different version of Java.
* Use the [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html ESAPI's Javadocs ] to take advantage of all the built-in functions of the ESAPI.

===Running Demo App===
The ESAPI Demo application has been named [[ESAPI_Swingset|''The ESAPI Swingset'']]. More information about Swingset is available [[ESAPI_Swingset | here]].

==Project Sponsors==

The OWASP ESAPI project is sponsored by
[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]

==Licensing==
This project licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. You can use or modify ESAPI however you want, even include it in commercial products.

== Articles - More About ESAPI and Using ESAPI ==

Category:OWASP Enterprise Security API

2009-03-06T19:07:41Z

Alex Norman:

{{ProjectTabs |
Proj_ShortDesc= [[Image:Esapi-bannerbug.JPG|200px|right]]Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes. The '''OWASP Enterprise Security API (ESAPI) Toolkits''' help software developers guard against security-related design and implementation flaws. The ESAPI Toolkit architecture is very simple – a collection of classes that encapsulate the key security operations most applications need. ESAPI is designed to make it easy to retrofit security into existing applications, as well as providing a solid foundation for new development. ESAPI comes with an ESAPI filter that minimizes the changes required to your base application. There are ESAPI Toolkits for the following platforms:
* '''Java EE''' - This version of the ESAPI Toolkit is currently available.
* '''.NET''' - This version of the ESAPI Toolkit is currently under development.
* '''PHP''' - This version of the ESAPI Toolkit is currently under development.|

Proj_Contributors= Project Leader [[:User:Jeff Williams|Jeff Williams]] Project Contibutors [[User:Jmanico|Jim Manico]] [[User:Dwichers|Dave Wichers]] [[User:Adabirsiaghi|Arshan Dabirsiaghi]] [[User:Jerryhoff|Jerry Hoff]

Proj_Lists= [https://lists.owasp.org/mailman/listinfo/owasp-esapi '''Subscribe here'''] [mailto:owasp-esapi@lists.owasp.org '''Use here'''] |

Proj_License= [http://en.wikipedia.org/wiki/BSD_license '''BSD license'''] |

Proj_Type= [[:Category:OWASP_Project#Release Quality Projects|'''Tool''']] |

Proj_Sponsor= <div style="background:#ffffff">[http://www.aspectsecurity.com/ https://www.owasp.org/images/d/d1/Aspect_logo.gif]</div> |

Proj_Status= Provisory '''[[:Category:OWASP Project Assessment#Release Quality Tool Criteria|Release Quality]]''' (Waiting for Second Reviewer's assessment) [[:OWASP Enterprise Security API Project - Assessment Frame|Please see here for complete information.]] |

Proj_Links= [http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20Overview.pptx ESAPI PowerPoint presentation] [http://www.youtube.com/watch?v=QAPD1jPn04g ESAPI Video presentation] ESAPI Demo application - [[ESAPI_Swingset|The ESAPI Swingset]] JAVA 1.4 compatible JAR for ESAPI v1.4 - [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-full-java-1.4.jar Complete] & [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-basic-java-1.4.jar Basic] JAR files [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-java-src-1.4.zip Source files for ESAPI v1.4] [http://code.google.com/p/owasp-esapi-java/ ESAPI Google Code repository] [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html ESAPI Javadocs] [http://code.google.com/p/owasp-esapi-java/source/browse/#svn/trunk/src/main/java/org/owasp/esapi Browse the Java source at Google] [https://www.owasp.org/index.php/ESAPI_Javadocs Javadocs' information generation] [http://code.google.com/p/owasp-esapi-java/issues/list Problems with the ESAPI may be reported here] |

Proj_Related= [[Top Ten|OWASP Top Ten]]
}}

'''What is ESAPI?'''

[[Image:Esapi-beta.JPG|thumb|300px|right|OWASP ESAPI Book]]
Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers. OWASP ESAPI Toolkits empower web application and web service developers with the ability to increase the overall degree of trust that can be placed in their applications and services. ESAPI Toolkit security controls operate using a unique deny-by-default strategy, performing security checks using white lists.

Using an ESAPI Toolkit realizes cost savings through reduced development time, and the increased security due to using heavily analyzed and carefully designed security methods provide developers with a massive advantage over organizations that are trying to deal with security using existing ad hoc secure coding techniques. Available platforms, frameworks, and toolkits (Java EE, Struts, Spring, etc...) simply do not provide enough protection! ESAPI Toolkits are designed to automatically take care of many aspects of application security, making these issues invisible to the developers.

OWASP ESAPI Toolkits provide the same basic interfaces (including common logging interfaces) across common platforms, including Java EE, .NET, and PHP.

'''Additional Benefits'''

The use of the ESAPI will also make it much easier for static analysis tools to verify an application, by building ESAPI calls into static analysis tool rulesets.

'''Where did ESAPI come from?'''

The OWASP ESAPI project is led by [[User:Jeff Williams|Jeff Williams]], who serves as the volunteer chair of OWASP and is the CEO of Aspect Security. Jeff is a software developer who has specialized in application security since 1995. The ESAPI is the result of over a decade of code review and penetration testing of critical enterprise applications. If you'd like to volunteer to help on the project, you can contact him at jeff.williams@owasp.org.

More information about the ESAPI can be found [http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#OWASP_ESAPI_Documentation_Downloads here].

==Architecture==
 
[[Image:OWASPTopTen.jpg|thumb|600px|right|OWASP ESAPI Top Ten Coverage]]OWASP ESAPI Toolkits are not frameworks! The ESAPI Toolkit architecture is very simple, just a collection of classes that encapsulate the key security operations most applications need. ESAPI Toolkits provide common sets of interfaces for security controls including:

* Authentication
* Access Control
* Input Validation
* Output Encoding/Escaping
* Cryptography
* Error Handling and Logging
* Data Protection
* Communication Security
* HTTP Security
* Security Configuration

ESAPI Toolkit interfaces only include methods that are widely useful and focus on the most risky areas. Interfaces are designed to be simple to understand and use. ESAPI Toolkits are designed to make it easy to retrofit security into existing applications, as well as providing a solid foundation for new development. New development projects should consider ES-enabling their framework to make even more of the security happen automatically. ESAPI Toolkits include an ESAPI filter that can be used to minimize the changes required to your base application.

ESAPI Toolkits are designed and implemented to guard against the risks described in the OWASP [[Top Ten]], and to meet the requirements of the [http://www.owasp.org/index.php/ASVS OWASP Application Security Verification Standard (ASVS)]. Compare this coverage with automated scanning and static analysis tools, and then consider how your time is best spent!

==OWASP ESAPI Java EE Beta Code Downloads==
 
[[Image:Esapi-beta.JPG|thumb|110px|left|ESAPI]]
Download free:

'''OWASP ESAPI'''

This release is the first public release and will undoubtably undergo significant revision over the coming months. We are seeking organizations willing to pilot this ESAPI and work with us to make this library better. Please contact jeff.williams@owasp.org for more information. If you're interested in application security, please join the [http://lists.owasp.org/mailman/listinfo/owasp-esapi OWASP ESAPI mailing list] and help make ESAPI better!

Versions (archived source files are also available on the SVN under tags)
<table width="100%" valign="top"><tr><th width="50%">JAR Files</th><th>Source Files</th></tr><tr valign="top"><td>
; [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-full-java-1.4.jar ESAPI v1.4 Complete JAR file]
: JAVA 1.4 compatible JAR for ESAPI v1.4

; [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-basic-java-1.4.jar ESAPI v1.4 Basic JAR file]
: Java 1.4 compatible JAR for ESAPI v1.4 (does not contain many reference implementations)

</td><td>
; [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-java-src-1.4.zip ESAPI v1.4 Source archive]
: Source files for ESAPI v1.4

</td></tr>
</table>

'''Additional Resources'''

* Information regarding the ESAPI SVN can be found at [http://code.google.com/p/owasp-esapi-java/ the ESAPI Google Code repository].

* If you have any problems with the ESAPI, please report them to [http://code.google.com/p/owasp-esapi-java/issues/list the issues section].

* For more information about the ESAPI, please view the [http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20Overview.pptx ESAPI PowerPoint presentation].

* If you are generating your own Javadocs for the ESAPI project, information regarding generation can be found [https://www.owasp.org/index.php/ESAPI_Javadocs here].
 

==OWASP ESAPI Documentation Downloads==
 
[[Image:Esapi-project.JPG|thumb|110px|left|Project Presentation]]
Download free:

'''About OWASP ESAPI'''

* ESAPI interface documentation ([http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html JavaDocs])
* Project presentation ([http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20Overview.pptx PowerPoint])
* Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])
* One Page Conference Handout ([http://www.owasp.org/images/3/31/ESAPI_One_Page_Handout.pdf PDF], [http://www.owasp.org/images/d/d0/ESAPI_One_Page_Handout.doc Word])

==Changing/Building/Using the ESAPI==
If you would like to work with the ESAPI source code, or build the project, please [[ESAPI-Building | see here]].

===Using the ESAPI===
If you want to see what the ESAPI is all about, and want to use the built-in implementations,
* Download the latest version of the ESAPI JAR from above.
* Add the ESAPI JAR to your project's build path.
* The current ESAPI JAR has been built for Java 1.6, however support for Java 1.4.2+ is available. Please see [https://www.owasp.org/index.php/ESAPI-Building here] for information on building ESAPI for a different version of Java.
* Use the [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html ESAPI's Javadocs ] to take advantage of all the built-in functions of the ESAPI.

===Running Demo App===
The ESAPI Demo application has been named [[ESAPI_Swingset|''The ESAPI Swingset'']]. More information about Swingset is available [[ESAPI_Swingset | here]].

==Project Sponsors==

The OWASP ESAPI project is sponsored by
[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]

==Licensing==
This project licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. You can use or modify ESAPI however you want, even include it in commercial products.

== Articles - More About ESAPI and Using ESAPI ==

Category:OWASP Enterprise Security API

2009-03-06T19:07:11Z

Alex Norman:

{{ProjectTabs |
Proj_ShortDesc= [[Image:Esapi-bannerbug.JPG|200px|right]]Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes. The '''OWASP Enterprise Security API (ESAPI) Toolkits''' help software developers guard against security-related design and implementation flaws. The ESAPI Toolkit architecture is very simple – a collection of classes that encapsulate the key security operations most applications need. ESAPI is designed to make it easy to retrofit security into existing applications, as well as providing a solid foundation for new development. ESAPI comes with an ESAPI filter that minimizes the changes required to your base application. There are ESAPI Toolkits for the following platforms:
* '''Java EE''' - This version of the ESAPI Toolkit is currently available.
* '''.NET''' - This version of the ESAPI Toolkit is currently under development.
* '''PHP''' - This version of the ESAPI Toolkit is currently under development.|

Proj_Contributors= Project Leader [[:User:Jeff Williams|Jeff Williams]] Project Contibutors [[User:Jmanico|Jim Manico]] [[User:Dwichers|Dave Wichers]] [[User:Adabirsiaghi|Arshan Dabirsiaghi]] [[User:Jerryhoff|Jerry Hoff]]

Proj_Lists= [https://lists.owasp.org/mailman/listinfo/owasp-esapi '''Subscribe here'''] [mailto:owasp-esapi@lists.owasp.org '''Use here'''] |

Proj_License= [http://en.wikipedia.org/wiki/BSD_license '''BSD license'''] |

Proj_Type= [[:Category:OWASP_Project#Release Quality Projects|'''Tool''']] |

Proj_Sponsor= <div style="background:#ffffff">[http://www.aspectsecurity.com/ https://www.owasp.org/images/d/d1/Aspect_logo.gif]</div> |

Proj_Status= Provisory '''[[:Category:OWASP Project Assessment#Release Quality Tool Criteria|Release Quality]]''' (Waiting for Second Reviewer's assessment) [[:OWASP Enterprise Security API Project - Assessment Frame|Please see here for complete information.]] |

Proj_Links= [http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20Overview.pptx ESAPI PowerPoint presentation] [http://www.youtube.com/watch?v=QAPD1jPn04g ESAPI Video presentation] ESAPI Demo application - [[ESAPI_Swingset|The ESAPI Swingset]] JAVA 1.4 compatible JAR for ESAPI v1.4 - [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-full-java-1.4.jar Complete] & [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-basic-java-1.4.jar Basic] JAR files [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-java-src-1.4.zip Source files for ESAPI v1.4] [http://code.google.com/p/owasp-esapi-java/ ESAPI Google Code repository] [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html ESAPI Javadocs] [http://code.google.com/p/owasp-esapi-java/source/browse/#svn/trunk/src/main/java/org/owasp/esapi Browse the Java source at Google] [https://www.owasp.org/index.php/ESAPI_Javadocs Javadocs' information generation] [http://code.google.com/p/owasp-esapi-java/issues/list Problems with the ESAPI may be reported here] |

Proj_Related= [[Top Ten|OWASP Top Ten]]
}}

'''What is ESAPI?'''

[[Image:Esapi-beta.JPG|thumb|300px|right|OWASP ESAPI Book]]
Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform for example certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) to enable applications and services to protect themselves from attackers. OWASP ESAPI Toolkits empower web application and web service developers with the ability to increase the overall degree of trust that can be placed in their applications and services. ESAPI Toolkit security controls operate using a unique deny-by-default strategy, performing security checks using white lists.

Using an ESAPI Toolkit realizes cost savings through reduced development time, and the increased security due to using heavily analyzed and carefully designed security methods provide developers with a massive advantage over organizations that are trying to deal with security using existing ad hoc secure coding techniques. Available platforms, frameworks, and toolkits (Java EE, Struts, Spring, etc...) simply do not provide enough protection! ESAPI Toolkits are designed to automatically take care of many aspects of application security, making these issues invisible to the developers.

OWASP ESAPI Toolkits provide the same basic interfaces (including common logging interfaces) across common platforms, including Java EE, .NET, and PHP.

'''Additional Benefits'''

The use of the ESAPI will also make it much easier for static analysis tools to verify an application, by building ESAPI calls into static analysis tool rulesets.

'''Where did ESAPI come from?'''

The OWASP ESAPI project is led by [[User:Jeff Williams|Jeff Williams]], who serves as the volunteer chair of OWASP and is the CEO of Aspect Security. Jeff is a software developer who has specialized in application security since 1995. The ESAPI is the result of over a decade of code review and penetration testing of critical enterprise applications. If you'd like to volunteer to help on the project, you can contact him at jeff.williams@owasp.org.

More information about the ESAPI can be found [http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#OWASP_ESAPI_Documentation_Downloads here].

==Architecture==
 
[[Image:OWASPTopTen.jpg|thumb|600px|right|OWASP ESAPI Top Ten Coverage]]OWASP ESAPI Toolkits are not frameworks! The ESAPI Toolkit architecture is very simple, just a collection of classes that encapsulate the key security operations most applications need. ESAPI Toolkits provide common sets of interfaces for security controls including:

* Authentication
* Access Control
* Input Validation
* Output Encoding/Escaping
* Cryptography
* Error Handling and Logging
* Data Protection
* Communication Security
* HTTP Security
* Security Configuration

ESAPI Toolkit interfaces only include methods that are widely useful and focus on the most risky areas. Interfaces are designed to be simple to understand and use. ESAPI Toolkits are designed to make it easy to retrofit security into existing applications, as well as providing a solid foundation for new development. New development projects should consider ES-enabling their framework to make even more of the security happen automatically. ESAPI Toolkits include an ESAPI filter that can be used to minimize the changes required to your base application.

ESAPI Toolkits are designed and implemented to guard against the risks described in the OWASP [[Top Ten]], and to meet the requirements of the [http://www.owasp.org/index.php/ASVS OWASP Application Security Verification Standard (ASVS)]. Compare this coverage with automated scanning and static analysis tools, and then consider how your time is best spent!

==OWASP ESAPI Java EE Beta Code Downloads==
 
[[Image:Esapi-beta.JPG|thumb|110px|left|ESAPI]]
Download free:

'''OWASP ESAPI'''

This release is the first public release and will undoubtably undergo significant revision over the coming months. We are seeking organizations willing to pilot this ESAPI and work with us to make this library better. Please contact jeff.williams@owasp.org for more information. If you're interested in application security, please join the [http://lists.owasp.org/mailman/listinfo/owasp-esapi OWASP ESAPI mailing list] and help make ESAPI better!

Versions (archived source files are also available on the SVN under tags)
<table width="100%" valign="top"><tr><th width="50%">JAR Files</th><th>Source Files</th></tr><tr valign="top"><td>
; [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-full-java-1.4.jar ESAPI v1.4 Complete JAR file]
: JAVA 1.4 compatible JAR for ESAPI v1.4

; [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-basic-java-1.4.jar ESAPI v1.4 Basic JAR file]
: Java 1.4 compatible JAR for ESAPI v1.4 (does not contain many reference implementations)

</td><td>
; [http://owasp-esapi-java.googlecode.com/files/owasp-esapi-java-src-1.4.zip ESAPI v1.4 Source archive]
: Source files for ESAPI v1.4

</td></tr>
</table>

'''Additional Resources'''

* Information regarding the ESAPI SVN can be found at [http://code.google.com/p/owasp-esapi-java/ the ESAPI Google Code repository].

* If you have any problems with the ESAPI, please report them to [http://code.google.com/p/owasp-esapi-java/issues/list the issues section].

* For more information about the ESAPI, please view the [http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20Overview.pptx ESAPI PowerPoint presentation].

* If you are generating your own Javadocs for the ESAPI project, information regarding generation can be found [https://www.owasp.org/index.php/ESAPI_Javadocs here].
 

==OWASP ESAPI Documentation Downloads==
 
[[Image:Esapi-project.JPG|thumb|110px|left|Project Presentation]]
Download free:

'''About OWASP ESAPI'''

* ESAPI interface documentation ([http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html JavaDocs])
* Project presentation ([http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20Overview.pptx PowerPoint])
* Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])
* One Page Conference Handout ([http://www.owasp.org/images/3/31/ESAPI_One_Page_Handout.pdf PDF], [http://www.owasp.org/images/d/d0/ESAPI_One_Page_Handout.doc Word])

==Changing/Building/Using the ESAPI==
If you would like to work with the ESAPI source code, or build the project, please [[ESAPI-Building | see here]].

===Using the ESAPI===
If you want to see what the ESAPI is all about, and want to use the built-in implementations,
* Download the latest version of the ESAPI JAR from above.
* Add the ESAPI JAR to your project's build path.
* The current ESAPI JAR has been built for Java 1.6, however support for Java 1.4.2+ is available. Please see [https://www.owasp.org/index.php/ESAPI-Building here] for information on building ESAPI for a different version of Java.
* Use the [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html ESAPI's Javadocs ] to take advantage of all the built-in functions of the ESAPI.

===Running Demo App===
The ESAPI Demo application has been named [[ESAPI_Swingset|''The ESAPI Swingset'']]. More information about Swingset is available [[ESAPI_Swingset | here]].

==Project Sponsors==

The OWASP ESAPI project is sponsored by
[http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif]

==Licensing==
This project licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. You can use or modify ESAPI however you want, even include it in commercial products.

== Articles - More About ESAPI and Using ESAPI ==