OWASP - User contributions [en]

Global Conferences Committee - Application 6

2010-11-08T15:44:18Z

Ashubert:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----
{| style="width:100%" border="0" align="center"
! colspan="2" align="center" style="background:#4058A0; color:white"|'''COMMITTEE APPLICATION FORM'''
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|Cassio Goldschmidt
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP LA Chapter Founder, former OWASP LA Chapter Leader, OWASP LA Chapter Board Member, OWASP AppSec USA Co-chair, Regular Presenter at OWASP Conferences around the globe.
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Conferences Committee
|}
----

----
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''.
An incomplete application will not be considered for vote.
----

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''COMMITTEE RECOMMENDATIONS'''
|-
! align="center" style="background:white; color:white"|
! align="center" style="background:#7B8ABD; color:white"|'''Who Recommends/Name'''
! align="center" style="background:#7B8ABD; color:white"|'''Role in OWASP'''
! align="center" style="background:#7B8ABD; color:white"|'''Recommendation Content'''
|-
| style="width:3%; background:#cccccc" align="center"|'''1'''
| style="width:20%; background:#cccccc" align="center"|David Campbell
| style="width:20%; background:#cccccc" align="center"|Denver/FROC
| style="width:57%; background:#cccccc" align="center"|AppsecUSA 2010. Nuff said :)
|-
| style="width:3%; background:#cccccc" align="center"|'''2'''
| style="width:20%; background:#cccccc" align="center"|Michael Coates
| style="width:20%; background:#cccccc" align="center"|Global Membership Committee / AppSensor Project Lead
| style="width:57%; background:#cccccc" align="center"|Great job coordinating AppSecUSA 2010. Extensive involvement in OWASP and security community. Would be a great addition to the conference committee.
|-
| style="width:3%; background:#cccccc" align="center"|'''3'''
| style="width:20%; background:#cccccc" align="center"|Tin Zaw
| style="width:20%; background:#cccccc" align="center"|Los Angeles chapter leader/AppSec USA 2010 organizer
| style="width:57%; background:#cccccc" align="center"|It is a great win for GCC that Cassio is interested in joining the committee. He has shown tremendous amount of passion, drive, knowledge and wisdom in leading Los Angeles chapter and organizing AppSec USA 2010. Without Cassio's involvement, these would not have been success stories. I strongly recommend him.
|-
| style="width:3%; background:#cccccc" align="center"|'''4'''
| style="width:20%; background:#cccccc" align="center"|Allison Shubert
| style="width:20%; background:#cccccc" align="center"|Cincinnati Chapter Vice Chair
| style="width:57%; background:#cccccc" align="center"|I have had the pleasure of hearing Cassio Speak at our chapter. Additionally I have worked with Cassio on CSSLP initiatives outside of OWASP. He is open minded, he is knowledgable, and passionate about application security. He would be a great addition to the global conference committee.
|-
| style="width:3%; background:#cccccc" align="center"|'''5'''
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:20%; background:#cccccc" align="center"|Role
| style="width:57%; background:#cccccc" align="center"|Recommendation
|-
| style="width:3%; background:#cccccc" align="center"|'''6'''
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:20%; background:#cccccc" align="center"|Role
| style="width:57%; background:#cccccc" align="center"|Recommendation
|-
| style="width:3%; background:#cccccc" align="center"|'''7'''
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:20%; background:#cccccc" align="center"|Role
| style="width:57%; background:#cccccc" align="center"|Recommendation
|-
| style="width:3%; background:#cccccc" align="center"|'''8'''
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:20%; background:#cccccc" align="center"|Role
| style="width:57%; background:#cccccc" align="center"|Recommendation
|}
----

Summer Of Code 2008 Index of Tasks Assigned

2008-05-08T01:16:34Z

Ashubert:

[[OWASP Code Review Guide Table of Contents]]__TOC__
Methodology 

Code Review Introduction|Introduction 
Steps and Roles 
Code Review Processes 
Transaction Analysis Want to update 
How to write an application_security finding 
Applicaiton Threat Modeling NEW-Author Name:<Add Here> 
The Round Trip Code Review NEW-Author Name:<Add Here> 
Code review Metrics NEW-Author Name:<Add Here> 
Allison Shubert

Crawling Code 
Introduction 
First sweep of the code base 

Examples by Vulnerability 
 The Following sections need to be updated. Extra examples of good and bad code needed. Diagrams and flows regarding solutions. Additional vulnerabilities to be added also 
Reviewing Code for Buffer Overruns and Overflows 
Reviewing Code for OS Injection 
Reviewing Code for SQL Injection 
Reviewing Code for Data Validation 
Reviewing code for XSS issues 
Reviewing code for Cross-Site Request Forgery issues 
Reviewing Code for Error Handling 
Reviewing Code for Logging Issues 
Reviewing The Secure Code Environment 
Reviewing Code for Authorization Issues 
Reviewing Code for Authentication 
Reviewing Code for Session Integrity issues 
Reviewing Cryptographic Code 
Reviewing Code for Race Conditions 

Language specific best practice 

Java 
Java gotchas 
Java leading security practice 

PHP 
PHP Security Leading Practice 

C/C++ 
Strings and Integers 

MySQL 
Reviewing MySQL Security 

Need to Update and add additional examples and text 
Rich Internet Applications 
Flash Applications 
AJAX Applications 
Web Services 

Example reports 
How to write NEW-Author Name:<Add Here> 
How to determine the risk level of a finding NEW-Author Name:<Add Here> 
Sample form NEW-Author Name:<Add Here> 

Automating Code Reviews 
Preface 
Reasons for using automated tools 
Education and cultural change 
Tool Deployment Model 
Code Auditor Workbench Tool 
The Owasp Orizon Framework 

Ways to achieve secure code on a budget 
The OWASP Enterprise Security API ( ESAPI) NEW-Author Name:<Add Here> 
Resource & Budget NEW-Author Name:<Add Here> 

References

File:Sca.jpg

2008-03-28T03:52:32Z

Ashubert:

Cincinnati

2008-03-27T18:39:20Z

Ashubert: /* April Meeting */

{{Chapter Template|chaptername=Cincinnati|extra=The chapter leader is [mailto:marco.m.morana@gmail.com Marco Morana]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-cincinnati|emailarchives=http://lists.owasp.org/pipermail/owasp-cincinnati}}

== Local News ==
Since we started the chapter in 2008 we held a meeting every month. We currently have about 35 members enrolled in the
mailing list and the attendance to the meeting has been very good.
The next meeting is planned on April 22nd (5.30 PM-7.30 PM). This meeting is an event sponsored with Fortify and will
feature the premiere of the movie: " The New face of Cybercrime".[http://www.youtube.com/watch?v=c5Rxkm6wiyM A trailer can be preview here] The plan is to hold a special topic meeting on Cross Site
Request Forgery (CSRF) in May and another one on SQL injection in June/July.
We always look for presenters/contributors for the coming OWASP meeting. If you would like to present a topic, please submit
your proposal in powerpoint format using the
[http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template] and include the speaker's BIO and send an email
to the chapter leader. If you wish to become a sponsor or to held the meeting at your company premises please send an email
to the chapter leader.

== April Meeting ==
Please Join us for the Fortify Premiere. <table style="font-family: 'Trebuchet MS',Helvetica,sans-serif; font-size: 11px" align="center" border="0" cellpadding="0" cellspacing="0" width="500">
<tr>
<td colspan="2">[http://www.fortify.com/cybercrime/OWASPCincinnati/registration.html Reserve Your Seat Now!]
</td>
</tr>

<tr>
<td colspan="2">http://www.fortify.com/images/email/OWASPCincinnati/top.jpg</td>
</tr>
<tr>
<td colspan="2">http://www.fortify.com/images/email/OWASPCincinnati/middle_reserve.jpg</td>
</tr>
<tr>
<td>http://www.fortify.com/images/email/OWASPCincinnati/lowerleft_fortify.jpg</td>
<td>http://www.fortify.com/images/email/OWASPCincinnati/lowerright_owasp.jpg</td>
</tr>
<tr>
<td colspan="2">[http://www.fortify.com/cybercrime/OWASPCincinnati/registration.html Reserve Your Seat Now!]
</td>
</tr>
</table>

== March Meeting ==
'''When:''' March 25th, 2008, 6.15 PM presentation starts 6.30 PM
'''Where:''' Citibank N.A, 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537.
Please access the building from the visitor [http://www.flickr.com/photos/adamslight/2163531917/ lobby].
'''
'''RSVP is required to attend the meeting. If you plan to attend the meeting please email with your RSVP to [mailto:blainekwilson@msn.com Blaine Wilson] . This list is given to Citi guards to verify you and grant you access as visitor to the Buckeyes lecture room. For help with directions contact Citi Blue Ash help desk at (513) 979-9000

'''Session Topics:'''

'''Source Code Reviews and Open Source Static Analysis Tools'''

'''Presented by''': Allison Shubert, Security Specialist, Citigroup'''

Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time consuming process, but is a link in the chain for producing secure software. Join us as we explorer building a business case for static analysis and review the current open source static analysis tools.

'''An Introduction to Web Proxies'''

'''Presented by''':Blaine Wilson, Technology Information Security Officer, Citigroup '''

Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

== February Meeting ==

'''Session Topic: OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective'''

'''Who:''' Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
'''The presentation is available [https://www.owasp.org/images/e/eb/OWASP_Top_10_And_Root_Causes_Cincy_Feb_26_08_Final.pdf herein].'''

Before to diagnose the disease and provide the cure a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In case of application security the majority of the root causes of the security issues are in-secure software, the risk factors can be found in how bad the application is designed, the software is coded and the application is tested and the symptoms in how the application vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways to enforcing software security by looking at risks that threat agents (attacks) can exploit vulnerabilities due to insecure software and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weakness in application security controls, it is easier to describe the root cases as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten, for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find if you are vulnerable and if you are which countermeasures need to be implemented.

== January Meeting ==

'''When:''' January 29th, 2008, 11:30am - 1:00pm

'''General Session Topic: Introduction to OWASP'''

'''Who:''' Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
'''The presentation is available [https://www.owasp.org/images/5/53/Introduction_to_OWASP.pdf herein].'''

OWASP plays a special role in the application security ecosystem, is vehicle for sharing knowledge and lead best practices across organizations. As an example
OWASP is a community of people passionate about application security. We all share a vision of a world where you can confidently trust the software you use.
One of our primary missions is to make application security visible so that people can make informed decisions about risk.
OWASP is the most authoritative and resourceful application security organization to share and open source tools, documents, basic information, guidelines, presentations projects worldwide.
The OWASP Top Ten list includes a reference for most critical web application security flaws compiled by a variety of security experts from around the world.
The list is recommended by U.S. Federal Trade Commission, the U.S. Defense Information Systems Agency and is adopted by Payment Card Industry (PCI) as a requirement for security code reviews.Through OWASP you’ll find a rich community of people to connect through mailing lists, participating in the local chapters, and attending conferences.
The people involved in OWASP recognize the world’s software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially.
Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and know more about how to contribute to OWASP.

'''Specific Session Topic: Webgoat and Webscarab Security Tools Use Cases'''

'''Who:''' Blaine Wilson (Citigroup, TISO)

The presentation will show how to use popular OWASP tools such as Webscarab web proxy and Webgoat to learn about common security vulnerabilities in applications

== Cincinnati OWASP Chapter Leaders ==
<ul>
Officers
*Chapter Leader: [mailto:marco.morana@owasp.org Marco Morana]
*Vice Chapter Leader: [mailto:allisonshubert@yahoo.com Allison Shubert]
*Secretary: [mailto:blainekwilson@msn.com Blaine Wilson]
Board of Directors
*Chairman: [mailto:wayne@quirksofart.com Wayne H. Browning]
*Board Member: [mailto:john.fellers@gmail.com John Fellers]
</ul>

== About OWASP ==
* [[How OWASP Works]] for more information about projects and governance

==OWASP News==
* [http://www.owasp.org/index.php/OWASP_News OWASP Application Security News]

Cincinnati

2008-03-27T18:07:04Z

Ashubert:

{{Chapter Template|chaptername=Cincinnati|extra=The chapter leader is [mailto:marco.m.morana@gmail.com Marco Morana]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-cincinnati|emailarchives=http://lists.owasp.org/pipermail/owasp-cincinnati}}

== Local News ==
Since we started the chapter in 2008 we held a meeting every month. We currently have about 35 members enrolled in the
mailing list and the attendance to the meeting has been very good.
The next meeting is planned on April 22nd (5.30 PM-7.30 PM). This meeting is an event sponsored with Fortify and will
feature the premiere of the movie: " The New face of Cybercrime".[http://www.youtube.com/watch?v=c5Rxkm6wiyM A trailer can be preview here] The plan is to hold a special topic meeting on Cross Site
Request Forgery (CSRF) in May and another one on SQL injection in June/July.
We always look for presenters/contributors for the coming OWASP meeting. If you would like to present a topic, please submit
your proposal in powerpoint format using the
[http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template] and include the speaker's BIO and send an email
to the chapter leader. If you wish to become a sponsor or to held the meeting at your company premises please send an email
to the chapter leader.

== April Meeting ==

== March Meeting ==
'''When:''' March 25th, 2008, 6.15 PM presentation starts 6.30 PM
'''Where:''' Citibank N.A, 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537.
Please access the building from the visitor [http://www.flickr.com/photos/adamslight/2163531917/ lobby].
'''
'''RSVP is required to attend the meeting. If you plan to attend the meeting please email with your RSVP to [mailto:blainekwilson@msn.com Blaine Wilson] . This list is given to Citi guards to verify you and grant you access as visitor to the Buckeyes lecture room. For help with directions contact Citi Blue Ash help desk at (513) 979-9000

'''Session Topics:'''

'''Source Code Reviews and Open Source Static Analysis Tools'''

'''Presented by''': Allison Shubert, Security Specialist, Citigroup'''

Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time consuming process, but is a link in the chain for producing secure software. Join us as we explorer building a business case for static analysis and review the current open source static analysis tools.

'''An Introduction to Web Proxies'''

'''Presented by''':Blaine Wilson, Technology Information Security Officer, Citigroup '''

Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

== February Meeting ==

'''Session Topic: OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective'''

'''Who:''' Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
'''The presentation is available [https://www.owasp.org/images/e/eb/OWASP_Top_10_And_Root_Causes_Cincy_Feb_26_08_Final.pdf herein].'''

Before to diagnose the disease and provide the cure a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In case of application security the majority of the root causes of the security issues are in-secure software, the risk factors can be found in how bad the application is designed, the software is coded and the application is tested and the symptoms in how the application vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways to enforcing software security by looking at risks that threat agents (attacks) can exploit vulnerabilities due to insecure software and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weakness in application security controls, it is easier to describe the root cases as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten, for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find if you are vulnerable and if you are which countermeasures need to be implemented.

== January Meeting ==

'''When:''' January 29th, 2008, 11:30am - 1:00pm

'''General Session Topic: Introduction to OWASP'''

'''Who:''' Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
'''The presentation is available [https://www.owasp.org/images/5/53/Introduction_to_OWASP.pdf herein].'''

OWASP plays a special role in the application security ecosystem, is vehicle for sharing knowledge and lead best practices across organizations. As an example
OWASP is a community of people passionate about application security. We all share a vision of a world where you can confidently trust the software you use.
One of our primary missions is to make application security visible so that people can make informed decisions about risk.
OWASP is the most authoritative and resourceful application security organization to share and open source tools, documents, basic information, guidelines, presentations projects worldwide.
The OWASP Top Ten list includes a reference for most critical web application security flaws compiled by a variety of security experts from around the world.
The list is recommended by U.S. Federal Trade Commission, the U.S. Defense Information Systems Agency and is adopted by Payment Card Industry (PCI) as a requirement for security code reviews.Through OWASP you’ll find a rich community of people to connect through mailing lists, participating in the local chapters, and attending conferences.
The people involved in OWASP recognize the world’s software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially.
Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and know more about how to contribute to OWASP.

'''Specific Session Topic: Webgoat and Webscarab Security Tools Use Cases'''

'''Who:''' Blaine Wilson (Citigroup, TISO)

The presentation will show how to use popular OWASP tools such as Webscarab web proxy and Webgoat to learn about common security vulnerabilities in applications

== Cincinnati OWASP Chapter Leaders ==
<ul>
Officers
*Chapter Leader: [mailto:marco.morana@owasp.org Marco Morana]
*Vice Chapter Leader: [mailto:allisonshubert@yahoo.com Allison Shubert]
*Secretary: [mailto:blainekwilson@msn.com Blaine Wilson]
Board of Directors
*Chairman: [mailto:wayne@quirksofart.com Wayne H. Browning]
*Board Member: [mailto:john.fellers@gmail.com John Fellers]
</ul>

== About OWASP ==
* [[How OWASP Works]] for more information about projects and governance

==OWASP News==
* [http://www.owasp.org/index.php/OWASP_News OWASP Application Security News]

Cincinnati

2008-03-27T17:59:56Z

Ashubert: /* April Meeting */

{{Chapter Template|chaptername=Cincinnati|extra=The chapter leader is [mailto:marco.m.morana@gmail.com Marco Morana]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-cincinnati|emailarchives=http://lists.owasp.org/pipermail/owasp-cincinnati}}

== Local News ==
Since we started the chapter in 2008 we held a meeting every month. We currently have about 35 members enrolled in the
mailing list and the attendance to the meeting has been very good.
The next meeting is planned on April 22nd (5.30 PM-7.30 PM). This meeting is an event sponsored with Fortify and will
feature the premiere of the movie: " The New face of Cybercrime".[http://www.youtube.com/watch?v=c5Rxkm6wiyM A trailer can be preview here] The plan is to hold a special topic meeting on Cross Site
Request Forgery (CSRF) in May and another one on SQL injection in June/July.
We always look for presenters/contributors for the coming OWASP meeting. If you would like to present a topic, please submit
your proposal in powerpoint format using the
[http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template] and include the speaker's BIO and send an email
to the chapter leader. If you wish to become a sponsor or to held the meeting at your company premises please send an email
to the chapter leader.

== March Meeting ==
'''When:''' March 25th, 2008, 6.15 PM presentation starts 6.30 PM
'''Where:''' Citibank N.A, 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537.
Please access the building from the visitor [http://www.flickr.com/photos/adamslight/2163531917/ lobby].
'''
'''RSVP is required to attend the meeting. If you plan to attend the meeting please email with your RSVP to [mailto:blainekwilson@msn.com Blaine Wilson] . This list is given to Citi guards to verify you and grant you access as visitor to the Buckeyes lecture room. For help with directions contact Citi Blue Ash help desk at (513) 979-9000

'''Session Topics:'''

'''Source Code Reviews and Open Source Static Analysis Tools'''

'''Presented by''': Allison Shubert, Security Specialist, Citigroup'''

Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time consuming process, but is a link in the chain for producing secure software. Join us as we explorer building a business case for static analysis and review the current open source static analysis tools.

'''An Introduction to Web Proxies'''

'''Presented by''':Blaine Wilson, Technology Information Security Officer, Citigroup '''

Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

== February Meeting ==

'''Session Topic: OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective'''

'''Who:''' Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
'''The presentation is available [https://www.owasp.org/images/e/eb/OWASP_Top_10_And_Root_Causes_Cincy_Feb_26_08_Final.pdf herein].'''

Before to diagnose the disease and provide the cure a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In case of application security the majority of the root causes of the security issues are in-secure software, the risk factors can be found in how bad the application is designed, the software is coded and the application is tested and the symptoms in how the application vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways to enforcing software security by looking at risks that threat agents (attacks) can exploit vulnerabilities due to insecure software and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weakness in application security controls, it is easier to describe the root cases as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten, for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find if you are vulnerable and if you are which countermeasures need to be implemented.

== January Meeting ==

'''When:''' January 29th, 2008, 11:30am - 1:00pm

'''General Session Topic: Introduction to OWASP'''

'''Who:''' Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
'''The presentation is available [https://www.owasp.org/images/5/53/Introduction_to_OWASP.pdf herein].'''

OWASP plays a special role in the application security ecosystem, is vehicle for sharing knowledge and lead best practices across organizations. As an example
OWASP is a community of people passionate about application security. We all share a vision of a world where you can confidently trust the software you use.
One of our primary missions is to make application security visible so that people can make informed decisions about risk.
OWASP is the most authoritative and resourceful application security organization to share and open source tools, documents, basic information, guidelines, presentations projects worldwide.
The OWASP Top Ten list includes a reference for most critical web application security flaws compiled by a variety of security experts from around the world.
The list is recommended by U.S. Federal Trade Commission, the U.S. Defense Information Systems Agency and is adopted by Payment Card Industry (PCI) as a requirement for security code reviews.Through OWASP you’ll find a rich community of people to connect through mailing lists, participating in the local chapters, and attending conferences.
The people involved in OWASP recognize the world’s software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially.
Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and know more about how to contribute to OWASP.

'''Specific Session Topic: Webgoat and Webscarab Security Tools Use Cases'''

'''Who:''' Blaine Wilson (Citigroup, TISO)

The presentation will show how to use popular OWASP tools such as Webscarab web proxy and Webgoat to learn about common security vulnerabilities in applications

== Cincinnati OWASP Chapter Leaders ==
<ul>
Officers
*Chapter Leader: [mailto:marco.morana@owasp.org Marco Morana]
*Vice Chapter Leader: [mailto:allisonshubert@yahoo.com Allison Shubert]
*Secretary: [mailto:blainekwilson@msn.com Blaine Wilson]
Board of Directors
*Chairman: [mailto:wayne@quirksofart.com Wayne H. Browning]
*Board Member: [mailto:john.fellers@gmail.com John Fellers]
</ul>

== About OWASP ==
* [[How OWASP Works]] for more information about projects and governance

==OWASP News==
* [http://www.owasp.org/index.php/OWASP_News OWASP Application Security News]

Cincinnati

2008-03-27T17:43:50Z

Ashubert:

{{Chapter Template|chaptername=Cincinnati|extra=The chapter leader is [mailto:marco.m.morana@gmail.com Marco Morana]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-cincinnati|emailarchives=http://lists.owasp.org/pipermail/owasp-cincinnati}}

== Local News ==
Since we started the chapter in 2008 we held a meeting every month. We currently have about 35 members enrolled in the
mailing list and the attendance to the meeting has been very good.
The next meeting is planned on April 22nd (5.30 PM-7.30 PM). This meeting is an event sponsored with Fortify and will
feature the premiere of the movie: " The New face of Cybercrime".[http://www.youtube.com/watch?v=c5Rxkm6wiyM A trailer can be preview here] The plan is to hold a special topic meeting on Cross Site
Request Forgery (CSRF) in May and another one on SQL injection in June/July.
We always look for presenters/contributors for the coming OWASP meeting. If you would like to present a topic, please submit
your proposal in powerpoint format using the
[http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template] and include the speaker's BIO and send an email
to the chapter leader. If you wish to become a sponsor or to held the meeting at your company premises please send an email
to the chapter leader.

== April Meeting ==

== March Meeting ==
'''When:''' March 25th, 2008, 6.15 PM presentation starts 6.30 PM
'''Where:''' Citibank N.A, 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537.
Please access the building from the visitor [http://www.flickr.com/photos/adamslight/2163531917/ lobby].
'''
'''RSVP is required to attend the meeting. If you plan to attend the meeting please email with your RSVP to [mailto:blainekwilson@msn.com Blaine Wilson] . This list is given to Citi guards to verify you and grant you access as visitor to the Buckeyes lecture room. For help with directions contact Citi Blue Ash help desk at (513) 979-9000

'''Session Topics:'''

'''Source Code Reviews and Open Source Static Analysis Tools'''

'''Presented by''': Allison Shubert, Security Specialist, Citigroup'''

Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time consuming process, but is a link in the chain for producing secure software. Join us as we explorer building a business case for static analysis and review the current open source static analysis tools.

'''An Introduction to Web Proxies'''

'''Presented by''':Blaine Wilson, Technology Information Security Officer, Citigroup '''

Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

== February Meeting ==

'''Session Topic: OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective'''

'''Who:''' Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
'''The presentation is available [https://www.owasp.org/images/e/eb/OWASP_Top_10_And_Root_Causes_Cincy_Feb_26_08_Final.pdf herein].'''

Before to diagnose the disease and provide the cure a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In case of application security the majority of the root causes of the security issues are in-secure software, the risk factors can be found in how bad the application is designed, the software is coded and the application is tested and the symptoms in how the application vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways to enforcing software security by looking at risks that threat agents (attacks) can exploit vulnerabilities due to insecure software and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weakness in application security controls, it is easier to describe the root cases as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten, for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find if you are vulnerable and if you are which countermeasures need to be implemented.

== January Meeting ==

'''When:''' January 29th, 2008, 11:30am - 1:00pm

'''General Session Topic: Introduction to OWASP'''

'''Who:''' Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
'''The presentation is available [https://www.owasp.org/images/5/53/Introduction_to_OWASP.pdf herein].'''

OWASP plays a special role in the application security ecosystem, is vehicle for sharing knowledge and lead best practices across organizations. As an example
OWASP is a community of people passionate about application security. We all share a vision of a world where you can confidently trust the software you use.
One of our primary missions is to make application security visible so that people can make informed decisions about risk.
OWASP is the most authoritative and resourceful application security organization to share and open source tools, documents, basic information, guidelines, presentations projects worldwide.
The OWASP Top Ten list includes a reference for most critical web application security flaws compiled by a variety of security experts from around the world.
The list is recommended by U.S. Federal Trade Commission, the U.S. Defense Information Systems Agency and is adopted by Payment Card Industry (PCI) as a requirement for security code reviews.Through OWASP you’ll find a rich community of people to connect through mailing lists, participating in the local chapters, and attending conferences.
The people involved in OWASP recognize the world’s software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially.
Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and know more about how to contribute to OWASP.

'''Specific Session Topic: Webgoat and Webscarab Security Tools Use Cases'''

'''Who:''' Blaine Wilson (Citigroup, TISO)

The presentation will show how to use popular OWASP tools such as Webscarab web proxy and Webgoat to learn about common security vulnerabilities in applications

== Cincinnati OWASP Chapter Leaders ==
<ul>
Officers
*Chapter Leader: [mailto:marco.morana@owasp.org Marco Morana]
*Vice Chapter Leader: [mailto:allisonshubert@yahoo.com Allison Shubert]
*Secretary: [mailto:blainekwilson@msn.com Blaine Wilson]
Board of Directors
*Chairman: [mailto:wayne@quirksofart.com Wayne H. Browning]
*Board Member: [mailto:john.fellers@gmail.com John Fellers]
</ul>

== About OWASP ==
* [[How OWASP Works]] for more information about projects and governance

==OWASP News==
* [http://www.owasp.org/index.php/OWASP_News OWASP Application Security News]

Cincinnati

2008-03-27T17:33:55Z

Ashubert:

{{Chapter Template|chaptername=Cincinnati|extra=The chapter leader is [mailto:marco.m.morana@gmail.com Marco Morana]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-cincinnati|emailarchives=http://lists.owasp.org/pipermail/owasp-cincinnati}}

== Local News ==
Since we started the chapter in 2008 we held a meeting every month. We currently have about 35 members enrolled in the
mailing list and the attendance to the meeting has been very good.
The next meeting is planned on April 22nd (5.30 PM-7.30 PM). This meeting is an event sponsored with Fortify and will
feature the premiere of the movie: " The New face of Cybercrime".[http://www.youtube.com/watch?v=c5Rxkm6wiyM A trailer can be preview here] The plan is to hold a special topic meeting on Cross Site
Request Forgery (CSRF) in May and another one on SQL injection in June/July.
We always look for presenters/contributors for the coming OWASP meeting. If you would like to present a topic, please submit
your proposal in powerpoint format using the
[http://www.owasp.org/images/5/54/Presentation_template.ppt OWASP Template] and include the speaker's BIO and send an email
to the chapter leader. If you wish to become a sponsor or to held the meeting at your company premises please send an email
to the chapter leader.

== April Meeting ==
Please Join us for the exciting Fortify premeier.

<table style="font-family: 'Trebuchet MS',Helvetica,sans-serif; font-size: 11px" align="center" border="0" cellpadding="0" cellspacing="0" width="500">

<tr>
<td colspan="2"><img src="http://www.fortify.com/images/email/OWASPCincinnati/top.jpg" alt="The New Face of CyberCrime: Private Screening" width="500" height="646" border="0" /></td>
</tr>
<tr>
<td colspan="2"><a href="http://www.fortify.com/cybercrime/OWASPCincinnati/registration.html"><img src="http://www.fortify.com/images/email/OWASPCincinnati/middle_reserve.jpg" alt="Reserve your seat now" width="500" height="77" border="0" /></a></td>
</tr>
<tr>
<td><a href="http://www.fortify.com/"><img src="http://www.fortify.com/images/email/OWASPCincinnati/lowerleft_fortify.jpg" alt="Fortify Software" width="250" height="99" border="0" /></a></td>
<td><a href="http://www.owasp.org/"><img src="http://www.fortify.com/images/email/OWASPCincinnati/lowerright_owasp.jpg" alt="WAMU" width="250" height="99" border="0" /></a></td>
</tr>

</table>

== March Meeting ==
'''When:''' March 25th, 2008, 6.15 PM presentation starts 6.30 PM
'''Where:''' Citibank N.A, 9997 Carver Road, Bldg. 1, Cincinnati, Ohio, 45242-5537.
Please access the building from the visitor [http://www.flickr.com/photos/adamslight/2163531917/ lobby].
'''
'''RSVP is required to attend the meeting. If you plan to attend the meeting please email with your RSVP to [mailto:blainekwilson@msn.com Blaine Wilson] . This list is given to Citi guards to verify you and grant you access as visitor to the Buckeyes lecture room. For help with directions contact Citi Blue Ash help desk at (513) 979-9000

'''Session Topics:'''

'''Source Code Reviews and Open Source Static Analysis Tools'''

'''Presented by''': Allison Shubert, Security Specialist, Citigroup'''

Static analysis is the process of analyzing software for security vulnerabilities. Static analysis can be a costly and time consuming process, but is a link in the chain for producing secure software. Join us as we explorer building a business case for static analysis and review the current open source static analysis tools.

'''An Introduction to Web Proxies'''

'''Presented by''':Blaine Wilson, Technology Information Security Officer, Citigroup '''

Web proxies will be explained and the group will be shown how to install and configure WebScarab. WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. The presentation will include several examples of intercepting, reviewing and modifying HTTP requests and responses.

== February Meeting ==

'''Session Topic: OWASP Top Ten Vulnerabilities and Software Root Causes: Solving The Software Security Problem From an Information Security Perspective'''

'''Who:''' Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
'''The presentation is available [https://www.owasp.org/images/e/eb/OWASP_Top_10_And_Root_Causes_Cincy_Feb_26_08_Final.pdf herein].'''

Before to diagnose the disease and provide the cure a doctor looks at the root causes of the sickness, the risk factors and the symptoms. In case of application security the majority of the root causes of the security issues are in-secure software, the risk factors can be found in how bad the application is designed, the software is coded and the application is tested and the symptoms in how the application vulnerabilities are exposed. The presentation will articulate the problem of secure software, the costs, the software security risks and how these are typically dealt with by most organizations. Solving the problem of software security requires people, process and tools. From the information security perspective we will look at ways to enforcing software security by looking at risks that threat agents (attacks) can exploit vulnerabilities due to insecure software and the resulting impact on company assets. Implementing a set of software security requirements is the best place to start to address the root causes of web application vulnerabilities. With a categorization of web application vulnerabilities as weakness in application security controls, it is easier to describe the root cases as coding errors. A good place to start documenting software security requirements is the OWASP Top Ten, for each of these vulnerabilities we will discuss the threat, the risk factors, the software root causes of the vulnerability, how to find if you are vulnerable and if you are which countermeasures need to be implemented.

== January Meeting ==

'''When:''' January 29th, 2008, 11:30am - 1:00pm

'''General Session Topic: Introduction to OWASP'''

'''Who:''' Marco Morana (Citigroup, TISO, OWASP Chapter Leader, Security Blogger)
'''The presentation is available [https://www.owasp.org/images/5/53/Introduction_to_OWASP.pdf herein].'''

OWASP plays a special role in the application security ecosystem, is vehicle for sharing knowledge and lead best practices across organizations. As an example
OWASP is a community of people passionate about application security. We all share a vision of a world where you can confidently trust the software you use.
One of our primary missions is to make application security visible so that people can make informed decisions about risk.
OWASP is the most authoritative and resourceful application security organization to share and open source tools, documents, basic information, guidelines, presentations projects worldwide.
The OWASP Top Ten list includes a reference for most critical web application security flaws compiled by a variety of security experts from around the world.
The list is recommended by U.S. Federal Trade Commission, the U.S. Defense Information Systems Agency and is adopted by Payment Card Industry (PCI) as a requirement for security code reviews.Through OWASP you’ll find a rich community of people to connect through mailing lists, participating in the local chapters, and attending conferences.
The people involved in OWASP recognize the world’s software is most likely getting less and less secure. As we increase our interconnections and use more and more powerful computing technologies, the likelihood of introducing vulnerabilities increases exponentially.
Whatever the internet becomes, OWASP can play a key role in making sure that it is a place we can trust. This meeting will provide an opportunity to meet local OWASP affiliates and members and know more about how to contribute to OWASP.

'''Specific Session Topic: Webgoat and Webscarab Security Tools Use Cases'''

'''Who:''' Blaine Wilson (Citigroup, TISO)

The presentation will show how to use popular OWASP tools such as Webscarab web proxy and Webgoat to learn about common security vulnerabilities in applications

== Cincinnati OWASP Chapter Leaders ==
<ul>
Officers
*Chapter Leader: [mailto:marco.morana@owasp.org Marco Morana]
*Vice Chapter Leader: [mailto:allisonshubert@yahoo.com Allison Shubert]
*Secretary: [mailto:blainekwilson@msn.com Blaine Wilson]
Board of Directors
*Chairman: [mailto:wayne@quirksofart.com Wayne H. Browning]
*Board Member: [mailto:john.fellers@gmail.com John Fellers]
</ul>

== About OWASP ==
* [[How OWASP Works]] for more information about projects and governance

==OWASP News==
* [http://www.owasp.org/index.php/OWASP_News OWASP Application Security News]