OWASP - User contributions [en]

San Jose

2007-09-03T06:49:23Z

Bbertacini: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-07-13T19:42:09Z

Bbertacini: /* Next Meeting - Wednesday, July 25, 2007 */

{{Chapter Template|chaptername=San Jose|extra=The chapter leader is [mailto:brian.bertacini@owasp.org Brian Bertacini]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanjose|emailarchives=http://lists.owasp.org/pipermail/owasp-sanjose}}

== Next Meeting - Wednesday, July 25, 2007 ==
Open to the public, attendance is free

'''Agenda and Presentations:''' 
6:00pm - 6:30pm ... Check-in and reception (food & bev) 
6:30pm - 7:15pm ... Attacking XML Security - Brad Hill 
7:15pm - 8:00pm ... Development of a Security Metric System to Rate Enterprise Software - Fredrick Lee 
8:00pm - 8:30pm ... Networking Session 

'''Venue:''' 
Ariba 
807 11th Avenue 
Sunnyvale, Ca 94089 
[http://www.ariba.com/company/hq_map.cfm Map and Directions] 

'''Attacking XML Security''' 
'''''Presented by: Brad Hill, iSEC Partners''''' 

'''Abstract:'''
Brad will present his ongoing research into attacking the XML Digital Signature and Encryption standards that underpin the security of Web Services, mobile code, SAML, federated identity systems and more. The talk will begin with a high-level, critical take on the emerging conventional wisdom about message-oriented security and continue with a detailed discussion of design and implementation weaknesses in the standards. Technical material will include a root cause analysis of the recent iSEC advisory on cross-platform, remote code execution vulnerabilities discovered in multiple XML Digital Signature products. 

'''Bio:''' Based out of Seattle, Brad Hill is a Senior Security Consultant at iSEC Partners, a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification. Brad brings a ten year background as a software developer and architect in the technology and financial services sectors to his work at iSEC, where he does design review, application assessment and development lifecycle improvement for some of the world’s leading software companies.
 
 
 
'''Development of a Security Metric System to Rate Enterprise Software''' 
'''''Presented by: Fredrick Lee, Fortify Software''''' 

'''Abstract:'''
As part of Fortify Software’s Java Open Review (JOR) project, both security defects and quality issues discovered in open source software are collected. The projects being analyzed are diverse in their development methodologies, development stages, and application styles. The projects range from small utility packages (e.g. Apache Commons), to mid-size intranet applications (e.g. JSPWiki), to large-scale, commercial grade enterprise projects (e.g. JBoss). In essence, participants in the Java Open Review project reflect the typical enterprise organization’s code base: a large collection of several small utility/internal applications and a handful of enterprise “flagship” products.

As part of the project, we have been challenged to answer the question: Which
application is more “secure.” To answer this question, Fortify has sought to develop a set of metrics that combine lessons learned from our experience working on various enterprise code bases and our work on the JOR project. The metrics are designed to incorporate diverse criteria, including the size of the application, the types of vulnerabilities identified, and time required to fix the vulnerabilities. The metrics provide a mechanism to rate software components for security concerns and enable enterprises to:

- Evaluate which open source projects offer an acceptable level of security 
- Compare competing open source software solutions based on their security 
- Measure internal development efforts against open source open source counterparts

Ultimately, with sufficient industry adoption, the metrics can also enable enterprises to compare their internal efforts against other enterprises within the same vertical. As part of the talk we will present our experience to date working with companies to develop an effective mechanism for evaluating the security of enterprise software.

'''Bio:''' Fredrick Lee is a member of Fortify Software’s Security Research Group, where he manages the Java Open Review Project. Scanning the code of over 100 applications so far, Fredrick is helping assess and improve the security of open source software. Fredrick also helps the Security Research Group develop the secure coding rules that are use to run Fortify’s suite of products.

Prior to joining Fortify Software, Fredrick was a Senior Information Security Engineer at Bank of America, where he helped roll out a secure development framework, performed security assessments, and developed enterprise security solutions.

Fredrick graduated from the University of Oklahoma, with a BS in Computer Engineering.

 

'''Upcoming Security Workshops''' 
'''''Presented by: Brian Bertacini, Volunteer Chapter Organizer''''' 

'''Abstract:''' Introduce local volunteer expert trainers that are planning web application and infrastructure security workshops.

Please RSVP to via email [mailto:brian.bertacini@owasp.org Brian Bertacini], call 408-979-0571 or visit [http://owasp.mollyguard.com OWASP.Mollyguard.com]

Special thanks to [http://www.ariba.com Ariba] for hosting this event and to [http://www.appsecconsulting.com AppSec Consulting] and [http://www.isecpartners.com iSEC Partners] for sponsoring.

OWASP Community

2007-07-13T19:07:11Z

Bbertacini: /* Events */

This page is for people to post OWASP related events, such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored events.

Events from previous years are archived here:
* '''[[OWASP Community 2006]]'''

This page is monitored, and items posted here will be copied to the OWASP [[Main Page]]. Please post new items in chronological order using the following format:

'''Mon ## (##:00h) - [[Article]]'''



==Events==
'''July 25 (18:00h) - [[San Jose|San Jose Chapter Meeting]]'''

'''July 24 (17:00h) - [[Switzerland|Switzerland chapter meeting]]'''

'''July 14 (11:00h) - [[Turkey|Turkey chapter meeting - 1st Web Security Days]]'''

'''July 6 (17:00h) - [[Spain|Spain chapter meeting]]'''

'''June 26 (11:30hr) - [[Austin|Austin chapter meeting]]''' - Running Web Application Scans

'''June 22 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''June 21 (19:00h) - [[Denver]]''' - Anti-DNS Pinning Attacks / Calculating Return on Security Investment (ROSI)

'''June 19 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''

'''June 15 (17:00hr) - [[Spain|Spain chapter meeting]]'''

'''June 13 (18:30hr) - [[Kansas City|Kansas City chapter meeting]]'''

'''June 12 (18:00hr) - [[New York|NY/NJ Metro chapter meeting]]'''

'''Jun 5 (19:00h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Jun 5 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Jun 5 (17:30h) - [[Houston | Houston Chapter Meeting]]'''

'''May 29 (9:00h) - [[http://www.owasp.org/index.php/Italy#May_29th.2C_2007_-_Seminar:_.22Software_Security.22 Italy@Firenze Tecnologia]]'''

'''May 29 (11:30h) - [[Austin | Austin Chapter Meeting]]''' - Bullet Proof UI - A programmer's guide to the complete idiot".

'''May 29 (18:00h) - [[Ottawa | Ottawa Chapter Meeting]]'''

'''May 22 (18:30h) - [[New Zealand|1st New Zealand chapter Meeting]]'''

'''May 21 (14:00h) - [[Israel|2nd OWASP Israel mini conference]]'''

'''May 15 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''May 10 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''May 9 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''May 8 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''May 6 (11:00h) - [[Turkey|Turkey chapter meeting]]'''

'''May 2 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''May 1 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Apr 26 (11:00h) - [[San Antonio|San Antonio chapter meeting]]'''

'''Apr 26 (17:00h) - [[Switzerland|Switzerland chapter meeting and "Swiss Security Dinner"]]'''

'''Apr 24 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''

'''Apr 20 (19:00h) - [[Hong Kong|Hong Kong chapter meeting - Objectives for 2007]]'''

'''Apr 19 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Apr 18 (17:00h) - [[San Francisco City Chapter Meeting]]'''

'''Apr 17 (18:00h) - [[New Jersey|NY/NJ Metro chapter meeting]]'''

'''Apr 17 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Apr 12 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Apr 12 (18:00h) - [[San Jose|San Jose chapter meeting]]'''

'''Apr 11 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Apr 4 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Apr 3 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Mar 30 - [[http://www.owasp.org/index.php/Italy#March_30th.2C_2007_-_Master_in_Security_-_University_of_Rome_.22La_Sapienza.22| Italy@Master in Security at "La Sapienza"]]'''

'''Mar 28 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Mar 28 (11:30h) - [[San Antonio|San Antonio chapter meeting]]'''

; '''Mar 27-30 - [http://www.blackhat.com Black Hat Euro]'''
: OWASP members receive a Euro 100 Briefings discount by inserting BH7EUASSOC in the box marked “Coupon Codes”

'''Mar 22 (18:00h) - [[London|London chapter meeting]]'''

'''Mar 21-22 - [[Belgium#OWASP_Top_10_2007_Update_.28Infosecurity_Belgium.2C_21_.26_.2622_Mar_2007.29|Belgium@InfoSecurity]]'''

'''Mar 20 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Mar 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Mar 14 (18:00h) - [[Chicago|Chicago chapter meeting]]'''

'''Mar 13 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Mar 8 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''

'''Mar 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Mar 7 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''

'''Mar 6 (18:30h) - [[Philadelphia|Philadelphia chapter meeting]]'''

'''Mar 6 (18:30h) - [[San Francisco|San Francisco and San Jose chapter meeting]]'''

'''Mar 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Mar 5 (11:00h) - [[New Jersey|New Jersey chapter meeting]]'''

'''Mar 1 (11:30h) - [http://www.eusecwest.com/agenda.html EUSecWest 07: Testing Guide]'''

; '''Feb 26-Mar 1 - [http://www.blackhat.com Black Hat DC]'''
: OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”

'''Feb 28 (18:00h) - [[Seattle|Seattle chapter meeting]]'''

'''Feb 27 (18:00h) - [[Edmonton|Edmonton chapter meeting]]'''

'''Feb 22 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Feb 22 (18:00h) - [[London|London chapter meeting]]'''

'''Feb 21 (18:30h) - [[Denver|Denver chapter meeting]]'''

'''Feb 19 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Feb 15 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Feb 15 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Feb 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Feb 13 (18:00h) - [[Ireland|Ireland chapter meeting]]'''

'''Feb 12 (18:30h) - [[Switzerland|Switzerland chapter meeting]]'''

'''Feb 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Feb 6-7 - [[Italy#February_6th-8th.2C_2007_-_InfoSecurity|Italy@InfoSecurity]]'''

'''Feb 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Feb 2 (14:00h) - [[Chennai|Chennai chapter meeting]]'''

'''Jan 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]'''

'''Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]'''

'''Jan 25 (18:00h) - [[San Francisco| San Francisco chapter meeting]]'''

'''Jan 25 (14:30h) - [[Italy#October_25th.2C_2007_-_Isaca_Rome|Italy@ISACA Rome]]'''

'''Jan 24 (17:30h) - [[Israel#6th_OWASP_IL_meeting:_Wednesday.2C_January_24th_2007|6th OWASP Israel chapter meeting]]'''

'''Jan 23 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''Jan 22 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Jan 17 (18:30h) - [[Denver|Denver chapter meeting]]'''

'''Jan 16 (17:45h) - [[Edmonton|Edmonton chapter meeting]]'''

'''Jan 11 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Jan 11 (18:30h) - [[Phoenix|Phoenix chapter meeting]]'''

'''Jan 11 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Jan 10 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Jan 8 (18:00h) - [[Seattle|Seattle chapter meeting]]'''

'''Jan 3 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''May 1 - [[Melbourne | Melbourne chapter meeting]]'''

'''May 2 - [[Boston]]'''

'''May 6 - [[Turkey]]'''

'''May 8 - [[Virginia (Northern Virginia)|Washington DC (VA)]]'''

'''May 9 - [[Toronto]]'''

'''May 10 - [[Belgium]]'''

'''May 15 - [[Rochester]]'''

'''May 21 - [[Israel]]'''

'''May 22 - [[New Zealand]]'''

'''May 29 - [[Italy]]'''

'''June 5 - [[Houston]]'''

'''June 5 - [[Melbourne]]'''

'''June 5 - [[Helsinki]]'''

'''June 12 - [[New Jersey]]'''

'''June 15 - [[Spain]]'''

'''July 14 - [[Turkey]]'''

San Jose

2007-07-13T18:20:12Z

Bbertacini: /* Next Meeting - Wednesday, July 25, 2007 */

OWASP Community

2007-04-02T17:05:05Z

Bbertacini: /* Events */

This page is for people to post OWASP related events, such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored events.

Events from previous years are archived here:
* '''[[OWASP Community 2006]]'''

This page is monitored, and items posted here will be copied to the OWASP [[Main Page]]. Please post new items in chronological order using the following format:

'''Mon ## (##:00h) - [[Article]]'''



==Events==
'''May 15 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''May 10 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''May 9 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''May 9 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''

'''May 8 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''May 2 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''May 1 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''May 21 (14:00h) - [[Israel|2nd OWASP Israel mini conference]]'''

'''Apr 26 (17:00h) - [[Switzerland|Switzerland chapter meeting and "Swiss Security Dinner"]]'''

'''Apr 20 (19:00h) - [[Hong Kong|Hong Kong chapter meeting - Objectives for 2007]]'''

'''Apr 17 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Apr 17 (18:00h) - [[New Jersey|NY/NJ Metro chapter meeting]]'''

'''Apr 12 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Apr 12 (18:00h) - [[San Jose|San Jose chapter meeting]]'''

'''Apr 11 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Apr 10 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Apr 4 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Apr 3 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Mar 30 - [[http://www.owasp.org/index.php/Italy#March_30th.2C_2007_-_Master_in_Security_-_University_of_Rome_.22La_Sapienza.22| Italy@Master in Security at "La Sapienza"]]'''

'''Mar 28 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Mar 28 (11:30h) - [[San Antonio|San Antonio chapter meeting]]'''

; '''Mar 27-30 - [http://www.blackhat.com Black Hat Euro]'''
: OWASP members receive a Euro 100 Briefings discount by inserting BH7EUASSOC in the box marked “Coupon Codes”

'''Mar 22 (18:00h) - [[London|London chapter meeting]]'''

'''Mar 21-22 - [[Belgium#OWASP_Top_10_2007_Update_.28Infosecurity_Belgium.2C_21_.26_.2622_Mar_2007.29|Belgium@InfoSecurity]]'''

'''Mar 20 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Mar 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Mar 14 (18:00h) - [[Chicago|Chicago chapter meeting]]'''

'''Mar 13 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Mar 8 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''

'''Mar 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Mar 7 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''

'''Mar 6 (18:30h) - [[Philadelphia|Philadelphia chapter meeting]]'''

'''Mar 6 (18:30h) - [[San Francisco|San Francisco and San Jose chapter meeting]]'''

'''Mar 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Mar 5 (11:00h) - [[New Jersey|New Jersey chapter meeting]]'''

'''Mar 1 (11:30h) - [http://www.eusecwest.com/agenda.html EUSecWest 07: Testing Guide]'''

; '''Feb 26-Mar 1 - [http://www.blackhat.com Black Hat DC]'''
: OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”

'''Feb 28 (18:00h) - [[Seattle|Seattle chapter meeting]]'''

'''Feb 27 (18:00h) - [[Edmonton|Edmonton chapter meeting]]'''

'''Feb 22 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Feb 22 (18:00h) - [[London|London chapter meeting]]'''

'''Feb 21 (18:30h) - [[Denver|Denver chapter meeting]]'''

'''Feb 19 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Feb 15 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Feb 15 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Feb 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Feb 13 (18:00h) - [[Ireland|Ireland chapter meeting]]'''

'''Feb 12 (18:30h) - [[Switzerland|Switzerland chapter meeting]]'''

'''Feb 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Feb 6-7 - [[Italy#February_6th-8th.2C_2007_-_InfoSecurity|Italy@InfoSecurity]]'''

'''Feb 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

'''Feb 2 (14:00h) - [[Chennai|Chennai chapter meeting]]'''

'''Jan 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]'''

'''Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]'''

'''Jan 25 (18:00h) - [[San Francisco| San Francisco chapter meeting]]'''

'''Jan 25 (14:30h) - [[Italy#October_25th.2C_2007_-_Isaca_Rome|Italy@ISACA Rome]]'''

'''Jan 24 (17:30h) - [[Israel#6th_OWASP_IL_meeting:_Wednesday.2C_January_24th_2007|6th OWASP Israel chapter meeting]]'''

'''Jan 23 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

'''Jan 22 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Jan 17 (18:30h) - [[Denver|Denver chapter meeting]]'''

'''Jan 16 (17:45h) - [[Edmonton|Edmonton chapter meeting]]'''

'''Jan 11 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

'''Jan 11 (18:30h) - [[Phoenix|Phoenix chapter meeting]]'''

'''Jan 11 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Jan 10 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Jan 8 (18:00h) - [[Seattle|Seattle chapter meeting]]'''

'''Jan 3 (18:30h) - [[Boston|Boston chapter meeting]]'''

San Jose

2006-12-08T07:30:29Z

Bbertacini: /* Next Meeting - Tuesday, December 19, 2006 */

San Jose

2006-12-08T07:20:01Z

Bbertacini: /* Next Meeting - Tuesday, December 19, 2006 */

San Jose

2006-12-08T07:06:15Z

Bbertacini: /* Next Meeting - Tuesday, December 19, 2006 */

San Jose

2006-12-08T07:03:47Z

Bbertacini: /* Next Meeting - Tuesday, December 19, 2006 */

San Jose

2006-12-08T06:57:38Z

Bbertacini: /* Next Meeting - Thursday, August 10, 2006 */

Talk:San Jose

2006-12-08T06:32:10Z

Bbertacini: /* Previous Meetings: */

== Previous Meetings: ==

'''August 10, 2006 - The Next Generation of Vulnerable Applications'''

'''Presented by: Alex Stamos, Founding Partner, iSEC Partners'''

'''Abstract:''' Web Services represent a new and unexplored set of security-sensitive technologies that have been widely deployed by large companies, governments, financial institutions, and in consumer applications. Unfortunately, the attributes that make web services attractive, such as their ease of use, platform independence, use of HTTP and powerful functionality, also make them a great target for attack. In this talk, we will explain the basic technologies (such as XML, SOAP, and UDDI) upon which web services are built, and explore the innate security weaknesses in each. We will then demonstrate new attacks that exist in web service infrastructures, and show how classic web application attacks (SQL Injection, XSS, etc…) can be retooled to work with the next-generation of enterprise applications.

'''Bio:''' Alex Stamos is a founding partner of iSEC Partners - a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as BlackHat, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec.

Before he helped form iSEC Partners, Alex spent two years as a Managing Security Architect with @stake. Alex performed as a technical leader on many complex and difficult assignments, including a thorough penetration test and architectural review of a 6 million line enterprise management system, a secure re-design of a multi-thousand host ASP network, and a thorough analysis and code review of a major commercial web server. He was also one of @stake’s West Coast trainers, educating select technical audiences in advanced network and application attacks.

Alex has also worked in at a DoE National Laboratory. He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley, where he participated in research projects related to distributed secure storage and automatic C code auditing.

Talk:San Jose

2006-12-08T06:31:33Z

Bbertacini: /* Previous Meetings: */

== Previous Meetings: ==

'''August 10, 2006 - The Next Generation of Vulnerable Applications'''

'''Presented by: Alex Stamos, Founding Partner, iSEC Partners'''
'''Abstract:''' Web Services represent a new and unexplored set of security-sensitive technologies that have been widely deployed by large companies, governments, financial institutions, and in consumer applications. Unfortunately, the attributes that make web services attractive, such as their ease of use, platform independence, use of HTTP and powerful functionality, also make them a great target for attack. In this talk, we will explain the basic technologies (such as XML, SOAP, and UDDI) upon which web services are built, and explore the innate security weaknesses in each. We will then demonstrate new attacks that exist in web service infrastructures, and show how classic web application attacks (SQL Injection, XSS, etc…) can be retooled to work with the next-generation of enterprise applications.

'''Bio:''' Alex Stamos is a founding partner of iSEC Partners - a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as BlackHat, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec.

Before he helped form iSEC Partners, Alex spent two years as a Managing Security Architect with @stake. Alex performed as a technical leader on many complex and difficult assignments, including a thorough penetration test and architectural review of a 6 million line enterprise management system, a secure re-design of a multi-thousand host ASP network, and a thorough analysis and code review of a major commercial web server. He was also one of @stake’s West Coast trainers, educating select technical audiences in advanced network and application attacks.

Alex has also worked in at a DoE National Laboratory. He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley, where he participated in research projects related to distributed secure storage and automatic C code auditing.

Talk:San Jose

2006-12-08T06:29:47Z

Bbertacini:

== Previous Meetings: ==

'''August 10, 2006

The Next Generation of Vulnerable Applications'''Presented by: Alex Stamos, Founding Partner, iSEC Partners
Abstract: Web Services represent a new and unexplored set of security-sensitive technologies that have been widely deployed by large companies, governments, financial institutions, and in consumer applications. Unfortunately, the attributes that make web services attractive, such as their ease of use, platform independence, use of HTTP and powerful functionality, also make them a great target for attack. In this talk, we will explain the basic technologies (such as XML, SOAP, and UDDI) upon which web services are built, and explore the innate security weaknesses in each. We will then demonstrate new attacks that exist in web service infrastructures, and show how classic web application attacks (SQL Injection, XSS, etc…) can be retooled to work with the next-generation of enterprise applications.

'''Bio:''' Alex Stamos is a founding partner of iSEC Partners - a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as BlackHat, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec.

Before he helped form iSEC Partners, Alex spent two years as a Managing Security Architect with @stake. Alex performed as a technical leader on many complex and difficult assignments, including a thorough penetration test and architectural review of a 6 million line enterprise management system, a secure re-design of a multi-thousand host ASP network, and a thorough analysis and code review of a major commercial web server. He was also one of @stake’s West Coast trainers, educating select technical audiences in advanced network and application attacks.

Alex has also worked in at a DoE National Laboratory. He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley, where he participated in research projects related to distributed secure storage and automatic C code auditing.

OWASP Community

2006-12-08T06:20:37Z

Bbertacini: /* Events */

This page is for people to post OWASP related events, such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored events. This page is monitored, and items will be copied to the front page.

Please post new items in chronological order using the following format:

<nowiki>
'''Mon ## (##:00h) - [[Article]]'''
</nowiki>



==Events==

'''Jan 17 (18:30h) - [[Denver|Denver chapter meeting]]'''

'''Jan 4 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Dec 19 (18:00h) - [[San Jose|San Jose chapter meeting]]'''

'''Dec 18 (18:30h) - [[Rochester|Rochester chapter meeting]]'''

'''Dec 14 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Dec 13 (18:00h) - [[Chicago|Chicago chapter meeting]]'''

'''Dec 12 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''

'''Dec 12 (18:00h) - [[Cleveland|Cleveland chapter meeting]]'''

'''Dec 12 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Dec 7 (17:30h) - [[New Jersey|New Jersey chapter meeting]]'''

'''Dec 6 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''

'''Dec 6 (18:30h) - [[Boston|Boston chapter meeting]] (cancelled)'''

'''Dec 5 (18:00h) - [[Edmonton|Edmonton chapter meeting]]'''

'''Nov 21 (11:30h) - [[Austin|Austin chapter meeting]]

'''Nov 20 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Nov 15 (18:30h) - [[Denver|Denver chapter meeting]]'''

'''Nov 14 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Nov 13 (14:30h) - [[Israel|Israeli chapter mini-conference at IDC Herzliya]]'''

'''Nov 11 (10:00h) - [[Switzerland|Kickoff Meeting OWASP Switzerland Local Chapter]]'''

'''Nov 9 (18:30h) - [[Phoenix|Phoenix chapter meeting]]'''

'''Nov 8 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Nov 6 (18:00h) - [[Ottawa|Ottawa chapter meeting]]'''

'''Nov 1 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Oct 31 (12:00h) - [[Austin|Austin OWASP chapter]]'''

'''Oct 30 (11:00h) - [[Montgomery|Montgomery chapter meeting]]'''

'''Oct 26 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Oct 24 (18:00h) - [[Edmonton|Edmonton chapter meeting]]'''

'''Oct 16-18 - [[OWASP AppSec Seattle 2006|OWASP AppSec Seattle 2006 Conference]]'''

'''Oct 16 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Oct 12 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Oct 7 - [[Italy| OWASP Italy at SMAU 06]]'''

'''Oct 4 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Oct 2 (18:00h) - [[Ottawa|Ottawa chapter meeting]]'''

'''Sep 29 - [[Italy| OWASP Italy at OpenEXP]]'''

'''Sep 28 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Sep 27 (11:30h) - [[San Antonio|San Antonio chapter meeting]]'''

'''Sep 26-27 (08:00h) - [[Manila|OWASP Manila presenting at PhilOSC 2006]]'''

'''Sep 26 (12:00h) - [[Austin|Austin OWASP chapter]]'''

'''Sep 25 (17:00h) - [[New Jersey|New Jersey chapter meeting]]'''

'''Sep 21 (17:30h) - [[San Francisco|San Francisco chapter meeting]]'''

'''Sep 18 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

'''Sep 14 (18:00h) - [[Brisbane|Brisbane chapter meeting]]'''

'''Sep 14 (18:00h) - [[Belgium|Belgium chapter meeting in Antwerp]]'''

'''Sep 14 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]] (cancelled)'''

'''Sep 12 - [[Edmonton|Edmonton chapter meeting]]'''

'''Sep 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Aug 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]'''

'''Aug 31 (08:00h) - [[Manila|OWASP Manila presentation at UST]]'''

'''Aug 29 (11:30h) - [[Austin|Austin OWASP chapter]]'''

'''Aug 24 (17:30h) - [[Brisbane|Brisbane chapter meeting]]'''

'''Aug 23 (11:30h) - [[San Antonio|San Antonio chapter meeting]]'''

'''Aug 19 - [[Bangalore|Bangalore chapter meeting]]'''

'''Aug 17 - [[London|London chapter meeting (Central London)]]'''

'''Aug 10 - [[San Jose|San Jose chapter meeting (SJ Hyatt - Airport)]]'''

'''Aug 9 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Aug 9 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

'''Aug 8 (18:00h) - [[Minneapolis St Paul|Minneapolis / St.Paul chapter meeting]]'''

'''Aug 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Aug 2 (19:30h) - [[OWASP/Blackhat Vegas International Meet-Up]]'''

'''Jul 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]'''

'''Jul 27 (12:00h) - [[Austin|Austin OWASP chapter kickoff meeting]]'''

'''Jul 26 (19:15h) - [[Israel|Israel chapter meeting]]'''

'''Jul 19 (12:15h) - [[Hong Kong|Hong Kong chapter meeting]]'''

'''Jul 15 - [[Bangalore|Bangalore chapter meeting]]'''

'''Jul 12 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Jul 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Jul 5 (18:00h) - [[Ottawa|Ottawa chapter meeting]]'''

'''Jun 29 (18:00h) - [[San Jose|San Jose chapter meeting]]'''

'''Jun 26 (15:30h) - [[BostonFinancialDist|Boston financial district chapter meeting]]'''

'''Jun 24 (9:30h) - [[Mumbai|Mumbai chapter meeting]]'''

'''Jun 22 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''

'''Jun 21 - [[Italy|OWASP presentations at InfoSecurity 2006 (Italy)]]'''

'''Jun 21 (11:30h) - [[San Antonio|San Antonio chapter meeting]]'''

'''Jun 20 (18:00h) - [[Minneapolis St Paul|Minneapolis/St. Paul chapter meeting]]'''

'''Jun 19 (18:00h) - [[Ottawa|Ottawa chapter meeting]]'''

'''Jun 16 (16:45h) - [[Spain|Spain chapter meeting (Barcelona)]]'''

'''Jun 14-16 - [http://www.nyphpcon.com NY PHP Conference]'''

'''Jun 14 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

'''Jun 7 (18:30h) - [[Boston|Boston chapter meeting]]'''

'''Jun 2 (12:00h) - [[Hong Kong|Hong Kong chapter meeting]]'''

'''May 29-31 - [[AppSec Europe 2006|OWASP AppSec 2006 Europe Conference]]'''

San Jose

2006-07-26T16:03:11Z

Bbertacini: /* Next Meeting - Thursday, June 29, 2006 */

{{Chapter Template|chaptername=San Jose|extra=The chapter leader is [mailto:brian.bertacini@owasp.org Brian Bertacini]|mailinglistsite=http://lists.sourceforge.net/lists/listinfo/owasp-sanjose/}}

== Next Meeting - Thursday, August 10, 2006 ==
Open to the public, attendance is free

'''Agenda and Presentations:''' 
6:00pm – 6:30pm Check-in and reception (food & bev) 
6:30pm – 6:40pm Chapter announcements 
6:40pm – 8:00pm The Next Generation of Vulnerable Applications, Alex Stamos, iSec Partners 
8:00pm – 8:30pm Open discussion & Networking 

'''Venue:''' 
San Jose Hyatt (Airport) 
1740 North First Street 
San Jose, CA 95112 

'''The Next Generation of Vulnerable Applications''' 
'''''Presented by: Alex Stamos, Founding Partner, iSEC Partners''''' 
'''Abstract:''' Web Services represent a new and unexplored set of security-sensitive technologies that have been widely deployed by large companies, governments, financial institutions, and in consumer applications. Unfortunately, the attributes that make web services attractive, such as their ease of use, platform independence, use of HTTP and powerful functionality, also make them a great target for attack. In this talk, we will explain the basic technologies (such as XML, SOAP, and UDDI) upon which web services are built, and explore the innate security weaknesses in each. We will then demonstrate new attacks that exist in web service infrastructures, and show how classic web application attacks (SQL Injection, XSS, etc…) can be retooled to work with the next-generation of enterprise applications.

'''Bio:''' Alex Stamos is a founding partner of iSEC Partners - a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as BlackHat, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec.

Before he helped form iSEC Partners, Alex spent two years as a Managing Security Architect with @stake. Alex performed as a technical leader on many complex and difficult assignments, including a thorough penetration test and architectural review of a 6 million line enterprise management system, a secure re-design of a multi-thousand host ASP network, and a thorough analysis and code review of a major commercial web server. He was also one of @stake’s West Coast trainers, educating select technical audiences in advanced network and application attacks.

Alex has also worked in at a DoE National Laboratory. He holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley, where he participated in research projects related to distributed secure storage and automatic C code auditing.

Please RSVP to via email [mailto:brian.bertacini@owasp.org Brian Bertacini], call 408-979-0571 or visit [http://owasp.mollyguard.com OWASP.Mollyguard.com]

This event is co-sponsored by [http://www.appsecconsulting.com AppSec Consulting, Inc]. and [http://www.whitehatsec.com WhiteHat Security, Inc.]

OWASP Community

2006-07-26T15:55:42Z

Bbertacini: /* Events */

San Jose

2006-06-29T04:32:53Z

Bbertacini: /* Next Meeting - Thursday, June 29, 2006 */

{{Chapter Template|chaptername=San Jose|extra=The chapter leader is [mailto:brian.bertacini@owasp.org Brian Bertacini]|mailinglistsite=http://lists.sourceforge.net/lists/listinfo/owasp-sanjose/}}

== Next Meeting - Thursday, June 29, 2006 ==
Open to the public, attendance is free

'''Agenda and Presentations:''' 
6:00pm – 6:30pm Check-in and reception (food & bev) 
6:30pm – 6:40pm Chapter announcements 
6:40pm – 7:30pm FoRMa for Secure Software Development, Kris Kahn, Seagate Technology 
7:35pm – 8:25pm JavaScript Attacks & Intranet Applications, Jeremiah Grossman, WhiteHat Security 
8:30pm – 9:00pm Open discussion & Networking 

'''Venue:''' 
San Jose Hyatt (Airport) 
1740 North First Street 
San Jose, CA 95112 

'''Framework of Risk Management & Analysis (FoRMA) for Secure Software Development''' 
'''''Presented by: Kris Kahn, Sr. Governance Analyst, Seagate Technology''''' 
'''Abstract:''' We frequently apply Risk Management concepts in our daily lives, whether it’s driving in the rain on the freeway, or crossing a busy intersection. It comes down to making a choice, taking a calculated risk to reach our objective. We decide quickly, making assumptions about the threats and about our environment. The lessons we learn from our failures help us make wiser decisions next time, if we survive.

Using a new Framework of Risk Management & Analysis (FoRMA) for Secure Software Development, we will be able to make better decisions by understanding our threats. FoRMA will help us ensure that we have the appropriate level of protection to maximize our business objectives, increasing quality and minimizing cost.

'''Bio:''' Kris Kahn, CISSP-ISSAP,ISSMP, CISA, OPSA, currently a Sr. Governance Analyst at Seagate Technology. Passionate about security for more than 15 years, also worked for companies in the San Francisco Bay Area that include Autodesk, and Best Internet Communications. A CISSP since 2001, his key contributions include firewall architectures, risk management models, security assessment methodologies, and security awareness training. Kris has expertise in offensive, defensive and governance facets of security.

'''JavaScript Attacks and Threats to Intranet Applications''' 
'''''Presented by: Jeremiah Grossman, Founder and CTO, WhiteHat Security''''' 
'''Abstract:''' Malicious JavaScript is capable of stealing cookies, capturing keystrokes, monitoring activity and planting root kits. Attackers are using JavaScript to hijack browser sessions to commit bank fraud, hack other websites, or post derogatory comments in a public forum – all without traces, tracks or warning sirens. Web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites.

Most assume while surfing the Web we are protected by firewalls that are isolated through private networks. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources.

The web browser of every user on an enterprise network becomes a stepping stone for intruders. During this presentation we'll demonstrate a wide variety of cutting-edge web application attack techniques and describe best practices for securing websites and users against these threats.

You’ll see

* Port scanning and attacking intranet devices using JavaScript
* Blind web server fingerprinting using unique URLs
* Discovery NAT'ed IP addresses with Java Applets
* Stealing web browser history with Cascading Style Sheets
* Best-practice defense measures for securing websites
* Essential habits for safe web surfing

'''Bio:''' Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security and responsible for web application security R&D and industry evangelism. Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and other industry events. Jeremiah been published in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Prior to WhiteHat, Mr. Grossman served as an information security officer at Yahoo!.

Please RSVP to via email [mailto:brian.bertacini@owasp.org Brian Bertacini] or call 408-979-0571

This event is co-sponsored by [http://www.appsecconsulting.com AppSec Consulting, Inc]. and [http://www.whitehatsec.com WhiteHat Security, Inc.]

San Jose

2006-06-29T04:31:39Z

Bbertacini: /* Next Meeting - Thursday, June 29, 2006 */

{{Chapter Template|chaptername=San Jose|extra=The chapter leader is [mailto:brian.bertacini@owasp.org Brian Bertacini]|mailinglistsite=http://lists.sourceforge.net/lists/listinfo/owasp-sanjose/}}

== Next Meeting - Thursday, June 29, 2006 ==
Open to the public, attendance is free

'''Agenda and Presentations:''' 
6:00pm – 6:30pm Check-in and reception (food & bev) 
6:30pm – 6:40pm Chapter announcements 
6:40pm – 7:30pm FoRMa for Secure Software Development, Kris Kahn, Seagate Technology 
7:35pm – 8:25pm JavaScript Attacks & Intranet Applications, Jeremiah Grossman, WhiteHat Security 
8:30pm – 9:00pm Open discussion & Networking 

'''Venue:''' 
San Jose Hyatt (Airport) 
1740 North First Street 
San Jose, CA 95112 

'''Framework of Risk Management & Analysis (FoRMA) for Secure Software Development''' 
'''''Presented by: Kris Kahn, Sr. Governance Analyst, Seagate Technology''''' 
'''Abstract:''' We frequently apply Risk Management concepts in our daily lives, whether it’s driving in the rain on the freeway, or crossing a busy intersection. It comes down to making a choice, taking a calculated risk to reach our objective. We decide quickly, making assumptions about the threats and about our environment. The lessons we learn from our failures help us make wiser decisions next time, if we survive.

Using a new Framework of Risk Management & Analysis (FoRMA) for Secure Software Development, we will be able to make better decisions by understanding our threats. FoRMA will help us ensure that we have the appropriate level of protection to maximize our business objectives, increasing quality and minimizing cost.

'''Bio:''' Kris Kahn, CISSP-ISSAP,ISSMP, CISA, OPSA, currently a Sr. Governance Analyst at Seagate Technology. Passionate about security for more than 15 years, also worked for companies in the San Francisco Bay Area that include Autodesk, and Best Internet Communications. A CISSP since 2001, his key contributions include firewall architectures, risk management models, security assessment methodologies, and security awareness training. Kris has expertise in offensive, defensive and governance facets of security.

'''JavaScript Attacks and Threats to Intranet Applications''' 
'''''Presented by: Jeremiah Grossman, Founder and CTO, WhiteHat Security''''' 
'''Abstract:''' Malicious JavaScript is capable of stealing cookies, capturing keystrokes, monitoring activity and planting root kits. Attackers are using JavaScript to hijack browser sessions to commit bank fraud, hack other websites, or post derogatory comments in a public forum – all without traces, tracks or warning sirens. Web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites.

Most assume while surfing the Web we are protected by firewalls that are isolated through private networks. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources.

The web browser of every user on an enterprise network becomes a stepping stone for intruders. During this presentation we'll demonstrate a wide variety of cutting-edge web application attack techniques and describe best practices for securing websites and users against these threats.

You’ll see

* Port scanning and attacking intranet devices using JavaScript
* Blind web server fingerprinting using unique URLs
* Discovery NAT'ed IP addresses with Java Applets
* Stealing web browser history with Cascading Style Sheets
* Best-practice defense measures for securing websites
* Essential habits for safe web surfing

'''Bio:''' Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security and responsible for web application security R&D and industry evangelism. Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and other industry events. Jeremiah been published in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Prior to WhiteHat, Mr. Grossman served as an information security officer at Yahoo!.

Please RSVP to via email [mailto://brian.bertacini@owasp.org Brian Bertacini] or call 408-979-0571

This event is co-sponsored by [http://www.appsecconsulting.com AppSec Consulting, Inc]. and [http://www.whitehatsec.com WhiteHat Security, Inc.]

San Jose

2006-06-19T20:15:47Z

Bbertacini: /* Next Meeting - Thursday, June 29, 2006 */

{{Chapter Template|chaptername=San Jose|leaderemail=brian.bertacini@owasp.org|leadername=Brian Bertacini|mailinglistsite=http://lists.sourceforge.net/lists/listinfo/owasp-sanjose/}}

== Next Meeting - Thursday, June 29, 2006 ==
Open to the public, attendance is free

'''Agenda and Presentations:''' 
6:00pm – 6:30pm Check-in and reception (food & bev) 
6:30pm – 6:40pm Chapter announcements 
6:40pm – 7:30pm FoRMa for Secure Software Development, Kris Kahn, Seagate Technology 
7:35pm – 8:25pm JavaScript Attacks & Intranet Applications, Jeremiah Grossman, WhiteHat Security 
8:30pm – 9:00pm Open discussion & Networking 

'''Venue:''' 
San Jose Hyatt (Airport) 
1740 North First Street 
San Jose, CA 95112 

'''Framework of Risk Management & Analysis (FoRMA) for Secure Software Development''' 
'''''Presented by: Kris Kahn, Sr. Governance Analyst, Seagate Technology''''' 
'''Abstract:''' We frequently apply Risk Management concepts in our daily lives, whether it’s driving in the rain on the freeway, or crossing a busy intersection. It comes down to making a choice, taking a calculated risk to reach our objective. We decide quickly, making assumptions about the threats and about our environment. The lessons we learn from our failures help us make wiser decisions next time, if we survive.

Using a new Framework of Risk Management & Analysis (FoRMA) for Secure Software Development, we will be able to make better decisions by understanding our threats. FoRMA will help us ensure that we have the appropriate level of protection to maximize our business objectives, increasing quality and minimizing cost.

'''Bio:''' Kris Kahn, CISSP-ISSAP,ISSMP, CISA, OPSA, currently a Sr. Governance Analyst at Seagate Technology. Passionate about security for more than 15 years, also worked for companies in the San Francisco Bay Area that include Autodesk, and Best Internet Communications. A CISSP since 2001, his key contributions include firewall architectures, risk management models, security assessment methodologies, and security awareness training. Kris has expertise in offensive, defensive and governance facets of security.

'''JavaScript Attacks and Threats to Intranet Applications''' 
'''''Presented by: Jeremiah Grossman, Founder and CTO, WhiteHat Security''''' 
'''Abstract:''' Malicious JavaScript is capable of stealing cookies, capturing keystrokes, monitoring activity and planting root kits. Attackers are using JavaScript to hijack browser sessions to commit bank fraud, hack other websites, or post derogatory comments in a public forum – all without traces, tracks or warning sirens. Web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites.

Most assume while surfing the Web we are protected by firewalls that are isolated through private networks. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite. Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources.

The web browser of every user on an enterprise network becomes a stepping stone for intruders. During this presentation we'll demonstrate a wide variety of cutting-edge web application attack techniques and describe best practices for securing websites and users against these threats.

You’ll see

* Port scanning and attacking intranet devices using JavaScript
* Blind web server fingerprinting using unique URLs
* Discovery NAT'ed IP addresses with Java Applets
* Stealing web browser history with Cascading Style Sheets
* Best-practice defense measures for securing websites
* Essential habits for safe web surfing

'''Bio:''' Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security and responsible for web application security R&D and industry evangelism. Mr. Grossman is a frequent speaker at the Black Hat Briefings, ISSA, ISACA, NASA, and other industry events. Jeremiah been published in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, Computerworld and BetaNews. Prior to WhiteHat, Mr. Grossman served as an information security officer at Yahoo!.

Please RSVP to via email [brian.bertacini@owasp.org] or call 408-979-0571

This event is co-sponsored by AppSec Consulting, Inc. and WhiteHat Security, Inc.

San Jose

2006-06-19T15:48:43Z

Bbertacini: /* '''Next Meeting - Thursday, June 29, 2006''' */

San Jose

2006-06-19T15:47:27Z

Bbertacini: /* '''Next Meeting - Thursday, June 29, 2006''' */

San Jose

2006-06-19T15:43:24Z

Bbertacini: /* Local News */