<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Blbroussard</id>
		<title>OWASP - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Blbroussard"/>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php/Special:Contributions/Blbroussard"/>
		<updated>2026-04-25T08:06:03Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.27.2</generator>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Austin&amp;diff=80212</id>
		<title>Austin</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Austin&amp;diff=80212"/>
				<updated>2010-03-19T20:35:35Z</updated>
		
		<summary type="html">&lt;p&gt;Blbroussard: added a section for whitepapers&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=Austin|extra=The chapter leadership includes: [mailto:josh.sokol@ni.com Josh Sokol, President], [mailto:wickett@gmail.com James Wickett, Vice President], [mailto:rich.vazquez@gmail.com Rich Vazquez, Communications Chair], [mailto:ggenung@denimgroup.com Greg Genung, Membership Chair], and the former chapter president is [mailto:cdewitt@indepthsec.com Cris Dewitt]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-austin|emailarchives=http://lists.owasp.org/pipermail/owasp-austin}}&lt;br /&gt;
&lt;br /&gt;
[http://austinowasp.ning.com/ Austin OWASP Ning Site]&lt;br /&gt;
&lt;br /&gt;
==== Chapter Meetings ====&lt;br /&gt;
&lt;br /&gt;
'''When:''' March 18, 2010, 5:00pm - 7:00pm&lt;br /&gt;
&lt;br /&gt;
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Denim Group)&lt;br /&gt;
&lt;br /&gt;
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' March 30, 2010, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Enterprise Application Security Practices: Real-world Tips and Techniques&lt;br /&gt;
&lt;br /&gt;
How can you re-energize your company’s or institution’s commitment to secure development practices as part of the SDLC, while keeping costs in check? Dell's Security Consulting team created an application security practice with the help of several internal teams in legal, enterprise architecture, vendor management, privacy, compliance, and network engineering. Team members Addison Lawrence, Chad Barker, and Mike Craigue will discuss some of the challenges and opportunities they have faced over the last three years, ramping from 27 project engagements in 2007, to 726 project engagements in 2009. In this session, we will discuss the creation of policies/standards, deploying a Security Development Lifecycle as an overlay to the SDLC, overcoming concerns of developers and business partners, and addressing global standardization issues. Also included: awareness/education/training, application security user groups, security consulting staff development, risk assessments, security reviews, threat modeling, source code scans, deployment scans, penetration testing, exception management, and executive escalations. Tell us what we might do to improve our program and increase our effectiveness; discuss how you could adapt parts of this approach to your own program.&lt;br /&gt;
&lt;br /&gt;
'''Who:''' Addison Lawrence, Chad Barker, and Mike Craigue (Dell, Inc.)&lt;br /&gt;
&lt;br /&gt;
Addison Lawrence has 10 years of experience at Dell with leadership responsibilities in database and data warehouse security, PCI, SOX, and Dell Services security.  He is a part of the Cloud Security Alliance team developing their Controls Matrix.  Previously he worked for 13 years at Mobil Oil (now ExxonMobil) as a software developer and DBA.  He holds an MBA from Texas A&amp;amp;M University and a BS in Computer Science from Texas A&amp;amp;M-Corpus Christi, and is a certified CISSP.&lt;br /&gt;
&lt;br /&gt;
Chad has worked at Dell for 10 years primarily in software development. Chad has led global development standardization initiatives including release management automation and static source code analysis. He holds a BS in Information Systems from the University of Texas at Arlington.&lt;br /&gt;
&lt;br /&gt;
Before joining Dell’s information security team 5 years ago, Mike worked as a database and web application developer at Dell and elsewhere in central Texas. He’s responsible for Dell’s application security strategy globally, and focuses primarily on Dell’s ecommerce site. He holds a PhD in Higher Education Administration / Finance from the University of Texas-Austin, and has the CISSP and CSSLP certifications.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: Josh Sokol (512) 619-6716.&lt;br /&gt;
&lt;br /&gt;
[http://austinowasp.ning.com/ RSVP on the Austin OWASP Ning Site]&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' April 22, 2010, 5:00pm - 7:00pm&lt;br /&gt;
&lt;br /&gt;
'''What: '''Austin Security Professionals Happy Hour (Sponsored by Fortify)&lt;br /&gt;
&lt;br /&gt;
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' April 27, 2010, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Automated vs. Manual Security: You can't filter The Stupid&lt;br /&gt;
&lt;br /&gt;
Everyone wants to stretch their security budget, and automated application security tools are an appealing choice for doing so. However, manual security testing isn’t going anywhere until the HAL application scanner comes online. This presentation will use often humorous, real-world examples to illustrate the relative strengths and weaknesses of automated solutions and manual techniques.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Automated tools have some strengths, namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks. However, automated solutions are far from perfect. There are entire classes of vulnerabilities that are theoretically impossible for automated software to detect. Examples include complex information leakage, race conditions, logic flaws, design flaws, and multistage process attacks. Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool. &lt;br /&gt;
&lt;br /&gt;
'''Who:''' Charles Henderson (Trustwave)&lt;br /&gt;
&lt;br /&gt;
Charles Henderson has been in the security industry for over 15 years and manages the Application Security Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing. &lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: Josh Sokol (512) 619-6716.&lt;br /&gt;
&lt;br /&gt;
[http://austinowasp.ning.com/ RSVP on the Austin OWASP Ning Site]&lt;br /&gt;
&lt;br /&gt;
== Future Speakers and Events ==&lt;br /&gt;
&lt;br /&gt;
April 22, 2010 - Austin Security Professionals Happy Hour (Sponsored by Fortify)&lt;br /&gt;
&lt;br /&gt;
April 27, 2010 - Anatomy of a Logic Flaw&lt;br /&gt;
&lt;br /&gt;
May 20, 2010 - Austin Security Professionals Happy Hour (Sponsored by BlueCoat)&lt;br /&gt;
&lt;br /&gt;
May 25, 2010 - Attacking Intranets from the Web Using DNS Rebinding (@ National Instruments)&lt;br /&gt;
&lt;br /&gt;
June 17, 2010 - Austin Security Professionals Happy Hour (Sponsored by WhiteHat Security)&lt;br /&gt;
&lt;br /&gt;
June 29, 2010 - Suggest a Topic (@ National Instruments)&lt;br /&gt;
&lt;br /&gt;
July 15, 2010 - Austin Security Professionals Happy Hour (Sponsored by Praetorian Group)&lt;br /&gt;
&lt;br /&gt;
July 27, 2010 - Suggest a Topic (@ National Instruments)&lt;br /&gt;
&lt;br /&gt;
August 12, 2010 (UNCONFIRMED) - Austin Security Professionals Happy Hour&lt;br /&gt;
&lt;br /&gt;
August 31, 2010 - Suggest a Topic (@ National Instruments)&lt;br /&gt;
&lt;br /&gt;
September 16, 2010 (UNCONFIRMED) - Austin Security Professionals Happy Hour&lt;br /&gt;
&lt;br /&gt;
September 28, 2010 - Suggest a Topic (@ National Instruments)&lt;br /&gt;
&lt;br /&gt;
October 14, 2010 (UNCONFIRMED) - Austin Security Professionals Happy Hour&lt;br /&gt;
&lt;br /&gt;
October 26, 2010 - Suggest a Topic (@ National Instruments)&lt;br /&gt;
&lt;br /&gt;
November 2010 - No Meeting (Happy Holidays!)&lt;br /&gt;
&lt;br /&gt;
December 2010 - No Meeting (Happy Holidays!)&lt;br /&gt;
&lt;br /&gt;
==== Record Hall of Meetings ====&lt;br /&gt;
&lt;br /&gt;
'''When:''' February 23, 2010, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Advanced Persistent Threat - What Does it Mean for Application Security?&lt;br /&gt;
&lt;br /&gt;
Targeted attacks, slow moving malware, foreign intelligence/government sponsored hackers, corporate/industrial espionage – all fun and games?  Not really.  These vectors are occurring today, and the threat vector has bled into the application space.  What do you have to contend with once it passes through the firewall?&lt;br /&gt;
&lt;br /&gt;
'''Who:''' Matt Pour (Blue Coat Systems)&lt;br /&gt;
&lt;br /&gt;
Matt is a Systems Engineer for Blue Coat Systems.  Utilizing over ten years of information security experience, Matt provides subject matter expertise of ensuring security effectiveness while addressing business controls and requirements to a multitude of industries regardless of size and scope.  Previous to Blue Coat Systems, Matt Pour was a Security Solutions Architect and X-Force Field Engineer for IBM ISS.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: Josh Sokol (512) 619-6716.&lt;br /&gt;
&lt;br /&gt;
[http://austinowasp.ning.com/ RSVP on the Austin OWASP Ning Site]&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' February 11, 2010, 5:00pm - 7:00pm&lt;br /&gt;
&lt;br /&gt;
'''What: '''Austin Security Executives Happy Hour (Sponsored by WhiteHat Security)&lt;br /&gt;
&lt;br /&gt;
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' January 26, 2010, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Reducing Your Data Security Risk Through Tokenization&lt;br /&gt;
&lt;br /&gt;
The first Austin OWASP meeting of the year is on a really interesting topic that many of you have probably never thought about: Tokenization.  The concept is simple...use tokens to represent your data instead of passing around the data itself.  For example, why would you give a customer account representative a full credit card number when all they need to do their job is the last four digits?  Using tokenization, we are able to reduce the data security risk by limiting the number of systems that actually store the data.  This greatly simplifies audits for regulations like SOX, HIPAA, and PCI DSS.  This presentation will cover the business drivers for data protection, what tokenization is, and how to implement it.  If your organization has data to protect, then you're going to want to check out this presentation. &lt;br /&gt;
&lt;br /&gt;
'''Who:''' Josh Sokol (National Instruments)&lt;br /&gt;
&lt;br /&gt;
Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments. In his current role, Josh provides expertise in topics such as web application availability, performance, and security. Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog]. &lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: Josh Sokol (512) 619-6716.&lt;br /&gt;
&lt;br /&gt;
[http://austinowasp.ning.com/ RSVP on the Austin OWASP Ning Site]&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' January 14, 2010, 5:00pm - 7:00pm&lt;br /&gt;
&lt;br /&gt;
'''What: '''Austin Security Executives Happy Hour&lt;br /&gt;
&lt;br /&gt;
'''Where:''' Sherlock's (9012 Research Blvd, Austin, TX 78757)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' November 17, 2009, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Tracking the progress of an SDL program: lessons from the gym&lt;br /&gt;
&lt;br /&gt;
Forcing muscle growth is a long process which requires high intensity  &lt;br /&gt;
weight training and high mental concentration. While the ultimate goal is  &lt;br /&gt;
often clear, one of the greatest mistakes bodybuilders consistently make is  &lt;br /&gt;
to overlook the importance of tracking their weight lifting progress.&lt;br /&gt;
&lt;br /&gt;
Like a successful bodybuilding workout, a security development lifecycle  &lt;br /&gt;
program must consistently log simple to obtain, yet meaningful metrics  &lt;br /&gt;
throughout the entire process. Good metrics must lack subjectivity and  &lt;br /&gt;
clearly aid decision makers to determine areas that need improvement. In  &lt;br /&gt;
this presentation we’ll discuss metrics used to classify and appropriately  &lt;br /&gt;
compare security vulnerabilities found in different phases of the SDL by  &lt;br /&gt;
different teams working in different locations and in different products.  &lt;br /&gt;
We’ll also discuss how to easily provide decision makers different views of  &lt;br /&gt;
the same data and verify whether the process is indeed catching critical  &lt;br /&gt;
vulnerabilities internally.&lt;br /&gt;
&lt;br /&gt;
'''Who:''' Cassio Goldschmidt (Symantec)&lt;br /&gt;
&lt;br /&gt;
Cassio Goldschmidt is senior manager of the product security team under the  &lt;br /&gt;
Office of the CTO at Symantec Corporation. In this role he leads efforts  &lt;br /&gt;
across the company to ensure the secure development of software products.  &lt;br /&gt;
His responsibilities include managing Symantec’s internal secure software  &lt;br /&gt;
development process, training, threat modeling and penetration testing.  &lt;br /&gt;
Cassio’s background includes over 12 years of technical and managerial  &lt;br /&gt;
experience in the software industry. During the six years he has been with  &lt;br /&gt;
Symantec, he has helped to architect, design and develop several top  &lt;br /&gt;
selling product releases, conducted numerous security classes, and  &lt;br /&gt;
coordinated various penetration tests.&lt;br /&gt;
&lt;br /&gt;
Cassio represents Symantec on the SAFECode technical committee and (ISC)2  &lt;br /&gt;
in the development of the CSSLP certification. He holds a bachelor's degree  &lt;br /&gt;
in computer science from Pontificia Universidade Catolica do Rio Grande Do  &lt;br /&gt;
Sul, a master's degree in software engineering from Santa Clara University,  &lt;br /&gt;
and a master of business administration from the University of Southern  &lt;br /&gt;
California.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: James Wickett 512-964-6227.&lt;br /&gt;
&lt;br /&gt;
[http://austinowasp.ning.com/ RSVP on the Austin OWASP Ning Site]&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' October 27, 2009, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Vulnerability Management In An Application Security World&lt;br /&gt;
&lt;br /&gt;
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk.  Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules.  In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams.  Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.&lt;br /&gt;
&lt;br /&gt;
'''Who:''' Dan Cornell (Denim Group)&lt;br /&gt;
&lt;br /&gt;
Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.&lt;br /&gt;
&lt;br /&gt;
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the San Antonio chapter leader of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, OWASP's open source tool for assessing the security of AJAX-enabled web applications.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: James Wickett 512-964-6227.&lt;br /&gt;
&lt;br /&gt;
[http://austinowasp.ning.com/ RSVP on the Austin OWASP Ning Site]&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' September 29, 2009, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' OWASP ROI: Optimize Security Spending using OWASP&lt;br /&gt;
&lt;br /&gt;
Considering the current economic times, security spending is tighter than ever.  This presentation will cover the Open Web Application Security Project (OWASP) projects and how they can improve your application security posture in a budget-friendly way.  OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.  The OWASP Foundation is a not-for-profit entity and provides unbiased, practical, cost-effective information about application security.  Projects covered include the OWASP Top 10, OWASP Testing Guide,  Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Application Security Desk Reference (ASDR) and others.  A case study of a specific company's success with implementing OWASP methodologies and tools will also be provided.  In this case study the company realized annual reduction in spending of several hundred thousand dollars.&lt;br /&gt;
&lt;br /&gt;
'''Who:''' Matt Tesauro&lt;br /&gt;
&lt;br /&gt;
Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester.  Matt also taught graduate and undergraduate classes on web application development and XML at the Texas A&amp;amp;M Mays Business School. Currently, he's focused on web application security, developing a Secure SDLC and launching a two-year application security program for Texas Education Agency (TEA). Outside work, he is the project lead for the OWASP Live CD, a member of the OWASP Global Tools and Projects Committee, part of the local OWASP chapters leadership and the membership directory of ISSA of Austin, Tx.   Matt Tesauro has a B.S. in Economics and an M.S. in Management Information Systems from Texas A&amp;amp;M University.  He also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: James Wickett 512-964-6227.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' August 25, 2009, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Threat Modeling&lt;br /&gt;
&lt;br /&gt;
In this talk, Michael will discuss Microsoft SDL Threat Modeling, how to apply it to design more secure applications and finally, will show a demo and hold a short lab exercise.&lt;br /&gt;
&lt;br /&gt;
'''Who:''' Michael Howard, Principal Security Program Manager, Microsoft's Security Engineering Team&lt;br /&gt;
&lt;br /&gt;
Michael Howard is a principal security program manager on the Trustworthy Computing (TwC) Group’s Security Engineering team at Microsoft, where he is responsible for managing secure design, programming, and testing techniques across the company. Howard is an architect of the Security Development Lifecycle (SDL), a process for improving the security of Microsoft’s software. &lt;br /&gt;
 &lt;br /&gt;
Howard began his career with Microsoft in 1992 at the company’s New Zealand office, working for the first two years with Windows and compilers on the Product Support Services team, and then with Microsoft Consulting Services, where he provided security infrastructure support to customers and assisted in the design of custom solutions and development of software. In 1997, Howard moved to the United States to work for the Windows division on Internet Information Services, Microsoft’s next-generation web server, before moving to his current role in 2000.&lt;br /&gt;
&lt;br /&gt;
Howard is an editor of IEEE Security &amp;amp; Privacy, a frequent speaker at security-related conferences, and he regularly publishes articles on secure coding and design. Howard is the co-author of six security books, including the award-winning Writing Secure Code, 19 Deadly Sins of Software Security, The Security Development Lifecycle and his most recent release, Writing Secure Code for Windows Vista.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: James Wickett 512-964-6227.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' July 28, 2009, 3:30pm - 5:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Slowloris: A DOS tool for Apache&lt;br /&gt;
&lt;br /&gt;
Slowloris was designed and developed as a low bandwidth denial of service tool to take advantage of an architectural design flaw in Apache web servers.  It was quickly picked up and used by Iranian government protesters.  This speech will cover the technical issues around the design flaw, and the events prior to, during and since the release of the tool.&lt;br /&gt;
&lt;br /&gt;
'''Who:''' RSnake, Robert Hansen, CEO of SecTheory, ha.ckers.org &lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: James Wickett 512-964-6227.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' June 25, 2009, 5:00pm - 8:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' OWASP/ISSA/ISACA June Happy Hour Sponsored by VMWare!!!&lt;br /&gt;
&lt;br /&gt;
'''Where:''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' June 30, 2009, 3:30pm - 5:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Web 2.0 Cryptology - A Study in Failure&lt;br /&gt;
&lt;br /&gt;
'''Who:''' Travis&lt;br /&gt;
&lt;br /&gt;
'''Travis's Bio:''' Travis H. is a jack-of-all-trades and independent security&lt;br /&gt;
enthusiast.  He has worked in the AFCERT looking for intrusions into&lt;br /&gt;
Air Force computers, and handled application security and cryptography&lt;br /&gt;
issues for Paypal.  He is currently a programmer for Giganews in&lt;br /&gt;
Austin.  He is also the author of an online book on security called&lt;br /&gt;
&amp;quot;Security Concepts&amp;quot;, located here:&lt;br /&gt;
&lt;br /&gt;
http://www.subspacefield.org/security/security_concepts.html&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' May 26, 2009, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Clickjack This! &lt;br /&gt;
&lt;br /&gt;
This speech will cover clickjacking - one of the most obscure client side hacking techniques.  After the speech at the world OWASP conference was canceled due to Adobe asking for more time to construct a patch, Robert Hansen never ended up doing a complete speech on the topic.  This presentation will cover some of the history of how this exploit came to be, how it works, and how it eventually turned into real world weaponized code.&lt;br /&gt;
&lt;br /&gt;
'''Who:''' RSnake, Robert Hansen, CEO of SecTheory, ha.ckers.org &lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: James Wickett 512-964-6227.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' April 28, 2009, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Architecting Secure Web Systems&lt;br /&gt;
&lt;br /&gt;
For this month's presentation, we diverge from the typical OWASP topics of writing secure code, testing to make sure your code is secure, and other code related topics and delve into the process of actually architecting a secure web application from the ground up.  We'll start with some basic n-tier architecture (web vs app vs DB), throw in some firewall and DMZ concepts, then talk about server hardening with client firewalls (iptables), disabling services, and other techniques.  Whether you're a code monkey wondering how the rest of the world works, a security guy trying to figure out what you're missing, or an auditor just trying to understand how the pieces fit together, this presentation is for you.&lt;br /&gt;
&lt;br /&gt;
'''Who:''' Josh Sokol&lt;br /&gt;
&lt;br /&gt;
'''Josh's Bio:''' Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002.  Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments.  In his current role, Josh provides expertise in topics such as web application availability, performance, and security.  Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog] and recently presented at the TRISC 2009 Conference.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' April 23rd, 2009, 5:00pm - 7:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' OWASP April Happy Hour&lt;br /&gt;
&lt;br /&gt;
'''Where: ''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' March 31, 2009, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' PCI Compliance and Web App Security&lt;br /&gt;
&lt;br /&gt;
The purpose of this presentation is to give an objective view of PCI Compliance including the good, the bad and the ugly.&lt;br /&gt;
&lt;br /&gt;
Topics covered include:&lt;br /&gt;
&lt;br /&gt;
      What does an ASV really do.&lt;br /&gt;
&lt;br /&gt;
      What does a QSA really do.&lt;br /&gt;
&lt;br /&gt;
      What does an ASV scan really pick up.&lt;br /&gt;
&lt;br /&gt;
      Are you really secure when you are compliant.&lt;br /&gt;
&lt;br /&gt;
      A product neutral look at how to get the most out of your compliance push.&lt;br /&gt;
&lt;br /&gt;
'''Who:''' Fritz has more than five years of experience in offensive and defensive security practices and strategies. Since 2006 Fritz has been dedicated to managing PCI Data Security Standards (PCI DSS) for ControlScan as well as helping to develop products and services that are designed to make it easier for small merchants to complete and maintain compliance and long term security best practices. Fritz also authors regular security briefings on [http://www.pcicomplianceguide.org/ www.pcicomplianceguide.org] and addresses the &amp;quot;Ask the Expert&amp;quot; questions on the site.&lt;br /&gt;
&lt;br /&gt;
Fritz is a member of the Application Security Group of the SPSP (The Society of Payment Security Professionals), a participant on the PCI Knowledge Base's Panel of Experts and is a Certified Information Systems Security Professional (CISSP).&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' February 24, 2009, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Web Application Security in the Airline Industry: Stealing the Airlines’ Online Data&lt;br /&gt;
&lt;br /&gt;
In this session, attendees will learn about the types of airline data that are at risk of being stolen by online data thieves. In addition, the following topics will be further explored:&lt;br /&gt;
&lt;br /&gt;
1. Important attack scenarios and Web-based vulnerabilities accompanied by examples of how these attacks can be mitigated by deploying comprehensive defense solutions;&lt;br /&gt;
&lt;br /&gt;
2. Protection strategies and tools, such as Web application scanners and Web application firewalls, which help equalize the gap between the advanced Web hacker and the security professional; and&lt;br /&gt;
&lt;br /&gt;
3. Compliance and Software development life cycle approaches.&lt;br /&gt;
&lt;br /&gt;
Following the September 11 attacks, the airline industry recognized its need to ‘webify’ online ticket reservation systems, crew scheduling, and passenger profiles in order to enhance operational efficiency. This ultimately served to decrease the airlines’ operating costs, thereby increasing their operating profits. However, the following questions remain: At what costs? What are the information systems and customer data security risks associated with the airline ‘webification’ process?&lt;br /&gt;
&lt;br /&gt;
Please join in this presentation, which will outline some of the challenges that members of the airlines industry may face when attempting to protect their online services. Additionally, attendees will discover methodologies that airlines may utilize to identify, assess, and protect against the various risks associated with Web-based application attacks.&lt;br /&gt;
&lt;br /&gt;
'''Who:''' Quincy Jackson&lt;br /&gt;
&lt;br /&gt;
Quincy Jackson, a CISSP and Certified Ethical Hacker, has more than 15 years of experience in the Information Technology (“IT”) profession, which includes 8 years in Information Security. In addition, Quincy has 15 years in the aviation industry. His career in the aviation industry began in the United States Army as an Avionics System Specialist. Quincy began to explore his passion for IT Security as Sr. Manager - Information Security for Continental Airlines. Over his 8-year tenure at Continental Airlines, Quincy was instrumental in the development of the Company’s first Information Security Program. Quincy currently serves as the IT Security Manager for Universal Weather and Aviation, Inc. (“UWA”). UWA provides business aviation operators various aviation support services, including flight coordination, ground handling, fuel arrangement and coordination, online services, and weather briefings. Quincy enjoys both learning about and sharing his knowledge of Web application security with others, including ISSA and OWASP members.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' March 26th, 2009, 5:00pm - 7:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' OWASP March Happy Hour&lt;br /&gt;
&lt;br /&gt;
'''Where: ''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' February 5th, 2009, 5:00pm - 7:00pm &lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' OWASP Live CD Release Party&lt;br /&gt;
&lt;br /&gt;
'''Where: ''' Sherlock's in Austin (183 and Burnet area near Furniture Row) - See http://austinowasp.ning.com/ for more info&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' January 27, 2009, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Cross-Site Request Forgery attacks and mitigation in domain vulnerable to Cross-Site Scripting.&lt;br /&gt;
&lt;br /&gt;
The presentation will include the following topics in addition to a hands-on demonstration for each portion of the talk:&lt;br /&gt;
 &lt;br /&gt;
1. The statelessness of the internet&lt;br /&gt;
&lt;br /&gt;
2. How the naive attack works&lt;br /&gt;
&lt;br /&gt;
3. A mitigation strategy against this naive attack&lt;br /&gt;
&lt;br /&gt;
4. A combined CSRF/XSS attack that defeats this mitigation strategy&lt;br /&gt;
&lt;br /&gt;
5. And finally suggestions for mitigation of the combined attack&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Who:''' Ben L Broussard&lt;br /&gt;
&lt;br /&gt;
I am new in the world of Web App security; my passion started when I took a continuing education class related to Web App security. My background is in Number Theory with an emphasis in Cryptography and especially Cryptanalysis. I am an avid puzzler, taking 2nd place (along with my teammates) at UT in this year's Microsoft College Puzzle Challenge. I am currently a developer (database and web apps) for the Accounting department of The University of Texas at Austin.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' October 28, 2008, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Who:''' Josh Sokol&lt;br /&gt;
&lt;br /&gt;
Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002.  Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments.  In his current role, Josh provides expertise in topics such as web application availability, performance, and security.  Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog].&lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Using Proxies to Secure Applications and More&lt;br /&gt;
&lt;br /&gt;
The last Austin OWASP presentation of the year is a must see for anyone responsible for the security of a web application.  It is a demonstration of the various types of proxy software and their uses.  We've all heard about WebScarab, BurpSuite, RatProxy, or Paros but how familiar are you with actually using them to inspect for web security issues?  Did you know that you can use RatProxy for W3C compliance validation?  By the time you leave this presentation, you will be able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired.  &lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' September 30, 2008, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Who:''' Josh Sokol&lt;br /&gt;
&lt;br /&gt;
'''Josh's Bio:''' Josh Sokol graduated from the University of Texas at Austin with a BS in Computer Science in 2002.  Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as a Web Systems Administrator at National Instruments.  In his current role, Josh provides expertise in topics such as web application availability, performance, and security.  Josh is also a frequent contributor on the [http://www.webadminblog.com Web Admin Blog].&lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' OWASP AppSec NYC Conference 2008&lt;br /&gt;
&lt;br /&gt;
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance.  The stairs are located on the West Side of the building, just north of the main entrance.  There is no access to the Plaza level from inside the store.&lt;br /&gt;
&lt;br /&gt;
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods]. &lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' August 26th, 2008, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Who:''' Matt Tesauro&lt;br /&gt;
&lt;br /&gt;
Matt's Bio: Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the topic of this talk: OWASP Live CD 2008.&lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' OWASP Live CD 2008 - An OWASP Summer of Code Project&lt;br /&gt;
&lt;br /&gt;
The OWASP Live CD 2008 project is an OWASP SoC project to update the previously created OWASP 2007 Live CD.  As the project lead, I'll show you the latest version of the Live CD and discuss where it's been and where it's going.  Some of the design goals include:&lt;br /&gt;
# easy for the users to keep the tools updated&lt;br /&gt;
# easy for the project lead to keep the tools updated&lt;br /&gt;
# easy to produce releases (I'm thinking quarterly releases)&lt;br /&gt;
# focused on just web application testing - not general Pen Testing&lt;br /&gt;
&lt;br /&gt;
OWASP Project Page:&lt;br /&gt;
http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project&lt;br /&gt;
&lt;br /&gt;
Project Wiki:&lt;br /&gt;
http://mtesauro.com/livecd/&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' July 29th, 2008, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Who:''' Whurley and Mando&lt;br /&gt;
&lt;br /&gt;
William Hurley is the Chief Architect of Open Source Strategy at BMC Software, Inc. Also known as &amp;quot;whurley&amp;quot;, he is responsible for creating BMC's open source agenda and overseeing the company's participation in various free and open source software communities to advance the adoption and integration of BSM solutions. A technology visionary and holder of 11 important patents, whurley brings 16 years of experience in developing groundbreaking technology. He is the Chairman of the Open Management Consortium, a non-profit organization advancing the adoption, development, and integration of open source systems management. Named an IBM Master Inventor, whurley has received numerous awards including an IBM Pervasive Computing Award and Apple Computer Design Award.&lt;br /&gt;
&lt;br /&gt;
Mando Escamilla is the Chief Software Architect at Symbiot, Inc.  He is responsible for the technical vision and architecture for the Symbiot product line as well as the technical direction for the openSIMS project.  He stands (mostly firmly) on the shoulders of giants at Symbiot and he hopes to not embarrass himself.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' The rebirth of openSIMS http://opensims.sourceforge.net Correlation, visualization, and remediation with a network effect&lt;br /&gt;
&lt;br /&gt;
OpenSIMS has a sordid history. The project was originally a way for tying together the open source tools used for security management into a common infrastructure. Then the team added a real-time RIA for a new kind of analysis and visualization of enterprise network security (winning them an Apple Design Award in 2004). Then out of nowhere the project went dark. Now, Mando Escamilla (Symbiot/openSIMS) and whurley give you a look at the future of openSIMS as a services layer and explain why community centric security is valuable to your enterprise.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance.  The stairs are located on the West Side of the building, just north of the main entrance.  There is no access to the Plaza level from inside the store.&lt;br /&gt;
&lt;br /&gt;
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods]. &lt;br /&gt;
&lt;br /&gt;
'''Cost:''' Always Free&lt;br /&gt;
&lt;br /&gt;
'''Questions or help with Directions...''' call: Scott Foster 512-637-9824.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' June 24th, 2008, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Who:''' Matt Tesauro (presenting) and A.J. Scotka, Texas Education Agency&lt;br /&gt;
&lt;br /&gt;
Matt's Bio:  Matt Tesauro has worked in web application development and&lt;br /&gt;
security since 2000.  He's worn many different hats, from developer to&lt;br /&gt;
DBA to sys admin to university lecturer to pen tester.  Currently, he's&lt;br /&gt;
focused on web application security and developing a Secure SDLC for&lt;br /&gt;
TEA.  Outside work, he is the project lead for the OWASP SoC Live CD&lt;br /&gt;
project: https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#OWASP_Live_CD_2008_Project&lt;br /&gt;
&lt;br /&gt;
A.J.'s Bio:  A. J. Scotka, Senior Software Quality Engineer, Texas&lt;br /&gt;
Education Agency&lt;br /&gt;
As an ASQ Certified Software Quality Engineer (CSQE), A. J. is currently&lt;br /&gt;
responsible for quality reviews on design and code, software&lt;br /&gt;
configuration management process, build engineering process, release&lt;br /&gt;
engineering process, verification and validation throughout the life&lt;br /&gt;
cycle and overall quality improvement across all areas of enterprise&lt;br /&gt;
code manufacturing. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Topic: ''' Securely Handling Sensitive Configuration Data.&lt;br /&gt;
&lt;br /&gt;
One of the age old problems with web applications was keeping sensitive&lt;br /&gt;
data available on a need to know basis.  The classic case of this is&lt;br /&gt;
database credentials.  The application needs them to connect to the&lt;br /&gt;
database but developers shouldn't have direct access to the DB -&lt;br /&gt;
particularly the production DB.  The presentation will discuss how we&lt;br /&gt;
took on this specific problem, our determination that this was a&lt;br /&gt;
specific case of a more general problem and how we solved that general&lt;br /&gt;
problem.  In our solution, sensitive data is only available to the&lt;br /&gt;
application and trusted 3rd parties (e.g. DBAs).  We will then cover our&lt;br /&gt;
implementation of that solution in a .Net 2.0 environment and discuss&lt;br /&gt;
some options for J2EE environments.  So far, we used our .Net solution&lt;br /&gt;
successfully for database credentials and private encryption keys used&lt;br /&gt;
in XML-DSig.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' May 27th, 2008, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Who:''' Nathan Sportsman and Praveen Kalamegham, Web Services Security&lt;br /&gt;
&lt;br /&gt;
'''Topic: '''Web Services Security&lt;br /&gt;
The concept of web services has become ubiquitous over the last few years.  Frameworks are now available across many platforms and languages to greatly ease and expedite the development of web services, often with a vast amount of existing code reuse.  Software companies are taking advantage of this by integrating this technology into their products giving increased power and interoperability to their customers.  However, the power web services enable also introduces new risks to an environment. As with web applications, development has outpaced the understanding and mitigation of vulnerabilities that arise from this emerging technology.  This presentation will first aim to identify the risks associated with web services.  We will describe the existing security standards and technologies which target web services (i.e., WS-Security) including its history, pros and cons, and current status.  Finally we will attempt to extrapolate the future of this space to determine what changes must be made going forward.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance.  The stairs are located on the West Side of the building, just north of the main entrance.  There is no access to the Plaza level from inside the store.&lt;br /&gt;
&lt;br /&gt;
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' April 29th, 2008, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Who:''' Mano Paul&lt;br /&gt;
&lt;br /&gt;
Bio&lt;br /&gt;
Manoranjan (Mano) Paul started his career as a Shark Researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with a 4.0 GPA and valedictory accolades. Partnering with (ISC)2, the global leader in information security certification and education, he founded and serves as the President &amp;amp; CEO of Express Certifications, a professional certification assessment and training company whose product (studISCope) is (ISC)2’s OFFICIAL self assessment offering for renowned security certifications like the CISSP® and SSCP®. Express Certifications is also the self assessment testing engine behind the US Department of Defense certification education program as mandated by the 8570.1 directive. &lt;br /&gt;
He also founded and serves as the CEO of SecuRisk Solutions, a company that specializes in three areas of information security - Product Development, Consulting, and Awareness, Training &amp;amp; Education.&lt;br /&gt;
&lt;br /&gt;
'''What:''' Security – The Road Less Travelled&lt;br /&gt;
 &lt;br /&gt;
Abstract -&lt;br /&gt;
What do you think Shakespeare had to say about Software Security? What does a naked motorist have to do with Confidentiality? What does the Jungle Book character Baloo have to say about Security Essentials (The Bear Bare Necessities of Life security)? What does the African Wildlife have to do with Security Concepts? What does pH have to do with Security? and more …&lt;br /&gt;
The Road Less Travelled by renowned poet, Robert Frost ends with the statement “And that has made all the difference”. Come to find out the answers to the questions above and see what it takes to look at Security from a different perspective, that would make ALL the difference. The session will cover not only the higher level abstractions of security concepts, but will dive deep wherever applicable into concepts and code, making it a MUST attend for Development, QA, PM and Management Staff on both the IT and Business side. &lt;br /&gt;
Also, if you are interested in becoming a CISSP® or SSCP®, come find out about the official (ISC)2 self-assessment tool developed by Express Certifications to aid candidates in their study efforts and how you can get valuable discounts.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' March 25th, 2008, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Who:''' Dan Cornell, Principal of Denim Group, Ltd., OWASP San Antonio Leader, Creator of Sprajax&lt;br /&gt;
&lt;br /&gt;
Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.&lt;br /&gt;
&lt;br /&gt;
'''Topic: '''Static Analysis Techniques for Testing Application Security&lt;br /&gt;
&lt;br /&gt;
Static Analysis of software refers to examining source code and other software artifacts without executing them.   This presentation looks at how these techniques can be used to identify security defects in applications.  Approaches examined will range from simple keyword search methods used to identify calls to banned functions through more sophisticated data flow analysis used to identify more complicated issues such as injection flaws.  In addition, a demonstration will be given of two freely-available static analysis tools: FindBugs for the Java platform and FXCop for the .NET platform.  Finally, some approaches will be presented on how organizations can start using static analysis tools as part of their development and quality assurance processes.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance.  The stairs are located on the West Side of the building, just north of the main entrance.  There is no access to the Plaza level from inside the store.&lt;br /&gt;
&lt;br /&gt;
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' February 26th, 2008 - Michael Howard, Author of Writing Secure Code&lt;br /&gt;
&lt;br /&gt;
'''Topic: '''Microsoft's SDL: A Deep Dive&lt;br /&gt;
&lt;br /&gt;
In this presentation, Michael will explain some of the inner workings of the SDL as well as some of the decision making process that went into some of the SDL requirements. He will also explain where SDL can be improved.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
January 29th, 2008 - Mark Palmer, Hoovers and Geoff Mueller, NI @ WHOLE FOODS, Downtown&lt;br /&gt;
&lt;br /&gt;
'''Where:''' Whole Foods, 550 Bowie Street, Austin, TX 78703.  Come to the Whole Foods plaza level and sign in with receptionist. To get to the plaza take the stairs from the main entrance.  The stairs are located on the West Side of the building, just north of the main entrance.  There is no access to the Plaza level from inside the store.&lt;br /&gt;
&lt;br /&gt;
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''When:''' December 4th, 2007, 11:30am - 1:00pm &lt;br /&gt;
&lt;br /&gt;
'''Who:''' Jeremiah Grossman (WhiteHat Security, CTO, OWASP Founder, Security Blogger)&lt;br /&gt;
&lt;br /&gt;
'''Topic: Business Logic Flaws'''&lt;br /&gt;
&lt;br /&gt;
Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend them. Plus, the more sophisticated and Web 2.0 feature-rich a website, the more prone it is to have flaws in business logic.&lt;br /&gt;
&lt;br /&gt;
This presentation will provide real-world demonstrations of how pernicious and dangerous business logic flaws are to the security of a website. He’ll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.&lt;br /&gt;
&lt;br /&gt;
'''Where:''' National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''November 27th, 2007 Austin OWASP chapter meeting''' - Robert Hansen (SecTheory.com, ha.ckers.org; regarded as an expert in Web Application Security)&lt;br /&gt;
&lt;br /&gt;
Robert will be talking about different ways to de-anonymize  and track users both from an offensive and defensive standpoint.  He will discuss how the giants of the industry do it and next generation tactics alike.&lt;br /&gt;
&lt;br /&gt;
Whole Foods, 550 Bowie Street, Austin, TX 78703.  Come to the Whole Foods plaza level and sign in with receptionist. &lt;br /&gt;
See [http://tinylink.com/?chLCAmvxKA directions to Whole Foods].&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''October 2007 Austin OWASP chapter meeting ''' October 30th, 11:30am - 1:00pm at National Instruments&lt;br /&gt;
&amp;quot;Social networking&amp;quot; - Social networking is exploding with ways to create your own social networks. As communities move more and more online and new types of communities start to form, what are some of the security concerns that we have and might face in the future? by Rich Vázquez, and Tom Brown. &lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''September 2007 Austin OWASP chapter meeting''' - Tue, September 25, 2007 11:30 AM – 1:00 PM at Whole Foods, 550 Bowie Street, Austin&lt;br /&gt;
&amp;quot;Biting the hand that feeds you&amp;quot; - A presentation on hosting malicious content under well-known domains to gain a victim's confidence.&lt;br /&gt;
&amp;quot;Virtual World, Real Hacking&amp;quot; - A presentation on &amp;quot;Virtual Economies&amp;quot; and game hacking. &lt;br /&gt;
&amp;quot;Covert Debugging - Circumventing Software Armoring techniques&amp;quot; - A presentation on advanced techniques automating and analyzing malicious code. &lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''August 2007 Austin OWASP chapter meeting''' - '''8/28,''' 11:30am - 1:00pm at National Instruments. Josh Sokol presented on OWASP Testing Framework and how to use it, along with free and Open Source tools, in a live and interactive demonstration of web site penetration testing.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''July 2007 Austin OWASP chapter meeting''' - '''7/31,''' 11:30am - 1:00pm at Whole Foods. Dan Cornell will be presenting on Cross Site Request Forgery&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''June 2007 Austin OWASP chapter meeting''' - 6/26, 11:30am - 1:00pm at National Instruments.  &lt;br /&gt;
[http://www.stokescigar.com James Wickett] from Stokes [http://www.stokescigar.com Cigar] Club presented on the OWASP Top 10 and using Web Application Scanners to detect vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''May 2007 Austin OWASP chapter meeting''' - 5/29, &amp;quot;Bullet Proof UI - A programmer's guide to the complete idiot&amp;quot;. Robert will be talking about ways to secure a web-app from aggressive attackers and the unwashed masses alike. &lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''April 2007 Austin OWASP chapter meeting''' - 4/24, 11:30am - 1:00pm at National Instruments.  H.D. Moore (creator of Metasploit) will be presenting.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''March 2007 Austin OWASP chapter meeting''' - 3/27, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C which is the tallest building on campus (8 levels).  There will be signs posted in the lobby to direct you where to go and the receptionists will be able to assist you as well. See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments].&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
[[January 2007 Austin Chapter Meeting]] - 1/30, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S15.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
&amp;lt;b&amp;gt;December Meeting&amp;lt;/b&amp;gt; - Due to the holidays, there will be no December OWASP meeting. However, we are looking for speakers for the January meeting. If you or anyone you know would be a good candidate, let us know! Happy Holidays! &lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
[[November 2006 Austin Chapter Meeting]] - 11/21, 11:30am - 1:00pm at National Instruments, 11500 N Mopac, Building C Conference Room 1S14.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
[[October 2006 Austin Chapter Meeting]] - 10/31 - Boo!&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
[[September 2006 Austin Chapter Meeting]] - 9/26, 12-1:00 at Texas ACCESS Alliance building located at the intersection of IH-35 South and Ben White&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
[[August 2006 Austin Chapter Meeting]] - Tuesday- 8/29, 11:30-1:30 on the National Instruments campus, Mopac B (the middle building), conference room 112 (in the Human Resources area to the left of the receptionist). See [http://maps.google.com/maps?f=q&amp;amp;hl=en&amp;amp;q=11500+N+Mo-Pac+Expy,+Austin,+TX+78759&amp;amp;ie=UTF8&amp;amp;ll=30.406377,-97.726135&amp;amp;spn=0.017211,0.036778&amp;amp;om=1 directions to National Instruments]. ''Hint:'' It is on your left on Mopac if you were heading up to Fry's from Austin.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''Austin OWASP chapter kickoff meeting''' - Thursday, 7/27, 12-2pm @ Whole Foods Market (downtown, plaza level, sign in with receptionist)&lt;br /&gt;
&lt;br /&gt;
==== Presentation Archives ====&lt;br /&gt;
&lt;br /&gt;
The following presentations have been given at local chapter meetings:&lt;br /&gt;
&lt;br /&gt;
* OWASP ROI: Optimize Security Spending using OWASP  Austin OWASP Chapter September 2009 [http://www.owasp.org/images/d/d6/Austin_Chapter_OWASP_ROI-mtesauro.pdf Matt Tesauro Presentation]&lt;br /&gt;
&lt;br /&gt;
* Threat Modeling August 2009 [http://www.owasp.org/images/9/97/TM.pptx Michael Howard Presentation]&lt;br /&gt;
&lt;br /&gt;
* Architecting a Secure Web System  Austin OWASP Chapter April 2009 [http://www.owasp.org/images/8/8b/OWASP_-_Architecting_Secure_Web_Systems.pptx Josh Sokol Presentation]&lt;br /&gt;
&lt;br /&gt;
* Using Proxies to Secure Applications and More  Austin OWASP Chapter October 2008 [https://www.owasp.org/images/f/ff/Using_Proxies_to_secure_applications_and_more.pptx Josh Sokol Presentation]&lt;br /&gt;
&lt;br /&gt;
* OWASP Testing Framework  Austin OWASP Chapter August 2007 [https://www.owasp.org/images/d/db/The_OWASP_Testing_Framework_Presentation.ppt Josh Sokol Presentation]&lt;br /&gt;
&lt;br /&gt;
* Single Sign On (7/27)&lt;br /&gt;
&lt;br /&gt;
* [http://www.threatmind.net/papers/franz-basic-j2ee-tools-owasp-austin.pdf A Rough Start of a Toolset for Assessing Java/J2EE Web Apps] (7/27) - [[MattFranz]] discussed some custom Python tools he has been writing for conducting security testing of Struts (and other Java) web applications.&lt;br /&gt;
&lt;br /&gt;
* [http://www.owasp.org/index.php/Image:DenimGroup_AJAXSecurityHereWeGoAgain_Content_20060829.pdf AJAX Security: Here we go again] - Dan Cornell from [http://www.denimgroup.com/ Denim Group] discussed security issues in one of the popular Web 2.0 technologies (8/29)&lt;br /&gt;
&lt;br /&gt;
==== Austin OWASP Whitepapers ====&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Austin OWASP Chapter Leaders ====&lt;br /&gt;
[mailto:josh.sokol@ni.com Josh Sokol, President] - (512) 683-5230&lt;br /&gt;
&lt;br /&gt;
[mailto:wickett@gmail.com James Wickett, Vice President] - (512) 989-6808&lt;br /&gt;
&lt;br /&gt;
[mailto:rich.vazquez@gmail.com Rich Vazquez, Communications Chair] - (512) 989-6808&lt;br /&gt;
&lt;br /&gt;
[mailto:sfoster@austinnetworking.com Scott Foster, Membership Chair] - (512) 637-9824&lt;br /&gt;
&lt;br /&gt;
==== Sponsorship Opportunities ====&lt;br /&gt;
The Austin OWASP Chapter can offer your company three unique sponsorship opportunities.  If you are interested in taking advantage of any of these opportunities, please contact [mailto:josh.sokol@ni.com Josh Sokol], the Austin OWASP Chapter President.&lt;br /&gt;
&lt;br /&gt;
'''Opportunity #1 - Austin Security Professionals Happy Hour Sponsorship'''&lt;br /&gt;
&lt;br /&gt;
The Austin OWASP Chapter organizes a monthly Austin Security Professionals Happy Hour event along with the Capitol of Texas ISSA Chapter.  This event has historically drawn around 30 of Austin's finest security professionals for networking and more.  Your sponsorship of this event includes appetizers and drinks for the attendees.  We typically do $100 in appetizers and $200 in drink tickets.  By using drink tickets, we ensure that our sponsors are able to interact with every attendee who wants a drink.  Feel free to pass out business cards and network just like you would anywhere else.  You'll find no better opportunity to get your name in front of 30+ security professionals for around $300.&lt;br /&gt;
&lt;br /&gt;
'''Opportunity #2 - OWASP Meeting Lunch Sponsorship'''&lt;br /&gt;
&lt;br /&gt;
Our monthly Austin OWASP meetings are held during a person's typical lunch hours from 11:30 AM to 1:00 PM.  For your sponsorship of around $250 we can arrange food and drinks for up to 50 attendees.  In exchange for your sponsorship, our chapter will provide you with 5 minutes at the start of the meeting to introduce yourself and tell us about the products or services that your company offers.  You'll also receive mention of being the lunch sponsor in all e-mail communications about the meeting.&lt;br /&gt;
&lt;br /&gt;
'''Opportunity #3 - OWASP Meeting Presenter Sponsorship'''&lt;br /&gt;
&lt;br /&gt;
Although OWASP is a non-profit organization, we strive to provide our members with the best presenters we possibly can.  While the Austin area has tons of security talent, sometimes it's worthwhile to reach beyond our borders to pull in more awesome presenters.  In exchange for covering travel expenses for these presenters, our chapter will provide you with 5 minutes at the start of the meeting to introduce yourself and tell us about the products or services that your company offers.  You'll also receive mention of being the presenter sponsor in all e-mail communications about the meeting.&lt;br /&gt;
&lt;br /&gt;
The Austin OWASP Chapter would like to thank [http://www.whitehatsec.com WhiteHat Security] and [http://www.expandingsecurity.com Expanding Security] for their sponsorships during the past year.&lt;br /&gt;
&lt;br /&gt;
==== Local News ====&lt;br /&gt;
&lt;br /&gt;
''If a link is available, click for more details on directions, speakers, etc. You can also review [http://lists.owasp.org/pipermail/owasp-austin/ Email Archives] to see what folks have been talking about''&lt;br /&gt;
&amp;lt;paypal&amp;gt;Austin&amp;lt;/paypal&amp;gt;&lt;br /&gt;
&lt;br /&gt;
__NOTOC__&lt;br /&gt;
&amp;lt;headertabs/&amp;gt;&lt;br /&gt;
[[Category:Texas]]&lt;/div&gt;</summary>
		<author><name>Blbroussard</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Talk:XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet&amp;diff=63204</id>
		<title>Talk:XSS (Cross Site Scripting) Prevention Cheat Sheet</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Talk:XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet&amp;diff=63204"/>
				<updated>2009-05-29T21:37:05Z</updated>
		
		<summary type="html">&lt;p&gt;Blbroussard: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Rule #5 has a few concerning points:&lt;br /&gt;
It mentions &amp;lt;a href=http://...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...&amp;gt;link&amp;lt;/a &amp;gt;, but I think more common is &amp;lt;a href=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...&amp;gt;link&amp;lt;/a &amp;gt; where the full href contents are untrusted. There should be some mention here about relative links too.&lt;br /&gt;
&lt;br /&gt;
Is the following a contradiction?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the %HH escaping format.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Note that entity encoding is useless in this context.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The following is confusing and possibly nonsensical. &amp;quot;Including untrusted data in data: URLs should not be allowed as there is no good way to disable attacks with escaping to prevent switching out of the URL.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
Other points about Rule #5:&lt;br /&gt;
&lt;br /&gt;
There are numerous special characters that must be accepted in URLs. The note that entity encoding is useless is not quite right. Entity encoding is useful to stop injecting UP. The problem with it, which should be explained in the article, is that when an anchor tag is clicked on, the entities are interpreted. This usually means that the link has to be clicked on to trigger the payload. However, if there is other javascript on the page which references this href value, it will use the un-encoded value. I've seen this in redirection javascript.&lt;br /&gt;
&lt;br /&gt;
Does forcing the untrusted data to start with http remediate this hole for absolute URLs? My assumption here is that the way to attack here would be to use &amp;quot;Javascript:some javascript&amp;quot; as the untrusted input.&lt;/div&gt;</summary>
		<author><name>Blbroussard</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Talk:XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet&amp;diff=63203</id>
		<title>Talk:XSS (Cross Site Scripting) Prevention Cheat Sheet</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Talk:XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet&amp;diff=63203"/>
				<updated>2009-05-29T21:35:41Z</updated>
		
		<summary type="html">&lt;p&gt;Blbroussard: Rule #5 issues&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Rule #5 has a few concerning points:&lt;br /&gt;
 1. It mentions &amp;lt;a href=http://...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...&amp;gt;link&amp;lt;/a &amp;gt;, but I think more common is &amp;lt;a href=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...&amp;gt;link&amp;lt;/a &amp;gt; where the full href contents are untrusted. There should be some mention here about relative links too.&lt;br /&gt;
&lt;br /&gt;
 2. Is the following a contradiction?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the %HH escaping format.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Note that entity encoding is useless in this context.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
 3. The following is confusing and possibly nonsensical. &amp;quot;Including untrusted data in data: URLs should not be allowed as there is no good way to disable attacks with escaping to prevent switching out of the URL.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
Other points about Rule #5:&lt;br /&gt;
  There are numerous special characters that must be accepted in URLs. The note that entity encoding is useless is not quite right. Entity encoding is useful to stop injecting UP. The problem with it, which should be explained in the article, is that when an anchor tag is clicked on, the entities are interpreted. This usually means that the link has to be clicked on to trigger the payload. However, if there is other javascript on the page which references this href value, it will use the un-encoded value. I've seen this in redirection javascript.&lt;br /&gt;
&lt;br /&gt;
Does forcing the untrusted data to start with http remediate this hole for absolute URLs? My assumption here is that the way to attack here would be to use &amp;quot;Javascript:some javascript&amp;quot; as the untrusted input.&lt;/div&gt;</summary>
		<author><name>Blbroussard</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Top_10_2007&amp;diff=60536</id>
		<title>Top 10 2007</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Top_10_2007&amp;diff=60536"/>
				<updated>2009-05-11T14:44:59Z</updated>
		
		<summary type="html">&lt;p&gt;Blbroussard: SDLC (Software Development Life Cycle)&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Top_10_2007:TopTemplate|usenext=NextLink|next=-Methodology|useprev=Nothing|usemain=Nothing}}&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
&lt;br /&gt;
Welcome to the OWASP Top 10 2007!  This totally re-written edition lists the most serious web application vulnerabilities, discusses how to protect against them, and provides links to more information.  '''The OWASP Top 10 has been translated into French.  [https://www.owasp.org/images/c/ce/OWASP_Top_10_2007_-_French.pdf Click Here] for the French Translation!'''&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 for Java Enterprise Edition is available for download [https://www.owasp.org/images/8/89/OWASP_Top_10_2007_for_JEE.pdf here]&lt;br /&gt;
&lt;br /&gt;
== Aim ==&lt;br /&gt;
&lt;br /&gt;
'''The primary aim of the OWASP Top 10 is to educate developers, designers, architects, and organizations''' about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities – a great start to your secure coding security program. &lt;br /&gt;
&lt;br /&gt;
'''Security is not a one-time event'''. It is insufficient to secure your code just once. By 2008, this Top 10 will have changed, and without changing a line of your application’s code, you may be vulnerable. Please review the advice in [[Top_10_2007-Where to Go From Here|Where to Go From Here]] for more information.&lt;br /&gt;
&lt;br /&gt;
'''A secure coding initiative must deal with all stages of a program’s lifecycle'''. Secure web applications are '''''only''''' possible when a secure SDLC (Software Development Life Cycle) is used. Secure programs are secure by design, during development, and by default. There are at least 300 issues that affect the overall security of a web application. These 300+ issues are detailed in the [[OWASP_Guide_Project|OWASP Development Guide]], which is essential reading for anyone developing web applications today.&lt;br /&gt;
&lt;br /&gt;
'''This document is first and foremost an education piece, not a standard'''. Please do not adopt this document as a policy or standard without [mailto:owasp@owasp.org talking to us] first! If you need a secure coding policy or standard, OWASP has secure coding policies and standards projects in progress. Please consider joining or financially assisting with these efforts.&lt;br /&gt;
&lt;br /&gt;
== Acknowledgements ==&lt;br /&gt;
&lt;br /&gt;
{| &lt;br /&gt;
|-&lt;br /&gt;
&lt;br /&gt;
|We thank [http://www.mitre.org/ MITRE] for making ''Vulnerability Type Distribution in [http://cve.mitre.org/ CVE]'' data freely available for use. The OWASP Top Ten project is led and sponsored by [http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif].  &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Project Lead: 	Andrew van der Stock (Executive Director, OWASP Foundation)&lt;br /&gt;
&lt;br /&gt;
Co-authors: 	Jeff Williams (Chair, OWASP Foundation), Dave Wichers (Conference Chair, OWASP Foundation)&lt;br /&gt;
&lt;br /&gt;
We’d like to thank our reviewers:&lt;br /&gt;
&lt;br /&gt;
*Raoul Endres for help in getting the Top 10 going again and with his valuable comments. &lt;br /&gt;
*[mailto:coley...at...mitre.org Steve Christey](MITRE) for an extensive peer review and adding the MITRE CWE data&lt;br /&gt;
*[http://jeremiahgrossman.blogspot.com/ Jeremiah Grossman] ([http://www.whitehatsec.com/ WhiteHat Security]) for peer reviewing and contributing information about the success (or otherwise) of automated means of detection.&lt;br /&gt;
*[http://www.smithline.net/ Neil Smithline] ([http://www.OneStopAppSecurity.com/ OneStopAppSecurity.com]) for comments and producing the Wiki version.&lt;br /&gt;
*Sylvan von Stuppe for an exemplary peer review.&lt;br /&gt;
*Colin Wong, Nigel Evans and Andre Gironda for e-mailed comments.&lt;br /&gt;
&lt;br /&gt;
== Summary ==&lt;br /&gt;
&lt;br /&gt;
{| border='1' cellpadding='2' &lt;br /&gt;
|-	&lt;br /&gt;
|[[Top_10_2007-A1|A1 - Cross Site Scripting (XSS)]]&lt;br /&gt;
|XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.&lt;br /&gt;
|-&lt;br /&gt;
&lt;br /&gt;
|[[Top_10_2007-A2|A2 - Injection Flaws]]&lt;br /&gt;
|Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.&lt;br /&gt;
|-&lt;br /&gt;
&lt;br /&gt;
|[[Top_10_2007-A3|A3 - Malicious File Execution]]&lt;br /&gt;
|Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users. &lt;br /&gt;
|-&lt;br /&gt;
&lt;br /&gt;
|[[Top_10_2007-A4|A4 - Insecure Direct Object Reference]]&lt;br /&gt;
|A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.&lt;br /&gt;
|-&lt;br /&gt;
&lt;br /&gt;
|[[Top_10_2007-A5|A5 - Cross Site Request Forgery (CSRF)]]&lt;br /&gt;
|A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.&lt;br /&gt;
|-&lt;br /&gt;
&lt;br /&gt;
|[[Top_10_2007-A6|A6 - Information Leakage and Improper Error Handling]]&lt;br /&gt;
|Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks. &lt;br /&gt;
|-&lt;br /&gt;
&lt;br /&gt;
|[[Top_10_2007-A7|A7 - Broken Authentication and Session Management]]&lt;br /&gt;
|Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.&lt;br /&gt;
|-&lt;br /&gt;
&lt;br /&gt;
|[[Top_10_2007-A8|A8 - Insecure Cryptographic Storage]]&lt;br /&gt;
|Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.&lt;br /&gt;
|-&lt;br /&gt;
&lt;br /&gt;
|[[Top_10_2007-A9|A9 - Insecure Communications]]&lt;br /&gt;
|Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.&lt;br /&gt;
|-&lt;br /&gt;
&lt;br /&gt;
|[[Top_10_2007-A10|A10 - Failure to Restrict URL Access]]&lt;br /&gt;
|Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.&lt;br /&gt;
|}&lt;br /&gt;
'''&amp;lt;center&amp;gt;Table 1: Top 10 Web application vulnerabilities for 2007&amp;lt;/center&amp;gt;'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
There are several pages in this document that are not dedicated to a specific vulnerability and hence are not listed in the table. Here is the list of them.&lt;br /&gt;
&lt;br /&gt;
{| border='1' cellpadding='2' &lt;br /&gt;
|-	&lt;br /&gt;
|[[Top 10 2007]]&lt;br /&gt;
|The main page for the document (this page). Besides providing an introduction, bookmarking the &amp;quot;Summary&amp;quot; section (this can be done by dragging [https://www.owasp.org/index.php/Top_10_2007#Summary this link] to your browser's bookmarks) gives you quick access to the entire document.&lt;br /&gt;
|-&lt;br /&gt;
|[[Top 10 2007-Methodology]]&lt;br /&gt;
|A description of the methodology used to select the vulnerabilities for this document. &lt;br /&gt;
|-&lt;br /&gt;
|[[Top 10 2007-Where to Go From Here]]&lt;br /&gt;
|Some advice as to how to proceed once you have read this document.&lt;br /&gt;
|-&lt;br /&gt;
|[[Top 10 2007-References]]&lt;br /&gt;
|Recommendations for further reading.&lt;br /&gt;
|}&lt;br /&gt;
'''&amp;lt;center&amp;gt;Table 1a: Pages in the ''OWASP Top Ten 2007'' document other than the vulnerability pages listed above.&amp;lt;/center&amp;gt;'''&lt;br /&gt;
&lt;br /&gt;
==A Note About The Different Versions==&lt;br /&gt;
While the only official version of the ''OWASP Top Ten 2007'' list is the downloadable English PDF version, OWASP has put together this Wiki that initially contains the same content as the PDF. But OWASP hopes that will change with your help. OWASP encourages community involvement and wants your help to make the Wiki version even better. To aid in this they have put together a brief [[Editing:Top_10_2007|tutorial]] to get you started.&lt;br /&gt;
&lt;br /&gt;
==Downloadable Versions==&lt;br /&gt;
You can download the Top 10 2007 (Final) here:&lt;br /&gt;
&lt;br /&gt;
* [http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf (PDF, 930 kb)]&lt;br /&gt;
&amp;lt;!--* [http://www.owasp.org/images/2/24/OWASP_Top_10_2007.doc (Word, 514 kb)]--&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* [https://www.owasp.org/images/c/ce/OWASP_Top_10_2007_-_French.pdf (French Version PDF, 455 kb)]&lt;br /&gt;
&lt;br /&gt;
* [http://www.metasecurity.org/owasp/OWASP_Top_10_2007_Korean.pdf (Korean Version PDF, 768 kb)]&lt;br /&gt;
&lt;br /&gt;
* [http://csirt.ulakbim.gov.tr/dokumanlar/Ceviri_OWASP_ilk10_2007.pdf (Turkish Version PDF, 718 kb)]&lt;br /&gt;
&lt;br /&gt;
* [http://www.owasp.org/images/4/42/OWASP_TOP_10_2007_PT-BR.pdf (Brazilian Portuguese PDF, 329 kb)]&lt;br /&gt;
&lt;br /&gt;
* [https://www.owasp.org/images/a/ae/OWASP_Top_10_2007_Spanish.pdf (Spanish PDF, 488kb)]&lt;br /&gt;
&lt;br /&gt;
* [https://www.owasp.org/images/8/89/OWASP_Top_10_2007_for_JEE.pdf OWASP Top 10 for Java Enterprise Edition (PDF, 630 kb)]&lt;br /&gt;
&lt;br /&gt;
* Looking for a version in another language? We could use your help translating. Contact Andrew van der Stock (vanderaj ...(@)... owasp.org) to help translate the OWASP Top 10 into your language.&lt;br /&gt;
&lt;br /&gt;
{{Top_10_2007:BottomTemplate|usenext=NextLink|next=-Methodology|useprev=Nothing|usemain=Nothing}}&lt;/div&gt;</summary>
		<author><name>Blbroussard</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category_talk:OWASP_CSRFGuard_Project&amp;diff=51484</id>
		<title>Category talk:OWASP CSRFGuard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category_talk:OWASP_CSRFGuard_Project&amp;diff=51484"/>
				<updated>2009-01-16T22:09:10Z</updated>
		
		<summary type="html">&lt;p&gt;Blbroussard: How are standard browser navigation functions affected?&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;How does this affect certain standard browser navigation features? Specifically, does this break the &amp;quot;Back,&amp;quot; &amp;quot;Forward,&amp;quot; and &amp;quot;Reload/Refresh&amp;quot; buttons?&lt;br /&gt;
&lt;br /&gt;
Also, I would assume that re-authentication would be necessary for bookmarked pages. Does it handle these well, or does it choke on an invalid (not blank) request token?&lt;/div&gt;</summary>
		<author><name>Blbroussard</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Talk:How_CSRFGuard_Works&amp;diff=51483</id>
		<title>Talk:How CSRFGuard Works</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Talk:How_CSRFGuard_Works&amp;diff=51483"/>
				<updated>2009-01-16T22:05:12Z</updated>
		
		<summary type="html">&lt;p&gt;Blbroussard: How are standard browser navigation functions affected?&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;How does this affect certain standard browser navigation features? Specifically, does this break the &amp;quot;Back,&amp;quot; &amp;quot;Forward,&amp;quot; and &amp;quot;Reload/Refresh&amp;quot; buttons?&lt;br /&gt;
&lt;br /&gt;
Also, I would assume that re-authentication would be necessary for bookmarked pages. Does it handle these well, or does it choke on an invalid (not blank) request token?&lt;/div&gt;</summary>
		<author><name>Blbroussard</name></author>	</entry>

	</feed>