__NOTOC__
{|
|-
! width="700" align="center" |
! width="500" align="center" |
|-
| align="center" | [[Image:AppSec Brasil 11 medio.png]]
| align="center" |
 '''Language: [http://www.owasp.org/index.php?title=AppSecLatam2011 http://www.owasp.org/images/8/88/Bandeira_reino_unido.png]
[http://www.owasp.org/index.php?title=AppSecLatam2011_(pt-br) http://www.owasp.org/images/4/49/Bandeira_brasil.png] [http://www.owasp.org/index.php?title=AppSecLatam2011_(es) http://www.owasp.org/images/1/1c/Bandeira_espanha.png] | 
*[http://www.owasp.org/images/1/19/AppSecLatam_2011_Announcement.pdf Press Release]
*[[AppSecLA2011/Media Mentions|Media Mentions]]
*[[AppSecLA2011/Archived|Archived]]
 '''Follow us: [http://www.twitter.com/AppSecLatam http://www.owasp.org/images/f/f7/Twitter.png]
[http://www.facebook.com/event.php?eid=155195651207509 http://www.owasp.org/images/5/55/Facebook.png] [http://events.linkedin.com/OWASP-Global-AppSec-Latin-America-2011/pub/607738 http://www.owasp.org/images/1/1a/Linkedin.png]
|}

==== Welcome ====

{| style="width: 100%;"
|-
| style="width: 100%; color: rgb(0, 0, 0);" |
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"
|-
| style="width: 95%; color: rgb(0, 0, 0);" |

We are pleased to announce that the [http://www.owasp.org/index.php/Porto_Alegre OWASP Porto Alegre Local Chapter] will organize the '''Global AppSec Latin America 2011 Conference''' in Porto Alegre-RS, Brazil. 

The Global AppSec Latin America 2011 Conference will be a reunion of Information Security latin american leaders, and will present cutting-edge ideas. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 200-250 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals. 

If you have any questions, please email the conference chair: [mailto:AppSec2011@AppSecLatam.org AppSec2011@AppSecLatam.org] 

'''Who Should Attend Global AppSec Latin América 2011:'''

*Application Developers
*Application Testers and Quality Assurance
*Application Project Management and Staff
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
*Security Managers and Staff
*Executives, Managers, and Staff Responsible for IT Security Governance
*IT Professionals Interested in Improving IT Security 



|}



| style="border: 0px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0);" | 
[[Image:Owasp-poa-eng.png]]

{{#ev:youtube|pXQ9z8sPcHI}}

{|
|-
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |
Use the '''[http://search.twitter.com/search?q=%23AppSecLatam #AppSecLatam]''' hashtag for your tweets for Global AppSec Latin America 2011 (What are [http://hashtags.org/ hashtags]?)

'''@AppSecLatAm Twitter Feed ([http://twitter.com/AppSecLatam Follow us on Twitter!])''' <twitter>262394051</twitter>

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |

|}

| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |

|}



==== CFT & CFP ====

== CFT ==
Read the Call for Trainings in: [https://www.owasp.org/index.php/AppSecLatam2011/CFT https://www.owasp.org/index.php/AppSecLatam2011/CFT]

We are doing a research about subjects of the trainings. You can help us, answering the questions in the follow address:

[http://www.surveymonkey.com/s/3RCZ9RR http://www.surveymonkey.com/s/3RCZ9RR]

== CFP ==

Read the Call for Presentations in: [https://www.owasp.org/index.php/AppSecLatam2011/CFP https://www.owasp.org/index.php/AppSecLatam2011/CFP]

 

== Program Committee ==

* Kuai Hinojosa
* Leandro Gomes
* Leonardo Buonsanti
* Leonardo Lemes
* Luiz Eduardo
* Luiz Otávio Duarte
* Mateo Martinez
* Rodrigo Rubira

==== Keynotes ====

== '''Keynotes''' ==
== Bruce Schneier ==
{| style="background-color: transparent"
|-
! width="200" align="center" |
! width="1000" align="center" |
|-
| align="center" | https://www.owasp.org/images/3/3f/Bruce2.png
| align="justify" | [http://www.schneier.com Bruce Schneier] is an internationally renowned security technologist, referred to by The Economist as a "security guru." He is the author of eleven books -- including the best sellers Beyond Fear, Secrets and Lies, and Applied Cryptography – as well as hundreds of articles and essays, and many more academic papers. His influential newsletter "Crypto-Gram," and his blog "Schneier on Security," are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, served on several government technical committees, and is regularly quoted in the press. Schneier is the Chief Security Technology Officer of BT.
|}

== Bryan Sullivan ==
{| style="background-color: transparent"
|-
! width="200" align="center" |
! width="1000" align="center" |
|-
| align="center" |https://www.owasp.org/images/3/36/Bryan-sullivan.jpg
| align="justify" |[http://www.linkedin.com/in/bryanjsullivan Bryan Sullivan ] is a Senior Security Researcher with Adobe Systems, where he focuses on cloud security issues. Prior to Adobe, he was a program manager on Microsoft's Security Development Lifecycle team, and a development manager at HP, where he helped to design HP's vulnerability scanning tools WebInspect and DevInspect.

Bryan has spoken at security industry conferences such as Black Hat, RSA Conference, BlueHat and TechEd on a diverse range of topics including NoSQL, RIA architecture, REST, cryptography, denial-of-service defense, URL rewriting, and applying secure development processes to Agile projects. He was the author of the MSDN Magazine column Security Briefs, and is the coauthor of the books Ajax Security (Addison-Wesley, 2007) and the upcoming Secure Web Applications, A Beginner's Guide (McGraw-Hill, 2011). [http://www.linkedin.com/in/bryanjsullivan Linkedin]
|}

== '''Guest Speakers''' ==

== Michael Craigue ==
{| style="background-color: transparent"
|-
! width="200" align="center" |
! width="1000" align="center" |
|-
| align="center" | https://www.owasp.org/images/0/0c/MichaelCraigue.jpg
| align="justify" |[http://www.linkedin.com/in/craigue Michael Craigue] (CISSP/CSSLP) is Director of the Security Consulting group at Dell, with 14 team members in Brazil, India, Malaysia, and the US. He and his team have responsibility for consulting with all of Dell’s internal organizations, including IT, Product Group, Services, and Mergers and Acquisitions, with a particular focus on the Secure Software Development Lifecycle. He has taught Database Management and Business Intelligence / Knowledge Management at St. Edward’s University in their MBA / MS CIS programs. Prior to joining Dell’s information security team, he spent a decade building Web and database applications. He has a PhD from the University of Texas at Austin in Higher Education Administration / Finance. [http://www.linkedin.com/in/craigue Linkedin]

|}

==== October 4th-5th (Training) ====

== Schedule ==

To be published soon.

==== October 6th ====
== Schedule ==

To be published soon.

==== October 7th ====
== Schedule ==

To be published soon.

==== Registration ====

To be published soon.

===Registration Fees===

To be published soon.

==== Practical Info ====

== Visitors' Guide ==

Gate for tourists in the state of Rio Grande do Sul in Brazil, and only 120 miles from the pleasant Serra Gaucha, Porto Alegre is a bustling hub of services and infrastructure with quality recognized, and a base of large national and international companies and a major destination for international events in Brazil.

Usefull links:

[http://www2.portoalegre.rs.gov.br/turismo http://www2.portoalegre.rs.gov.br/turismo]

[https://secure.wikimedia.org/wikipedia/en/wiki/Porto_Alegre https://secure.wikimedia.org/wikipedia/en/wiki/Porto_Alegre]

 60 Minutes recent report about Brazil and his development potencial: 
{{#ev:youtube|DMM7OJ_Kj9I}}

 Tourist video about Porto Alegre City: 
{{#ev:youtube|pXQ9z8sPcHI}}

==== Social Events ====

Information will be published here.

==== Sponsoring ====

We are looking for sponsors for 2011 edition of Global AppSec Latin America. See more details about sponsor opportunities.

If you are interested to sponsor Global AppSec Latin America 2011, please contact the conference chair: [mailto:AppSec2011@AppSecLatam.org AppSec2011@AppSecLatam.org].

To find out more about the different sponsorship opportunities please check the document below:
 
[http://www.owasp.org/images/4/4f/OWASP_AppSec_2011_Sponsorship_English.pdf OWASP AppSec 2011 Sponsorship English.pdf]

==== Team ====

[https://www.owasp.org/index.php/User:Cassio_Goldschmidt Cassio Goldschmidt] 
[http://www.owasp.org/index.php/User:Jeronimo_Zucco Jerônimo Zucco ] 
[http://www.owasp.org/index.php/User:Gustavo_Barbato L. Gustavo C. Barbato ] 
[http://www.owasp.org/index.php/User:Sapao Lucas C. Ferreira ] 
[http://www.owasp.org/index.php/User:Rafael_Dreher Rafael Dreher ] 

<headertabs />

[[Category:OWASP_AppSec_Conference]]

AppSecLatam2011 (es)

2011-04-18T03:31:50Z

Cgoldsch:

AppSec US 2010, CA/Attending Owasp Leaders

2011-04-18T03:29:39Z

Cgoldsch:

Page to manage the participation of the OWASP leaders at the [[AppSec US 2010, CA|AppSec USA in Irvine USA]]

=== Attending Leaders - Confirmed ===

#[[User:Dancornell|Dan Cornell]]- ''San Antonio Chapter and Global Membership Committee''
#Tony UV - ''Atlanta Chapter''
#[[User:Jmanico|Jim Manico]] - ''Podcast Project''
#[[User:MichaelCoates|Michael Coates]] - ''AppSensor project and Global Membership Committee''
#[[User:Knoblochmartin|Martin Knobloch]] - ''Education and Connections Committee''
#[[User:Rsnake|Robert Hansen]] - ''Connections Committee''
#[[User:Mtesauro|Matt Tesauro]] - ''Live CD project, Board Member''
#[[User:Wichers|Dave Wichers]] - ''Top 10 project, Board Member''
#[[User:Brennan|Tom Brennan]] - ''NYC Chapter Leader, RFP Criteria project, OWASP-CRM, Board Member''
#[[User:Jeff Williams|Jeff Williams]] - ''ESAPI project, Board Member''
#[[User:Dinis.cruz|Dinis Cruz]] - ''O2 Platform project, Board Member''
#[[User:Dc|David Campbell]] - ''Denver Chapter, Industry Committee''
#[[User:Eduprey|Eric Duprey]] - ''Denver Chapter''
#[[User:Justin42|Justin Clarke]] - ''London Chapter and Connections Committee''
#Roman Hustad - ''Sacramento Chapter''
#Peter Dean - ''NYC Chapter Leader''
#Georg Hess - ''German Chapter, Industry Committee''
#John Steven - ''NoVA Chapter Lead''
#[[User:Lorna Alamri|Lorna Alamri]] - ''Connections Committee''
#[[User:Chris Schmidt|Chris Schmidt]] - ''ESAPI Project''
#David Bryan - ''MSP Chapter Leader''
#Eric Duprey - ''Denver Chapter Leader''
#Mandeep Khera -

'''Part of the conference organization'''

#[https://www.owasp.org/index.php/User:Cassio_Goldschmidt Cassio Goldschmidt] - ''Los Angeles Chapter''
#[[:User:Tin Zaw|Tin Zaw]] - ''Los Angeles Chapter''
#[[User:Richard greenberg|Richard Greenberg]] - ''Los Angeles Chapter''
#[http://www.owasp.org/index.php/User:Nmatatal Neil Matatall] - ''[[http://www.owasp.org/index.php/Orange_County Orange County Chapter]]''
#Kate Hartmann - OWASP Foundation
#Alison McNamee - OWASP Foundation (remote support)

=== Also attending (part of OWASP community) ===

#Joseph Dawson
#Howard Fore - ''Atlanta Chapter (Bring a Developer Attendee)''
#Jon Bango - ''Atlanta Chapter (Bring a Developer Attendee)''
#August Detlefsen - ''(Bring a Developer Attendee)''

=== Key WebAppSec players ===

objective: identfy potential synergies between WebAppSec industry players and OWASP leaders (for example too meet and have a meeting)

*Firefox Browser
**There are a number of Firefox employees participating and they have shown interest in talking to OWASP about how we can work together
***Michael Coates (Owasp Leader)
***Sid Stamm
***Brandon Sterne
***Dan Veditz

=== Developers and QA participating ===

'''Sponsored by the Atlanta Chapter'''

#''Howard Fore (Atlanta Developer)'' - Howard Fore is a senior web developer in Atlanta, Georgia. He's involved in some high-visibility web projects at the Federal Reserve Bank of Atlanta. Increasing awareness of secure software development practices is an departmental objective for 2010 and he's a member of the security workgroup, which is leading the way in that endeavor. Other practices the security workgroup are implementing include static code analysis and code inspection.
#''Jon Bango (Atlanta Developer)'' - Jon Bango is an Information Technology professional with over 13 years experience in the education, financial services and retail industries. Primarily working at the enterprise level, Jon has utilized the J2EE stack in building web applications for the largest home improvement retailer in the world. Most recently he has branched out into RIA technologies working in Adobe Flex and Microsoft Silverlight. Currently, Jon has transitioned into the dark arts at his company’s Information Assurance department in which the groundwork has been laid to utilize his developer talents to create a company wide secure coding initiative.
#''August Detlefsen (Oakland Developer)'' - August Detlefsen is a 13+ year Java web architect veteran. As an independent contractor he has developed solutions for such companies as Sun Microsystems, Oracle, VMware, NetApp and others, managing all phases of the software development lifecycle from initial specification to final disposal. August recently began focusing on web application security and has worked on projects for WhiteHat Security, Security Compass, and AppSec Consulting and donated time on the OWASP ESAPI and AppSensor projects.

=== Meetings and sessions ===

So far we have identified 6 slots were there will be an event happening around this group

*'''Wed Lunch Break''' : 'ESAPI4JS: Where do we go from here?'
*'''Wed Night''' : 9PM-12PM Drinks at TDB
*'''Thursday Lunch Break''' : 'OWASP and the Browsers: How can we work together?'
*'''Thursday After the conference''' : OWASP Leaders meeting
*'''Thursday Night''' : TBD ''(and maybe the OWASP band?)''
*'''Friday Lunch Break''' : OWASP Summit 2011
*'''Friday After the conference''' : AppSec Soccer Tournament
*'''Friday Night''' : TDB

Note that there are meeting facilities available, so if you need a quite space to meet and talk about OWASP let us know.

=== How to track an OWASP Leader ===

Ideally we should be able to track OWASP leaders, the question is how?

What could we give the leaders that would easily identify them (in practical and usable way):

*a special wristband
**with a particular color?
**with a particular logo or message?
**wth a GPC tag? (or auto-location-tweet)
*an armband
*a hat
*a scarf
*a t-shirt
*a bag
*with a paintball gun?

=== AppSec Soccer Tournament ===

'''When:''' Friday after the conference '''Where:''' TBC '''Participants:''' 

*Dinis Cruz
*Kate Hartmann (can also be a referre)

 

=== To do (tasks) ===

*for each each participant
**link to MediaWiki user page
**add twitter accounts
*Travel arrangements
**map travel dates
**when/where they are arriving
**where are they staying
*figure out what to do with the leaders when they are there
*should we create a welcome pack for these leaders?
*should we see if they need help in their travel arrangements?
*should we see if its possible to find a local host for the accomodation (it is always better than going into an hotel)?
*do we need a budget? if so, how much?

[[Category:Connections_Committee]]

2009-12-22T08:01:50Z

Cgoldsch:

Los Angeles Previous Presentations 2009, 2010

2009-11-28T03:13:21Z

Cgoldsch: /* Wednesday, November 18th, 2009 7:30PM */

= Previous Presentations =
== Wednesday, November 18th, 2009 7:30PM ==
* [http://www.owasp.org/images/b/bc/Watching_software_run_11.18.09.pptx Watching Software Run with Brian Chess, Fortify Founder and Chief Scientist]
 
Now more than ever before, computer systems are vulnerable because software is vulnerable. No matter how good programmers get at making secure software, it will never be perfect—we will always have to contend with incomplete or inadequate code. Most efforts at living with bad code have focused on shoring it up from the outside: limiting network access (firewalls) or watching for suspicious behavior (intrusion detection). This talk takes a different perspective: we’ll look at methods for identifying and blunting the effects of software shortcomings from the inside by watching the software run.

Modern languages like Java and C# are good for more than just programmers. They also provide a wealth of structured information when they execute. We can apply many same techniques developed for outside-in security, but at a finer granularity and with much more context. Along the way there is a lot to talk about: Where web application firewalls excel and where they fall down. Fuzzing vs. static analysis. The disappointments of both aspect oriented programming and building security in. Why nobody uses the Java Security model. Taking your security with you into the cloud. The reason SQL injection won’t go away. Revenge of the reference monitor. Why was Twitter’s security so bad?
 

Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.
 

== Wednesday, October 21st, 2009 7:30PM ==
* [http://www.owasp.org/images/c/ca/ISO27001_OWASPLA_Shankar_10212009.pdf Enabling Compliance Requirements using Information Security Management System (ISMS) Framework (ISO27001)]
 
Growing threats and complex regulatory requirements emphasize the need for an effective Information Security Management System (ISMS) framework for an organization. Comprehensive and globally accepted standards like ISO27001 can help in protecting information assets and in enabling compliance requirements. ISO27001 provides an Information Security framework based on best practices and controls to ensure the confidentiality, integrity and availability of information assets. This presentation analyzes the possible synergies between the goals of Information Security Management System (ISMS) and the various compliance requirements, thus making the compliance efforts less complex.
 
Following are the key objectives of this presentation :
* Provide an introduction to ISO27001 and its controls
* Discuss the implementation approach for an Information Security Management System (ISMS) framework
* Familiarize the audience with some common challenges in implementation
* Outline synergy between ISO27001 controls and some compliance requirements( PCI , etc)
 
Attendees will learn about ISO27001 Information Security Standard, ISMS implementation approach and how ISO27001 can be used in meeting various regulatory/compliance requirements like Sox, PCI etc. It will also help the attendees to improve the information security posture of the organization and provide an effective and efficient approach for handling various information security/compliance audits with less effort.
 

Shankar Subramaniyan has over 11 years of experience as a technology consulting and project management executive in the areas of IT Governance, Risk and Compliance (GRC), Business Continuity Planning and Network Design & Architecture. He has thorough expertise on setting up Information Security Framework and Policies on the basis of industry standards such as ISO 27001. He has worked extensively on industry standards and best practices like BS7799 and ITIL. He also has good understanding and knowledge of various compliance requirements like PCI, Sox etc. Shankar' s experience includes IT audit, SOX remediation, ISMS (ISO27001) implementation, PCI compliance assessment, disaster recovery solution, enterprise risk management, designing IT security architecture and implementing ITIL processes. Shankar has rich experience in handling large projects and managing client relationships across corporate and educational sectors.
 

== Wednesday, September 16th, 2009 7:30PM ==
* The Rise of Threat Analysis and the Fall of Compliance, Policies, and Standards in mitigating Web Application Security Risks
 
On August 5th of 2009, Federal prosecutors on Monday charged Albert Gonzales with the largest case of credit and debit card data theft ever in the United States: 130 million credit cards numbers by hacking into the systems of Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers. Using a SQL-injection attack, the hackers installed malware on Hannaford Brothers. Hannaford was PCI compliant at the time they were compromise that lets question the validity of regulatory compliance frameworks, and specifically PCI standards as an effective method to reduce data breaches, identity theft, and the proliferation of credit card fraud. This presentation will further analyze how status quo security standards, such as PCI-DSS, as well as other policies, standards, and guidelines truly affect security risk mitigation efforts against cybercrime based threats. These traditional efforts will be compared to threat modeling workflows in order to demonstrate how real risk is mitigated under each scenario.
 
Cases for financial fraud will be anonymously presented to create a business case for application threat modeling as a viable methodology to drive improved application design and security risk mitigation. Threat modeling concepts will be elaborated in order to prove how application architecture walkthroughs via threat modeling improve the mitigation of cybercrime threats. Attacker motives and goals will be presented and incorporated into attack trees and it will show how attack libraries can be used to effectively identify application vulnerabilities and devise countermeasures in web application.
 
From the risk analysis perspective, several attacks will be considered and highlighted, particularly attacks that represent a systemic impact to an organization or government (such as for example a distributed denial of service).
 
Through the presentation of threat modeling scenarios, analyses and correlations will be drawn from the represented model(s) to attack patterns, associated and discovered security vulnerabilities, data sources, application topologies, and possible roles and permissions associated with the application environment. The purpose of the presentation is to demonstrate how application threat modeling can be used as part of a nouveau age form of security risk mitigation and overall application security. Data flow diagrams and application walkthroughs will enable audience members to witness how application threat modeling is an evolved form of security process engineering for improved application design and overall application security. The presentation will also demonstrate how threat modeling is capable of delivering critical business functions as well as in mitigating current and future cyber attacks, such as distributed denial of service, botnet driven-malware, spear phishing techniques, and more attacks that ultimately lead to identity and credit card fraud.
 
From the point of view of current and future cybercrime risk mitigation, several different strategies for application threat modeling will be discussed as related to securing both the web application web and critical financial infrastructures, such as ATMs. Finally some emphasis will be given to countermeasures that provide for incident response, intelligence and forensics capabilities.
 
Presentation outline, defining all topics that will be covered:
* Status quo of regulatory compliance in mitigating risk
* Threat modeling techniques for cybercrime threats
* Attack tree analysis for attack tree vectors
* Threat modeling for multi-channel fraud threat scenarios
* Cyber crime threats and application countermeasures via threat modeling
* Example of mitigation strategies for cybercrime and application of defense in depth for web applications
 
Any supporting research/tools:
* Threat models and attack trees
* Threat model are produced using the Microsoft™ threat modeling tool
* Public available cybercrime data will be presented and correlated
 

Marco Morana serves as one of the leaders of OWASP (Open Web Application Security Project) organization where he is actively involved in evangelize on web application security through presentations at local chapter meetings in USA as well as internationally. Marco has recently been awarded a contract from Wiley Publishing to co-author a book on Application Threat Modeling.
 
Besides being the OWASP Cincinnati chapter lead, Marco is also active contributor to OWASP projects such as the application threat modeling methodology for secure coding guideline and the security testing guide (ver. 2 and 3). Besides contributing to OWASP, Marco works as Technology Information Security Officer for a large financial organization in North America with responsibilities in the definition of the organization web application security standards, management of application security assessments during the SDLC, threat-fraud analysis and training of software developers, project managers and architects on different topics related to application security.
 
In the past, Marco served as senior security consultant and independent consultant where his responsibilities included providing software security services for several clients in the financial and banking, telecommunications and commercial sector industry. Besides security consulting, Marco had a career as technologist in the security industry where he contributed to the design business critical security products currently being used by several FORTUNE 500 companies as well by the US Government.
 
Marco work on software security is referred in the 2007 State Of the Art report by the Information Assurance Technology Analysis Center (IATAC). Marco received the NASA’s Space Act Award in 1999 for the patenting the S/MIME SEP (Secure Email Plug-in) application.
 
Marco research work on application and software security is widely published on several magazines such as In-secure magazine, Secure Enterprise, ISSA Journal and the C/C++ Users journal. Marco’s ideas and strategies for writing secure software are posted on his blog: http://securesoftware.blogspot.com.
 

Tony UcedaVelez has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a terminology that describes the design and development of secure processes and controls working symbiotically to a unique business workflow. Tony currenlty serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S on the topic of application security and security process engineering. His diverse background in software development, security architecture, and network security, coupled with his expertise in process engineering and security risk management has allowed Tony to be a recognized leader in developing strategic security solutions that are multi-faceted in their approach to addressing enterprise risk.
 
In the realm of application security, Tony is a threat modeling evangelist and has provided numerous talks domestically and globally on its many benefits and application. He has served as a guest mentor to teams participating in Kennesaw State University’s annual Cybercrime capture the flag event as well as a Cybercrime speaker for Southern Polytechnic University in Atlanta. He has also served as a guest speaker on the subject of application threat modeling during ISACA’s annual Geek Week event and has also served as a keynote speaker on the subject for ISACA’s Global Symposium web cast series. Additional articles include articles related to CoBIT and the ValIT model (ISACA’s Journal), application threat modeling within the SDLC (InSecureMagazine), and security process engineering for a ROSI (return on security investment) (Journal of Finance). He is currently finalizing a Wiley publishing book on Application Threat Modeling with Marco Morana.
 
Prior to VerSprite, Tony served as Sr. Director of Security Risk Management to a Fortune 50 organization where he led security assessments against global application environments. His work encompassed web application security testing, security architecture reviews, and analysis for business logic exploits. He applied effective ways to introduce the subject of application risk to information owners by effectively mapping them to causal factors for business. Previous to this role, he spent more than 5 years in the field of application security across other Fortune 500 organizations within the banking, telecom, and information service industry segments.
 
Tony currently leads the OWASP Atlanta Chapter, where he manages monthly workshops and events for the Atlanta web application security community. He also has developed a case study program for the Atlanta chapter in order to develop case studies with local Atlanta companies who are seeking to apply application threat modeling techniques within the SDLC and/ or incorporate the many OWASP produced tools and frameworks. Tony can be reached at tonyuv@versprite.com or tonyuv@owasp.org.
 

== Tuesday, August 25th, 2009 3:00PM ==
* OWASP Live CD Demo and Q&A with Matt Tessauro
 
Matt Tesauro will be in visiting our LA chapter and providing a quick demo of [http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project OWASP Live CD]
 
Matt Tesauro has worked in web application development and security since 2000. He's worn many different hats, from developer to DBA to sys admin to university lecturer to pen tester. Currently, he's focused on web application security and developing a Secure SDLC for TEA. Outside work, he is the project lead for the OWASP Live CD.
 

== Thursday, August 20th, 2009 7:30PM ==
* The Software Assurance Maturity Model (SAMM)
 
[http://www.opensamm.org/ The Software Assurance Maturity Model (SAMM)]
is a flexible and prescriptive framework for building security into a
software development organization. Covering more than typical
SDLC-based models for security, SAMM enables organizations to
self-assess their security assurance program and then use recommended
roadmaps to improve in a way that's aligned to the specific risks
facing the organization. Beyond that, SAMM enables creation of
scorecards for an organization's effectiveness at secure software
development throughout the typical governance, development, and
deployment business functions. Scorecards also enable management
within an organization to demonstrate quantitative improvements
through iterations of building a security assurance program. This
workshop will introduce the SAMM framework and walk through useful
activities such as assessing an assurance program, mapping an existing
organization to a recommended roadmap, and iteratively building an
assurance program. Time allowing, additional case studies will also be
discussed. SAMM is an open and free project and has recently been added
under the Open Web Application Security Project (OWASP) Foundation.
 

Pravir Chandra is Director of Strategic Services at Fortify Software
and works with clients on software security assurance programs.
Pravir is recognized for his expertise in software security, code
analysis, and his ability to strategically apply technical knowledge.
Prior to Fortify, he was a Principal Consultant affiliated with
Cigital and led large software security programs at Fortune 500
companies. Pravir Co-Founded Secure Software, Inc. and was Chief
Security Architect prior to its acquisition by Fortify. He recently
created and led the Open Software Assurance Maturity Model (OpenSAMM)
project with the OWASP Foundation, leads the OWASP CLASP project, and
also serves as member of the OWASP Global Projects Committee. Pravir
is author of the book Network Security with OpenSSL.
 

== Tuesday, July 21st, 2009 7:30PM ==
* Lock picks, BumpKeys, and Hackers oh my! How secure is your application?
 
This talk will focus on physical security controls, weaknesses, and counter measures. I will present on what lock picking is, how bump keys work, and ways to subverting electronic locks. We will also go into what are good controls, and what is often overlooked when designing secure environments. Many of the topics covered apply to application security, as the methods for securing these devices is by using obscurity. In the application world with automated tools and scripts, this does not hold water for very long.
 

David M. N. Bryan, NetSPI has 10 years of computer security experience, including consulting, engineering, and administration. He has performed security assessment projects in the healthcare, nuclear, manufacturing, pharmaceutical, banking and educational sectors.
 
As an active participant in the information security community, he volunteers at DEFCON, where he designs and implements the firewall and network for what is said to be the most hostile network environment in the world. This network allows speakers, press, vendors, and others to gain access to the Internet, without being hacked. In his spare time he and his wife run the local DEFCON group, DC612 and participate in the Minneapolis OWASP chapter.
 

== June 24th, 2009 7:30PM ==
* Information Warfare: Past, Present and Future
 
Information warfare is the composite use of psychological operations
(PYOPS), military deception (MILDEC), operational security (OPSEC),
computer network operations (CNO), and electronic warfare (EW) to
control and disrupt information flow. Recently, interest in
information war technologies, techniques and policy issues have
increased, especially in the domain of CNO. Increased scrutiny over
network operations is both legitimate and valid, as global commerce
and military powers are integrated and dependent on the Internet for
critical operations. This presentation will describe the five domains
of information warfare, the past use of information warfare in the
Gulf war and recent Cyber attacks on the Eastern European countries of
Georgia and Estonia. Information will be presented on possible new
directions of information warfare.
 
Mikhael Felker, CISSP-ISSEP has worked in a variety of roles including
instructor, engineer, and researcher. He is currently employed by The
Aerospace Corporation in the Information Assurance Technology
Department, supporting Information Assurance (IA) for satellite
systems. He is also an Instructor within the Computer & Information
Systems Division at UCLA Extension, teaching a course in networking.
Actively involved in the Los Angeles security community, he is the
Education Director for Los Angeles Chapter of Information Systems
Security Association (ISSA), member and speaker of Information Systems
Audit and Control Association (ISACA), and former Defense Sector
Coordinator for InfraGard. Mikhael has published articles in IEEE
Security & Privacy, the ISSA Journal, Information Systems Control
Journal, and SecurityFocus. He is a recipient of the Scholarship for
Service Program (SFS) Fellowship, sponsored by the National Science
Foundation and Department of Homeland Security (DHS). Mikhael
completed his graduate work at Carnegie Mellon University with a
Master's in Information Security Policy & Management and Bachelor's at
UCLA in Computer Science. He holds over 10 certifications in IT and
Security.
 

== May 20th, 2009 ==
* [http://video.google.com/videoplay?docid=2875886330538461390 Top Ten Web Hacking Techniques of 2008: "What's possible, not probable"] 
 
The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road.
 
Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co- founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA, CSI, HiTB, OWASP, ISSA, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks. Grossman is often quoted in the the business and technical press. Prior to WhiteHat, Grossman was an information security officer at Yahoo!
 
 

== April 15th, 2009 ==

* Cross Site Scripting, Exploits and Defenses 
For a long time, the impact of XSS vulnerabilities has been grossly underestimated. Recent compromises, such as the pro-Hillary [http://cyberinsecure.com/hacked-obama-site-redirects-visitors-to-clintons-site/ defacement] of Barack Obama's website, and a [http://www.securescience.net/twoubledtwitter.html Viral XSS in Twitter] demonstrated the impact of XSS vulnerabilities to the masses.

During this presentation, David Campbell will demonstrate exactly how effective XSS vulns can be, and show you what you can do to protect yourself and your sites.

This presentation was originally delivered to OWASP Colorado in May of 2008, and has been updated for this session.

[https://www.owasp.org/index.php/Image:DC_ED_OWASP_XSS_MAY2008_v1.0.pdf Slide deck from May '08 talk]
 
David Campbell is an infosec veteran, with experience ranging from penetration testing for Fortune 100's to architecting security solutions for large multinational financials to consulting for government agencies. DC is presently chapter leader of OWASP Denver and is Principal Consultant at Electric Alchemy.
 
 

== March 12th, 2009 ==

* NETWORK SECURITY DINNER WITH ISSA - CISO'S Security Dashboard Panel!! 
This month will be joining forces with ISSA to create the biggest netowork event for security professionals in Los Angeles for this year.
 
Agenda
* 5:30 p.m., Networking and tours of the antivirus facility
* 6:30 p.m., Dinner
* 7:30 p.m., CISO Panel
 
Panelists
* Robert J. Brown, CISSP, CISO WestCorp Credit Union
* Steve Haydostian, CISSP, Former CISO, Healthnet
* David Lam, CISSP, CISO, Stephen S. Wise
* Edward G. Pagett II, CISSP, CISO, Lender Processing Services, Inc.
* Mike O. Villegas, CISA, CISSP, Director of Information Security, Newegg.com
 
Dinner Fees:
* ISSA-LA members & OWASP members - Pre-Register and Pay online: $25
* ISSA-LA members & OWASP members - Pay at the door: $30
* Non-members - Pre-Register and Pay online: $30
* Non-members - Pay at the door: $35
 
Thanks to David Lam and Stan Stahl for agreeing to have OWASP joining this ISSA LA event!

== February 18th 2009 ==
[https://www.owasp.org/images/5/58/Cloud_Computing_Security.pdf Cloud Computing and Security]
 
The Cloud Computing and Software as a Service models are driving many companies to build innovative, scalable and cost effective alternatives to the traditional IT computing model. Even with the potential cost and scalability benefits of cloud computing, its use by more traditional enterprises has been retarded by the concerns of their professional security and audit staffs. In our experience these concerns are legitimate, and although surveys have shown that security is the #1 factor preventing adoption of cloud computing, there has been very little reliable discussion of the technical security risks inherent in the model and how engineers, sys-admins and architects can deal with these risks.
 
In this session, we will explore the widely differing security models of the leading cloud computing providers, including Amazon, Google and Salesforce. We will also reveal the significant differences in operational and application security practices necessary to deal with a cloud computing environment.
 
Alex Stamos is a co-founder and Partner at iSEC Partners Inc., a strategic digital security organization. Alex is an experienced security engineer specializing in solving difficult problems in application security and is a leading researcher in the field of web application and mobile security. He has been a featured speaker at top industry conferences such as Black Hat, Web 2.0 Expo, CanSecWest, DefCon, SyScan, SD Best Practices, Microsoft BlueHat and OWASP App Sec. Alex is a contributing author to "Hacking Exposed: Web 2.0" and an author of the upcoming book "Mobile Application Security", both from McGraw-Hill. He holds a BSEE from the University of California, Berkeley.
 

== January 28th 2009 ==
Building Security into the Test Organization
 
The common approach to detecting web security issues is still the regular application of a post-release pen-test or tool based scan. These last minute examinations rarely live up to broader organizational goals; they can be difficult to repeat, measure, or optimize over time. Most of all they're expensive: they find bugs late in the lifecycle. This talk recommends moving security testing responsibility within the test team itself. The approach discussed will work with-or-without the existence of explicit security requirements. See how security testing has been applied at other organizations and how it might be customized for yours.
 
Ben Walther firmly believes testers have a wonderfully devious mindset, and has been promoting the idea of "security testing" at Cigital's clients, at OWASP events, and to any friends and relatives who will listen. To this end, with the aid of O'Reilly media, Ben Walther and Paco Hope recently published a book entitled the "Web Security Testing Cookbook."
 

== December 10th 2008 ==
[http://www.owasp.org/images/7/79/OWASP-WASCAppSec2007SanJose_SamyWorm.ppt The MySpace Worm]
 
The most virulent worm in the history of the series of tubes known as the Internet. One of the most highly accessed websites ever [see comScore]. One of the most ostentatious hackers alive. Over one million victims. Less than 24 hours. Fueled only by Chipotle burritos. The MySpace Worm.
 
Samy will be recapping the story of the development, release and eventual future of the MySpace worm. The 24 hours that led up to over one million friends. The eventual downfall of the MySpace site for several hours. The non-malicious intent and humorous progression of the worm. The t-shirts. The copycats. The behind-the-scenes story of the Secret Service raid at Samy's home and office. The demise of Samy's legal use of computers, community service, restitution, high-risk offender probation, and rehabilitation. And where Samy is today. 

Samy Kamkar, software engineer and self-proclaimed playboy, is a meddler in the security and software realms. He is currently the Director of Engineering and co-founder of Fonality, Inc., an IP PBX startup located in Culver City. Previously, Samy led the development of all core top-level domain name server software and systems for Global Domains International (.ws). Prior to that, Samy worked with Penn State University developing psychometric personality assessment software with attention to artificial intelligence and bioinformatics. When not strapped behind the Matrix, Samy can be found performing parkour (free running), practicing urban escape artist maneuvers, or is found getting involved in local community service projects. In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in the areas of network security, reverse engineering, and network gaming, and continues his focus in staying out of jail. 

== November 19th 2008 ==
A new web attack vector: [http://www.eweek.com/c/a/Security/Security-Researcher-to-Reveal-New-Web-Attack-Vector/ Script Fragmentation] 

This presentation will introduce a new web-based attack vector which
utilizes client-side scripting to fragment malicious web content. 

This involves distributing web exploits in a asynchronous manner to
evade signature detection. Similar to TCP fragmentation attacks, which
are still an issue in current IDS/IPS products, This attack vector
involves sending any web exploit in fragments and uses the already
existing components within the web browser to reassemble and execute
the exploit. 

Our presentation will discuss this attack vector used to evade both
gateway and client side detection. We will show several proof of
concepts containing common readily available web exploits. 

Stephan Chenette is a Senior Security Researcher who helps lead Websense Security
Labs working on malcode detection techniques. Mr. Chenette specializes
in research tools ranging from kernel-land sandboxes, to static
analysis scanners. He has released public analyses on various
vulnerabilities and malware. Prior to joining Websense, Stephan was a
security software engineer for 4 years working in research and product
development at eEye Digital Security. 

== October 29th 2008 ==
Entitlements Management: Security and policies for SOA using XML appliances 

Loosely coupled Web Services can be insecure as, by their very nature, are exposed to application consumers. Security built into XML appliances alleviates the developer with the burden of coding security and policies into their application, freeing the developer to concentrate on conding business processes.
This evenings meeting will discuss SOA security challenges and introduce the Layer7 XML appliance that allows for dynamic policies to be configured on the fly using an intuitive user interface.
 
Jonathan Gershater’s career started at 3Com, managing servers and networks. His initial foray into Enterprise Software began in 1999 at enCommerce, which was later acquired by Entrust. He worked at Sun Microsystems from 2005 to 2008 architecting and deploying identity solutions for customers using Sun Java System Identity products. He recently joined Layer 7 Technologies as a senior solution architect.
He can be reached at jgershater@layer7tech.com.
 

== September 17th 2008 ==
The web hacking incident database (WHID) 2007 Report is a Web Application Security Consortium project dedicated to maintaining a list of web applications related security incidents. The database classifies each reported attack by, among other criteria, the method used, the outcome of the attack and the industry and the country of the attacked organization. Based on the database Breach Labs which sponsors WHID issues a periodical report on trends in Web Application Security.

By providing answers to questions such as:

* The drivers behind Web hacking.
* The technology hackers use.
* The types of organizations attacked most often.
* The common outcomes

The presentation will discuss WHID statistics, focusing on rising trends in Web Attacks in the 1st half of 2008. As the WHID enables research into the business model behind hacking, the presentation goes beyond discussing the technical aspects of attacks such as SQL injection crawlers and Web Site herding, to discussing the business model common to all of the attacks: Economy of scale.
 
 

Ryan C. Barnett is a recognized security thought leader and evangelist who frequently speaks with the media and industry groups.

He is the director of application security at Breach Security. He is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security/Building a Web Application Firewall Workshop, Top 20 Vulnerabilities Team Member and Local Mentor for the SANS Track 4, "Hacker Techniques, Exploits and Incident Handling" course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX) and Security Essentials (GSEC).

Mr. Barnett also serves as the team lead for the Center for Internet Security Apache Benchmark Project and is a member of the Web Application Security Consortium. His web security book, "Preventing Web Attacks with Apache,” was published by Addison/Wesley in 2006.

== August 19th 2008 ==
"Don't Write Your Own Security Code" – Application security is arguably the most difficult IT challenge facing organizations today. There are over 600 different categories of vulnerabilities to avoid and they are all tricky. Most of these problems are related to the design, implementation, and use of a relatively small set of security controls. To solve this problem for developers, Jeff created the OWASP ESAPI project – a clean intuitive toolbox of the core security building blocks that every web developer needs. In this talk, Jeff will show you how to create an ESAPI for your organization that will solve the OWASP Top Ten vulnerabilities, increase assurance, and dramatically cut costs all at the same time.

Jeff Williams is the founder and CEO of Aspect Security, specializing in application security services. Jeff also serves as the volunteer Chair of the Open Web Application Security Project (OWASP). Jeff has made extensive contributions to the application security community through OWASP, including the Top Ten, WebGoat, Stinger, Secure Software Contract Annex, Enterprise Security API, and the local chapters program. Jeff holds advanced degrees in psychology, computer science, and human factors, and graduated cum laude from Georgetown Law.