OWASP - User contributions [en]

Bay Area

2013-07-10T22:20:52Z

Cscott:

{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}

== Chapter Meetings ==

=== July 2013 ===
'''When''': Thursday, July 11, 2013 from 5:30 PM to 8:30 PM (PST)

'''Location''': Room 150, University Hall, UC Berkeley.

The room is to the immediate left after entering the building from
Addison street at ground level (not basement level).

For driving/public-transit directions, look up:
2199 Addison St., Berkeley, CA, 94720

'''No RSVP Required'''

Details:

5:30 - 5:45 Social gathering

5:45 - 6:00 Welcome (Cory Scott) / OWASP Update (Sarah Baso)

6:00 - 6:15 An Empirical Study of Vulnerability Rewards Programs, Devdatta Akhawe

6:15 - 7:15 "Putting Your Robots to Work", Twitter Security Team

Getting There:

BART:
The "Downtown Berkeley" BART station is two blocks away.

Parking:
It's Summer, and metered street parking is available nearby.

Paid off-street parking is also available. One street south on Center street, the Bank of America lot is cheap but small, and there is a large
lot on Alston street between Shattuck and Milvia.

== Bay Area Past Events ==

[https://www.owasp.org/index.php/Bay_Area_Past_Events Bay Area Past Events]

== Bay Area Chapter Leaders ==

*[mailto:teresa.ann.stevens2009@gmail.com Teresa Stevens]
*[mailto:cory@crazypenguin.com Cory Scott]

[[Category:California]]
[[Category:OWASP Chapter]]

Chicago

2012-01-19T17:09:59Z

Cscott: /* Agenda */

== Next Chapter Meeting: January 19th, 2012 ==

The next OWASP Chicago chapter will be on '''January 19th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by Morningstar at their [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=22+West+Washington+Street+Chicago,+IL+60602&aq=&sll=37.0625,-95.677068&sspn=30.599615,68.554688&ie=UTF8&hq=&hnear=22+W+Washington+St,+Chicago,+Illinois+60602&z=16 downtown Chicago headquarters location] (22 West Washington Street Chicago, IL 60602).

'''You must RSVP for this event''' by sending an email to [mailto:vitaly.mclain@gmail.com Vitaly McLain]. Please try to include "OWASP" in the subject, and send your name no later than 4PM on January 18th. When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks. The meeting is open to everyone and is free to attend!

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

==Agenda==

'''Speakers''':

* '''Abraham Kang - DOM-based XSS and output encoding'''

An interactive presentation that intends to turn all of the listeners of the presentation into XSS experts and help them understand how to mitigate XSS properly using output encoding.

* '''Luca Carettoni - From CVE-2010-0738 to the recent JBoss worm'''

Being a widely deployed enterprise application server, JBoss has always been a juicy target for attackers. Security vulnerabilities and misconfigurations in critical components, such as the infamous JMX-console, can be exploited in order to execute arbitrary code and harm the confidentiality, integrity and availability of the entire system. Our quick journey through JBoss insecurity will start from the analysis of a critical authentication bypass flaw to the recent JBoss worm which affected numerous installations worldwide. This presentation will also cover practical aspects on how to detect misconfigurations and secure your application server. Slides here: [[File:OWASP3011_Luca.pdf‎]]

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as the date nears.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.] Any questions about the January meeting please contact [mailto:vitaly.mclain@gmail.com Vitaly McLain].

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

File:OWASP3011 Luca.pdf

2012-01-19T17:08:07Z

Cscott: Luca Carettoni's OWASP Chicago slides presented on January 19th, 2012 on JBoss Security.

Luca Carettoni's OWASP Chicago slides presented on January 19th, 2012 on JBoss Security.

Bay Area

2011-12-03T06:54:01Z

2011-11-23T05:04:06Z

Cscott:

{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}

==== Chapter Meetings ====

== Date and Location ==

=== Next Event ===

November 30, 2011

Stanford Campus, Alumni Center, Lane/Ladato rooms 
Directions: http://www.stanfordalumni.org/aboutsaa/alumni_center/directions.html 
Parking will be available on Galvez field right next to the center. 
'''Agenda'''

5:30pm - Welcome

5:40pm - Jason Chan, Practical Cloud Security

6:15pm - Luca Carettoni, From CVE-2010-0738 to the recent JBoss worm

6:50pm - David Fifield, Evading censorship with browser-based proxies

7:25pm - Abraham Kang, DOM-based XSS and output encoding

'''You must RSVP''' at http://owaspbayareanov2011.eventbrite.com/ prior to attending, we need to know how many people are coming to make sure we have the correct room sizing.

----

'''Jason Chan - Practical Cloud Security''' Over the past several years, there has been much hand wringing and teeth gnashing related to public cloud security. Because of this, many organizations have limited or delayed their cloud usage. Faced with business and market imperatives that demanded scale and elasticity that traditional data center architectures could not provide, Netflix jumped head first into the public cloud two years ago. As we continue to mature our environment, we’ve also begun leveraging the benefits of the public cloud to enhance our security posture and capabilities. This presentation will be a practical examination of Netflix’s approach to cloud security. Topics covered include: • Using public cloud automation and APIs to enhance security visibility • Netflix’s “Security Monkey” tool for cloud security monitoring and alerting • Inter-host reachability and connectivity analysis for firewall policy evaluation and optimization • Netflix’s model-driven architecture for securing and managingsystems and applications • Call to action: Cloud Security Gap Analysis and Next Steps

'''Luca Carettoni - From CVE-2010-0738 to the recent JBoss worm''' Being a widely deployed enterprise application server, JBoss has always been a juicy target for attackers. Security vulnerabilities and misconfigurations in critical components, such as the infamous JMX-console, can be exploited in order to execute arbitrary code and harm the confidentiality, integrity and availability of the entire system. Our quick journey through JBoss insecurity will start from the analysis of a critical authentication bypass flaw to the recent JBoss worm which affected numerous installations worldwide. This presentation will also cover practical aspects on how to detect misconfigurations and secure your application server.

'''David Fifield - Evading censorship with browser-based proxies''' Proxy systems like Tor and VPNs can be used to get around Internet censorship and access blocked resources, but what happens when the circumvention system itself is blocked? A flash proxy is a miniature proxy that runs in a web browser, that can be activated just by viewing a web page. Web site visitors provide a large and constantly changing pool of proxy addresses that are difficult to block. Even though each proxy may last only seconds or minutes, it is possible to switch between them in a way that makes web browsing more or less seamless. We will share details of our flash proxy implementation and explain how to add a proxy to your web page.

'''Abraham Kang - DOM-based XSS and output encoding''' An interactive presentation that intends to turn all of the listeners of the presentation into XSS experts and help them understand how to mitigate XSS properly using output encoding.

=== Previous Event ===

'''WHAT''': OWASP Silicon Valley Chapter Meeting

'''WHEN''': Thursday, August 25th, 2011 - From 6 PM to 8.30 PM

'''WHERE''': Mozilla Foundation Offices - 650 Castro Street, Unit 300, Mountain View , CA 94041

(right next to Starbucks)

REGISTER EARLY AS SEATING IS LIMITED

Please RSVP by registering at http://www.regonline.com/owaspsiliconvalleychaptermeeting

Agenda:
* 6:00 PM - 6:30 PM .............Check-in, registration, networking
* 6:30 PM – 6:35 PM ........... Welcome Remarks/Agenda - Mandeep Khera
* 6:35 PM - 7:45 PM ............ Enabling Browser Security in Web Applications- Michael Coates, Mozilla
* 7:45 PM – 8:30 PM…......... Blackhat spam SEO - Julien Sobrier, Zscaler

'''SPONSORS''': Special Thanks to our host and sponsor - Mozilla Foundation.

==== Donate Funds to Bay Area Chapter ====

<paypal>Bay Area</paypal>

= Bay Area Past Events =

[[Bay Area Past Events]]

==== Bay Area OWASP Chapter Leaders ====

*[mailto:brian@appsecconsulting.com Brian Bertacini]
*[http://garrettgee.com Garrett Gee]
*[mailto:mandeep@cenzic.com Mandeep Khera]
*[mailto:robipapp@yahoo.com Robi Papp]

__NOTOC__ <headertabs />

[[Category:California]]

Bay Area

2011-11-20T19:25:23Z

Cscott: /* Next Event */

{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}

==== Chapter Meetings ====

== Date and Location ==

=== Next Event ===

November 30, 2011

Stanford Campus, CIS Auditorium (CIS-X) 
Map: http://campus-map.stanford.edu/?id=04-055&lat=37.4299079646&lng=-122.174800726&zoom=17&srch=CIS 
Directions: http://isl.stanford.edu/groups/elgamal/people/kfife/CIS-X_directions.pdf 

'''Agenda'''

5:30pm - Welcome

5:40pm - Jason Chan, Practical Cloud Security

6:15pm - Luca Carettoni, From CVE-2010-0738 to the recent JBoss worm

6:50pm - David Fifield, Evading censorship with browser-based proxies

7:25pm - Abraham Kang, DOM-based XSS and output encoding

'''You must RSVP''' at http://owaspbayareanov2011.eventbrite.com/ prior to attending, we need to know how many people are coming to make sure we have the correct room sizing.

----

'''Jason Chan - Practical Cloud Security''' Over the past several years, there has been much hand wringing and teeth gnashing related to public cloud security. Because of this, many organizations have limited or delayed their cloud usage. Faced with business and market imperatives that demanded scale and elasticity that traditional data center architectures could not provide, Netflix jumped head first into the public cloud two years ago. As we continue to mature our environment, we’ve also begun leveraging the benefits of the public cloud to enhance our security posture and capabilities. This presentation will be a practical examination of Netflix’s approach to cloud security. Topics covered include: • Using public cloud automation and APIs to enhance security visibility • Netflix’s “Security Monkey” tool for cloud security monitoring and alerting • Inter-host reachability and connectivity analysis for firewall policy evaluation and optimization • Netflix’s model-driven architecture for securing and managingsystems and applications • Call to action: Cloud Security Gap Analysis and Next Steps

'''Luca Carettoni - From CVE-2010-0738 to the recent JBoss worm''' Being a widely deployed enterprise application server, JBoss has always been a juicy target for attackers. Security vulnerabilities and misconfigurations in critical components, such as the infamous JMX-console, can be exploited in order to execute arbitrary code and harm the confidentiality, integrity and availability of the entire system. Our quick journey through JBoss insecurity will start from the analysis of a critical authentication bypass flaw to the recent JBoss worm which affected numerous installations worldwide. This presentation will also cover practical aspects on how to detect misconfigurations and secure your application server.

'''David Fifield - Evading censorship with browser-based proxies''' Proxy systems like Tor and VPNs can be used to get around Internet censorship and access blocked resources, but what happens when the circumvention system itself is blocked? A flash proxy is a miniature proxy that runs in a web browser, that can be activated just by viewing a web page. Web site visitors provide a large and constantly changing pool of proxy addresses that are difficult to block. Even though each proxy may last only seconds or minutes, it is possible to switch between them in a way that makes web browsing more or less seamless. We will share details of our flash proxy implementation and explain how to add a proxy to your web page.

'''Abraham Kang - DOM-based XSS and output encoding''' An interactive presentation that intends to turn all of the listeners of the presentation into XSS experts and help them understand how to mitigate XSS properly using output encoding.

=== Previous Event ===

'''WHAT''': OWASP Silicon Valley Chapter Meeting

'''WHEN''': Thursday, August 25th, 2011 - From 6 PM to 8.30 PM

'''WHERE''': Mozilla Foundation Offices - 650 Castro Street, Unit 300, Mountain View , CA 94041

(right next to Starbucks)

REGISTER EARLY AS SEATING IS LIMITED

Please RSVP by registering at http://www.regonline.com/owaspsiliconvalleychaptermeeting

Agenda:
* 6:00 PM - 6:30 PM .............Check-in, registration, networking
* 6:30 PM – 6:35 PM ........... Welcome Remarks/Agenda - Mandeep Khera
* 6:35 PM - 7:45 PM ............ Enabling Browser Security in Web Applications- Michael Coates, Mozilla
* 7:45 PM – 8:30 PM…......... Blackhat spam SEO - Julien Sobrier, Zscaler

'''SPONSORS''': Special Thanks to our host and sponsor - Mozilla Foundation.

==== Donate Funds to Bay Area Chapter ====

<paypal>Bay Area</paypal>

= Bay Area Past Events =

[[Bay Area Past Events]]

==== Bay Area OWASP Chapter Leaders ====

*[mailto:brian@appsecconsulting.com Brian Bertacini]
*[http://garrettgee.com Garrett Gee]
*[mailto:mandeep@cenzic.com Mandeep Khera]
*[mailto:robipapp@yahoo.com Robi Papp]

__NOTOC__ <headertabs />

[[Category:California]]

Bay Area

2011-11-02T22:12:06Z

Cscott: /* Next Event */

{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}

==== Chapter Meetings ====

== Date and Location ==

=== Next Event ===

November 30, 2011

Stanford Campus, Gates 104 Directions to the Gates building available here: http://forum.stanford.edu/visitors/directions/gates.php

'''Agenda'''

5:30pm - Welcome

5:40pm - Jason Chan, Practical Cloud Security

6:15pm - Luca Carettoni, From CVE-2010-0738 to the recent JBoss worm

6:50pm - David Fifield, Evading censorship with browser-based proxies

7:25pm - Abraham Kang, DOM-based XSS and output encoding

'''You must RSVP''' at http://owaspbayareanov2011.eventbrite.com/ prior to attending, we need to know how many people are coming to make sure we have the correct room sizing.

----

'''Jason Chan - Practical Cloud Security''' Over the past several years, there has been much hand wringing and teeth gnashing related to public cloud security. Because of this, many organizations have limited or delayed their cloud usage. Faced with business and market imperatives that demanded scale and elasticity that traditional data center architectures could not provide, Netflix jumped head first into the public cloud two years ago. As we continue to mature our environment, we’ve also begun leveraging the benefits of the public cloud to enhance our security posture and capabilities. This presentation will be a practical examination of Netflix’s approach to cloud security. Topics covered include: • Using public cloud automation and APIs to enhance security visibility • Netflix’s “Security Monkey” tool for cloud security monitoring and alerting • Inter-host reachability and connectivity analysis for firewall policy evaluation and optimization • Netflix’s model-driven architecture for securing and managingsystems and applications • Call to action: Cloud Security Gap Analysis and Next Steps

'''Luca Carettoni - From CVE-2010-0738 to the recent JBoss worm''' Being a widely deployed enterprise application server, JBoss has always been a juicy target for attackers. Security vulnerabilities and misconfigurations in critical components, such as the infamous JMX-console, can be exploited in order to execute arbitrary code and harm the confidentiality, integrity and availability of the entire system. Our quick journey through JBoss insecurity will start from the analysis of a critical authentication bypass flaw to the recent JBoss worm which affected numerous installations worldwide. This presentation will also cover practical aspects on how to detect misconfigurations and secure your application server.

'''David Fifield - Evading censorship with browser-based proxies''' Proxy systems like Tor and VPNs can be used to get around Internet censorship and access blocked resources, but what happens when the circumvention system itself is blocked? A flash proxy is a miniature proxy that runs in a web browser, that can be activated just by viewing a web page. Web site visitors provide a large and constantly changing pool of proxy addresses that are difficult to block. Even though each proxy may last only seconds or minutes, it is possible to switch between them in a way that makes web browsing more or less seamless. We will share details of our flash proxy implementation and explain how to add a proxy to your web page.

'''Abraham Kang - DOM-based XSS and output encoding''' An interactive presentation that intends to turn all of the listeners of the presentation into XSS experts and help them understand how to mitigate XSS properly using output encoding.

=== Previous Event ===

'''WHAT''': OWASP Silicon Valley Chapter Meeting

'''WHEN''': Thursday, August 25th, 2011 - From 6 PM to 8.30 PM

'''WHERE''': Mozilla Foundation Offices - 650 Castro Street, Unit 300, Mountain View , CA 94041

(right next to Starbucks)

REGISTER EARLY AS SEATING IS LIMITED

Please RSVP by registering at http://www.regonline.com/owaspsiliconvalleychaptermeeting

Agenda:
* 6:00 PM - 6:30 PM .............Check-in, registration, networking
* 6:30 PM – 6:35 PM ........... Welcome Remarks/Agenda - Mandeep Khera
* 6:35 PM - 7:45 PM ............ Enabling Browser Security in Web Applications- Michael Coates, Mozilla
* 7:45 PM – 8:30 PM…......... Blackhat spam SEO - Julien Sobrier, Zscaler

'''SPONSORS''': Special Thanks to our host and sponsor - Mozilla Foundation.

==== Donate Funds to Bay Area Chapter ====

<paypal>Bay Area</paypal>

= Bay Area Past Events =

[[Bay Area Past Events]]

==== Bay Area OWASP Chapter Leaders ====

*[mailto:brian@appsecconsulting.com Brian Bertacini]
*[http://garrettgee.com Garrett Gee]
*[mailto:mandeep@cenzic.com Mandeep Khera]
*[mailto:robipapp@yahoo.com Robi Papp]

__NOTOC__ <headertabs />

[[Category:California]]

Bay Area

2011-11-02T22:11:20Z

Cscott: /* Previous Event */

{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}

==== Chapter Meetings ====

== Date and Location ==

=== Next Event ===

November 30, 2011

Stanford Campus, Gates 104
Directions to the Gates building available here: http://forum.stanford.edu/visitors/directions/gates.php

'''Agenda'''
5:30pm - Welcome
5:40pm - Jason Chan, Practical Cloud Security
6:15pm - Luca Carettoni, From CVE-2010-0738 to the recent JBoss worm
6:50pm - David Fifield, Evading censorship with browser-based proxies
7:25pm - Abraham Kang, DOM-based XSS and output encoding

'''You must RSVP''' at http://owaspbayareanov2011.eventbrite.com/ prior to attending, we need to know how many people are coming to make sure we have the correct room sizing.

----
'''Jason Chan - Practical Cloud Security
'''
Over the past several years, there has been much hand wringing and teeth gnashing related to public cloud security. Because of this, many organizations have limited or delayed their cloud usage.
Faced with business and market imperatives that demanded scale and elasticity that traditional data center architectures could not provide, Netflix jumped head first into the public cloud two years ago. As we continue to mature our environment, we’ve also begun leveraging the benefits of the public cloud to enhance our security posture and capabilities.
This presentation will be a practical examination of Netflix’s approach to cloud security. Topics covered include:
• Using public cloud automation and APIs to enhance security visibility
• Netflix’s “Security Monkey” tool for cloud security monitoring and alerting
• Inter-host reachability and connectivity analysis for firewall policy evaluation and optimization
• Netflix’s model-driven architecture for securing and managingsystems and applications
• Call to action: Cloud Security Gap Analysis and Next Steps

'''Luca Carettoni - From CVE-2010-0738 to the recent JBoss worm
'''
Being a widely deployed enterprise application server, JBoss has always been a juicy target for attackers. Security vulnerabilities and misconfigurations in critical components, such as the infamous JMX-console, can be exploited in order to execute arbitrary code and harm the confidentiality, integrity and availability of the entire system. Our quick journey through JBoss insecurity will start from the analysis of a critical authentication bypass flaw to the recent JBoss worm which affected numerous installations worldwide. This presentation will also cover practical aspects on how to detect misconfigurations and secure your application server.

'''David Fifield - Evading censorship with browser-based proxies
'''
Proxy systems like Tor and VPNs can be used to get around Internet censorship and access blocked resources, but what happens when the circumvention system itself is blocked? A flash proxy is a miniature proxy that runs in a web browser, that can be activated just by viewing a web page. Web site visitors provide a large and constantly changing pool of proxy addresses that are difficult to block. Even though each proxy may last only seconds or minutes, it is possible to switch between them in a way that makes web browsing more or less seamless. We will share details of our flash proxy implementation and explain how to add a proxy to your web page.

'''Abraham Kang - DOM-based XSS and output encoding
'''
An interactive presentation that intends to turn all of the listeners of the presentation into XSS experts and help them understand how to mitigate XSS properly using output encoding.

=== Previous Event ===

'''WHAT''': OWASP Silicon Valley Chapter Meeting

'''WHEN''': Thursday, August 25th, 2011 - From 6 PM to 8.30 PM

'''WHERE''': Mozilla Foundation Offices - 650 Castro Street, Unit 300, Mountain View , CA 94041

(right next to Starbucks)

REGISTER EARLY AS SEATING IS LIMITED

Please RSVP by registering at http://www.regonline.com/owaspsiliconvalleychaptermeeting

Agenda:
* 6:00 PM - 6:30 PM .............Check-in, registration, networking
* 6:30 PM – 6:35 PM ........... Welcome Remarks/Agenda - Mandeep Khera
* 6:35 PM - 7:45 PM ............ Enabling Browser Security in Web Applications- Michael Coates, Mozilla
* 7:45 PM – 8:30 PM…......... Blackhat spam SEO - Julien Sobrier, Zscaler

'''SPONSORS''': Special Thanks to our host and sponsor - Mozilla Foundation.

==== Donate Funds to Bay Area Chapter ====

<paypal>Bay Area</paypal>

= Bay Area Past Events =

[[Bay Area Past Events]]

==== Bay Area OWASP Chapter Leaders ====

*[mailto:brian@appsecconsulting.com Brian Bertacini]
*[http://garrettgee.com Garrett Gee]
*[mailto:mandeep@cenzic.com Mandeep Khera]
*[mailto:robipapp@yahoo.com Robi Papp]

__NOTOC__ <headertabs />

[[Category:California]]

Bay Area

2011-11-02T22:10:59Z

Cscott: /* Next Event */

{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}

==== Chapter Meetings ====

== Date and Location ==

=== Next Event ===

November 30, 2011

Stanford Campus, Gates 104
Directions to the Gates building available here: http://forum.stanford.edu/visitors/directions/gates.php

'''Agenda'''
5:30pm - Welcome
5:40pm - Jason Chan, Practical Cloud Security
6:15pm - Luca Carettoni, From CVE-2010-0738 to the recent JBoss worm
6:50pm - David Fifield, Evading censorship with browser-based proxies
7:25pm - Abraham Kang, DOM-based XSS and output encoding

'''You must RSVP''' at http://owaspbayareanov2011.eventbrite.com/ prior to attending, we need to know how many people are coming to make sure we have the correct room sizing.

----
'''Jason Chan - Practical Cloud Security
'''
Over the past several years, there has been much hand wringing and teeth gnashing related to public cloud security. Because of this, many organizations have limited or delayed their cloud usage.
Faced with business and market imperatives that demanded scale and elasticity that traditional data center architectures could not provide, Netflix jumped head first into the public cloud two years ago. As we continue to mature our environment, we’ve also begun leveraging the benefits of the public cloud to enhance our security posture and capabilities.
This presentation will be a practical examination of Netflix’s approach to cloud security. Topics covered include:
• Using public cloud automation and APIs to enhance security visibility
• Netflix’s “Security Monkey” tool for cloud security monitoring and alerting
• Inter-host reachability and connectivity analysis for firewall policy evaluation and optimization
• Netflix’s model-driven architecture for securing and managingsystems and applications
• Call to action: Cloud Security Gap Analysis and Next Steps

'''Luca Carettoni - From CVE-2010-0738 to the recent JBoss worm
'''
Being a widely deployed enterprise application server, JBoss has always been a juicy target for attackers. Security vulnerabilities and misconfigurations in critical components, such as the infamous JMX-console, can be exploited in order to execute arbitrary code and harm the confidentiality, integrity and availability of the entire system. Our quick journey through JBoss insecurity will start from the analysis of a critical authentication bypass flaw to the recent JBoss worm which affected numerous installations worldwide. This presentation will also cover practical aspects on how to detect misconfigurations and secure your application server.

'''David Fifield - Evading censorship with browser-based proxies
'''
Proxy systems like Tor and VPNs can be used to get around Internet censorship and access blocked resources, but what happens when the circumvention system itself is blocked? A flash proxy is a miniature proxy that runs in a web browser, that can be activated just by viewing a web page. Web site visitors provide a large and constantly changing pool of proxy addresses that are difficult to block. Even though each proxy may last only seconds or minutes, it is possible to switch between them in a way that makes web browsing more or less seamless. We will share details of our flash proxy implementation and explain how to add a proxy to your web page.

'''Abraham Kang - DOM-based XSS and output encoding
'''
An interactive presentation that intends to turn all of the listeners of the presentation into XSS experts and help them understand how to mitigate XSS properly using output encoding.

=== Previous Event ===

When: June 22nd 11:30am - 1:30pm

Where: Pacific Gas & Electric Co Inc, 245 Market Street, Room 1417, San Francisco CA 94111 [http://maps.google.com/maps?q=245+market+street+san+francisco+ca&ie=UTF8&hq=&hnear=245+Market+St,+San+Francisco,+California+94111&gl=us&z=16 Directions]

Agenda:

Networking

1) Tom Brennan, International Board of Directors OWASP Foundation "Where we are... Where we are going"

2) Sam Bowne, City College San Francisco Computer Networking and Information Technology- [http://samsclass.info/contact.html BIO]

3) TBD

RSVP to: Teresa Stevens - ExSi(at)pge(dot)com so she can get a head count.

Lunch will be provided.

==== Donate Funds to Bay Area Chapter ====

<paypal>Bay Area</paypal>

= Bay Area Past Events =

[[Bay Area Past Events]]

==== Bay Area OWASP Chapter Leaders ====

*[mailto:brian@appsecconsulting.com Brian Bertacini]
*[http://garrettgee.com Garrett Gee]
*[mailto:mandeep@cenzic.com Mandeep Khera]
*[mailto:robipapp@yahoo.com Robi Papp]

__NOTOC__ <headertabs />

[[Category:California]]

2009-09-03T02:56:24Z

Cscott: /* Presentation abstracts */

{{Chapter Template|chaptername=Chicago|extra=The chapter leaders are [mailto:cory@crazypenguin.com Cory Scott] and [mailto:jason@wittys.com Jason Witty]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-chicago|emailarchives=http://lists.owasp.org/pipermail/owasp-chicago}}

==== Local News ====

==Next Meeting: September 17th==
http://www.owasp.org/index.php/Chicago#tab=Chapter_Meetings

==Make sure you sign up for the mailing list to receive meeting announcements.==

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago
==General Information==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:cory@crazypenguin.com Cory Scott] or [mailto:jason@wittys.com Jason Witty.]

Chicago chapter meetings are hosted by Bank of America[http://www.bankofamerica.com/]

<paypal>Chicago</paypal>
==== Chapter Meetings ====

The next quarterly Chicago OWASP Chapter meeting will be September 17th at the Bank of America Plaza, 540 W Madison Street at 6pm. Please RSVP to cory@crazypenguin.com by September 16th so we can enter your name into the building's security system.

===Agenda===

6:00 Refreshments and Welcome

6:15 AppSensor: Real Time Defenses against Application Worms and Malicious Attackers - Michael Coates

7:15 Assessing Thick Web Applications - Timur Duehr

===Presentation abstracts===

''AppSensor: Real Time Defenses against Application Worms and Malicious Attackers''

ABSTRACT

The OWASP AppSensor project was created to address the lack of defensive systems within applications. Regardless if an application is secure or insecure, malicious actions should be recorded, analyzed and responded to by the system. It is unacceptable to allow an attacker unrestricted attack attempts against the application. Eventually a known or unknown vulnerability will be discovered by the attacker and exploited. AppSensor monitors attack activity and takes defensive actions such as throttling or disabling the malicious account. Behavior analysis techniques are also employed to identify application worms. Defensive techniques are described which provide real-time containment of the application worm while maintaining overall system availability.

SPEAKER BIO

Michael Coates is a Senior Application Security Engineer for Aspect Security and has performed numerous penetration assessments, security code reviews, and security training sessions for leading corporations worldwide. Michael is the creator and leader of the AppSensor project and is completing a Masters Degree in Computer Security from DePaul University. In past years, Michael assessed the security of GSM and WiMAX telecommunication networks, application and network systems for financial institutions and performed social engineering testing.

''Assessing Thick Web Applications''

ABSTRACT

Recently, web applications have been pushing more application to the browser and in many cases entirely out of the browser. Technologies for pushing richer content to the client, such as ActiveX, Flash, Google's NaCl and browser extensions, can frustrate efforts to assess an application. Occasionally, these technologies remove the browser entirely to create a semi thick client that uses standard web application methodologies and transport methods.

While a few framework specific tools have begun to mature, they are geared toward debugging an application for quality assurance purposes rather than security assessment. A solution for many of these technologies is simply repurposing and reinventing some of the old application assessment tool chain: the debugger. A new generation of scriptable debuggers is showing up. Using these tools allows increased automation and visibility into the newest thick web application frameworks.

SPEAKER BIO

Timur Duehr is a Security Consultant at Matasano Security and a graduate student in Mathematical Computer Science at the University of Illinois at Chicago. Timur is one of the lead developers of Ragweed, a scriptable debugger written in Ruby for win32, OSX and linux applications.

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

==== Chicago OWASP Chapter Leaders ====
[mailto:cory@crazypenguin.com Cory Scott]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2009-09-03T02:55:29Z

Cscott: /* Agenda */

Chicago

2009-08-25T15:27:05Z

Cscott:

Chicago

2009-08-25T14:53:47Z

Cscott: /* Next Meeting: October 17th */

2008-10-30T01:07:36Z

Cscott: /* Next Meeting */

== Welcome to the OWASP Chicago Local Chapter ==

<paypal>Chicago</paypal>

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:cory@crazypenguin.com Cory Scott] or [mailto:jason@wittys.com Jason Witty.]

The Chicago chapter is sponsored by Bank of America[http://www.bankofamerica.com/]

== Next Meeting ==

The next quarterly Chicago OWASP Chapter meeting will be November 13th at the Bank of America Plaza, 540 W Madison Street at 6pm. Please RSVP to jason@wittys.com by November 12th so we can enter your name into the building's security system.

===Agenda===

6:00 Refreshments and Networking / Overview of recent OWASP projects - Cory Scott

6:15 Concurrency Attacks in Web Applications - Scott Stender, iSEC Partners

7:15 (Title yet to be provided) - Thomas Ptacek, Matasano Security

===Presentation abstracts===

''Concurrency Attacks in Web Applications''

ABSTRACT

Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes. However, these attributes often encourage programming practices that make managing state difficult for a typical programmer.

Web application developers must carefully manage access to all resources that can shared by threads. Global variables, session variables, back-end systems, and application-specific data stores are common examples of such resources.

Concurrency flaws result when access to shared resources is not managed properly - something that is easy to do when the development environment purposefully encapsulates and abstracts the resources that need to be managed! When manipulating those resources carries a security impact, the attackers take notice.

Each prevalent class of security flaw shares a common attribute: mistakes happen when doing the right thing is difficult. It is our opinion that concurrency flaws, especially in the context of web applications, share this attribute. This presentation will provide insight into the ease with which concurrency flaws can be introduced into systems, offer guidance on evaluating the security impact of such flaws, and discuss strategies for eliminating such flaws that will be helpful to developers and testers alike.

SPEAKER BIO

Scott Stender
Principal Partner, iSEC Partners

Scott Stender is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2008-10-09T14:29:36Z

Cscott: /* Welcome to the OWASP Chicago Local Chapter */

Chicago

2008-08-27T01:30:56Z

Cscott: /* Next Meeting */

== Welcome to the OWASP Chicago Local Chapter ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:cory@crazypenguin.com Cory Scott] or [mailto:jason@wittys.com Jason Witty.]

The Chicago chapter is sponsored by Bank of America[http://www.bankofamerica.com/]

== Next Meeting ==

The next Quarterly Chicago OWASP Chapter meeting will take place in November or December 2008.

===Agenda===

TBD

===Presentation abstracts===

TBD

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2008-08-27T01:24:48Z

Cscott:

== Welcome to the OWASP Chicago Local Chapter ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:cory@crazypenguin.com Cory Scott] or [mailto:jason@wittys.com Jason Witty.]

The Chicago chapter is sponsored by Bank of America[http://www.bankofamerica.com/]

== Next Meeting ==

The next Quarterly Chicago OWASP Chapter meeting will take place in November or December 2008..

===Agenda===

TBD

===Presentation abstracts===

TBD

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

[[Category:OWASP Chapter]]
[[Category:Illinois]]