https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=DancornellOWASP - User contributions [en]2026-04-14T22:02:18ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=San_Antonio&diff=159141San Antonio2013-09-25T15:17:05Z<p>Dancornell: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=San Antonio|extra=The chapter leader is [mailto:dan@denimgroup.com Dan Cornell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanantonio|emailarchives=http://lists.owasp.org/pipermail/owasp-sanantonio}} <br />
<br />
== Local News ==<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, October 2nd, 2013'''<br />
<br />
Topic: Cloud Keep: Vision of the SWAMP<br />
<br />
Presenters: Patrick Beyer<br />
<br />
Date: Wednesday, October 2, 2013<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
<br />
This Presentation is an overview of the Software Assurance Marketplace (SWAMP) project. The SWAMP is a 23 Million dollar DHS funded initiative to<br />
build a physical and virtual facility to help improve the quality of software that is being designed, both open-source and proprietary. This<br />
platform democratizes the SwA environment by providing a free, virtual market where the user community can come to share tools, techniques, resources and experiences with the goal of improving software assurance (reducing software vulnerabilities)"<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, July 10th, 2013'''<br />
<br />
Topic: Cloud Keep: Protect Your Secrets at Scale<br />
<br />
Presenters: Jarret Raim and Matt Tesauro<br />
<br />
Date: Wednesday, July 10, 2013<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
<br />
One saying in the software security world has rung true for longer than any other encryption is easy, key management is hard. Unfortunately, the tools we have for properly generating, storing, using and protecting keys are sorely lacking. This presentation will present a "key management as a service" architecture that allows for rapid scaling, Cloud use cases while achieving high security, auditability and compliance using open source technologies.<br />
<br />
Presenter Bios:<br />
<br />
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace’s internal software teams as well as defined strategy for building secure systems on Rackspace’s OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant for Denim Group, Jarret has assessed and remediated applications in all industries and has experience width a wide variety of both development environments and the tools used to audit them. Jarret has recently taken charge of Rackspace's efforts to secure the Cloud through new product development, training and research. Jarret holds a Masters in Computer Science from Lehigh University and Bachelors in Computer Science from Trinity University.<br />
<br />
Matt has been involved in the information technology and application development for more than 10 years. He is currently the Product Security Engineering lead at Rackspace. Prior to joining Rackspace, Matt spent time as a application security consultant and spent several years as the “appsec guy” at a government agency. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven.<br />
<br />
He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, Agile Austin, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt is currently active with the OpenStack Security Group (OSSG) and a fomer board member of the OWASP Foundation. He is highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP OpenStack Security project - a project to bring the OpenStack and OWASP communities together.<br />
<br />
He has also run the OWASP WTE (Web Testing Environment) since 2008 which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications - all running on Linux (of course). Industry designations include the RHCE, Linux+, Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, June 5th, 2013'''<br />
<br />
Topic: Be Mean to Your Code Using Gauntlt [Slides http://www.slideshare.net/wickett/be-mean-to-your-code-owasp-san-antonio]<br />
<br />
Presenter: James Wickett<br />
<br />
Date: Wednesday, June 5, 2013<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
<br />
"Be Mean to Your Code” is the core concept behind the ruggedization framework called Gauntlt (http://gauntlt.org) which brings the benefits of Behaviour Driven Development to the realms of automated security testing, application hardening and ruggedization. Security testing is often done at a cadence set by the audit team and is often obscured from the development and operations teams. This isn't good and this creates an adversarial relationship between security, dev and ops.<br />
<br />
Gauntlt helps security, ops, and development teams work together. Gauntlt is meant to be used by security experts with interest in automation as well as developers with interest in security. It can be used to deliver the results of a security audit or penetration test via failing Gauntlt attacks (tests) which can in turn be added to automated test suites. Developers know they have resolved a particular vulnerability when Gauntlt no longer reports a failure. Gauntlt can also be used in regression tests to detect when a previously resolved vulnerability has been re-introduced.<br />
<br />
Traditional approaches to web security can be less effective in cloud environments, due to the highly dynamic nature of cloud infrastructure. Fortunately, infrastructure-driven, continuous testing can overcome many of these challenges. Netflix uses Gauntlt to continuously validate that the security configuration of its cloud deployment and applications remains as expected, even with a rapid rate of change and high degree of self-service.<br />
<br />
One of the core contributors of the Gauntlt project, James Wickett will talk about the history of the project, the current features, examples of how to use Gauntlt and the future roadmap of Gauntlt. As part of this talk we will do a demo where we will walk through getting started using pre-built Gauntlt attacks and then move to writing our own Gauntlt attacks. Come find out how to "Be Mean to Your Code" and ruggedize your next project.<br />
<br />
Gauntlt is an open source ruggedization framework using cucumber and written in ruby. It has been developed in collaboration with the security engineering teams at Netflix and Twitter. Gauntlt is MIT Licensed and hosted on github at http://github.com/gauntlt/gauntlt.<br />
<br />
Presenter Bio:<br />
<br />
http://about.me/wickett<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400 and mention that you are coming to the OWASP San Antonio meeting.<br />
<br />
<br />
<br />
'''OWASP Developer Security Training at BSides San Antonio: Saturday May 4th, 2013'''<br />
<br />
Attend BSides San Antonio for three mini-courses for developers wanting to learn about security.<br />
<br />
To register: <br />
<br />
https://bsidessatx.eventbrite.com/<br />
<br />
The event is sold out - looking forward to seeing everyone there on Saturday.<br />
<br />
Each mini-course will be around 1.5 hours in length. Attendees will also have full access to the rest of the BSides San Antonio event.<br />
<br />
Main BSides San Antonio site:<br />
<br />
http://bsidestexas.blogspot.com/p/san-antonio-april-2013.html<br />
<br />
''Mini-Course 1''<br />
<br />
Title: Threat Modeling for Developers '''(10:30am - Noon)'''<br />
<br />
Abstract:<br />
<br />
Threat modeling is a valuable technique for identifying potential security<br />
issues in complex applications but many development teams have been slow<br />
to adopt it because of a perception that it can only be done by security<br />
specialists as well as a lack of guidance on how to get the most out of<br />
the activity. This mini-course walks through the process of Threat<br />
modeling from the perspective of a developer trying to identify issues<br />
early in the development process so that problems can be avoided and<br />
controls can be put in place with a minimum level of effort. The materials<br />
include discussion of where threat modeling is best done during the<br />
development lifecycle as well as the process of creating and refining a<br />
threat model. This is an interactive experience, with participants working<br />
together to walk through the threat modeling process.<br />
<br />
''Mini-Course 2''<br />
<br />
Title: Developing Secure Web Applications '''(1:00pm - 2:30pm)'''<br />
<br />
Abstract:<br />
<br />
Web applications are a convenient entry point for attackers because they<br />
are often publicly-available and many are built without a focus on<br />
security. This mini-course provides a developer-focused introduction to<br />
building web applications designed to operate in the face of malicious<br />
attackers. It walks through a basic threat model for a web application and<br />
uses this threat model as a framework for making good decisions when<br />
designing and building applications. The focus of the course is less on<br />
enumerating various types of vulnerabilities but rather on design and<br />
coding techniques that can be used to help create resilient applications.<br />
Some code examples in Java and .NET will be provided, but the techniques<br />
can be applied to any web application environment. [It would be beneficial<br />
to attend the earlier Threat Modeling session, but not required.]<br />
<br />
''Mini-Course 3''<br />
<br />
Title: Developing Secure Mobile Applications '''(3:00pm - 4:30pm)'''<br />
<br />
Abstract:<br />
<br />
Organizations of all sizes are rushing to provide their customers and<br />
employees with applications taking advantage of the power of mobile<br />
computing. As with many new technologies, these organizations often deploy<br />
applications first and come to realize the security implications of these<br />
new systems only post-deployment. This mini-course provides a<br />
developer-focused introduction to security for mobile applications. It<br />
walks through a basic threat model for a mobile application and uses this<br />
threat model as a framework for making good decisions when designing and<br />
building mobile application systems. Examples are provided for both iOS<br />
(iPhone and iPad) and Android platforms but the overall approach can be<br />
applied for all mobile applications. [It would be beneficial to attend the<br />
earlier Threat Modeling and Web Application sessions, but not required.]<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, September 25, 2012'''<br />
<br />
Topic: Dev/Ops, Continuous Deployment and APIs, Oh My! <br />
<br />
Presenter: Jarret Raim and Matt Tesauro<br />
<br />
Date: Tuesday, September 25, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
As the world of application development continues to change, the security community needs to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops and the traditional security processes just don’t work. Even if testing windows exist, they are too short for the traditional scanning or manual testing programs. Then, there’s the lack of viable tools to test API’s. What’s a security professional in charge of rolling out an SDLC supposed to do? This talk will cover methods of adapting traditional security practices into a test driven development (TDD) for security and provide practical advice on how to handle short development and promotion cycles with few or no testing windows. A demonstration of a new testing tool will also be part of the presentation.<br />
<br />
<br />
Presenter Bios:<br />
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace’s internal software teams as well as defined strategy for building secure systems on Rackspace’s OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant at Denim Group, Jarret has assessed and remediated applications in all industries and has experience width a wide variety of both development environments and the tools used to audit them. Jarret has recently taken charge of Rackspace's efforts to secure the Cloud through new product development, training and research. Jarret holds an M.S. in Computer Science from Lehigh University and a B.S. in Computer Science from Trinity University.<br />
<br />
Matt Tesauro has been involved in the Information Technology industry for more than 10 years. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 18, 2012'''<br />
<br />
Topic: Secure Coding Practices for 2012<br />
<br />
Presenter: Keith Turpin<br />
<br />
Date: Wednesday, April 18, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
Keith Turpin will present OWASP's "The Secure Coding Practices Quick Reference Guide." The guide is a technology agnostic set of software security coding practices, in a comprehensive checklist format, that can be integrated into the development life-cycle. At only 17 pages long, it is easy for development teams to read and use. The coding practices are mapped to functional requirements, so you can quickly locate the practices you need. It also provides a brief introduction to security principles and vocabulary to help developers and security folks get on the same page, but the focus is on requirements not vulnerabilities or exploits. This presentation will provide an overview of the guide and discuss some concepts about how to use it. Keith will cover the guide as well as the direction of the project for 2012, and alignment with integrating components of the guide with an organizations application security policy.<br />
<br />
<br />
Presenter Bio:<br />
Keith Turpin, CISSP, CSSLP, CRISC, leads Boeing’s enterprise application security assessment team. He previously served as the lead IT security advisor for all of Boeing’s international operations. <br />
<br />
Keith is a member of the (ISC)2 Application Security Advisory Board and has served as a U.S. delegate to the International Standards Organization's (ISO) sub-committee on cyber security. He is the project leader for the OWASP Secure Coding Practices Quick Reference Guide and is a member of the OWASP Global Projects Committee. He also spent four years as the Director of Communication for the Seattle chapter of the Information Systems Security Association. <br />
<br />
He is a frequent speaker at conferences, professional organizations and corporations on a variety of security topics and in his spare time he is the director of a nationally recognized intercollegiate engineering competition. <br />
<br />
Keith holds a BS in Mechanical Engineering and MS in Computer Systems.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, February 22, 2012'''<br />
<br />
Topic: Testing from the Cloud: Is the Sky Falling?<br />
<br />
Presenter: Matt Tesauro<br />
<br />
Date: Wednesday, February 22, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
Geekdom<br />
The Weston Centre<br />
112 East Pecan, 11th floor<br />
San Antonio TX 78205<br />
Map: http://www.geekdom.com/location/<br />
Check map for parking info.<br />
<br />
Abstract:<br />
More and more IT is being moved to the cloud, why shouldn't your testing move there too? This talk will cover what it takes to take your testing tools from your laptop to the cloud using new features of the OWASP Web Testing Environment (WTE). WTE allows you to create custom installations of application security tools in the cloud on demand. Has your IP been shunned? No problem, kill that cloud instance and startup another. Is your life as mobile as your phone? No problem, a laptop + Internet = access to all your favorite tools from anywhere. Multiple clients? No problem, start an an instance for each one. By the end of this talk, you'll know all you need to fire up an cloud instance with all of your favorite tools and start having fun.<br />
<br />
<br />
Presenter Bio:<br />
Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Rackspace, Matt was a security consultant for security firms such as Trustwave as well as running an internal application security effort. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.<br />
<br />
Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications.<br />
<br />
Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, November 16, 2011'''<br />
<br />
Topic: You're Bleeding Sensitive Data - Find it Before They Do<br />
<br />
Presenter: Steve Werby<br />
<br />
Date: Wednesday, November 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
With the proliferation of Internet accessible applications and files within organizations and the number of employees capable of making sensitive content available growing rapidly, knowing what sensitive information is accessible is increasingly difficult. And expensive DLP and scanning tools are not the only option. I will cover management strategies to reduce the risk, as well as demonstrate free and low-cost tools (FOCA, Shodan, Google Hacking Database and more) to discover sensitive data.<br />
<br />
<br />
Presenter Bio:<br />
Steve Werby is Chief Information Security Officer at the University of Texas at San Antonio, where he leads the university's 10-person Office of Information Security. He has also served as CISO for Virginia Commonwealth University and the Virginia Department of Corrections (where he gained a new appreciation for physical security). Prior to that, he operated an information security consultancy with an international client base consisting largely of ISPs, web hosting companies and online businesses. Steve has an engineering degree, an MBA and numerous certs, but he is prouder of the fact that he hasn't signed his name the same way twice since 2009.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, August 17, 2011'''<br />
<br />
Topic: Secure Development Lifecycle at Symantec<br />
<br />
Presenter: Edward Bonver<br />
<br />
Date: Wednesday, August 17, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Given complexities and diversity of development technologies and processes as well as the deployment environments, in combination with customer expectations, software development in modern world is an immense undertaking. Building security into a development lifecycle of a large software vendor could prove quite challenging. This presentation covers how security practices are being followed by various product teams across Symantec, including the related processes and guidelines from Symantec’s Product Security Team. <br />
<br />
<br />
Presenter Bio:<br />
A senior principal software engineer on the product security team at Symantec Corporation, Edward Bonver is responsible for working with software developers and quality assurance professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures, and tools for secure coding and security testing. Edward teaches secure coding and security testing classes for Symantec engineers and leads the company’s QA Security Task Force, which he founded. He is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP).<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Thursday, June 16, 2011'''<br />
<br />
Topic: Building a Secure Login<br />
<br />
Presenter: Ben Broussard<br />
<br />
Date: Thursday, June 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
This talk takes the standard, cookie-based login and authorization functionality through its paces. First I will walk through the requirements of common, single sign-on functionality. Then I will walk through attacks and their countermeasures including SQL injection and parameterized queries, session fixation and cookie cycling, session hijacking and about a dozen necessary countermeasures, and so on. The discussion will be programming language agnostic, instead focusing on the functional specifications.<br />
<br />
<br />
Presenter Bio:<br />
Ben Broussard has been involved in the Austin OWASP chapter since 2008, giving technical talks, serving on the LASCON board, the chapter board, and organizing a study group. Outside of OWASP he has worn the hats of mainframe and web application developer, cryptographer, pentester, and he recently launched his own application security business, Kedalion Security, LLC. On the side he does research into brains and AI, and is an avid 80's dancer.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 20, 2011'''<br />
<br />
Topic: Vulnerable Frameworks Yield Vulnerable Apps<br />
<br />
Presenter: Javier Castro<br />
<br />
Date: Wednesday, April 20, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive, San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Major software vendors such as VMware and SAP are getting significantly better at writing <br />
secure software, but all of this effort is lost when they forget to properly configure or secure <br />
the frameworks that their software is built upon. This talk gives an overview of several <br />
recently discovered vulnerabilities in the products of major software companies. In each <br />
case the flaw leads to a complete system compromise and was located in a framework that <br />
the product was built upon. We as software developers can learn from these cases and <br />
avoid similar scenarios.<br />
<br />
Bio: <br />
Javier Castro is a senior vulnerability researcher at Digital Defense, Inc. where he writes explicit vulnerability checks, develops proprietary exploits, and researches popular software deployments. As exciting as vulnerability exploitation is, Javier finds it more rewarding to find ways to develop a secure application in the first place.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br />
<br><br />
<br />
'''San Antonio OWASP Chapter: Wednesday, March 23, 2011''' <br />
<br />
Topic: Attack Aware Applications <br />
<br />
Presenter: Michael Coates <br />
<br />
Date: Wednesday, March 23, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Attack Aware Applications: Imagine being able to detect an attacker in your application while they are searching for vulnerability and then locking out their account before they can do any harm. The OWASP AppSensor project provides a strategy for enabling your applications to detect and respond to attackers in real time. More powerful then generic detection with a WAF, the AppSensor approach allows detection of targeted application attacks attempting to exploit all areas including: business logic, access control, session management, injection attacks and more. This presentation will discuss techniques for implementing such a system within your application using existing technologies or by leveraging ESAPI. <br />
<br />
Presenter Bio: Michael Coates has extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers worldwide. Michael holds a MS in Computer Security from DePaul University and a BS in Computer Science from the University of Illinois. <br />
<br />
Michael is the creator and leader of the AppSensor project and a contributor to the 2010 OWASP Top 10. He is a frequent speaker at international OWASP security conferences and has also spoken at the Chicago Thotcon conference and provided security training at BlackHat. <br />
<br />
As the web security lead at Mozilla, Michael protects web applications used by millions of users each day. <br />
<br />
<br> Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Wednesday, January 19, 2011''' <br />
<br />
Topic: Smart Phones with Dumb Apps <br />
<br />
Presenter: Dan Cornell <br />
<br />
Date: Wednesday, January 19, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 [http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229] <br />
<br />
<br> Abstract: Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android. Many of these applications are constructed without fully considering the associated security implications of their deployment. Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services. This talk discusses emerging threats associated with deploying smartphone applications and provides an overview of the threat modeling process. The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Tue, November 16, 2010''' <br />
<br />
Topic: OWASP Top 10: What is it all about? <br />
<br />
Presenter: Dean Bushmiller <br />
<br />
Date: Tuesday, November 16, 2010 <br />
<br />
Time: 12:00pm-1:00pm <br />
<br />
Location: Methodist Health System – System Office 8109 Fredericksburg Road San Antonio, TX 78229-3311 Women’s Center Classroom 1 http://maps.google.com/maps?f=q&amp;source=s_q&amp;hl=en&amp;geocode=&amp;q=8109+fredericksburd+rd,+78229&amp;sll=37.0625,-95.677068&amp;sspn=35.494074,72.070313&amp;ie=UTF8&amp;hq=&amp;hnear=8109+Fredericksburg+Rd,+San+Antonio,+Bexar,+Texas+78229&amp;z=16 <br />
<br />
<br> Abstract: Everyone knows exactly what the OWASP top ten security threats are, right? Well sort of... I ask people if they have heard of the top ten they say yes. I ask them to name a few they pause, then they blurt out 2-3. Then I ask them to explain those 2-3 and they look at me like a deer-in-the-headlights. I want to make sure that everyone who walks out of the presentation can clearly define the top ten and be able to communicate to another what each of the top ten vulnerabilities are. <br />
<br />
<br> Presenter Bio: Dean Bushmiller has taught for 12 years. He is the recipient of five Mission Coins from various military branches. He has led national certification organizations in development, policy, and educational materials for over 10 years. He has presented, consulted, and instructed government, education, military, and private organizations. Dean has worked for SANS, ISC2, and other security training organizations. He has bee the keynote speaker at information security conferences as well as state and local colleges. He is now Director of Training for Expanding Security. <br />
<br />
Feel free to bring a brown bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed August 18, 2010''' <br />
<br />
Topic: Which Web Programming Languages are Most Secure? <br />
<br />
Presenter: Jeremiah Grossman, Founder and CTO, WhiteHat Security <br />
<br />
Date: Wednesday, August 18, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Security-conscious organizations make implementing a software security development lifecycle a priority. As part of the process, they evaluate a large number of development technologies for building websites. The assumption by many is that not all development environments are created equal. So the question often asked is, “What is the most secure programming language or development framework available?” <br />
<br />
<br> Clearly, familiarity with a specific product, whether it is designed to be secure-by-default or must be configured properly, and whether various libraries are available, can drastically impact the outcome. Still, conventional wisdom suggests that most popular modern languages / frameworks (commercial &amp; open source) perform relatively similarly when it comes to an overall security posture. At least in theory, none is markedly or noticeably more secure than another. Suggesting PHP, Java, C# and others are any more secure than other frameworks is sure to spark heated debate. <br />
<br />
<br> As has been said in the past, “In theory, there is no difference between theory and practice. But, in practice, there is.” Until now, no website security study has provided empirical research measuring how various Web programming languages / frameworks actively perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that popular modern languages / frameworks yield similar results in production websites? <br />
<br />
<br> By analyzing the vulnerability assessment results of nearly 1,700 websites under WhiteHat Sentinel management, we may begin to answer some of these questions. These answers may enable the website security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas; software vendors may focus on areas found lacking; and, developers will increase their familiarity with the strength and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and be virtually transparent. Only then will application security progress be made. <br />
<br />
<br> Presenter Bio: Jeremiah Grossman founded WhiteHat Security in August 2001. <br />
<br />
<br> A world-renowned expert in Web security, Mr. Grossman is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007. <br />
<br />
<br> Mr. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense. <br />
<br />
<br> Mr. Grossman is frequently quoted in major media outlets such as USA Today, the Washington Post, The Financial Times, InformationWeek, InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, CNET, CSO and NBC news. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also provide his perspective of what’s to come. <br />
<br />
<br> Mr. Grossman was named a “friend of Google” and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information. <br />
<br />
<br> Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc. <br />
<br />
Pizza will be served. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Fri. August 13, 2010''' <br />
<br />
Topic: 1)How OWASP Works and Guided Tour of OWASP Projects / 2) Using the O2 Platform to Consume OWASP projects <br />
<br />
Presenter: Dinis Cruz <br />
<br />
Date: Friday, August 13, 2010, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: 1) How OWASP Works and Guided Tour of OWASP Projects - This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives should the local chapters be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology) <br />
<br />
2) Using the O2 Platform to Consume OWASP projects - This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM <br />
<br />
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest) , b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and c) engage on a two-way conversion on the best way to fix/remediate those vulnerabilities. <br />
<br />
<br> Presenter Bio: Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
<br> Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed July 21, 2010''' <br />
<br />
Topic: A Caching Technique (PHP Implementation) <br />
<br />
Presenter: Dan Ross, VP Engineering, PIC Business Systems <br />
<br />
Date: Wednesday July 19, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Reduce 304's and improve web application performance. A caching technique is demonstrated using PHP. Easy implementation as well as caching override are discussed. <br />
<br />
<br> Presenter Bio: Dan Ross has been VP Engineering for over 20 years at PIC Business Systems, which provides integrated business software for the several industries. He has led the design, development, and maintenance of many commercial web applications and programs. He has a BS in Industrial Engineering from St. Mary's University in San Antonio. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed June 16, 2010''' <br />
<br />
Topic: Securing Software Applications Using Dynamic Dataflow Analysis <br />
<br />
Presenter: Steve Cook, Senior Research Analyst, SwRI <br />
<br />
Date: Wednesday June 16, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: In this presentation, we present an ongoing research effort that ensures that a wide variety of user-defined security policies are enforced on executing C programs while keeping runtime overhead low and with little disruption to the development process by leveraging Dynamic Dataflow Analysis (DDFA). The DDFA system is built upon the Broadway static data flow analysis and error checking system, which is a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin). UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project. <br />
<br />
The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls. The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library. <br />
<br />
The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques. This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime. <br />
<br />
Disruption to the development process is minimized through the security policy specification. The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment. <br />
<br />
The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes. In the future, our system can be extended to handle multiple languages and complement new security solutions. <br />
<br />
Presenter Bio: Steve Cook is a senior research analyst in the System Security and High Reliability Software section at the SwRI. His background and expertise are in distributed and parallel computing, compilers, as well as object-oriented and generic programming. He received his master’s degree in computer science from Texas A&amp;M University. While at Texas A&amp;M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ Programming Language, where he helped develop a new approach to writing concurrent programs that allows programmers to quickly turn a sequential C++ program into a parallel one that is race and deadlock free. <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed May 19th, 2010''' <br />
<br />
Topic: The Open Software Assurance Maturity Model <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: Wednesday May 19th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. <br />
<br />
This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed March 17, 2010''' <br />
<br />
Topic: Protecting Your Applications: How to Secure Business Critical Applications from Time Bombs, Backdoors &amp; Data Exfiltration <br />
<br />
Presenter: Clint Pollock <br />
<br />
Date: Wednesday, March 17th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Sponsored by: VERACODE <br />
<br />
Abstract: With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams. In this session we will cover; · Prevalence of backdoors and malicious code in third party attacks · Definitions and classifications of backdoors and their impact on your applications · Methods to identify, track and remediate these vulnerabilities <br />
<br />
Presenter Bio: Clint Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint’s greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL. <br />
<br />
<br> FREE PIZZA will be provided, courtesy of our friends from Veracode. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''Meeting Schedule for 2010''' <br />
<br />
Dates are set - speakers and topics are firming up as well speak. All meetings are from 11:30am - 1:00pm at the San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229. <br />
<br />
Wednesday January 20th - OWASP LiveCD: An Open Environment for Web Application Security by Matt Tesauro <br />
<br />
Wednesday March 17th - TBD <br />
<br />
Wednesday May 19th - TBD <br />
<br />
Wednesday July 21st - TBD <br />
<br />
Wednesday September 15th - TBD <br />
<br />
Wednesday November 10th - TBD <br />
<br />
<br> '''San Antonio OWASP Chapter: Wed January 20th, 2010''' <br />
<br />
Topic: OWASP LiveCD: An Open Environment for Web Application Security Presenter: Matt Tesauro, OWASP Board Member, LiveCD Project Lead Date: Wednesday January 20th, 2010 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users’ web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project <br />
<br />
Presenter Bio: Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&amp;M University. Currently, he's focused on implementing a comprehensive web application security program for the Texas Education Agency (TEA). Outside work, he is a member of the OWASP Foundation's Board of Directors, the project lead for the OWASP Live CD, a member of the OWASP Global Projects Committee, assists the OWASP Austin chapters leadership and a member of ISSA of Austin, Texas. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&amp;M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
Recent Meetings: <br />
<br />
<br> '''San Antonio OWASP Chapter: October 21, 2009''' <br />
<br />
Topic: Rolling Out an Enterprise Source Code Review Program <br />
<br />
Presenter: Dan Cornell, Principal at Denim Group Date: October 21, 2009 11:30 a.m. – 1:00 p.m. <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects. However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed. This talk will present lessons learned from the creation of several enterprise source code review programs, including: identifying all sources of custom code in an organization including custom extensions to ERP systems and enterprise portals, selecting the first round of applications to scan and successfully interpreting results and driving resolution to identified issues. <br />
<br />
<br> Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> '''San Antonio OWASP Chapter: August 19, 2009''' <br />
<br />
Topic: Web Application Firewalls (WAFs) <br />
<br />
Presenter: Matt Burriola &amp; Mario Flores, Randolph-Brooks Federal Credit Union Date: August 19, 2009 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Web Application Firewalls Web application firewalls (WAFs) have gained considerable momentum as web vulnerabilities have grown. WAFs now have a proven record of reducing exposures to web vulnerabilities by blocking malicious activity much like a typical firewall. While WAFs help, it does take time to consider when a WAF is appropriate. It also takes time to evaluate and implement the WAF as well. Come listen to reasons why Randolph-Brooks Federal Credit Union chose a WAF and what they learned in the process. <br />
<br />
Presenter Bio: Matt is a Senior Developer on the RBFCU Web Team, but mainly serves the roles of Configuration Management lead and Systems Admin for the team. Matt maintains the source control repository, application build and release processes, and QA server environments. Matt also works on web infrastructure initiatives such as Web Application Firewall. Matt has 10 years IT industry experience, including Java/web technologies, C, C++, Unix/Linux, shell scripting, and Symbol mobile handheld programming. Matt has a degree in Management Information Systems from Texas A&amp;M University-Corpus Christi. <br />
<br />
Mario is currently the Web Development manager for RBFCU. In this current role, Mario manages the development efforts for the online banking site and the intranet. Mario also has a solid background in web security and has addressed issues with web application penetration assessments. Mario has worked for RBFCU for 14 years and he has a degree in Information Systems from Texas Lutheran University. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: June 17, 2009'''' Topic: What is Cross Site Scripting And Why Is It bad? Date: June 17, 2009 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The presentation will cover background information on cross-site scripting (XSS) attacks as well as real world examples of what can happen when this type of vulnerability is present and the different ways that it can be exploited. The presentation will also include language agnostic ways to mitigate this sort of risk and how developers and security professionals can identify these risks. <br />
<br />
Presenter Bio: David is currently a Security Architect for Rackspace IT Hosting. In this current role, David is responsible for designing and implementing network security solutions, as well as software development in support of automation. In previous roles he was a software developer on various projects written in a mix of PHP, Python, Perl, Ruby, c#, and asp.net. Prior to Rackspace, David worked for Digital Defense and he holds a B.B.A. in Information Systems from the University of Texas San Antonio. He also has an extensive background in application security and is actively researching botnet mitigation techniques. Certifications held include CISSP, RHCE, and CCNA. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: January 2009 Meeting''' <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group Date: January 29, 2009 11:30am – 1:00pm <br />
<br />
Location: <br />
<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract:Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> <br />
<br />
----<br />
<br />
'''Previous News''' <br />
The slide deck from OWASP San Antonio July 2013 meeting is available online here: https://owasp.org/index.php/File:Secrets-as-a-Service.pdf<br />
<br />
The slide deck from OWASP San Antonio February 2012 meeting is available online here: https://www.owasp.org/images/b/b0/WTE-Cloud-San_Antonio-2012-02.pdf<br />
<br />
The slide deck from OWASP San Antonio June 2011 meeting is available online here: https://www.owasp.org/images/2/21/How_to_Build_a_Secure_Login_BenBroussard_June2011.pdf<br />
<br />
The slide deck from OWASP San Antonio April 2011 meeting is available online here: https://www.owasp.org/images/0/05/Vulnerable_frameworks_yield_vulnerable_apps.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2011 meeting is available online here: http://www.owasp.org/images/c/cb/MichaelCoates-AppSensor.pdf <br />
<br />
The slide deck from OWASP San Antonio August 2010 meeting available online here: http://www.owasp.org/images/0/0e/OWASP_San_Antonio_0818.pdf.pdf http://www.owasp.org/images/5/5a/WPstats_spring10_9th.pdf <br />
<br />
The slide deck from OWASP San Antonio June 2010 meeting available online here: http://www.owasp.org/images/2/24/OWASPSanAntonio06162010_DDFA_PresentationFinal.pdf <br />
<br />
The slide deck from OWASP San Antonio May 2010 meeting available online here: http://www.owasp.org/images/b/b9/OpenSAMM10_OWASPSanAntonio_20100519.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2010 meeting available online here: http://www.owasp.org/index.php?title=File:Protecting_the_Enterprise_-_Software_Backdoors.pptx&amp;oldid=80140#filelinks <br />
<br />
The slide deck from OWASP San Antonio January 2010 meeting available online here: http://www.owasp.org/index.php/File:San_Antonio_Chapter-OWASP_WTE_Jan-2010.pdf#filelinks <br />
<br />
The slide deck from OWASP San Antonio October 2008 meeting available online here: http://www.owasp.org/index.php/San_Antonio <br />
<br />
The slide deck from OWASP San Antonio September 2007 meeting available online here: [[Image:Fortify-bjenkins-AppSecStrategy-20070906.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio March 2007 meeting will be available online shortly <br />
<br />
The slide deck from OWASP San Antonio September 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 09 AgileAndSecure.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio August 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 08 SingleSignOn.ppt]]. <br />
<br />
The slide deck from OWASP San Antonio June 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 06 Crypto Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio May 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 05 ForcefulBrowsing Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio September 2004 meeting available online here: [[Image:OWASPSanAntonio 20040922.pdf]]. <br />
<br />
[[Category:Texas]]</div>Dancornellhttps://wiki.owasp.org/index.php?title=San_Antonio&diff=155373San Antonio2013-07-11T16:14:47Z<p>Dancornell: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=San Antonio|extra=The chapter leader is [mailto:dan@denimgroup.com Dan Cornell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanantonio|emailarchives=http://lists.owasp.org/pipermail/owasp-sanantonio}} <br />
<br />
== Local News ==<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, July 10th, 2013'''<br />
<br />
Topic: Cloud Keep: Protect Your Secrets at Scale<br />
<br />
Presenters: Jarret Raim and Matt Tesauro<br />
<br />
Date: Wednesday, July 10, 2013<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
<br />
One saying in the software security world has rung true for longer than any other encryption is easy, key management is hard. Unfortunately, the tools we have for properly generating, storing, using and protecting keys are sorely lacking. This presentation will present a "key management as a service" architecture that allows for rapid scaling, Cloud use cases while achieving high security, auditability and compliance using open source technologies.<br />
<br />
Presenter Bios:<br />
<br />
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace’s internal software teams as well as defined strategy for building secure systems on Rackspace’s OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant for Denim Group, Jarret has assessed and remediated applications in all industries and has experience width a wide variety of both development environments and the tools used to audit them. Jarret has recently taken charge of Rackspace's efforts to secure the Cloud through new product development, training and research. Jarret holds a Masters in Computer Science from Lehigh University and Bachelors in Computer Science from Trinity University.<br />
<br />
Matt has been involved in the information technology and application development for more than 10 years. He is currently the Product Security Engineering lead at Rackspace. Prior to joining Rackspace, Matt spent time as a application security consultant and spent several years as the “appsec guy” at a government agency. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven.<br />
<br />
He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, Agile Austin, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt is currently active with the OpenStack Security Group (OSSG) and a fomer board member of the OWASP Foundation. He is highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP OpenStack Security project - a project to bring the OpenStack and OWASP communities together.<br />
<br />
He has also run the OWASP WTE (Web Testing Environment) since 2008 which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications - all running on Linux (of course). Industry designations include the RHCE, Linux+, Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, June 5th, 2013'''<br />
<br />
Topic: Be Mean to Your Code Using Gauntlt [Slides http://www.slideshare.net/wickett/be-mean-to-your-code-owasp-san-antonio]<br />
<br />
Presenter: James Wickett<br />
<br />
Date: Wednesday, June 5, 2013<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
<br />
"Be Mean to Your Code” is the core concept behind the ruggedization framework called Gauntlt (http://gauntlt.org) which brings the benefits of Behaviour Driven Development to the realms of automated security testing, application hardening and ruggedization. Security testing is often done at a cadence set by the audit team and is often obscured from the development and operations teams. This isn't good and this creates an adversarial relationship between security, dev and ops.<br />
<br />
Gauntlt helps security, ops, and development teams work together. Gauntlt is meant to be used by security experts with interest in automation as well as developers with interest in security. It can be used to deliver the results of a security audit or penetration test via failing Gauntlt attacks (tests) which can in turn be added to automated test suites. Developers know they have resolved a particular vulnerability when Gauntlt no longer reports a failure. Gauntlt can also be used in regression tests to detect when a previously resolved vulnerability has been re-introduced.<br />
<br />
Traditional approaches to web security can be less effective in cloud environments, due to the highly dynamic nature of cloud infrastructure. Fortunately, infrastructure-driven, continuous testing can overcome many of these challenges. Netflix uses Gauntlt to continuously validate that the security configuration of its cloud deployment and applications remains as expected, even with a rapid rate of change and high degree of self-service.<br />
<br />
One of the core contributors of the Gauntlt project, James Wickett will talk about the history of the project, the current features, examples of how to use Gauntlt and the future roadmap of Gauntlt. As part of this talk we will do a demo where we will walk through getting started using pre-built Gauntlt attacks and then move to writing our own Gauntlt attacks. Come find out how to "Be Mean to Your Code" and ruggedize your next project.<br />
<br />
Gauntlt is an open source ruggedization framework using cucumber and written in ruby. It has been developed in collaboration with the security engineering teams at Netflix and Twitter. Gauntlt is MIT Licensed and hosted on github at http://github.com/gauntlt/gauntlt.<br />
<br />
Presenter Bio:<br />
<br />
http://about.me/wickett<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400 and mention that you are coming to the OWASP San Antonio meeting.<br />
<br />
<br />
<br />
'''OWASP Developer Security Training at BSides San Antonio: Saturday May 4th, 2013'''<br />
<br />
Attend BSides San Antonio for three mini-courses for developers wanting to learn about security.<br />
<br />
To register: <br />
<br />
https://bsidessatx.eventbrite.com/<br />
<br />
The event is sold out - looking forward to seeing everyone there on Saturday.<br />
<br />
Each mini-course will be around 1.5 hours in length. Attendees will also have full access to the rest of the BSides San Antonio event.<br />
<br />
Main BSides San Antonio site:<br />
<br />
http://bsidestexas.blogspot.com/p/san-antonio-april-2013.html<br />
<br />
''Mini-Course 1''<br />
<br />
Title: Threat Modeling for Developers '''(10:30am - Noon)'''<br />
<br />
Abstract:<br />
<br />
Threat modeling is a valuable technique for identifying potential security<br />
issues in complex applications but many development teams have been slow<br />
to adopt it because of a perception that it can only be done by security<br />
specialists as well as a lack of guidance on how to get the most out of<br />
the activity. This mini-course walks through the process of Threat<br />
modeling from the perspective of a developer trying to identify issues<br />
early in the development process so that problems can be avoided and<br />
controls can be put in place with a minimum level of effort. The materials<br />
include discussion of where threat modeling is best done during the<br />
development lifecycle as well as the process of creating and refining a<br />
threat model. This is an interactive experience, with participants working<br />
together to walk through the threat modeling process.<br />
<br />
''Mini-Course 2''<br />
<br />
Title: Developing Secure Web Applications '''(1:00pm - 2:30pm)'''<br />
<br />
Abstract:<br />
<br />
Web applications are a convenient entry point for attackers because they<br />
are often publicly-available and many are built without a focus on<br />
security. This mini-course provides a developer-focused introduction to<br />
building web applications designed to operate in the face of malicious<br />
attackers. It walks through a basic threat model for a web application and<br />
uses this threat model as a framework for making good decisions when<br />
designing and building applications. The focus of the course is less on<br />
enumerating various types of vulnerabilities but rather on design and<br />
coding techniques that can be used to help create resilient applications.<br />
Some code examples in Java and .NET will be provided, but the techniques<br />
can be applied to any web application environment. [It would be beneficial<br />
to attend the earlier Threat Modeling session, but not required.]<br />
<br />
''Mini-Course 3''<br />
<br />
Title: Developing Secure Mobile Applications '''(3:00pm - 4:30pm)'''<br />
<br />
Abstract:<br />
<br />
Organizations of all sizes are rushing to provide their customers and<br />
employees with applications taking advantage of the power of mobile<br />
computing. As with many new technologies, these organizations often deploy<br />
applications first and come to realize the security implications of these<br />
new systems only post-deployment. This mini-course provides a<br />
developer-focused introduction to security for mobile applications. It<br />
walks through a basic threat model for a mobile application and uses this<br />
threat model as a framework for making good decisions when designing and<br />
building mobile application systems. Examples are provided for both iOS<br />
(iPhone and iPad) and Android platforms but the overall approach can be<br />
applied for all mobile applications. [It would be beneficial to attend the<br />
earlier Threat Modeling and Web Application sessions, but not required.]<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, September 25, 2012'''<br />
<br />
Topic: Dev/Ops, Continuous Deployment and APIs, Oh My! <br />
<br />
Presenter: Jarret Raim and Matt Tesauro<br />
<br />
Date: Tuesday, September 25, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
As the world of application development continues to change, the security community needs to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops and the traditional security processes just don’t work. Even if testing windows exist, they are too short for the traditional scanning or manual testing programs. Then, there’s the lack of viable tools to test API’s. What’s a security professional in charge of rolling out an SDLC supposed to do? This talk will cover methods of adapting traditional security practices into a test driven development (TDD) for security and provide practical advice on how to handle short development and promotion cycles with few or no testing windows. A demonstration of a new testing tool will also be part of the presentation.<br />
<br />
<br />
Presenter Bios:<br />
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace’s internal software teams as well as defined strategy for building secure systems on Rackspace’s OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant at Denim Group, Jarret has assessed and remediated applications in all industries and has experience width a wide variety of both development environments and the tools used to audit them. Jarret has recently taken charge of Rackspace's efforts to secure the Cloud through new product development, training and research. Jarret holds an M.S. in Computer Science from Lehigh University and a B.S. in Computer Science from Trinity University.<br />
<br />
Matt Tesauro has been involved in the Information Technology industry for more than 10 years. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 18, 2012'''<br />
<br />
Topic: Secure Coding Practices for 2012<br />
<br />
Presenter: Keith Turpin<br />
<br />
Date: Wednesday, April 18, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
Keith Turpin will present OWASP's "The Secure Coding Practices Quick Reference Guide." The guide is a technology agnostic set of software security coding practices, in a comprehensive checklist format, that can be integrated into the development life-cycle. At only 17 pages long, it is easy for development teams to read and use. The coding practices are mapped to functional requirements, so you can quickly locate the practices you need. It also provides a brief introduction to security principles and vocabulary to help developers and security folks get on the same page, but the focus is on requirements not vulnerabilities or exploits. This presentation will provide an overview of the guide and discuss some concepts about how to use it. Keith will cover the guide as well as the direction of the project for 2012, and alignment with integrating components of the guide with an organizations application security policy.<br />
<br />
<br />
Presenter Bio:<br />
Keith Turpin, CISSP, CSSLP, CRISC, leads Boeing’s enterprise application security assessment team. He previously served as the lead IT security advisor for all of Boeing’s international operations. <br />
<br />
Keith is a member of the (ISC)2 Application Security Advisory Board and has served as a U.S. delegate to the International Standards Organization's (ISO) sub-committee on cyber security. He is the project leader for the OWASP Secure Coding Practices Quick Reference Guide and is a member of the OWASP Global Projects Committee. He also spent four years as the Director of Communication for the Seattle chapter of the Information Systems Security Association. <br />
<br />
He is a frequent speaker at conferences, professional organizations and corporations on a variety of security topics and in his spare time he is the director of a nationally recognized intercollegiate engineering competition. <br />
<br />
Keith holds a BS in Mechanical Engineering and MS in Computer Systems.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, February 22, 2012'''<br />
<br />
Topic: Testing from the Cloud: Is the Sky Falling?<br />
<br />
Presenter: Matt Tesauro<br />
<br />
Date: Wednesday, February 22, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
Geekdom<br />
The Weston Centre<br />
112 East Pecan, 11th floor<br />
San Antonio TX 78205<br />
Map: http://www.geekdom.com/location/<br />
Check map for parking info.<br />
<br />
Abstract:<br />
More and more IT is being moved to the cloud, why shouldn't your testing move there too? This talk will cover what it takes to take your testing tools from your laptop to the cloud using new features of the OWASP Web Testing Environment (WTE). WTE allows you to create custom installations of application security tools in the cloud on demand. Has your IP been shunned? No problem, kill that cloud instance and startup another. Is your life as mobile as your phone? No problem, a laptop + Internet = access to all your favorite tools from anywhere. Multiple clients? No problem, start an an instance for each one. By the end of this talk, you'll know all you need to fire up an cloud instance with all of your favorite tools and start having fun.<br />
<br />
<br />
Presenter Bio:<br />
Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Rackspace, Matt was a security consultant for security firms such as Trustwave as well as running an internal application security effort. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.<br />
<br />
Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications.<br />
<br />
Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, November 16, 2011'''<br />
<br />
Topic: You're Bleeding Sensitive Data - Find it Before They Do<br />
<br />
Presenter: Steve Werby<br />
<br />
Date: Wednesday, November 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
With the proliferation of Internet accessible applications and files within organizations and the number of employees capable of making sensitive content available growing rapidly, knowing what sensitive information is accessible is increasingly difficult. And expensive DLP and scanning tools are not the only option. I will cover management strategies to reduce the risk, as well as demonstrate free and low-cost tools (FOCA, Shodan, Google Hacking Database and more) to discover sensitive data.<br />
<br />
<br />
Presenter Bio:<br />
Steve Werby is Chief Information Security Officer at the University of Texas at San Antonio, where he leads the university's 10-person Office of Information Security. He has also served as CISO for Virginia Commonwealth University and the Virginia Department of Corrections (where he gained a new appreciation for physical security). Prior to that, he operated an information security consultancy with an international client base consisting largely of ISPs, web hosting companies and online businesses. Steve has an engineering degree, an MBA and numerous certs, but he is prouder of the fact that he hasn't signed his name the same way twice since 2009.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, August 17, 2011'''<br />
<br />
Topic: Secure Development Lifecycle at Symantec<br />
<br />
Presenter: Edward Bonver<br />
<br />
Date: Wednesday, August 17, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Given complexities and diversity of development technologies and processes as well as the deployment environments, in combination with customer expectations, software development in modern world is an immense undertaking. Building security into a development lifecycle of a large software vendor could prove quite challenging. This presentation covers how security practices are being followed by various product teams across Symantec, including the related processes and guidelines from Symantec’s Product Security Team. <br />
<br />
<br />
Presenter Bio:<br />
A senior principal software engineer on the product security team at Symantec Corporation, Edward Bonver is responsible for working with software developers and quality assurance professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures, and tools for secure coding and security testing. Edward teaches secure coding and security testing classes for Symantec engineers and leads the company’s QA Security Task Force, which he founded. He is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP).<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Thursday, June 16, 2011'''<br />
<br />
Topic: Building a Secure Login<br />
<br />
Presenter: Ben Broussard<br />
<br />
Date: Thursday, June 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
This talk takes the standard, cookie-based login and authorization functionality through its paces. First I will walk through the requirements of common, single sign-on functionality. Then I will walk through attacks and their countermeasures including SQL injection and parameterized queries, session fixation and cookie cycling, session hijacking and about a dozen necessary countermeasures, and so on. The discussion will be programming language agnostic, instead focusing on the functional specifications.<br />
<br />
<br />
Presenter Bio:<br />
Ben Broussard has been involved in the Austin OWASP chapter since 2008, giving technical talks, serving on the LASCON board, the chapter board, and organizing a study group. Outside of OWASP he has worn the hats of mainframe and web application developer, cryptographer, pentester, and he recently launched his own application security business, Kedalion Security, LLC. On the side he does research into brains and AI, and is an avid 80's dancer.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 20, 2011'''<br />
<br />
Topic: Vulnerable Frameworks Yield Vulnerable Apps<br />
<br />
Presenter: Javier Castro<br />
<br />
Date: Wednesday, April 20, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive, San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Major software vendors such as VMware and SAP are getting significantly better at writing <br />
secure software, but all of this effort is lost when they forget to properly configure or secure <br />
the frameworks that their software is built upon. This talk gives an overview of several <br />
recently discovered vulnerabilities in the products of major software companies. In each <br />
case the flaw leads to a complete system compromise and was located in a framework that <br />
the product was built upon. We as software developers can learn from these cases and <br />
avoid similar scenarios.<br />
<br />
Bio: <br />
Javier Castro is a senior vulnerability researcher at Digital Defense, Inc. where he writes explicit vulnerability checks, develops proprietary exploits, and researches popular software deployments. As exciting as vulnerability exploitation is, Javier finds it more rewarding to find ways to develop a secure application in the first place.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br />
<br><br />
<br />
'''San Antonio OWASP Chapter: Wednesday, March 23, 2011''' <br />
<br />
Topic: Attack Aware Applications <br />
<br />
Presenter: Michael Coates <br />
<br />
Date: Wednesday, March 23, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Attack Aware Applications: Imagine being able to detect an attacker in your application while they are searching for vulnerability and then locking out their account before they can do any harm. The OWASP AppSensor project provides a strategy for enabling your applications to detect and respond to attackers in real time. More powerful then generic detection with a WAF, the AppSensor approach allows detection of targeted application attacks attempting to exploit all areas including: business logic, access control, session management, injection attacks and more. This presentation will discuss techniques for implementing such a system within your application using existing technologies or by leveraging ESAPI. <br />
<br />
Presenter Bio: Michael Coates has extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers worldwide. Michael holds a MS in Computer Security from DePaul University and a BS in Computer Science from the University of Illinois. <br />
<br />
Michael is the creator and leader of the AppSensor project and a contributor to the 2010 OWASP Top 10. He is a frequent speaker at international OWASP security conferences and has also spoken at the Chicago Thotcon conference and provided security training at BlackHat. <br />
<br />
As the web security lead at Mozilla, Michael protects web applications used by millions of users each day. <br />
<br />
<br> Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Wednesday, January 19, 2011''' <br />
<br />
Topic: Smart Phones with Dumb Apps <br />
<br />
Presenter: Dan Cornell <br />
<br />
Date: Wednesday, January 19, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 [http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229] <br />
<br />
<br> Abstract: Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android. Many of these applications are constructed without fully considering the associated security implications of their deployment. Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services. This talk discusses emerging threats associated with deploying smartphone applications and provides an overview of the threat modeling process. The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Tue, November 16, 2010''' <br />
<br />
Topic: OWASP Top 10: What is it all about? <br />
<br />
Presenter: Dean Bushmiller <br />
<br />
Date: Tuesday, November 16, 2010 <br />
<br />
Time: 12:00pm-1:00pm <br />
<br />
Location: Methodist Health System – System Office 8109 Fredericksburg Road San Antonio, TX 78229-3311 Women’s Center Classroom 1 http://maps.google.com/maps?f=q&amp;source=s_q&amp;hl=en&amp;geocode=&amp;q=8109+fredericksburd+rd,+78229&amp;sll=37.0625,-95.677068&amp;sspn=35.494074,72.070313&amp;ie=UTF8&amp;hq=&amp;hnear=8109+Fredericksburg+Rd,+San+Antonio,+Bexar,+Texas+78229&amp;z=16 <br />
<br />
<br> Abstract: Everyone knows exactly what the OWASP top ten security threats are, right? Well sort of... I ask people if they have heard of the top ten they say yes. I ask them to name a few they pause, then they blurt out 2-3. Then I ask them to explain those 2-3 and they look at me like a deer-in-the-headlights. I want to make sure that everyone who walks out of the presentation can clearly define the top ten and be able to communicate to another what each of the top ten vulnerabilities are. <br />
<br />
<br> Presenter Bio: Dean Bushmiller has taught for 12 years. He is the recipient of five Mission Coins from various military branches. He has led national certification organizations in development, policy, and educational materials for over 10 years. He has presented, consulted, and instructed government, education, military, and private organizations. Dean has worked for SANS, ISC2, and other security training organizations. He has bee the keynote speaker at information security conferences as well as state and local colleges. He is now Director of Training for Expanding Security. <br />
<br />
Feel free to bring a brown bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed August 18, 2010''' <br />
<br />
Topic: Which Web Programming Languages are Most Secure? <br />
<br />
Presenter: Jeremiah Grossman, Founder and CTO, WhiteHat Security <br />
<br />
Date: Wednesday, August 18, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Security-conscious organizations make implementing a software security development lifecycle a priority. As part of the process, they evaluate a large number of development technologies for building websites. The assumption by many is that not all development environments are created equal. So the question often asked is, “What is the most secure programming language or development framework available?” <br />
<br />
<br> Clearly, familiarity with a specific product, whether it is designed to be secure-by-default or must be configured properly, and whether various libraries are available, can drastically impact the outcome. Still, conventional wisdom suggests that most popular modern languages / frameworks (commercial &amp; open source) perform relatively similarly when it comes to an overall security posture. At least in theory, none is markedly or noticeably more secure than another. Suggesting PHP, Java, C# and others are any more secure than other frameworks is sure to spark heated debate. <br />
<br />
<br> As has been said in the past, “In theory, there is no difference between theory and practice. But, in practice, there is.” Until now, no website security study has provided empirical research measuring how various Web programming languages / frameworks actively perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that popular modern languages / frameworks yield similar results in production websites? <br />
<br />
<br> By analyzing the vulnerability assessment results of nearly 1,700 websites under WhiteHat Sentinel management, we may begin to answer some of these questions. These answers may enable the website security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas; software vendors may focus on areas found lacking; and, developers will increase their familiarity with the strength and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and be virtually transparent. Only then will application security progress be made. <br />
<br />
<br> Presenter Bio: Jeremiah Grossman founded WhiteHat Security in August 2001. <br />
<br />
<br> A world-renowned expert in Web security, Mr. Grossman is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007. <br />
<br />
<br> Mr. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense. <br />
<br />
<br> Mr. Grossman is frequently quoted in major media outlets such as USA Today, the Washington Post, The Financial Times, InformationWeek, InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, CNET, CSO and NBC news. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also provide his perspective of what’s to come. <br />
<br />
<br> Mr. Grossman was named a “friend of Google” and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information. <br />
<br />
<br> Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc. <br />
<br />
Pizza will be served. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Fri. August 13, 2010''' <br />
<br />
Topic: 1)How OWASP Works and Guided Tour of OWASP Projects / 2) Using the O2 Platform to Consume OWASP projects <br />
<br />
Presenter: Dinis Cruz <br />
<br />
Date: Friday, August 13, 2010, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: 1) How OWASP Works and Guided Tour of OWASP Projects - This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives should the local chapters be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology) <br />
<br />
2) Using the O2 Platform to Consume OWASP projects - This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM <br />
<br />
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest) , b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and c) engage on a two-way conversion on the best way to fix/remediate those vulnerabilities. <br />
<br />
<br> Presenter Bio: Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
<br> Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed July 21, 2010''' <br />
<br />
Topic: A Caching Technique (PHP Implementation) <br />
<br />
Presenter: Dan Ross, VP Engineering, PIC Business Systems <br />
<br />
Date: Wednesday July 19, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Reduce 304's and improve web application performance. A caching technique is demonstrated using PHP. Easy implementation as well as caching override are discussed. <br />
<br />
<br> Presenter Bio: Dan Ross has been VP Engineering for over 20 years at PIC Business Systems, which provides integrated business software for the several industries. He has led the design, development, and maintenance of many commercial web applications and programs. He has a BS in Industrial Engineering from St. Mary's University in San Antonio. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed June 16, 2010''' <br />
<br />
Topic: Securing Software Applications Using Dynamic Dataflow Analysis <br />
<br />
Presenter: Steve Cook, Senior Research Analyst, SwRI <br />
<br />
Date: Wednesday June 16, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: In this presentation, we present an ongoing research effort that ensures that a wide variety of user-defined security policies are enforced on executing C programs while keeping runtime overhead low and with little disruption to the development process by leveraging Dynamic Dataflow Analysis (DDFA). The DDFA system is built upon the Broadway static data flow analysis and error checking system, which is a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin). UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project. <br />
<br />
The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls. The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library. <br />
<br />
The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques. This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime. <br />
<br />
Disruption to the development process is minimized through the security policy specification. The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment. <br />
<br />
The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes. In the future, our system can be extended to handle multiple languages and complement new security solutions. <br />
<br />
Presenter Bio: Steve Cook is a senior research analyst in the System Security and High Reliability Software section at the SwRI. His background and expertise are in distributed and parallel computing, compilers, as well as object-oriented and generic programming. He received his master’s degree in computer science from Texas A&amp;M University. While at Texas A&amp;M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ Programming Language, where he helped develop a new approach to writing concurrent programs that allows programmers to quickly turn a sequential C++ program into a parallel one that is race and deadlock free. <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed May 19th, 2010''' <br />
<br />
Topic: The Open Software Assurance Maturity Model <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: Wednesday May 19th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. <br />
<br />
This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed March 17, 2010''' <br />
<br />
Topic: Protecting Your Applications: How to Secure Business Critical Applications from Time Bombs, Backdoors &amp; Data Exfiltration <br />
<br />
Presenter: Clint Pollock <br />
<br />
Date: Wednesday, March 17th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Sponsored by: VERACODE <br />
<br />
Abstract: With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams. In this session we will cover; · Prevalence of backdoors and malicious code in third party attacks · Definitions and classifications of backdoors and their impact on your applications · Methods to identify, track and remediate these vulnerabilities <br />
<br />
Presenter Bio: Clint Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint’s greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL. <br />
<br />
<br> FREE PIZZA will be provided, courtesy of our friends from Veracode. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''Meeting Schedule for 2010''' <br />
<br />
Dates are set - speakers and topics are firming up as well speak. All meetings are from 11:30am - 1:00pm at the San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229. <br />
<br />
Wednesday January 20th - OWASP LiveCD: An Open Environment for Web Application Security by Matt Tesauro <br />
<br />
Wednesday March 17th - TBD <br />
<br />
Wednesday May 19th - TBD <br />
<br />
Wednesday July 21st - TBD <br />
<br />
Wednesday September 15th - TBD <br />
<br />
Wednesday November 10th - TBD <br />
<br />
<br> '''San Antonio OWASP Chapter: Wed January 20th, 2010''' <br />
<br />
Topic: OWASP LiveCD: An Open Environment for Web Application Security Presenter: Matt Tesauro, OWASP Board Member, LiveCD Project Lead Date: Wednesday January 20th, 2010 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users’ web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project <br />
<br />
Presenter Bio: Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&amp;M University. Currently, he's focused on implementing a comprehensive web application security program for the Texas Education Agency (TEA). Outside work, he is a member of the OWASP Foundation's Board of Directors, the project lead for the OWASP Live CD, a member of the OWASP Global Projects Committee, assists the OWASP Austin chapters leadership and a member of ISSA of Austin, Texas. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&amp;M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
Recent Meetings: <br />
<br />
<br> '''San Antonio OWASP Chapter: October 21, 2009''' <br />
<br />
Topic: Rolling Out an Enterprise Source Code Review Program <br />
<br />
Presenter: Dan Cornell, Principal at Denim Group Date: October 21, 2009 11:30 a.m. – 1:00 p.m. <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects. However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed. This talk will present lessons learned from the creation of several enterprise source code review programs, including: identifying all sources of custom code in an organization including custom extensions to ERP systems and enterprise portals, selecting the first round of applications to scan and successfully interpreting results and driving resolution to identified issues. <br />
<br />
<br> Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> '''San Antonio OWASP Chapter: August 19, 2009''' <br />
<br />
Topic: Web Application Firewalls (WAFs) <br />
<br />
Presenter: Matt Burriola &amp; Mario Flores, Randolph-Brooks Federal Credit Union Date: August 19, 2009 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Web Application Firewalls Web application firewalls (WAFs) have gained considerable momentum as web vulnerabilities have grown. WAFs now have a proven record of reducing exposures to web vulnerabilities by blocking malicious activity much like a typical firewall. While WAFs help, it does take time to consider when a WAF is appropriate. It also takes time to evaluate and implement the WAF as well. Come listen to reasons why Randolph-Brooks Federal Credit Union chose a WAF and what they learned in the process. <br />
<br />
Presenter Bio: Matt is a Senior Developer on the RBFCU Web Team, but mainly serves the roles of Configuration Management lead and Systems Admin for the team. Matt maintains the source control repository, application build and release processes, and QA server environments. Matt also works on web infrastructure initiatives such as Web Application Firewall. Matt has 10 years IT industry experience, including Java/web technologies, C, C++, Unix/Linux, shell scripting, and Symbol mobile handheld programming. Matt has a degree in Management Information Systems from Texas A&amp;M University-Corpus Christi. <br />
<br />
Mario is currently the Web Development manager for RBFCU. In this current role, Mario manages the development efforts for the online banking site and the intranet. Mario also has a solid background in web security and has addressed issues with web application penetration assessments. Mario has worked for RBFCU for 14 years and he has a degree in Information Systems from Texas Lutheran University. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: June 17, 2009'''' Topic: What is Cross Site Scripting And Why Is It bad? Date: June 17, 2009 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The presentation will cover background information on cross-site scripting (XSS) attacks as well as real world examples of what can happen when this type of vulnerability is present and the different ways that it can be exploited. The presentation will also include language agnostic ways to mitigate this sort of risk and how developers and security professionals can identify these risks. <br />
<br />
Presenter Bio: David is currently a Security Architect for Rackspace IT Hosting. In this current role, David is responsible for designing and implementing network security solutions, as well as software development in support of automation. In previous roles he was a software developer on various projects written in a mix of PHP, Python, Perl, Ruby, c#, and asp.net. Prior to Rackspace, David worked for Digital Defense and he holds a B.B.A. in Information Systems from the University of Texas San Antonio. He also has an extensive background in application security and is actively researching botnet mitigation techniques. Certifications held include CISSP, RHCE, and CCNA. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: January 2009 Meeting''' <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group Date: January 29, 2009 11:30am – 1:00pm <br />
<br />
Location: <br />
<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract:Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> <br />
<br />
----<br />
<br />
'''Previous News''' <br />
The slide deck from OWASP San Antonio July 2013 meeting is available online here: https://owasp.org/index.php/File:Secrets-as-a-Service.pdf<br />
<br />
The slide deck from OWASP San Antonio February 2012 meeting is available online here: https://www.owasp.org/images/b/b0/WTE-Cloud-San_Antonio-2012-02.pdf<br />
<br />
The slide deck from OWASP San Antonio June 2011 meeting is available online here: https://www.owasp.org/images/2/21/How_to_Build_a_Secure_Login_BenBroussard_June2011.pdf<br />
<br />
The slide deck from OWASP San Antonio April 2011 meeting is available online here: https://www.owasp.org/images/0/05/Vulnerable_frameworks_yield_vulnerable_apps.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2011 meeting is available online here: http://www.owasp.org/images/c/cb/MichaelCoates-AppSensor.pdf <br />
<br />
The slide deck from OWASP San Antonio August 2010 meeting available online here: http://www.owasp.org/images/0/0e/OWASP_San_Antonio_0818.pdf.pdf http://www.owasp.org/images/5/5a/WPstats_spring10_9th.pdf <br />
<br />
The slide deck from OWASP San Antonio June 2010 meeting available online here: http://www.owasp.org/images/2/24/OWASPSanAntonio06162010_DDFA_PresentationFinal.pdf <br />
<br />
The slide deck from OWASP San Antonio May 2010 meeting available online here: http://www.owasp.org/images/b/b9/OpenSAMM10_OWASPSanAntonio_20100519.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2010 meeting available online here: http://www.owasp.org/index.php?title=File:Protecting_the_Enterprise_-_Software_Backdoors.pptx&amp;oldid=80140#filelinks <br />
<br />
The slide deck from OWASP San Antonio January 2010 meeting available online here: http://www.owasp.org/index.php/File:San_Antonio_Chapter-OWASP_WTE_Jan-2010.pdf#filelinks <br />
<br />
The slide deck from OWASP San Antonio October 2008 meeting available online here: http://www.owasp.org/index.php/San_Antonio <br />
<br />
The slide deck from OWASP San Antonio September 2007 meeting available online here: [[Image:Fortify-bjenkins-AppSecStrategy-20070906.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio March 2007 meeting will be available online shortly <br />
<br />
The slide deck from OWASP San Antonio September 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 09 AgileAndSecure.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio August 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 08 SingleSignOn.ppt]]. <br />
<br />
The slide deck from OWASP San Antonio June 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 06 Crypto Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio May 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 05 ForcefulBrowsing Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio September 2004 meeting available online here: [[Image:OWASPSanAntonio 20040922.pdf]]. <br />
<br />
[[Category:Texas]]</div>Dancornellhttps://wiki.owasp.org/index.php?title=File:Secrets-as-a-Service.pdf&diff=155372File:Secrets-as-a-Service.pdf2013-07-11T16:11:03Z<p>Dancornell: Matt Tesauro (and Jarret Raim)'s presentation on cloud-based key management in OpenStack. Presented at OWASP San Antonio on Wednesday July 10th, 2013.</p>
<hr />
<div>Matt Tesauro (and Jarret Raim)'s presentation on cloud-based key management in OpenStack. Presented at OWASP San Antonio on Wednesday July 10th, 2013.</div>Dancornellhttps://wiki.owasp.org/index.php?title=San_Antonio&diff=153475San Antonio2013-06-11T23:49:06Z<p>Dancornell: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=San Antonio|extra=The chapter leader is [mailto:dan@denimgroup.com Dan Cornell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanantonio|emailarchives=http://lists.owasp.org/pipermail/owasp-sanantonio}} <br />
<br />
== Local News ==<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, July 10th, 2013'''<br />
<br />
Topic: Cloud Keep: Protect Your Secrets at Scale<br />
<br />
Presenters: Jarret Raim and Matt Tesauro<br />
<br />
Date: Wednesday, July 10, 2013<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
<br />
One saying in the software security world has rung true for longer than any other encryption is easy, key management is hard. Unfortunately, the tools we have for properly generating, storing, using and protecting keys are sorely lacking. This presentation will present a "key management as a service" architecture that allows for rapid scaling, Cloud use cases while achieving high security, auditability and compliance using open source technologies.<br />
<br />
Presenter Bios:<br />
<br />
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace’s internal software teams as well as defined strategy for building secure systems on Rackspace’s OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant for Denim Group, Jarret has assessed and remediated applications in all industries and has experience width a wide variety of both development environments and the tools used to audit them. Jarret has recently taken charge of Rackspace's efforts to secure the Cloud through new product development, training and research. Jarret holds a Masters in Computer Science from Lehigh University and Bachelors in Computer Science from Trinity University.<br />
<br />
Matt has been involved in the information technology and application development for more than 10 years. He is currently the Product Security Engineering lead at Rackspace. Prior to joining Rackspace, Matt spent time as a application security consultant and spent several years as the “appsec guy” at a government agency. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven.<br />
<br />
He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, Agile Austin, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt is currently active with the OpenStack Security Group (OSSG) and a fomer board member of the OWASP Foundation. He is highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP OpenStack Security project - a project to bring the OpenStack and OWASP communities together.<br />
<br />
He has also run the OWASP WTE (Web Testing Environment) since 2008 which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications - all running on Linux (of course). Industry designations include the RHCE, Linux+, Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, June 5th, 2013'''<br />
<br />
Topic: Be Mean to Your Code Using Gauntlt [Slides http://www.slideshare.net/wickett/be-mean-to-your-code-owasp-san-antonio]<br />
<br />
Presenter: James Wickett<br />
<br />
Date: Wednesday, June 5, 2013<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
<br />
"Be Mean to Your Code” is the core concept behind the ruggedization framework called Gauntlt (http://gauntlt.org) which brings the benefits of Behaviour Driven Development to the realms of automated security testing, application hardening and ruggedization. Security testing is often done at a cadence set by the audit team and is often obscured from the development and operations teams. This isn't good and this creates an adversarial relationship between security, dev and ops.<br />
<br />
Gauntlt helps security, ops, and development teams work together. Gauntlt is meant to be used by security experts with interest in automation as well as developers with interest in security. It can be used to deliver the results of a security audit or penetration test via failing Gauntlt attacks (tests) which can in turn be added to automated test suites. Developers know they have resolved a particular vulnerability when Gauntlt no longer reports a failure. Gauntlt can also be used in regression tests to detect when a previously resolved vulnerability has been re-introduced.<br />
<br />
Traditional approaches to web security can be less effective in cloud environments, due to the highly dynamic nature of cloud infrastructure. Fortunately, infrastructure-driven, continuous testing can overcome many of these challenges. Netflix uses Gauntlt to continuously validate that the security configuration of its cloud deployment and applications remains as expected, even with a rapid rate of change and high degree of self-service.<br />
<br />
One of the core contributors of the Gauntlt project, James Wickett will talk about the history of the project, the current features, examples of how to use Gauntlt and the future roadmap of Gauntlt. As part of this talk we will do a demo where we will walk through getting started using pre-built Gauntlt attacks and then move to writing our own Gauntlt attacks. Come find out how to "Be Mean to Your Code" and ruggedize your next project.<br />
<br />
Gauntlt is an open source ruggedization framework using cucumber and written in ruby. It has been developed in collaboration with the security engineering teams at Netflix and Twitter. Gauntlt is MIT Licensed and hosted on github at http://github.com/gauntlt/gauntlt.<br />
<br />
Presenter Bio:<br />
<br />
http://about.me/wickett<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400 and mention that you are coming to the OWASP San Antonio meeting.<br />
<br />
<br />
<br />
'''OWASP Developer Security Training at BSides San Antonio: Saturday May 4th, 2013'''<br />
<br />
Attend BSides San Antonio for three mini-courses for developers wanting to learn about security.<br />
<br />
To register: <br />
<br />
https://bsidessatx.eventbrite.com/<br />
<br />
The event is sold out - looking forward to seeing everyone there on Saturday.<br />
<br />
Each mini-course will be around 1.5 hours in length. Attendees will also have full access to the rest of the BSides San Antonio event.<br />
<br />
Main BSides San Antonio site:<br />
<br />
http://bsidestexas.blogspot.com/p/san-antonio-april-2013.html<br />
<br />
''Mini-Course 1''<br />
<br />
Title: Threat Modeling for Developers '''(10:30am - Noon)'''<br />
<br />
Abstract:<br />
<br />
Threat modeling is a valuable technique for identifying potential security<br />
issues in complex applications but many development teams have been slow<br />
to adopt it because of a perception that it can only be done by security<br />
specialists as well as a lack of guidance on how to get the most out of<br />
the activity. This mini-course walks through the process of Threat<br />
modeling from the perspective of a developer trying to identify issues<br />
early in the development process so that problems can be avoided and<br />
controls can be put in place with a minimum level of effort. The materials<br />
include discussion of where threat modeling is best done during the<br />
development lifecycle as well as the process of creating and refining a<br />
threat model. This is an interactive experience, with participants working<br />
together to walk through the threat modeling process.<br />
<br />
''Mini-Course 2''<br />
<br />
Title: Developing Secure Web Applications '''(1:00pm - 2:30pm)'''<br />
<br />
Abstract:<br />
<br />
Web applications are a convenient entry point for attackers because they<br />
are often publicly-available and many are built without a focus on<br />
security. This mini-course provides a developer-focused introduction to<br />
building web applications designed to operate in the face of malicious<br />
attackers. It walks through a basic threat model for a web application and<br />
uses this threat model as a framework for making good decisions when<br />
designing and building applications. The focus of the course is less on<br />
enumerating various types of vulnerabilities but rather on design and<br />
coding techniques that can be used to help create resilient applications.<br />
Some code examples in Java and .NET will be provided, but the techniques<br />
can be applied to any web application environment. [It would be beneficial<br />
to attend the earlier Threat Modeling session, but not required.]<br />
<br />
''Mini-Course 3''<br />
<br />
Title: Developing Secure Mobile Applications '''(3:00pm - 4:30pm)'''<br />
<br />
Abstract:<br />
<br />
Organizations of all sizes are rushing to provide their customers and<br />
employees with applications taking advantage of the power of mobile<br />
computing. As with many new technologies, these organizations often deploy<br />
applications first and come to realize the security implications of these<br />
new systems only post-deployment. This mini-course provides a<br />
developer-focused introduction to security for mobile applications. It<br />
walks through a basic threat model for a mobile application and uses this<br />
threat model as a framework for making good decisions when designing and<br />
building mobile application systems. Examples are provided for both iOS<br />
(iPhone and iPad) and Android platforms but the overall approach can be<br />
applied for all mobile applications. [It would be beneficial to attend the<br />
earlier Threat Modeling and Web Application sessions, but not required.]<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, September 25, 2012'''<br />
<br />
Topic: Dev/Ops, Continuous Deployment and APIs, Oh My! <br />
<br />
Presenter: Jarret Raim and Matt Tesauro<br />
<br />
Date: Tuesday, September 25, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
As the world of application development continues to change, the security community needs to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops and the traditional security processes just don’t work. Even if testing windows exist, they are too short for the traditional scanning or manual testing programs. Then, there’s the lack of viable tools to test API’s. What’s a security professional in charge of rolling out an SDLC supposed to do? This talk will cover methods of adapting traditional security practices into a test driven development (TDD) for security and provide practical advice on how to handle short development and promotion cycles with few or no testing windows. A demonstration of a new testing tool will also be part of the presentation.<br />
<br />
<br />
Presenter Bios:<br />
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace’s internal software teams as well as defined strategy for building secure systems on Rackspace’s OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant at Denim Group, Jarret has assessed and remediated applications in all industries and has experience width a wide variety of both development environments and the tools used to audit them. Jarret has recently taken charge of Rackspace's efforts to secure the Cloud through new product development, training and research. Jarret holds an M.S. in Computer Science from Lehigh University and a B.S. in Computer Science from Trinity University.<br />
<br />
Matt Tesauro has been involved in the Information Technology industry for more than 10 years. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 18, 2012'''<br />
<br />
Topic: Secure Coding Practices for 2012<br />
<br />
Presenter: Keith Turpin<br />
<br />
Date: Wednesday, April 18, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
Keith Turpin will present OWASP's "The Secure Coding Practices Quick Reference Guide." The guide is a technology agnostic set of software security coding practices, in a comprehensive checklist format, that can be integrated into the development life-cycle. At only 17 pages long, it is easy for development teams to read and use. The coding practices are mapped to functional requirements, so you can quickly locate the practices you need. It also provides a brief introduction to security principles and vocabulary to help developers and security folks get on the same page, but the focus is on requirements not vulnerabilities or exploits. This presentation will provide an overview of the guide and discuss some concepts about how to use it. Keith will cover the guide as well as the direction of the project for 2012, and alignment with integrating components of the guide with an organizations application security policy.<br />
<br />
<br />
Presenter Bio:<br />
Keith Turpin, CISSP, CSSLP, CRISC, leads Boeing’s enterprise application security assessment team. He previously served as the lead IT security advisor for all of Boeing’s international operations. <br />
<br />
Keith is a member of the (ISC)2 Application Security Advisory Board and has served as a U.S. delegate to the International Standards Organization's (ISO) sub-committee on cyber security. He is the project leader for the OWASP Secure Coding Practices Quick Reference Guide and is a member of the OWASP Global Projects Committee. He also spent four years as the Director of Communication for the Seattle chapter of the Information Systems Security Association. <br />
<br />
He is a frequent speaker at conferences, professional organizations and corporations on a variety of security topics and in his spare time he is the director of a nationally recognized intercollegiate engineering competition. <br />
<br />
Keith holds a BS in Mechanical Engineering and MS in Computer Systems.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, February 22, 2012'''<br />
<br />
Topic: Testing from the Cloud: Is the Sky Falling?<br />
<br />
Presenter: Matt Tesauro<br />
<br />
Date: Wednesday, February 22, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
Geekdom<br />
The Weston Centre<br />
112 East Pecan, 11th floor<br />
San Antonio TX 78205<br />
Map: http://www.geekdom.com/location/<br />
Check map for parking info.<br />
<br />
Abstract:<br />
More and more IT is being moved to the cloud, why shouldn't your testing move there too? This talk will cover what it takes to take your testing tools from your laptop to the cloud using new features of the OWASP Web Testing Environment (WTE). WTE allows you to create custom installations of application security tools in the cloud on demand. Has your IP been shunned? No problem, kill that cloud instance and startup another. Is your life as mobile as your phone? No problem, a laptop + Internet = access to all your favorite tools from anywhere. Multiple clients? No problem, start an an instance for each one. By the end of this talk, you'll know all you need to fire up an cloud instance with all of your favorite tools and start having fun.<br />
<br />
<br />
Presenter Bio:<br />
Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Rackspace, Matt was a security consultant for security firms such as Trustwave as well as running an internal application security effort. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.<br />
<br />
Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications.<br />
<br />
Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, November 16, 2011'''<br />
<br />
Topic: You're Bleeding Sensitive Data - Find it Before They Do<br />
<br />
Presenter: Steve Werby<br />
<br />
Date: Wednesday, November 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
With the proliferation of Internet accessible applications and files within organizations and the number of employees capable of making sensitive content available growing rapidly, knowing what sensitive information is accessible is increasingly difficult. And expensive DLP and scanning tools are not the only option. I will cover management strategies to reduce the risk, as well as demonstrate free and low-cost tools (FOCA, Shodan, Google Hacking Database and more) to discover sensitive data.<br />
<br />
<br />
Presenter Bio:<br />
Steve Werby is Chief Information Security Officer at the University of Texas at San Antonio, where he leads the university's 10-person Office of Information Security. He has also served as CISO for Virginia Commonwealth University and the Virginia Department of Corrections (where he gained a new appreciation for physical security). Prior to that, he operated an information security consultancy with an international client base consisting largely of ISPs, web hosting companies and online businesses. Steve has an engineering degree, an MBA and numerous certs, but he is prouder of the fact that he hasn't signed his name the same way twice since 2009.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, August 17, 2011'''<br />
<br />
Topic: Secure Development Lifecycle at Symantec<br />
<br />
Presenter: Edward Bonver<br />
<br />
Date: Wednesday, August 17, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Given complexities and diversity of development technologies and processes as well as the deployment environments, in combination with customer expectations, software development in modern world is an immense undertaking. Building security into a development lifecycle of a large software vendor could prove quite challenging. This presentation covers how security practices are being followed by various product teams across Symantec, including the related processes and guidelines from Symantec’s Product Security Team. <br />
<br />
<br />
Presenter Bio:<br />
A senior principal software engineer on the product security team at Symantec Corporation, Edward Bonver is responsible for working with software developers and quality assurance professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures, and tools for secure coding and security testing. Edward teaches secure coding and security testing classes for Symantec engineers and leads the company’s QA Security Task Force, which he founded. He is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP).<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Thursday, June 16, 2011'''<br />
<br />
Topic: Building a Secure Login<br />
<br />
Presenter: Ben Broussard<br />
<br />
Date: Thursday, June 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
This talk takes the standard, cookie-based login and authorization functionality through its paces. First I will walk through the requirements of common, single sign-on functionality. Then I will walk through attacks and their countermeasures including SQL injection and parameterized queries, session fixation and cookie cycling, session hijacking and about a dozen necessary countermeasures, and so on. The discussion will be programming language agnostic, instead focusing on the functional specifications.<br />
<br />
<br />
Presenter Bio:<br />
Ben Broussard has been involved in the Austin OWASP chapter since 2008, giving technical talks, serving on the LASCON board, the chapter board, and organizing a study group. Outside of OWASP he has worn the hats of mainframe and web application developer, cryptographer, pentester, and he recently launched his own application security business, Kedalion Security, LLC. On the side he does research into brains and AI, and is an avid 80's dancer.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 20, 2011'''<br />
<br />
Topic: Vulnerable Frameworks Yield Vulnerable Apps<br />
<br />
Presenter: Javier Castro<br />
<br />
Date: Wednesday, April 20, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive, San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Major software vendors such as VMware and SAP are getting significantly better at writing <br />
secure software, but all of this effort is lost when they forget to properly configure or secure <br />
the frameworks that their software is built upon. This talk gives an overview of several <br />
recently discovered vulnerabilities in the products of major software companies. In each <br />
case the flaw leads to a complete system compromise and was located in a framework that <br />
the product was built upon. We as software developers can learn from these cases and <br />
avoid similar scenarios.<br />
<br />
Bio: <br />
Javier Castro is a senior vulnerability researcher at Digital Defense, Inc. where he writes explicit vulnerability checks, develops proprietary exploits, and researches popular software deployments. As exciting as vulnerability exploitation is, Javier finds it more rewarding to find ways to develop a secure application in the first place.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br />
<br><br />
<br />
'''San Antonio OWASP Chapter: Wednesday, March 23, 2011''' <br />
<br />
Topic: Attack Aware Applications <br />
<br />
Presenter: Michael Coates <br />
<br />
Date: Wednesday, March 23, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Attack Aware Applications: Imagine being able to detect an attacker in your application while they are searching for vulnerability and then locking out their account before they can do any harm. The OWASP AppSensor project provides a strategy for enabling your applications to detect and respond to attackers in real time. More powerful then generic detection with a WAF, the AppSensor approach allows detection of targeted application attacks attempting to exploit all areas including: business logic, access control, session management, injection attacks and more. This presentation will discuss techniques for implementing such a system within your application using existing technologies or by leveraging ESAPI. <br />
<br />
Presenter Bio: Michael Coates has extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers worldwide. Michael holds a MS in Computer Security from DePaul University and a BS in Computer Science from the University of Illinois. <br />
<br />
Michael is the creator and leader of the AppSensor project and a contributor to the 2010 OWASP Top 10. He is a frequent speaker at international OWASP security conferences and has also spoken at the Chicago Thotcon conference and provided security training at BlackHat. <br />
<br />
As the web security lead at Mozilla, Michael protects web applications used by millions of users each day. <br />
<br />
<br> Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Wednesday, January 19, 2011''' <br />
<br />
Topic: Smart Phones with Dumb Apps <br />
<br />
Presenter: Dan Cornell <br />
<br />
Date: Wednesday, January 19, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 [http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229] <br />
<br />
<br> Abstract: Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android. Many of these applications are constructed without fully considering the associated security implications of their deployment. Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services. This talk discusses emerging threats associated with deploying smartphone applications and provides an overview of the threat modeling process. The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Tue, November 16, 2010''' <br />
<br />
Topic: OWASP Top 10: What is it all about? <br />
<br />
Presenter: Dean Bushmiller <br />
<br />
Date: Tuesday, November 16, 2010 <br />
<br />
Time: 12:00pm-1:00pm <br />
<br />
Location: Methodist Health System – System Office 8109 Fredericksburg Road San Antonio, TX 78229-3311 Women’s Center Classroom 1 http://maps.google.com/maps?f=q&amp;source=s_q&amp;hl=en&amp;geocode=&amp;q=8109+fredericksburd+rd,+78229&amp;sll=37.0625,-95.677068&amp;sspn=35.494074,72.070313&amp;ie=UTF8&amp;hq=&amp;hnear=8109+Fredericksburg+Rd,+San+Antonio,+Bexar,+Texas+78229&amp;z=16 <br />
<br />
<br> Abstract: Everyone knows exactly what the OWASP top ten security threats are, right? Well sort of... I ask people if they have heard of the top ten they say yes. I ask them to name a few they pause, then they blurt out 2-3. Then I ask them to explain those 2-3 and they look at me like a deer-in-the-headlights. I want to make sure that everyone who walks out of the presentation can clearly define the top ten and be able to communicate to another what each of the top ten vulnerabilities are. <br />
<br />
<br> Presenter Bio: Dean Bushmiller has taught for 12 years. He is the recipient of five Mission Coins from various military branches. He has led national certification organizations in development, policy, and educational materials for over 10 years. He has presented, consulted, and instructed government, education, military, and private organizations. Dean has worked for SANS, ISC2, and other security training organizations. He has bee the keynote speaker at information security conferences as well as state and local colleges. He is now Director of Training for Expanding Security. <br />
<br />
Feel free to bring a brown bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed August 18, 2010''' <br />
<br />
Topic: Which Web Programming Languages are Most Secure? <br />
<br />
Presenter: Jeremiah Grossman, Founder and CTO, WhiteHat Security <br />
<br />
Date: Wednesday, August 18, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Security-conscious organizations make implementing a software security development lifecycle a priority. As part of the process, they evaluate a large number of development technologies for building websites. The assumption by many is that not all development environments are created equal. So the question often asked is, “What is the most secure programming language or development framework available?” <br />
<br />
<br> Clearly, familiarity with a specific product, whether it is designed to be secure-by-default or must be configured properly, and whether various libraries are available, can drastically impact the outcome. Still, conventional wisdom suggests that most popular modern languages / frameworks (commercial &amp; open source) perform relatively similarly when it comes to an overall security posture. At least in theory, none is markedly or noticeably more secure than another. Suggesting PHP, Java, C# and others are any more secure than other frameworks is sure to spark heated debate. <br />
<br />
<br> As has been said in the past, “In theory, there is no difference between theory and practice. But, in practice, there is.” Until now, no website security study has provided empirical research measuring how various Web programming languages / frameworks actively perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that popular modern languages / frameworks yield similar results in production websites? <br />
<br />
<br> By analyzing the vulnerability assessment results of nearly 1,700 websites under WhiteHat Sentinel management, we may begin to answer some of these questions. These answers may enable the website security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas; software vendors may focus on areas found lacking; and, developers will increase their familiarity with the strength and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and be virtually transparent. Only then will application security progress be made. <br />
<br />
<br> Presenter Bio: Jeremiah Grossman founded WhiteHat Security in August 2001. <br />
<br />
<br> A world-renowned expert in Web security, Mr. Grossman is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007. <br />
<br />
<br> Mr. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense. <br />
<br />
<br> Mr. Grossman is frequently quoted in major media outlets such as USA Today, the Washington Post, The Financial Times, InformationWeek, InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, CNET, CSO and NBC news. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also provide his perspective of what’s to come. <br />
<br />
<br> Mr. Grossman was named a “friend of Google” and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information. <br />
<br />
<br> Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc. <br />
<br />
Pizza will be served. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Fri. August 13, 2010''' <br />
<br />
Topic: 1)How OWASP Works and Guided Tour of OWASP Projects / 2) Using the O2 Platform to Consume OWASP projects <br />
<br />
Presenter: Dinis Cruz <br />
<br />
Date: Friday, August 13, 2010, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: 1) How OWASP Works and Guided Tour of OWASP Projects - This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives should the local chapters be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology) <br />
<br />
2) Using the O2 Platform to Consume OWASP projects - This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM <br />
<br />
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest) , b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and c) engage on a two-way conversion on the best way to fix/remediate those vulnerabilities. <br />
<br />
<br> Presenter Bio: Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
<br> Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed July 21, 2010''' <br />
<br />
Topic: A Caching Technique (PHP Implementation) <br />
<br />
Presenter: Dan Ross, VP Engineering, PIC Business Systems <br />
<br />
Date: Wednesday July 19, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Reduce 304's and improve web application performance. A caching technique is demonstrated using PHP. Easy implementation as well as caching override are discussed. <br />
<br />
<br> Presenter Bio: Dan Ross has been VP Engineering for over 20 years at PIC Business Systems, which provides integrated business software for the several industries. He has led the design, development, and maintenance of many commercial web applications and programs. He has a BS in Industrial Engineering from St. Mary's University in San Antonio. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed June 16, 2010''' <br />
<br />
Topic: Securing Software Applications Using Dynamic Dataflow Analysis <br />
<br />
Presenter: Steve Cook, Senior Research Analyst, SwRI <br />
<br />
Date: Wednesday June 16, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: In this presentation, we present an ongoing research effort that ensures that a wide variety of user-defined security policies are enforced on executing C programs while keeping runtime overhead low and with little disruption to the development process by leveraging Dynamic Dataflow Analysis (DDFA). The DDFA system is built upon the Broadway static data flow analysis and error checking system, which is a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin). UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project. <br />
<br />
The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls. The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library. <br />
<br />
The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques. This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime. <br />
<br />
Disruption to the development process is minimized through the security policy specification. The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment. <br />
<br />
The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes. In the future, our system can be extended to handle multiple languages and complement new security solutions. <br />
<br />
Presenter Bio: Steve Cook is a senior research analyst in the System Security and High Reliability Software section at the SwRI. His background and expertise are in distributed and parallel computing, compilers, as well as object-oriented and generic programming. He received his master’s degree in computer science from Texas A&amp;M University. While at Texas A&amp;M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ Programming Language, where he helped develop a new approach to writing concurrent programs that allows programmers to quickly turn a sequential C++ program into a parallel one that is race and deadlock free. <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed May 19th, 2010''' <br />
<br />
Topic: The Open Software Assurance Maturity Model <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: Wednesday May 19th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. <br />
<br />
This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed March 17, 2010''' <br />
<br />
Topic: Protecting Your Applications: How to Secure Business Critical Applications from Time Bombs, Backdoors &amp; Data Exfiltration <br />
<br />
Presenter: Clint Pollock <br />
<br />
Date: Wednesday, March 17th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Sponsored by: VERACODE <br />
<br />
Abstract: With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams. In this session we will cover; · Prevalence of backdoors and malicious code in third party attacks · Definitions and classifications of backdoors and their impact on your applications · Methods to identify, track and remediate these vulnerabilities <br />
<br />
Presenter Bio: Clint Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint’s greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL. <br />
<br />
<br> FREE PIZZA will be provided, courtesy of our friends from Veracode. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''Meeting Schedule for 2010''' <br />
<br />
Dates are set - speakers and topics are firming up as well speak. All meetings are from 11:30am - 1:00pm at the San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229. <br />
<br />
Wednesday January 20th - OWASP LiveCD: An Open Environment for Web Application Security by Matt Tesauro <br />
<br />
Wednesday March 17th - TBD <br />
<br />
Wednesday May 19th - TBD <br />
<br />
Wednesday July 21st - TBD <br />
<br />
Wednesday September 15th - TBD <br />
<br />
Wednesday November 10th - TBD <br />
<br />
<br> '''San Antonio OWASP Chapter: Wed January 20th, 2010''' <br />
<br />
Topic: OWASP LiveCD: An Open Environment for Web Application Security Presenter: Matt Tesauro, OWASP Board Member, LiveCD Project Lead Date: Wednesday January 20th, 2010 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users’ web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project <br />
<br />
Presenter Bio: Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&amp;M University. Currently, he's focused on implementing a comprehensive web application security program for the Texas Education Agency (TEA). Outside work, he is a member of the OWASP Foundation's Board of Directors, the project lead for the OWASP Live CD, a member of the OWASP Global Projects Committee, assists the OWASP Austin chapters leadership and a member of ISSA of Austin, Texas. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&amp;M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
Recent Meetings: <br />
<br />
<br> '''San Antonio OWASP Chapter: October 21, 2009''' <br />
<br />
Topic: Rolling Out an Enterprise Source Code Review Program <br />
<br />
Presenter: Dan Cornell, Principal at Denim Group Date: October 21, 2009 11:30 a.m. – 1:00 p.m. <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects. However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed. This talk will present lessons learned from the creation of several enterprise source code review programs, including: identifying all sources of custom code in an organization including custom extensions to ERP systems and enterprise portals, selecting the first round of applications to scan and successfully interpreting results and driving resolution to identified issues. <br />
<br />
<br> Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> '''San Antonio OWASP Chapter: August 19, 2009''' <br />
<br />
Topic: Web Application Firewalls (WAFs) <br />
<br />
Presenter: Matt Burriola &amp; Mario Flores, Randolph-Brooks Federal Credit Union Date: August 19, 2009 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Web Application Firewalls Web application firewalls (WAFs) have gained considerable momentum as web vulnerabilities have grown. WAFs now have a proven record of reducing exposures to web vulnerabilities by blocking malicious activity much like a typical firewall. While WAFs help, it does take time to consider when a WAF is appropriate. It also takes time to evaluate and implement the WAF as well. Come listen to reasons why Randolph-Brooks Federal Credit Union chose a WAF and what they learned in the process. <br />
<br />
Presenter Bio: Matt is a Senior Developer on the RBFCU Web Team, but mainly serves the roles of Configuration Management lead and Systems Admin for the team. Matt maintains the source control repository, application build and release processes, and QA server environments. Matt also works on web infrastructure initiatives such as Web Application Firewall. Matt has 10 years IT industry experience, including Java/web technologies, C, C++, Unix/Linux, shell scripting, and Symbol mobile handheld programming. Matt has a degree in Management Information Systems from Texas A&amp;M University-Corpus Christi. <br />
<br />
Mario is currently the Web Development manager for RBFCU. In this current role, Mario manages the development efforts for the online banking site and the intranet. Mario also has a solid background in web security and has addressed issues with web application penetration assessments. Mario has worked for RBFCU for 14 years and he has a degree in Information Systems from Texas Lutheran University. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: June 17, 2009'''' Topic: What is Cross Site Scripting And Why Is It bad? Date: June 17, 2009 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The presentation will cover background information on cross-site scripting (XSS) attacks as well as real world examples of what can happen when this type of vulnerability is present and the different ways that it can be exploited. The presentation will also include language agnostic ways to mitigate this sort of risk and how developers and security professionals can identify these risks. <br />
<br />
Presenter Bio: David is currently a Security Architect for Rackspace IT Hosting. In this current role, David is responsible for designing and implementing network security solutions, as well as software development in support of automation. In previous roles he was a software developer on various projects written in a mix of PHP, Python, Perl, Ruby, c#, and asp.net. Prior to Rackspace, David worked for Digital Defense and he holds a B.B.A. in Information Systems from the University of Texas San Antonio. He also has an extensive background in application security and is actively researching botnet mitigation techniques. Certifications held include CISSP, RHCE, and CCNA. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: January 2009 Meeting''' <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group Date: January 29, 2009 11:30am – 1:00pm <br />
<br />
Location: <br />
<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract:Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> <br />
<br />
----<br />
<br />
'''Previous News''' <br />
The slide deck from OWASP San Antonio February 2012 meeting is available online here: https://www.owasp.org/images/b/b0/WTE-Cloud-San_Antonio-2012-02.pdf<br />
<br />
The slide deck from OWASP San Antonio June 2011 meeting is available online here: https://www.owasp.org/images/2/21/How_to_Build_a_Secure_Login_BenBroussard_June2011.pdf<br />
<br />
The slide deck from OWASP San Antonio April 2011 meeting is available online here: https://www.owasp.org/images/0/05/Vulnerable_frameworks_yield_vulnerable_apps.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2011 meeting is available online here: http://www.owasp.org/images/c/cb/MichaelCoates-AppSensor.pdf <br />
<br />
The slide deck from OWASP San Antonio August 2010 meeting available online here: http://www.owasp.org/images/0/0e/OWASP_San_Antonio_0818.pdf.pdf http://www.owasp.org/images/5/5a/WPstats_spring10_9th.pdf <br />
<br />
The slide deck from OWASP San Antonio June 2010 meeting available online here: http://www.owasp.org/images/2/24/OWASPSanAntonio06162010_DDFA_PresentationFinal.pdf <br />
<br />
The slide deck from OWASP San Antonio May 2010 meeting available online here: http://www.owasp.org/images/b/b9/OpenSAMM10_OWASPSanAntonio_20100519.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2010 meeting available online here: http://www.owasp.org/index.php?title=File:Protecting_the_Enterprise_-_Software_Backdoors.pptx&amp;oldid=80140#filelinks <br />
<br />
The slide deck from OWASP San Antonio January 2010 meeting available online here: http://www.owasp.org/index.php/File:San_Antonio_Chapter-OWASP_WTE_Jan-2010.pdf#filelinks <br />
<br />
The slide deck from OWASP San Antonio October 2008 meeting available online here: http://www.owasp.org/index.php/San_Antonio <br />
<br />
The slide deck from OWASP San Antonio September 2007 meeting available online here: [[Image:Fortify-bjenkins-AppSecStrategy-20070906.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio March 2007 meeting will be available online shortly <br />
<br />
The slide deck from OWASP San Antonio September 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 09 AgileAndSecure.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio August 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 08 SingleSignOn.ppt]]. <br />
<br />
The slide deck from OWASP San Antonio June 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 06 Crypto Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio May 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 05 ForcefulBrowsing Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio September 2004 meeting available online here: [[Image:OWASPSanAntonio 20040922.pdf]]. <br />
<br />
[[Category:Texas]]</div>Dancornellhttps://wiki.owasp.org/index.php?title=San_Antonio&diff=153474San Antonio2013-06-11T23:29:19Z<p>Dancornell: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=San Antonio|extra=The chapter leader is [mailto:dan@denimgroup.com Dan Cornell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanantonio|emailarchives=http://lists.owasp.org/pipermail/owasp-sanantonio}} <br />
<br />
== Local News ==<br />
'''San Antonio OWASP Chapter: Wednesday, June 5th, 2013'''<br />
<br />
Topic: Be Mean to Your Code Using Gauntlt [Slides http://www.slideshare.net/wickett/be-mean-to-your-code-owasp-san-antonio]<br />
<br />
Presenter: James Wickett<br />
<br />
Date: Wednesday, June 5, 2013<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
<br />
"Be Mean to Your Code” is the core concept behind the ruggedization framework called Gauntlt (http://gauntlt.org) which brings the benefits of Behaviour Driven Development to the realms of automated security testing, application hardening and ruggedization. Security testing is often done at a cadence set by the audit team and is often obscured from the development and operations teams. This isn't good and this creates an adversarial relationship between security, dev and ops.<br />
<br />
Gauntlt helps security, ops, and development teams work together. Gauntlt is meant to be used by security experts with interest in automation as well as developers with interest in security. It can be used to deliver the results of a security audit or penetration test via failing Gauntlt attacks (tests) which can in turn be added to automated test suites. Developers know they have resolved a particular vulnerability when Gauntlt no longer reports a failure. Gauntlt can also be used in regression tests to detect when a previously resolved vulnerability has been re-introduced.<br />
<br />
Traditional approaches to web security can be less effective in cloud environments, due to the highly dynamic nature of cloud infrastructure. Fortunately, infrastructure-driven, continuous testing can overcome many of these challenges. Netflix uses Gauntlt to continuously validate that the security configuration of its cloud deployment and applications remains as expected, even with a rapid rate of change and high degree of self-service.<br />
<br />
One of the core contributors of the Gauntlt project, James Wickett will talk about the history of the project, the current features, examples of how to use Gauntlt and the future roadmap of Gauntlt. As part of this talk we will do a demo where we will walk through getting started using pre-built Gauntlt attacks and then move to writing our own Gauntlt attacks. Come find out how to "Be Mean to Your Code" and ruggedize your next project.<br />
<br />
Gauntlt is an open source ruggedization framework using cucumber and written in ruby. It has been developed in collaboration with the security engineering teams at Netflix and Twitter. Gauntlt is MIT Licensed and hosted on github at http://github.com/gauntlt/gauntlt.<br />
<br />
Presenter Bio:<br />
<br />
http://about.me/wickett<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400 and mention that you are coming to the OWASP San Antonio meeting.<br />
<br />
<br />
<br />
'''OWASP Developer Security Training at BSides San Antonio: Saturday May 4th, 2013'''<br />
<br />
Attend BSides San Antonio for three mini-courses for developers wanting to learn about security.<br />
<br />
To register: <br />
<br />
https://bsidessatx.eventbrite.com/<br />
<br />
The event is sold out - looking forward to seeing everyone there on Saturday.<br />
<br />
Each mini-course will be around 1.5 hours in length. Attendees will also have full access to the rest of the BSides San Antonio event.<br />
<br />
Main BSides San Antonio site:<br />
<br />
http://bsidestexas.blogspot.com/p/san-antonio-april-2013.html<br />
<br />
''Mini-Course 1''<br />
<br />
Title: Threat Modeling for Developers '''(10:30am - Noon)'''<br />
<br />
Abstract:<br />
<br />
Threat modeling is a valuable technique for identifying potential security<br />
issues in complex applications but many development teams have been slow<br />
to adopt it because of a perception that it can only be done by security<br />
specialists as well as a lack of guidance on how to get the most out of<br />
the activity. This mini-course walks through the process of Threat<br />
modeling from the perspective of a developer trying to identify issues<br />
early in the development process so that problems can be avoided and<br />
controls can be put in place with a minimum level of effort. The materials<br />
include discussion of where threat modeling is best done during the<br />
development lifecycle as well as the process of creating and refining a<br />
threat model. This is an interactive experience, with participants working<br />
together to walk through the threat modeling process.<br />
<br />
''Mini-Course 2''<br />
<br />
Title: Developing Secure Web Applications '''(1:00pm - 2:30pm)'''<br />
<br />
Abstract:<br />
<br />
Web applications are a convenient entry point for attackers because they<br />
are often publicly-available and many are built without a focus on<br />
security. This mini-course provides a developer-focused introduction to<br />
building web applications designed to operate in the face of malicious<br />
attackers. It walks through a basic threat model for a web application and<br />
uses this threat model as a framework for making good decisions when<br />
designing and building applications. The focus of the course is less on<br />
enumerating various types of vulnerabilities but rather on design and<br />
coding techniques that can be used to help create resilient applications.<br />
Some code examples in Java and .NET will be provided, but the techniques<br />
can be applied to any web application environment. [It would be beneficial<br />
to attend the earlier Threat Modeling session, but not required.]<br />
<br />
''Mini-Course 3''<br />
<br />
Title: Developing Secure Mobile Applications '''(3:00pm - 4:30pm)'''<br />
<br />
Abstract:<br />
<br />
Organizations of all sizes are rushing to provide their customers and<br />
employees with applications taking advantage of the power of mobile<br />
computing. As with many new technologies, these organizations often deploy<br />
applications first and come to realize the security implications of these<br />
new systems only post-deployment. This mini-course provides a<br />
developer-focused introduction to security for mobile applications. It<br />
walks through a basic threat model for a mobile application and uses this<br />
threat model as a framework for making good decisions when designing and<br />
building mobile application systems. Examples are provided for both iOS<br />
(iPhone and iPad) and Android platforms but the overall approach can be<br />
applied for all mobile applications. [It would be beneficial to attend the<br />
earlier Threat Modeling and Web Application sessions, but not required.]<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, September 25, 2012'''<br />
<br />
Topic: Dev/Ops, Continuous Deployment and APIs, Oh My! <br />
<br />
Presenter: Jarret Raim and Matt Tesauro<br />
<br />
Date: Tuesday, September 25, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
As the world of application development continues to change, the security community needs to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops and the traditional security processes just don’t work. Even if testing windows exist, they are too short for the traditional scanning or manual testing programs. Then, there’s the lack of viable tools to test API’s. What’s a security professional in charge of rolling out an SDLC supposed to do? This talk will cover methods of adapting traditional security practices into a test driven development (TDD) for security and provide practical advice on how to handle short development and promotion cycles with few or no testing windows. A demonstration of a new testing tool will also be part of the presentation.<br />
<br />
<br />
Presenter Bios:<br />
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace’s internal software teams as well as defined strategy for building secure systems on Rackspace’s OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant at Denim Group, Jarret has assessed and remediated applications in all industries and has experience width a wide variety of both development environments and the tools used to audit them. Jarret has recently taken charge of Rackspace's efforts to secure the Cloud through new product development, training and research. Jarret holds an M.S. in Computer Science from Lehigh University and a B.S. in Computer Science from Trinity University.<br />
<br />
Matt Tesauro has been involved in the Information Technology industry for more than 10 years. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 18, 2012'''<br />
<br />
Topic: Secure Coding Practices for 2012<br />
<br />
Presenter: Keith Turpin<br />
<br />
Date: Wednesday, April 18, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
Keith Turpin will present OWASP's "The Secure Coding Practices Quick Reference Guide." The guide is a technology agnostic set of software security coding practices, in a comprehensive checklist format, that can be integrated into the development life-cycle. At only 17 pages long, it is easy for development teams to read and use. The coding practices are mapped to functional requirements, so you can quickly locate the practices you need. It also provides a brief introduction to security principles and vocabulary to help developers and security folks get on the same page, but the focus is on requirements not vulnerabilities or exploits. This presentation will provide an overview of the guide and discuss some concepts about how to use it. Keith will cover the guide as well as the direction of the project for 2012, and alignment with integrating components of the guide with an organizations application security policy.<br />
<br />
<br />
Presenter Bio:<br />
Keith Turpin, CISSP, CSSLP, CRISC, leads Boeing’s enterprise application security assessment team. He previously served as the lead IT security advisor for all of Boeing’s international operations. <br />
<br />
Keith is a member of the (ISC)2 Application Security Advisory Board and has served as a U.S. delegate to the International Standards Organization's (ISO) sub-committee on cyber security. He is the project leader for the OWASP Secure Coding Practices Quick Reference Guide and is a member of the OWASP Global Projects Committee. He also spent four years as the Director of Communication for the Seattle chapter of the Information Systems Security Association. <br />
<br />
He is a frequent speaker at conferences, professional organizations and corporations on a variety of security topics and in his spare time he is the director of a nationally recognized intercollegiate engineering competition. <br />
<br />
Keith holds a BS in Mechanical Engineering and MS in Computer Systems.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, February 22, 2012'''<br />
<br />
Topic: Testing from the Cloud: Is the Sky Falling?<br />
<br />
Presenter: Matt Tesauro<br />
<br />
Date: Wednesday, February 22, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
Geekdom<br />
The Weston Centre<br />
112 East Pecan, 11th floor<br />
San Antonio TX 78205<br />
Map: http://www.geekdom.com/location/<br />
Check map for parking info.<br />
<br />
Abstract:<br />
More and more IT is being moved to the cloud, why shouldn't your testing move there too? This talk will cover what it takes to take your testing tools from your laptop to the cloud using new features of the OWASP Web Testing Environment (WTE). WTE allows you to create custom installations of application security tools in the cloud on demand. Has your IP been shunned? No problem, kill that cloud instance and startup another. Is your life as mobile as your phone? No problem, a laptop + Internet = access to all your favorite tools from anywhere. Multiple clients? No problem, start an an instance for each one. By the end of this talk, you'll know all you need to fire up an cloud instance with all of your favorite tools and start having fun.<br />
<br />
<br />
Presenter Bio:<br />
Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Rackspace, Matt was a security consultant for security firms such as Trustwave as well as running an internal application security effort. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.<br />
<br />
Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications.<br />
<br />
Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, November 16, 2011'''<br />
<br />
Topic: You're Bleeding Sensitive Data - Find it Before They Do<br />
<br />
Presenter: Steve Werby<br />
<br />
Date: Wednesday, November 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
With the proliferation of Internet accessible applications and files within organizations and the number of employees capable of making sensitive content available growing rapidly, knowing what sensitive information is accessible is increasingly difficult. And expensive DLP and scanning tools are not the only option. I will cover management strategies to reduce the risk, as well as demonstrate free and low-cost tools (FOCA, Shodan, Google Hacking Database and more) to discover sensitive data.<br />
<br />
<br />
Presenter Bio:<br />
Steve Werby is Chief Information Security Officer at the University of Texas at San Antonio, where he leads the university's 10-person Office of Information Security. He has also served as CISO for Virginia Commonwealth University and the Virginia Department of Corrections (where he gained a new appreciation for physical security). Prior to that, he operated an information security consultancy with an international client base consisting largely of ISPs, web hosting companies and online businesses. Steve has an engineering degree, an MBA and numerous certs, but he is prouder of the fact that he hasn't signed his name the same way twice since 2009.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, August 17, 2011'''<br />
<br />
Topic: Secure Development Lifecycle at Symantec<br />
<br />
Presenter: Edward Bonver<br />
<br />
Date: Wednesday, August 17, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Given complexities and diversity of development technologies and processes as well as the deployment environments, in combination with customer expectations, software development in modern world is an immense undertaking. Building security into a development lifecycle of a large software vendor could prove quite challenging. This presentation covers how security practices are being followed by various product teams across Symantec, including the related processes and guidelines from Symantec’s Product Security Team. <br />
<br />
<br />
Presenter Bio:<br />
A senior principal software engineer on the product security team at Symantec Corporation, Edward Bonver is responsible for working with software developers and quality assurance professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures, and tools for secure coding and security testing. Edward teaches secure coding and security testing classes for Symantec engineers and leads the company’s QA Security Task Force, which he founded. He is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP).<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Thursday, June 16, 2011'''<br />
<br />
Topic: Building a Secure Login<br />
<br />
Presenter: Ben Broussard<br />
<br />
Date: Thursday, June 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
This talk takes the standard, cookie-based login and authorization functionality through its paces. First I will walk through the requirements of common, single sign-on functionality. Then I will walk through attacks and their countermeasures including SQL injection and parameterized queries, session fixation and cookie cycling, session hijacking and about a dozen necessary countermeasures, and so on. The discussion will be programming language agnostic, instead focusing on the functional specifications.<br />
<br />
<br />
Presenter Bio:<br />
Ben Broussard has been involved in the Austin OWASP chapter since 2008, giving technical talks, serving on the LASCON board, the chapter board, and organizing a study group. Outside of OWASP he has worn the hats of mainframe and web application developer, cryptographer, pentester, and he recently launched his own application security business, Kedalion Security, LLC. On the side he does research into brains and AI, and is an avid 80's dancer.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 20, 2011'''<br />
<br />
Topic: Vulnerable Frameworks Yield Vulnerable Apps<br />
<br />
Presenter: Javier Castro<br />
<br />
Date: Wednesday, April 20, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive, San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Major software vendors such as VMware and SAP are getting significantly better at writing <br />
secure software, but all of this effort is lost when they forget to properly configure or secure <br />
the frameworks that their software is built upon. This talk gives an overview of several <br />
recently discovered vulnerabilities in the products of major software companies. In each <br />
case the flaw leads to a complete system compromise and was located in a framework that <br />
the product was built upon. We as software developers can learn from these cases and <br />
avoid similar scenarios.<br />
<br />
Bio: <br />
Javier Castro is a senior vulnerability researcher at Digital Defense, Inc. where he writes explicit vulnerability checks, develops proprietary exploits, and researches popular software deployments. As exciting as vulnerability exploitation is, Javier finds it more rewarding to find ways to develop a secure application in the first place.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br />
<br><br />
<br />
'''San Antonio OWASP Chapter: Wednesday, March 23, 2011''' <br />
<br />
Topic: Attack Aware Applications <br />
<br />
Presenter: Michael Coates <br />
<br />
Date: Wednesday, March 23, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Attack Aware Applications: Imagine being able to detect an attacker in your application while they are searching for vulnerability and then locking out their account before they can do any harm. The OWASP AppSensor project provides a strategy for enabling your applications to detect and respond to attackers in real time. More powerful then generic detection with a WAF, the AppSensor approach allows detection of targeted application attacks attempting to exploit all areas including: business logic, access control, session management, injection attacks and more. This presentation will discuss techniques for implementing such a system within your application using existing technologies or by leveraging ESAPI. <br />
<br />
Presenter Bio: Michael Coates has extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers worldwide. Michael holds a MS in Computer Security from DePaul University and a BS in Computer Science from the University of Illinois. <br />
<br />
Michael is the creator and leader of the AppSensor project and a contributor to the 2010 OWASP Top 10. He is a frequent speaker at international OWASP security conferences and has also spoken at the Chicago Thotcon conference and provided security training at BlackHat. <br />
<br />
As the web security lead at Mozilla, Michael protects web applications used by millions of users each day. <br />
<br />
<br> Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Wednesday, January 19, 2011''' <br />
<br />
Topic: Smart Phones with Dumb Apps <br />
<br />
Presenter: Dan Cornell <br />
<br />
Date: Wednesday, January 19, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 [http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229] <br />
<br />
<br> Abstract: Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android. Many of these applications are constructed without fully considering the associated security implications of their deployment. Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services. This talk discusses emerging threats associated with deploying smartphone applications and provides an overview of the threat modeling process. The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Tue, November 16, 2010''' <br />
<br />
Topic: OWASP Top 10: What is it all about? <br />
<br />
Presenter: Dean Bushmiller <br />
<br />
Date: Tuesday, November 16, 2010 <br />
<br />
Time: 12:00pm-1:00pm <br />
<br />
Location: Methodist Health System – System Office 8109 Fredericksburg Road San Antonio, TX 78229-3311 Women’s Center Classroom 1 http://maps.google.com/maps?f=q&amp;source=s_q&amp;hl=en&amp;geocode=&amp;q=8109+fredericksburd+rd,+78229&amp;sll=37.0625,-95.677068&amp;sspn=35.494074,72.070313&amp;ie=UTF8&amp;hq=&amp;hnear=8109+Fredericksburg+Rd,+San+Antonio,+Bexar,+Texas+78229&amp;z=16 <br />
<br />
<br> Abstract: Everyone knows exactly what the OWASP top ten security threats are, right? Well sort of... I ask people if they have heard of the top ten they say yes. I ask them to name a few they pause, then they blurt out 2-3. Then I ask them to explain those 2-3 and they look at me like a deer-in-the-headlights. I want to make sure that everyone who walks out of the presentation can clearly define the top ten and be able to communicate to another what each of the top ten vulnerabilities are. <br />
<br />
<br> Presenter Bio: Dean Bushmiller has taught for 12 years. He is the recipient of five Mission Coins from various military branches. He has led national certification organizations in development, policy, and educational materials for over 10 years. He has presented, consulted, and instructed government, education, military, and private organizations. Dean has worked for SANS, ISC2, and other security training organizations. He has bee the keynote speaker at information security conferences as well as state and local colleges. He is now Director of Training for Expanding Security. <br />
<br />
Feel free to bring a brown bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed August 18, 2010''' <br />
<br />
Topic: Which Web Programming Languages are Most Secure? <br />
<br />
Presenter: Jeremiah Grossman, Founder and CTO, WhiteHat Security <br />
<br />
Date: Wednesday, August 18, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Security-conscious organizations make implementing a software security development lifecycle a priority. As part of the process, they evaluate a large number of development technologies for building websites. The assumption by many is that not all development environments are created equal. So the question often asked is, “What is the most secure programming language or development framework available?” <br />
<br />
<br> Clearly, familiarity with a specific product, whether it is designed to be secure-by-default or must be configured properly, and whether various libraries are available, can drastically impact the outcome. Still, conventional wisdom suggests that most popular modern languages / frameworks (commercial &amp; open source) perform relatively similarly when it comes to an overall security posture. At least in theory, none is markedly or noticeably more secure than another. Suggesting PHP, Java, C# and others are any more secure than other frameworks is sure to spark heated debate. <br />
<br />
<br> As has been said in the past, “In theory, there is no difference between theory and practice. But, in practice, there is.” Until now, no website security study has provided empirical research measuring how various Web programming languages / frameworks actively perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that popular modern languages / frameworks yield similar results in production websites? <br />
<br />
<br> By analyzing the vulnerability assessment results of nearly 1,700 websites under WhiteHat Sentinel management, we may begin to answer some of these questions. These answers may enable the website security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas; software vendors may focus on areas found lacking; and, developers will increase their familiarity with the strength and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and be virtually transparent. Only then will application security progress be made. <br />
<br />
<br> Presenter Bio: Jeremiah Grossman founded WhiteHat Security in August 2001. <br />
<br />
<br> A world-renowned expert in Web security, Mr. Grossman is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007. <br />
<br />
<br> Mr. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense. <br />
<br />
<br> Mr. Grossman is frequently quoted in major media outlets such as USA Today, the Washington Post, The Financial Times, InformationWeek, InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, CNET, CSO and NBC news. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also provide his perspective of what’s to come. <br />
<br />
<br> Mr. Grossman was named a “friend of Google” and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information. <br />
<br />
<br> Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc. <br />
<br />
Pizza will be served. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Fri. August 13, 2010''' <br />
<br />
Topic: 1)How OWASP Works and Guided Tour of OWASP Projects / 2) Using the O2 Platform to Consume OWASP projects <br />
<br />
Presenter: Dinis Cruz <br />
<br />
Date: Friday, August 13, 2010, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: 1) How OWASP Works and Guided Tour of OWASP Projects - This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives should the local chapters be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology) <br />
<br />
2) Using the O2 Platform to Consume OWASP projects - This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM <br />
<br />
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest) , b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and c) engage on a two-way conversion on the best way to fix/remediate those vulnerabilities. <br />
<br />
<br> Presenter Bio: Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
<br> Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed July 21, 2010''' <br />
<br />
Topic: A Caching Technique (PHP Implementation) <br />
<br />
Presenter: Dan Ross, VP Engineering, PIC Business Systems <br />
<br />
Date: Wednesday July 19, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Reduce 304's and improve web application performance. A caching technique is demonstrated using PHP. Easy implementation as well as caching override are discussed. <br />
<br />
<br> Presenter Bio: Dan Ross has been VP Engineering for over 20 years at PIC Business Systems, which provides integrated business software for the several industries. He has led the design, development, and maintenance of many commercial web applications and programs. He has a BS in Industrial Engineering from St. Mary's University in San Antonio. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed June 16, 2010''' <br />
<br />
Topic: Securing Software Applications Using Dynamic Dataflow Analysis <br />
<br />
Presenter: Steve Cook, Senior Research Analyst, SwRI <br />
<br />
Date: Wednesday June 16, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: In this presentation, we present an ongoing research effort that ensures that a wide variety of user-defined security policies are enforced on executing C programs while keeping runtime overhead low and with little disruption to the development process by leveraging Dynamic Dataflow Analysis (DDFA). The DDFA system is built upon the Broadway static data flow analysis and error checking system, which is a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin). UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project. <br />
<br />
The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls. The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library. <br />
<br />
The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques. This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime. <br />
<br />
Disruption to the development process is minimized through the security policy specification. The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment. <br />
<br />
The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes. In the future, our system can be extended to handle multiple languages and complement new security solutions. <br />
<br />
Presenter Bio: Steve Cook is a senior research analyst in the System Security and High Reliability Software section at the SwRI. His background and expertise are in distributed and parallel computing, compilers, as well as object-oriented and generic programming. He received his master’s degree in computer science from Texas A&amp;M University. While at Texas A&amp;M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ Programming Language, where he helped develop a new approach to writing concurrent programs that allows programmers to quickly turn a sequential C++ program into a parallel one that is race and deadlock free. <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed May 19th, 2010''' <br />
<br />
Topic: The Open Software Assurance Maturity Model <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: Wednesday May 19th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. <br />
<br />
This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed March 17, 2010''' <br />
<br />
Topic: Protecting Your Applications: How to Secure Business Critical Applications from Time Bombs, Backdoors &amp; Data Exfiltration <br />
<br />
Presenter: Clint Pollock <br />
<br />
Date: Wednesday, March 17th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Sponsored by: VERACODE <br />
<br />
Abstract: With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams. In this session we will cover; · Prevalence of backdoors and malicious code in third party attacks · Definitions and classifications of backdoors and their impact on your applications · Methods to identify, track and remediate these vulnerabilities <br />
<br />
Presenter Bio: Clint Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint’s greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL. <br />
<br />
<br> FREE PIZZA will be provided, courtesy of our friends from Veracode. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''Meeting Schedule for 2010''' <br />
<br />
Dates are set - speakers and topics are firming up as well speak. All meetings are from 11:30am - 1:00pm at the San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229. <br />
<br />
Wednesday January 20th - OWASP LiveCD: An Open Environment for Web Application Security by Matt Tesauro <br />
<br />
Wednesday March 17th - TBD <br />
<br />
Wednesday May 19th - TBD <br />
<br />
Wednesday July 21st - TBD <br />
<br />
Wednesday September 15th - TBD <br />
<br />
Wednesday November 10th - TBD <br />
<br />
<br> '''San Antonio OWASP Chapter: Wed January 20th, 2010''' <br />
<br />
Topic: OWASP LiveCD: An Open Environment for Web Application Security Presenter: Matt Tesauro, OWASP Board Member, LiveCD Project Lead Date: Wednesday January 20th, 2010 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users’ web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project <br />
<br />
Presenter Bio: Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&amp;M University. Currently, he's focused on implementing a comprehensive web application security program for the Texas Education Agency (TEA). Outside work, he is a member of the OWASP Foundation's Board of Directors, the project lead for the OWASP Live CD, a member of the OWASP Global Projects Committee, assists the OWASP Austin chapters leadership and a member of ISSA of Austin, Texas. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&amp;M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
Recent Meetings: <br />
<br />
<br> '''San Antonio OWASP Chapter: October 21, 2009''' <br />
<br />
Topic: Rolling Out an Enterprise Source Code Review Program <br />
<br />
Presenter: Dan Cornell, Principal at Denim Group Date: October 21, 2009 11:30 a.m. – 1:00 p.m. <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects. However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed. This talk will present lessons learned from the creation of several enterprise source code review programs, including: identifying all sources of custom code in an organization including custom extensions to ERP systems and enterprise portals, selecting the first round of applications to scan and successfully interpreting results and driving resolution to identified issues. <br />
<br />
<br> Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> '''San Antonio OWASP Chapter: August 19, 2009''' <br />
<br />
Topic: Web Application Firewalls (WAFs) <br />
<br />
Presenter: Matt Burriola &amp; Mario Flores, Randolph-Brooks Federal Credit Union Date: August 19, 2009 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Web Application Firewalls Web application firewalls (WAFs) have gained considerable momentum as web vulnerabilities have grown. WAFs now have a proven record of reducing exposures to web vulnerabilities by blocking malicious activity much like a typical firewall. While WAFs help, it does take time to consider when a WAF is appropriate. It also takes time to evaluate and implement the WAF as well. Come listen to reasons why Randolph-Brooks Federal Credit Union chose a WAF and what they learned in the process. <br />
<br />
Presenter Bio: Matt is a Senior Developer on the RBFCU Web Team, but mainly serves the roles of Configuration Management lead and Systems Admin for the team. Matt maintains the source control repository, application build and release processes, and QA server environments. Matt also works on web infrastructure initiatives such as Web Application Firewall. Matt has 10 years IT industry experience, including Java/web technologies, C, C++, Unix/Linux, shell scripting, and Symbol mobile handheld programming. Matt has a degree in Management Information Systems from Texas A&amp;M University-Corpus Christi. <br />
<br />
Mario is currently the Web Development manager for RBFCU. In this current role, Mario manages the development efforts for the online banking site and the intranet. Mario also has a solid background in web security and has addressed issues with web application penetration assessments. Mario has worked for RBFCU for 14 years and he has a degree in Information Systems from Texas Lutheran University. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: June 17, 2009'''' Topic: What is Cross Site Scripting And Why Is It bad? Date: June 17, 2009 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The presentation will cover background information on cross-site scripting (XSS) attacks as well as real world examples of what can happen when this type of vulnerability is present and the different ways that it can be exploited. The presentation will also include language agnostic ways to mitigate this sort of risk and how developers and security professionals can identify these risks. <br />
<br />
Presenter Bio: David is currently a Security Architect for Rackspace IT Hosting. In this current role, David is responsible for designing and implementing network security solutions, as well as software development in support of automation. In previous roles he was a software developer on various projects written in a mix of PHP, Python, Perl, Ruby, c#, and asp.net. Prior to Rackspace, David worked for Digital Defense and he holds a B.B.A. in Information Systems from the University of Texas San Antonio. He also has an extensive background in application security and is actively researching botnet mitigation techniques. Certifications held include CISSP, RHCE, and CCNA. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: January 2009 Meeting''' <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group Date: January 29, 2009 11:30am – 1:00pm <br />
<br />
Location: <br />
<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract:Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> <br />
<br />
----<br />
<br />
'''Previous News''' <br />
The slide deck from OWASP San Antonio February 2012 meeting is available online here: https://www.owasp.org/images/b/b0/WTE-Cloud-San_Antonio-2012-02.pdf<br />
<br />
The slide deck from OWASP San Antonio June 2011 meeting is available online here: https://www.owasp.org/images/2/21/How_to_Build_a_Secure_Login_BenBroussard_June2011.pdf<br />
<br />
The slide deck from OWASP San Antonio April 2011 meeting is available online here: https://www.owasp.org/images/0/05/Vulnerable_frameworks_yield_vulnerable_apps.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2011 meeting is available online here: http://www.owasp.org/images/c/cb/MichaelCoates-AppSensor.pdf <br />
<br />
The slide deck from OWASP San Antonio August 2010 meeting available online here: http://www.owasp.org/images/0/0e/OWASP_San_Antonio_0818.pdf.pdf http://www.owasp.org/images/5/5a/WPstats_spring10_9th.pdf <br />
<br />
The slide deck from OWASP San Antonio June 2010 meeting available online here: http://www.owasp.org/images/2/24/OWASPSanAntonio06162010_DDFA_PresentationFinal.pdf <br />
<br />
The slide deck from OWASP San Antonio May 2010 meeting available online here: http://www.owasp.org/images/b/b9/OpenSAMM10_OWASPSanAntonio_20100519.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2010 meeting available online here: http://www.owasp.org/index.php?title=File:Protecting_the_Enterprise_-_Software_Backdoors.pptx&amp;oldid=80140#filelinks <br />
<br />
The slide deck from OWASP San Antonio January 2010 meeting available online here: http://www.owasp.org/index.php/File:San_Antonio_Chapter-OWASP_WTE_Jan-2010.pdf#filelinks <br />
<br />
The slide deck from OWASP San Antonio October 2008 meeting available online here: http://www.owasp.org/index.php/San_Antonio <br />
<br />
The slide deck from OWASP San Antonio September 2007 meeting available online here: [[Image:Fortify-bjenkins-AppSecStrategy-20070906.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio March 2007 meeting will be available online shortly <br />
<br />
The slide deck from OWASP San Antonio September 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 09 AgileAndSecure.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio August 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 08 SingleSignOn.ppt]]. <br />
<br />
The slide deck from OWASP San Antonio June 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 06 Crypto Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio May 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 05 ForcefulBrowsing Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio September 2004 meeting available online here: [[Image:OWASPSanAntonio 20040922.pdf]]. <br />
<br />
[[Category:Texas]]</div>Dancornellhttps://wiki.owasp.org/index.php?title=San_Antonio&diff=150878San Antonio2013-05-02T17:12:41Z<p>Dancornell: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=San Antonio|extra=The chapter leader is [mailto:dan@denimgroup.com Dan Cornell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanantonio|emailarchives=http://lists.owasp.org/pipermail/owasp-sanantonio}} <br />
<br />
== Local News ==<br />
'''San Antonio OWASP Chapter: Wednesday, June 5th, 2013'''<br />
<br />
Topic: Be Mean to Your Code Using Gauntlt<br />
<br />
Presenter: James Wickett<br />
<br />
Date: Wednesday, June 5, 2013<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
<br />
"Be Mean to Your Code” is the core concept behind the ruggedization framework called Gauntlt (http://gauntlt.org) which brings the benefits of Behaviour Driven Development to the realms of automated security testing, application hardening and ruggedization. Security testing is often done at a cadence set by the audit team and is often obscured from the development and operations teams. This isn't good and this creates an adversarial relationship between security, dev and ops.<br />
<br />
Gauntlt helps security, ops, and development teams work together. Gauntlt is meant to be used by security experts with interest in automation as well as developers with interest in security. It can be used to deliver the results of a security audit or penetration test via failing Gauntlt attacks (tests) which can in turn be added to automated test suites. Developers know they have resolved a particular vulnerability when Gauntlt no longer reports a failure. Gauntlt can also be used in regression tests to detect when a previously resolved vulnerability has been re-introduced.<br />
<br />
Traditional approaches to web security can be less effective in cloud environments, due to the highly dynamic nature of cloud infrastructure. Fortunately, infrastructure-driven, continuous testing can overcome many of these challenges. Netflix uses Gauntlt to continuously validate that the security configuration of its cloud deployment and applications remains as expected, even with a rapid rate of change and high degree of self-service.<br />
<br />
One of the core contributors of the Gauntlt project, James Wickett will talk about the history of the project, the current features, examples of how to use Gauntlt and the future roadmap of Gauntlt. As part of this talk we will do a demo where we will walk through getting started using pre-built Gauntlt attacks and then move to writing our own Gauntlt attacks. Come find out how to "Be Mean to Your Code" and ruggedize your next project.<br />
<br />
Gauntlt is an open source ruggedization framework using cucumber and written in ruby. It has been developed in collaboration with the security engineering teams at Netflix and Twitter. Gauntlt is MIT Licensed and hosted on github at http://github.com/gauntlt/gauntlt.<br />
<br />
Presenter Bio:<br />
<br />
http://about.me/wickett<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400 and mention that you are coming to the OWASP San Antonio meeting.<br />
<br />
<br />
<br />
'''OWASP Developer Security Training at BSides San Antonio: Saturday May 4th, 2013'''<br />
<br />
Attend BSides San Antonio for three mini-courses for developers wanting to learn about security.<br />
<br />
To register: <br />
<br />
https://bsidessatx.eventbrite.com/<br />
<br />
The event is sold out - looking forward to seeing everyone there on Saturday.<br />
<br />
Each mini-course will be around 1.5 hours in length. Attendees will also have full access to the rest of the BSides San Antonio event.<br />
<br />
Main BSides San Antonio site:<br />
<br />
http://bsidestexas.blogspot.com/p/san-antonio-april-2013.html<br />
<br />
''Mini-Course 1''<br />
<br />
Title: Threat Modeling for Developers '''(10:30am - Noon)'''<br />
<br />
Abstract:<br />
<br />
Threat modeling is a valuable technique for identifying potential security<br />
issues in complex applications but many development teams have been slow<br />
to adopt it because of a perception that it can only be done by security<br />
specialists as well as a lack of guidance on how to get the most out of<br />
the activity. This mini-course walks through the process of Threat<br />
modeling from the perspective of a developer trying to identify issues<br />
early in the development process so that problems can be avoided and<br />
controls can be put in place with a minimum level of effort. The materials<br />
include discussion of where threat modeling is best done during the<br />
development lifecycle as well as the process of creating and refining a<br />
threat model. This is an interactive experience, with participants working<br />
together to walk through the threat modeling process.<br />
<br />
''Mini-Course 2''<br />
<br />
Title: Developing Secure Web Applications '''(1:00pm - 2:30pm)'''<br />
<br />
Abstract:<br />
<br />
Web applications are a convenient entry point for attackers because they<br />
are often publicly-available and many are built without a focus on<br />
security. This mini-course provides a developer-focused introduction to<br />
building web applications designed to operate in the face of malicious<br />
attackers. It walks through a basic threat model for a web application and<br />
uses this threat model as a framework for making good decisions when<br />
designing and building applications. The focus of the course is less on<br />
enumerating various types of vulnerabilities but rather on design and<br />
coding techniques that can be used to help create resilient applications.<br />
Some code examples in Java and .NET will be provided, but the techniques<br />
can be applied to any web application environment. [It would be beneficial<br />
to attend the earlier Threat Modeling session, but not required.]<br />
<br />
''Mini-Course 3''<br />
<br />
Title: Developing Secure Mobile Applications '''(3:00pm - 4:30pm)'''<br />
<br />
Abstract:<br />
<br />
Organizations of all sizes are rushing to provide their customers and<br />
employees with applications taking advantage of the power of mobile<br />
computing. As with many new technologies, these organizations often deploy<br />
applications first and come to realize the security implications of these<br />
new systems only post-deployment. This mini-course provides a<br />
developer-focused introduction to security for mobile applications. It<br />
walks through a basic threat model for a mobile application and uses this<br />
threat model as a framework for making good decisions when designing and<br />
building mobile application systems. Examples are provided for both iOS<br />
(iPhone and iPad) and Android platforms but the overall approach can be<br />
applied for all mobile applications. [It would be beneficial to attend the<br />
earlier Threat Modeling and Web Application sessions, but not required.]<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, September 25, 2012'''<br />
<br />
Topic: Dev/Ops, Continuous Deployment and APIs, Oh My! <br />
<br />
Presenter: Jarret Raim and Matt Tesauro<br />
<br />
Date: Tuesday, September 25, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
As the world of application development continues to change, the security community needs to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops and the traditional security processes just don’t work. Even if testing windows exist, they are too short for the traditional scanning or manual testing programs. Then, there’s the lack of viable tools to test API’s. What’s a security professional in charge of rolling out an SDLC supposed to do? This talk will cover methods of adapting traditional security practices into a test driven development (TDD) for security and provide practical advice on how to handle short development and promotion cycles with few or no testing windows. A demonstration of a new testing tool will also be part of the presentation.<br />
<br />
<br />
Presenter Bios:<br />
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace’s internal software teams as well as defined strategy for building secure systems on Rackspace’s OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant at Denim Group, Jarret has assessed and remediated applications in all industries and has experience width a wide variety of both development environments and the tools used to audit them. Jarret has recently taken charge of Rackspace's efforts to secure the Cloud through new product development, training and research. Jarret holds an M.S. in Computer Science from Lehigh University and a B.S. in Computer Science from Trinity University.<br />
<br />
Matt Tesauro has been involved in the Information Technology industry for more than 10 years. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 18, 2012'''<br />
<br />
Topic: Secure Coding Practices for 2012<br />
<br />
Presenter: Keith Turpin<br />
<br />
Date: Wednesday, April 18, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
Keith Turpin will present OWASP's "The Secure Coding Practices Quick Reference Guide." The guide is a technology agnostic set of software security coding practices, in a comprehensive checklist format, that can be integrated into the development life-cycle. At only 17 pages long, it is easy for development teams to read and use. The coding practices are mapped to functional requirements, so you can quickly locate the practices you need. It also provides a brief introduction to security principles and vocabulary to help developers and security folks get on the same page, but the focus is on requirements not vulnerabilities or exploits. This presentation will provide an overview of the guide and discuss some concepts about how to use it. Keith will cover the guide as well as the direction of the project for 2012, and alignment with integrating components of the guide with an organizations application security policy.<br />
<br />
<br />
Presenter Bio:<br />
Keith Turpin, CISSP, CSSLP, CRISC, leads Boeing’s enterprise application security assessment team. He previously served as the lead IT security advisor for all of Boeing’s international operations. <br />
<br />
Keith is a member of the (ISC)2 Application Security Advisory Board and has served as a U.S. delegate to the International Standards Organization's (ISO) sub-committee on cyber security. He is the project leader for the OWASP Secure Coding Practices Quick Reference Guide and is a member of the OWASP Global Projects Committee. He also spent four years as the Director of Communication for the Seattle chapter of the Information Systems Security Association. <br />
<br />
He is a frequent speaker at conferences, professional organizations and corporations on a variety of security topics and in his spare time he is the director of a nationally recognized intercollegiate engineering competition. <br />
<br />
Keith holds a BS in Mechanical Engineering and MS in Computer Systems.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, February 22, 2012'''<br />
<br />
Topic: Testing from the Cloud: Is the Sky Falling?<br />
<br />
Presenter: Matt Tesauro<br />
<br />
Date: Wednesday, February 22, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
Geekdom<br />
The Weston Centre<br />
112 East Pecan, 11th floor<br />
San Antonio TX 78205<br />
Map: http://www.geekdom.com/location/<br />
Check map for parking info.<br />
<br />
Abstract:<br />
More and more IT is being moved to the cloud, why shouldn't your testing move there too? This talk will cover what it takes to take your testing tools from your laptop to the cloud using new features of the OWASP Web Testing Environment (WTE). WTE allows you to create custom installations of application security tools in the cloud on demand. Has your IP been shunned? No problem, kill that cloud instance and startup another. Is your life as mobile as your phone? No problem, a laptop + Internet = access to all your favorite tools from anywhere. Multiple clients? No problem, start an an instance for each one. By the end of this talk, you'll know all you need to fire up an cloud instance with all of your favorite tools and start having fun.<br />
<br />
<br />
Presenter Bio:<br />
Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Rackspace, Matt was a security consultant for security firms such as Trustwave as well as running an internal application security effort. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.<br />
<br />
Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications.<br />
<br />
Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, November 16, 2011'''<br />
<br />
Topic: You're Bleeding Sensitive Data - Find it Before They Do<br />
<br />
Presenter: Steve Werby<br />
<br />
Date: Wednesday, November 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
With the proliferation of Internet accessible applications and files within organizations and the number of employees capable of making sensitive content available growing rapidly, knowing what sensitive information is accessible is increasingly difficult. And expensive DLP and scanning tools are not the only option. I will cover management strategies to reduce the risk, as well as demonstrate free and low-cost tools (FOCA, Shodan, Google Hacking Database and more) to discover sensitive data.<br />
<br />
<br />
Presenter Bio:<br />
Steve Werby is Chief Information Security Officer at the University of Texas at San Antonio, where he leads the university's 10-person Office of Information Security. He has also served as CISO for Virginia Commonwealth University and the Virginia Department of Corrections (where he gained a new appreciation for physical security). Prior to that, he operated an information security consultancy with an international client base consisting largely of ISPs, web hosting companies and online businesses. Steve has an engineering degree, an MBA and numerous certs, but he is prouder of the fact that he hasn't signed his name the same way twice since 2009.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, August 17, 2011'''<br />
<br />
Topic: Secure Development Lifecycle at Symantec<br />
<br />
Presenter: Edward Bonver<br />
<br />
Date: Wednesday, August 17, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Given complexities and diversity of development technologies and processes as well as the deployment environments, in combination with customer expectations, software development in modern world is an immense undertaking. Building security into a development lifecycle of a large software vendor could prove quite challenging. This presentation covers how security practices are being followed by various product teams across Symantec, including the related processes and guidelines from Symantec’s Product Security Team. <br />
<br />
<br />
Presenter Bio:<br />
A senior principal software engineer on the product security team at Symantec Corporation, Edward Bonver is responsible for working with software developers and quality assurance professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures, and tools for secure coding and security testing. Edward teaches secure coding and security testing classes for Symantec engineers and leads the company’s QA Security Task Force, which he founded. He is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP).<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Thursday, June 16, 2011'''<br />
<br />
Topic: Building a Secure Login<br />
<br />
Presenter: Ben Broussard<br />
<br />
Date: Thursday, June 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
This talk takes the standard, cookie-based login and authorization functionality through its paces. First I will walk through the requirements of common, single sign-on functionality. Then I will walk through attacks and their countermeasures including SQL injection and parameterized queries, session fixation and cookie cycling, session hijacking and about a dozen necessary countermeasures, and so on. The discussion will be programming language agnostic, instead focusing on the functional specifications.<br />
<br />
<br />
Presenter Bio:<br />
Ben Broussard has been involved in the Austin OWASP chapter since 2008, giving technical talks, serving on the LASCON board, the chapter board, and organizing a study group. Outside of OWASP he has worn the hats of mainframe and web application developer, cryptographer, pentester, and he recently launched his own application security business, Kedalion Security, LLC. On the side he does research into brains and AI, and is an avid 80's dancer.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 20, 2011'''<br />
<br />
Topic: Vulnerable Frameworks Yield Vulnerable Apps<br />
<br />
Presenter: Javier Castro<br />
<br />
Date: Wednesday, April 20, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive, San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Major software vendors such as VMware and SAP are getting significantly better at writing <br />
secure software, but all of this effort is lost when they forget to properly configure or secure <br />
the frameworks that their software is built upon. This talk gives an overview of several <br />
recently discovered vulnerabilities in the products of major software companies. In each <br />
case the flaw leads to a complete system compromise and was located in a framework that <br />
the product was built upon. We as software developers can learn from these cases and <br />
avoid similar scenarios.<br />
<br />
Bio: <br />
Javier Castro is a senior vulnerability researcher at Digital Defense, Inc. where he writes explicit vulnerability checks, develops proprietary exploits, and researches popular software deployments. As exciting as vulnerability exploitation is, Javier finds it more rewarding to find ways to develop a secure application in the first place.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br />
<br><br />
<br />
'''San Antonio OWASP Chapter: Wednesday, March 23, 2011''' <br />
<br />
Topic: Attack Aware Applications <br />
<br />
Presenter: Michael Coates <br />
<br />
Date: Wednesday, March 23, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Attack Aware Applications: Imagine being able to detect an attacker in your application while they are searching for vulnerability and then locking out their account before they can do any harm. The OWASP AppSensor project provides a strategy for enabling your applications to detect and respond to attackers in real time. More powerful then generic detection with a WAF, the AppSensor approach allows detection of targeted application attacks attempting to exploit all areas including: business logic, access control, session management, injection attacks and more. This presentation will discuss techniques for implementing such a system within your application using existing technologies or by leveraging ESAPI. <br />
<br />
Presenter Bio: Michael Coates has extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers worldwide. Michael holds a MS in Computer Security from DePaul University and a BS in Computer Science from the University of Illinois. <br />
<br />
Michael is the creator and leader of the AppSensor project and a contributor to the 2010 OWASP Top 10. He is a frequent speaker at international OWASP security conferences and has also spoken at the Chicago Thotcon conference and provided security training at BlackHat. <br />
<br />
As the web security lead at Mozilla, Michael protects web applications used by millions of users each day. <br />
<br />
<br> Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Wednesday, January 19, 2011''' <br />
<br />
Topic: Smart Phones with Dumb Apps <br />
<br />
Presenter: Dan Cornell <br />
<br />
Date: Wednesday, January 19, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 [http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229] <br />
<br />
<br> Abstract: Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android. Many of these applications are constructed without fully considering the associated security implications of their deployment. Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services. This talk discusses emerging threats associated with deploying smartphone applications and provides an overview of the threat modeling process. The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Tue, November 16, 2010''' <br />
<br />
Topic: OWASP Top 10: What is it all about? <br />
<br />
Presenter: Dean Bushmiller <br />
<br />
Date: Tuesday, November 16, 2010 <br />
<br />
Time: 12:00pm-1:00pm <br />
<br />
Location: Methodist Health System – System Office 8109 Fredericksburg Road San Antonio, TX 78229-3311 Women’s Center Classroom 1 http://maps.google.com/maps?f=q&amp;source=s_q&amp;hl=en&amp;geocode=&amp;q=8109+fredericksburd+rd,+78229&amp;sll=37.0625,-95.677068&amp;sspn=35.494074,72.070313&amp;ie=UTF8&amp;hq=&amp;hnear=8109+Fredericksburg+Rd,+San+Antonio,+Bexar,+Texas+78229&amp;z=16 <br />
<br />
<br> Abstract: Everyone knows exactly what the OWASP top ten security threats are, right? Well sort of... I ask people if they have heard of the top ten they say yes. I ask them to name a few they pause, then they blurt out 2-3. Then I ask them to explain those 2-3 and they look at me like a deer-in-the-headlights. I want to make sure that everyone who walks out of the presentation can clearly define the top ten and be able to communicate to another what each of the top ten vulnerabilities are. <br />
<br />
<br> Presenter Bio: Dean Bushmiller has taught for 12 years. He is the recipient of five Mission Coins from various military branches. He has led national certification organizations in development, policy, and educational materials for over 10 years. He has presented, consulted, and instructed government, education, military, and private organizations. Dean has worked for SANS, ISC2, and other security training organizations. He has bee the keynote speaker at information security conferences as well as state and local colleges. He is now Director of Training for Expanding Security. <br />
<br />
Feel free to bring a brown bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed August 18, 2010''' <br />
<br />
Topic: Which Web Programming Languages are Most Secure? <br />
<br />
Presenter: Jeremiah Grossman, Founder and CTO, WhiteHat Security <br />
<br />
Date: Wednesday, August 18, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Security-conscious organizations make implementing a software security development lifecycle a priority. As part of the process, they evaluate a large number of development technologies for building websites. The assumption by many is that not all development environments are created equal. So the question often asked is, “What is the most secure programming language or development framework available?” <br />
<br />
<br> Clearly, familiarity with a specific product, whether it is designed to be secure-by-default or must be configured properly, and whether various libraries are available, can drastically impact the outcome. Still, conventional wisdom suggests that most popular modern languages / frameworks (commercial &amp; open source) perform relatively similarly when it comes to an overall security posture. At least in theory, none is markedly or noticeably more secure than another. Suggesting PHP, Java, C# and others are any more secure than other frameworks is sure to spark heated debate. <br />
<br />
<br> As has been said in the past, “In theory, there is no difference between theory and practice. But, in practice, there is.” Until now, no website security study has provided empirical research measuring how various Web programming languages / frameworks actively perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that popular modern languages / frameworks yield similar results in production websites? <br />
<br />
<br> By analyzing the vulnerability assessment results of nearly 1,700 websites under WhiteHat Sentinel management, we may begin to answer some of these questions. These answers may enable the website security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas; software vendors may focus on areas found lacking; and, developers will increase their familiarity with the strength and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and be virtually transparent. Only then will application security progress be made. <br />
<br />
<br> Presenter Bio: Jeremiah Grossman founded WhiteHat Security in August 2001. <br />
<br />
<br> A world-renowned expert in Web security, Mr. Grossman is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007. <br />
<br />
<br> Mr. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense. <br />
<br />
<br> Mr. Grossman is frequently quoted in major media outlets such as USA Today, the Washington Post, The Financial Times, InformationWeek, InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, CNET, CSO and NBC news. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also provide his perspective of what’s to come. <br />
<br />
<br> Mr. Grossman was named a “friend of Google” and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information. <br />
<br />
<br> Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc. <br />
<br />
Pizza will be served. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Fri. August 13, 2010''' <br />
<br />
Topic: 1)How OWASP Works and Guided Tour of OWASP Projects / 2) Using the O2 Platform to Consume OWASP projects <br />
<br />
Presenter: Dinis Cruz <br />
<br />
Date: Friday, August 13, 2010, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: 1) How OWASP Works and Guided Tour of OWASP Projects - This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives should the local chapters be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology) <br />
<br />
2) Using the O2 Platform to Consume OWASP projects - This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM <br />
<br />
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest) , b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and c) engage on a two-way conversion on the best way to fix/remediate those vulnerabilities. <br />
<br />
<br> Presenter Bio: Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
<br> Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed July 21, 2010''' <br />
<br />
Topic: A Caching Technique (PHP Implementation) <br />
<br />
Presenter: Dan Ross, VP Engineering, PIC Business Systems <br />
<br />
Date: Wednesday July 19, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Reduce 304's and improve web application performance. A caching technique is demonstrated using PHP. Easy implementation as well as caching override are discussed. <br />
<br />
<br> Presenter Bio: Dan Ross has been VP Engineering for over 20 years at PIC Business Systems, which provides integrated business software for the several industries. He has led the design, development, and maintenance of many commercial web applications and programs. He has a BS in Industrial Engineering from St. Mary's University in San Antonio. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed June 16, 2010''' <br />
<br />
Topic: Securing Software Applications Using Dynamic Dataflow Analysis <br />
<br />
Presenter: Steve Cook, Senior Research Analyst, SwRI <br />
<br />
Date: Wednesday June 16, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: In this presentation, we present an ongoing research effort that ensures that a wide variety of user-defined security policies are enforced on executing C programs while keeping runtime overhead low and with little disruption to the development process by leveraging Dynamic Dataflow Analysis (DDFA). The DDFA system is built upon the Broadway static data flow analysis and error checking system, which is a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin). UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project. <br />
<br />
The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls. The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library. <br />
<br />
The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques. This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime. <br />
<br />
Disruption to the development process is minimized through the security policy specification. The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment. <br />
<br />
The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes. In the future, our system can be extended to handle multiple languages and complement new security solutions. <br />
<br />
Presenter Bio: Steve Cook is a senior research analyst in the System Security and High Reliability Software section at the SwRI. His background and expertise are in distributed and parallel computing, compilers, as well as object-oriented and generic programming. He received his master’s degree in computer science from Texas A&amp;M University. While at Texas A&amp;M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ Programming Language, where he helped develop a new approach to writing concurrent programs that allows programmers to quickly turn a sequential C++ program into a parallel one that is race and deadlock free. <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed May 19th, 2010''' <br />
<br />
Topic: The Open Software Assurance Maturity Model <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: Wednesday May 19th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. <br />
<br />
This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed March 17, 2010''' <br />
<br />
Topic: Protecting Your Applications: How to Secure Business Critical Applications from Time Bombs, Backdoors &amp; Data Exfiltration <br />
<br />
Presenter: Clint Pollock <br />
<br />
Date: Wednesday, March 17th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Sponsored by: VERACODE <br />
<br />
Abstract: With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams. In this session we will cover; · Prevalence of backdoors and malicious code in third party attacks · Definitions and classifications of backdoors and their impact on your applications · Methods to identify, track and remediate these vulnerabilities <br />
<br />
Presenter Bio: Clint Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint’s greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL. <br />
<br />
<br> FREE PIZZA will be provided, courtesy of our friends from Veracode. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''Meeting Schedule for 2010''' <br />
<br />
Dates are set - speakers and topics are firming up as well speak. All meetings are from 11:30am - 1:00pm at the San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229. <br />
<br />
Wednesday January 20th - OWASP LiveCD: An Open Environment for Web Application Security by Matt Tesauro <br />
<br />
Wednesday March 17th - TBD <br />
<br />
Wednesday May 19th - TBD <br />
<br />
Wednesday July 21st - TBD <br />
<br />
Wednesday September 15th - TBD <br />
<br />
Wednesday November 10th - TBD <br />
<br />
<br> '''San Antonio OWASP Chapter: Wed January 20th, 2010''' <br />
<br />
Topic: OWASP LiveCD: An Open Environment for Web Application Security Presenter: Matt Tesauro, OWASP Board Member, LiveCD Project Lead Date: Wednesday January 20th, 2010 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users’ web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project <br />
<br />
Presenter Bio: Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&amp;M University. Currently, he's focused on implementing a comprehensive web application security program for the Texas Education Agency (TEA). Outside work, he is a member of the OWASP Foundation's Board of Directors, the project lead for the OWASP Live CD, a member of the OWASP Global Projects Committee, assists the OWASP Austin chapters leadership and a member of ISSA of Austin, Texas. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&amp;M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
Recent Meetings: <br />
<br />
<br> '''San Antonio OWASP Chapter: October 21, 2009''' <br />
<br />
Topic: Rolling Out an Enterprise Source Code Review Program <br />
<br />
Presenter: Dan Cornell, Principal at Denim Group Date: October 21, 2009 11:30 a.m. – 1:00 p.m. <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects. However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed. This talk will present lessons learned from the creation of several enterprise source code review programs, including: identifying all sources of custom code in an organization including custom extensions to ERP systems and enterprise portals, selecting the first round of applications to scan and successfully interpreting results and driving resolution to identified issues. <br />
<br />
<br> Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> '''San Antonio OWASP Chapter: August 19, 2009''' <br />
<br />
Topic: Web Application Firewalls (WAFs) <br />
<br />
Presenter: Matt Burriola &amp; Mario Flores, Randolph-Brooks Federal Credit Union Date: August 19, 2009 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Web Application Firewalls Web application firewalls (WAFs) have gained considerable momentum as web vulnerabilities have grown. WAFs now have a proven record of reducing exposures to web vulnerabilities by blocking malicious activity much like a typical firewall. While WAFs help, it does take time to consider when a WAF is appropriate. It also takes time to evaluate and implement the WAF as well. Come listen to reasons why Randolph-Brooks Federal Credit Union chose a WAF and what they learned in the process. <br />
<br />
Presenter Bio: Matt is a Senior Developer on the RBFCU Web Team, but mainly serves the roles of Configuration Management lead and Systems Admin for the team. Matt maintains the source control repository, application build and release processes, and QA server environments. Matt also works on web infrastructure initiatives such as Web Application Firewall. Matt has 10 years IT industry experience, including Java/web technologies, C, C++, Unix/Linux, shell scripting, and Symbol mobile handheld programming. Matt has a degree in Management Information Systems from Texas A&amp;M University-Corpus Christi. <br />
<br />
Mario is currently the Web Development manager for RBFCU. In this current role, Mario manages the development efforts for the online banking site and the intranet. Mario also has a solid background in web security and has addressed issues with web application penetration assessments. Mario has worked for RBFCU for 14 years and he has a degree in Information Systems from Texas Lutheran University. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: June 17, 2009'''' Topic: What is Cross Site Scripting And Why Is It bad? Date: June 17, 2009 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The presentation will cover background information on cross-site scripting (XSS) attacks as well as real world examples of what can happen when this type of vulnerability is present and the different ways that it can be exploited. The presentation will also include language agnostic ways to mitigate this sort of risk and how developers and security professionals can identify these risks. <br />
<br />
Presenter Bio: David is currently a Security Architect for Rackspace IT Hosting. In this current role, David is responsible for designing and implementing network security solutions, as well as software development in support of automation. In previous roles he was a software developer on various projects written in a mix of PHP, Python, Perl, Ruby, c#, and asp.net. Prior to Rackspace, David worked for Digital Defense and he holds a B.B.A. in Information Systems from the University of Texas San Antonio. He also has an extensive background in application security and is actively researching botnet mitigation techniques. Certifications held include CISSP, RHCE, and CCNA. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: January 2009 Meeting''' <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group Date: January 29, 2009 11:30am – 1:00pm <br />
<br />
Location: <br />
<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract:Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> <br />
<br />
----<br />
<br />
'''Previous News''' <br />
The slide deck from OWASP San Antonio February 2012 meeting is available online here: https://www.owasp.org/images/b/b0/WTE-Cloud-San_Antonio-2012-02.pdf<br />
<br />
The slide deck from OWASP San Antonio June 2011 meeting is available online here: https://www.owasp.org/images/2/21/How_to_Build_a_Secure_Login_BenBroussard_June2011.pdf<br />
<br />
The slide deck from OWASP San Antonio April 2011 meeting is available online here: https://www.owasp.org/images/0/05/Vulnerable_frameworks_yield_vulnerable_apps.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2011 meeting is available online here: http://www.owasp.org/images/c/cb/MichaelCoates-AppSensor.pdf <br />
<br />
The slide deck from OWASP San Antonio August 2010 meeting available online here: http://www.owasp.org/images/0/0e/OWASP_San_Antonio_0818.pdf.pdf http://www.owasp.org/images/5/5a/WPstats_spring10_9th.pdf <br />
<br />
The slide deck from OWASP San Antonio June 2010 meeting available online here: http://www.owasp.org/images/2/24/OWASPSanAntonio06162010_DDFA_PresentationFinal.pdf <br />
<br />
The slide deck from OWASP San Antonio May 2010 meeting available online here: http://www.owasp.org/images/b/b9/OpenSAMM10_OWASPSanAntonio_20100519.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2010 meeting available online here: http://www.owasp.org/index.php?title=File:Protecting_the_Enterprise_-_Software_Backdoors.pptx&amp;oldid=80140#filelinks <br />
<br />
The slide deck from OWASP San Antonio January 2010 meeting available online here: http://www.owasp.org/index.php/File:San_Antonio_Chapter-OWASP_WTE_Jan-2010.pdf#filelinks <br />
<br />
The slide deck from OWASP San Antonio October 2008 meeting available online here: http://www.owasp.org/index.php/San_Antonio <br />
<br />
The slide deck from OWASP San Antonio September 2007 meeting available online here: [[Image:Fortify-bjenkins-AppSecStrategy-20070906.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio March 2007 meeting will be available online shortly <br />
<br />
The slide deck from OWASP San Antonio September 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 09 AgileAndSecure.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio August 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 08 SingleSignOn.ppt]]. <br />
<br />
The slide deck from OWASP San Antonio June 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 06 Crypto Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio May 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 05 ForcefulBrowsing Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio September 2004 meeting available online here: [[Image:OWASPSanAntonio 20040922.pdf]]. <br />
<br />
[[Category:Texas]]</div>Dancornellhttps://wiki.owasp.org/index.php?title=San_Antonio&diff=150815San Antonio2013-05-01T16:54:04Z<p>Dancornell: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=San Antonio|extra=The chapter leader is [mailto:dan@denimgroup.com Dan Cornell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanantonio|emailarchives=http://lists.owasp.org/pipermail/owasp-sanantonio}} <br />
<br />
== Local News ==<br />
'''OWASP Developer Security Training at BSides San Antonio: Saturday May 4th, 2013'''<br />
<br />
Attend BSides San Antonio for three mini-courses for developers wanting to learn about security.<br />
<br />
To register: <br />
<br />
https://bsidessatx.eventbrite.com/<br />
<br />
The event is "sold out" for the general public, but you can still register using the promotional code: '''53CUR3c0D3R''' Each mini-course will be around 1.5 hours in length. Attendees will also have full access to the rest of the BSides San Antonio event.<br />
<br />
Main BSides San Antonio site:<br />
<br />
http://bsidestexas.blogspot.com/p/san-antonio-april-2013.html<br />
<br />
''Mini-Course 1''<br />
<br />
Title: Threat Modeling for Developers '''(10:30am - Noon)'''<br />
<br />
Abstract:<br />
<br />
Threat modeling is a valuable technique for identifying potential security<br />
issues in complex applications but many development teams have been slow<br />
to adopt it because of a perception that it can only be done by security<br />
specialists as well as a lack of guidance on how to get the most out of<br />
the activity. This mini-course walks through the process of Threat<br />
modeling from the perspective of a developer trying to identify issues<br />
early in the development process so that problems can be avoided and<br />
controls can be put in place with a minimum level of effort. The materials<br />
include discussion of where threat modeling is best done during the<br />
development lifecycle as well as the process of creating and refining a<br />
threat model. This is an interactive experience, with participants working<br />
together to walk through the threat modeling process.<br />
<br />
''Mini-Course 2''<br />
<br />
Title: Developing Secure Web Applications '''(1:00pm - 2:30pm)'''<br />
<br />
Abstract:<br />
<br />
Web applications are a convenient entry point for attackers because they<br />
are often publicly-available and many are built without a focus on<br />
security. This mini-course provides a developer-focused introduction to<br />
building web applications designed to operate in the face of malicious<br />
attackers. It walks through a basic threat model for a web application and<br />
uses this threat model as a framework for making good decisions when<br />
designing and building applications. The focus of the course is less on<br />
enumerating various types of vulnerabilities but rather on design and<br />
coding techniques that can be used to help create resilient applications.<br />
Some code examples in Java and .NET will be provided, but the techniques<br />
can be applied to any web application environment. [It would be beneficial<br />
to attend the earlier Threat Modeling session, but not required.]<br />
<br />
''Mini-Course 3''<br />
<br />
Title: Developing Secure Mobile Applications '''(3:00pm - 4:30pm)'''<br />
<br />
Abstract:<br />
<br />
Organizations of all sizes are rushing to provide their customers and<br />
employees with applications taking advantage of the power of mobile<br />
computing. As with many new technologies, these organizations often deploy<br />
applications first and come to realize the security implications of these<br />
new systems only post-deployment. This mini-course provides a<br />
developer-focused introduction to security for mobile applications. It<br />
walks through a basic threat model for a mobile application and uses this<br />
threat model as a framework for making good decisions when designing and<br />
building mobile application systems. Examples are provided for both iOS<br />
(iPhone and iPad) and Android platforms but the overall approach can be<br />
applied for all mobile applications. [It would be beneficial to attend the<br />
earlier Threat Modeling and Web Application sessions, but not required.]<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, September 25, 2012'''<br />
<br />
Topic: Dev/Ops, Continuous Deployment and APIs, Oh My! <br />
<br />
Presenter: Jarret Raim and Matt Tesauro<br />
<br />
Date: Tuesday, September 25, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
As the world of application development continues to change, the security community needs to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops and the traditional security processes just don’t work. Even if testing windows exist, they are too short for the traditional scanning or manual testing programs. Then, there’s the lack of viable tools to test API’s. What’s a security professional in charge of rolling out an SDLC supposed to do? This talk will cover methods of adapting traditional security practices into a test driven development (TDD) for security and provide practical advice on how to handle short development and promotion cycles with few or no testing windows. A demonstration of a new testing tool will also be part of the presentation.<br />
<br />
<br />
Presenter Bios:<br />
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace’s internal software teams as well as defined strategy for building secure systems on Rackspace’s OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant at Denim Group, Jarret has assessed and remediated applications in all industries and has experience width a wide variety of both development environments and the tools used to audit them. Jarret has recently taken charge of Rackspace's efforts to secure the Cloud through new product development, training and research. Jarret holds an M.S. in Computer Science from Lehigh University and a B.S. in Computer Science from Trinity University.<br />
<br />
Matt Tesauro has been involved in the Information Technology industry for more than 10 years. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 18, 2012'''<br />
<br />
Topic: Secure Coding Practices for 2012<br />
<br />
Presenter: Keith Turpin<br />
<br />
Date: Wednesday, April 18, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
Keith Turpin will present OWASP's "The Secure Coding Practices Quick Reference Guide." The guide is a technology agnostic set of software security coding practices, in a comprehensive checklist format, that can be integrated into the development life-cycle. At only 17 pages long, it is easy for development teams to read and use. The coding practices are mapped to functional requirements, so you can quickly locate the practices you need. It also provides a brief introduction to security principles and vocabulary to help developers and security folks get on the same page, but the focus is on requirements not vulnerabilities or exploits. This presentation will provide an overview of the guide and discuss some concepts about how to use it. Keith will cover the guide as well as the direction of the project for 2012, and alignment with integrating components of the guide with an organizations application security policy.<br />
<br />
<br />
Presenter Bio:<br />
Keith Turpin, CISSP, CSSLP, CRISC, leads Boeing’s enterprise application security assessment team. He previously served as the lead IT security advisor for all of Boeing’s international operations. <br />
<br />
Keith is a member of the (ISC)2 Application Security Advisory Board and has served as a U.S. delegate to the International Standards Organization's (ISO) sub-committee on cyber security. He is the project leader for the OWASP Secure Coding Practices Quick Reference Guide and is a member of the OWASP Global Projects Committee. He also spent four years as the Director of Communication for the Seattle chapter of the Information Systems Security Association. <br />
<br />
He is a frequent speaker at conferences, professional organizations and corporations on a variety of security topics and in his spare time he is the director of a nationally recognized intercollegiate engineering competition. <br />
<br />
Keith holds a BS in Mechanical Engineering and MS in Computer Systems.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, February 22, 2012'''<br />
<br />
Topic: Testing from the Cloud: Is the Sky Falling?<br />
<br />
Presenter: Matt Tesauro<br />
<br />
Date: Wednesday, February 22, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
Geekdom<br />
The Weston Centre<br />
112 East Pecan, 11th floor<br />
San Antonio TX 78205<br />
Map: http://www.geekdom.com/location/<br />
Check map for parking info.<br />
<br />
Abstract:<br />
More and more IT is being moved to the cloud, why shouldn't your testing move there too? This talk will cover what it takes to take your testing tools from your laptop to the cloud using new features of the OWASP Web Testing Environment (WTE). WTE allows you to create custom installations of application security tools in the cloud on demand. Has your IP been shunned? No problem, kill that cloud instance and startup another. Is your life as mobile as your phone? No problem, a laptop + Internet = access to all your favorite tools from anywhere. Multiple clients? No problem, start an an instance for each one. By the end of this talk, you'll know all you need to fire up an cloud instance with all of your favorite tools and start having fun.<br />
<br />
<br />
Presenter Bio:<br />
Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Rackspace, Matt was a security consultant for security firms such as Trustwave as well as running an internal application security effort. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.<br />
<br />
Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications.<br />
<br />
Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, November 16, 2011'''<br />
<br />
Topic: You're Bleeding Sensitive Data - Find it Before They Do<br />
<br />
Presenter: Steve Werby<br />
<br />
Date: Wednesday, November 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
With the proliferation of Internet accessible applications and files within organizations and the number of employees capable of making sensitive content available growing rapidly, knowing what sensitive information is accessible is increasingly difficult. And expensive DLP and scanning tools are not the only option. I will cover management strategies to reduce the risk, as well as demonstrate free and low-cost tools (FOCA, Shodan, Google Hacking Database and more) to discover sensitive data.<br />
<br />
<br />
Presenter Bio:<br />
Steve Werby is Chief Information Security Officer at the University of Texas at San Antonio, where he leads the university's 10-person Office of Information Security. He has also served as CISO for Virginia Commonwealth University and the Virginia Department of Corrections (where he gained a new appreciation for physical security). Prior to that, he operated an information security consultancy with an international client base consisting largely of ISPs, web hosting companies and online businesses. Steve has an engineering degree, an MBA and numerous certs, but he is prouder of the fact that he hasn't signed his name the same way twice since 2009.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, August 17, 2011'''<br />
<br />
Topic: Secure Development Lifecycle at Symantec<br />
<br />
Presenter: Edward Bonver<br />
<br />
Date: Wednesday, August 17, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Given complexities and diversity of development technologies and processes as well as the deployment environments, in combination with customer expectations, software development in modern world is an immense undertaking. Building security into a development lifecycle of a large software vendor could prove quite challenging. This presentation covers how security practices are being followed by various product teams across Symantec, including the related processes and guidelines from Symantec’s Product Security Team. <br />
<br />
<br />
Presenter Bio:<br />
A senior principal software engineer on the product security team at Symantec Corporation, Edward Bonver is responsible for working with software developers and quality assurance professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures, and tools for secure coding and security testing. Edward teaches secure coding and security testing classes for Symantec engineers and leads the company’s QA Security Task Force, which he founded. He is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP).<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Thursday, June 16, 2011'''<br />
<br />
Topic: Building a Secure Login<br />
<br />
Presenter: Ben Broussard<br />
<br />
Date: Thursday, June 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
This talk takes the standard, cookie-based login and authorization functionality through its paces. First I will walk through the requirements of common, single sign-on functionality. Then I will walk through attacks and their countermeasures including SQL injection and parameterized queries, session fixation and cookie cycling, session hijacking and about a dozen necessary countermeasures, and so on. The discussion will be programming language agnostic, instead focusing on the functional specifications.<br />
<br />
<br />
Presenter Bio:<br />
Ben Broussard has been involved in the Austin OWASP chapter since 2008, giving technical talks, serving on the LASCON board, the chapter board, and organizing a study group. Outside of OWASP he has worn the hats of mainframe and web application developer, cryptographer, pentester, and he recently launched his own application security business, Kedalion Security, LLC. On the side he does research into brains and AI, and is an avid 80's dancer.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 20, 2011'''<br />
<br />
Topic: Vulnerable Frameworks Yield Vulnerable Apps<br />
<br />
Presenter: Javier Castro<br />
<br />
Date: Wednesday, April 20, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive, San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Major software vendors such as VMware and SAP are getting significantly better at writing <br />
secure software, but all of this effort is lost when they forget to properly configure or secure <br />
the frameworks that their software is built upon. This talk gives an overview of several <br />
recently discovered vulnerabilities in the products of major software companies. In each <br />
case the flaw leads to a complete system compromise and was located in a framework that <br />
the product was built upon. We as software developers can learn from these cases and <br />
avoid similar scenarios.<br />
<br />
Bio: <br />
Javier Castro is a senior vulnerability researcher at Digital Defense, Inc. where he writes explicit vulnerability checks, develops proprietary exploits, and researches popular software deployments. As exciting as vulnerability exploitation is, Javier finds it more rewarding to find ways to develop a secure application in the first place.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br />
<br><br />
<br />
'''San Antonio OWASP Chapter: Wednesday, March 23, 2011''' <br />
<br />
Topic: Attack Aware Applications <br />
<br />
Presenter: Michael Coates <br />
<br />
Date: Wednesday, March 23, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Attack Aware Applications: Imagine being able to detect an attacker in your application while they are searching for vulnerability and then locking out their account before they can do any harm. The OWASP AppSensor project provides a strategy for enabling your applications to detect and respond to attackers in real time. More powerful then generic detection with a WAF, the AppSensor approach allows detection of targeted application attacks attempting to exploit all areas including: business logic, access control, session management, injection attacks and more. This presentation will discuss techniques for implementing such a system within your application using existing technologies or by leveraging ESAPI. <br />
<br />
Presenter Bio: Michael Coates has extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers worldwide. Michael holds a MS in Computer Security from DePaul University and a BS in Computer Science from the University of Illinois. <br />
<br />
Michael is the creator and leader of the AppSensor project and a contributor to the 2010 OWASP Top 10. He is a frequent speaker at international OWASP security conferences and has also spoken at the Chicago Thotcon conference and provided security training at BlackHat. <br />
<br />
As the web security lead at Mozilla, Michael protects web applications used by millions of users each day. <br />
<br />
<br> Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Wednesday, January 19, 2011''' <br />
<br />
Topic: Smart Phones with Dumb Apps <br />
<br />
Presenter: Dan Cornell <br />
<br />
Date: Wednesday, January 19, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 [http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229] <br />
<br />
<br> Abstract: Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android. Many of these applications are constructed without fully considering the associated security implications of their deployment. Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services. This talk discusses emerging threats associated with deploying smartphone applications and provides an overview of the threat modeling process. The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Tue, November 16, 2010''' <br />
<br />
Topic: OWASP Top 10: What is it all about? <br />
<br />
Presenter: Dean Bushmiller <br />
<br />
Date: Tuesday, November 16, 2010 <br />
<br />
Time: 12:00pm-1:00pm <br />
<br />
Location: Methodist Health System – System Office 8109 Fredericksburg Road San Antonio, TX 78229-3311 Women’s Center Classroom 1 http://maps.google.com/maps?f=q&amp;source=s_q&amp;hl=en&amp;geocode=&amp;q=8109+fredericksburd+rd,+78229&amp;sll=37.0625,-95.677068&amp;sspn=35.494074,72.070313&amp;ie=UTF8&amp;hq=&amp;hnear=8109+Fredericksburg+Rd,+San+Antonio,+Bexar,+Texas+78229&amp;z=16 <br />
<br />
<br> Abstract: Everyone knows exactly what the OWASP top ten security threats are, right? Well sort of... I ask people if they have heard of the top ten they say yes. I ask them to name a few they pause, then they blurt out 2-3. Then I ask them to explain those 2-3 and they look at me like a deer-in-the-headlights. I want to make sure that everyone who walks out of the presentation can clearly define the top ten and be able to communicate to another what each of the top ten vulnerabilities are. <br />
<br />
<br> Presenter Bio: Dean Bushmiller has taught for 12 years. He is the recipient of five Mission Coins from various military branches. He has led national certification organizations in development, policy, and educational materials for over 10 years. He has presented, consulted, and instructed government, education, military, and private organizations. Dean has worked for SANS, ISC2, and other security training organizations. He has bee the keynote speaker at information security conferences as well as state and local colleges. He is now Director of Training for Expanding Security. <br />
<br />
Feel free to bring a brown bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed August 18, 2010''' <br />
<br />
Topic: Which Web Programming Languages are Most Secure? <br />
<br />
Presenter: Jeremiah Grossman, Founder and CTO, WhiteHat Security <br />
<br />
Date: Wednesday, August 18, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Security-conscious organizations make implementing a software security development lifecycle a priority. As part of the process, they evaluate a large number of development technologies for building websites. The assumption by many is that not all development environments are created equal. So the question often asked is, “What is the most secure programming language or development framework available?” <br />
<br />
<br> Clearly, familiarity with a specific product, whether it is designed to be secure-by-default or must be configured properly, and whether various libraries are available, can drastically impact the outcome. Still, conventional wisdom suggests that most popular modern languages / frameworks (commercial &amp; open source) perform relatively similarly when it comes to an overall security posture. At least in theory, none is markedly or noticeably more secure than another. Suggesting PHP, Java, C# and others are any more secure than other frameworks is sure to spark heated debate. <br />
<br />
<br> As has been said in the past, “In theory, there is no difference between theory and practice. But, in practice, there is.” Until now, no website security study has provided empirical research measuring how various Web programming languages / frameworks actively perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that popular modern languages / frameworks yield similar results in production websites? <br />
<br />
<br> By analyzing the vulnerability assessment results of nearly 1,700 websites under WhiteHat Sentinel management, we may begin to answer some of these questions. These answers may enable the website security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas; software vendors may focus on areas found lacking; and, developers will increase their familiarity with the strength and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and be virtually transparent. Only then will application security progress be made. <br />
<br />
<br> Presenter Bio: Jeremiah Grossman founded WhiteHat Security in August 2001. <br />
<br />
<br> A world-renowned expert in Web security, Mr. Grossman is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007. <br />
<br />
<br> Mr. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense. <br />
<br />
<br> Mr. Grossman is frequently quoted in major media outlets such as USA Today, the Washington Post, The Financial Times, InformationWeek, InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, CNET, CSO and NBC news. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also provide his perspective of what’s to come. <br />
<br />
<br> Mr. Grossman was named a “friend of Google” and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information. <br />
<br />
<br> Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc. <br />
<br />
Pizza will be served. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Fri. August 13, 2010''' <br />
<br />
Topic: 1)How OWASP Works and Guided Tour of OWASP Projects / 2) Using the O2 Platform to Consume OWASP projects <br />
<br />
Presenter: Dinis Cruz <br />
<br />
Date: Friday, August 13, 2010, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: 1) How OWASP Works and Guided Tour of OWASP Projects - This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives should the local chapters be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology) <br />
<br />
2) Using the O2 Platform to Consume OWASP projects - This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM <br />
<br />
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest) , b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and c) engage on a two-way conversion on the best way to fix/remediate those vulnerabilities. <br />
<br />
<br> Presenter Bio: Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
<br> Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed July 21, 2010''' <br />
<br />
Topic: A Caching Technique (PHP Implementation) <br />
<br />
Presenter: Dan Ross, VP Engineering, PIC Business Systems <br />
<br />
Date: Wednesday July 19, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Reduce 304's and improve web application performance. A caching technique is demonstrated using PHP. Easy implementation as well as caching override are discussed. <br />
<br />
<br> Presenter Bio: Dan Ross has been VP Engineering for over 20 years at PIC Business Systems, which provides integrated business software for the several industries. He has led the design, development, and maintenance of many commercial web applications and programs. He has a BS in Industrial Engineering from St. Mary's University in San Antonio. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed June 16, 2010''' <br />
<br />
Topic: Securing Software Applications Using Dynamic Dataflow Analysis <br />
<br />
Presenter: Steve Cook, Senior Research Analyst, SwRI <br />
<br />
Date: Wednesday June 16, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: In this presentation, we present an ongoing research effort that ensures that a wide variety of user-defined security policies are enforced on executing C programs while keeping runtime overhead low and with little disruption to the development process by leveraging Dynamic Dataflow Analysis (DDFA). The DDFA system is built upon the Broadway static data flow analysis and error checking system, which is a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin). UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project. <br />
<br />
The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls. The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library. <br />
<br />
The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques. This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime. <br />
<br />
Disruption to the development process is minimized through the security policy specification. The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment. <br />
<br />
The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes. In the future, our system can be extended to handle multiple languages and complement new security solutions. <br />
<br />
Presenter Bio: Steve Cook is a senior research analyst in the System Security and High Reliability Software section at the SwRI. His background and expertise are in distributed and parallel computing, compilers, as well as object-oriented and generic programming. He received his master’s degree in computer science from Texas A&amp;M University. While at Texas A&amp;M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ Programming Language, where he helped develop a new approach to writing concurrent programs that allows programmers to quickly turn a sequential C++ program into a parallel one that is race and deadlock free. <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed May 19th, 2010''' <br />
<br />
Topic: The Open Software Assurance Maturity Model <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: Wednesday May 19th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. <br />
<br />
This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed March 17, 2010''' <br />
<br />
Topic: Protecting Your Applications: How to Secure Business Critical Applications from Time Bombs, Backdoors &amp; Data Exfiltration <br />
<br />
Presenter: Clint Pollock <br />
<br />
Date: Wednesday, March 17th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Sponsored by: VERACODE <br />
<br />
Abstract: With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams. In this session we will cover; · Prevalence of backdoors and malicious code in third party attacks · Definitions and classifications of backdoors and their impact on your applications · Methods to identify, track and remediate these vulnerabilities <br />
<br />
Presenter Bio: Clint Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint’s greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL. <br />
<br />
<br> FREE PIZZA will be provided, courtesy of our friends from Veracode. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''Meeting Schedule for 2010''' <br />
<br />
Dates are set - speakers and topics are firming up as well speak. All meetings are from 11:30am - 1:00pm at the San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229. <br />
<br />
Wednesday January 20th - OWASP LiveCD: An Open Environment for Web Application Security by Matt Tesauro <br />
<br />
Wednesday March 17th - TBD <br />
<br />
Wednesday May 19th - TBD <br />
<br />
Wednesday July 21st - TBD <br />
<br />
Wednesday September 15th - TBD <br />
<br />
Wednesday November 10th - TBD <br />
<br />
<br> '''San Antonio OWASP Chapter: Wed January 20th, 2010''' <br />
<br />
Topic: OWASP LiveCD: An Open Environment for Web Application Security Presenter: Matt Tesauro, OWASP Board Member, LiveCD Project Lead Date: Wednesday January 20th, 2010 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users’ web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project <br />
<br />
Presenter Bio: Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&amp;M University. Currently, he's focused on implementing a comprehensive web application security program for the Texas Education Agency (TEA). Outside work, he is a member of the OWASP Foundation's Board of Directors, the project lead for the OWASP Live CD, a member of the OWASP Global Projects Committee, assists the OWASP Austin chapters leadership and a member of ISSA of Austin, Texas. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&amp;M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
Recent Meetings: <br />
<br />
<br> '''San Antonio OWASP Chapter: October 21, 2009''' <br />
<br />
Topic: Rolling Out an Enterprise Source Code Review Program <br />
<br />
Presenter: Dan Cornell, Principal at Denim Group Date: October 21, 2009 11:30 a.m. – 1:00 p.m. <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects. However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed. This talk will present lessons learned from the creation of several enterprise source code review programs, including: identifying all sources of custom code in an organization including custom extensions to ERP systems and enterprise portals, selecting the first round of applications to scan and successfully interpreting results and driving resolution to identified issues. <br />
<br />
<br> Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> '''San Antonio OWASP Chapter: August 19, 2009''' <br />
<br />
Topic: Web Application Firewalls (WAFs) <br />
<br />
Presenter: Matt Burriola &amp; Mario Flores, Randolph-Brooks Federal Credit Union Date: August 19, 2009 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Web Application Firewalls Web application firewalls (WAFs) have gained considerable momentum as web vulnerabilities have grown. WAFs now have a proven record of reducing exposures to web vulnerabilities by blocking malicious activity much like a typical firewall. While WAFs help, it does take time to consider when a WAF is appropriate. It also takes time to evaluate and implement the WAF as well. Come listen to reasons why Randolph-Brooks Federal Credit Union chose a WAF and what they learned in the process. <br />
<br />
Presenter Bio: Matt is a Senior Developer on the RBFCU Web Team, but mainly serves the roles of Configuration Management lead and Systems Admin for the team. Matt maintains the source control repository, application build and release processes, and QA server environments. Matt also works on web infrastructure initiatives such as Web Application Firewall. Matt has 10 years IT industry experience, including Java/web technologies, C, C++, Unix/Linux, shell scripting, and Symbol mobile handheld programming. Matt has a degree in Management Information Systems from Texas A&amp;M University-Corpus Christi. <br />
<br />
Mario is currently the Web Development manager for RBFCU. In this current role, Mario manages the development efforts for the online banking site and the intranet. Mario also has a solid background in web security and has addressed issues with web application penetration assessments. Mario has worked for RBFCU for 14 years and he has a degree in Information Systems from Texas Lutheran University. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: June 17, 2009'''' Topic: What is Cross Site Scripting And Why Is It bad? Date: June 17, 2009 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The presentation will cover background information on cross-site scripting (XSS) attacks as well as real world examples of what can happen when this type of vulnerability is present and the different ways that it can be exploited. The presentation will also include language agnostic ways to mitigate this sort of risk and how developers and security professionals can identify these risks. <br />
<br />
Presenter Bio: David is currently a Security Architect for Rackspace IT Hosting. In this current role, David is responsible for designing and implementing network security solutions, as well as software development in support of automation. In previous roles he was a software developer on various projects written in a mix of PHP, Python, Perl, Ruby, c#, and asp.net. Prior to Rackspace, David worked for Digital Defense and he holds a B.B.A. in Information Systems from the University of Texas San Antonio. He also has an extensive background in application security and is actively researching botnet mitigation techniques. Certifications held include CISSP, RHCE, and CCNA. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: January 2009 Meeting''' <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group Date: January 29, 2009 11:30am – 1:00pm <br />
<br />
Location: <br />
<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract:Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> <br />
<br />
----<br />
<br />
'''Previous News''' <br />
The slide deck from OWASP San Antonio February 2012 meeting is available online here: https://www.owasp.org/images/b/b0/WTE-Cloud-San_Antonio-2012-02.pdf<br />
<br />
The slide deck from OWASP San Antonio June 2011 meeting is available online here: https://www.owasp.org/images/2/21/How_to_Build_a_Secure_Login_BenBroussard_June2011.pdf<br />
<br />
The slide deck from OWASP San Antonio April 2011 meeting is available online here: https://www.owasp.org/images/0/05/Vulnerable_frameworks_yield_vulnerable_apps.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2011 meeting is available online here: http://www.owasp.org/images/c/cb/MichaelCoates-AppSensor.pdf <br />
<br />
The slide deck from OWASP San Antonio August 2010 meeting available online here: http://www.owasp.org/images/0/0e/OWASP_San_Antonio_0818.pdf.pdf http://www.owasp.org/images/5/5a/WPstats_spring10_9th.pdf <br />
<br />
The slide deck from OWASP San Antonio June 2010 meeting available online here: http://www.owasp.org/images/2/24/OWASPSanAntonio06162010_DDFA_PresentationFinal.pdf <br />
<br />
The slide deck from OWASP San Antonio May 2010 meeting available online here: http://www.owasp.org/images/b/b9/OpenSAMM10_OWASPSanAntonio_20100519.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2010 meeting available online here: http://www.owasp.org/index.php?title=File:Protecting_the_Enterprise_-_Software_Backdoors.pptx&amp;oldid=80140#filelinks <br />
<br />
The slide deck from OWASP San Antonio January 2010 meeting available online here: http://www.owasp.org/index.php/File:San_Antonio_Chapter-OWASP_WTE_Jan-2010.pdf#filelinks <br />
<br />
The slide deck from OWASP San Antonio October 2008 meeting available online here: http://www.owasp.org/index.php/San_Antonio <br />
<br />
The slide deck from OWASP San Antonio September 2007 meeting available online here: [[Image:Fortify-bjenkins-AppSecStrategy-20070906.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio March 2007 meeting will be available online shortly <br />
<br />
The slide deck from OWASP San Antonio September 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 09 AgileAndSecure.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio August 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 08 SingleSignOn.ppt]]. <br />
<br />
The slide deck from OWASP San Antonio June 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 06 Crypto Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio May 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 05 ForcefulBrowsing Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio September 2004 meeting available online here: [[Image:OWASPSanAntonio 20040922.pdf]]. <br />
<br />
[[Category:Texas]]</div>Dancornellhttps://wiki.owasp.org/index.php?title=San_Antonio&diff=149461San Antonio2013-04-08T21:27:21Z<p>Dancornell: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=San Antonio|extra=The chapter leader is [mailto:dan@denimgroup.com Dan Cornell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanantonio|emailarchives=http://lists.owasp.org/pipermail/owasp-sanantonio}} <br />
<br />
== Local News ==<br />
'''OWASP Developer Security Training at BSides San Antonio: Saturday May 4th, 2013'''<br />
<br />
Attend BSides San Antonio for three mini-courses for developers wanting to learn about security.<br />
<br />
To register: <br />
<br />
https://bsidessatx.eventbrite.com/<br />
<br />
The event is "sold out" for the general public, but you can still register using the promotional code: '''53CUR3c0D3R''' Each mini-course will be 1.5 to 2 hours in length and the specific schedule will be released soon and attendees will have full access to the rest of the BSides San Antonio event.<br />
<br />
Main BSides San Antonio site:<br />
<br />
http://bsidestexas.blogspot.com/p/san-antonio-april-2013.html<br />
<br />
''Mini-Course 1''<br />
<br />
Title: Threat Modeling for Developers<br />
<br />
Abstract:<br />
<br />
Threat modeling is a valuable technique for identifying potential security<br />
issues in complex applications but many development teams have been slow<br />
to adopt it because of a perception that it can only be done by security<br />
specialists as well as a lack of guidance on how to get the most out of<br />
the activity. This mini-course walks through the process of Threat<br />
modeling from the perspective of a developer trying to identify issues<br />
early in the development process so that problems can be avoided and<br />
controls can be put in place with a minimum level of effort. The materials<br />
include discussion of where threat modeling is best done during the<br />
development lifecycle as well as the process of creating and refining a<br />
threat model. This is an interactive experience, with participants working<br />
together to walk through the threat modeling process.<br />
<br />
''Mini-Course 2''<br />
<br />
Title: Developing Secure Web Applications<br />
<br />
Abstract:<br />
<br />
Web applications are a convenient entry point for attackers because they<br />
are often publicly-available and many are built without a focus on<br />
security. This mini-course provides a developer-focused introduction to<br />
building web applications designed to operate in the face of malicious<br />
attackers. It walks through a basic threat model for a web application and<br />
uses this threat model as a framework for making good decisions when<br />
designing and building applications. The focus of the course is less on<br />
enumerating various types of vulnerabilities but rather on design and<br />
coding techniques that can be used to help create resilient applications.<br />
Some code examples in Java and .NET will be provided, but the techniques<br />
can be applied to any web application environment. [It would be beneficial<br />
to attend the earlier Threat Modeling session, but not required.]<br />
<br />
''Mini-Course 3''<br />
<br />
Title: Developing Secure Mobile Applications<br />
<br />
Abstract:<br />
<br />
Organizations of all sizes are rushing to provide their customers and<br />
employees with applications taking advantage of the power of mobile<br />
computing. As with many new technologies, these organizations often deploy<br />
applications first and come to realize the security implications of these<br />
new systems only post-deployment. This mini-course provides a<br />
developer-focused introduction to security for mobile applications. It<br />
walks through a basic threat model for a mobile application and uses this<br />
threat model as a framework for making good decisions when designing and<br />
building mobile application systems. Examples are provided for both iOS<br />
(iPhone and iPad) and Android platforms but the overall approach can be<br />
applied for all mobile applications. [It would be beneficial to attend the<br />
earlier Threat Modeling and Web Application sessions, but not required.]<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, September 25, 2012'''<br />
<br />
Topic: Dev/Ops, Continuous Deployment and APIs, Oh My! <br />
<br />
Presenter: Jarret Raim and Matt Tesauro<br />
<br />
Date: Tuesday, September 25, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
As the world of application development continues to change, the security community needs to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops and the traditional security processes just don’t work. Even if testing windows exist, they are too short for the traditional scanning or manual testing programs. Then, there’s the lack of viable tools to test API’s. What’s a security professional in charge of rolling out an SDLC supposed to do? This talk will cover methods of adapting traditional security practices into a test driven development (TDD) for security and provide practical advice on how to handle short development and promotion cycles with few or no testing windows. A demonstration of a new testing tool will also be part of the presentation.<br />
<br />
<br />
Presenter Bios:<br />
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace’s internal software teams as well as defined strategy for building secure systems on Rackspace’s OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant at Denim Group, Jarret has assessed and remediated applications in all industries and has experience width a wide variety of both development environments and the tools used to audit them. Jarret has recently taken charge of Rackspace's efforts to secure the Cloud through new product development, training and research. Jarret holds an M.S. in Computer Science from Lehigh University and a B.S. in Computer Science from Trinity University.<br />
<br />
Matt Tesauro has been involved in the Information Technology industry for more than 10 years. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 18, 2012'''<br />
<br />
Topic: Secure Coding Practices for 2012<br />
<br />
Presenter: Keith Turpin<br />
<br />
Date: Wednesday, April 18, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
Keith Turpin will present OWASP's "The Secure Coding Practices Quick Reference Guide." The guide is a technology agnostic set of software security coding practices, in a comprehensive checklist format, that can be integrated into the development life-cycle. At only 17 pages long, it is easy for development teams to read and use. The coding practices are mapped to functional requirements, so you can quickly locate the practices you need. It also provides a brief introduction to security principles and vocabulary to help developers and security folks get on the same page, but the focus is on requirements not vulnerabilities or exploits. This presentation will provide an overview of the guide and discuss some concepts about how to use it. Keith will cover the guide as well as the direction of the project for 2012, and alignment with integrating components of the guide with an organizations application security policy.<br />
<br />
<br />
Presenter Bio:<br />
Keith Turpin, CISSP, CSSLP, CRISC, leads Boeing’s enterprise application security assessment team. He previously served as the lead IT security advisor for all of Boeing’s international operations. <br />
<br />
Keith is a member of the (ISC)2 Application Security Advisory Board and has served as a U.S. delegate to the International Standards Organization's (ISO) sub-committee on cyber security. He is the project leader for the OWASP Secure Coding Practices Quick Reference Guide and is a member of the OWASP Global Projects Committee. He also spent four years as the Director of Communication for the Seattle chapter of the Information Systems Security Association. <br />
<br />
He is a frequent speaker at conferences, professional organizations and corporations on a variety of security topics and in his spare time he is the director of a nationally recognized intercollegiate engineering competition. <br />
<br />
Keith holds a BS in Mechanical Engineering and MS in Computer Systems.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, February 22, 2012'''<br />
<br />
Topic: Testing from the Cloud: Is the Sky Falling?<br />
<br />
Presenter: Matt Tesauro<br />
<br />
Date: Wednesday, February 22, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
Geekdom<br />
The Weston Centre<br />
112 East Pecan, 11th floor<br />
San Antonio TX 78205<br />
Map: http://www.geekdom.com/location/<br />
Check map for parking info.<br />
<br />
Abstract:<br />
More and more IT is being moved to the cloud, why shouldn't your testing move there too? This talk will cover what it takes to take your testing tools from your laptop to the cloud using new features of the OWASP Web Testing Environment (WTE). WTE allows you to create custom installations of application security tools in the cloud on demand. Has your IP been shunned? No problem, kill that cloud instance and startup another. Is your life as mobile as your phone? No problem, a laptop + Internet = access to all your favorite tools from anywhere. Multiple clients? No problem, start an an instance for each one. By the end of this talk, you'll know all you need to fire up an cloud instance with all of your favorite tools and start having fun.<br />
<br />
<br />
Presenter Bio:<br />
Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Rackspace, Matt was a security consultant for security firms such as Trustwave as well as running an internal application security effort. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.<br />
<br />
Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications.<br />
<br />
Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, November 16, 2011'''<br />
<br />
Topic: You're Bleeding Sensitive Data - Find it Before They Do<br />
<br />
Presenter: Steve Werby<br />
<br />
Date: Wednesday, November 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
With the proliferation of Internet accessible applications and files within organizations and the number of employees capable of making sensitive content available growing rapidly, knowing what sensitive information is accessible is increasingly difficult. And expensive DLP and scanning tools are not the only option. I will cover management strategies to reduce the risk, as well as demonstrate free and low-cost tools (FOCA, Shodan, Google Hacking Database and more) to discover sensitive data.<br />
<br />
<br />
Presenter Bio:<br />
Steve Werby is Chief Information Security Officer at the University of Texas at San Antonio, where he leads the university's 10-person Office of Information Security. He has also served as CISO for Virginia Commonwealth University and the Virginia Department of Corrections (where he gained a new appreciation for physical security). Prior to that, he operated an information security consultancy with an international client base consisting largely of ISPs, web hosting companies and online businesses. Steve has an engineering degree, an MBA and numerous certs, but he is prouder of the fact that he hasn't signed his name the same way twice since 2009.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, August 17, 2011'''<br />
<br />
Topic: Secure Development Lifecycle at Symantec<br />
<br />
Presenter: Edward Bonver<br />
<br />
Date: Wednesday, August 17, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Given complexities and diversity of development technologies and processes as well as the deployment environments, in combination with customer expectations, software development in modern world is an immense undertaking. Building security into a development lifecycle of a large software vendor could prove quite challenging. This presentation covers how security practices are being followed by various product teams across Symantec, including the related processes and guidelines from Symantec’s Product Security Team. <br />
<br />
<br />
Presenter Bio:<br />
A senior principal software engineer on the product security team at Symantec Corporation, Edward Bonver is responsible for working with software developers and quality assurance professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures, and tools for secure coding and security testing. Edward teaches secure coding and security testing classes for Symantec engineers and leads the company’s QA Security Task Force, which he founded. He is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP).<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Thursday, June 16, 2011'''<br />
<br />
Topic: Building a Secure Login<br />
<br />
Presenter: Ben Broussard<br />
<br />
Date: Thursday, June 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
This talk takes the standard, cookie-based login and authorization functionality through its paces. First I will walk through the requirements of common, single sign-on functionality. Then I will walk through attacks and their countermeasures including SQL injection and parameterized queries, session fixation and cookie cycling, session hijacking and about a dozen necessary countermeasures, and so on. The discussion will be programming language agnostic, instead focusing on the functional specifications.<br />
<br />
<br />
Presenter Bio:<br />
Ben Broussard has been involved in the Austin OWASP chapter since 2008, giving technical talks, serving on the LASCON board, the chapter board, and organizing a study group. Outside of OWASP he has worn the hats of mainframe and web application developer, cryptographer, pentester, and he recently launched his own application security business, Kedalion Security, LLC. On the side he does research into brains and AI, and is an avid 80's dancer.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 20, 2011'''<br />
<br />
Topic: Vulnerable Frameworks Yield Vulnerable Apps<br />
<br />
Presenter: Javier Castro<br />
<br />
Date: Wednesday, April 20, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive, San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Major software vendors such as VMware and SAP are getting significantly better at writing <br />
secure software, but all of this effort is lost when they forget to properly configure or secure <br />
the frameworks that their software is built upon. This talk gives an overview of several <br />
recently discovered vulnerabilities in the products of major software companies. In each <br />
case the flaw leads to a complete system compromise and was located in a framework that <br />
the product was built upon. We as software developers can learn from these cases and <br />
avoid similar scenarios.<br />
<br />
Bio: <br />
Javier Castro is a senior vulnerability researcher at Digital Defense, Inc. where he writes explicit vulnerability checks, develops proprietary exploits, and researches popular software deployments. As exciting as vulnerability exploitation is, Javier finds it more rewarding to find ways to develop a secure application in the first place.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br />
<br><br />
<br />
'''San Antonio OWASP Chapter: Wednesday, March 23, 2011''' <br />
<br />
Topic: Attack Aware Applications <br />
<br />
Presenter: Michael Coates <br />
<br />
Date: Wednesday, March 23, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Attack Aware Applications: Imagine being able to detect an attacker in your application while they are searching for vulnerability and then locking out their account before they can do any harm. The OWASP AppSensor project provides a strategy for enabling your applications to detect and respond to attackers in real time. More powerful then generic detection with a WAF, the AppSensor approach allows detection of targeted application attacks attempting to exploit all areas including: business logic, access control, session management, injection attacks and more. This presentation will discuss techniques for implementing such a system within your application using existing technologies or by leveraging ESAPI. <br />
<br />
Presenter Bio: Michael Coates has extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers worldwide. Michael holds a MS in Computer Security from DePaul University and a BS in Computer Science from the University of Illinois. <br />
<br />
Michael is the creator and leader of the AppSensor project and a contributor to the 2010 OWASP Top 10. He is a frequent speaker at international OWASP security conferences and has also spoken at the Chicago Thotcon conference and provided security training at BlackHat. <br />
<br />
As the web security lead at Mozilla, Michael protects web applications used by millions of users each day. <br />
<br />
<br> Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Wednesday, January 19, 2011''' <br />
<br />
Topic: Smart Phones with Dumb Apps <br />
<br />
Presenter: Dan Cornell <br />
<br />
Date: Wednesday, January 19, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 [http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229] <br />
<br />
<br> Abstract: Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android. Many of these applications are constructed without fully considering the associated security implications of their deployment. Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services. This talk discusses emerging threats associated with deploying smartphone applications and provides an overview of the threat modeling process. The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Tue, November 16, 2010''' <br />
<br />
Topic: OWASP Top 10: What is it all about? <br />
<br />
Presenter: Dean Bushmiller <br />
<br />
Date: Tuesday, November 16, 2010 <br />
<br />
Time: 12:00pm-1:00pm <br />
<br />
Location: Methodist Health System – System Office 8109 Fredericksburg Road San Antonio, TX 78229-3311 Women’s Center Classroom 1 http://maps.google.com/maps?f=q&amp;source=s_q&amp;hl=en&amp;geocode=&amp;q=8109+fredericksburd+rd,+78229&amp;sll=37.0625,-95.677068&amp;sspn=35.494074,72.070313&amp;ie=UTF8&amp;hq=&amp;hnear=8109+Fredericksburg+Rd,+San+Antonio,+Bexar,+Texas+78229&amp;z=16 <br />
<br />
<br> Abstract: Everyone knows exactly what the OWASP top ten security threats are, right? Well sort of... I ask people if they have heard of the top ten they say yes. I ask them to name a few they pause, then they blurt out 2-3. Then I ask them to explain those 2-3 and they look at me like a deer-in-the-headlights. I want to make sure that everyone who walks out of the presentation can clearly define the top ten and be able to communicate to another what each of the top ten vulnerabilities are. <br />
<br />
<br> Presenter Bio: Dean Bushmiller has taught for 12 years. He is the recipient of five Mission Coins from various military branches. He has led national certification organizations in development, policy, and educational materials for over 10 years. He has presented, consulted, and instructed government, education, military, and private organizations. Dean has worked for SANS, ISC2, and other security training organizations. He has bee the keynote speaker at information security conferences as well as state and local colleges. He is now Director of Training for Expanding Security. <br />
<br />
Feel free to bring a brown bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed August 18, 2010''' <br />
<br />
Topic: Which Web Programming Languages are Most Secure? <br />
<br />
Presenter: Jeremiah Grossman, Founder and CTO, WhiteHat Security <br />
<br />
Date: Wednesday, August 18, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Security-conscious organizations make implementing a software security development lifecycle a priority. As part of the process, they evaluate a large number of development technologies for building websites. The assumption by many is that not all development environments are created equal. So the question often asked is, “What is the most secure programming language or development framework available?” <br />
<br />
<br> Clearly, familiarity with a specific product, whether it is designed to be secure-by-default or must be configured properly, and whether various libraries are available, can drastically impact the outcome. Still, conventional wisdom suggests that most popular modern languages / frameworks (commercial &amp; open source) perform relatively similarly when it comes to an overall security posture. At least in theory, none is markedly or noticeably more secure than another. Suggesting PHP, Java, C# and others are any more secure than other frameworks is sure to spark heated debate. <br />
<br />
<br> As has been said in the past, “In theory, there is no difference between theory and practice. But, in practice, there is.” Until now, no website security study has provided empirical research measuring how various Web programming languages / frameworks actively perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that popular modern languages / frameworks yield similar results in production websites? <br />
<br />
<br> By analyzing the vulnerability assessment results of nearly 1,700 websites under WhiteHat Sentinel management, we may begin to answer some of these questions. These answers may enable the website security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas; software vendors may focus on areas found lacking; and, developers will increase their familiarity with the strength and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and be virtually transparent. Only then will application security progress be made. <br />
<br />
<br> Presenter Bio: Jeremiah Grossman founded WhiteHat Security in August 2001. <br />
<br />
<br> A world-renowned expert in Web security, Mr. Grossman is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007. <br />
<br />
<br> Mr. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense. <br />
<br />
<br> Mr. Grossman is frequently quoted in major media outlets such as USA Today, the Washington Post, The Financial Times, InformationWeek, InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, CNET, CSO and NBC news. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also provide his perspective of what’s to come. <br />
<br />
<br> Mr. Grossman was named a “friend of Google” and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information. <br />
<br />
<br> Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc. <br />
<br />
Pizza will be served. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Fri. August 13, 2010''' <br />
<br />
Topic: 1)How OWASP Works and Guided Tour of OWASP Projects / 2) Using the O2 Platform to Consume OWASP projects <br />
<br />
Presenter: Dinis Cruz <br />
<br />
Date: Friday, August 13, 2010, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: 1) How OWASP Works and Guided Tour of OWASP Projects - This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives should the local chapters be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology) <br />
<br />
2) Using the O2 Platform to Consume OWASP projects - This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM <br />
<br />
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest) , b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and c) engage on a two-way conversion on the best way to fix/remediate those vulnerabilities. <br />
<br />
<br> Presenter Bio: Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
<br> Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed July 21, 2010''' <br />
<br />
Topic: A Caching Technique (PHP Implementation) <br />
<br />
Presenter: Dan Ross, VP Engineering, PIC Business Systems <br />
<br />
Date: Wednesday July 19, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Reduce 304's and improve web application performance. A caching technique is demonstrated using PHP. Easy implementation as well as caching override are discussed. <br />
<br />
<br> Presenter Bio: Dan Ross has been VP Engineering for over 20 years at PIC Business Systems, which provides integrated business software for the several industries. He has led the design, development, and maintenance of many commercial web applications and programs. He has a BS in Industrial Engineering from St. Mary's University in San Antonio. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed June 16, 2010''' <br />
<br />
Topic: Securing Software Applications Using Dynamic Dataflow Analysis <br />
<br />
Presenter: Steve Cook, Senior Research Analyst, SwRI <br />
<br />
Date: Wednesday June 16, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: In this presentation, we present an ongoing research effort that ensures that a wide variety of user-defined security policies are enforced on executing C programs while keeping runtime overhead low and with little disruption to the development process by leveraging Dynamic Dataflow Analysis (DDFA). The DDFA system is built upon the Broadway static data flow analysis and error checking system, which is a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin). UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project. <br />
<br />
The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls. The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library. <br />
<br />
The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques. This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime. <br />
<br />
Disruption to the development process is minimized through the security policy specification. The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment. <br />
<br />
The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes. In the future, our system can be extended to handle multiple languages and complement new security solutions. <br />
<br />
Presenter Bio: Steve Cook is a senior research analyst in the System Security and High Reliability Software section at the SwRI. His background and expertise are in distributed and parallel computing, compilers, as well as object-oriented and generic programming. He received his master’s degree in computer science from Texas A&amp;M University. While at Texas A&amp;M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ Programming Language, where he helped develop a new approach to writing concurrent programs that allows programmers to quickly turn a sequential C++ program into a parallel one that is race and deadlock free. <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed May 19th, 2010''' <br />
<br />
Topic: The Open Software Assurance Maturity Model <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: Wednesday May 19th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. <br />
<br />
This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed March 17, 2010''' <br />
<br />
Topic: Protecting Your Applications: How to Secure Business Critical Applications from Time Bombs, Backdoors &amp; Data Exfiltration <br />
<br />
Presenter: Clint Pollock <br />
<br />
Date: Wednesday, March 17th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Sponsored by: VERACODE <br />
<br />
Abstract: With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams. In this session we will cover; · Prevalence of backdoors and malicious code in third party attacks · Definitions and classifications of backdoors and their impact on your applications · Methods to identify, track and remediate these vulnerabilities <br />
<br />
Presenter Bio: Clint Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint’s greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL. <br />
<br />
<br> FREE PIZZA will be provided, courtesy of our friends from Veracode. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''Meeting Schedule for 2010''' <br />
<br />
Dates are set - speakers and topics are firming up as well speak. All meetings are from 11:30am - 1:00pm at the San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229. <br />
<br />
Wednesday January 20th - OWASP LiveCD: An Open Environment for Web Application Security by Matt Tesauro <br />
<br />
Wednesday March 17th - TBD <br />
<br />
Wednesday May 19th - TBD <br />
<br />
Wednesday July 21st - TBD <br />
<br />
Wednesday September 15th - TBD <br />
<br />
Wednesday November 10th - TBD <br />
<br />
<br> '''San Antonio OWASP Chapter: Wed January 20th, 2010''' <br />
<br />
Topic: OWASP LiveCD: An Open Environment for Web Application Security Presenter: Matt Tesauro, OWASP Board Member, LiveCD Project Lead Date: Wednesday January 20th, 2010 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users’ web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project <br />
<br />
Presenter Bio: Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&amp;M University. Currently, he's focused on implementing a comprehensive web application security program for the Texas Education Agency (TEA). Outside work, he is a member of the OWASP Foundation's Board of Directors, the project lead for the OWASP Live CD, a member of the OWASP Global Projects Committee, assists the OWASP Austin chapters leadership and a member of ISSA of Austin, Texas. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&amp;M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
Recent Meetings: <br />
<br />
<br> '''San Antonio OWASP Chapter: October 21, 2009''' <br />
<br />
Topic: Rolling Out an Enterprise Source Code Review Program <br />
<br />
Presenter: Dan Cornell, Principal at Denim Group Date: October 21, 2009 11:30 a.m. – 1:00 p.m. <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects. However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed. This talk will present lessons learned from the creation of several enterprise source code review programs, including: identifying all sources of custom code in an organization including custom extensions to ERP systems and enterprise portals, selecting the first round of applications to scan and successfully interpreting results and driving resolution to identified issues. <br />
<br />
<br> Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> '''San Antonio OWASP Chapter: August 19, 2009''' <br />
<br />
Topic: Web Application Firewalls (WAFs) <br />
<br />
Presenter: Matt Burriola &amp; Mario Flores, Randolph-Brooks Federal Credit Union Date: August 19, 2009 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Web Application Firewalls Web application firewalls (WAFs) have gained considerable momentum as web vulnerabilities have grown. WAFs now have a proven record of reducing exposures to web vulnerabilities by blocking malicious activity much like a typical firewall. While WAFs help, it does take time to consider when a WAF is appropriate. It also takes time to evaluate and implement the WAF as well. Come listen to reasons why Randolph-Brooks Federal Credit Union chose a WAF and what they learned in the process. <br />
<br />
Presenter Bio: Matt is a Senior Developer on the RBFCU Web Team, but mainly serves the roles of Configuration Management lead and Systems Admin for the team. Matt maintains the source control repository, application build and release processes, and QA server environments. Matt also works on web infrastructure initiatives such as Web Application Firewall. Matt has 10 years IT industry experience, including Java/web technologies, C, C++, Unix/Linux, shell scripting, and Symbol mobile handheld programming. Matt has a degree in Management Information Systems from Texas A&amp;M University-Corpus Christi. <br />
<br />
Mario is currently the Web Development manager for RBFCU. In this current role, Mario manages the development efforts for the online banking site and the intranet. Mario also has a solid background in web security and has addressed issues with web application penetration assessments. Mario has worked for RBFCU for 14 years and he has a degree in Information Systems from Texas Lutheran University. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: June 17, 2009'''' Topic: What is Cross Site Scripting And Why Is It bad? Date: June 17, 2009 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The presentation will cover background information on cross-site scripting (XSS) attacks as well as real world examples of what can happen when this type of vulnerability is present and the different ways that it can be exploited. The presentation will also include language agnostic ways to mitigate this sort of risk and how developers and security professionals can identify these risks. <br />
<br />
Presenter Bio: David is currently a Security Architect for Rackspace IT Hosting. In this current role, David is responsible for designing and implementing network security solutions, as well as software development in support of automation. In previous roles he was a software developer on various projects written in a mix of PHP, Python, Perl, Ruby, c#, and asp.net. Prior to Rackspace, David worked for Digital Defense and he holds a B.B.A. in Information Systems from the University of Texas San Antonio. He also has an extensive background in application security and is actively researching botnet mitigation techniques. Certifications held include CISSP, RHCE, and CCNA. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: January 2009 Meeting''' <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group Date: January 29, 2009 11:30am – 1:00pm <br />
<br />
Location: <br />
<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract:Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> <br />
<br />
----<br />
<br />
'''Previous News''' <br />
The slide deck from OWASP San Antonio February 2012 meeting is available online here: https://www.owasp.org/images/b/b0/WTE-Cloud-San_Antonio-2012-02.pdf<br />
<br />
The slide deck from OWASP San Antonio June 2011 meeting is available online here: https://www.owasp.org/images/2/21/How_to_Build_a_Secure_Login_BenBroussard_June2011.pdf<br />
<br />
The slide deck from OWASP San Antonio April 2011 meeting is available online here: https://www.owasp.org/images/0/05/Vulnerable_frameworks_yield_vulnerable_apps.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2011 meeting is available online here: http://www.owasp.org/images/c/cb/MichaelCoates-AppSensor.pdf <br />
<br />
The slide deck from OWASP San Antonio August 2010 meeting available online here: http://www.owasp.org/images/0/0e/OWASP_San_Antonio_0818.pdf.pdf http://www.owasp.org/images/5/5a/WPstats_spring10_9th.pdf <br />
<br />
The slide deck from OWASP San Antonio June 2010 meeting available online here: http://www.owasp.org/images/2/24/OWASPSanAntonio06162010_DDFA_PresentationFinal.pdf <br />
<br />
The slide deck from OWASP San Antonio May 2010 meeting available online here: http://www.owasp.org/images/b/b9/OpenSAMM10_OWASPSanAntonio_20100519.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2010 meeting available online here: http://www.owasp.org/index.php?title=File:Protecting_the_Enterprise_-_Software_Backdoors.pptx&amp;oldid=80140#filelinks <br />
<br />
The slide deck from OWASP San Antonio January 2010 meeting available online here: http://www.owasp.org/index.php/File:San_Antonio_Chapter-OWASP_WTE_Jan-2010.pdf#filelinks <br />
<br />
The slide deck from OWASP San Antonio October 2008 meeting available online here: http://www.owasp.org/index.php/San_Antonio <br />
<br />
The slide deck from OWASP San Antonio September 2007 meeting available online here: [[Image:Fortify-bjenkins-AppSecStrategy-20070906.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio March 2007 meeting will be available online shortly <br />
<br />
The slide deck from OWASP San Antonio September 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 09 AgileAndSecure.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio August 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 08 SingleSignOn.ppt]]. <br />
<br />
The slide deck from OWASP San Antonio June 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 06 Crypto Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio May 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 05 ForcefulBrowsing Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio September 2004 meeting available online here: [[Image:OWASPSanAntonio 20040922.pdf]]. <br />
<br />
[[Category:Texas]]</div>Dancornellhttps://wiki.owasp.org/index.php?title=San_Antonio&diff=149175San Antonio2013-04-04T19:23:49Z<p>Dancornell: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=San Antonio|extra=The chapter leader is [mailto:dan@denimgroup.com Dan Cornell]<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanantonio|emailarchives=http://lists.owasp.org/pipermail/owasp-sanantonio}} <br />
<br />
== Local News ==<br />
'''OWASP Developer Security Training at BSides San Antonio: Saturday May 4th, 2013'''<br />
<br />
Attend BSides San Antonio for three mini-courses for developers wanting to learn about security.<br />
<br />
To register: <br />
<br />
https://bsidessatx.eventbrite.com/<br />
<br />
The event is "sold out" for the general public, but you can still register using the promotional code: ['''TO_BE_RELEASED_SOON'''] Each mini-course will be 1.5 to 2 hours in length and the specific schedule will be released soon and attendees will have full access to the rest of the BSides San Antonio event.<br />
<br />
Main BSides San Antonio site:<br />
<br />
http://bsidestexas.blogspot.com/p/san-antonio-april-2013.html<br />
<br />
''Mini-Course 1''<br />
<br />
Title: Threat Modeling for Developers<br />
<br />
Abstract:<br />
<br />
Threat modeling is a valuable technique for identifying potential security<br />
issues in complex applications but many development teams have been slow<br />
to adopt it because of a perception that it can only be done by security<br />
specialists as well as a lack of guidance on how to get the most out of<br />
the activity. This mini-course walks through the process of Threat<br />
modeling from the perspective of a developer trying to identify issues<br />
early in the development process so that problems can be avoided and<br />
controls can be put in place with a minimum level of effort. The materials<br />
include discussion of where threat modeling is best done during the<br />
development lifecycle as well as the process of creating and refining a<br />
threat model. This is an interactive experience, with participants working<br />
together to walk through the threat modeling process.<br />
<br />
''Mini-Course 2''<br />
<br />
Title: Developing Secure Web Applications<br />
<br />
Abstract:<br />
<br />
Web applications are a convenient entry point for attackers because they<br />
are often publicly-available and many are built without a focus on<br />
security. This mini-course provides a developer-focused introduction to<br />
building web applications designed to operate in the face of malicious<br />
attackers. It walks through a basic threat model for a web application and<br />
uses this threat model as a framework for making good decisions when<br />
designing and building applications. The focus of the course is less on<br />
enumerating various types of vulnerabilities but rather on design and<br />
coding techniques that can be used to help create resilient applications.<br />
Some code examples in Java and .NET will be provided, but the techniques<br />
can be applied to any web application environment. [It would be beneficial<br />
to attend the earlier Threat Modeling session, but not required.]<br />
<br />
''Mini-Course 3''<br />
<br />
Title: Developing Secure Mobile Applications<br />
<br />
Abstract:<br />
<br />
Organizations of all sizes are rushing to provide their customers and<br />
employees with applications taking advantage of the power of mobile<br />
computing. As with many new technologies, these organizations often deploy<br />
applications first and come to realize the security implications of these<br />
new systems only post-deployment. This mini-course provides a<br />
developer-focused introduction to security for mobile applications. It<br />
walks through a basic threat model for a mobile application and uses this<br />
threat model as a framework for making good decisions when designing and<br />
building mobile application systems. Examples are provided for both iOS<br />
(iPhone and iPad) and Android platforms but the overall approach can be<br />
applied for all mobile applications. [It would be beneficial to attend the<br />
earlier Threat Modeling and Web Application sessions, but not required.]<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, September 25, 2012'''<br />
<br />
Topic: Dev/Ops, Continuous Deployment and APIs, Oh My! <br />
<br />
Presenter: Jarret Raim and Matt Tesauro<br />
<br />
Date: Tuesday, September 25, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
As the world of application development continues to change, the security community needs to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops and the traditional security processes just don’t work. Even if testing windows exist, they are too short for the traditional scanning or manual testing programs. Then, there’s the lack of viable tools to test API’s. What’s a security professional in charge of rolling out an SDLC supposed to do? This talk will cover methods of adapting traditional security practices into a test driven development (TDD) for security and provide practical advice on how to handle short development and promotion cycles with few or no testing windows. A demonstration of a new testing tool will also be part of the presentation.<br />
<br />
<br />
Presenter Bios:<br />
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace’s internal software teams as well as defined strategy for building secure systems on Rackspace’s OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant at Denim Group, Jarret has assessed and remediated applications in all industries and has experience width a wide variety of both development environments and the tools used to audit them. Jarret has recently taken charge of Rackspace's efforts to secure the Cloud through new product development, training and research. Jarret holds an M.S. in Computer Science from Lehigh University and a B.S. in Computer Science from Trinity University.<br />
<br />
Matt Tesauro has been involved in the Information Technology industry for more than 10 years. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 18, 2012'''<br />
<br />
Topic: Secure Coding Practices for 2012<br />
<br />
Presenter: Keith Turpin<br />
<br />
Date: Wednesday, April 18, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
<br />
3463 Magic Drive<br />
<br />
San Antonio, TX 78229<br />
<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
Abstract:<br />
Keith Turpin will present OWASP's "The Secure Coding Practices Quick Reference Guide." The guide is a technology agnostic set of software security coding practices, in a comprehensive checklist format, that can be integrated into the development life-cycle. At only 17 pages long, it is easy for development teams to read and use. The coding practices are mapped to functional requirements, so you can quickly locate the practices you need. It also provides a brief introduction to security principles and vocabulary to help developers and security folks get on the same page, but the focus is on requirements not vulnerabilities or exploits. This presentation will provide an overview of the guide and discuss some concepts about how to use it. Keith will cover the guide as well as the direction of the project for 2012, and alignment with integrating components of the guide with an organizations application security policy.<br />
<br />
<br />
Presenter Bio:<br />
Keith Turpin, CISSP, CSSLP, CRISC, leads Boeing’s enterprise application security assessment team. He previously served as the lead IT security advisor for all of Boeing’s international operations. <br />
<br />
Keith is a member of the (ISC)2 Application Security Advisory Board and has served as a U.S. delegate to the International Standards Organization's (ISO) sub-committee on cyber security. He is the project leader for the OWASP Secure Coding Practices Quick Reference Guide and is a member of the OWASP Global Projects Committee. He also spent four years as the Director of Communication for the Seattle chapter of the Information Systems Security Association. <br />
<br />
He is a frequent speaker at conferences, professional organizations and corporations on a variety of security topics and in his spare time he is the director of a nationally recognized intercollegiate engineering competition. <br />
<br />
Keith holds a BS in Mechanical Engineering and MS in Computer Systems.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Tuesday, February 22, 2012'''<br />
<br />
Topic: Testing from the Cloud: Is the Sky Falling?<br />
<br />
Presenter: Matt Tesauro<br />
<br />
Date: Wednesday, February 22, 2012<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
Geekdom<br />
The Weston Centre<br />
112 East Pecan, 11th floor<br />
San Antonio TX 78205<br />
Map: http://www.geekdom.com/location/<br />
Check map for parking info.<br />
<br />
Abstract:<br />
More and more IT is being moved to the cloud, why shouldn't your testing move there too? This talk will cover what it takes to take your testing tools from your laptop to the cloud using new features of the OWASP Web Testing Environment (WTE). WTE allows you to create custom installations of application security tools in the cloud on demand. Has your IP been shunned? No problem, kill that cloud instance and startup another. Is your life as mobile as your phone? No problem, a laptop + Internet = access to all your favorite tools from anywhere. Multiple clients? No problem, start an an instance for each one. By the end of this talk, you'll know all you need to fire up an cloud instance with all of your favorite tools and start having fun.<br />
<br />
<br />
Presenter Bio:<br />
Matt has been involved in the Information Technology industry for more than 10 years. Prior to joining Rackspace, Matt was a security consultant for security firms such as Trustwave as well as running an internal application security effort. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training a various industry events including DHS Software Assurance Workshop, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.<br />
<br />
Matt is currently on the board of the OWASP Foundation and highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP WTE (Web Testing Environment) which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications.<br />
<br />
Industry designations include the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&M University.<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, November 16, 2011'''<br />
<br />
Topic: You're Bleeding Sensitive Data - Find it Before They Do<br />
<br />
Presenter: Steve Werby<br />
<br />
Date: Wednesday, November 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
With the proliferation of Internet accessible applications and files within organizations and the number of employees capable of making sensitive content available growing rapidly, knowing what sensitive information is accessible is increasingly difficult. And expensive DLP and scanning tools are not the only option. I will cover management strategies to reduce the risk, as well as demonstrate free and low-cost tools (FOCA, Shodan, Google Hacking Database and more) to discover sensitive data.<br />
<br />
<br />
Presenter Bio:<br />
Steve Werby is Chief Information Security Officer at the University of Texas at San Antonio, where he leads the university's 10-person Office of Information Security. He has also served as CISO for Virginia Commonwealth University and the Virginia Department of Corrections (where he gained a new appreciation for physical security). Prior to that, he operated an information security consultancy with an international client base consisting largely of ISPs, web hosting companies and online businesses. Steve has an engineering degree, an MBA and numerous certs, but he is prouder of the fact that he hasn't signed his name the same way twice since 2009.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, August 17, 2011'''<br />
<br />
Topic: Secure Development Lifecycle at Symantec<br />
<br />
Presenter: Edward Bonver<br />
<br />
Date: Wednesday, August 17, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Given complexities and diversity of development technologies and processes as well as the deployment environments, in combination with customer expectations, software development in modern world is an immense undertaking. Building security into a development lifecycle of a large software vendor could prove quite challenging. This presentation covers how security practices are being followed by various product teams across Symantec, including the related processes and guidelines from Symantec’s Product Security Team. <br />
<br />
<br />
Presenter Bio:<br />
A senior principal software engineer on the product security team at Symantec Corporation, Edward Bonver is responsible for working with software developers and quality assurance professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures, and tools for secure coding and security testing. Edward teaches secure coding and security testing classes for Symantec engineers and leads the company’s QA Security Task Force, which he founded. He is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP).<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Thursday, June 16, 2011'''<br />
<br />
Topic: Building a Secure Login<br />
<br />
Presenter: Ben Broussard<br />
<br />
Date: Thursday, June 16, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room)<br />
3463 Magic Drive<br />
San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
This talk takes the standard, cookie-based login and authorization functionality through its paces. First I will walk through the requirements of common, single sign-on functionality. Then I will walk through attacks and their countermeasures including SQL injection and parameterized queries, session fixation and cookie cycling, session hijacking and about a dozen necessary countermeasures, and so on. The discussion will be programming language agnostic, instead focusing on the functional specifications.<br />
<br />
<br />
Presenter Bio:<br />
Ben Broussard has been involved in the Austin OWASP chapter since 2008, giving technical talks, serving on the LASCON board, the chapter board, and organizing a study group. Outside of OWASP he has worn the hats of mainframe and web application developer, cryptographer, pentester, and he recently launched his own application security business, Kedalion Security, LLC. On the side he does research into brains and AI, and is an avid 80's dancer.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400.<br />
<br />
<br />
<br />
'''San Antonio OWASP Chapter: Wednesday, April 20, 2011'''<br />
<br />
Topic: Vulnerable Frameworks Yield Vulnerable Apps<br />
<br />
Presenter: Javier Castro<br />
<br />
Date: Wednesday, April 20, 2011<br />
<br />
Time: 11:30am-1:00pm<br />
<br />
Location:<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive, San Antonio, TX 78229<br />
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229<br />
<br />
<br />
Abstract:<br />
Major software vendors such as VMware and SAP are getting significantly better at writing <br />
secure software, but all of this effort is lost when they forget to properly configure or secure <br />
the frameworks that their software is built upon. This talk gives an overview of several <br />
recently discovered vulnerabilities in the products of major software companies. In each <br />
case the flaw leads to a complete system compromise and was located in a framework that <br />
the product was built upon. We as software developers can learn from these cases and <br />
avoid similar scenarios.<br />
<br />
Bio: <br />
Javier Castro is a senior vulnerability researcher at Digital Defense, Inc. where he writes explicit vulnerability checks, develops proprietary exploits, and researches popular software deployments. As exciting as vulnerability exploitation is, Javier finds it more rewarding to find ways to develop a secure application in the first place.<br />
<br />
<br />
Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br />
<br><br />
<br />
'''San Antonio OWASP Chapter: Wednesday, March 23, 2011''' <br />
<br />
Topic: Attack Aware Applications <br />
<br />
Presenter: Michael Coates <br />
<br />
Date: Wednesday, March 23, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Attack Aware Applications: Imagine being able to detect an attacker in your application while they are searching for vulnerability and then locking out their account before they can do any harm. The OWASP AppSensor project provides a strategy for enabling your applications to detect and respond to attackers in real time. More powerful then generic detection with a WAF, the AppSensor approach allows detection of targeted application attacks attempting to exploit all areas including: business logic, access control, session management, injection attacks and more. This presentation will discuss techniques for implementing such a system within your application using existing technologies or by leveraging ESAPI. <br />
<br />
Presenter Bio: Michael Coates has extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers worldwide. Michael holds a MS in Computer Security from DePaul University and a BS in Computer Science from the University of Illinois. <br />
<br />
Michael is the creator and leader of the AppSensor project and a contributor to the 2010 OWASP Top 10. He is a frequent speaker at international OWASP security conferences and has also spoken at the Chicago Thotcon conference and provided security training at BlackHat. <br />
<br />
As the web security lead at Mozilla, Michael protects web applications used by millions of users each day. <br />
<br />
<br> Lunch will be provided. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Wednesday, January 19, 2011''' <br />
<br />
Topic: Smart Phones with Dumb Apps <br />
<br />
Presenter: Dan Cornell <br />
<br />
Date: Wednesday, January 19, 2011 <br />
<br />
Time: 11:30am-1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 [http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229] <br />
<br />
<br> Abstract: Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android. Many of these applications are constructed without fully considering the associated security implications of their deployment. Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services. This talk discusses emerging threats associated with deploying smartphone applications and provides an overview of the threat modeling process. The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Tue, November 16, 2010''' <br />
<br />
Topic: OWASP Top 10: What is it all about? <br />
<br />
Presenter: Dean Bushmiller <br />
<br />
Date: Tuesday, November 16, 2010 <br />
<br />
Time: 12:00pm-1:00pm <br />
<br />
Location: Methodist Health System – System Office 8109 Fredericksburg Road San Antonio, TX 78229-3311 Women’s Center Classroom 1 http://maps.google.com/maps?f=q&amp;source=s_q&amp;hl=en&amp;geocode=&amp;q=8109+fredericksburd+rd,+78229&amp;sll=37.0625,-95.677068&amp;sspn=35.494074,72.070313&amp;ie=UTF8&amp;hq=&amp;hnear=8109+Fredericksburg+Rd,+San+Antonio,+Bexar,+Texas+78229&amp;z=16 <br />
<br />
<br> Abstract: Everyone knows exactly what the OWASP top ten security threats are, right? Well sort of... I ask people if they have heard of the top ten they say yes. I ask them to name a few they pause, then they blurt out 2-3. Then I ask them to explain those 2-3 and they look at me like a deer-in-the-headlights. I want to make sure that everyone who walks out of the presentation can clearly define the top ten and be able to communicate to another what each of the top ten vulnerabilities are. <br />
<br />
<br> Presenter Bio: Dean Bushmiller has taught for 12 years. He is the recipient of five Mission Coins from various military branches. He has led national certification organizations in development, policy, and educational materials for over 10 years. He has presented, consulted, and instructed government, education, military, and private organizations. Dean has worked for SANS, ISC2, and other security training organizations. He has bee the keynote speaker at information security conferences as well as state and local colleges. He is now Director of Training for Expanding Security. <br />
<br />
Feel free to bring a brown bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed August 18, 2010''' <br />
<br />
Topic: Which Web Programming Languages are Most Secure? <br />
<br />
Presenter: Jeremiah Grossman, Founder and CTO, WhiteHat Security <br />
<br />
Date: Wednesday, August 18, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Security-conscious organizations make implementing a software security development lifecycle a priority. As part of the process, they evaluate a large number of development technologies for building websites. The assumption by many is that not all development environments are created equal. So the question often asked is, “What is the most secure programming language or development framework available?” <br />
<br />
<br> Clearly, familiarity with a specific product, whether it is designed to be secure-by-default or must be configured properly, and whether various libraries are available, can drastically impact the outcome. Still, conventional wisdom suggests that most popular modern languages / frameworks (commercial &amp; open source) perform relatively similarly when it comes to an overall security posture. At least in theory, none is markedly or noticeably more secure than another. Suggesting PHP, Java, C# and others are any more secure than other frameworks is sure to spark heated debate. <br />
<br />
<br> As has been said in the past, “In theory, there is no difference between theory and practice. But, in practice, there is.” Until now, no website security study has provided empirical research measuring how various Web programming languages / frameworks actively perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that popular modern languages / frameworks yield similar results in production websites? <br />
<br />
<br> By analyzing the vulnerability assessment results of nearly 1,700 websites under WhiteHat Sentinel management, we may begin to answer some of these questions. These answers may enable the website security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas; software vendors may focus on areas found lacking; and, developers will increase their familiarity with the strength and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and be virtually transparent. Only then will application security progress be made. <br />
<br />
<br> Presenter Bio: Jeremiah Grossman founded WhiteHat Security in August 2001. <br />
<br />
<br> A world-renowned expert in Web security, Mr. Grossman is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007. <br />
<br />
<br> Mr. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense. <br />
<br />
<br> Mr. Grossman is frequently quoted in major media outlets such as USA Today, the Washington Post, The Financial Times, InformationWeek, InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, CNET, CSO and NBC news. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also provide his perspective of what’s to come. <br />
<br />
<br> Mr. Grossman was named a “friend of Google” and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information. <br />
<br />
<br> Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc. <br />
<br />
Pizza will be served. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''San Antonio OWASP Chapter: Fri. August 13, 2010''' <br />
<br />
Topic: 1)How OWASP Works and Guided Tour of OWASP Projects / 2) Using the O2 Platform to Consume OWASP projects <br />
<br />
Presenter: Dinis Cruz <br />
<br />
Date: Friday, August 13, 2010, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: 1) How OWASP Works and Guided Tour of OWASP Projects - This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives should the local chapters be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology) <br />
<br />
2) Using the O2 Platform to Consume OWASP projects - This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM <br />
<br />
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest) , b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and c) engage on a two-way conversion on the best way to fix/remediate those vulnerabilities. <br />
<br />
<br> Presenter Bio: Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
<br> Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed July 21, 2010''' <br />
<br />
Topic: A Caching Technique (PHP Implementation) <br />
<br />
Presenter: Dan Ross, VP Engineering, PIC Business Systems <br />
<br />
Date: Wednesday July 19, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: Reduce 304's and improve web application performance. A caching technique is demonstrated using PHP. Easy implementation as well as caching override are discussed. <br />
<br />
<br> Presenter Bio: Dan Ross has been VP Engineering for over 20 years at PIC Business Systems, which provides integrated business software for the several industries. He has led the design, development, and maintenance of many commercial web applications and programs. He has a BS in Industrial Engineering from St. Mary's University in San Antonio. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed June 16, 2010''' <br />
<br />
Topic: Securing Software Applications Using Dynamic Dataflow Analysis <br />
<br />
Presenter: Steve Cook, Senior Research Analyst, SwRI <br />
<br />
Date: Wednesday June 16, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
<br> Abstract: In this presentation, we present an ongoing research effort that ensures that a wide variety of user-defined security policies are enforced on executing C programs while keeping runtime overhead low and with little disruption to the development process by leveraging Dynamic Dataflow Analysis (DDFA). The DDFA system is built upon the Broadway static data flow analysis and error checking system, which is a source-to-source translator for C developed by the computer sciences department at the University of Texas at Austin (UT-Austin). UT-Austin and the Southwest Research Institute (SwRI) recently collaborated to further enhance the system through a government research project funded by Intelligence Advanced Research Projects Activity (IARPA) and a SwRI internal research project. <br />
<br />
The system works by automatically instrumenting the original source, guided by the security policy, with DDFA runtime library calls. The modified program is then compiled for the platform of choice so that its security policy can be enforced at runtime through the DDFA runtime library. <br />
<br />
The runtime overhead is kept low by leveraging the semantic information provided by the security policy and a sophisticated dependence analysis to enable optimizations beyond standard compiler techniques. This results in a program that is instrumented with additional code only where provably necessary, so innocuous flows of data are not tracked at runtime. <br />
<br />
Disruption to the development process is minimized through the security policy specification. The security policy is defined once by a security expert using a simple language, which has a direct mapping to the application programming interface to which the program is written. The policy, once defined, can be applied to many different programs. The DDFA approach is easily integrated into the development workflow, adding only an additional compilation step before application deployment. <br />
<br />
The system does not require any modification to the original source code by the programmer, and does not require hardware or operating system changes. In the future, our system can be extended to handle multiple languages and complement new security solutions. <br />
<br />
Presenter Bio: Steve Cook is a senior research analyst in the System Security and High Reliability Software section at the SwRI. His background and expertise are in distributed and parallel computing, compilers, as well as object-oriented and generic programming. He received his master’s degree in computer science from Texas A&amp;M University. While at Texas A&amp;M, he worked as a research assistant for Dr. Bjarne Stroustrup, creator of the C++ Programming Language, where he helped develop a new approach to writing concurrent programs that allows programmers to quickly turn a sequential C++ program into a parallel one that is race and deadlock free. <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed May 19th, 2010''' <br />
<br />
Topic: The Open Software Assurance Maturity Model <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: Wednesday May 19th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. <br />
<br />
This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/. <br />
<br />
Presenter Bio: Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications <br />
<br />
<br> Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: Wed March 17, 2010''' <br />
<br />
Topic: Protecting Your Applications: How to Secure Business Critical Applications from Time Bombs, Backdoors &amp; Data Exfiltration <br />
<br />
Presenter: Clint Pollock <br />
<br />
Date: Wednesday, March 17th, 2010 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Sponsored by: VERACODE <br />
<br />
Abstract: With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams. In this session we will cover; · Prevalence of backdoors and malicious code in third party attacks · Definitions and classifications of backdoors and their impact on your applications · Methods to identify, track and remediate these vulnerabilities <br />
<br />
Presenter Bio: Clint Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint’s greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL. <br />
<br />
<br> FREE PIZZA will be provided, courtesy of our friends from Veracode. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
<br> '''Meeting Schedule for 2010''' <br />
<br />
Dates are set - speakers and topics are firming up as well speak. All meetings are from 11:30am - 1:00pm at the San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229. <br />
<br />
Wednesday January 20th - OWASP LiveCD: An Open Environment for Web Application Security by Matt Tesauro <br />
<br />
Wednesday March 17th - TBD <br />
<br />
Wednesday May 19th - TBD <br />
<br />
Wednesday July 21st - TBD <br />
<br />
Wednesday September 15th - TBD <br />
<br />
Wednesday November 10th - TBD <br />
<br />
<br> '''San Antonio OWASP Chapter: Wed January 20th, 2010''' <br />
<br />
Topic: OWASP LiveCD: An Open Environment for Web Application Security Presenter: Matt Tesauro, OWASP Board Member, LiveCD Project Lead Date: Wednesday January 20th, 2010 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The OWASP Live CD is a project that collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This allows its users to test for various security issues in web applications and web sites. The Live CD also contains documentation and an interactive learning environment to enhance users’ web application security knowledge. This presentation will cover the current state of the OWASP Live CD as well as the plans for future developments. Time permitting, a live demonstration of the OWASP Live CD will be conducted. The OWASP Live CD is a project of the Open Web Application Security Project (OWASP) and is free for commercial or non-commercial use. More information is available at: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project <br />
<br />
Presenter Bio: Matt Tesauro has worked in web application development and security since 2000. He has worn many different hats, from developer to DBA to System Administrator to Penetration Tester. Matt also taught graduate and undergraduate classes on web application development and XML at Texas A&amp;M University. Currently, he's focused on implementing a comprehensive web application security program for the Texas Education Agency (TEA). Outside work, he is a member of the OWASP Foundation's Board of Directors, the project lead for the OWASP Live CD, a member of the OWASP Global Projects Committee, assists the OWASP Austin chapters leadership and a member of ISSA of Austin, Texas. Matt Tesauro has a B.S. in Economics and a M.S in Management Information Systems from Texas A&amp;M University. He is also has the CISSP, CEH (Certified Ethical Hacker), RHCE (Red Hat Certified Engineer), and Linux+ certifications. <br />
<br />
Sodas and snacks will be provided. Feel free to bring a brown-bag lunch. <br />
<br />
Please RSVP: E-mail owasprsvp@denimgroup.com or call (210) 572-4400. <br />
<br />
<br> <br />
<br />
Recent Meetings: <br />
<br />
<br> '''San Antonio OWASP Chapter: October 21, 2009''' <br />
<br />
Topic: Rolling Out an Enterprise Source Code Review Program <br />
<br />
Presenter: Dan Cornell, Principal at Denim Group Date: October 21, 2009 11:30 a.m. – 1:00 p.m. <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects. However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed. This talk will present lessons learned from the creation of several enterprise source code review programs, including: identifying all sources of custom code in an organization including custom extensions to ERP systems and enterprise portals, selecting the first round of applications to scan and successfully interpreting results and driving resolution to identified issues. <br />
<br />
<br> Presenter Bio: Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. <br />
<br />
Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium, Inc. and as the Vice President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest Research Institute. <br />
<br />
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> '''San Antonio OWASP Chapter: August 19, 2009''' <br />
<br />
Topic: Web Application Firewalls (WAFs) <br />
<br />
Presenter: Matt Burriola &amp; Mario Flores, Randolph-Brooks Federal Credit Union Date: August 19, 2009 11:30am – 1:00pm <br />
<br />
Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: Web Application Firewalls Web application firewalls (WAFs) have gained considerable momentum as web vulnerabilities have grown. WAFs now have a proven record of reducing exposures to web vulnerabilities by blocking malicious activity much like a typical firewall. While WAFs help, it does take time to consider when a WAF is appropriate. It also takes time to evaluate and implement the WAF as well. Come listen to reasons why Randolph-Brooks Federal Credit Union chose a WAF and what they learned in the process. <br />
<br />
Presenter Bio: Matt is a Senior Developer on the RBFCU Web Team, but mainly serves the roles of Configuration Management lead and Systems Admin for the team. Matt maintains the source control repository, application build and release processes, and QA server environments. Matt also works on web infrastructure initiatives such as Web Application Firewall. Matt has 10 years IT industry experience, including Java/web technologies, C, C++, Unix/Linux, shell scripting, and Symbol mobile handheld programming. Matt has a degree in Management Information Systems from Texas A&amp;M University-Corpus Christi. <br />
<br />
Mario is currently the Web Development manager for RBFCU. In this current role, Mario manages the development efforts for the online banking site and the intranet. Mario also has a solid background in web security and has addressed issues with web application penetration assessments. Mario has worked for RBFCU for 14 years and he has a degree in Information Systems from Texas Lutheran University. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: June 17, 2009'''' Topic: What is Cross Site Scripting And Why Is It bad? Date: June 17, 2009 11:30am – 1:00pm Location: San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 <br />
<br />
http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract: The presentation will cover background information on cross-site scripting (XSS) attacks as well as real world examples of what can happen when this type of vulnerability is present and the different ways that it can be exploited. The presentation will also include language agnostic ways to mitigate this sort of risk and how developers and security professionals can identify these risks. <br />
<br />
Presenter Bio: David is currently a Security Architect for Rackspace IT Hosting. In this current role, David is responsible for designing and implementing network security solutions, as well as software development in support of automation. In previous roles he was a software developer on various projects written in a mix of PHP, Python, Perl, Ruby, c#, and asp.net. Prior to Rackspace, David worked for Digital Defense and he holds a B.B.A. in Information Systems from the University of Texas San Antonio. He also has an extensive background in application security and is actively researching botnet mitigation techniques. Certifications held include CISSP, RHCE, and CCNA. <br />
<br />
<br> <br />
<br />
'''San Antonio OWASP Chapter: January 2009 Meeting''' <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group Date: January 29, 2009 11:30am – 1:00pm <br />
<br />
Location: <br />
<br />
San Antonio Technology Center (Web Room) 3463 Magic Drive San Antonio, TX 78229 http://maps.google.com/maps?f=q&amp;hl=en&amp;q=3463+Magic+Drive,+San+Antonio,+TX+78229 <br />
<br />
Abstract:Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br> <br />
<br />
----<br />
<br />
'''Previous News''' <br />
The slide deck from OWASP San Antonio February 2012 meeting is available online here: https://www.owasp.org/images/b/b0/WTE-Cloud-San_Antonio-2012-02.pdf<br />
<br />
The slide deck from OWASP San Antonio June 2011 meeting is available online here: https://www.owasp.org/images/2/21/How_to_Build_a_Secure_Login_BenBroussard_June2011.pdf<br />
<br />
The slide deck from OWASP San Antonio April 2011 meeting is available online here: https://www.owasp.org/images/0/05/Vulnerable_frameworks_yield_vulnerable_apps.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2011 meeting is available online here: http://www.owasp.org/images/c/cb/MichaelCoates-AppSensor.pdf <br />
<br />
The slide deck from OWASP San Antonio August 2010 meeting available online here: http://www.owasp.org/images/0/0e/OWASP_San_Antonio_0818.pdf.pdf http://www.owasp.org/images/5/5a/WPstats_spring10_9th.pdf <br />
<br />
The slide deck from OWASP San Antonio June 2010 meeting available online here: http://www.owasp.org/images/2/24/OWASPSanAntonio06162010_DDFA_PresentationFinal.pdf <br />
<br />
The slide deck from OWASP San Antonio May 2010 meeting available online here: http://www.owasp.org/images/b/b9/OpenSAMM10_OWASPSanAntonio_20100519.pdf <br />
<br />
The slide deck from OWASP San Antonio March 2010 meeting available online here: http://www.owasp.org/index.php?title=File:Protecting_the_Enterprise_-_Software_Backdoors.pptx&amp;oldid=80140#filelinks <br />
<br />
The slide deck from OWASP San Antonio January 2010 meeting available online here: http://www.owasp.org/index.php/File:San_Antonio_Chapter-OWASP_WTE_Jan-2010.pdf#filelinks <br />
<br />
The slide deck from OWASP San Antonio October 2008 meeting available online here: http://www.owasp.org/index.php/San_Antonio <br />
<br />
The slide deck from OWASP San Antonio September 2007 meeting available online here: [[Image:Fortify-bjenkins-AppSecStrategy-20070906.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio March 2007 meeting will be available online shortly <br />
<br />
The slide deck from OWASP San Antonio September 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 09 AgileAndSecure.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio August 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 08 SingleSignOn.ppt]]. <br />
<br />
The slide deck from OWASP San Antonio June 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 06 Crypto Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio May 2006 meeting available online here: [[Image:OWASPSanAntonio 2006 05 ForcefulBrowsing Content.pdf]]. <br />
<br />
The slide deck from OWASP San Antonio September 2004 meeting available online here: [[Image:OWASPSanAntonio 20040922.pdf]]. <br />
<br />
[[Category:Texas]]</div>Dancornellhttps://wiki.owasp.org/index.php?title=Automated_Audit_using_w3af&diff=128883Automated Audit using w3af2012-05-01T20:18:54Z<p>Dancornell: Created page with "<pre style="color:#088A08">This type of article aims to provide to development team a easy/quick way to perform automated audit tests against their web application projects o..."</p>
<hr />
<div><pre style="color:#088A08">This type of article aims to provide to development team a easy/quick way to perform automated audit <br />
tests against their web application projects over implementation phase.</pre><br />
<br />
This still needs a bit of work and better documentation, but is intended to be a similar resource to this [https://www.owasp.org/index.php/Automated_Audit_using_SKIPFISH skipfish page]<br />
<br />
== Description ==<br />
<br />
This page have to objective to show a w3af sample script to automate audit of a web application.<br />
<br />
Description taken from website:<br />
<pre><br />
w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework<br />
to find and exploit web application vulnerabilities that is easy to use and extend.<br />
</pre><br />
<br />
[http://w3af.sourceforge.net/ w3af homepage].<br />
<br />
<br />
''This script do not replace a manual audit but can be useful to perform a first validation''.<br />
<br />
== Command To Run ==<br />
<br />
w3af_console.bat -s my_site.w3af -n<br />
<br />
== Contents of my_site.w3af ==<br />
<pre><br />
plugins<br />
output console,xmlFile<br />
output config xmlFile<br />
set fileName my_site.xml<br />
set verbose True<br />
back<br />
output config console<br />
set verbose False<br />
back<br />
audit xss sqli blindSqli xsrf responseSplitting xpath osCommanding eval formatString LDAPi<br />
discovery webSpider<br />
discovery config webSpider<br />
set onlyForward True<br />
back<br />
back<br />
target<br />
set target http://my_site/index.php<br />
back<br />
http-settings<br />
set maxRetrys 0<br />
set timeout 3<br />
back<br />
start<br />
exit<br />
</pre><br />
<br />
[[Category:Code Snippet]]<br />
[[Category:Automated Audit]]<br />
[[Category:Audit Script]]</div>Dancornellhttps://wiki.owasp.org/index.php?title=Global_Projects_and_Tools_Committee_-_Application_7&diff=128843Global Projects and Tools Committee - Application 72012-04-30T14:21:15Z<p>Dancornell: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]] <br />
<br />
----<br />
<br />
{| style="width:100%" border="0" align="center"<br />
|-<br />
! colspan="2" align="center" style="background:#4058A0; color:white" | <font color="white">'''COMMITTEE APPLICATION FORM'''</font><br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center" | '''Applicant's Name''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left" | <font color="black">Nishi Kumar</font><br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center" | '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left" | OWASP CBT Project Lead and Past member of Global Industry Committee<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center" | '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left" | Global Projects and Tools Committee<br />
|}<br />
<br />
----<br />
<br />
<br> <br />
<br />
----<br />
<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote. <br />
<br />
----<br />
<br />
<br> <br />
<br />
----<br />
<br />
{| style="width:100%" border="0" align="center"<br />
|-<br />
! colspan="8" align="center" style="background:#4058A0; color:white" | <font color="white">'''COMMITTEE RECOMMENDATIONS'''</font><br />
|-<br />
! align="center" style="background:white; color:white" | <font color="black"></font><br />
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Who Recommends/Name'''</font><br />
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Role in OWASP'''</font><br />
! align="center" style="background:#7B8ABD; color:white" | <font color="black">'''Recommendation Content'''</font><br />
|-<br />
| style="width:3%; background:#cccccc" align="center" | '''1''' <br />
| style="width:20%; background:#cccccc" align="center" | Dan Cornell<br />
| style="width:20%; background:#cccccc" align="center" | Member, Global Membership Committee, Chapter Leader, San Antonio<br />
| style="width:57%; background:#cccccc" align="center" | Nishi has been a long-time OWASP contributor since before the 2008 Summit and has worked on projects such as the OWASP CBT project. She would be an excellent contributor to the OWASP Global Projects and Tools Committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center" | '''2''' <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:57%; background:#cccccc" align="center" | <br />
|-<br />
| style="width:3%; background:#cccccc" align="center" | '''3''' <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:57%; background:#cccccc" align="center" | <br />
|-<br />
| style="width:3%; background:#cccccc" align="center" | '''4''' <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:57%; background:#cccccc" align="center" | <br />
|-<br />
| style="width:3%; background:#cccccc" align="center" | '''5''' <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:20%; background:#cccccc" align="center" | <br />
| style="width:57%; background:#cccccc" align="center" | <br />
<br />
|}<br />
<br />
----</div>Dancornellhttps://wiki.owasp.org/index.php?title=Membership_Revocation&diff=124197Membership Revocation2012-02-14T15:57:50Z<p>Dancornell: Created page with "In situations where an individual has had their OWASP Membership revoked: * A revoked member will no longer have the privilege to use a @OWASP.ORG email address * A revoked m..."</p>
<hr />
<div>In situations where an individual has had their OWASP Membership revoked:<br />
* A revoked member will no longer have the privilege to use a @OWASP.ORG email address <br />
* A revoked member will no longer be allowed to qualify for its membership benefits such as discounts, owasp on the move programs, grants issued by OWASP Foundation or vote.<br />
* A revoked member will no longer be allowed to operate as a chapter leader<br />
* A revoked member will no longer be allowed to be an OWASP Project Leader<br />
* A revoked member will no longer be allowed to access OWASP AppSec global conferences or regional events at no-charge <br />
* A revoked member IS permitted to attend OWASP meetings as they are open and free by design.<br />
* A revoked member IS permitted to utilize OWASP materials as they are under open source licenses and do not require membership in the organization to do so<br />
* A revoked member will not be allowed to reapply for membership for a period not less than 24 months.<br />
* A revoked member is disqualified from participating in OWASP CFPs and from speaking at a Global or regional AppSec conference as well as chapter meetings<br />
* A revoked member, upon inquiry to the OWASP Foundation concerning membership, will show as revoked (Active, Expired, Revoked, Honorary)</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_AndroidCode_Draft&diff=119410OWASP Mobile Security Project Platform Specific Guidance AndroidCode Draft2011-10-20T12:40:39Z<p>Dancornell: </p>
<hr />
<div>Deleted. Please navigate to [https://www.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Android_Code_Draft the updated page].</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Android_Code_Draft&diff=119409OWASP Mobile Security Project Platform Specific Guidance Android Code Draft2011-10-20T12:39:51Z<p>Dancornell: Created page with "== Authentication == == Session Management == == Access Control == == Input Validation == == Output Encoding/Escaping == == Cryptography == == Error Handling and Logging == == Da..."</p>
<hr />
<div>== Authentication ==<br />
== Session Management ==<br />
== Access Control ==<br />
== Input Validation ==<br />
== Output Encoding/Escaping ==<br />
== Cryptography ==<br />
== Error Handling and Logging ==<br />
== Data Protection ==<br />
Android code examples for Data Protection:<br />
<tt><br />
try {<br />
Context context = getApplicationContext();<br />
FileOutputStream stream;<br />
stream = context.openFileOutput("local_filename", Context.MODE_PRIVATE);<br />
OutputStreamWriter bw = new OutputStreamWriter(stream);<br />
bw.write(sb.toString());<br />
bw.flush();<br />
bw.close();<br />
} catch (IOException ioe) {<br />
// Handle the exception<br />
}<br />
</tt><br />
== Communication Security ==<br />
== HTTP Security ==<br />
== Security Configuration ==</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Draft&diff=119408OWASP Mobile Security Project Platform Specific Guidance Draft2011-10-20T12:38:55Z<p>Dancornell: /* Data Protection */</p>
<hr />
<div>== Authentication ==<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Session Management ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Access Control ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Input Validation ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Output Encoding/Escaping ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Cryptography ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Error Handling and Logging ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Data Protection ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|Data Protection<br />
|-<br />
|colspan="4"|Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized. <br />
* Where can applications store local data on the device?<br />
* What formats are allowed?<br />
|-<br />
|iOS [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project_Platform_Specific_Guidance_iOS_Code_Draft#Data_Protection (code examples)]||Android [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project_Platform_Specific_Guidance_AndroidCode_Draft#Data_Protection (code examples)]||colspan="2"|Mappings<br />
|-valign="top"<br />
|Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications. <br />
* Apple overview page on [http://developer.apple.com/technologies/ios/data-management.html iOS Data Management]<br />
* Apple information about File and the Filesystem on iOS<br />
* Apple information about Shared files<br />
* Apple information about Protected files<br />
* Apple's Introduction to Property Lists<br />
||Android applications have a variety of local storage options. They can store files in both internal storage that will be protected by the default Android/Linux permissions model that segregates access to application files via Linux file/group permissions or external storage on an SD card that will not be covered by those protections. Unless there are special circumstances, files should be created with Context.MODE_PRIVATE or Context.MODE_APPEND, which will use Linux permissions to make them readable and writable only to the application that created the file (and the root user on rooted devices). Files that are created using the Context.MODE_WORLD_READABLE can be read by other applications and should not be used to store data that a malicious application should not have access to. Files that are created using the Context.MODE_WORLD_WRITABLE can be written to by other applications and data read from these files should not be trusted. In addition, Android applications can create SQLite databases for storing application information. Also, Shared Preferences can be used to store key/value data. Finally, Content Providers can be used to store data for a given application as well as for sharing with other applications. <br />
* Android documentation on Data Storage<br />
* Android Javadoc for Context.openFileOutput() describing file permission options<br />
||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls#section_control_1 1]<br />
<br />
<br />
|}<br />
<br />
== Communication Security ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== HTTP Security ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Security Configuration ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
----<br />
''''' COPY/PASTE TEMPLATE STUFF BELOW '''''<br />
== EXAMPLE HEADING ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Draft&diff=119407OWASP Mobile Security Project Platform Specific Guidance Draft2011-10-20T12:36:18Z<p>Dancornell: </p>
<hr />
<div>== Authentication ==<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Session Management ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Access Control ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Input Validation ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Output Encoding/Escaping ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Cryptography ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Error Handling and Logging ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Data Protection ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|Data Protection<br />
|-<br />
|colspan="4"|Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized. <br />
* Where can applications store local data on the device?<br />
* What formats are allowed?<br />
|-<br />
|iOS [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project_Platform_Specific_Guidance_iOS_Code_Draft#Local_Storage (code examples)]||Android [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project_Platform_Specific_Guidance_AndroidCode_Draft#Local_Storage (code examples)]||colspan="2"|Mappings<br />
|-valign="top"<br />
|Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications. <br />
* Apple overview page on [http://developer.apple.com/technologies/ios/data-management.html iOS Data Management]<br />
* Apple information about File and the Filesystem on iOS<br />
* Apple information about Shared files<br />
* Apple information about Protected files<br />
* Apple's Introduction to Property Lists<br />
||Android applications have a variety of local storage options. They can store files in both internal storage that will be protected by the default Android/Linux permissions model that segregates access to application files via Linux file/group permissions or external storage on an SD card that will not be covered by those protections. Unless there are special circumstances, files should be created with Context.MODE_PRIVATE or Context.MODE_APPEND, which will use Linux permissions to make them readable and writable only to the application that created the file (and the root user on rooted devices). Files that are created using the Context.MODE_WORLD_READABLE can be read by other applications and should not be used to store data that a malicious application should not have access to. Files that are created using the Context.MODE_WORLD_WRITABLE can be written to by other applications and data read from these files should not be trusted. In addition, Android applications can create SQLite databases for storing application information. Also, Shared Preferences can be used to store key/value data. Finally, Content Providers can be used to store data for a given application as well as for sharing with other applications. <br />
* Android documentation on Data Storage<br />
* Android Javadoc for Context.openFileOutput() describing file permission options<br />
||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls#section_control_1 1]<br />
<br />
<br />
|}<br />
== Communication Security ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== HTTP Security ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Security Configuration ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
----<br />
''''' COPY/PASTE TEMPLATE STUFF BELOW '''''<br />
== EXAMPLE HEADING ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Draft&diff=119406OWASP Mobile Security Project Platform Specific Guidance Draft2011-10-20T12:24:09Z<p>Dancornell: </p>
<hr />
<div>== Authentication ==<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Session Management ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Access Control ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Input Validation ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Output Encoding/Escaping ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Cryptography ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Error Handling and Logging ==<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Data Protection ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|Data Protection<br />
|-<br />
|colspan="4"|Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized. <br />
* Where can applications store local data on the device?<br />
* What formats are allowed?<br />
|-<br />
|iOS [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project_Platform_Specific_Guidance_iOS_Code_Draft#Local_Storage (code examples)]||Android [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project_Platform_Specific_Guidance_AndroidCode_Draft#Local_Storage (code examples)]||colspan="2"|Mappings<br />
|-valign="top"<br />
|Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications. <br />
* Apple overview page on [http://developer.apple.com/technologies/ios/data-management.html iOS Data Management]<br />
* Apple information about File and the Filesystem on iOS<br />
* Apple information about Shared files<br />
* Apple information about Protected files<br />
* Apple's Introduction to Property Lists<br />
||Android applications have a variety of local storage options. They can store files in both internal storage that will be protected by the default Android/Linux permissions model that segregates access to application files via Linux file/group permissions or external storage on an SD card that will not be covered by those protections. Unless there are special circumstances, files should be created with Context.MODE_PRIVATE or Context.MODE_APPEND, which will use Linux permissions to make them readable and writable only to the application that created the file (and the root user on rooted devices). Files that are created using the Context.MODE_WORLD_READABLE can be read by other applications and should not be used to store data that a malicious application should not have access to. Files that are created using the Context.MODE_WORLD_WRITABLE can be written to by other applications and data read from these files should not be trusted. In addition, Android applications can create SQLite databases for storing application information. Also, Shared Preferences can be used to store key/value data. Finally, Content Providers can be used to store data for a given application as well as for sharing with other applications. <br />
* Android documentation on Data Storage<br />
* Android Javadoc for Context.openFileOutput() describing file permission options<br />
||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls#section_control_1 1]<br />
<br />
<br />
|}<br />
== Communication Security ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== HTTP Security ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Security Configuration ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
----<br />
''''' COPY/PASTE TEMPLATE STUFF BELOW '''''<br />
== Heading ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_iOS_Code_Draft&diff=119405OWASP Mobile Security Project Platform Specific Guidance iOS Code Draft2011-10-20T12:17:31Z<p>Dancornell: </p>
<hr />
<div>== Authentication ==<br />
== Session Management ==<br />
== Access Control ==<br />
== Input Validation ==<br />
== Output Encoding/Escaping ==<br />
== Cryptography ==<br />
== Error Handling and Logging ==<br />
== Data Protection ==<br />
iOS code examples for Data Protection:<br />
<tt><br />
/* Look at me! I'm Objective-C code! */<br />
</tt><br />
== Communication Security ==<br />
== HTTP Security ==<br />
== Security Configuration ==</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_AndroidCode_Draft&diff=119404OWASP Mobile Security Project Platform Specific Guidance AndroidCode Draft2011-10-20T12:16:50Z<p>Dancornell: </p>
<hr />
<div>== Authentication ==<br />
== Session Management ==<br />
== Access Control ==<br />
== Input Validation ==<br />
== Output Encoding/Escaping ==<br />
== Cryptography ==<br />
== Error Handling and Logging ==<br />
== Data Protection ==<br />
Android code examples for Data Protection:<br />
<tt><br />
try {<br />
Context context = getApplicationContext();<br />
FileOutputStream stream;<br />
stream = context.openFileOutput("local_filename", Context.MODE_PRIVATE);<br />
OutputStreamWriter bw = new OutputStreamWriter(stream);<br />
bw.write(sb.toString());<br />
bw.flush();<br />
bw.close();<br />
} catch (IOException ioe) {<br />
// Handle the exception<br />
}<br />
</tt><br />
== Communication Security ==<br />
== HTTP Security ==<br />
== Security Configuration ==</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Draft&diff=119402OWASP Mobile Security Project Platform Specific Guidance Draft2011-10-20T11:42:37Z<p>Dancornell: /* Local Storage */</p>
<hr />
<div>== Local Storage ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|Local Storage<br />
|-<br />
|colspan="4"|Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized. <br />
* Where can applications store local data on the device?<br />
* What formats are allowed?<br />
|-<br />
|iOS [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project_Platform_Specific_Guidance_iOS_Code_Draft#Local_Storage (code examples)]||Android [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project_Platform_Specific_Guidance_AndroidCode_Draft#Local_Storage (code examples)]||colspan="2"|Mappings<br />
|-valign="top"<br />
|Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications. <br />
* Apple overview page on [http://developer.apple.com/technologies/ios/data-management.html iOS Data Management]<br />
* Apple information about File and the Filesystem on iOS<br />
* Apple information about Shared files<br />
* Apple information about Protected files<br />
* Apple's Introduction to Property Lists<br />
||Android applications have a variety of local storage options. They can store files in both internal storage that will be protected by the default Android/Linux permissions model that segregates access to application files via Linux file/group permissions or external storage on an SD card that will not be covered by those protections. Unless there are special circumstances, files should be created with Context.MODE_PRIVATE or Context.MODE_APPEND, which will use Linux permissions to make them readable and writable only to the application that created the file (and the root user on rooted devices). Files that are created using the Context.MODE_WORLD_READABLE can be read by other applications and should not be used to store data that a malicious application should not have access to. Files that are created using the Context.MODE_WORLD_WRITABLE can be written to by other applications and data read from these files should not be trusted. In addition, Android applications can create SQLite databases for storing application information. Also, Shared Preferences can be used to store key/value data. Finally, Content Providers can be used to store data for a given application as well as for sharing with other applications. <br />
* Android documentation on Data Storage<br />
* Android Javadoc for Context.openFileOutput() describing file permission options<br />
||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls#section_control_1 1]<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Heading ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
<br />
== Heading ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
<br />
== Heading ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_iOS_Code_Draft&diff=119401OWASP Mobile Security Project Platform Specific Guidance iOS Code Draft2011-10-20T11:39:19Z<p>Dancornell: Created page with "== Local Storage == iOS code examples for local storage: <tt> Look at me! I'm Objective-C code! </tt> == Section 2 == Stuff: == Section 3 == Stuff: == Section 4 == Stuff:"</p>
<hr />
<div>== Local Storage ==<br />
iOS code examples for local storage:<br />
<tt><br />
Look at me! I'm Objective-C code!<br />
</tt><br />
<br />
== Section 2 ==<br />
Stuff:<br />
<br />
== Section 3 ==<br />
Stuff:<br />
<br />
== Section 4 ==<br />
Stuff:</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Draft&diff=119400OWASP Mobile Security Project Platform Specific Guidance Draft2011-10-20T11:36:38Z<p>Dancornell: /* Local Storage */</p>
<hr />
<div>== Local Storage ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|Local Storage<br />
|-<br />
|colspan="4"|Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized. <br />
* Where can applications store local data on the device?<br />
* What formats are allowed?<br />
|-<br />
|iOS||Android [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project_Platform_Specific_Guidance_AndroidCode_Draft#Local_Storage (code examples)]||colspan="2"|Mappings<br />
|-valign="top"<br />
|Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications. <br />
* Apple overview page on [http://developer.apple.com/technologies/ios/data-management.html iOS Data Management]<br />
* Apple information about File and the Filesystem on iOS<br />
* Apple information about Shared files<br />
* Apple information about Protected files<br />
* Apple's Introduction to Property Lists<br />
||Android applications have a variety of local storage options. They can store files in both internal storage that will be protected by the default Android/Linux permissions model that segregates access to application files via Linux file/group permissions or external storage on an SD card that will not be covered by those protections. Unless there are special circumstances, files should be created with Context.MODE_PRIVATE or Context.MODE_APPEND, which will use Linux permissions to make them readable and writable only to the application that created the file (and the root user on rooted devices). Files that are created using the Context.MODE_WORLD_READABLE can be read by other applications and should not be used to store data that a malicious application should not have access to. Files that are created using the Context.MODE_WORLD_WRITABLE can be written to by other applications and data read from these files should not be trusted. In addition, Android applications can create SQLite databases for storing application information. Also, Shared Preferences can be used to store key/value data. Finally, Content Providers can be used to store data for a given application as well as for sharing with other applications. <br />
* Android documentation on Data Storage<br />
* Android Javadoc for Context.openFileOutput() describing file permission options<br />
||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls#section_control_1 1]<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Heading ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
<br />
== Heading ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
<br />
== Heading ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Draft&diff=119399OWASP Mobile Security Project Platform Specific Guidance Draft2011-10-20T11:34:44Z<p>Dancornell: </p>
<hr />
<div>== Local Storage ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|Local Storage<br />
|-<br />
|colspan="4"|Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized. <br />
* Where can applications store local data on the device?<br />
* What formats are allowed?<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications. <br />
* Apple overview page on [http://developer.apple.com/technologies/ios/data-management.html iOS Data Management]<br />
* Apple information about File and the Filesystem on iOS<br />
* Apple information about Shared files<br />
* Apple information about Protected files<br />
* Apple's Introduction to Property Lists<br />
||Android applications have a variety of local storage options. They can store files in both internal storage that will be protected by the default Android/Linux permissions model that segregates access to application files via Linux file/group permissions or external storage on an SD card that will not be covered by those protections. Unless there are special circumstances, files should be created with Context.MODE_PRIVATE or Context.MODE_APPEND, which will use Linux permissions to make them readable and writable only to the application that created the file (and the root user on rooted devices). Files that are created using the Context.MODE_WORLD_READABLE can be read by other applications and should not be used to store data that a malicious application should not have access to. Files that are created using the Context.MODE_WORLD_WRITABLE can be written to by other applications and data read from these files should not be trusted. In addition, Android applications can create SQLite databases for storing application information. Also, Shared Preferences can be used to store key/value data. Finally, Content Providers can be used to store data for a given application as well as for sharing with other applications. <br />
* Android documentation on Data Storage<br />
* Android Javadoc for Context.openFileOutput() describing file permission options<br />
||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls#section_control_1 1]<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
== Heading ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
<br />
== Heading ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
<br />
== Heading ==<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_AndroidCode_Draft&diff=119398OWASP Mobile Security Project Platform Specific Guidance AndroidCode Draft2011-10-20T11:34:34Z<p>Dancornell: Created page with "== Local Storage == Android code examples for local storage: <tt> try { Context context = getApplicationContext(); FileOutputStream stream; stream = c..."</p>
<hr />
<div>== Local Storage ==<br />
Android code examples for local storage:<br />
<tt><br />
try {<br />
Context context = getApplicationContext();<br />
FileOutputStream stream;<br />
stream = context.openFileOutput("local_filename", Context.MODE_PRIVATE);<br />
OutputStreamWriter bw = new OutputStreamWriter(stream);<br />
bw.write(sb.toString());<br />
bw.flush();<br />
bw.close();<br />
} catch (IOException ioe) {<br />
// Handle the exception<br />
}<br />
</tt><br />
<br />
== Section 2 ==<br />
Stuff:<br />
<br />
== Section 3 ==<br />
Stuff:<br />
<br />
== Section 4 ==<br />
Stuff:</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Draft&diff=118998OWASP Mobile Security Project Platform Specific Guidance Draft2011-10-13T09:03:12Z<p>Dancornell: </p>
<hr />
<div>{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|Local Storage<br />
|-<br />
|colspan="4"|Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized. <br />
* Where can applications store local data on the device?<br />
* What formats are allowed?<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications. <br />
* Apple overview page on [http://developer.apple.com/technologies/ios/data-management.html iOS Data Management]<br />
* Apple information about File and the Filesystem on iOS<br />
* Apple information about Shared files<br />
* Apple information about Protected files<br />
* Apple's Introduction to Property Lists<br />
||Android applications have a variety of local storage options. They can store files in both internal storage that will be protected by the default Android/Linux permissions model that segregates access to application files via Linux file/group permissions or external storage on an SD card that will not be covered by those protections. Unless there are special circumstances, files should be created with Context.MODE_PRIVATE or Context.MODE_APPEND, which will use Linux permissions to make them readable and writable only to the application that created the file (and the root user on rooted devices). Files that are created using the Context.MODE_WORLD_READABLE can be read by other applications and should not be used to store data that a malicious application should not have access to. Files that are created using the Context.MODE_WORLD_WRITABLE can be written to by other applications and data read from these files should not be trusted. In addition, Android applications can create SQLite databases for storing application information. Also, Shared Preferences can be used to store key/value data. Finally, Content Providers can be used to store data for a given application as well as for sharing with other applications. <br />
* Android documentation on Data Storage<br />
* Android Javadoc for Context.openFileOutput() describing file permission options<br />
||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls#section_control_1 1]<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}</div>Dancornellhttps://wiki.owasp.org/index.php?title=Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls&diff=118997Projects/OWASP Mobile Security Project - Top Ten Mobile Controls2011-10-13T08:59:51Z<p>Dancornell: /* Top 10 mobile controls and design principles */</p>
<hr />
<div>== Top 10 mobile controls and design principles==<br />
<br />
'''[[#section control_1|1. Identify and protect sensitive data on the mobile device]]'''<br />
<br />
'''Risks:''' Unsafe sensitive data storage, attacks on decommissioned phones unintentional disclosure: Mobile devices (being mobile) have a higher risk of loss or theft. Adequate protection should be built in to minimize the loss of sensitive data on device.<br />
<br />
*1.1 In the design phase classify data storage according to sensitivity and apply controls accordingly (e.g. passwords, personal data, location, error logs etc.). Process, store and use data according to its classification. Validate the security of methods applied to sensitive data.<br />
*1.2 Store sensitive data on the server instead of client-end device. This is based on the assumption that secure network connectivity is always available and that protection mechanisms available to server side storage are superior. The relative security of client vs server-side security also needs to be assessed on a case-by-case basis (see ENISA cloud risk assessment or OWASP Cloud top 10 for decision support). All data transfer should use only secure channels.<br />
*1.3 If server-side storage and encryption is not a possibility, use file encryption APIs provided by the OS or other trusted source (check first for well-known vulnerabilities). Some platforms provide file encryption API’s which use a private key protected by the device unlock code and deleted on remote kill. If this is available, it should be used as it increases the security of the encryption without creating extra burden for the end-user. It also makes stored data safer in the case of loss or theft. However, it should be born in mind that even when protected by the device unlock key, if data is stored on the device, its security is dependent on the security of the device unlock code if remote deletion of the key is for any reason not possible.<br />
*1.4 Do not store/cache sensitive data (including keys) unless they are encrypted and if possible stored in a tamper-proof area (see 2).<br />
*1.5 Consider restricting access to sensitive data based on contextual information such as location (e.g. wallet App not usable outside Europe, car key not usable unless within 100m of car etc...).<br />
*1.6 Do not store historical GPS/tracking or other sensitive information on the device beyond the period required by the application (see 1.8).<br />
*1.7 Assume that shared storage is untrusted - information may easily leak in unexpected ways through any shared storage. In particular:<br />
**Be aware of caches and temporary storage as a possible leakage channel when shared with other apps.<br />
**Be aware of public shared storage such as address book, media gallery, audio files, as a possible leakage channel. For example storing images with location metadata in the media-gallery allows that information to be shared in unintended ways.<br />
**Do not store temp/cached data in a world readable directory.<br />
*1.8 Applications on managed devices should leverage remote wipe and kill switch APIs (OS-level or purpose-built) to remove sensitive information from the device in the event of theft or loss.<br />
*1.9 Data deletion should be scheduled according to a maximum retention period, (to prevent e.g. data remaining in caches indefinitely).<br />
*1.10 Bear in mind that there is no known secure deletion procedure for flash memory (unless wiping the entire media). Therefore data encryption is especially important.<br />
*1.11 Consider the security of the whole data lifecycle in writing your application (collection over the wire, temporary storage, caching, backup, deletion etc...)<br />
*1.12 Apply the principle of minimal disclosure - only collect and disclose data which is required for business use of the application. Identify in the design phase what data is needed, its sensitivity and whether it is appropriate to collect, store and use each data type.<br />
*1.13 Use non-persistent identifiers which are not shared with other apps wherever possible - e.g. do not use the device ID number as an identifier unless there is a good reason to do so (e.g. use a randomly generated number). Apply the same principles to app sessions as to http sessions/cookies etc....<br />
*1.14 Application developers may want to incorporate an application-specific "data kill switch" into their products, to allow the per-app deletion of their application's sensitive data when needed (strong authentication is required to protect misuse of such a feature).<br />
<br />
'''2. Handle password credentials securely on the device'''<br />
<br />
'''Risks:''' Spyware, Surveillance, Financial malware, UI impersonation User's password credentials if stolen not only provides unauthorized access to the mobile backend service but potentially many other services/accounts used by the user. Since a majority of the users reuse their passwords.<br />
<br />
*2.1 Instead of passwords consider using authorization tokens that can be securely stored on the device. Encrypt the tokens while stored on the device and in transit (using https). Tokens can be issued by the backend service after verifying the user credentials initially. The tokens could be time bounded to the specific service as well as revokable (if possible server side), thereby minimizing the damage in loss scenarios. Use the latest versions of the authorization standards (such as OAuth 2.0). Make sure that these tokens expire after an appropriate (not too long) delay. For sensitive applications, tokens should have shorter lifetimes.<br />
*2.2 In case passwords need to be stored on the device, leverage the encryption and key-store mechanisms provided by the mobile OS to securely store passwords, password equivalents and authorization tokens. Never store passwords in clear text. Do not store passwords or long term session IDs without appropriate encryption or hashing.<br />
*2.3 Some devices allow developers to use a Secure Element - sometimes via an SD card module (e.g. http://www.blackberry.com/developers/docs/7.0.0api/net/rim/device/api/io/nfc/se/SecureElement.html , http://code.google.com/p/seek-for-android/) - the number of devices offering this functionality is likely to increase. Developers should use such capability to store keys, credentials and other sensitive data.<br />
*2.4 Provide the ability for the mobile user to change/remove passwords on the device. <br />
*2.5 Password credentials should not be copied to backups.<br />
*2.6 Consider using visual/pattern based passwords to aid usability.<br />
*2.7 Check the entropy (i.e. randomness) of all passwords.<br />
*2.8 Ensure passwords and keys are not visible in caches or logs.<br />
*2.9 SMS is not a secure channel and cannot be relied upon to send sensitive information.<br />
*2.10 Do not store any passwords or secrets in the application binary. Do not use a generic shared secret for integration to backend (like embedded password in code). Mobile application binaries can be easily downloaded and reverse engineered.<br />
<br />
'''3. Ensure sensitive data is protected in transit'''<br />
<br />
'''Risks:''' Network spoofing attacks, Surveillance. The majority of the smartphones are capable of using multiple transport carriers including Wifi, provider network (3G, GSM, CDMA and others), bluetooth. Sensitive data passing through insecure channels could be intercepted.<br />
<br />
*3.1 Assume that the network layer is not private. Modern network layer attacks can decrypt provider many network encryption protocols at low cost, and there is no guarantee that the wifi network will be appropriately encrypted.<br />
*3.2 Applications should enforce the use of an end-to-end secure channel (such as SSL/TLS) when sending sensitive information on wire/air. This includes passing user credentials, or other authentication equivalents. In some cases this may mean encrypting all communication.<br />
*3.3 Enforce strong encryption algorithms and key lengths. Do not allow unsigned certificates and allow only reputable certificate authorities. Do not disable or ignore the SSL chain validation. <br />
*3.4 For sensitive data, to reduce the risk of man-in-middle attacks (like SSL proxy, SSL strip), a secure connection should only be established after verifying the identity of the remote end-point (server). This can be achieved by ensuring that SSL is only established with the end points having the trusted certificates in the key chain.<br />
*3.5 The user interface should make it as easy as possible for the user to find out if a certificate is valid.<br />
*3.6 SMS, MMS or notifications should not be used to send sensitive data to or from mobile end points.<br />
<br />
'''Reference:''' Google vulnerability of Client Login account credentials on unprotected wifi - [http://www.google.com/url?q=http%3A%2F%2Fwww.uni-ulm.de%2Fin%2Fmi%2Fmitarbeiter%2Fkoenings%2Fcatching-authtokens.html&sa=D&sntz=1&usg=AFQjCNGO-Yp1KHqO8USuL0zxL1Lpwq1Usw]<br />
<br />
'''4. Implement user authentication/authorization and session management correctly'''<br />
<br />
'''Risks:''' Unauthorized individuals may obtain access to sensitive data or systems. This can be done by circumventing authentication systems (logins) or by reusing valid tokens or cookies.<br />
<br />
*4.1 Require appropriate strength user authentication to the application. It may be useful to provide feedback on the strength of the password when it is being entered for the first time. The strength of the authentication mechanism used depends on the data being processed by the application and its access to valuable resources (e.g. costing money).<br />
*4.2 It is important to ensure that the session management is done correctly after the initial authentication. Require authentication credentials or tokens to be passed with any subsequent request (especially those granting privileged access or modification). <br />
*4.3 Use high entropy (unpredictable) session identifiers with .<br />
*4.4 Use context to add security to authentication - e.g. device ID, IP location, etc...<br />
*4.5 Consider using additional authentication factors for applications giving access to sensitive data or interfaces where possible - e.g. voice, fingerprint (if available), who-you-know, behavioural etc...<br />
*4.6 Use authentication that ties back to the end user identity (rather than the device identity).<br />
<br />
'''Reference:''' Google's ClientLogin implementation <br />
[http://www.google.com/url?q=http%3A%2F%2Fwww.uni-ulm.de%2Fin%2Fmi%2Fmitarbeiter%2Fkoenings%2Fcatching-authtokens.html&sa=D&sntz=1&usg=AFQjCNGO-Yp1KHqO8USuL0zxL1Lpwq1Usw]<br />
<br />
'''5. Keep the backend APIs (services) and the platform (server) secure''' <br />
<br />
'''Risks:''' Attacks on backend systems, loss of data via cloud storage. Majority of the mobile applications interact with the backend APIs using REST/Web Services or other proprietary protocols. Insecure implementation of backend APIs or services, and not keeping the back-end platform hardened/patched will allow bad guys to directly attack/compromise the back-ends.<br />
<br />
*5.1 Carry out a specific check of all data transferred betwen the mobile device and web-server backends and other external interfaces - (e.g. is location or other information transferred within file metadata)<br />
*5.2 All back-end services (WebServices/REST) for mobile apps should be tested for vulnerabilities periodically e.g. using static code analyzer tools and fuzzing tools for testing and finding security flaws.<br />
*5.3 Ensure that the back-end platform (server) is running with a hardened configuration with the latest security patches applied to the OS, Web Server and other application components.<br />
*5.4 Ensure adequate logs are retained on the back-end in order to detect and respond to incidents and perform forensics (within the limits of data protection law).<br />
*5.6 Employ rate limiting and throttling on a per-user/IP basis (if user identification is available) to reduce the risk from DDoS attack.<br />
*5.7 Test for DoS vulnerabilities where the server may become overwhelmed by certain resource intensive application calls.<br />
*5.8 Web Services, REST and APIs can have similar vulnerabilities to Web Applications. Perform testing of the backend Web Service, REST or API to determine vulnerabilities may exist. Perform abuse case testing, in addition to use case testing.<br />
<br />
'''Reference:''' [https://www.owasp.org/index.php/Web_Services]<br />
[http://code.google.com/apis/accounts/docs/AuthForInstalledApps.html]<br />
<br />
<br />
'''6. Perform data integration with third party services/applications securely'''<br />
<br />
'''Risks:''' Data Leakage<br />
<br />
*6.1 Vet the security/authenticity of any third party code/libraries used in your mobile application (reliable source, supported, no backend Trojans, licensing)<br />
*6.2 Track all third party frameworks/APIs used in the mobile application for security patches. A corresponding security update must be done for the mobile applications using these third party APIs/frameworks.<br />
*6.3 Pay particular attention to validating all data received from and sent to non-trusted third party apps (e.g. check ad network software) before processing in the application. <br />
<br />
'''7. Pay specific attention to the collection and storage of consent for the collection and use of the user’s data'''<br />
<br />
'''Risks:''' Unintentional disclosure of personal or private information. In the European Union, it is mandatory to obtain user consent for the collection of personally identifiable information (PII).<br />
<br />
*7.1 Create a privacy policy covering the usage of personal data and make it available to the user especially when making consent choices.<br />
*7.2 Consent may be collected in 3 main ways:<br />
**At install time<br />
**At run-time when data is sent<br />
**Via “opt-out” mechanisms where a default setting is implemented and the user has to turn it off.<br />
*7.3 Check whether your application is collecting PII - it may not always be obvious - for example do you use persistent identifiers linked to central data stores containing personal information?<br />
*7.4 Audit communication mechanisms to check for unintended leaks (e.g. image metadata).<br />
*7.5 Keep a record of consent to the transfer of PII available to the user (consider also the value of keeping server-side records attached to any user data stored).<br />
*7.6 Check whether your consent collection-mechanism overlaps or conflicts with any other consent-collection within the same stack (e.g. APP-native + webkit HTML)<br />
<br />
'''Reference:''' EU Law [http://democrats.energycommerce.house.gov/sites/default/files/image_uploads/Testimony_05.04.11_Spafford.pdf]<br />
<br />
'''8. Implement controls to prevent unauthorised access to paid-for resources (wallet, SMS, phone calls etc...)'''<br />
'''Risks:''' Smartphone apps give programmatic access to premium rate phone calls, SMS, roaming data, NFC payments etc. Apps with privileged access to such API’s should take particular care to prevent abuse given the financial impact of vulnerabilities giving attackers access to the user’s financial resources.<br />
<br />
*8.1 Maintain logs of access to paid resources in a non-repudiable format and make them available to the end-user for monitoring (e.g. signed receipt sent to server back-end). Logs should be protected from unauthorised access.<br />
*8.2 Check for anomalous usage patterns in paid resource usage and require reauthentication. E.g. when significant change in location occurs, user-language changes etc.<br />
*8.3 Consider using a white-list model by default for paid resource addressing - e.g. address book only unless specifically authorised for phone calls.<br />
*8.4 Authenticate all API calls to paid resources (e.g. using an app developer certificate).<br />
*8.5 Ensure that wallet API callbacks do not pass cleartext account/pricing/ billing/item information.<br />
*8.6 Warn user and obtain consent for any cost implications for app behaviour.<br />
*8.7 Minimise data transfers using techniques such as fast dormancy (3GPP), caching etc... to minimise signalling load on base stations.<br />
<br />
'''Reference:''' Google Wallet Security [http://www.google.com/wallet/how-it-works-security.html]<br />
<br />
'''9. Ensure secure distribution/provisioning of mobile applications'''<br />
<br />
'''Risks:''' <br />
*9.1 Applications must be designed and provisioned to allow updates for security patches, taking into account the requirements for approval by app-stores and the extra delay this may imply.<br />
*9.2 Provide remote kill functionality <br />
*9.3 Feedback channels<br />
*9.4 Code signing for some mobile platforms implies inherent trust between applications (with same code signatures), installed on the same mobile device. Plan code signing mechanisms properly. //Needs elaboration.<br />
<br />
'''10. Carefully check any runtime interpretation of code for errors '''<br />
<br />
'''Risks:''' Runtime interpretation of code covers any opportunity an app gives for untrusted parties to provide unverified text or binary which is interpreted as code. For example, extra levels in a game, scripts, interpreted SMS headers. This gives an opportunity for malware to circumvent walled garden controls. Injection attacks leading to Data leakage, Surveillance, Spyware, Diallerware<br />
<br />
*10.1 Minimise runtime interpretation and capabilities offered to runtime interpreters.<br />
*10.2 Run interpreters at minimal privilege levels.<br />
*10.3 Fuzz test interpreters.<br />
*10.4 Note that it is not always obvious that your code is interpreting text. Look for any capabilities accessible via user-input data and use of third party API’s - e.g. javascript interpreters.<br />
*10.5 Define a comprehensive escape syntax as appropriate.<br />
<br />
=== Candidates (for consideration) ===<br />
<br />
'''A: Some general coding best practices are particularly relevant to mobile coding too'''<br />
*Input Validation and Output Encoding<br />
*Minimise lines of code.<br />
*Use safe languages (e.g. from buffer-overflow).<br />
*Implement a security report handling point (address) security@example.com <br />
*Use static and binary code analyzers to find security flaws.<br />
*Use safe string functions, avoid buffer and Integer overflow.<br />
*Run with the minimum privilege required for the application on the operating system. Be aware of privileges granted by default by API's and disable them.<br />
*Don't authorize code/app to execute with root/sa privilege<br />
*Always perform testing as a standard as well as a privileged user<br />
*Avoid opening application specific server sockets (listener ports) on the client device. Use the communication mechanisms provided by the OS.<br />
*Context aware security: may be able to decrease/increase access based on the context (e.g. location, network) - <br />
*Remove all test code before releasing the application<br />
*Ensure logging is done appropriately but do not record excessive logs, especially including sensitive user information.<br />
*//What sort of information should be recorded in the logs. (Keep audit data on the server, no user specific data - link to the Apple Issue - Signed Timestamps) <br />
<br />
'''B. Enforce higher security posture on the device for sensitive apps used in an enterprise context:''' // Vinay to check<br />
*If a sensitive application needs to be provisioned on a device, application can employ enforcement of the certain security posture on the device (such as PIN, remote management/wipe) // Vinay - Still needs to be clarified<br />
*Enterprise applications can employ this principle of doing a security posture check before deployment of sensitive applications<br />
*Banking Apps<br />
*//(Remote Management, PIN enforcement, encryption, application monitoring)<br />
**Device cert can be used for stronger device identity. // How to make sure that this does not provide linkability between transactions (i.e. using the same cert across different service providers leaks data). I guess zero-knowledge certificates are too far-out for this guidance? Is this a common feature - device-cert - I have not come across it.<br />
<br />
'''C. Protect your application from other malicious applications on the device'''<br />
<br />
Risk: User's are prone to install applications that look cool (may be malicious) and can transmit data about user (or stored data) for malicious purpose.<br />
<br />
*(?? What guidelines could be provided to developers)<br />
U*ser education on using due diligence while installing third party applications on mobile devices<br />
<br />
'''D. Provide or use an existing reporting channel for phishing from apps '''<br />
<br />
(e.g. if you are a browser plugin developer). //APWG? Can we recommend one?</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Draft&diff=118996OWASP Mobile Security Project Platform Specific Guidance Draft2011-10-13T08:55:54Z<p>Dancornell: </p>
<hr />
<div>{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|Local Storage<br />
|-<br />
|colspan="4"|Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized. <br />
* Where can applications store local data on the device?<br />
* What formats are allowed?<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications. <br />
* Apple overview page on [http://developer.apple.com/technologies/ios/data-management.html iOS Data Management]<br />
* Apple information about File and the Filesystem on iOS<br />
* Apple information about Shared files<br />
* Apple information about Protected files<br />
* Apple's Introduction to Property Lists<br />
||Android applications have a variety of local storage options. They can store files in both internal storage that will be protected by the default Android/Linux permissions model that segregates access to application files via Linux file/group permissions or external storage on an SD card that will not be covered by those protections. Unless there are special circumstances, files should be created with Context.MODE_PRIVATE or Context.MODE_APPEND, which will use Linux permissions to make them readable and writable only to the application that created the file (and the root user on rooted devices). Files that are created using the Context.MODE_WORLD_READABLE can be read by other applications and should not be used to store data that a malicious application should not have access to. Files that are created using the Context.MODE_WORLD_WRITABLE can be written to by other applications and data read from these files should not be trusted. In addition, Android applications can create SQLite databases for storing application information. Also, Shared Preferences can be used to store key/value data. Finally, Content Providers can be used to store data for a given application as well as for sharing with other applications. <br />
* Android documentation on Data Storage<br />
* Android Javadoc for Context.openFileOutput() describing file permission options<br />
||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Draft&diff=118995OWASP Mobile Security Project Platform Specific Guidance Draft2011-10-13T08:47:59Z<p>Dancornell: </p>
<hr />
<div>{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|Local Storage<br />
|-<br />
|colspan="4"|Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized. <br />
* Where can applications store local data on the device?<br />
* What formats are allowed?<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications. <br />
* Apple overview page on iOS Data Management<br />
* Apple information about File and the Filesystem on iOS<br />
* Apple information about Shared files<br />
* Apple information about Protected files<br />
* Apple's Introduction to Property Lists<br />
||Android applications have a variety of local storage options. They can store files in both internal storage that will be protected by the default Android/Linux permissions model that segregates access to application files via Linux file/group permissions or external storage on an SD card that will not be covered by those protections. Unless there are special circumstances, files should be created with Context.MODE_PRIVATE or Context.MODE_APPEND, which will use Linux permissions to make them readable and writable only to the application that created the file (and the root user on rooted devices). Files that are created using the Context.MODE_WORLD_READABLE can be read by other applications and should not be used to store data that a malicious application should not have access to. Files that are created using the Context.MODE_WORLD_WRITABLE can be written to by other applications and data read from these files should not be trusted. In addition, Android applications can create SQLite databases for storing application information. Also, Shared Preferences can be used to store key/value data. Finally, Content Providers can be used to store data for a given application as well as for sharing with other applications. <br />
* Android documentation on Data Storage<br />
* Android Javadoc for Context.openFileOutput() describing file permission options<br />
||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|GUIDANCE TITLE<br />
|-<br />
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-valign="top"<br />
|IOS TEXT||ANDROID TEXT||R<br />
I<br />
<br />
S<br />
<br />
K<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
||<br />
C<br />
<br />
O<br />
<br />
N<br />
<br />
T<br />
<br />
R<br />
<br />
O<br />
<br />
L<br />
<br />
<br />
1<br />
<br />
2<br />
<br />
3<br />
<br />
4<br />
<br />
5<br />
<br />
6<br />
<br />
7<br />
<br />
8<br />
<br />
9<br />
<br />
10<br />
<br />
|}</div>Dancornellhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Draft&diff=118994OWASP Mobile Security Project Platform Specific Guidance Draft2011-10-13T08:35:13Z<p>Dancornell: Created page with "{| border="1" cellpadding="5" cellspacing="0" |- |colspan="4"|Application Permission Model |- |colspan="4"|Description of application permission model |- |iOS||Android||colspan="..."</p>
<hr />
<div>{| border="1" cellpadding="5" cellspacing="0"<br />
|-<br />
|colspan="4"|Application Permission Model<br />
|-<br />
|colspan="4"|Description of application permission model<br />
|-<br />
|iOS||Android||colspan="2"|Mappings<br />
|-<br />
|iOS text||Android text||RISK||CONTROL<br />
|}</div>Dancornellhttps://wiki.owasp.org/index.php?title=Category:OWASP_Open_Review_Project&diff=115805Category:OWASP Open Review Project2011-08-16T21:00:54Z<p>Dancornell: </p>
<hr />
<div>{{Template:Inactive Projects}}<br />
<br />
[[:Category:OWASP Project|Click here to return to OWASP Projects page.]]<br><br />
[[:Project Information:template Open Review Project|Click here to see (& edit, if wanted) the template.]] <br />
{{:Project Information:template Open Review Project}}<br />
[[Category:OWASP Project|Open Review Project]]<br />
<br />
== Overview ==<br />
We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones. Open source is everywhere.<br />
<br />
The OWASP Open Review Project (ORPRO) exists to act as a resource providing automated static analysis of OWASP projects.<br />
<br />
Fortify Software has made their [https://www.fortify.com/products/fortify-on-demand/index.html Fortify on Demand (FoD) technology] available to OWASP projects at [http://owasp.fortifyondemand.com owasp.fortifyondemand.com].<br />
<br />
== Project Goals ==<br />
* Provide an independent security review of OWASP projects with a record of what has been reviewed and by whom in order to best communicate the security state of the projects. At the current time this includes automated review of OWASP project code<br />
* Engage in responsible disclosure of any security vulnerabilities discovered<br />
<br />
== Project Planning ==<br />
* Settle overlap between OWASP projects: August 2008 (completed)<br />
* Initial tool selection and implementation: September 2008 (completed)<br />
* Roll out automated review capabilities for a limited set of projects: September 2008 (completed)<br />
* First reviews: October 2008<br />
* Shutter original project:June 2011<br />
* Re-start project using Fortify on Demand rather than Fortify SCA: August 2011<br />
<br />
== News ==<br />
* '''5 June 2008''' OWASP ORPRO launched<br />
* '''12 September 2008''' [http://owasp.fortify.com/ owasp.fortify.com] made available as a public beta for automated source code review of open source projects<br />
* '''16 August 2011''' Project re-launched using Fortify on Demand rather than Fortify SCA<br />
<br />
== Get involved ==<br />
We want OWASP project leaders to submit their projects for review. If you run an OWASP project and are interested in participating, please email the mailing list.<br />
<br />
Please go to https://lists.owasp.org/mailman/listinfo/open-review-project to subscribe to the list. You can post to the ORPRO mailing list by emailing [mailto:open-review-project@lists.owasp.org open-review-project@lists.owasp.org].<br />
<br />
== People ==<br />
Project leads: [[User:Dancornell|Dan Cornell]].<br />
<br />
Contributors: [http://www.fortify.com Fortify Software] has generously made their Fortify on Demand (FoD) technology available for use by OWASP projects at [http://owasp.fortifyondemand.com/ owasp.fortifyondemand.com].<br />
<br />
[[Category:OWASP Project]]</div>Dancornellhttps://wiki.owasp.org/index.php?title=August_8,_2011&diff=115293August 8, 20112011-08-08T16:04:24Z<p>Dancornell: /* Global Membership Update */</p>
<hr />
<div>OWASP is a non-profit governed according to its [https://www.owasp.org/index.php/About_OWASP#Core_Values mission, ethics, core purpose], and [https://www.owasp.org/images/d/d6/2011-06-OWASP-BYLAWS.pdf bylaws].'''<br>''' <br />
You may listen to the call by calling: 1-866-534-4754, Code: "OWASP" (69277)<br />
<br />
'''MEETING AGENDA'''<br />
<br />
=CALL MEETING TO ORDER=<br />
<br />
=CERTIFY QUORUM=<br />
<br />
=Director Report w/ Kate=<br />
<br />
Vendors - Konik will be maintaining our merchandice in their warehouse and will distribute it upon request. This service is being provided at no cost to OWASP. We are testing this process and monitoring it for effectiveness. OWASP Gear store still maintained by Rocksports. Lulu still our publisher and book distributer, although for large orders, Omnipress may be able to offer better pricing.<br />
<br />
[https://www.owasp.org/images/d/d8/OWASP_071911.pdf GotoMeeting Proposal] vs [https://www.owasp.org/images/d/d9/Webex_proposal.pdf Webex proposal]<br />
<br />
* Monthly Status Report Employees and Contractors Roll-Up <br />
- Report submitted by: Alison [https://www.owasp.org/images/4/41/June_2011_Financials.xlsx June 2011 P&L and Balance Sheet]<br />
<br />
- Report submitted by: Sarah Baso [[August_8,_2011_SB_Report| July 2011 Monthly Status Report]]<br />
<br />
- Report submitted by Kelly<br />
<br />
=Project Manager Report w/Paulo=<br />
* [[August 8, 2011/Project Manager Report|Monthly Status Report]]<br />
<br />
=REPORT OF CHAIRMAN/PRESIDENT=<br />
<br />
- Jeff<br />
<br />
=REPORT OF OTHER OFFICERS=<br />
<br />
- Seba<br />
<br />
- Matt<br />
<br />
- Dave<br />
<br />
- Eoin<br />
<br />
- Tom <br />
<br />
= Committee reports (regular and special) =<br />
<br />
== Global Connections Update ==<br />
<br />
== Global Membership Update ==<br />
* Election started this morning and runs through midnight Central time, Wednesday August 17th<br />
* Major upcoming discussion items for the committee: handling of Barter-In-Trade memberships, outreach to Chapters with the new Chapter Supporter<br />
<br />
== Global Industry Update ==<br />
<br />
== Global Projects Update ==<br />
*[https://docs.google.com/a/owasp.org/present/view?id=dgf8frmh_17c6k3mscj GPC Update Presentation]<br />
<br />
== Global Education Update ==<br />
<br />
== Global Chapters Update ==<br />
* [https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0Ai_clZjtpXPwdEV0cFIySDdMQVhCTnllbHNwbWp4Tmc&hl=en_US&authkey=COX_wIUO Global Chapters Committee Budget] -- $42,425.33 of $50,000 remaining ($7,574.67 spent)<br />
<br />
== Global Conferences Update ==<br />
[https://docs.google.com/present/edit?id=0AcFE6Oyqbn2cZGhmY3Qyc2NfNzFjcnFzOWcy&hl=en_US&authkey=CILmm9UG Committee Update Presentation]<br />
*[https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0AsFE6Oyqbn2cdG5OZG1wb04zWXNsV1llOEhyUjA5WFE&hl=en_US Global Conferences Committee Budget] -- $20,255.42 of $38,000 remaining ($17,744.58 spent)<br />
* Request additional $5000 funding for Conference Support and Schwag<br />
<br />
=OLD BUSINESS=<br />
* [https://www.owasp.org/index.php/OWASP_Board_Meetings Unfinished Business]<br />
<br />
=NEW BUSINESS=<br />
<br />
* Board Vote Required:<br />
<br />
Yes/No Will LACSON be grated exception from Conference Committee Oversight<br />
<br />
* Board Vote Required<br />
<br />
Yes/No Will the Foundation allocate $5K - $10K for [https://www.owasp.org/images/1/1e/Website_design.pdf OWASP Brochure Website - Design Funding]<br />
<br />
=SET DATE FOR NEXT MEETING=<br />
<br />
=ADJOURNMENT=</div>Dancornellhttps://wiki.owasp.org/index.php?title=August_8,_2011&diff=115292August 8, 20112011-08-08T16:02:03Z<p>Dancornell: /* Global Membership Update */</p>
<hr />
<div>OWASP is a non-profit governed according to its [https://www.owasp.org/index.php/About_OWASP#Core_Values mission, ethics, core purpose], and [https://www.owasp.org/images/d/d6/2011-06-OWASP-BYLAWS.pdf bylaws].'''<br>''' <br />
You may listen to the call by calling: 1-866-534-4754, Code: "OWASP" (69277)<br />
<br />
'''MEETING AGENDA'''<br />
<br />
=CALL MEETING TO ORDER=<br />
<br />
=CERTIFY QUORUM=<br />
<br />
=Director Report w/ Kate=<br />
<br />
Vendors - Konik will be maintaining our merchandice in their warehouse and will distribute it upon request. This service is being provided at no cost to OWASP. We are testing this process and monitoring it for effectiveness. OWASP Gear store still maintained by Rocksports. Lulu still our publisher and book distributer, although for large orders, Omnipress may be able to offer better pricing.<br />
<br />
[https://www.owasp.org/images/d/d8/OWASP_071911.pdf GotoMeeting Proposal] vs [https://www.owasp.org/images/d/d9/Webex_proposal.pdf Webex proposal]<br />
<br />
* Monthly Status Report Employees and Contractors Roll-Up <br />
- Report submitted by: Alison [https://www.owasp.org/images/4/41/June_2011_Financials.xlsx June 2011 P&L and Balance Sheet]<br />
<br />
- Report submitted by: Sarah Baso [[August_8,_2011_SB_Report| July 2011 Monthly Status Report]]<br />
<br />
- Report submitted by Kelly<br />
<br />
=Project Manager Report w/Paulo=<br />
* [[August 8, 2011/Project Manager Report|Monthly Status Report]]<br />
<br />
=REPORT OF CHAIRMAN/PRESIDENT=<br />
<br />
- Jeff<br />
<br />
=REPORT OF OTHER OFFICERS=<br />
<br />
- Seba<br />
<br />
- Matt<br />
<br />
- Dave<br />
<br />
- Eoin<br />
<br />
- Tom <br />
<br />
= Committee reports (regular and special) =<br />
<br />
== Global Connections Update ==<br />
<br />
== Global Membership Update ==<br />
* Election started this morning and runs through midnight Central time, Wednesday August 17th<br />
<br />
== Global Industry Update ==<br />
<br />
== Global Projects Update ==<br />
*[https://docs.google.com/a/owasp.org/present/view?id=dgf8frmh_17c6k3mscj GPC Update Presentation]<br />
<br />
== Global Education Update ==<br />
<br />
== Global Chapters Update ==<br />
* [https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0Ai_clZjtpXPwdEV0cFIySDdMQVhCTnllbHNwbWp4Tmc&hl=en_US&authkey=COX_wIUO Global Chapters Committee Budget] -- $42,425.33 of $50,000 remaining ($7,574.67 spent)<br />
<br />
== Global Conferences Update ==<br />
[https://docs.google.com/present/edit?id=0AcFE6Oyqbn2cZGhmY3Qyc2NfNzFjcnFzOWcy&hl=en_US&authkey=CILmm9UG Committee Update Presentation]<br />
*[https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0AsFE6Oyqbn2cdG5OZG1wb04zWXNsV1llOEhyUjA5WFE&hl=en_US Global Conferences Committee Budget] -- $20,255.42 of $38,000 remaining ($17,744.58 spent)<br />
* Request additional $5000 funding for Conference Support and Schwag<br />
<br />
=OLD BUSINESS=<br />
* [https://www.owasp.org/index.php/OWASP_Board_Meetings Unfinished Business]<br />
<br />
=NEW BUSINESS=<br />
<br />
* Board Vote Required:<br />
<br />
Yes/No Will LACSON be grated exception from Conference Committee Oversight<br />
<br />
* Board Vote Required<br />
<br />
Yes/No Will the Foundation allocate $5K - $10K for [https://www.owasp.org/images/1/1e/Website_design.pdf OWASP Brochure Website - Design Funding]<br />
<br />
=SET DATE FOR NEXT MEETING=<br />
<br />
=ADJOURNMENT=</div>Dancornellhttps://wiki.owasp.org/index.php?title=July_11,_2011&diff=113712July 11, 20112011-07-11T15:44:22Z<p>Dancornell: /* Global Membership Update */</p>
<hr />
<div>== Roll call ==<br />
<br />
Board of Directors (Jeff, Tom, Dave, Seba, Matt, Eoin)<br />
<br />
[https://docs.google.com/a/owasp.org/document/d/1VMwYrP6owtZ-SchBxUcWTIF-ITvzUX8PjUkLPwr2ipg/edit?hl=en_US&authkey=CIGTx5sD To track and record mins., of this meeting via your @OWASP account]<br />
<br />
== [https://docs.google.com/a/owasp.org/document/d/1VD9ZHEwht9tmM8FKEQ6DBrtmL_gTAhSSnQhiFXYkJ7I/edit?hl=en_US&authkey=CIavkP4B# Reading and approval of prior month meeting minutes] ==<br />
<br />
== Finance Report ==<br />
<br />
Report Submitted by: Alison<br />
<br />
[https://www.owasp.org/index.php/File:May_2011_Financials.xlsx May 2011 P&L and Balance Sheet]<br />
<br />
[https://www.owasp.org/index.php/File:2011_Numbers_july_11.xlsx Budget Summary]<br />
<br />
[https://www.owasp.org/index.php/About_OWASP#Tax_Filings Status 2010 3rd Party Audit Report] - Follow up completed, final report pending<br />
<br />
[https://www.owasp.org/index.php/About_OWASP#Tax_Filings Status 2010 Tax Filing] - TBD<br />
<br />
= Committee reports (regular and special) =<br />
<br />
== Global Connections Update ==<br />
<br />
== Global Membership Update ==<br />
*Membership Model 3.0 pushed [https://www.owasp.org/index.php/Membership live]<br />
*Need to discuss treatment of Honorary Memberships and the upcoming election (per vote requested by Seba) - [https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0Ag5ZloRZ0SmjdElOeE82X25PbmdUX2lPcnZVanhFTFE&hl=en_US#gid=0 See List]<br />
*Other election notes<br />
<br />
== Global Industry Update ==<br />
*[https://spreadsheets.google.com/spreadsheet/ccc?key=0ApZ9zE0hx0LNdHp5VE02V1hDdkFtamwwUzBMdE90b0E&hl=en_US 2011 Meeting Attendance Records]<br />
*[https://spreadsheets.google.com/spreadsheet/ccc?key=0ApZ9zE0hx0LNdEpRbVhBUEljMGpLNnVJa0FHeWZwMkE&hl=en_US&authkey=CPjLgdwNGlobal Industry Committee Budget] -- $39,259.24 of $49,000 remaining ($9740.76 spent)<br />
<br />
== Global Projects Update ==<br />
* [https://docs.google.com/a/owasp.org/present/edit?id=dgf8frmh_16d8vw3sgn GPC Update Presentation] (contains accomplishments, initiatives awaiting Board action, budget update, and future plans)<br />
* [http://sl.owasp.org/gpcws-jun11-proceedings Working Session Proceedings] (48 pages) available<br />
** Includes background on working session planning, budget, agenda, artifacts, lessons learned, future plans<br />
** Final [http://sl.owasp.org/gpc-budget budget impact]: $5,614.09 (original budget: $6,350; 11.5% ''under'' budget)<br />
* [http://sl.owasp.org/gpcws-jun11-projects-handbook Projects Handbook] open for [https://www.google.com/moderator/?authuser=1#16/e=9e1ca community review] (email request for comments to go out this week)<br />
* <span style="color:red">''Waiting for signed SourceForge contract'' from Board</span><br />
* Current list of all [https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0Ag5ZloRZ0SmjdElOeE82X25PbmdUX2lPcnZVanhFTFE&hl=en_US#gid=0 project leaders]<br />
<br />
== Global Education Update ==<br />
<br />
== Global Chapters Update ==<br />
*[https://spreadsheets.google.com/spreadsheet/ccc?key=0ApZ9zE0hx0LNdElNOHRwN1hZZzVyNXBBV2JYdWdfbnc&hl=en_US 2011 Meeting Attendance Records]<br />
* [https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0Ai_clZjtpXPwdEV0cFIySDdMQVhCTnllbHNwbWp4Tmc&hl=en_US&authkey=COX_wIUO Global Chapters Committee Budget] -- $46,282.71 of $50,000 remaining ($3717.29 spent)<br />
<br />
== Global Conferences Update ==<br />
[https://docs.google.com/present/edit?id=0AcFE6Oyqbn2cZGhmY3Qyc2NfNzBwM2txbXFmMw&hl=en_US&authkey=COqo-_kF GCC Update Presentation]<br />
<br />
*[https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdE9TTmZsN29JTXZramo4MkdweWxLZ0E&hl=en_US 2011 Meeting Attendance Records]<br />
*[https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0AsFE6Oyqbn2cdG5OZG1wb04zWXNsV1llOEhyUjA5WFE&hl=en_US Global Conferences Committee Budget] -- $25,965.43 of $38,000 remaining ($12,034.57 spent)<br />
<br />
==='''BOARD VOTE REQUESTED'''===<br />
'''Conferences/Chapters Responsibility Split'''<br />
* [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNYjVhZTExZTAtNjY0Ny00OGJhLTliNTgtOTVjZjkxYzU5ZjIw&hl=en_US New Policy for Local/Regional events as agreed upon by both the Conferences and Chapters Committees]<br />
* [https://docs.google.com/a/owasp.org/document/d/1gHQU5Oy3xHgvkLq70oDZb2dgsMWgf1YdxcUHECk1yb8/edit?hl=en_US 8-July-2011 Email to Board requesting Vote and including arguments from each side]<br />
*WHAT IS BEING REQUESTED OF THE BOARD:<br />
**If you are in favor of using a required fee as a criteria for committee responsibility determination vote YEA<br />
**If you do not believe that requiring a fee as a criteria for committee responsibility determination is appropriate vote NO<br />
<br />
<br />
==Special==<br />
<br />
*[[July_11,_2011_SB_Report| Sarah Baso - Report of Activities for May and June 2011]]<br />
<br />
*Website budget allocation - https://www.owasp.org/index.php/RFO_Web_Design<br />
<br />
<br />
= Old/unfinished business =<br />
<br />
Vote to adopt Jeff Williams - June 3rd [https://docs.google.com/a/owasp.org/document/d/1ea4jWVDziLcZMTJUC5qW5psWYROpB-oPlqyl4Ei2xHA/edit?hl=en_US&authkey=CKycuTY Proposed OWASP Platform model]<br />
<br />
<br />
OWASP [https://lists.owasp.org/pipermail/committees-chairs/2011-June/000160.html LatAm Tour] 22 registrations for Argentina<br />
<br />
Global Committee Consolidation - Observations and Recommendations submitted 10-Jun via email.<br />
<br />
Proposal made to consolidate Global Committees to 3: Conferences, Chapters, and Projects<br />
<br />
Education, Industry, Connections, and Membership committees would be restructured into task forces which emerge from ecosystems as focused working groups with a budget and a charter to meet a predefined goal.<br />
<br />
<br />
== New business ==<br />
<br />
Seba:<br />
<br />
* New contract Sarah, (re)negotiation Paulo, status Larry<br />
<br />
* Voting Rights for Chapter/Project Leader:<br />
<br />
Dave - Yes; Eoin - open vote to all; Jeff - yes, and make them honorary members; Tom - Yes; Matt - yes; Seba - yes<br />
<br />
So, board vote to allow chapter/project leaders to vote is affirmative.<br />
<br />
Continued vote - do we reinstate the "honorary memberships" as well<br />
<br />
Kate<br />
<br />
* Konik (vendor) will warehouse and ship (provide fulfillment services) approved merchandise at no additional cost (other than shipping) to addresses for approved events. This will eliminate the need for storage and will provided better accounting and tracking.<br />
<br />
OWASP Contact Us Status [https://www.owasp.org/images/d/d5/Inquiry_report.pdf Report]<br />
<br />
<br />
Martin:<br />
* 3rd party envolvement, how to tread free service offers as <br />
**Innovation Security's OWASP TeamMentor<br />
**Hacking-Labs <br />
- What can we offer in means in agreement<br><br />
- Sponsorship for free services to OWASP?<br />
*OWASP European Store, shipping small amounts to European chapters is inefficient.<br />
** I have offered to make space available for OWASP goodies to be stored so they can be shipped around cheaper<br />
** aprovement for shipping and shipping through required / needed?<br />
** Kate as Single Point of Contact, can forward requests to me to send through from NL<br />
<br />
== Closing ==</div>Dancornellhttps://wiki.owasp.org/index.php?title=July_11,_2011&diff=113705July 11, 20112011-07-11T15:29:58Z<p>Dancornell: /* Global Membership Update */</p>
<hr />
<div>== Roll call ==<br />
<br />
Board of Directors (Jeff, Tom, Dave, Seba, Matt, Eoin)<br />
<br />
[https://docs.google.com/a/owasp.org/document/d/1Zc5Rf0AwfN_vA80SMKpr_SS0xGGA2N13AgaVUIVswiM/edit?hl=en_US To track and record mins., of this meeting via your @OWASP account]<br />
<br />
== Reading and approval of prior month meeting minutes ==<br />
<br />
<br />
== Finance Report ==<br />
<br />
Report Submitted by: Alison<br />
<br />
[https://www.owasp.org/index.php/File:May_2011_Financials.xlsx May 2011 P&L and Balance Sheet]<br />
<br />
[https://www.owasp.org/index.php/File:2011_Numbers_july_11.xlsx Budget Summary]<br />
<br />
[https://www.owasp.org/index.php/About_OWASP#Tax_Filings Status 2010 3rd Party Audit Report] - Follow up completed, final report pending<br />
<br />
[https://www.owasp.org/index.php/About_OWASP#Tax_Filings Status 2010 Tax Filing] - TBD<br />
<br />
= Committee reports (regular and special) =<br />
<br />
== Global Connections Update ==<br />
<br />
== Global Membership Update ==<br />
*Membership Model 3.0 pushed live<br />
*Need to discuss treatment of Honorary Memberships and the upcoming election (per vote requested by Seba)<br />
*Other election notes<br />
<br />
== Global Industry Update ==<br />
*[https://spreadsheets.google.com/spreadsheet/ccc?key=0ApZ9zE0hx0LNdHp5VE02V1hDdkFtamwwUzBMdE90b0E&hl=en_US 2011 Meeting Attendance Records]<br />
*[https://spreadsheets.google.com/spreadsheet/ccc?key=0ApZ9zE0hx0LNdEpRbVhBUEljMGpLNnVJa0FHeWZwMkE&hl=en_US&authkey=CPjLgdwNGlobal Industry Committee Budget] -- $39,259.24 of $49,000 remaining ($9740.76 spent)<br />
<br />
== Global Projects Update ==<br />
* [https://docs.google.com/a/owasp.org/present/edit?id=dgf8frmh_16d8vw3sgn GPC Update Presentation] (contains accomplishments, initiatives awaiting Board action, budget update, and future plans)<br />
* [http://sl.owasp.org/gpcws-jun11-proceedings Working Session Proceedings] (48 pages) available<br />
** Includes background on working session planning, budget, agenda, artifacts, lessons learned, future plans<br />
** Final [http://sl.owasp.org/gpc-budget budget impact]: $5,614.09 (original budget: $6,350; 11.5% ''under'' budget)<br />
* [http://sl.owasp.org/gpcws-jun11-projects-handbook Projects Handbook] open for [https://www.google.com/moderator/?authuser=1#16/e=9e1ca community review] (email request for comments to go out this week)<br />
* <span style="color:red">''Waiting for signed SourceForge contract'' from Board</span><br />
<br />
== Global Education Update ==<br />
<br />
== Global Chapters Update ==<br />
*[https://spreadsheets.google.com/spreadsheet/ccc?key=0ApZ9zE0hx0LNdElNOHRwN1hZZzVyNXBBV2JYdWdfbnc&hl=en_US 2011 Meeting Attendance Records]<br />
* [https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0Ai_clZjtpXPwdEV0cFIySDdMQVhCTnllbHNwbWp4Tmc&hl=en_US&authkey=COX_wIUO Global Chapters Committee Budget] -- $46,282.71 of $50,000 remaining ($3717.29 spent)<br />
<br />
== Global Conferences Update ==<br />
[https://docs.google.com/present/edit?id=0AcFE6Oyqbn2cZGhmY3Qyc2NfNzBwM2txbXFmMw&hl=en_US&authkey=COqo-_kF GCC Update Presentation]<br />
<br />
*[https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdE9TTmZsN29JTXZramo4MkdweWxLZ0E&hl=en_US 2011 Meeting Attendance Records]<br />
*[https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0AsFE6Oyqbn2cdG5OZG1wb04zWXNsV1llOEhyUjA5WFE&hl=en_US Global Conferences Committee Budget] -- $25,965.43 of $38,000 remaining ($12,034.57 spent)<br />
<br />
==='''BOARD VOTE REQUESTED'''===<br />
'''Conferences/Chapters Responsibility Split'''<br />
* [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNYjVhZTExZTAtNjY0Ny00OGJhLTliNTgtOTVjZjkxYzU5ZjIw&hl=en_US New Policy for Local/Regional events as agreed upon by both the Conferences and Chapters Committees]<br />
* [https://docs.google.com/a/owasp.org/document/d/1gHQU5Oy3xHgvkLq70oDZb2dgsMWgf1YdxcUHECk1yb8/edit?hl=en_US 8-July-2011 Email to Board requesting Vote and including arguments from each side]<br />
*WHAT IS BEING REQUESTED OF THE BOARD:<br />
**If you are in favor of using a required fee as a criteria for committee responsibility determination vote YEA<br />
**If you do not believe that requiring a fee as a criteria for committee responsibility determination is appropriate vote NO<br />
<br />
<br />
==Special==<br />
<br />
*[[July_11,_2011_SB_Report| Sarah Baso - Report of Activities for May and June 2011]]<br />
<br />
*Website budget allocation - https://www.owasp.org/index.php/RFO_Web_Design<br />
<br />
<br />
= Old/unfinished business =<br />
<br />
Vote to adopt Jeff Williams - June 3rd [https://docs.google.com/a/owasp.org/document/d/1ea4jWVDziLcZMTJUC5qW5psWYROpB-oPlqyl4Ei2xHA/edit?hl=en_US&authkey=CKycuTY Proposed OWASP Platform model]<br />
<br />
<br />
OWASP [https://lists.owasp.org/pipermail/committees-chairs/2011-June/000160.html LatAm Tour] 22 registrations for Argentina<br />
<br />
Global Committee Consolidation - Observations and Recommendations submitted 10-Jun via email.<br />
<br />
Proposal made to consolidate Global Committees to 3: Conferences, Chapters, and Projects<br />
<br />
Education, Industry, Connections, and Membership committees would be restructured into task forces which emerge from ecosystems as focused working groups with a budget and a charter to meet a predefined goal.<br />
<br />
<br />
== New business ==<br />
<br />
Seba:<br />
<br />
* New contract Sarah, (re)negotiation Paulo, status Larry<br />
<br />
* Voting Rights for Chapter/Project Leader:<br />
<br />
Dave - Yes; Eoin - open vote to all; Jeff - yes, and make them honorary members; Tom - Yes; Matt - yes; Seba - yes<br />
<br />
So, board vote to allow chapter/project leaders to vote is affirmative.<br />
<br />
Continued vote - do we reinstate the "honorary memberships" as well<br />
<br />
Kate<br />
<br />
* Konik (vendor) will warehouse and ship (provide fulfillment services) approved merchandise at no additional cost (other than shipping) to addresses for approved events. This will eliminate the need for storage and will provided better accounting and tracking.<br />
<br />
OWASP Contact Us Status [https://www.owasp.org/images/d/d5/Inquiry_report.pdf Report]<br />
<br />
<br />
Martin:<br />
* 3rd party envolvement, how to tread free service offers as <br />
**Innovation Security's OWASP TeamMentor<br />
**Hacking-Labs <br />
- What can we offer in means in agreement<br><br />
- Sponsorship for free services to OWASP?<br />
*OWASP European Store, shipping small amounts to European chapters is inefficient.<br />
** I have offered to make space available for OWASP goodies to be stored so they can be shipped around cheaper<br />
** aprovement for shipping and shipping through required / needed?<br />
** Kate as Single Point of Contact, can forward requests to me to send through from NL<br />
<br />
== Closing ==</div>Dancornellhttps://wiki.owasp.org/index.php?title=July_11,_2011&diff=113704July 11, 20112011-07-11T15:29:27Z<p>Dancornell: /* Global Membership Update */</p>
<hr />
<div>== Roll call ==<br />
<br />
Board of Directors (Jeff, Tom, Dave, Seba, Matt, Eoin)<br />
<br />
[https://docs.google.com/a/owasp.org/document/d/1Zc5Rf0AwfN_vA80SMKpr_SS0xGGA2N13AgaVUIVswiM/edit?hl=en_US To track and record mins., of this meeting via your @OWASP account]<br />
<br />
== Reading and approval of prior month meeting minutes ==<br />
<br />
<br />
== Finance Report ==<br />
<br />
Report Submitted by: Alison<br />
<br />
[https://www.owasp.org/index.php/File:May_2011_Financials.xlsx May 2011 P&L and Balance Sheet]<br />
<br />
[https://www.owasp.org/index.php/File:2011_Numbers_july_11.xlsx Budget Summary]<br />
<br />
[https://www.owasp.org/index.php/About_OWASP#Tax_Filings Status 2010 3rd Party Audit Report] - Follow up completed, final report pending<br />
<br />
[https://www.owasp.org/index.php/About_OWASP#Tax_Filings Status 2010 Tax Filing] - TBD<br />
<br />
= Committee reports (regular and special) =<br />
<br />
== Global Connections Update ==<br />
<br />
== Global Membership Update ==<br />
-Membership Model 3.0 pushed live<br />
-Need to discuss treatment of Honorary Memberships and the upcoming election (per vote requested by Seba)<br />
-Other election notes<br />
<br />
== Global Industry Update ==<br />
*[https://spreadsheets.google.com/spreadsheet/ccc?key=0ApZ9zE0hx0LNdHp5VE02V1hDdkFtamwwUzBMdE90b0E&hl=en_US 2011 Meeting Attendance Records]<br />
*[https://spreadsheets.google.com/spreadsheet/ccc?key=0ApZ9zE0hx0LNdEpRbVhBUEljMGpLNnVJa0FHeWZwMkE&hl=en_US&authkey=CPjLgdwNGlobal Industry Committee Budget] -- $39,259.24 of $49,000 remaining ($9740.76 spent)<br />
<br />
== Global Projects Update ==<br />
* [https://docs.google.com/a/owasp.org/present/edit?id=dgf8frmh_16d8vw3sgn GPC Update Presentation] (contains accomplishments, initiatives awaiting Board action, budget update, and future plans)<br />
* [http://sl.owasp.org/gpcws-jun11-proceedings Working Session Proceedings] (48 pages) available<br />
** Includes background on working session planning, budget, agenda, artifacts, lessons learned, future plans<br />
** Final [http://sl.owasp.org/gpc-budget budget impact]: $5,614.09 (original budget: $6,350; 11.5% ''under'' budget)<br />
* [http://sl.owasp.org/gpcws-jun11-projects-handbook Projects Handbook] open for [https://www.google.com/moderator/?authuser=1#16/e=9e1ca community review] (email request for comments to go out this week)<br />
* <span style="color:red">''Waiting for signed SourceForge contract'' from Board</span><br />
<br />
== Global Education Update ==<br />
<br />
== Global Chapters Update ==<br />
*[https://spreadsheets.google.com/spreadsheet/ccc?key=0ApZ9zE0hx0LNdElNOHRwN1hZZzVyNXBBV2JYdWdfbnc&hl=en_US 2011 Meeting Attendance Records]<br />
* [https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0Ai_clZjtpXPwdEV0cFIySDdMQVhCTnllbHNwbWp4Tmc&hl=en_US&authkey=COX_wIUO Global Chapters Committee Budget] -- $46,282.71 of $50,000 remaining ($3717.29 spent)<br />
<br />
== Global Conferences Update ==<br />
[https://docs.google.com/present/edit?id=0AcFE6Oyqbn2cZGhmY3Qyc2NfNzBwM2txbXFmMw&hl=en_US&authkey=COqo-_kF GCC Update Presentation]<br />
<br />
*[https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdE9TTmZsN29JTXZramo4MkdweWxLZ0E&hl=en_US 2011 Meeting Attendance Records]<br />
*[https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0AsFE6Oyqbn2cdG5OZG1wb04zWXNsV1llOEhyUjA5WFE&hl=en_US Global Conferences Committee Budget] -- $25,965.43 of $38,000 remaining ($12,034.57 spent)<br />
<br />
==='''BOARD VOTE REQUESTED'''===<br />
'''Conferences/Chapters Responsibility Split'''<br />
* [https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNYjVhZTExZTAtNjY0Ny00OGJhLTliNTgtOTVjZjkxYzU5ZjIw&hl=en_US New Policy for Local/Regional events as agreed upon by both the Conferences and Chapters Committees]<br />
* [https://docs.google.com/a/owasp.org/document/d/1gHQU5Oy3xHgvkLq70oDZb2dgsMWgf1YdxcUHECk1yb8/edit?hl=en_US 8-July-2011 Email to Board requesting Vote and including arguments from each side]<br />
*WHAT IS BEING REQUESTED OF THE BOARD:<br />
**If you are in favor of using a required fee as a criteria for committee responsibility determination vote YEA<br />
**If you do not believe that requiring a fee as a criteria for committee responsibility determination is appropriate vote NO<br />
<br />
<br />
==Special==<br />
<br />
*[[July_11,_2011_SB_Report| Sarah Baso - Report of Activities for May and June 2011]]<br />
<br />
*Website budget allocation - https://www.owasp.org/index.php/RFO_Web_Design<br />
<br />
<br />
= Old/unfinished business =<br />
<br />
Vote to adopt Jeff Williams - June 3rd [https://docs.google.com/a/owasp.org/document/d/1ea4jWVDziLcZMTJUC5qW5psWYROpB-oPlqyl4Ei2xHA/edit?hl=en_US&authkey=CKycuTY Proposed OWASP Platform model]<br />
<br />
<br />
OWASP [https://lists.owasp.org/pipermail/committees-chairs/2011-June/000160.html LatAm Tour] 22 registrations for Argentina<br />
<br />
Global Committee Consolidation - Observations and Recommendations submitted 10-Jun via email.<br />
<br />
Proposal made to consolidate Global Committees to 3: Conferences, Chapters, and Projects<br />
<br />
Education, Industry, Connections, and Membership committees would be restructured into task forces which emerge from ecosystems as focused working groups with a budget and a charter to meet a predefined goal.<br />
<br />
<br />
== New business ==<br />
<br />
Seba:<br />
<br />
* New contract Sarah, (re)negotiation Paulo, status Larry<br />
<br />
* Voting Rights for Chapter/Project Leader:<br />
<br />
Dave - Yes; Eoin - open vote to all; Jeff - yes, and make them honorary members; Tom - Yes; Matt - yes; Seba - yes<br />
<br />
So, board vote to allow chapter/project leaders to vote is affirmative.<br />
<br />
Continued vote - do we reinstate the "honorary memberships" as well<br />
<br />
Kate<br />
<br />
* Konik (vendor) will warehouse and ship (provide fulfillment services) approved merchandise at no additional cost (other than shipping) to addresses for approved events. This will eliminate the need for storage and will provided better accounting and tracking.<br />
<br />
OWASP Contact Us Status [https://www.owasp.org/images/d/d5/Inquiry_report.pdf Report]<br />
<br />
<br />
Martin:<br />
* 3rd party envolvement, how to tread free service offers as <br />
**Innovation Security's OWASP TeamMentor<br />
**Hacking-Labs <br />
- What can we offer in means in agreement<br><br />
- Sponsorship for free services to OWASP?<br />
*OWASP European Store, shipping small amounts to European chapters is inefficient.<br />
** I have offered to make space available for OWASP goodies to be stored so they can be shipped around cheaper<br />
** aprovement for shipping and shipping through required / needed?<br />
** Kate as Single Point of Contact, can forward requests to me to send through from NL<br />
<br />
== Closing ==</div>Dancornellhttps://wiki.owasp.org/index.php?title=June_6,_2011&diff=112523June 6, 20112011-06-20T15:42:37Z<p>Dancornell: /* Global Membership Update */</p>
<hr />
<div>Meeting rescheduled for 6/20/2011<br />
<br />
== Roll call ==<br />
<br />
Board of Directors (Jeff, Tom, Dave, Seba, Matt, Eoin)<br />
<br />
To track and record mins., of this meeting via your @OWASP account [https://docs.google.com/a/owasp.org/document/d/1VD9ZHEwht9tmM8FKEQ6DBrtmL_gTAhSSnQhiFXYkJ7I/edit?hl=en_US&authkey=CIavkP4B Click Here] <br />
<br />
== Reading and approval of prior month meeting minutes ==<br />
<br />
[https://www.owasp.org/index.php/Minutes_May_2,_2011 May 2nd meeting mins]<br />
<br />
== Finance Report ==<br />
<br />
Report Submitted by: Alison<br />
[https://www.owasp.org/images/5/5c/April_2011_Financials.xlsx April 2011 P&L and Balance Sheet]<br />
<br />
[https://www.owasp.org/index.php/About_OWASP#Tax_Filings Status 2010 3rd Party Audit Report] - TBD<br />
<br />
[https://www.owasp.org/index.php/About_OWASP#Tax_Filings Status 2010 Tax Filing] - TBD<br />
<br />
= Committee reports (regular and special) =<br />
<br />
Seba - International OWASP Foundation EU - Update<br />
<br />
== Global Connections Update ==<br />
http://www.owasp.org/index.php/OWASP_Connections_Committee<br />
<br />
== Global Membership Update ==<br />
http://www.owasp.org/index.php/Global_Membership_Committee<br />
<br />
Notes for June Board Meeting [https://docs.google.com/a/owasp.org/document/d/1oLwPAVS6NOwzEM3k5ZOBkbL6wKXReTTf99Dtc2cupqY/edit?hl=en_US]<br />
<br />
Membership [https://lists.owasp.org/pipermail/global_membership_committee/2011-June/000565.html report] 2-June<br />
<br />
Total Individual Members - [https://www.owasp.org/index.php/Membership/members Click Here]<br />
<br />
== Global Industry Update ==<br />
[[Media:GIC_update_4_29_2011.pdf| Global Industry Committee]] - none<br />
<br />
[https://docs.google.com/a/owasp.org/document/d/1WTTmmpc2bx3IZ9f5zU2ubTG_BrCxxrXzVHnUQUIzAWI/edit?hl=en_US Industry Outreach Notes from AppSec EU]<br />
<br />
== Global Projects Update ==<br />
* GPC [https://docs.google.com/present/view?id=dgf8frmh_12hm95qcg9 update]<br />
* Project Hosting Infrastructure [http://sl.owasp.org/project-hosting-rfp RFP]<br />
<br />
* OWASP Website<br />
**[https://www.owasp.org/index.php/RFO_and_hosting_information Request for OPEN Quotations (RFO-Q) For Dedicated Hosting Requirements - Update Matt T.]<br />
**NING [http://my.owasp.org http://my.owasp.org] updated status<br />
<br />
* Recent accomplishments [https://www.owasp.org/index.php/June_6,_2011/Project_Manager%27s_Report Status Report by Paulo] and Future Goals<br />
<br />
== Global Education Update ==<br />
http://www.owasp.org/index.php/Global_Education_Committee<br />
* University contacts<br />
**zaki's success with another university supporter<br />
** Kuai's successes (I only know from word) in the US (Tom was involved?)<br />
* Partner effort<br />
** in contact with a European Goverment sponsored initiative of European Universities goal is the creation of an Euorpean standarized security curriculum<br />
** In contact with ENISA: discussing possibilities to join Education Project efforts (conference call planned for next week)<br />
** In negotiation with Hacking-Labs (https://www.hacking-lab.com/) they want to offer free usage of teh "Hacking-Labs Remote" services question I am currently try to work out, on what base we can make this happen (would be a great push for the OWASP Academy Portal (OWASP)<br />
** renewed contact with Security Innovations about using (and linkin) the OWASP TeamMentor with the OWASP Academy Portal<br />
<br />
== Global Chapters Update ==<br />
[[Media:Chapters_update_April2011.pdf| Global Chapters Committee]]<br />
<br />
[[Global Chapter Committee/Meetings/May 2011|Meeting minutes may Meeting]]<br />
<br />
OWASP [https://lists.owasp.org/pipermail/committees-chairs/2011-June/000160.html LatAm Tour]<br />
<br />
[https://spreadsheets.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdENJNmo5SmxLcEg3MzVXZG9NVklEdUE&hl=en_US#gid=0 Chapter Health Report]<br />
<br />
[https://docs.google.com/a/owasp.org/document/d/1PrGmwy1pxs2cb4LyewXS4TonbzAY7nORWvj-NJYaEnk/edit?hl=en_US AppSecEU 2011 chapters workshop outcome]<br />
<br />
== Global Conferences Update ==<br />
[https://docs.google.com/present/edit?id=0AcFE6Oyqbn2cZGhmY3Qyc2NfNjlkanBjZ25mMg&hl=en_US&authkey=CLnn4ooG Committee Update Presentation]<br />
<br />
[https://www.owasp.org/images/f/f3/OWASP_Global_Conference_Sponsorships.pdf Global Conference Sponsorship Doc]<br />
<br />
==='''BOARD VOTE REQUESTED'''===<br />
Updates and Changes to Conference Supervision by Committees<br />
<br />
1. Global AppSec Events will remain under the Supervision of the Global Conference Committee.<br />
<br />
2. Partner Events and Outreach (representation) will remain under the Supervision of the Global Conference Committee.<br />
<br />
3. Local and Regional Events will move underneath the umbrella of the Global Chapter Committee.<br />
<br />
Additional Documentation<br />
<br />
[[Rational]] - [[Committee Supervison of Events Rational|Counter Argument]]<br />
<br />
[[Chapter Finance Policy and Procedure]]<br />
<br />
[[OCMS]]<br />
<br />
==='''Counter proposal A'''===<br />
<br />
Updates and Changes to Conference Supervision by Committees (counter proposal)<br />
*Conferences and Chapters will continue their existing roles.<br />
*Conferences will work to bolster support for local events and define events.<br />
[[Committee Supervison of Events Rational]]<br />
<br />
==='''Counter proposal B'''===<br />
#Events expecting over 100 attendees* shall remain under the Supervision of the Global Conference Committee.<br />
#Events expecting less than 100 will move underneath the umbrella of the Global Chapter Committee.<br />
#Partner Events and Outreach (representation) will remain under the Supervision of the Global Conference Committee.<br />
<nowiki>*</nowiki> With the exception of regular chapter meetings which on very few occasions will be larger than this, I believe only NY/NJ has this issue currently<br />
<br />
= Old/unfinished business =<br />
<br />
[https://docs.google.com/a/owasp.org/document/d/1r_hS2ioEBcNOKqmEjSJmlLUOdQEb5qPb_0GU_VU1Arw/edit?hl=en ByLaws]<br />
<br />
[https://docs.google.com/a/owasp.org/document/pub?id=1sFhc0Twbsd5NaQPtkAfGEzcB0vdjuIlW1fA2WFLFCd0 Election Policy] - <br />
Updated - 2011 Election Candidates - [https://www.owasp.org/index.php/Membership/2011Election Click Here]<br />
<br />
OWASP - [https://docs.google.com/a/owasp.org/document/d/1X5uH7vqKH3aqRIBka11N05xFZ2_jddXAkz_8GcVCr_c/edit?hl=en Budgeting thoughts by Matt Tesauro]<br />
<br />
<br />
== New business ==<br />
<br />
OWASP Contact Us Status [https://spreadsheets.google.com/a/owasp.org/spreadsheet/gform?key=0AhtB029bdcxGdFN1R2NIMTNROXN3dml4ZEcxXzJQYXc&hl=en_US&gridId=0#chart Report]<br />
<br />
OWASP Backoffice Systems: RegOnline, Salesforce, Other - Update.<br />
<br />
== Suggestions for the good of OWASP / New Business ==<br />
<br />
Jeff Williams - June 3rd [https://docs.google.com/a/owasp.org/document/d/1ea4jWVDziLcZMTJUC5qW5psWYROpB-oPlqyl4Ei2xHA/edit?hl=en_US&authkey=CKycuTY Proposed OWASP Platform model]<br />
<br />
Tom - Retain 3rd party international global accounting company and provide legal recommendations (heath check) [https://www.owasp.org/images/0/09/OWASP_Finalized_Engagement_Letter_June_20_2011.pdf Proposal] for review of international organization structure 5k<br />
<br />
AppSecEU Good of OWASP Feedback<br />
-Remove conflict of interest from global committees limiting (1) member per company as part of application process and governance<br />
-OWASP Website project update: [https://www.owasp.org/index.php/Talk:Summit_2011_Working_Sessions/Session023#On_Designs.2C_Layout_and_Standards project] activities in-progress [https://lists.owasp.org/pipermail/owasp-website/ Mailing List] <br />
-Experiment status with NING see: [http://www.my.owasp.org http://my.owasp.org] 135 site members, [http://myowasp.ning.com/forum Fourms], [http://myowasp.ning.com/profiles/blog/list Blogs]<br />
-Global Committee Consolidation - Observations and Recommendations submitted 10-Jun via email.<br />
<br />
Eoin<br />
<br />
Seba<br />
<br />
Matt<br />
<br />
Dave<br />
<br />
== Closing ==<br />
<br />
Next meeting date/time</div>Dancornellhttps://wiki.owasp.org/index.php?title=AppSecEU_2011_chapters_workshop_agenda&diff=111964AppSecEU 2011 chapters workshop agenda2011-06-09T13:40:06Z<p>Dancornell: /* Participants */</p>
<hr />
<div>As part of [[AppSecEU2011]] On '''June 9, 14h40-17h20''' we organize a chapter leader workshop for all the chapter leaders that attend the conference.<br />
<br />
Items that need discussion are:<br />
* How to improve the current Chapter Leader Handbook?<br />
* How to start new chapters within Europe?<br />
* How to support inactive chapters within Europe?<br />
* What Governance model is required for OWASP chapters?<br />
* How can the global chapters committee facilitate the European chapters?<br />
* ...<br />
<br />
<br />
== Agenda ==<br />
Proposed agenda (open for discussion):<br />
<br />
{| border="0" align="center" style="width: 80%;"<br />
|-<br />
! align="center" colspan="3" | Trinity College - Arts Building room 3126<br />
|-<br />
| style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 15%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | 14:40 - 14:55 <br />
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 75%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="2" | Welcome and roundtable<br />
|-<br />
| style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 15%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | 14:55 - 15:25 <br />
| align="center" style="background: rgb(242, 242, 242) none repeat scroll 0% 0%; width: 75%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="2" | '''Handling chapter finances'''<br />
''Introduction & moderation: Seba, Participation: All '' <br />
<br />
Current chapter handbook [[:Chapter Handbook: Managing Money| section]] to be elaborated.<br />
<br />
|-<br />
| style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 15%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | 15:25 - 15:40 <br />
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 75%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="2" | Coffee Break<br />
|-<br />
| style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 15%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | 15:40 - 16:25 <br />
| align="center" style="background: rgb(242, 242, 242) none repeat scroll 0% 0%; width: 75%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="2" | '''Top 10 advice for new and veteran chapter leaders''' <br />
''Introduction & moderation: Seba, Participation: All''<br />
<br />
Create list [https://www.owasp.org/index.php/Talk:AppSecEU_2011_chapters_workshop_agenda upfront and add action, impact and required support] from the chapters committee.<br />
<br />
|-<br />
| style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 15%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | 16:25 - 16:35 <br />
| align="left" style="background: rgb(194, 194, 194) none repeat scroll 0% 0%; width: 75%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="2" | Break<br />
|-<br />
| style="background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 15%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" | 16:35 - 17:20 <br />
| align="center" style="background: rgb(242, 242, 242) none repeat scroll 0% 0%; width: 75%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;" colspan="2" | '''How to cross-pollinate success between EU chapters?'''<br />
''Introduction & moderation: Seba, Participation: All''<br />
<br />
Look for good pollinator mechanisms and [https://www.owasp.org/index.php/Talk:AppSecEU_2011_chapters_workshop_agenda define 7 goals] to be accomplished by AppSecEU 2012 in Greece<br />
<br />
|}<br />
<br />
== Participants ==<br />
<br />
If you plan to attend, please fill in your name and chapter below:<br />
* Tom Brennan, New York / New Jersey chapter<br />
* Seba Deleersnyder, Belgium chapter<br />
* Fabio Cerullo, Ireland chapter<br />
* Justin Clarke, London chapter<br />
* Sebastien Gioria, France chapter - Only 9th June<br />
* Ferdinand Vroom, Netherlands chapter<br />
* Ofer Maor, Israel chapter<br />
* Antonio Fontes, Geneva chapter (Western Switzerland)<br />
* Boris Hemkemeier, German chapter<br />
* Marco Morana, Cincinnati U.S.A. chapter<br />
* Sven Vetsch, Switzerland chapter<br />
* Konstantinos Papapanagiotou, Greek chapter<br />
* Lieven Desmet, Belgium chapter - tentative<br />
* Rory McCune, Scotland chapter<br />
* Marian Ventuneac, Ireland Limerick chapter<br />
* Sarah Baso, Global Chapters Committee Administrator<br />
* Wojciech Dworakowski, Poland Chapter<br />
* Adrian Winckles, (possible Cambridge Chapter)<br />
* Dan Cornell (San Antonio Chapter)<br />
* Martin Knobloch (Netherlands Chapter)<br />
*...<br />
<br />
== Remote participation ==<br />
<br />
There will be WiFi, so we can set up a Skype conference call for people who want to listen in or participate remotely.<br />
<br />
Contact [mailto:seba@owasp.org Seba] with your skype id.<br />
<br />
[[Category:Global_Chapters_Committee]]</div>Dancornellhttps://wiki.owasp.org/index.php?title=GlobalMembershipCommittee_Notes_20110315&diff=108286GlobalMembershipCommittee Notes 201103152011-04-06T17:13:52Z<p>Dancornell: </p>
<hr />
<div>'''Tuesday March 15, 2011''' <br />
<br />
Held via conference line <br />
<br />
'''Attendees''' <br />
<br />
- PRESENT - <br />
<br />
Dan Cornell <br />
<br />
Michael Coates <br />
<br />
Kate Hartmann <br />
<br />
Tony UV <br />
<br />
Helen Gao <br />
<br />
- NOT&nbsp;PRESENT - <br />
<br />
Ofer Maor <br />
<br />
<br> '''Notes''' <br />
<br />
All-committee-chair call was held.&nbsp; Membership-relevant items that came out of that include: <br />
<br />
*The Industry Committee has had folks express a desire for an NDA-like environment where members could discuss issues within OWASP&nbsp;but not have the results of those discussions broadcast.&nbsp; This may be of value, but would need to be reconciled with OWASP's requirement for Openness. <br />
*The Conference Committee is in the process of creating a model for organizations to sign up for a package of sponsorships for conferences throughout the year.&nbsp; We may be able to link Membership with this to accomplish our goal of allowing organizations who want to give more than that $5k USD supporter fee to do so. <br />
*There is talk of creating student chapters and people participating in those chapters would need some sort of membership.&nbsp; This needs to be deconflicted with University Supporters and other educational efforts coming out of OWASP<br />
<br />
Helen spoke with OWASP&nbsp;chatpers around the world: <br />
<br />
*Based on Helen's research talking to parties interested in OWASP&nbsp;around the world, it appears that a $20 Individual Membership fee and a $2000 Organizational Supporter fee is what the market will bear in non-US and non-Western Europe economies (note: Singapore folks appear to be all right with the existing fees of $50 and $5000 respectively). <br />
*However we still need to address the issue of incentives to become a Member/Supporter because the altruistic model promoted to US/Wester European folks does not necessarily have a cultural analog in other parts of the world. <br />
*"Certificates of participation" might be a potential benefit <br />
*We could also partner with other developer and security organizations to try and drive awareness of OWASP&nbsp;membership and participation <br />
*We need to be aware that having foreign organizations pay OWASP&nbsp;might be challenging.&nbsp; Using a personal account (specifically a credit card account) as an intermediary might be an option in some cases.&nbsp; Tax-free contributions to nonprofits are less common in other parts of the world.&nbsp; For example in China most organizations are either State-owned or private - there is less of a concept of non-profits<br />
<br />
Regional Supporters<br> <br />
<br />
*We made a "one-off" deal with a pseudo-government agency in Malaysia to make them an Organizational Supporter for $2k USD. They may be able to additionally donate space, etc.<br />
*We will try to test the waters with this approach and see how it progresses<br />
*Ofer Maor provided a draft model for expanding Regional Supporters and that will be reviewed and discussed at the next meeting<br />
<br />
The list of Organizational and Educational Supporters on the OWASP&nbsp;Membership page is getting a bit crowded.<br />
<br />
*Perhaps create a separate page that is searchable?<br />
*Perhaps move to a model with different levels of support - organizations that gave money versus those that provide other support such as meeting space, etc.<br />
<br />
Ongoing hard question: How does OWASP&nbsp;Membership best provide value to "Industry" members versus "Vendor" members<br />
<br />
*OWASP&nbsp;NDA-like relationship (as mentioned above)<br />
*Need to have more discussions with Industry folks - likely brokered by the Industry Committee<br />
<br />
Plan for using administrative support for OWASP&nbsp;Membership Committee<br />
<br />
*Use same person who is providing support for NY/NJ - will need to provide clear guidance to deconflict and create an actual job description before she starts<br />
*Main thrust - provide consistent "touches" with Organizational Supporters to get feedback from them and maintain more ongoing relationship<br />
<br />
Budget:<br />
<br />
*Administrative support<br />
*Marketing ?<br />
<br />
<br />
<br />
For next meeting:<br />
<br />
*Distill notes from Helen's efforts as well as Ofer's draft Regional Supporter plan</div>Dancornellhttps://wiki.owasp.org/index.php?title=GlobalMembershipCommittee_Notes_20110315&diff=108285GlobalMembershipCommittee Notes 201103152011-04-06T17:01:22Z<p>Dancornell: </p>
<hr />
<div>'''Tuesday March 15, 2011''' <br />
<br />
Held via conference line <br />
<br />
'''Attendees''' <br />
<br />
- PRESENT - <br />
<br />
Dan Cornell <br />
<br />
Michael Coates <br />
<br />
Kate Hartmann <br />
<br />
Tony UV <br />
<br />
Helen Gao <br />
<br />
- NOT&nbsp;PRESENT - <br />
<br />
Ofer Maor <br />
<br />
<br> '''Notes''' <br />
<br />
All-committee-chair call was held.&nbsp; Membership-relevant items that came out of that include: <br />
<br />
*The Industry Committee has had folks express a desire for an NDA-like environment where members could discuss issues within OWASP&nbsp;but not have the results of those discussions broadcast.&nbsp; This may be of value, but would need to be reconciled with OWASP's requirement for Openness. <br />
*The Conference Committee is in the process of creating a model for organizations to sign up for a package of sponsorships for conferences throughout the year.&nbsp; We may be able to link Membership with this to accomplish our goal of allowing organizations who want to give more than that $5k USD supporter fee to do so.<br />
*There is talk of creating student chapters and people participating in those chapters would need some sort of membership.&nbsp; This needs to be deconflicted with University Supporters and other educational efforts coming out of OWASP<br />
<br />
Helen spoke with OWASP&nbsp;chatpers around the world:<br />
<br />
*Based on Helen's research talking to parties interested in OWASP&nbsp;around the world, it appears that a $20 Individual Membership fee and a $2000 Organizational Supporter fee is what the market will bear in non-US and non-Western Europe economies (note: Singapore folks appear to be all right with the existing fees of $50 and $5000 respectively).<br />
*However we still need to address the issue of incentives to become a Member/Supporter because the altruistic model promoted to US/Wester European folks does not necessarily have a cultural analog in other parts of the world.<br />
*"Certificates of participation" might be a potential benefit<br />
*We could also partner with other developer and security organizations to try and drive awareness of OWASP&nbsp;membership and participation<br />
*We need to be aware that having foreign organizations pay OWASP&nbsp;might be challenging.&nbsp; Using a personal account (specifically a credit card account) as an intermediary might be an option in some cases.&nbsp; Tax-free contributions to nonprofits are less common in other parts of the world.&nbsp; For example in China most organizations are either State-owned or private - there is less of a concept of non-profits<br />
<br />
<br />
<br />
<br> <br></div>Dancornellhttps://wiki.owasp.org/index.php?title=GlobalMembershipCommittee_Notes_20110315&diff=108284GlobalMembershipCommittee Notes 201103152011-04-06T16:50:42Z<p>Dancornell: </p>
<hr />
<div>'''Tuesday March 15, 2011''' <br />
<br />
Held via conference line<br />
<br />
'''Attendees''' <br />
<br />
- PRESENT - <br />
<br />
Dan Cornell <br />
<br />
Michael Coates <br />
<br />
Kate Hartmann <br />
<br />
Tony UV <br />
<br />
Helen Gao <br />
<br />
- NOT&nbsp;PRESENT - <br />
<br />
Ofer Maor<br />
<br />
<br />
'''Notes'''<br />
<br />
All-committee-chair call was held.&nbsp; Membership-relevant items that came out of that include:<br />
<br />
*The Industry Committee has a desire<br />
<br />
<br> <br></div>Dancornellhttps://wiki.owasp.org/index.php?title=GlobalMembershipCommittee_Notes_20110315&diff=108281GlobalMembershipCommittee Notes 201103152011-04-06T16:21:14Z<p>Dancornell: Created page with "'''Tuesday March 15, 2011''' Held via conference line<br>'''Attendees''' - PRESENT - Dan Cornell Michael Coates Kate Hartmann Tony UV Helen Gao - NOT&nbsp;PRESENT..."</p>
<hr />
<div>'''Tuesday March 15, 2011''' <br />
<br />
Held via conference line<br>'''Attendees''' <br />
<br />
- PRESENT - <br />
<br />
Dan Cornell <br />
<br />
Michael Coates <br />
<br />
Kate Hartmann <br />
<br />
Tony UV <br />
<br />
Helen Gao <br />
<br />
- NOT&nbsp;PRESENT - <br />
<br />
Ofer Maor (scheduling mix-up)<br> <br></div>Dancornellhttps://wiki.owasp.org/index.php?title=Global_Education_Committee_-_Application_7&diff=107219Global Education Committee - Application 72011-03-20T18:45:15Z<p>Dancornell: </p>
<hr />
<div>{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Dr. A.L. Gottlieb.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Coordinator/facility host for N. Virginia, OWASP Presenter.<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Education Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|Benjamin Tomhave<br />
| style="width:20%; background:#cccccc" align="center"|OWASP NoVA Program Committee, OWASP GCC member (pending final board approval)<br />
| style="width:57%; background:#cccccc" align="center"|Tony's contributions to OWASP NoVA have been outstanding! He has helped host several chapter meetings, has presented in the past, will be presenting again in April 2011, and is overall a strong supporter of OWASP Education initiatives.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|Dan Cornell<br />
| style="width:20%; background:#cccccc" align="center"|San Antonio Chapter Leader, Global Membership Committee Chair<br />
| style="width:57%; background:#cccccc" align="center"|Every time I have been to the OWASP NoVA chapter Tony has been an active and valuable contributor. The Global Education Committee would benefit from his perspective and enthusiasm.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}</div>Dancornellhttps://wiki.owasp.org/index.php?title=User:Dancornell&diff=107128User:Dancornell2011-03-17T20:45:11Z<p>Dancornell: </p>
<hr />
<div>Howdy my name is Dan Cornell and I am CTO at [http://www.denimgroup.com/ Denim Group]. <br />
<br />
I am the [https://www.owasp.org/index.php/San_Antonio San Antonio chapter] lead and chair of the Global Membership Committee.<br><br />
<br />
I can be reached at [mailto:dan(at)denimgroup.com dan(at)denimgroup.com].</div>Dancornellhttps://wiki.owasp.org/index.php?title=GlobalMembershipCommittee_Notes_2011015&diff=106859GlobalMembershipCommittee Notes 20110152011-03-15T15:15:35Z<p>Dancornell: Created page with "Attendees: -Dan Cornell -Helen Gao -Tony UV -Michael Coates -Kate Hartmann Recap of Committee Chairs call: 1: 2: 3: Helen's info from interviewing OWASP AsiaPac contributors: -"</p>
<hr />
<div>Attendees:<br />
-Dan Cornell<br />
-Helen Gao<br />
-Tony UV<br />
-Michael Coates<br />
-Kate Hartmann<br />
<br />
Recap of Committee Chairs call:<br />
1: <br />
2: <br />
3: <br />
<br />
Helen's info from interviewing OWASP AsiaPac contributors:<br />
-</div>Dancornellhttps://wiki.owasp.org/index.php?title=Global_Projects_and_Tools_Committee_-_Application_6&diff=106368Global Projects and Tools Committee - Application 62011-03-08T01:32:53Z<p>Dancornell: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Keith Turpin <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP Secure Coding Practices Project Leader <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Projects and Tools Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|Nishi Kumar<br />
| style="width:20%; background:#cccccc" align="center"|OWASP Global Education Committee an OWASP CBT Project Lead <br />
| style="width:57%; background:#cccccc" align="center"|Keith is very talented and has extensive experience in application security field. His leadership in security assessment is commendable. His vast international experience and organizational skill will be extremely valuable for this committee. He would be ideal for OWASP Projects committee. I whole heartedly recommend Keith for this committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"| Mark Bristow<br />
| style="width:20%; background:#cccccc" align="center"| Global Conferences Committee Chair, AppSec DC Organizer, OWASP DC Chapter Lead<br />
| style="width:57%; background:#cccccc" align="center"| Keith is an energetic and motivated individual with OWASP project experience and a demonstrated ability to lead. He will make an excellent addition to the projects team.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"| Jim Manico<br />
| style="width:20%; background:#cccccc" align="center"| Connections Committee Chair<br />
| style="width:57%; background:#cccccc" align="center"| Keith is a smart, professional solid OWASP contributor!<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"| Dan Cornell<br />
| style="width:20%; background:#cccccc" align="center"| Membership Committee Chair<br />
| style="width:57%; background:#cccccc" align="center"| Keith is a solid OWASP contributor. His Secure Coding Quick References is a great example of a practical, valuable project.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"| <br />
| style="width:20%; background:#cccccc" align="center"| <br />
| style="width:57%; background:#cccccc" align="center"| <br />
|}<br />
----</div>Dancornellhttps://wiki.owasp.org/index.php?title=Global_Conferences_Committee_-_Application_9&diff=105571Global Conferences Committee - Application 92011-02-22T22:45:15Z<p>Dancornell: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="2" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE APPLICATION FORM''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''<br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|<font color="black">Benjamin (Ben) Tomhave<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP NoVA Program Committee member, OWASP Summit 2011 attendee<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for''' <br />
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Conferences Committee<br />
|}<br />
----<br />
<br />
<br />
----<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. <br />
An incomplete application will not be considered for vote.<br />
----<br />
<br />
<br />
----<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''COMMITTEE RECOMMENDATIONS''' <br />
|- <br />
! align="center" style="background:white; color:white"|<font color="black"><br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Who Recommends/Name''' <br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Role in OWASP'''<br />
! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Recommendation Content''' <br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''1'''<br />
| style="width:20%; background:#cccccc" align="center"|Dan Cornell<br />
| style="width:20%; background:#cccccc" align="center"|Global Membership Committee Chair<br />
| style="width:57%; background:#cccccc" align="center"|Ben's involvement in the OWASP NoVA chapter as well as his outreach to other organizations such as Security BSides make him an excellent candidate to be on the Global Conference Committee.<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''2'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''3'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''4'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|-<br />
| style="width:3%; background:#cccccc" align="center"|'''5'''<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:20%; background:#cccccc" align="center"|<br />
| style="width:57%; background:#cccccc" align="center"|<br />
|}<br />
----</div>Dancornellhttps://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session030&diff=103749Summit 2011 Working Sessions/Session0302011-02-06T22:54:48Z<p>Dancornell: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude><br />
|-<br />
<br />
| summit_session_attendee_name1 = <br />
| summit_session_attendee_email1 = <br />
| summit_session_attendee_username1 = <br />
| summit_session_attendee_company1=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br />
<br />
| summit_session_attendee_name2 = Chris Schmidt<br />
| summit_session_attendee_email2 = chris.schmidt@owasp.org<br />
| summit_session_attendee_username2 = <br />
| summit_session_attendee_company2=Aspect Security<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br />
<br />
| summit_session_attendee_name3 = Justin Clarke<br />
| summit_session_attendee_email3 = justin.clarke@owasp.org<br />
| summit_session_attendee_username3 = <br />
| summit_session_attendee_company3=Gotham Digital Science<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=<br />
<br />
| summit_session_attendee_name4 = Dan Cornell<br />
| summit_session_attendee_email4 = dan@denimgroup.com<br />
| summit_session_attendee_username4 = <br />
| summit_session_attendee_company4=Denim Group<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br />
<br />
| summit_session_attendee_name5 = John Steven<br />
| summit_session_attendee_email5 = john.steven@owasp.org<br />
| summit_session_attendee_username5 = <br />
| summit_session_attendee_company5= Cigital.com<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br />
<br />
| summit_session_attendee_name6 = Ralph Durkee<br />
| summit_session_attendee_email6 = Ralph.Durkee@owasp.org<br />
| summit_session_attendee_username6 = <br />
| summit_session_attendee_company6= Durkee Consulting, Inc.<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=<br />
<br />
| summit_session_attendee_name7 = <br />
| summit_session_attendee_email7 = <br />
| summit_session_attendee_username7 = <br />
| summit_session_attendee_company7=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br />
<br />
| summit_session_attendee_name8 = <br />
| summit_session_attendee_email8 = <br />
| summit_session_attendee_username8 = <br />
| summit_session_attendee_company8=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=<br />
<br />
| summit_session_attendee_name9 = <br />
| summit_session_attendee_email9 = <br />
| summit_session_attendee_username9 = <br />
| summit_session_attendee_company9=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br />
<br />
| summit_session_attendee_name10 = <br />
| summit_session_attendee_email10 = <br />
| summit_session_attendee_username10 = <br />
| summit_session_attendee_company10=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br />
<br />
| summit_session_attendee_name11 = <br />
| summit_session_attendee_email11 = <br />
| summit_session_attendee_username11 = <br />
| summit_session_attendee_company11=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br />
<br />
| summit_session_attendee_name12 = <br />
| summit_session_attendee_email12 = <br />
| summit_session_attendee_username12 = <br />
| summit_session_attendee_company12=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br />
<br />
| summit_session_attendee_name13 = <br />
| summit_session_attendee_email13 = <br />
| summit_session_attendee_username13 = <br />
| summit_session_attendee_company13=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br />
<br />
| summit_session_attendee_name14 = <br />
| summit_session_attendee_email14 = <br />
| summit_session_attendee_username14 = <br />
| summit_session_attendee_company14=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br />
<br />
| summit_session_attendee_name15 = <br />
| summit_session_attendee_email15 = <br />
| summit_session_attendee_username15 = <br />
| summit_session_attendee_company15=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br />
<br />
| summit_session_attendee_name16 = <br />
| summit_session_attendee_email16 = <br />
| summit_session_attendee_username16 = <br />
| summit_session_attendee_company16=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br />
<br />
| summit_session_attendee_name17 = <br />
| summit_session_attendee_email17 = <br />
| summit_session_attendee_username17 = <br />
| summit_session_attendee_company17=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br />
<br />
| summit_session_attendee_name18 = <br />
| summit_session_attendee_email18 = <br />
| summit_session_attendee_username18 = <br />
| summit_session_attendee_company18=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br />
<br />
| summit_session_attendee_name19 = <br />
| summit_session_attendee_email19 = <br />
| summit_session_attendee_username19 = <br />
| summit_session_attendee_company19=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br />
<br />
| summit_session_attendee_name20 = <br />
| summit_session_attendee_email20 = <br />
| summit_session_attendee_username20 = <br />
| summit_session_attendee_company20=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br />
<br />
|-<br />
| summit_track_logo = [[Image:T._secure_coding.jpg]]<br />
| summit_ws_logo = [[Image:WS._secure_coding.jpg]]<br />
| summit_session_name = Providing Access to Persisted Data<br />
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session030<br />
| mailing_list =<br />
|-<br />
<br />
| short_working_session_description=This session will focus on developing patterns for protecting data while at rest and generating example code samples for different frameworks and technologies.<br />
<br />
|-<br />
<br />
| related_project_name1 = <br />
| related_project_url_1 = <br />
<br />
| related_project_name2 = <br />
| related_project_url_2 = <br />
<br />
| related_project_name3 = <br />
| related_project_url_3 = <br />
<br />
| related_project_name4 = <br />
| related_project_url_4 = <br />
<br />
| related_project_name5 = <br />
| related_project_url_5 = <br />
<br />
|-<br />
<br />
| summit_session_objective_name1= Create design and code examples for protecting access to database tables and rows by role<br />
<br />
| summit_session_objective_name2 = Create design and code examples for protecting access to data when 'auto-wiring' and marshalling<br />
<br />
| summit_session_objective_name3 = Create design and code examples for protecting sensitive data at rest<br />
<br />
| summit_session_objective_name4 = <br />
<br />
| summit_session_objective_name5 = <br />
<br />
|-<br />
<br />
| working_session_date_and_time = <br />
<br />
|-<br />
<br />
| discussion_model = participants and attendees<br />
<br />
|-<br />
<br />
| operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br />
<br />
|-<br />
<br />
| working_session_additional_details = <br />
<br />
|-<br />
<br />
|summit_session_deliverable_name1 = A short reference architecture/coding examples type of guideline that clearly explains positive and negative examples of accessing persisted data. <br />
<br />
|summit_session_deliverable_name2 = <br />
<br />
|summit_session_deliverable_name3 = <br />
<br />
|summit_session_deliverable_name4 = <br />
<br />
|summit_session_deliverable_name5 = <br />
<br />
|summit_session_deliverable_name6 = <br />
<br />
|summit_session_deliverable_name7 = <br />
<br />
|summit_session_deliverable_name8 = <br />
<br />
|-<br />
<br />
| summit_session_leader_name1 = Dan Cornell<br />
| summit_session_leader_email1 = dan@denimgroup.com<br />
<br />
| summit_session_leader_name2 = <br />
| summit_session_leader_email2 = <br />
| summit_session_leader_username2 = <br />
<br />
| summit_session_leader_name3 = <br />
| summit_session_leader_email3 = <br />
| summit_session_leader_username3 = <br />
<br />
|-<br />
<br />
| operational_leader_name1 =<br />
| operational_leader_email1 =<br />
| operational_leader_username1 = <br />
<br />
|-<br />
<br />
| meeting_notes = <br />
<br />
|-<br />
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session030<br />
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session030<br />
}}</div>Dancornellhttps://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session065&diff=102409Summit 2011 Working Sessions/Session0652011-01-28T15:58:12Z<p>Dancornell: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude><br />
|-<br />
<br />
| summit_session_attendee_name1 = Colin Watson<br />
| summit_session_attendee_email1 = colin.watson@owasp.org <br />
| summit_session_attendee_company1=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br />
<br />
| summit_session_attendee_name2 = Tom Neaves<br />
| summit_session_attendee_email2 = tom.neaves@verizonbusiness.com<br />
| summit_session_attendee_company2= Verizon Business<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br />
<br />
| summit_session_attendee_name3 = Mateo Martinez<br />
| summit_session_attendee_email3 = mateo.martinez@owasp.org<br />
| summit_session_attendee_company3=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=<br />
<br />
| summit_session_attendee_name4 = Justin Clarke<br />
| summit_session_attendee_email4 = justin.clarke@owasp.org<br />
| summit_session_attendee_company4=Gotham Digital Science<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br />
<br />
| summit_session_attendee_name5 = Sherif Koussa<br />
| summit_session_attendee_email5 = sherif.koussa@owasp.org<br />
| summit_session_attendee_company5= Software Secured<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br />
<br />
| summit_session_attendee_name6 = Vishal Garg<br />
| summit_session_attendee_email6 = vishalgrg@gmail.com<br />
| summit_session_attendee_company6= AppSecure Labs<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=<br />
<br />
| summit_session_attendee_name7 = Dan Cornell<br />
| summit_session_attendee_email7 = dan@denimgroup.com<br />
| summit_session_attendee_company7=Denim Group<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br />
<br />
| summit_session_attendee_name8 = <br />
| summit_session_attendee_email8 = <br />
| summit_session_attendee_company8=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=<br />
<br />
| summit_session_attendee_name9 = <br />
| summit_session_attendee_email9 = <br />
| summit_session_attendee_company9=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br />
<br />
| summit_session_attendee_name10 = <br />
| summit_session_attendee_email10 = <br />
| summit_session_attendee_company10=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br />
<br />
| summit_session_attendee_name11 = <br />
| summit_session_attendee_email11 = <br />
| summit_session_attendee_company11=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br />
<br />
| summit_session_attendee_name12 = <br />
| summit_session_attendee_email12 = <br />
| summit_session_attendee_company12=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br />
<br />
| summit_session_attendee_name13 = <br />
| summit_session_attendee_email13 = <br />
| summit_session_attendee_company13=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br />
<br />
| summit_session_attendee_name14 = <br />
| summit_session_attendee_email14 = <br />
| summit_session_attendee_company14=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br />
<br />
| summit_session_attendee_name15 = <br />
| summit_session_attendee_email15 = <br />
| summit_session_attendee_company15=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br />
<br />
| summit_session_attendee_name16 = <br />
| summit_session_attendee_email16 = <br />
| summit_session_attendee_company16=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br />
<br />
| summit_session_attendee_name17 = <br />
| summit_session_attendee_email17 = <br />
| summit_session_attendee_company17=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br />
<br />
| summit_session_attendee_name18 = <br />
| summit_session_attendee_email18 = <br />
| summit_session_attendee_company18=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br />
<br />
| summit_session_attendee_name19 = <br />
| summit_session_attendee_email19 = <br />
| summit_session_attendee_company19=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br />
<br />
| summit_session_attendee_name20 = <br />
| summit_session_attendee_email20 = <br />
| summit_session_attendee_company20=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br />
<br />
|-<br />
| summit_track_logo = [[Image:T._individual_projects.jpg]]<br />
| summit_ws_logo = [[Image:WS._individual_projects.jpg]]<br />
| summit_session_name = Mobile Security<br />
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session065<br />
| mailing_list =<br />
<br />
|-<br />
<br />
| short_working_session_description=<br />
<br />
|-<br />
<br />
| related_project_name1 = Project wiki page<br />
| related_project_url_1 = http://www.owasp.org/index.php/OWASP_Mobile_Security_Project <br />
<br />
| related_project_name2 = <br />
| related_project_url_2 = <br />
<br />
| related_project_name3 = <br />
| related_project_url_3 = <br />
<br />
| related_project_name4 = <br />
| related_project_url_4 = <br />
<br />
| related_project_name5 = <br />
| related_project_url_5 = <br />
<br />
|-<br />
| summit_session_objective_name1 = '''Primary: Create core knowledge base on project wiki site'''<br />
| summit_session_objective_name2 = Recruit volunteers to contribute to project<br />
| summit_session_objective_name3 = Establish relationships with key players (i.e. Apple/Google/etc)<br />
<br />
| summit_session_objective_name4 = <br />
<br />
| summit_session_objective_name5 = <br />
<br />
|-<br />
<br />
| working_session_date_and_time = <br />
<br />
|-<br />
<br />
| discussion_model = participants and attendees<br />
<br />
|-<br />
<br />
| operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br />
<br />
|-<br />
<br />
| working_session_additional_details = <br />
<br />
|-<br />
<br />
|summit_session_deliverable_name1 = Project wiki page <br />
<br />
|summit_session_deliverable_name2 = A project home page, roadmap, and action plan. Look at the OWASP Ecosystem concept to see what all you should have in place.<br />
<br />
|summit_session_deliverable_name3 = <br />
<br />
|summit_session_deliverable_name4 = <br />
<br />
|summit_session_deliverable_name5 = <br />
<br />
|summit_session_deliverable_name6 = <br />
<br />
|summit_session_deliverable_name7 = <br />
<br />
|summit_session_deliverable_name8 = <br />
<br />
|-<br />
<br />
| summit_session_leader_name1 = Mike Zusman<br />
| summit_session_leader_email1 = mike.zusman@intrepidusgroup.com<br />
<br />
| summit_session_leader_name2 = David Campbell<br />
| summit_session_leader_email2 = dcampbell@owasp.org<br />
<br />
| summit_session_leader_name3 = <br />
| summit_session_leader_email3 = <br />
<br />
|-<br />
<br />
| operational_leader_name1 =<br />
| operational_leader_email1 =<br />
|-<br />
<br />
| meeting_notes = <br />
<br />
|-<br />
<br />
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session065<br />
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session065<br />
}}</div>Dancornellhttps://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session030&diff=102408Summit 2011 Working Sessions/Session0302011-01-28T15:56:09Z<p>Dancornell: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude><br />
|-<br />
<br />
| summit_session_attendee_name1 = Colin Watson<br />
| summit_session_attendee_email1 = colin.watson@owasp.org <br />
| summit_session_attendee_company1=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br />
<br />
| summit_session_attendee_name2 = Chris Schmidt<br />
| summit_session_attendee_email2 = chris.schmidt@owasp.org<br />
| summit_session_attendee_company2=Aspect Security<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br />
<br />
| summit_session_attendee_name3 = Justin Clarke<br />
| summit_session_attendee_email3 = justin.clarke@owasp.org<br />
| summit_session_attendee_company3=Gotham Digital Science<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=<br />
<br />
| summit_session_attendee_name4 = Dan Cornell<br />
| summit_session_attendee_email4 = dan@denimgroup.com<br />
| summit_session_attendee_company4=Denim Group<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br />
<br />
| summit_session_attendee_name5 = John Steven<br />
| summit_session_attendee_email5 = john.steven@owasp.org<br />
| summit_session_attendee_company5= Cigital.com<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br />
<br />
| summit_session_attendee_name6 = <br />
| summit_session_attendee_email6 = <br />
| summit_session_attendee_company6=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=<br />
<br />
| summit_session_attendee_name7 = <br />
| summit_session_attendee_email7 = <br />
| summit_session_attendee_company7=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br />
<br />
| summit_session_attendee_name8 = <br />
| summit_session_attendee_email8 = <br />
| summit_session_attendee_company8=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=<br />
<br />
| summit_session_attendee_name9 = <br />
| summit_session_attendee_email9 = <br />
| summit_session_attendee_company9=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br />
<br />
| summit_session_attendee_name10 = <br />
| summit_session_attendee_email10 = <br />
| summit_session_attendee_company10=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br />
<br />
| summit_session_attendee_name11 = <br />
| summit_session_attendee_email11 = <br />
| summit_session_attendee_company11=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br />
<br />
| summit_session_attendee_name12 = <br />
| summit_session_attendee_email12 = <br />
| summit_session_attendee_company12=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br />
<br />
| summit_session_attendee_name13 = <br />
| summit_session_attendee_email13 = <br />
| summit_session_attendee_company13=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br />
<br />
| summit_session_attendee_name14 = <br />
| summit_session_attendee_email14 = <br />
| summit_session_attendee_company14=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br />
<br />
| summit_session_attendee_name15 = <br />
| summit_session_attendee_email15 = <br />
| summit_session_attendee_company15=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br />
<br />
| summit_session_attendee_name16 = <br />
| summit_session_attendee_email16 = <br />
| summit_session_attendee_company16=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br />
<br />
| summit_session_attendee_name17 = <br />
| summit_session_attendee_email17 = <br />
| summit_session_attendee_company17=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br />
<br />
| summit_session_attendee_name18 = <br />
| summit_session_attendee_email18 = <br />
| summit_session_attendee_company18=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br />
<br />
| summit_session_attendee_name19 = <br />
| summit_session_attendee_email19 = <br />
| summit_session_attendee_company19=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br />
<br />
| summit_session_attendee_name20 = <br />
| summit_session_attendee_email20 = <br />
| summit_session_attendee_company20=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br />
<br />
|-<br />
| summit_track_logo = [[Image:T._secure_coding.jpg]]<br />
| summit_ws_logo = [[Image:WS._secure_coding.jpg]]<br />
| summit_session_name = Providing Access to Persisted Data<br />
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session030<br />
| mailing_list =<br />
|-<br />
<br />
| short_working_session_description=This session will focus on developing patterns for protecting data while at rest and generating example code samples for different frameworks and technologies.<br />
<br />
|-<br />
<br />
| related_project_name1 = <br />
| related_project_url_1 = <br />
<br />
| related_project_name2 = <br />
| related_project_url_2 = <br />
<br />
| related_project_name3 = <br />
| related_project_url_3 = <br />
<br />
| related_project_name4 = <br />
| related_project_url_4 = <br />
<br />
| related_project_name5 = <br />
| related_project_url_5 = <br />
<br />
|-<br />
<br />
| summit_session_objective_name1= Create design and code examples for protecting access to database tables and rows by role<br />
<br />
| summit_session_objective_name2 = Create design and code examples for protecting access to data when 'auto-wiring' and marshalling<br />
<br />
| summit_session_objective_name3 = Create design and code examples for protecting sensitive data at rest<br />
<br />
| summit_session_objective_name4 = Create design and code examples for providing SQL-like querying capabilities in a safe manner<br />
<br />
| summit_session_objective_name5 = <br />
<br />
|-<br />
<br />
| working_session_date_and_time = <br />
<br />
|-<br />
<br />
| discussion_model = participants and attendees<br />
<br />
|-<br />
<br />
| operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br />
<br />
|-<br />
<br />
| working_session_additional_details = <br />
<br />
|-<br />
<br />
|summit_session_deliverable_name1 = A short reference architecture/coding examples type of guideline that clearly explains positive and negative examples of accessing persisted data. <br />
<br />
|summit_session_deliverable_name2 = <br />
<br />
|summit_session_deliverable_name3 = <br />
<br />
|summit_session_deliverable_name4 = <br />
<br />
|summit_session_deliverable_name5 = <br />
<br />
|summit_session_deliverable_name6 = <br />
<br />
|summit_session_deliverable_name7 = <br />
<br />
|summit_session_deliverable_name8 = <br />
<br />
|-<br />
<br />
| summit_session_leader_name1 = Dan Cornell<br />
| summit_session_leader_email1 = dan@denimgroup.com<br />
<br />
| summit_session_leader_name2 = <br />
| summit_session_leader_email2 = <br />
<br />
| summit_session_leader_name3 = <br />
| summit_session_leader_email3 = <br />
<br />
|-<br />
<br />
| operational_leader_name1 =<br />
| operational_leader_email1 =<br />
<br />
|-<br />
<br />
| meeting_notes = <br />
<br />
|-<br />
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session030<br />
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session030<br />
}}</div>Dancornellhttps://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session056&diff=102406Summit 2011 Working Sessions/Session0562011-01-28T15:53:54Z<p>Dancornell: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude><br />
|-<br />
<br />
| summit_session_attendee_name1 = Stefano Di Paola<br />
| summit_session_attendee_email1 = stefano@owasp.org<br />
| summit_session_attendee_company1= Minded Security<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br />
<br />
| summit_session_attendee_name2 = Dan Cornell<br />
| summit_session_attendee_email2 = dan@denimgroup.com<br />
| summit_session_attendee_company2=Denim Group<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br />
<br />
| summit_session_attendee_name3 = <br />
| summit_session_attendee_email3 = <br />
| summit_session_attendee_company3=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=<br />
<br />
| summit_session_attendee_name4 = <br />
| summit_session_attendee_email4 = <br />
| summit_session_attendee_company4=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br />
<br />
| summit_session_attendee_name5 = <br />
| summit_session_attendee_email5 = <br />
| summit_session_attendee_company5=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br />
<br />
| summit_session_attendee_name6 = <br />
| summit_session_attendee_email6 = <br />
| summit_session_attendee_company6=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=<br />
<br />
| summit_session_attendee_name7 = <br />
| summit_session_attendee_email7 = <br />
| summit_session_attendee_company7=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br />
<br />
| summit_session_attendee_name8 = <br />
| summit_session_attendee_email8 = <br />
| summit_session_attendee_company8=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=<br />
<br />
| summit_session_attendee_name9 = <br />
| summit_session_attendee_email9 = <br />
| summit_session_attendee_company9=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br />
<br />
| summit_session_attendee_name10 = <br />
| summit_session_attendee_email10 = <br />
| summit_session_attendee_company10=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br />
<br />
| summit_session_attendee_name11 = <br />
| summit_session_attendee_email11 = <br />
| summit_session_attendee_company11=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br />
<br />
| summit_session_attendee_name12 = <br />
| summit_session_attendee_email12 = <br />
| summit_session_attendee_company12=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br />
<br />
| summit_session_attendee_name13 = <br />
| summit_session_attendee_email13 = <br />
| summit_session_attendee_company13=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br />
<br />
| summit_session_attendee_name14 = <br />
| summit_session_attendee_email14 = <br />
| summit_session_attendee_company14=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br />
<br />
| summit_session_attendee_name15 = <br />
| summit_session_attendee_email15 = <br />
| summit_session_attendee_company15=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br />
<br />
| summit_session_attendee_name16 = <br />
| summit_session_attendee_email16 = <br />
| summit_session_attendee_company16=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br />
<br />
| summit_session_attendee_name17 = <br />
| summit_session_attendee_email17 = <br />
| summit_session_attendee_company17=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br />
<br />
| summit_session_attendee_name18 = <br />
| summit_session_attendee_email18 = <br />
| summit_session_attendee_company18=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br />
<br />
| summit_session_attendee_name19 = <br />
| summit_session_attendee_email19 = <br />
| summit_session_attendee_company19=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br />
<br />
| summit_session_attendee_name20 = <br />
| summit_session_attendee_email20 = <br />
| summit_session_attendee_company20=<br />
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br />
<br />
|-<br />
| summit_track_logo = [[Image:T._metrics.jpg]]<br />
| summit_ws_logo = [[Image:WS._metrics.jpg]]<br />
| summit_session_name = Tools Interoperability (Data Instrumentation)<br />
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session056<br />
| mailing_list =<br />
|-<br />
<br />
| short_working_session_description=<br />
<br />
|-<br />
<br />
| related_project_name1 = <br />
| related_project_url_1 = <br />
<br />
| related_project_name2 = <br />
| related_project_url_2 = <br />
<br />
| related_project_name3 = <br />
| related_project_url_3 = <br />
<br />
| related_project_name4 = <br />
| related_project_url_4 = <br />
<br />
| related_project_name5 = <br />
| related_project_url_5 = <br />
<br />
|-<br />
<br />
| summit_session_objective_name1= <br />
<br />
| summit_session_objective_name2 = <br />
<br />
| summit_session_objective_name3 = <br />
<br />
| summit_session_objective_name4 = <br />
<br />
| summit_session_objective_name5 = <br />
<br />
|-<br />
<br />
| working_session_date_and_time = <br />
<br />
|-<br />
<br />
| discussion_model = participants and attendees<br />
<br />
|-<br />
<br />
| operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br />
<br />
|-<br />
<br />
| working_session_additional_details = <br />
<br />
|-<br />
<br />
|summit_session_deliverable_name1 = <br />
A standard schema for describing application security risks of all types, with a place for all relevant information – whether derived statically, dynamically, manually, or architecturally.<br />
<br />
|summit_session_deliverable_name2 = <br />
<br />
|summit_session_deliverable_name3 = <br />
<br />
|summit_session_deliverable_name4 = <br />
<br />
|summit_session_deliverable_name5 = <br />
<br />
|summit_session_deliverable_name6 = <br />
<br />
|summit_session_deliverable_name7 = <br />
<br />
|summit_session_deliverable_name8 = <br />
<br />
|-<br />
<br />
| summit_session_leader_name1 = Dinis Cruz<br />
| summit_session_leader_email1 = dinis.cruz@owasp.org<br />
| summit_session_leader_username1 = Dinis.cruz<br />
<br />
| summit_session_leader_name2 = <br />
| summit_session_leader_email2 = <br />
| summit_session_leader_username2 = <br />
<br />
| summit_session_leader_name3 = <br />
| summit_session_leader_email3 = <br />
| summit_session_leader_username3 = <br />
<br />
|-<br />
<br />
| operational_leader_name1 =<br />
| operational_leader_email1 =<br />
<br />
|-<br />
<br />
| meeting_notes = <br />
<br />
|-<br />
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session056<br />
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session056<br />
}}</div>Dancornell