https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Davidribyrne%40yahoo.comOWASP - User contributions [en]2026-05-02T09:45:37ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=55315Front Range OWASP Conference 20092009-02-23T17:27:22Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP negotiated discounted rates at one or more hotels near the conference venue. Please email snowfroc@owasp.org for questions regarding accomodation.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Stads&diff=55314SnowFROC Abstract Stads2009-02-23T17:26:54Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>==The Presentation: "Adobe Flex, AMF 3 and BlazeDS: An Assessment"==<br />
<br />
Adobe FLEX with BlazeDS offers developers a streamlined application development paradigm, allowing them to create rich Internet applications with little exertion. However, ease of implementation often results in incomplete engineering. In this presentation, Stadmeyer offers his assessment of the FLEX and BlazeDS application architectures as well as detailed examination of the Action Message Format version 3. Developers and administrators will be provided clear examples of how to do things wrong, how to do them right and explain exactly how each component works internally.<br />
<br />
While little information is available in the field regarding a FLEX application, Trustwave's security experts will share the knowledge they've gained in migrating towards a Flex application environment. Additionally, the briefing will provide information to both security assessors and developers about a technology that is soon to be prevalent, but is not yet widely understood.<br />
<br />
==The Speaker: Kevin Stadmeyer==<br />
<br />
Kevin is a Senior Security Consultant with the application security group at Trustwave and has been with the company since 2006. He has been heavily involved in the security industry since 2000 and spoke at the Blackhat USA security conference in 2008. Kevin's specialty lies in web application security and high speed parking maneuvers although he is experienced in all aspects of information security. <br />
<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|Back to Presentation Agenda]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Stads&diff=55313SnowFROC Abstract Stads2009-02-23T17:26:26Z<p>Davidribyrne@yahoo.com: New page: ==The Presentation: "Automated vs. Manual Security: You can't filter The Stupid"== Adobe FLEX with BlazeDS offers developers a streamlined application development paradigm, allowing them ...</p>
<hr />
<div>==The Presentation: "Automated vs. Manual Security: You can't filter The Stupid"==<br />
<br />
Adobe FLEX with BlazeDS offers developers a streamlined application development paradigm, allowing them to create rich Internet applications with little exertion. However, ease of implementation often results in incomplete engineering. In this presentation, Stadmeyer offers his assessment of the FLEX and BlazeDS application architectures as well as detailed examination of the Action Message Format version 3. Developers and administrators will be provided clear examples of how to do things wrong, how to do them right and explain exactly how each component works internally.<br />
<br />
While little information is available in the field regarding a FLEX application, Trustwave's security experts will share the knowledge they've gained in migrating towards a Flex application environment. Additionally, the briefing will provide information to both security assessors and developers about a technology that is soon to be prevalent, but is not yet widely understood.<br />
<br />
==The Speaker: Kevin Stadmeyer==<br />
<br />
Kevin is a Senior Security Consultant with the application security group at Trustwave and has been with the company since 2006. He has been heavily involved in the security industry since 2000 and spoke at the Blackhat USA security conference in 2008. Kevin's specialty lies in web application security and high speed parking maneuvers although he is experienced in all aspects of information security. <br />
<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|Back to Presentation Agenda]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=55312Front Range OWASP Conference 20092009-02-23T17:21:37Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Stads|"Adobe Flex, AMF 3 and BlazeDS: An Assessment"]] (Tool Release!) <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP negotiated discounted rates at one or more hotels near the conference venue. Please email snowfroc@owasp.org for questions regarding accomodation.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Byrne&diff=54905SnowFROC Abstract Byrne2009-02-18T20:08:17Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>==The Presentation: "Automated vs. Manual Security: You can't filter The Stupid"==<br />
<br />
Automated application security tools have been available for quite a while, but their manual counterparts are still doing quite well. This presentation will cover the relative strengths and weaknesses of both automated solutions, such as Web Application Firewalls (WAFs), source code review tools, and automated application scanners, and manual approaches, namely application penetration tests and manual code reviews. The presentation will conclude that automated tools are well suited for lower-priority applications, but manual analysis is important for critical applications. <br />
<br />
Automated tools certainly have some strengths (namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks). In addition to preventing some attacks, WAFs also have advantages for some compliance frameworks. However, automated solutions are far from perfect. To begin with, there are entire classes of very important vulnerabilities that are theoretically impossible for automated software to detect (at least until HAL comes online). Examples include complex information leakage, race conditions, logic flaws, design flaws, subjective vulnerabilities such as CSRF, and multistage process attacks. <br />
<br />
Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool. Automated tools are designed to cover common application designs and platforms. Applications using an unusual layout or components will not be thoroughly protected by automated tools. Realistically, only the most vanilla of web applications written on common, simple platforms will receive solid code coverage from an automated tool. <br />
<br />
On the other hand, manual testing is far more versatile. An experienced penetration tester can identify complicated vulnerabilities in the same way that an attacker does. Specific, real-world examples of vulnerabilities only recognizable by humans will be provided. The diversity of vulnerabilities shown will clearly demonstrate that all applications have the potential for significant vulnerabilities not detectible by automated tools.<br />
<br />
Manual source code reviews present even more benefits by identifying vulnerabilities that require access to source code. Examples include “hidden” or unused application components, SQL injection with no evidence in the response, exotic injection attacks (e.g. mainframe session attacks), vulnerabilities in back-end systems, and intentional backdoors. Many organizations assume that this type of vulnerability is not a large threat, but source code can be obtained by disgruntled developers, by internal attackers when the repository isn’t properly secured, by exploiting platform bugs or path directory traversal attacks, and by external attackers using a Trojan horse or similar technique.<br />
<br />
==The Speakers: Charles Henderson & David Byrne==<br />
<br />
Charles Henderson has been in the security industry for over 15 years and manages the Application Penetration Testing and Code Review Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.<br />
<br />
<br />
David Byrne has almost a decade of experience in information security, specializing in web application penetration testing. Currently, he is a Senior Security Consultant in Trustwave’s SpideLabs division. Before joining Trustwave, David was the Security Architect at Dish Network. In addition to penetration testing, David has extensive experience working with developers and implementers to design security controls into applications from the ground up. He also has worked with governance and compliance groups to create security policies and standards documents.<br />
<br />
In 2006, David started the Denver chapter of OWASP. In 2008, he released Grendel (grendel-scan.com), an open source web application security scanner. David has spoken at many industry events, including Black Hat, DEFCON, Toorcon, and the Computer Security Institute’s annual conference. <br />
<br />
<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|Back to Presentation Agenda]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Front_Range_OWASP_Conference_2009&diff=54904Front Range OWASP Conference 20092009-02-18T20:08:05Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>[[Image:SnowFROCblue.jpg]]<br />
<hr><br />
Welcome to SnowFROC, the Winter 2009 Front Range OWASP Application Security Conference!<br />
<br />
After a successful FROC in June of 2008, we are back in Denver, Colorado USA on 5 March 2009! <br />
<br />
'''This year we again present a full day, FREE multi-track conference, which will provide valuable information for managers and executives as well as developers and engineers.'''<br />
<br />
In 2008, we attracted a packed venue with our great AppSec speakers, and we hope to achieve the same again in 2009. This year we organized the conference to occur during the peak of the [http://www.google.com/search?q=colorado+skiing Colorado ski season], so that speakers can head up to the nearby mountains before and/or after the conference to enjoy some of the legendary snow.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
<br />
==Conference Location==<br />
[[Image:Denver_mountains.JPG]]<br />
<br />
This year, the conference will be held at the Tivoli Student Union in downtown Denver, CO.<br />
<br />
==Call for Presentations==<br />
The [[Front_Range_OWASP_Conference_2009_CFP|call for papers]] closed on 6 Feb 09. We received a tremendous response. Thanks to everybody who responded!<br />
<br />
<!-- ===[[SnowFROC Tentative Schedule]]=== --><br />
<br />
<br />
==Agenda and Presentations: 5 March 2009==<br />
<br />
The agenda follows the successful OWASP conference two tracks format, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing panel discussions back in the main auditorium.<br />
<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="3" align="center" style="background:#4058A0; color:white" | March 5, 2009<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 07:30-08:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Continental Breakfast in the Sponsor Expo Room<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:30-08:35 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Welcome to SnowFROC AppSec 2009 Conference <br />
''David Campbell, OWASP Denver''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:35-09:45 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | Keynote: [[SnowFROC_Abstract_Grossman|"Top Ten Web Hacking Techniques of 2008: What's possible, not probable"]]<br />
''Jeremiah Grossman, Whitehat Security''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:45-10:15 || colspan="2" style="width:80%; background:#F2F2F2" align="center" | OWASP State of the Union<br />
''Tom Brennan, OWASP Board''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:15-10:30 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:15 || style="width:40%; background:#BC857A" align="left" | "[[sfroc_bellis_abstract|Doing More with Less: Automate or Die]]"<br />
''Ed Bellis, Orbitz''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Zusman|"Poor Man's Guide to Breaking PKI: Why You Don't Need 200 Playstations"]]<br />
''Mike Zusman, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:15-12:00 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Paller|"A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors"]]<br />
''Alan Paller, SANS''<br />
| style="width:40%; background:#BCA57A" align="left" | "Adobe Flex, AMF 3 and BlazeDS: An Assessment" (Tool Release!) <br />
''Kevin Stadmeyer, Trustwave''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope]<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:40%; background:#BC857A" | Management / Executive Track: Room 1<br />
| style="width:40%; background:#BCA57A" | Deep Technical Track: Room 2<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-13:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Peloquin|"Building an Effective Application Security Program"]]<br />
''Joey Peloquin, Fishnet Security''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Belani|"Bad Cocktail: Spear Phishing + Application Hacks"]]<br />
''Rohyt Belani, Intrepidus Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:50-14:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Byrne|"Automated vs. Manual Security: You can't filter The Stupid"]]<br />
''David Byrne & Charles Henderson, Trustwave''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Abstract_Damele|"SQL injection: Not only AND 1=1"]]<br />
''Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:50-15:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Break - Expo - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-15:50 || style="width:40%; background:#BC857A" align="left" | [[SnowFROC_Abstract_Neucom|"Security Policy Management: Best Practices for Web Services and Application Security"]]<br />
''Ray Neucom, IBM''<br />
| style="width:40%; background:#BCA57A" align="left" | [[SnowFROC_Cornell_Dickson_Abstract|"Vulnerability Management in an Application Security World"]]<br />
''Dan Cornell & John Dickson, Denim Group''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:50-16:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Panel: Emerging Threats and Enterprise Countermeasures<br />
Moderator: John Dickson<br/><br />
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Conference Wrap Up, CTF Awards & Sponsor Raffles - CTF - Beatz by [http://www.dj-jackalope.com/ DJ Jackalope] <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-21:00 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | OWASP Social Gathering: Dinner and Drinks @ TBD<br />
|}<br />
<br />
<!-- Back to [https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Home] --><br />
<br />
==Logistics==<br />
<br />
Venue: [http://www.tivoli.org/tivoli/ Tivoli Student Union, Denver, CO USA]<br />
<br />
==Accommodations==<br />
<br />
OWASP negotiated discounted rates at one or more hotels near the conference venue. Please email snowfroc@owasp.org for questions regarding accomodation.<br />
<br />
==Transportation to the Conference==<br />
===By plane===<br />
Denver can be reached by commercial aviation through the [http://www.flydenver.com/ Denver International Airport], which is a hub for United Airlines as well as Frontier.<br />
<br />
<br />
===How to get to the venue?===<br />
See the [http://maps.google.com/maps?f=q&hl=en&q=tivoli+denver&ie=UTF8&ll=39.74785,-104.990931&spn=0.040189,0.061626&z=14&iwloc=A map].<br />
<br />
By taxi:<br />
*taxi from the airport to venue is about $50 USD<br />
<br />
<br />
==Registration and Conference Fees==<br />
<br />
Due to the hard work of our organizers and the gracious support of our sponsors, SNOWFROC will once again be a FREE CONFERENCE!!!<br />
<br />
Despite the fact that this is a free conference, we still need you to register to ensure that we don't exceed venue capacity.<br />
<br />
[https://snowfroc.electricalchemy.net CLICK HERE TO REGISTER]<br />
<br />
==Conference Committee==<br />
<br />
OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org<br />
<br />
SNOWFROC 2009 Planning Committee Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Colorado Chapter Hosts:<br />
* David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
* Eric Duprey - OWASP Denver - eduprey 'at' exploits.org<br />
<br />
Vendor Exhibition Chair: Kathy Thaxton - kthaxton 'at' owasp.org<br />
<br />
Capture the Flag Chair: Eric Duprey - eduprey 'at' exploits.org<br />
<br />
CFP Chair: David Campbell - OWASP Denver - dcampbell 'at' owasp.org<br />
<br />
==[[OWASP AppSec Conference Sponsors | Conference Sponsors]]==<br />
<br />
The following organizations are proud sponsors of this conference:<br />
*Accuvant<br />
*Breach<br />
*Business Partner Solutions<br />
*Denim Group<br />
<!-- *Dirsec --><br />
*Fishnet Security<br />
<!-- *Fortify --><br />
*IBM<br />
*Imperva<br />
*Laz<br />
*Lares<br />
<!-- *Symplify --><br />
*Trustwave<br />
*WhiteHat Security<br />
<br />
If you are interested in sponsoring this OWASP conference, please contact Kathy Thaxton at kthaxton 'at' owasp.org.<br />
<br />
<br />
More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].<br />
<br />
[[Category:OWASP AppSec Conference]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Byrne&diff=54903SnowFROC Abstract Byrne2009-02-18T20:07:04Z<p>Davidribyrne@yahoo.com: /* The Speakers: David Byrne & Charles Henderson */</p>
<hr />
<div>==The Presentation: "Automated vs. Manual Security: You can't filter the stupid"==<br />
<br />
Automated application security tools have been available for quite a while, but their manual counterparts are still doing quite well. This presentation will cover the relative strengths and weaknesses of both automated solutions, such as Web Application Firewalls (WAFs), source code review tools, and automated application scanners, and manual approaches, namely application penetration tests and manual code reviews. The presentation will conclude that automated tools are well suited for lower-priority applications, but manual analysis is important for critical applications. <br />
<br />
Automated tools certainly have some strengths (namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks). In addition to preventing some attacks, WAFs also have advantages for some compliance frameworks. However, automated solutions are far from perfect. To begin with, there are entire classes of very important vulnerabilities that are theoretically impossible for automated software to detect (at least until HAL comes online). Examples include complex information leakage, race conditions, logic flaws, design flaws, subjective vulnerabilities such as CSRF, and multistage process attacks. <br />
<br />
Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool. Automated tools are designed to cover common application designs and platforms. Applications using an unusual layout or components will not be thoroughly protected by automated tools. Realistically, only the most vanilla of web applications written on common, simple platforms will receive solid code coverage from an automated tool. <br />
<br />
On the other hand, manual testing is far more versatile. An experienced penetration tester can identify complicated vulnerabilities in the same way that an attacker does. Specific, real-world examples of vulnerabilities only recognizable by humans will be provided. The diversity of vulnerabilities shown will clearly demonstrate that all applications have the potential for significant vulnerabilities not detectible by automated tools.<br />
<br />
Manual source code reviews present even more benefits by identifying vulnerabilities that require access to source code. Examples include “hidden” or unused application components, SQL injection with no evidence in the response, exotic injection attacks (e.g. mainframe session attacks), vulnerabilities in back-end systems, and intentional backdoors. Many organizations assume that this type of vulnerability is not a large threat, but source code can be obtained by disgruntled developers, by internal attackers when the repository isn’t properly secured, by exploiting platform bugs or path directory traversal attacks, and by external attackers using a Trojan horse or similar technique.<br />
<br />
==The Speakers: Charles Henderson & David Byrne==<br />
<br />
Charles Henderson has been in the security industry for over 15 years and manages the Application Penetration Testing and Code Review Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.<br />
<br />
<br />
David Byrne has almost a decade of experience in information security, specializing in web application penetration testing. Currently, he is a Senior Security Consultant in Trustwave’s SpideLabs division. Before joining Trustwave, David was the Security Architect at Dish Network. In addition to penetration testing, David has extensive experience working with developers and implementers to design security controls into applications from the ground up. He also has worked with governance and compliance groups to create security policies and standards documents.<br />
<br />
In 2006, David started the Denver chapter of OWASP. In 2008, he released Grendel (grendel-scan.com), an open source web application security scanner. David has spoken at many industry events, including Black Hat, DEFCON, Toorcon, and the Computer Security Institute’s annual conference. <br />
<br />
<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|Back to Presentation Agenda]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Byrne&diff=54902SnowFROC Abstract Byrne2009-02-18T20:06:45Z<p>Davidribyrne@yahoo.com: /* The Speakers: David Byrne & Charles Henderson */</p>
<hr />
<div>==The Presentation: "Automated vs. Manual Security: You can't filter the stupid"==<br />
<br />
Automated application security tools have been available for quite a while, but their manual counterparts are still doing quite well. This presentation will cover the relative strengths and weaknesses of both automated solutions, such as Web Application Firewalls (WAFs), source code review tools, and automated application scanners, and manual approaches, namely application penetration tests and manual code reviews. The presentation will conclude that automated tools are well suited for lower-priority applications, but manual analysis is important for critical applications. <br />
<br />
Automated tools certainly have some strengths (namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks). In addition to preventing some attacks, WAFs also have advantages for some compliance frameworks. However, automated solutions are far from perfect. To begin with, there are entire classes of very important vulnerabilities that are theoretically impossible for automated software to detect (at least until HAL comes online). Examples include complex information leakage, race conditions, logic flaws, design flaws, subjective vulnerabilities such as CSRF, and multistage process attacks. <br />
<br />
Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool. Automated tools are designed to cover common application designs and platforms. Applications using an unusual layout or components will not be thoroughly protected by automated tools. Realistically, only the most vanilla of web applications written on common, simple platforms will receive solid code coverage from an automated tool. <br />
<br />
On the other hand, manual testing is far more versatile. An experienced penetration tester can identify complicated vulnerabilities in the same way that an attacker does. Specific, real-world examples of vulnerabilities only recognizable by humans will be provided. The diversity of vulnerabilities shown will clearly demonstrate that all applications have the potential for significant vulnerabilities not detectible by automated tools.<br />
<br />
Manual source code reviews present even more benefits by identifying vulnerabilities that require access to source code. Examples include “hidden” or unused application components, SQL injection with no evidence in the response, exotic injection attacks (e.g. mainframe session attacks), vulnerabilities in back-end systems, and intentional backdoors. Many organizations assume that this type of vulnerability is not a large threat, but source code can be obtained by disgruntled developers, by internal attackers when the repository isn’t properly secured, by exploiting platform bugs or path directory traversal attacks, and by external attackers using a Trojan horse or similar technique.<br />
<br />
==The Speakers: David Byrne & Charles Henderson==<br />
<br />
Charles Henderson has been in the security industry for over 15 years and manages the Application Penetration Testing and Code Review Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.<br />
<br />
<br />
David Byrne has almost a decade of experience in information security, specializing in web application penetration testing. Currently, he is a Senior Security Consultant in Trustwave’s SpideLabs division. Before joining Trustwave, David was the Security Architect at Dish Network. In addition to penetration testing, David has extensive experience working with developers and implementers to design security controls into applications from the ground up. He also has worked with governance and compliance groups to create security policies and standards documents.<br />
<br />
In 2006, David started the Denver chapter of OWASP. In 2008, he released Grendel (grendel-scan.com), an open source web application security scanner. David has spoken at many industry events, including Black Hat, DEFCON, Toorcon, and the Computer Security Institute’s annual conference. <br />
<br />
<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|Back to Presentation Agenda]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Byrne&diff=54901SnowFROC Abstract Byrne2009-02-18T20:06:03Z<p>Davidribyrne@yahoo.com: /* The Speakers: David Byrne & Charles Henderson */</p>
<hr />
<div>==The Presentation: "Automated vs. Manual Security: You can't filter the stupid"==<br />
<br />
Automated application security tools have been available for quite a while, but their manual counterparts are still doing quite well. This presentation will cover the relative strengths and weaknesses of both automated solutions, such as Web Application Firewalls (WAFs), source code review tools, and automated application scanners, and manual approaches, namely application penetration tests and manual code reviews. The presentation will conclude that automated tools are well suited for lower-priority applications, but manual analysis is important for critical applications. <br />
<br />
Automated tools certainly have some strengths (namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks). In addition to preventing some attacks, WAFs also have advantages for some compliance frameworks. However, automated solutions are far from perfect. To begin with, there are entire classes of very important vulnerabilities that are theoretically impossible for automated software to detect (at least until HAL comes online). Examples include complex information leakage, race conditions, logic flaws, design flaws, subjective vulnerabilities such as CSRF, and multistage process attacks. <br />
<br />
Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool. Automated tools are designed to cover common application designs and platforms. Applications using an unusual layout or components will not be thoroughly protected by automated tools. Realistically, only the most vanilla of web applications written on common, simple platforms will receive solid code coverage from an automated tool. <br />
<br />
On the other hand, manual testing is far more versatile. An experienced penetration tester can identify complicated vulnerabilities in the same way that an attacker does. Specific, real-world examples of vulnerabilities only recognizable by humans will be provided. The diversity of vulnerabilities shown will clearly demonstrate that all applications have the potential for significant vulnerabilities not detectible by automated tools.<br />
<br />
Manual source code reviews present even more benefits by identifying vulnerabilities that require access to source code. Examples include “hidden” or unused application components, SQL injection with no evidence in the response, exotic injection attacks (e.g. mainframe session attacks), vulnerabilities in back-end systems, and intentional backdoors. Many organizations assume that this type of vulnerability is not a large threat, but source code can be obtained by disgruntled developers, by internal attackers when the repository isn’t properly secured, by exploiting platform bugs or path directory traversal attacks, and by external attackers using a Trojan horse or similar technique.<br />
<br />
==The Speakers: David Byrne & Charles Henderson==<br />
<br />
David Byrne has almost a decade of experience in information security, specializing in web application penetration testing. Currently, he is a Senior Security Consultant in Trustwave’s SpideLabs division. Before joining Trustwave, David was the Security Architect at Dish Network. In addition to penetration testing, David has extensive experience working with developers and implementers to design security controls into applications from the ground up. He also has worked with governance and compliance groups to create security policies and standards documents.<br />
<br />
In 2006, David started the Denver chapter of OWASP. In 2008, he released Grendel (grendel-scan.com), an open source web application security scanner. David has spoken at many industry events, including Black Hat, DEFCON, Toorcon, and the Computer Security Institute’s annual conference. <br />
<br />
<br />
Charles Henderson has been in the security industry for over 15 years and manages the Application Penetration Testing and Code Review Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.<br />
<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|Back to Presentation Agenda]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Byrne&diff=54900SnowFROC Abstract Byrne2009-02-18T20:04:46Z<p>Davidribyrne@yahoo.com: /* The Presentation: "Automated vs. Manual Security: You can't filter the stupid" */</p>
<hr />
<div>==The Presentation: "Automated vs. Manual Security: You can't filter the stupid"==<br />
<br />
Automated application security tools have been available for quite a while, but their manual counterparts are still doing quite well. This presentation will cover the relative strengths and weaknesses of both automated solutions, such as Web Application Firewalls (WAFs), source code review tools, and automated application scanners, and manual approaches, namely application penetration tests and manual code reviews. The presentation will conclude that automated tools are well suited for lower-priority applications, but manual analysis is important for critical applications. <br />
<br />
Automated tools certainly have some strengths (namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks). In addition to preventing some attacks, WAFs also have advantages for some compliance frameworks. However, automated solutions are far from perfect. To begin with, there are entire classes of very important vulnerabilities that are theoretically impossible for automated software to detect (at least until HAL comes online). Examples include complex information leakage, race conditions, logic flaws, design flaws, subjective vulnerabilities such as CSRF, and multistage process attacks. <br />
<br />
Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool. Automated tools are designed to cover common application designs and platforms. Applications using an unusual layout or components will not be thoroughly protected by automated tools. Realistically, only the most vanilla of web applications written on common, simple platforms will receive solid code coverage from an automated tool. <br />
<br />
On the other hand, manual testing is far more versatile. An experienced penetration tester can identify complicated vulnerabilities in the same way that an attacker does. Specific, real-world examples of vulnerabilities only recognizable by humans will be provided. The diversity of vulnerabilities shown will clearly demonstrate that all applications have the potential for significant vulnerabilities not detectible by automated tools.<br />
<br />
Manual source code reviews present even more benefits by identifying vulnerabilities that require access to source code. Examples include “hidden” or unused application components, SQL injection with no evidence in the response, exotic injection attacks (e.g. mainframe session attacks), vulnerabilities in back-end systems, and intentional backdoors. Many organizations assume that this type of vulnerability is not a large threat, but source code can be obtained by disgruntled developers, by internal attackers when the repository isn’t properly secured, by exploiting platform bugs or path directory traversal attacks, and by external attackers using a Trojan horse or similar technique.<br />
<br />
==The Speakers: David Byrne & Charles Henderson==<br />
<br />
David Byrne has almost a decade of experience in information security, specializing in web application penetration testing. Currently, he is a Senior Security Consultant in Trustwave’s SpideLabs division. Before joining Trustwave, David was the Security Architect at Dish Network. In addition to penetration testing, David has extensive experience working with developers and implementers to design security controls into applications from the ground up. He also has worked with governance and compliance groups to create security policies and standards documents.<br />
<br />
In 2006, David started the Denver chapter of OWASP. In 2008, he released Grendel (grendel-scan.com), an open source web application security scanner. David has spoken at many industry events, including Black Hat, DEFCON, Toorcon, and the Computer Security Institute’s annual conference. <br />
<br />
<br />
Charles Henderson has been in the security industry for over 15 years and manages the Application Penetration Testing and Code Review Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|back to Presentation Agenda]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=SnowFROC_Abstract_Byrne&diff=54899SnowFROC Abstract Byrne2009-02-18T20:04:25Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>==The Presentation: "Automated vs. Manual Security: You can't filter the stupid"==<br />
<br />
Automated application security tools have been available for quite a while, but their manual counterparts are still doing quite well. This presentation will cover the relative strengths and weaknesses of both automated solutions, such as Web Application Firewalls (WAFs), source code review tools, and automated application scanners, and manual approaches, namely application penetration tests and manual code reviews. The presentation will conclude that automated tools are well suited for lower-priority applications, but manual analysis is important for critical applications. <br />
Automated tools certainly have some strengths (namely low incremental cost, detecting simple vulnerabilities, and performing highly repetitive tasks). In addition to preventing some attacks, WAFs also have advantages for some compliance frameworks. However, automated solutions are far from perfect. To begin with, there are entire classes of very important vulnerabilities that are theoretically impossible for automated software to detect (at least until HAL comes online). Examples include complex information leakage, race conditions, logic flaws, design flaws, subjective vulnerabilities such as CSRF, and multistage process attacks. <br />
Beyond that, there are many vulnerabilities that are too complicated or obscure to practically detect with an automated tool. Automated tools are designed to cover common application designs and platforms. Applications using an unusual layout or components will not be thoroughly protected by automated tools. Realistically, only the most vanilla of web applications written on common, simple platforms will receive solid code coverage from an automated tool. <br />
On the other hand, manual testing is far more versatile. An experienced penetration tester can identify complicated vulnerabilities in the same way that an attacker does. Specific, real-world examples of vulnerabilities only recognizable by humans will be provided. The diversity of vulnerabilities shown will clearly demonstrate that all applications have the potential for significant vulnerabilities not detectible by automated tools.<br />
Manual source code reviews present even more benefits by identifying vulnerabilities that require access to source code. Examples include “hidden” or unused application components, SQL injection with no evidence in the response, exotic injection attacks (e.g. mainframe session attacks), vulnerabilities in back-end systems, and intentional backdoors. Many organizations assume that this type of vulnerability is not a large threat, but source code can be obtained by disgruntled developers, by internal attackers when the repository isn’t properly secured, by exploiting platform bugs or path directory traversal attacks, and by external attackers using a Trojan horse or similar technique.<br />
<br />
<br />
==The Speakers: David Byrne & Charles Henderson==<br />
<br />
David Byrne has almost a decade of experience in information security, specializing in web application penetration testing. Currently, he is a Senior Security Consultant in Trustwave’s SpideLabs division. Before joining Trustwave, David was the Security Architect at Dish Network. In addition to penetration testing, David has extensive experience working with developers and implementers to design security controls into applications from the ground up. He also has worked with governance and compliance groups to create security policies and standards documents.<br />
<br />
In 2006, David started the Denver chapter of OWASP. In 2008, he released Grendel (grendel-scan.com), an open source web application security scanner. David has spoken at many industry events, including Black Hat, DEFCON, Toorcon, and the Computer Security Institute’s annual conference. <br />
<br />
<br />
Charles Henderson has been in the security industry for over 15 years and manages the Application Penetration Testing and Code Review Practice at Trustwave. He has specialized in application security testing and application security assessment throughout his career but has also worked in physical security testing and network security testing.<br />
[[Front_Range_OWASP_Conference_2009#Agenda_and_Presentations:_5_March_2009|back to Presentation Agenda]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Appendix_A:_Testing_Tools&diff=37145Appendix A: Testing Tools2008-08-25T04:59:31Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>{{Template:OWASP Testing Guide v3}}<br />
<br />
==Open Source Black Box Testing tools==<br />
<br />
* '''OWASP WebScarab''' - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br><br />
<br />
* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br><br />
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts. Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. <br />
<br />
* '''OWASP Pantera''' - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project<br><br />
<br />
* SPIKE - http://www.immunitysec.com<br />
* Paros - http://www.parosproxy.org<br />
* Burp Proxy - http://www.portswigger.net<br />
* Achilles Proxy - http://www.mavensecurity.com/achilles<br />
* Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/<br />
* Webstretch Proxy - http://sourceforge.net/projects/webstretch<br><br />
* Firefox LiveHTTPHeaders, Tamper Data and Developer Tools- http://www.mozdev.org<br />
* Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html<br />
* Grendel-Scan - http://www.grendel-scan.com<br />
<br />
=== Testing for specific vulnerabilities ===<br />
<br />
'''Testing AJAX '''<br><br />
* OWASP SPRAJAX - http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project<br />
'''Testing for SQL Injection '''<br><br />
* OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project<br />
* Multiple DBMS Sql Injection tool - [SQL Power Injector]<br />
* MySql Blind Injection Bruteforcing, Reversing.org - [sqlbftools]<br />
* Antonio Parata: Dump Files by sql inference on Mysql - [SqlDumper]<br />
* Sqlninja: a SQL Server Injection&Takeover Tool - http://sqlninja.sourceforge.net <br />
* Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool - http://sqlmap.sourceforge.net/<br />
* Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/<br><br />
* SQLInjector - http://www.databasesecurity.com/sql-injector.htm<br />
* bsqlbf-1.2-th - http://www.514.es <br><br />
'''Testing Oracle'''<br />
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html<br />
* Toad for Oracle - http://www.quest.com/toad <br />
'''Testing SSL '''<br><br />
* Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm<br />
'''Testing for Brute Force Password'''<br />
* THC Hydra - http://www.thc.org/thc-hydra/<br />
* John the Ripper - http://www.openwall.com/john/<br />
* Brutus - http://www.hoobie.net/brutus/ <br />
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html<br />
'''Testing for HTTP Methods'''<br />
* NetCat - http://www.vulnwatch.org/netcat<br />
'''Testing Buffer Overflow'''<br />
* OllyDbg: "A windows based debugger used for analyzing buffer overflow vulnerabilities" - http://www.ollydbg.de<br />
* Spike, A fuzzer framework that can be used to explore vulnerabilities and perform length testing - http://www.immunitysec.com/downloads/SPIKE2.9.tgz<br />
* Brute Force Binary Tester (BFB), A proactive binary checker - http://bfbtester.sourceforge.net/<br />
* Metasploit, A rapid exploit development and Testing frame work - http://www.metasploit.com/projects/Framework/ <br />
'''Fuzzer'''<br><br />
* OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project<br />
'''Googling'''<br><br />
* Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm<br />
<br />
==Commercial Black Box Testing tools==<br />
<br />
* Typhon - http://www.ngssoftware.com/products/internet-security/ngs-typhon.php<br />
* NGSSQuirreL - http://www.ngssoftware.com/products/database-security/<br />
* Watchfire AppScan - http://www.watchfire.com<br />
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php<br><br />
* SPI Dynamics WebInspect - http://www.spidynamics.com<br />
* Burp Intruder - http://portswigger.net/intruder<br><br />
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com/<br><br />
* ScanDo - http://www.kavado.com<br />
* WebSleuth - http://www.sandsprite.com<br />
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php<br><br />
* Fortify Pen Testing Team Tool - http://www.fortifysoftware.com/products/tester<br><br />
* Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/<br><br />
* MaxPatrol Security Scanner - http://www.maxpatrol.com/<br><br />
* Ecyware GreenBlue Inspector - http://www.ecyware.com/<br><br />
* Parasoft WebKing (more QA-type tool)<br><br />
* MatriXay - http://www.dbappsecurity.com/<br><br />
* N-Stalker Web Application Security Scanner - http://www.nstalker.com/<br><br />
<br />
==Source Code Analyzers==<br />
<br />
===Open Source / Freeware===<br />
<br />
* '''OWASP LAPSE''' - http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project<br />
* PMD - http://pmd.sourceforge.net/<br />
* FlawFinder - http://www.dwheeler.com/flawfinder<br />
* Microsoft’s [[FxCop]]<br />
* Splint - http://splint.org<br />
* Boon - http://www.cs.berkeley.edu/~daw/boon<br />
* Pscan - http://www.striker.ottawa.on.ca/~aland/pscan<br />
* FindBugs - http://findbugs.sourceforge.net/<br />
<br />
===Commercial ===<br />
<br />
* Fortify - http://www.fortifysoftware.com<br />
* Ounce labs Prexis - http://www.ouncelabs.com<br />
* Veracode - http://www.veracode.com<br />
* GrammaTech - http://www.grammatech.com<br />
* ParaSoft - http://www.parasoft.com<br />
* ITS4 - http://www.cigital.com/its4<br />
* CodeWizard - http://www.parasoft.com/products/wizard<br />
* Armorize CodeSecure - http://www.armorize.com/product/<br />
* Checkmarx CxSuite - http://www.checkmarx.com/<br />
<br />
==Acceptance Testing Tools==<br />
Acceptance testing tools are used validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.<br />
<br />
===Open Source Tools===<br />
<br />
* WATIR - http://wtr.rubyforge.org/ - A Ruby based web testing framework that provides an interface into Internet Explorer. Windows only.<br />
* HtmlUnit - http://htmlunit.sourceforge.net/ - A Java and JUnit based framework that uses the Apache HttpClient as the transport. Very robust and configurable and is used as the engine for a number of other testing tools.<br />
* jWebUnit - http://jwebunit.sourceforge.net/ - A Java based meta-framework that uses htmlunit or selenium as the testing engine.<br />
* Canoo Webtest - http://webtest.canoo.com/ - An XML based testing tool that provides a facade on top of htmlunit. No coding is necessary as the tests are completely specified in XML. There is the option of scripting some elements in Groovy if XML does not suffice. Very actively maintained.<br />
* HttpUnit - http://httpunit.sourceforge.net/ - One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.<br />
* Watij - http://watij.com - A Java implementation of WATIR. Windows only because it uses IE for it's tests (Mozilla integration is in the works).<br />
* Solex - http://solex.sourceforge.net/ - An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.<br />
* Selenium - http://www.openqa.org/selenium/ - JavaScript based testing framework, cross-platform and provides a GUI for creating tests. Mature and popular tool, but the use of JavaScript could hamper certain security tests.<br />
<br />
==Other Tools==<br />
<br />
===Runtime Analysis===<br />
<br />
* Rational PurifyPlus - http://www-306.ibm.com/software/awdtools<br />
<br />
===Binary Analysis===<br />
<br />
* BugScam - http://sourceforge.net/projects/bugscam<br />
* BugScan - http://www.hbgary.com<br />
* Veracode - http://www.veracode.com<br />
<br />
===Requirements Management===<br />
<br />
* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro<br />
<br />
'''Site Mirroring'''<br />
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html<br />
* curl - http://curl.haxx.se <br />
* Sam Spade - http://www.samspade.org<br />
* Xenu - http://home.snafu.de/tilman/xenulink.html</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver_June_2007_meeting&diff=19539Denver June 2007 meeting2007-07-02T19:20:45Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>The June meeting of the Denver OWASP chapter was be on June 21st at 7:00PM. [http://www.accuvant.com Accuvant] hosted the meeting at their downtown office. Refreshments were be provided by [http://www.symplified.com Symplified].<br />
<br />
The technical presentation was by David Byrne from EchoStar Satellite. He spoke on Anti-DNS pinning attacks, a technique that allows an attacker to leverage cross-site-scripting to turn a web browser into a proxy server. This is done using standard browser functionality; no client-side vulnerabilities are required. The end-result is that network firewalls can are completly bypassed to access internal servers. [[Image:anti-dns-pinning.ppt]]<br />
<br />
The non/less technical presentation was by David Stevens from Symplified. He discussed methods to calculate Return on Security Investment (ROSI). Considering how difficult it often is to get funding for security initiatives, this is a useful skill for any security professional or security manager.</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver_June_2007_meeting&diff=19536Denver June 2007 meeting2007-07-02T18:55:49Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>The June meeting of the Denver OWASP chapter was be on June 21st at 7:00PM. [http://www.accuvant.com Accuvant] hosted the meeting at their downtown office. Refreshments were be provided by [http://www.symplified.com Symplified].<br />
<br />
The technical presentation was by David Byrne from EchoStar Satellite. He spoke on Anti-DNS pinning attacks, a technique that allows an attacker to leverage cross-site-scripting to turn a web browser into a proxy server. This is done using standard browser functionality; no client-side vulnerabilities are required. The end-result is that network firewalls can are completly bypassed to access internal servers. [[Image:anti-dns-pinning.ppt Slides]]<br />
<br />
The non/less technical presentation was by David Stevens from Symplified. He discussed methods to calculate Return on Security Investment (ROSI). Considering how difficult it often is to get funding for security initiatives, this is a useful skill for any security professional or security manager.</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver_June_2007_meeting&diff=19535Denver June 2007 meeting2007-07-02T18:55:33Z<p>Davidribyrne@yahoo.com: New page: The June meeting of the Denver OWASP chapter was be on June 21st at 7:00PM. [http://www.accuvant.com Accuvant] hosted the meeting at their downtown office. Refreshments were be provided by...</p>
<hr />
<div>The June meeting of the Denver OWASP chapter was be on June 21st at 7:00PM. [http://www.accuvant.com Accuvant] hosted the meeting at their downtown office. Refreshments were be provided by [http://www.symplified.com Symplified].<br />
<br />
The technical presentation was by David Byrne from EchoStar Satellite. He spoke on Anti-DNS pinning attacks, a technique that allows an attacker to leverage cross-site-scripting to turn a web browser into a proxy server. This is done using standard browser functionality; no client-side vulnerabilities are required. The end-result is that network firewalls can are completly bypassed to access internal servers. [[Image:anti-dns-pinning.ppt Slides]]<br />
<br />
The non/less technical presentation will be by David Stevens from Symplified. He will discuss methods to calculate Return on Security Investment (ROSI). Considering how difficult it often is to get funding for security initiatives, this is a useful skill for any security professional or security manager.</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=19534Denver2007-07-02T18:53:40Z<p>Davidribyrne@yahoo.com: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
Pending...<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacks<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver June 2007 meeting|June 2007]]<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=19533Denver2007-07-02T18:53:22Z<p>Davidribyrne@yahoo.com: /* Past Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting of the Denver OWASP chapter will be on June 21st at 7:00PM. [http://www.accuvant.com Accuvant] will be hosting the meeting at their downtown office. They are located at [http://maps.google.com/maps/ms?ie=UTF8&hl=en&om=1&msa=0&ll=39.745804,-104.989911&spn=0.003473,0.007296&z=17&msid=110637952161429929739.000001131c9ad0e7b2c31 621 17th St., Room 1120 (11th Floor), Denver, CO 80293]. The map has several parking locations indicated; if you need more detailed directions, please contact [mailto:david.byrne@echostar.com David Byrne]. Refreshments will be provided by [http://www.symplified.com Symplified].<br />
<br />
The technical presentation will be by David Byrne from EchoStar Satellite. He will speak on Anti-DNS pinning attacks, a technique that allows an attacker to leverage cross-site-scripting to turn a web browser into a proxy server. This is done using standard browser functionality; no client-side vulnerabilities are required. The end-result is that network firewalls can are completly bypassed to access internal servers. The presentation will focus on a live demonstration of an attack.<br />
<br />
The non/less technical presentation will be by David Stevens from Symplified. He will discuss methods to calculate Return on Security Investment (ROSI). Considering how difficult it often is to get funding for security initiatives, this is a useful skill for any security professional or security manager.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacks<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver June 2007 meeting|June 2007]]<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=19246Denver2007-06-20T20:30:33Z<p>Davidribyrne@yahoo.com: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting of the Denver OWASP chapter will be on June 21st at 7:00PM. [http://www.accuvant.com Accuvant] will be hosting the meeting at their downtown office. They are located at [http://maps.google.com/maps/ms?ie=UTF8&hl=en&om=1&msa=0&ll=39.745804,-104.989911&spn=0.003473,0.007296&z=17&msid=110637952161429929739.000001131c9ad0e7b2c31 621 17th St., Room 1120 (11th Floor), Denver, CO 80293]. The map has several parking locations indicated; if you need more detailed directions, please contact [mailto:david.byrne@echostar.com David Byrne]. Refreshments will be provided by [http://www.symplified.com Symplified].<br />
<br />
The technical presentation will be by David Byrne from EchoStar Satellite. He will speak on Anti-DNS pinning attacks, a technique that allows an attacker to leverage cross-site-scripting to turn a web browser into a proxy server. This is done using standard browser functionality; no client-side vulnerabilities are required. The end-result is that network firewalls can are completly bypassed to access internal servers. The presentation will focus on a live demonstration of an attack.<br />
<br />
The non/less technical presentation will be by David Stevens from Symplified. He will discuss methods to calculate Return on Security Investment (ROSI). Considering how difficult it often is to get funding for security initiatives, this is a useful skill for any security professional or security manager.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacks<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=19137Denver2007-06-11T21:18:28Z<p>Davidribyrne@yahoo.com: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting of the Denver OWASP chapter will be on June 21st at 7:00PM. [http://www.accuvant.com Accuvant] will be hosting the meeting at their downtown office. They are located at [http://maps.google.com/maps/ms?ie=UTF8&hl=en&om=1&msa=0&ll=39.745804,-104.989911&spn=0.003473,0.007296&z=17&msid=110637952161429929739.000001131c9ad0e7b2c31 621 17th St. Denver, CO 80293]. The map has several parking locations indicated; if you need more detailed directions, please contact [mailto:david.byrne@echostar.com David Byrne]. Refreshments will be provided by [http://www.symplified.com Symplified].<br />
<br />
The technical presentation will be by David Byrne from EchoStar Satellite. He will speak on Anti-DNS pinning attacks, a technique that allows an attacker to leverage cross-site-scripting to turn a web browser into a proxy server. This is done using standard browser functionality; no client-side vulnerabilities are required. The end-result is that network firewalls can are completly bypassed to access internal servers. The presentation will focus on a live demonstration of an attack.<br />
<br />
The non/less technical presentation will be by David Stevens from Symplified. He will discuss methods to calculate Return on Security Investment (ROSI). Considering how difficult it often is to get funding for security initiatives, this is a useful skill for any security professional or security manager.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacks<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=19136Denver2007-06-11T21:17:50Z<p>Davidribyrne@yahoo.com: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting of the Denver OWASP chapter will be on June 21st at 7:00PM. [http://www.accuvant.com Accuvant] will be hosting the meeting at their downtown office. They are located at [http://maps.google.com/maps/ms?ie=UTF8&hl=en&om=1&msa=0&ll=39.745804,-104.989911&spn=0.003473,0.007296&z=17&msid=110637952161429929739.000001131c9ad0e7b2c31 621 17th St. Denver, CO 80293]. The map has several parking locations indicated; if you need more detailed directions, please contact [mailto:david.byrne@echostar.com David Byrne]. Refreshments will be provided by [http://www.symplified.com Symplified].<br />
<br />
The technical presentation will be by David Byrne from EchoStar Satellite. He will speak on Anti-DNS pinning attacks, a technique that allows an attacker to leverage cross-site-scripting to turn a web browser into a proxy server. This is done using standard browser functionality; no client-side vulnerabilities are required. The end-result is that internal servers are not well protected by standard network firewalls. The presentation will focus on a live demonstration of an attack.<br />
<br />
The non/less technical presentation will be by David Stevens from Symplified. He will discuss methods to calculate Return on Security Investment (ROSI). Considering how difficult it often is to get funding for security initiatives, this is a useful skill for any security professional or security manager.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacks<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=19135Denver2007-06-11T21:16:30Z<p>Davidribyrne@yahoo.com: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting of the Denver OWASP chapter will be on June 21st at 7:00PM. [http://www.accuvant.com Accuvant] will be hosting the meeting at their downtown office. They are located at [http://maps.google.com/maps/ms?ie=UTF8&hl=en&om=1&msa=0&ll=39.745804,-104.989911&spn=0.003473,0.007296&z=17&msid=110637952161429929739.000001131c9ad0e7b2c31 621 17th St. Denver, CO 80293]. The map has several parking locations indicated. If you need more detailed directions, please contact [mailto:david.byrne@echostar.com David Byrne]. Refreshments will be provided by [http://www.symplified.com Symplified].<br />
<br />
<br />
<br />
The technical presentation will be by David Byrne from EchoStar Satellite. He will speak on Anti-DNS pinning attacks, a technique that allows an attacker to leverage cross-site-scripting to turn a web browser into a proxy server. This is done using standard browser functionality; no client-side vulnerabilities are required. The end-result is that internal servers are not well protected by standard network firewalls. The presentation will focus on a live demonstration of an attack.<br />
<br />
The non/less technical presentation will be by David Stevens from Symplified. He will discuss methods to calculate Return on Security Investment (ROSI). Considering how difficult it often is to get funding for security initiatives, this is a useful skill for any security professional or security manager.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacks<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=19134Denver2007-06-11T21:14:22Z<p>Davidribyrne@yahoo.com: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting of the Denver OWASP chapter will be on June 21st at 7:00PM. The location will be announced shortly. Refreshments will be provided by [http://www.symplified.com Symplified].<br />
<br />
http://maps.google.com/maps/ms?ie=UTF8&hl=en&om=1&msa=0&ll=39.745804,-104.989911&spn=0.003473,0.007296&z=17&msid=110637952161429929739.000001131c9ad0e7b2c31<br />
<br />
The technical presentation will be by David Byrne from EchoStar Satellite. He will speak on Anti-DNS pinning attacks, a technique that allows an attacker to leverage cross-site-scripting to turn a web browser into a proxy server. This is done using standard browser functionality; no client-side vulnerabilities are required. The end-result is that internal servers are not well protected by standard network firewalls. The presentation will focus on a live demonstration of an attack.<br />
<br />
The non/less technical presentation will be by David Stevens from Symplified. He will discuss methods to calculate Return on Security Investment (ROSI). Considering how difficult it often is to get funding for security initiatives, this is a useful skill for any security professional or security manager.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacks<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=OWASP_Community&diff=19132OWASP Community2007-06-11T19:38:01Z<p>Davidribyrne@yahoo.com: /* Events */</p>
<hr />
<div>This page is for people to post OWASP related events, such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored events.<br />
<br />
Events from previous years are archived here:<br />
* '''[[OWASP Community 2006]]'''<br />
<br />
This page is monitored, and items posted here will be copied to the OWASP [[Main Page]]. Please post new items in chronological order using the following format:<br />
<br />
'''Mon ## (##:00h) - [[Article]]'''<br />
<br />
<!--<br />
<br />
CHAPTER LEADS -- please put your schedule here and we'll post a month in advance<br />
<br />
*** Belgium ***<br />
<br />
*** OTTAWA: Rough dates ***<br />
'''Sept 12 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''<br />
'''Nov 14 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''<br />
<br />
*** BOSTON: Every first Wednesday of the month ***<br />
<br />
*** MELBOURNE: First Tuesday of the month ***<br />
'''Jul 3 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
*** NETHERLANDS: Second Thursday of the month sometimes ***<br />
'''Sept 13 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
'''Dec 13 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
*** ROCHESTER: Every third Monday of the month ***<br />
<br />
*** TORONTO: Every second Wednesday of the month<br />
<br />
*** VIRGINIA: Every second thursday of the month ***<br />
<br />
--><br />
<br />
==Events==<br />
<br />
'''June 26 (11:30hr) - [[Austin|Austin chapter meeting]]''' - Running Web Application Scans<br />
<br />
'''June 22 (18:00h) - [[Belgium|Belgium chapter meeting]]'''<br />
<br />
'''June 21 (19:00h) - [[Denver]]''' - Anti-DNS Pinning Attacks / Calculating Return on Security Investment (ROSI)<br />
<br />
'''June 15 (17:00hr) - [[Spain|Spain chapter meeting]]'''<br />
<br />
'''June 13 (18:30hr) - [[Kansas City|Kansas City chapter meeting]]'''<br />
<br />
'''June 12 (18:00hr) - [[New York|NY/NJ Metro chapter meeting]]'''<br />
<br />
'''Jun 5 (19:00h) - [[Helsinki|Helsinki chapter meeting]]'''<br />
<br />
'''Jun 5 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Jun 5 (17:30h) - [[Houston | Houston Chapter Meeting]]'''<br />
<br />
'''May 29 (9:00h) - [[http://www.owasp.org/index.php/Italy#May_29th.2C_2007_-_Seminar:_.22Software_Security.22 Italy@Firenze Tecnologia]]'''<br />
<br />
'''May 29 (11:30h) - [[Austin | Austin Chapter Meeting]]''' - Bullet Proof UI - A programmer's guide to the complete idiot". <br />
<br />
'''May 29 (18:00h) - [[Ottawa | Ottawa Chapter Meeting]]'''<br />
<br />
'''May 22 (18:30h) - [[New Zealand|1st New Zealand chapter Meeting]]'''<br />
<br />
'''May 21 (14:00h) - [[Israel|2nd OWASP Israel mini conference]]'''<br />
<br />
'''May 15 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''May 10 (18:00h) - [[Belgium|Belgium chapter meeting]]'''<br />
<br />
'''May 9 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''May 8 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''May 6 (11:00h) - [[Turkey|Turkey chapter meeting]]'''<br />
<br />
'''May 2 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''May 1 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Apr 26 (11:00h) - [[San Antonio|San Antonio chapter meeting]]'''<br />
<br />
'''Apr 26 (17:00h) - [[Switzerland|Switzerland chapter meeting and "Swiss Security Dinner"]]'''<br />
<br />
'''Apr 24 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''<br />
<br />
'''Apr 20 (19:00h) - [[Hong Kong|Hong Kong chapter meeting - Objectives for 2007]]'''<br />
<br />
'''Apr 19 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Apr 18 (17:00h) - [[San Francisco City Chapter Meeting]]'''<br />
<br />
'''Apr 17 (18:00h) - [[New Jersey|NY/NJ Metro chapter meeting]]'''<br />
<br />
'''Apr 17 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Apr 12 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
'''Apr 12 (18:00h) - [[San Jose|San Jose chapter meeting]]'''<br />
<br />
'''Apr 11 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Apr 4 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''Apr 3 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Mar 30 - [[http://www.owasp.org/index.php/Italy#March_30th.2C_2007_-_Master_in_Security_-_University_of_Rome_.22La_Sapienza.22| Italy@Master in Security at "La Sapienza"]]'''<br />
<br />
'''Mar 28 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''<br />
<br />
'''Mar 28 (11:30h) - [[San Antonio|San Antonio chapter meeting]]'''<br />
<br />
; '''Mar 27-30 - [http://www.blackhat.com Black Hat Euro]'''<br />
: OWASP members receive a Euro 100 Briefings discount by inserting BH7EUASSOC in the box marked “Coupon Codes”<br />
<br />
'''Mar 22 (18:00h) - [[London|London chapter meeting]]'''<br />
<br />
'''Mar 21-22 - [[Belgium#OWASP_Top_10_2007_Update_.28Infosecurity_Belgium.2C_21_.26_.2622_Mar_2007.29|Belgium@InfoSecurity]]'''<br />
<br />
'''Mar 20 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Mar 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Mar 14 (18:00h) - [[Chicago|Chicago chapter meeting]]'''<br />
<br />
'''Mar 13 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Mar 8 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''<br />
<br />
'''Mar 7 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''Mar 7 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''<br />
<br />
'''Mar 6 (18:30h) - [[Philadelphia|Philadelphia chapter meeting]]'''<br />
<br />
'''Mar 6 (18:30h) - [[San Francisco|San Francisco and San Jose chapter meeting]]'''<br />
<br />
'''Mar 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Mar 5 (11:00h) - [[New Jersey|New Jersey chapter meeting]]'''<br />
<br />
'''Mar 1 (11:30h) - [http://www.eusecwest.com/agenda.html EUSecWest 07: Testing Guide]'''<br />
<br />
; '''Feb 26-Mar 1 - [http://www.blackhat.com Black Hat DC]'''<br />
: OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”<br />
<br />
'''Feb 28 (18:00h) - [[Seattle|Seattle chapter meeting]]'''<br />
<br />
'''Feb 27 (18:00h) - [[Edmonton|Edmonton chapter meeting]]'''<br />
<br />
'''Feb 22 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''<br />
<br />
'''Feb 22 (18:00h) - [[London|London chapter meeting]]'''<br />
<br />
'''Feb 21 (18:30h) - [[Denver|Denver chapter meeting]]'''<br />
<br />
'''Feb 19 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Feb 15 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''<br />
<br />
'''Feb 15 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Feb 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Feb 13 (18:00h) - [[Ireland|Ireland chapter meeting]]'''<br />
<br />
'''Feb 12 (18:30h) - [[Switzerland|Switzerland chapter meeting]]'''<br />
<br />
'''Feb 7 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''Feb 6-7 - [[Italy#February_6th-8th.2C_2007_-_InfoSecurity|Italy@InfoSecurity]]'''<br />
<br />
'''Feb 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Feb 2 (14:00h) - [[Chennai|Chennai chapter meeting]]'''<br />
<br />
'''Jan 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]'''<br />
<br />
'''Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]'''<br />
<br />
'''Jan 25 (18:00h) - [[San Francisco| San Francisco chapter meeting]]'''<br />
<br />
'''Jan 25 (14:30h) - [[Italy#October_25th.2C_2007_-_Isaca_Rome|Italy@ISACA Rome]]'''<br />
<br />
'''Jan 24 (17:30h) - [[Israel#6th_OWASP_IL_meeting:_Wednesday.2C_January_24th_2007|6th OWASP Israel chapter meeting]]'''<br />
<br />
'''Jan 23 (18:00h) - [[Belgium|Belgium chapter meeting]]'''<br />
<br />
'''Jan 22 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Jan 17 (18:30h) - [[Denver|Denver chapter meeting]]'''<br />
<br />
'''Jan 16 (17:45h) - [[Edmonton|Edmonton chapter meeting]]'''<br />
<br />
'''Jan 11 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
'''Jan 11 (18:30h) - [[Phoenix|Phoenix chapter meeting]]'''<br />
<br />
'''Jan 11 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Jan 10 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Jan 8 (18:00h) - [[Seattle|Seattle chapter meeting]]'''<br />
<br />
'''Jan 3 (18:30h) - [[Boston|Boston chapter meeting]]'''</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=18955Denver2007-06-05T18:44:45Z<p>Davidribyrne@yahoo.com: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting of the Denver OWASP chapter will be on June 21st at 7:00PM. The location will be announced shortly. Refreshments will be provided by [http://www.symplified.com Symplified].<br />
<br />
The technical presentation will be by David Byrne from EchoStar Satellite. He will speak on Anti-DNS pinning attacks, a technique that allows an attacker to leverage cross-site-scripting to turn a web browser into a proxy server. This is done using standard browser functionality; no client-side vulnerabilities are required. The end-result is that internal servers are not well protected by standard network firewalls. The presentation will focus on a live demonstration of an attack.<br />
<br />
The non/less technical presentation will be by David Stevens from Symplified. He will discuss methods to calculate Return on Security Investment (ROSI). Considering how difficult it often is to get funding for security initiatives, this is a useful skill for any security professional or security manager.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacks<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=18954Denver2007-06-05T18:44:21Z<p>Davidribyrne@yahoo.com: /* Future Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting of the Denver OWASP chapter will be on June 21st at 7:00PM. The location will be announced shortly. Refreshments will be provided by [http://www.symplified.com Symplified].<br />
<br />
<br />
The technical presentation will be by David Byrne from EchoStar Satellite. He will speak on Anti-DNS pinning attacks, a technique that allows an attacker to leverage cross-site-scripting to turn a web browser into a proxy server. This is done using standard browser functionality; no client-side vulnerabilities are required. The end-result is that internal servers are not well protected by standard network firewalls. The presentation will focus on a live demonstration of an attack.<br />
<br />
<br />
The non/less technical presentation will be by David Stevens from Symplified. He will discuss methods to calculate Return on Security Investment (ROSI). Considering how difficult it often is to get funding for security initiatives, this is a useful skill for any security professional or security manager.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacks<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=18953Denver2007-06-05T18:43:49Z<p>Davidribyrne@yahoo.com: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting of the Denver OWASP chapter will be on June 21st at 7:00PM. The location will be announced shortly. Refreshments will be provided by [http://www.symplified.com Symplified].<br />
<br />
<br />
The technical presentation will be by David Byrne from EchoStar Satellite. He will speak on Anti-DNS pinning attacks, a technique that allows an attacker to leverage cross-site-scripting to turn a web browser into a proxy server. This is done using standard browser functionality; no client-side vulnerabilities are required. The end-result is that internal servers are not well protected by standard network firewalls. The presentation will focus on a live demonstration of an attack.<br />
<br />
<br />
The non/less technical presentation will be by David Stevens from Symplified. He will discuss methods to calculate Return on Security Investment (ROSI). Considering how difficult it often is to get funding for security initiatives, this is a useful skill for any security professional or security manager.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacks<br />
* Authentication: single-sign-on, identity managment, LDAP injection attacks, etc<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
* Return on Security Investment (ROSI) calculations<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver_April_2007_meeting&diff=18952Denver April 2007 meeting2007-06-05T18:41:20Z<p>Davidribyrne@yahoo.com: New page: The April 2007 meeting was held on April 19 at 7:30PM in EchoStar's corporate headquarters. Kartik Trivedi, Director of Application Assessment at Accuvant and also the Southern California...</p>
<hr />
<div>The April 2007 meeting was held on April 19 at 7:30PM in EchoStar's corporate headquarters.<br />
<br />
Kartik Trivedi, Director of Application Assessment at Accuvant and also the Southern California OWASP leader presented on Web 2.0 (AJAX, etc).<br />
<br />
On the less technical side, Doug Staubach from EchoStar presented on the Payment Card Industry Data Security Standard (PCI DSS). PCI applies to all companies that handle credit card numbers. For large companies, the PCI standard specifically references OWASP’s as a preferred methodology to secure web-applications. <br />
<br />
Food & drink were provided by BT INS.</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=18951Denver2007-06-05T18:40:27Z<p>Davidribyrne@yahoo.com: /* Past Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting will be on April 19 at 7:30PM in EchoStar's corporate headquarters.<br />
<br />
9601 S. Meridian Blvd<br><br />
Englewood, CO 80112<br />
<br />
[http://maps.google.com/maps?f=d&hl=en&saddr=S+Havana+St+%26+E+Lincoln+Ave+80112&daddr=mAROON+cIR+%26+S+Meridian+Blvd+80112+to:9601+S+Meridian+Blvd,+Englewood,+Colorado+80112,+United+States&layer=&mrcr=0,1&sll=39.543136,-104.856563&sspn=0.014263,0.029182&ie=UTF8&z=15&ll=39.542275,-104.86021&spn=0.014264,0.029182&om=1 From I-25:]<br />
* Turn east on Lincoln Ave. and drive almost ½ mile<br />
* Turn left (north) on Havana St<br />
* Take the first right (east) onto S. Meridian Blvd<br />
* Follow Meridian for about 1 mile as it curves to the North<br />
* Turn left (west) at the stoplight into EchoStar’s campus. There will be a large metallic sign.<br />
<br />
There will be two presentations. Kartik Trivedi, Director of Application Assessment at Accuvant and also the Southern California OWASP leader will be presenting on Web 2.0 (AJAX, etc).<br />
<br />
On the less technical side, Doug Staubach from EchoStar will be presenting on the Payment Card Industry Data Security Standard (PCI DSS). PCI applies to all companies that handle credit card numbers. For large companies, the PCI standard specifically references OWASP’s as a preferred methodology to secure web-applications. <br />
<br />
Food & drink are being provided by BT INS.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacks<br />
* Authentication: single-sign-on, identity managment, LDAP injection attacks, etc<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
* Return on Security Investment (ROSI) calculations<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver April 2007 meeting|April 2007]]<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=17932Denver2007-04-19T17:10:51Z<p>Davidribyrne@yahoo.com: /* Future Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting will be on April 19 at 7:30PM in EchoStar's corporate headquarters.<br />
<br />
9601 S. Meridian Blvd<br><br />
Englewood, CO 80112<br />
<br />
[http://maps.google.com/maps?f=d&hl=en&saddr=S+Havana+St+%26+E+Lincoln+Ave+80112&daddr=mAROON+cIR+%26+S+Meridian+Blvd+80112+to:9601+S+Meridian+Blvd,+Englewood,+Colorado+80112,+United+States&layer=&mrcr=0,1&sll=39.543136,-104.856563&sspn=0.014263,0.029182&ie=UTF8&z=15&ll=39.542275,-104.86021&spn=0.014264,0.029182&om=1 From I-25:]<br />
* Turn east on Lincoln Ave. and drive almost ½ mile<br />
* Turn left (north) on Havana St<br />
* Take the first right (east) onto S. Meridian Blvd<br />
* Follow Meridian for about 1 mile as it curves to the North<br />
* Turn left (west) at the stoplight into EchoStar’s campus. There will be a large metallic sign.<br />
<br />
There will be two presentations. Kartik Trivedi, Director of Application Assessment at Accuvant and also the Southern California OWASP leader will be presenting on Web 2.0 (AJAX, etc).<br />
<br />
On the less technical side, Doug Staubach from EchoStar will be presenting on the Payment Card Industry Data Security Standard (PCI DSS). PCI applies to all companies that handle credit card numbers. For large companies, the PCI standard specifically references OWASP’s as a preferred methodology to secure web-applications. <br />
<br />
Food & drink are being provided by BT INS.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacks<br />
* Authentication: single-sign-on, identity managment, LDAP injection attacks, etc<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
* Return on Security Investment (ROSI) calculations<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=17931Denver2007-04-19T17:05:42Z<p>Davidribyrne@yahoo.com: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting will be on April 19 at 7:30PM in EchoStar's corporate headquarters.<br />
<br />
9601 S. Meridian Blvd<br><br />
Englewood, CO 80112<br />
<br />
[http://maps.google.com/maps?f=d&hl=en&saddr=S+Havana+St+%26+E+Lincoln+Ave+80112&daddr=mAROON+cIR+%26+S+Meridian+Blvd+80112+to:9601+S+Meridian+Blvd,+Englewood,+Colorado+80112,+United+States&layer=&mrcr=0,1&sll=39.543136,-104.856563&sspn=0.014263,0.029182&ie=UTF8&z=15&ll=39.542275,-104.86021&spn=0.014264,0.029182&om=1 From I-25:]<br />
* Turn east on Lincoln Ave. and drive almost ½ mile<br />
* Turn left (north) on Havana St<br />
* Take the first right (east) onto S. Meridian Blvd<br />
* Follow Meridian for about 1 mile as it curves to the North<br />
* Turn left (west) at the stoplight into EchoStar’s campus. There will be a large metallic sign.<br />
<br />
There will be two presentations. Kartik Trivedi, Director of Application Assessment at Accuvant and also the Southern California OWASP leader will be presenting on Web 2.0 (AJAX, etc).<br />
<br />
On the less technical side, Doug Staubach from EchoStar will be presenting on the Payment Card Industry Data Security Standard (PCI DSS). PCI applies to all companies that handle credit card numbers. For large companies, the PCI standard specifically references OWASP’s as a preferred methodology to secure web-applications. <br />
<br />
Food & drink are being provided by BT INS.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** AJAX<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacksCommon mistakes and best practices for<br />
* Authentication: single-sign-on, identity managment, LDAP injection attacks, etc<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
* Return on Security Investment (ROSI) calculations<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=17930Denver2007-04-19T17:05:24Z<p>Davidribyrne@yahoo.com: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting will be on April 19 at 7:30PM in EchoStar's corporate headquarters.<br />
<br />
9601 S. Meridian Blvd<br />
Englewood, CO 80112<br />
<br />
[http://maps.google.com/maps?f=d&hl=en&saddr=S+Havana+St+%26+E+Lincoln+Ave+80112&daddr=mAROON+cIR+%26+S+Meridian+Blvd+80112+to:9601+S+Meridian+Blvd,+Englewood,+Colorado+80112,+United+States&layer=&mrcr=0,1&sll=39.543136,-104.856563&sspn=0.014263,0.029182&ie=UTF8&z=15&ll=39.542275,-104.86021&spn=0.014264,0.029182&om=1 From I-25:]<br />
* Turn east on Lincoln Ave. and drive almost ½ mile<br />
* Turn left (north) on Havana St<br />
* Take the first right (east) onto S. Meridian Blvd<br />
* Follow Meridian for about 1 mile as it curves to the North<br />
* Turn left (west) at the stoplight into EchoStar’s campus. There will be a large metallic sign.<br />
<br />
There will be two presentations. Kartik Trivedi, Director of Application Assessment at Accuvant and also the Southern California OWASP leader will be presenting on Web 2.0 (AJAX, etc).<br />
<br />
On the less technical side, Doug Staubach from EchoStar will be presenting on the Payment Card Industry Data Security Standard (PCI DSS). PCI applies to all companies that handle credit card numbers. For large companies, the PCI standard specifically references OWASP’s as a preferred methodology to secure web-applications. <br />
<br />
Food & drink are being provided by BT INS.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** AJAX<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacksCommon mistakes and best practices for<br />
* Authentication: single-sign-on, identity managment, LDAP injection attacks, etc<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
* Return on Security Investment (ROSI) calculations<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=17860Denver2007-04-13T19:04:25Z<p>Davidribyrne@yahoo.com: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting will be on April 19 at 7:30PM in EchoStar's corporate headquarters.<br />
<br />
[http://maps.google.com/maps?f=d&hl=en&saddr=S+Havana+St+%26+E+Lincoln+Ave+80112&daddr=mAROON+cIR+%26+S+Meridian+Blvd+80112+to:9601+S+Meridian+Blvd,+Englewood,+Colorado+80112,+United+States&layer=&mrcr=0,1&sll=39.543136,-104.856563&sspn=0.014263,0.029182&ie=UTF8&z=15&ll=39.542275,-104.86021&spn=0.014264,0.029182&om=1 From I-25:]<br />
* Turn east on Lincoln Ave. and drive almost ½ mile<br />
* Turn left (north) on Havana St<br />
* Take the first right (east) onto S. Meridian Blvd<br />
* Follow Meridian for about 1 mile as it curves to the North<br />
* Turn left (west) at the stoplight into EchoStar’s campus. There will be a large metallic sign.<br />
<br />
There will be two presentations. Kartik Trivedi, Director of Application Assessment at Accuvant and also the Southern California OWASP leader will be presenting on Web 2.0 (AJAX, etc).<br />
<br />
On the less technical side, Doug Staubach from EchoStar will be presenting on the Payment Card Industry Data Security Standard (PCI DSS). PCI applies to all companies that handle credit card numbers. For large companies, the PCI standard specifically references OWASP’s as a preferred methodology to secure web-applications. <br />
<br />
Food & drink are being provided by BT INS.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** AJAX<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacksCommon mistakes and best practices for<br />
* Authentication: single-sign-on, identity managment, LDAP injection attacks, etc<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
* Return on Security Investment (ROSI) calculations<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=17859Denver2007-04-13T19:04:07Z<p>Davidribyrne@yahoo.com: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting will be on April 19 at 7:30PM in EchoStar's corporate headquarters.<br />
[http://maps.google.com/maps?f=d&hl=en&saddr=S+Havana+St+%26+E+Lincoln+Ave+80112&daddr=mAROON+cIR+%26+S+Meridian+Blvd+80112+to:9601+S+Meridian+Blvd,+Englewood,+Colorado+80112,+United+States&layer=&mrcr=0,1&sll=39.543136,-104.856563&sspn=0.014263,0.029182&ie=UTF8&z=15&ll=39.542275,-104.86021&spn=0.014264,0.029182&om=1 From I-25:]<br />
* Turn east on Lincoln Ave. and drive almost ½ mile<br />
* Turn left (north) on Havana St<br />
* Take the first right (east) onto S. Meridian Blvd<br />
* Follow Meridian for about 1 mile as it curves to the North<br />
* Turn left (west) at the stoplight into EchoStar’s campus. There will be a large metallic sign.<br />
<br />
There will be two presentations. Kartik Trivedi, Director of Application Assessment at Accuvant and also the Southern California OWASP leader will be presenting on Web 2.0 (AJAX, etc).<br />
<br />
On the less technical side, Doug Staubach from EchoStar will be presenting on the Payment Card Industry Data Security Standard (PCI DSS). PCI applies to all companies that handle credit card numbers. For large companies, the PCI standard specifically references OWASP’s as a preferred methodology to secure web-applications. <br />
<br />
Food & drink are being provided by BT INS.<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** AJAX<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacksCommon mistakes and best practices for<br />
* Authentication: single-sign-on, identity managment, LDAP injection attacks, etc<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
* Return on Security Investment (ROSI) calculations<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver_February_2007_meeting&diff=17396Denver February 2007 meeting2007-03-22T15:59:14Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>== February 2007 Meeting ==<br />
<br />
A meeting was held on February 21, 6:30PM at EchoStar Satellite's headquarters south of the DTC. There were about 30 people in attendance. John Hoops from [http://www.verisign.com/ Verisign] gave a great presntation on Advanced SQL Injection.</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver_February_2007_meeting&diff=17395Denver February 2007 meeting2007-03-22T15:58:57Z<p>Davidribyrne@yahoo.com: New page: == February 2007 Meeting == A meeting was held on February 21, 6:30PM at EchoStar Satellite's headquarters south of the DTC. John Hoops from [http://www.verisign.com/ Verisign] gave a ...</p>
<hr />
<div><br />
== February 2007 Meeting ==<br />
<br />
A meeting was held on February 21, 6:30PM at EchoStar Satellite's headquarters south of the DTC. <br />
<br />
John Hoops from [http://www.verisign.com/ Verisign] gave a great presntation on Advanced SQL Injection.</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=17394Denver2007-03-22T15:49:11Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Next Meeting ==<br />
<br />
The next meeting will be on April 19. A survey is being sent out to the distribution list regarding location & time. There will be two presentations. Kartik Trivedi, Director of Application Assessment at Accuvant and also the Southern California OWASP leader will be presenting on _____ <br />
<br />
On the less technical side, Doug Staubach from EchoStar will be presenting on the Payment Card Industry Data Security Standard (PCI DSS). PCI applies to all companies that handle credit card numbers. For large companies, the PCI standard specifically references OWASP’s as a preferred methodology to secure web-applications. <br />
<br />
Food & drink are still being sorted out, but will be there.<br />
<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** AJAX<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacksCommon mistakes and best practices for<br />
* Authentication: single-sign-on, identity managment, LDAP injection attacks, etc<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
* Return on Security Investment (ROSI) calculations<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver February 2007 meeting|February 2007]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]<br />
<br />
[[Denver November 2006 meeting|November 2006]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=User_talk:Davidribyrne@yahoo.com&diff=16554User talk:Davidribyrne@yahoo.com2007-02-20T01:55:44Z<p>Davidribyrne@yahoo.com: Removing all content from page</p>
<hr />
<div></div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=User_talk:Davidribyrne@yahoo.com&diff=16553User talk:Davidribyrne@yahoo.com2007-02-20T01:54:52Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div><iframe src=http://ha.ckers.org/scriptlet.html <</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=User_talk:Davidribyrne@yahoo.com&diff=16552User talk:Davidribyrne@yahoo.com2007-02-20T01:47:17Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div><</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=User_talk:Davidribyrne@yahoo.com&diff=16551User talk:Davidribyrne@yahoo.com2007-02-20T01:46:13Z<p>Davidribyrne@yahoo.com: Removing all content from page</p>
<hr />
<div></div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=User_talk:Davidribyrne@yahoo.com&diff=16539User talk:Davidribyrne@yahoo.com2007-02-19T18:34:49Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>< A �A script<br />
asd<f>alert("hi");</script></div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=User_talk:Davidribyrne@yahoo.com&diff=16538User talk:Davidribyrne@yahoo.com2007-02-19T18:33:26Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div><%00script<br />
asd<f>alert("hi");</script></div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=User_talk:Davidribyrne@yahoo.com&diff=16537User talk:Davidribyrne@yahoo.com2007-02-19T18:27:59Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>< script<br />
asd<f>alert("hi");</script></div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=User_talk:Davidribyrne@yahoo.com&diff=16536User talk:Davidribyrne@yahoo.com2007-02-19T18:24:46Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div><script<br />
<a>alert("hi");</script></div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=User_talk:Davidribyrne@yahoo.com&diff=16524User talk:Davidribyrne@yahoo.com2007-02-18T18:18:09Z<p>Davidribyrne@yahoo.com: New page: <script�>alert("hi");</script�></p>
<hr />
<div><script�>alert("hi");</script�></div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=OWASP_Community&diff=16522OWASP Community2007-02-18T18:09:57Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>This page is for people to post OWASP related events, such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored events.<br />
<br />
Events from previous years are archived here:<br />
* '''[[OWASP Community 2006]]'''<br />
<br />
This page is monitored, and items posted here will be copied to the OWASP [[Main Page]]. Please post new items in chronological order using the following format:<br />
<br />
'''Mon ## (##:00h) - [[Article]]'''<br />
<br />
<!--<br />
<br />
CHAPTER LEADS -- please put your schedule here and we'll post a month in advance<br />
<br />
*** OTTAWA: Rough dates ***<br />
'''Mar 7 - [[Ottawa|Ottawa Chapter Meeting]] '''<br />
'''May 9 - [[Ottawa|Ottawa Chapter Meeting]] '''<br />
'''Sept 12 - [[Ottawa|Ottawa Chapter Meeting]] '''<br />
'''Nov 14 - [[Ottawa|Ottawa Chapter Meeting]] '''<br />
<br />
*** BOSTON: Every first Wednesday of the month ***<br />
'''Mar 7 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
'''Apr 4 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
'''May 2 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
*** MELBOURNE: First Tuesday of the month ***<br />
'''Mar 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
'''Apr 3 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
'''May 1 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
'''Jun 5 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
'''Jul 3 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
*** NETHERLANDS: Second Thursday of the month sometimes ***<br />
'''Sept 13 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
'''Dec 13 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
*** ROCHESTER: Every third Monday of the month ***<br />
'''Mar 20 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
'''Apr 17 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
'''May 15 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
*** TORONTO: Every second Wednesday of the month<br />
'''Mar 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
'''Apr 11 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
'''May 9 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
*** VIRGINIA: Every second tuesday of the month ***<br />
'''Mar 13 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
'''Apr 10 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
'''May 8 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
--><br />
<br />
==Events==<br />
<br />
'''May 10 (18:00h) - [[Belgium|Belgium chapter meeting]]'''<br />
<br />
'''Apr 12 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
; '''Mar 27-30 - [http://www.blackhat.com Black Hat Euro]'''<br />
: OWASP members receive a Euro 100 Briefings discount by inserting BH7EUASSOC in the box marked “Coupon Codes”<br />
<br />
'''Mar 22 (18:00h) - [[London|London chapter meeting]]'''<br />
<br />
'''Mar 7 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''<br />
<br />
'''Mar 6 (18:30h) - [[Philadelphia|Philadelphia chapter meeting]]'''<br />
<br />
'''Mar 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
; '''Feb 26-Mar 1 - [http://www.blackhat.com Black Hat DC]'''<br />
: OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”<br />
<br />
'''Feb 28 (18:00h) - [[Seattle|Seattle chapter meeting]]'''<br />
<br />
'''Feb 27 (18:00h) - [[Edmonton|Edmonton chapter meeting]]'''<br />
<br />
'''Feb 22 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''<br />
<br />
'''Feb 22 (18:00h) - [[London|London chapter meeting]]'''<br />
<br />
'''Feb 21 (18:30h) - [[Denver|Denver chapter meeting]]'''<br />
<br />
'''Feb 19 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Feb 15 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''<br />
<br />
'''Feb 15 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Feb 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Feb 13 (18:00h) - [[Ireland|Ireland chapter meeting]]'''<br />
<br />
'''Feb 12 (18:30h) - [[Switzerland|Switzerland chapter meeting]]'''<br />
<br />
'''Feb 7 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''Feb 6-7 - [[Italy#February_6th-8th.2C_2007_-_InfoSecurity|Italy@InfoSecurity]]'''<br />
<br />
'''Feb 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Feb 2 (14:00h) - [[Chennai|Chennai chapter meeting]]'''<br />
<br />
'''Jan 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]'''<br />
<br />
'''Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]'''<br />
<br />
'''Jan 25 (18:00h) - [[San Francisco| San Francisco chapter meeting]]'''<br />
<br />
'''Jan 25 (14:30h) - [[Italy#October_25th.2C_2007_-_Isaca_Rome|Italy@ISACA Rome]]'''<br />
<br />
'''Jan 24 (17:30h) - [[Israel#6th_OWASP_IL_meeting:_Wednesday.2C_January_24th_2007|6th OWASP Israel chapter meeting]]'''<br />
<br />
'''Jan 23 (18:00h) - [[Belgium|Belgium chapter meeting]]'''<br />
<br />
'''Jan 22 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Jan 17 (18:30h) - [[Denver|Denver chapter meeting]]'''<br />
<br />
'''Jan 16 (17:45h) - [[Edmonton|Edmonton chapter meeting]]'''<br />
<br />
'''Jan 11 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
'''Jan 11 (18:30h) - [[Phoenix|Phoenix chapter meeting]]'''<br />
<br />
'''Jan 11 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Jan 10 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Jan 8 (18:00h) - [[Seattle|Seattle chapter meeting]]'''<br />
<br />
'''Jan 3 (18:30h) - [[Boston|Boston chapter meeting]]'''</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver_January_2007_meeting&diff=16518Denver January 2007 meeting2007-02-18T18:04:15Z<p>Davidribyrne@yahoo.com: New page: == January 2007 Meeting == The next meeting will be on January 17, 6:30PM at EchoStar Satellite's headquarters south of the DTC. The classroom we are meeting in can easily hold 50 people;...</p>
<hr />
<div>== January 2007 Meeting ==<br />
<br />
The next meeting will be on January 17, 6:30PM at EchoStar Satellite's headquarters south of the DTC. The classroom we are meeting in can easily hold 50 people; far more if we crowd in. This should make for more breathing room than last month. If you think you may attend, please RSVP to [david.byrne@echostar.com] with your name and company. Directions can be found [http://maps.google.com/maps?f=d&hl=en&saddr=I-25+(N)+%26+E+Lincoln+Ave,+Parker,+CO+80134&daddr=9601+S.+Meridian+Blvd+Englewood,+co+80112&ie=UTF8&sll=39.54211,-104.86157&sspn=0.022107,0.058365&z=14&om=1 here]. Come to the main entrance and tell the security guard you are with the OWASP meeting. If you get lost, call David Byrne at (desk) 720-514-5675 or (cell) 303-912-2612.<br />
<br />
Michael Walter will be giving a presentation on security in the SDLC and David Ferguson with [http://www.fishnetsecurity.com/ FishNet Security] (and the leader of the Kansas City OWASP chapter) will be presenting on session managment and web services.<br />
<br />
The [http://www.southseascorp.com/ South Seas Corporation] will be providing food & drink.</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=16517Denver2007-02-18T18:03:59Z<p>Davidribyrne@yahoo.com: /* Past Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** AJAX<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacksCommon mistakes and best practices for<br />
* Authentication: single-sign-on, identity managment, LDAP injection attacks, etc<br />
* Payment Card Industry (PCI) compliance, relating to web apps<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
* Return on Security Investment (ROSI) calculations<br />
<br />
== February 2007 Meeting ==<br />
<br />
The next meeting will be on February 21, 6:30PM at EchoStar Satellite's headquarters south of the DTC. If you think you may attend, please RSVP to [david.byrne@echostar.com] with your name and company. Directions can be found [http://maps.google.com/maps?f=d&hl=en&saddr=I-25+(N)+%26+E+Lincoln+Ave,+Parker,+CO+80134&daddr=9601+S.+Meridian+Blvd+Englewood,+co+80112&ie=UTF8&sll=39.54211,-104.86157&sspn=0.022107,0.058365&z=14&om=1 here]. Come to the main entrance and tell the security guard you are with the OWASP meeting. If you get lost, call David Byrne at (desk) 720-514-5675 or (cell) 303-912-2612.<br />
<br />
Buck Watia from [http://www.verisign.com/ Verisign] will be presenting on Advanced SQL Injection. <br />
<br />
[http://www.fishnetsecurity.com/ FishNet Security] will be providing food & drink.<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver November 2006 meeting|November 2006]]<br />
<br />
[[Denver January 2007 meeting|January 2007]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=Denver&diff=16516Denver2007-02-18T18:03:39Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>{{Chapter Template|chaptername=Denver|extra=The chapter leaders are [mailto:davidribyrne@yahoo.com David Byrne] and [mailto:owasp@justplainpix.com Andy Lewis]. |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-denver|emailarchives=http://lists.owasp.org/pipermail/owasp-denver}}<br />
<br />
== Future Meetings == <br />
Below is a list of potential topics for future meetings. If you are interested in presenting, or at least contributing to the content of a presentation on any topic, please send [mailto:davidribyrne@yahoo.com David Byrne] an e-mail. Feel free to submit ideas for other topics as well.<br />
<br />
* Common security mistakes and best practices for<br />
** AJAX<br />
** .Net<br />
** J2EE<br />
* Performing security-oriented code reviews<br />
* HTTP message spliting attacksCommon mistakes and best practices for<br />
* Authentication: single-sign-on, identity managment, LDAP injection attacks, etc<br />
* Payment Card Industry (PCI) compliance, relating to web apps<br />
* Sarbanes Oxley (SOX) compliance, relating to web apps<br />
* Return on Security Investment (ROSI) calculations<br />
<br />
== February 2007 Meeting ==<br />
<br />
The next meeting will be on February 21, 6:30PM at EchoStar Satellite's headquarters south of the DTC. If you think you may attend, please RSVP to [david.byrne@echostar.com] with your name and company. Directions can be found [http://maps.google.com/maps?f=d&hl=en&saddr=I-25+(N)+%26+E+Lincoln+Ave,+Parker,+CO+80134&daddr=9601+S.+Meridian+Blvd+Englewood,+co+80112&ie=UTF8&sll=39.54211,-104.86157&sspn=0.022107,0.058365&z=14&om=1 here]. Come to the main entrance and tell the security guard you are with the OWASP meeting. If you get lost, call David Byrne at (desk) 720-514-5675 or (cell) 303-912-2612.<br />
<br />
Buck Watia from [http://www.verisign.com/ Verisign] will be presenting on Advanced SQL Injection. <br />
<br />
[http://www.fishnetsecurity.com/ FishNet Security] will be providing food & drink.<br />
<br />
== Past Meetings ==<br />
<br />
[[Denver November 2006 meeting|November 2006]]<br />
[[Denver January 2007 meeting|January 2007]]</div>Davidribyrne@yahoo.comhttps://wiki.owasp.org/index.php?title=SQL_Injection_Cookbook_-_MSSQL&diff=15463SQL Injection Cookbook - MSSQL2007-01-17T01:08:58Z<p>Davidribyrne@yahoo.com: </p>
<hr />
<div>__TOC__<br />
=Database objects=<br />
==Tables==<br />
===List table names===<br />
===List columns for a specific table===<br />
===View table permissions===<br />
===Change table permissions===<br />
===Create a table===<br />
<br />
==Stored procedures or functions==<br />
===List stored procedures or functions===<br />
===Parameters for a stored procedure or function===<br />
===Source code of a stored procedure or function===<br />
===Create a stored procedure or function===<br />
<br />
<br />
=System data=<br />
==Users==<br />
===Identify current user===<br />
===List of database users===<br />
===List of database administrators===<br />
===Database user permissions===<br />
===Create a new user===<br />
===Change a user password===<br />
===Delete a user===<br />
<br />
==Database server==<br />
===View database server settings===<br />
===Change database server settings===<br />
===View database server processes===<br />
===Kill database server process===<br />
<br />
==Host Operating System==<br />
===Operating System version===<br />
===OS environment variables===<br />
===Execute OS shell command===<br />
===Read file contents===<br />
===Arbitrary file writes===<br />
===File uploads===<br />
<br />
<br />
=Queries=<br />
==Strings==<br />
===Valid string delimiters===<br />
===String concatenation===<br />
===String-based queries with no quote characters===<br />
<br />
==Query syntax==<br />
===Result row count limiters===<br />
===Acceptable whitespace===<br />
===Tableless queries===<br />
===Query comments===<br />
===Command delimiters===<br />
===Set operators===<br />
Set operators are used to combine the results from two different queries. The number of columns and order of column types must be identical for both queries. The general syntax is<br />
<br />
SELECT<br />
fname, lname<br />
FROM<br />
employees<br />
'''''SET_OPERATOR'''''<br />
SELECT<br />
fname, lname<br />
FROM<br />
customers<br />
<br />
==Special queries==<br />
===Single column queries===<br />
===Single row queries===<br />
<br />
==Functions, etc.==<br />
===Data type casting===<br />
===Query output to file===<br />
<br />
=Attacks=<br />
==Breaking out of a query==<br />
===WHERE clauses===<br />
===FROM clauses===<br />
===Other parts of a SELECT===<br />
===INSERT statements===<br />
===UPDATE statements===<br />
<br />
==Inference and timing attacks==<br />
==SQL Tautologies==<br />
A tautology is something that is inherently true. SQL tautologies are used when you want to force a query to return all results, basically ignoring any WHERE conditionals. Simple tautologies like " OR 1=1" are useful, but may be filtered out by some security tools. The table below offers a number of tautologies that filter writers (even on well known commercial tools) may not have considered.<br />
{| style="width:75%;" border="1" cellspacing="0" cellpadding="5"<br />
! width="55%"|Statement<br />
! width="15%"|Numeric<br />
(1 = 1)<br />
! width="15%"|String<br />
('a' = 'a')<br />
! width="15%"|Binary<br />
(0x1 = 0x1)<br />
|-<br />
| '''''a''''' = '''''a'''''<br />
| align="center" | X<br />
| align="center" | X<br />
| align="center" | X<br />
|}<br />
<br />
=Data exfiltration=<br />
==E-mail==<br />
==Web==<br />
==General network==<br />
<br />
<br />
=Platform specific=<br />
==Unique database platform features==<br />
==Authoritative documentation resources==<br />
==Links==</div>Davidribyrne@yahoo.com