https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=GgeeOWASP - User contributions [en]2026-05-20T05:58:30ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Bay_Area&diff=63722Bay Area2009-06-08T01:22:02Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
==== Local News ====<br />
<paypal>Bay Area</paypal><br />
<br />
==== Chapter Meetings ====<br />
==Date and Location==<br />
<br />
OWASP Meeting<br />
Monday, June 22nd * 5:30 pm <br />
San Francisco Federal Reserve Bank Office <br />
<br />
OWASP Bay Area will host its next meeting at the Federal Reserve Bank of San Francisco on Monday, June 22nd. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
'''<br />
Please note, because of high security measures at the Federal Reserve Bank, pre-registration is REQUIRED, so you can be issued a badge before entering the meeting'''. <br />
<br />
http://www.eventbrite.com/event/355543440<br />
<br />
==Agenda==<br />
5:30 PM - 6:15 PM ... Check-in and networking<br />
6:15 PM - 7:15 PM ... Analyzing Web Malware by Jeremy Brotherton<br />
7:15 PM - 7:30 PM ... Break<br />
7:30 PM - 8:30 PM ... Mobile Device Security by Dave Maynor<br />
<br />
===Analyzing Web Malware===<br />
In its "State of Internet Security Q3/Q4 2008", Websense reported that 70% of the top 100 websites either hosted malicious content or contained a masked redirect to compromised websites. Most recently, gumblar.cn successfully injected redirects into upwards of 3,000 websites. Analyzing web-based malicious content can be time-consuming and complex. This presentation will describe several common Javascript obfuscation techniques and how to use open-source tools to reveal the exploits hidden behind them. Additionally, this presentation will describe the techniques used within the malicious Flash file which was being hosted by gumblar.cn.<br />
<br />
===Mobile Device Security===<br />
This presentation will detail auditing and development techniques for exploits that target mobile phones with a heavy emphasis on threats that come from the web. Windows mobile and Google Android devices that will target the auditing and exploit discovery.<br />
<br />
==About the Speakers==<br />
===Jeremy Brotherton===<br />
Jeremy graduated from Iowa State University in 2006 with a Bachelor’s degree in Computer Engineering with an emphasis in Information Assurance. Currently, he is pursuing a Master’s degree in Computer Science at Stanford specializing in Computer and Network Security. Research interests include web-based malware and exploits, Intrusion Detection Systems and Forensics. <br />
<br />
===Dave Maynor===<br />
Mr. Maynor has a strong background in application security, reverse engineering and exploit development. Before joining Accuvant, Dave cofounded Errata Security - a think tank organization that specializes in rapid application development and security research. Prior to Errata, Dave was the Senior Researcher for Secureworks and a research engineer with the ISS X-Force R&D team. A well recognized personality in the information security world, Dave is a popular author and has been featured in multiple publications over the last several years including Fox News, CNN, the Associated Press, Security Focus and a multitude of other information security news sources. Dave has been both a primary and contributing author to several industry leading security books including: Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research, Syngress Force Emerging Threat Analysis: From Mischief to Malicious, and War Driving and Wireless Penetration Testing.<br />
<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
http://www.eventbrite.com/event/355543440<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
==== Bay Area OWASP Chapter Leaders ====<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
__NOTOC__<br />
<headertabs/></div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=63721Bay Area2009-06-08T01:14:29Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
==== Local News ====<br />
<paypal>Bay Area</paypal><br />
<br />
==== Chapter Meetings ====<br />
==Date and Location==<br />
<br />
OWASP Meeting<br />
Monday, June 22nd * 5:30 pm <br />
San Francisco Federal Reserve Bank Office <br />
<br />
OWASP Bay Area will host its next meeting at the Federal Reserve Bank of San Francisco on Monday, June 22nd. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
'''<br />
Please note, because of high security measures at the Federal Reserve Bank, pre-registration is REQUIRED, so you can be issued a badge before entering the meeting'''. <br />
<br />
http://www.eventbrite.com/event/355543440<br />
<br />
==Agenda==<br />
5:30 PM - 6:15 PM ... Check-in and networking<br />
6:15 PM - 7:15 PM ... Analyzing Web Malware by Jeremy Brotherton<br />
7:15 PM - 7:30 PM ... Break<br />
7:30 PM - 8:30 PM ... Mobile Device Security by Dave Maynor<br />
<br />
==Presentations==<br />
===Analyzing Web Malware===<br />
In its "State of Internet Security Q3/Q4 2008", Websense reported that 70% of the top 100 websites either hosted malicious content or contained a masked redirect to compromised websites. Most recently, gumblar.cn successfully injected redirects into upwards of 3,000 websites. Analyzing web-based malicious content can be time-consuming and complex. This presentation will describe several common Javascript obfuscation techniques and how to use open-source tools to reveal the exploits hidden behind them. Additionally, this presentation will describe the techniques used within the malicious Flash file which was being hosted by gumblar.cn.<br />
<br />
===Mobile Device Security===<br />
This presentation will detail auditing and development techniques for exploits that target mobile phones with a heavy emphasis on threats that come from the web. Windows mobile and Google Android devices that will target the auditing and exploit discovery.<br />
<br />
==Speakers==<br />
===Jeremy Brotherton===<br />
Jeremy graduated from Iowa State University in 2006 with a Bachelor’s degree in Computer Engineering with an emphasis in Information Assurance. Currently, he is pursuing a Master’s degree in Computer Science at Stanford specializing in Computer and Network Security. Research interests include web-based malware and exploits, Intrusion Detection Systems and Forensics. <br />
<br />
===Dave Maynor===<br />
Mr. Maynor has a strong background in application security, reverse engineering and exploit development. Before joining Accuvant, Dave cofounded Errata Security - a think tank organization that specializes in rapid application development and security research. Prior to Errata, Dave was the Senior Researcher for Secureworks and a research engineer with the ISS X-Force R&D team. A well recognized personality in the information security world, Dave is a popular author and has been featured in multiple publications over the last several years including Fox News, CNN, the Associated Press, Security Focus and a multitude of other information security news sources. Dave has been both a primary and contributing author to several industry leading security books including: Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research, Syngress Force Emerging Threat Analysis: From Mischief to Malicious, and War Driving and Wireless Penetration Testing.<br />
<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
http://www.eventbrite.com/event/355543440<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
==== Bay Area OWASP Chapter Leaders ====<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
__NOTOC__<br />
<headertabs/></div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=63720Bay Area2009-06-08T01:12:38Z<p>Ggee: /* Speakers */</p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
==== Local News ====<br />
<paypal>Bay Area</paypal><br />
<br />
==== Chapter Meetings ====<br />
==Date and Location==<br />
<br />
OWASP Meeting<br />
Monday, June 22nd * 5:30 pm <br />
San Francisco Federal Reserve Bank Office <br />
<br />
OWASP Bay Area will host its next meeting at the Federal Reserve Bank of San Francisco on Monday, June 22nd. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
'''<br />
Please note, because of high security measures at the Federal Reserve Bank, pre-registration is REQUIRED, so you can be issued a badge before entering the meeting'''. <br />
<br />
http://www.eventbrite.com/event/355543440<br />
<br />
==Agenda==<br />
5:30 PM - 6:15 PM ... Check-in and networking<br />
6:15 PM - 7:15 PM ... Analyzing Web Malware by Jeremy Brotherton<br />
7:15 PM - 7:30 PM ... Break<br />
7:30 PM - 8:30 PM ... Mobile Device Security by Dave Maynor<br />
<br />
==Speakers==<br />
=Jeremy Brotherton=<br />
Jeremy graduated from Iowa State University in 2006 with a Bachelor’s degree in Computer Engineering with an emphasis in Information Assurance. Currently, he is pursuing a Master’s degree in Computer Science at Stanford specializing in Computer and Network Security. Research interests include web-based malware and exploits, Intrusion Detection Systems and Forensics. <br />
<br />
=Dave Maynor=<br />
Mr. Maynor has a strong background in application security, reverse engineering and exploit development. Before joining Accuvant, Dave cofounded Errata Security - a think tank organization that specializes in rapid application development and security research. Prior to Errata, Dave was the Senior Researcher for Secureworks and a research engineer with the ISS X-Force R&D team. A well recognized personality in the information security world, Dave is a popular author and has been featured in multiple publications over the last several years including Fox News, CNN, the Associated Press, Security Focus and a multitude of other information security news sources. Dave has been both a primary and contributing author to several industry leading security books including: Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research, Syngress Force Emerging Threat Analysis: From Mischief to Malicious, and War Driving and Wireless Penetration Testing.<br />
<br />
Presentation - Analyzing Web Malware<br />
In its "State of Internet Security Q3/Q4 2008", Websense reported that 70% of the top 100 websites either hosted malicious content or contained a masked redirect to compromised websites. Most recently, gumblar.cn successfully injected redirects into upwards of 3,000 websites. Analyzing web-based malicious content can be time-consuming and complex. This presentation will describe several common Javascript obfuscation techniques and how to use open-source tools to reveal the exploits hidden behind them. Additionally, this presentation will describe the techniques used within the malicious Flash file which was being hosted by gumblar.cn.<br />
<br />
<br />
Presentation - Mobile Device Security<br />
This presentation will detail auditing and development techniques for exploits that target mobile phones with a heavy emphasis on threats that come from the web. Windows mobile and Google Android devices that will target the auditing and exploit discovery.<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
http://www.eventbrite.com/event/355543440<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
==== Bay Area OWASP Chapter Leaders ====<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
__NOTOC__<br />
<headertabs/></div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=63719Bay Area2009-06-08T01:11:23Z<p>Ggee: /* Agenda */</p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
==== Local News ====<br />
<paypal>Bay Area</paypal><br />
<br />
==== Chapter Meetings ====<br />
==Date and Location==<br />
<br />
OWASP Meeting<br />
Monday, June 22nd * 5:30 pm <br />
San Francisco Federal Reserve Bank Office <br />
<br />
OWASP Bay Area will host its next meeting at the Federal Reserve Bank of San Francisco on Monday, June 22nd. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
'''<br />
Please note, because of high security measures at the Federal Reserve Bank, pre-registration is REQUIRED, so you can be issued a badge before entering the meeting'''. <br />
<br />
http://www.eventbrite.com/event/355543440<br />
<br />
==Agenda==<br />
5:30 PM - 6:15 PM ... Check-in and networking<br />
6:15 PM - 7:15 PM ... Analyzing Web Malware by Jeremy Brotherton<br />
7:15 PM - 7:30 PM ... Break<br />
7:30 PM - 8:30 PM ... Mobile Device Security by Dave Maynor<br />
<br />
==Speakers==<br />
Jeremy Brotherton<br />
Jeremy graduated from Iowa State University in 2006 with a Bachelor’s degree in Computer Engineering with an emphasis in Information Assurance. Currently, he is pursuing a Master’s degree in Computer Science at Stanford specializing in Computer and Network Security. Research interests include web-based malware and exploits, Intrusion Detection Systems and Forensics. <br />
<br />
Presentation - Analyzing Web Malware<br />
In its "State of Internet Security Q3/Q4 2008", Websense reported that 70% of the top 100 websites either hosted malicious content or contained a masked redirect to compromised websites. Most recently, gumblar.cn successfully injected redirects into upwards of 3,000 websites. Analyzing web-based malicious content can be time-consuming and complex. This presentation will describe several common Javascript obfuscation techniques and how to use open-source tools to reveal the exploits hidden behind them. Additionally, this presentation will describe the techniques used within the malicious Flash file which was being hosted by gumblar.cn.<br />
<br />
Dave Maynor<br />
Mr. Maynor has a strong background in application security, reverse engineering and exploit development. Before joining Accuvant, Dave cofounded Errata Security - a think tank organization that specializes in rapid application development and security research. Prior to Errata, Dave was the Senior Researcher for Secureworks and a research engineer with the ISS X-Force R&D team. A well recognized personality in the information security world, Dave is a popular author and has been featured in multiple publications over the last several years including Fox News, CNN, the Associated Press, Security Focus and a multitude of other information security news sources. Dave has been both a primary and contributing author to several industry leading security books including: Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research, Syngress Force Emerging Threat Analysis: From Mischief to Malicious, and War Driving and Wireless Penetration Testing.<br />
<br />
Presentation - Mobile Device Security<br />
This presentation will detail auditing and development techniques for exploits that target mobile phones with a heavy emphasis on threats that come from the web. Windows mobile and Google Android devices that will target the auditing and exploit discovery.<br />
<br />
<br />
<br />
<br />
<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
http://www.eventbrite.com/event/355543440<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
==== Bay Area OWASP Chapter Leaders ====<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
__NOTOC__<br />
<headertabs/></div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=63718Bay Area2009-06-08T01:10:59Z<p>Ggee: /* Bold text=Date and Location= */</p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
==== Local News ====<br />
<paypal>Bay Area</paypal><br />
<br />
==== Chapter Meetings ====<br />
==Date and Location==<br />
<br />
OWASP Meeting<br />
Monday, June 22nd * 5:30 pm <br />
San Francisco Federal Reserve Bank Office <br />
<br />
OWASP Bay Area will host its next meeting at the Federal Reserve Bank of San Francisco on Monday, June 22nd. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
'''<br />
Please note, because of high security measures at the Federal Reserve Bank, pre-registration is REQUIRED, so you can be issued a badge before entering the meeting'''. <br />
<br />
http://www.eventbrite.com/event/355543440<br />
<br />
==Agenda==<br />
5:30 PM - 6:15 PM ... Check-in and networking<br />
6:15 PM - 7:15 PM ... Analyzing Web Malware by Jeremy Brotherton<br />
7:15 PM - 7:30 PM ... Break<br />
7:30 PM - 8:30 PM ... Mobile Device Security by Dave Maynor <br />
<br />
==Speakers==<br />
Jeremy Brotherton<br />
Jeremy graduated from Iowa State University in 2006 with a Bachelor’s degree in Computer Engineering with an emphasis in Information Assurance. Currently, he is pursuing a Master’s degree in Computer Science at Stanford specializing in Computer and Network Security. Research interests include web-based malware and exploits, Intrusion Detection Systems and Forensics. <br />
<br />
Presentation - Analyzing Web Malware<br />
In its "State of Internet Security Q3/Q4 2008", Websense reported that 70% of the top 100 websites either hosted malicious content or contained a masked redirect to compromised websites. Most recently, gumblar.cn successfully injected redirects into upwards of 3,000 websites. Analyzing web-based malicious content can be time-consuming and complex. This presentation will describe several common Javascript obfuscation techniques and how to use open-source tools to reveal the exploits hidden behind them. Additionally, this presentation will describe the techniques used within the malicious Flash file which was being hosted by gumblar.cn.<br />
<br />
Dave Maynor<br />
Mr. Maynor has a strong background in application security, reverse engineering and exploit development. Before joining Accuvant, Dave cofounded Errata Security - a think tank organization that specializes in rapid application development and security research. Prior to Errata, Dave was the Senior Researcher for Secureworks and a research engineer with the ISS X-Force R&D team. A well recognized personality in the information security world, Dave is a popular author and has been featured in multiple publications over the last several years including Fox News, CNN, the Associated Press, Security Focus and a multitude of other information security news sources. Dave has been both a primary and contributing author to several industry leading security books including: Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research, Syngress Force Emerging Threat Analysis: From Mischief to Malicious, and War Driving and Wireless Penetration Testing.<br />
<br />
Presentation - Mobile Device Security<br />
This presentation will detail auditing and development techniques for exploits that target mobile phones with a heavy emphasis on threats that come from the web. Windows mobile and Google Android devices that will target the auditing and exploit discovery.<br />
<br />
<br />
<br />
<br />
<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
http://www.eventbrite.com/event/355543440<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
==== Bay Area OWASP Chapter Leaders ====<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
__NOTOC__<br />
<headertabs/></div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=55499Bay Area2009-02-25T21:39:16Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
<paypal>Bay Area</paypal><br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''March 18th @ 6PM - Gap Inc'''<br />
Conference Center C<br />
2 Folsom Street,<br />
San Francisco , CA 94105<br />
<br />
OWASP Bay Area will host its next meeting at Gap Inc in San Francisco on Wednesday, March 18th. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
Special thanks to Gap Inc for hosting this event and to ___, ___ for sponsoring.<br />
<br />
==Agenda==<br />
5:45 PM - 6:15 PM ... Check-in and registration<br />
6:15 PM - 7:15 PM ... Back to the Future - Phishing and Malware by Brendan O’Conner, Saleforce.com<br />
7:15 PM - 7:30 PM ... Break<br />
7:30 PM - 8:30 PM ... Testing Methodologies: White-box, Gray-Box, Black-box or Something Else by Kirk Greene, Accuvant<br />
<br />
==Speakers==<br />
<br />
'''Back to the Future - Phishing and Malware''' by Brendan O’Conner, Saleforce.com<br />
<br />
Abstract: The more things change, the more they stay the same. We'll take a trip back in time to look at the phishing and anti-malware solutions of the past. Why did they fail? With companies investing hundreds of thousands of dollars or more in these solutions, what does the future of this space look like and what tricks can you apply to stay one step ahead?<br />
<br />
Bio: Brendan O'Connor is originally from the Midwest , currently residing in the Bay Area as a security engineer . He worked in security for a communications company for four years before switching to the financial sector in 2004 and onto Software as a Service in 2008. Brendan currently works on the Product Security team at Salesforce.com, where his duties include vulnerability research, security architecture, and application security.<br />
<br />
'''Testing Methodologies: White-box, Gray-Box, Black-box or Something Else''' by Kirk Greene, Accuvant<br />
<br />
Abstract: In this presentation we will discuss the different testing methodologies used when assessing the security of both binary applications as well as web-based applications. We will focus on the differences and advantages as they relate to black-box testing, white-box testing, gray-box testing, reverse engineering, and fuzzing. Unfortunately there is no one testing methodology that provides the best balance of time and accuracy for every application, in this talk we will provide metrics for helping decide what methodology should be used for what types of applications.<br />
<br />
Bio: Kirk has been providing security consulting services for over a decade. Through that time Kirk has served clients in a variety of industries including federal and local government, healthcare, financial services, telecommunications, e-Commerce, fuel and natural gases, manufacturing, application service providers, gaming, Internet start-ups, and Internet service providers. In his tenure with Accuvant, Kirk has performed a variety of consulting and managerial responsibilities from developing and performing financial institution regulation audits to managing performing enterprise assessments for multi-national corporations. Kirk is a Certified Information Systems Security Professional (CISSP), ISS Certified Engineer, PCI Qualified Data Security Professional (QDSP), Qualified Payment Application Security Professional (QPASP).<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
Please RSVP at http://bayareaowasp.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
[[Category:California]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=55498Bay Area2009-02-25T21:37:57Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
<paypal>Bay Area</paypal><br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''March 18th @ 6PM - Gap Inc'''<br />
Conference Center C<br />
2 Folsom Street,<br />
San Francisco , CA 94105<br />
<br />
OWASP Bay Area will host its next meeting at Gap Inc in San Francisco on Wednesday, March 18th. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
Special thanks to Gap Inc for hosting this event and to ___, ___ for sponsoring.<br />
<br />
==Agenda==<br />
6:00 PM - 6:45 PM ... Check-in and registration<br />
6:45 PM - 7:45 PM ... Back to the Future - Phishing and Malware by Brendan O’Conner, Saleforce.com<br />
7:45 PM - 8:00 PM ... Break<br />
8:00 PM - 9:00 PM ... Testing Methodologies: White-box, Gray-Box, Black-box or Something Else by Kirk Greene, Accuvant<br />
<br />
==Speakers==<br />
<br />
'''Back to the Future - Phishing and Malware''' by Brendan O’Conner, Saleforce.com<br />
<br />
Abstract: The more things change, the more they stay the same. We'll take a trip back in time to look at the phishing and anti-malware solutions of the past. Why did they fail? With companies investing hundreds of thousands of dollars or more in these solutions, what does the future of this space look like and what tricks can you apply to stay one step ahead?<br />
<br />
Bio: Brendan O'Connor is originally from the Midwest , currently residing in the Bay Area as a security engineer . He worked in security for a communications company for four years before switching to the financial sector in 2004 and onto Software as a Service in 2008. Brendan currently works on the Product Security team at Salesforce.com, where his duties include vulnerability research, security architecture, and application security.<br />
<br />
'''Testing Methodologies: White-box, Gray-Box, Black-box or Something Else''' by Kirk Greene, Accuvant<br />
<br />
Abstract: In this presentation we will discuss the different testing methodologies used when assessing the security of both binary applications as well as web-based applications. We will focus on the differences and advantages as they relate to black-box testing, white-box testing, gray-box testing, reverse engineering, and fuzzing. Unfortunately there is no one testing methodology that provides the best balance of time and accuracy for every application, in this talk we will provide metrics for helping decide what methodology should be used for what types of applications.<br />
<br />
Bio: Kirk has been providing security consulting services for over a decade. Through that time Kirk has served clients in a variety of industries including federal and local government, healthcare, financial services, telecommunications, e-Commerce, fuel and natural gases, manufacturing, application service providers, gaming, Internet start-ups, and Internet service providers. In his tenure with Accuvant, Kirk has performed a variety of consulting and managerial responsibilities from developing and performing financial institution regulation audits to managing performing enterprise assessments for multi-national corporations. Kirk is a Certified Information Systems Security Professional (CISSP), ISS Certified Engineer, PCI Qualified Data Security Professional (QDSP), Qualified Payment Application Security Professional (QPASP).<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
Please RSVP at http://bayareaowasp.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
[[Category:California]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area_Past_Events&diff=55420Bay Area Past Events2009-02-25T06:08:45Z<p>Ggee: </p>
<hr />
<div>This is an archive page of all the Bay Area OWASP past events. The chapter home is at [[Bay Area]]. <br />
<br />
*2009-03-18<br />
**Location: Gap Inc, Conference Center C, 2 Folsom Street, San Francisco, CA 94105<br />
**Speaker: Brendan O’Conner: Back to the Future - Phishing and Malware<br />
**Speaker: Kirk Greene: Testing Methodologies: White-box, Gray-Box, Black-box or Something Else<br />
<br />
*2008-12-11<br />
**Location: Network Meeting Center, TechMart Center, 5201 Great America Parkway, Santa Clara, CA 95054 <br />
**Speaker: Brian Shura: Protecting Website Users from Each Other<br />
**Speaker: Trey Ford: Making Money the Black Hat Way<br />
<br />
*2008-06-25<br />
**Location: Microsoft, 1065 La Avenida St, Mountain View, CA 94043<br />
**[https://www.owasp.org/index.php/Image:OWASP-BayArea-June08.pdf All Presentations] | [https://www.owasp.org/index.php/Image:BayArea-June08-Evaluation.Data.zip Evaluation Data]<br />
**Speaker: Mandeep Khera: Overview of the OWASP Bay Area Chapter<br />
**Speaker: Dr. Chenxi Wang: Consumerization of enterprises<br />
**Speaker: Collin Jackson: Cross-Site Request Forgery<br />
**Speaker: Tom Stracener: Google Gadget Security<br />
**Speaker: Neil Daswani: How Cybercriminals Steal Money<br />
<br />
*2008-02-21<br />
**Location: Robert Half International, 5720 Stoneridge Dr, Pleasanton CA 94588<br />
**Speaker: Kurt Grutzmacher: [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf Your Client-Side Security Sucks. Stop Using It.]<br />
**Speaker: Eric Rachner: [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf NTLM attacks and countermeasures]<br />
<br />
*2008-01-24<br />
**Location: PG&E,245 Market Street, San Francisco, CA 94105<br />
**Speaker: Erick Lee, Adobe Systems: Securing Flash® & Flex® Applications<br />
**Speaker: Jim Cowing, Digital Resource Group: Application Security and PCI Compliance<br />
<br />
*2007-12-13<br />
**Location: Stanford University Alumni Association Center, 326 Galvez Street, Stanford, CA 94305<br />
**Speaker: Niels Provos, Google: Ghosts in the Browser<br/><br />
**Speaker: Adam Barth & Collin Jackson, Stanford University: Ph.D. Student Presentations<br/><br />
**Sponsors: Cenzic and AppSec Consulting</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area_Past_Events&diff=55419Bay Area Past Events2009-02-25T06:07:25Z<p>Ggee: </p>
<hr />
<div>This is an archive page of all the Bay Area OWASP past events. The chapter home is at [[Bay Area]]. <br />
<br />
*2008-12-11<br />
**Location: Network Meeting Center, TechMart Center, 5201 Great America Parkway, Santa Clara, CA 95054 <br />
**Speaker: Brian Shura: Protecting Website Users from Each Other<br />
**Speaker: Trey Ford: Making Money the Black Hat Way<br />
<br />
*2008-06-25<br />
**Location: Microsoft, 1065 La Avenida St, Mountain View, CA 94043<br />
**[https://www.owasp.org/index.php/Image:OWASP-BayArea-June08.pdf All Presentations] | [https://www.owasp.org/index.php/Image:BayArea-June08-Evaluation.Data.zip Evaluation Data]<br />
**Speaker: Mandeep Khera: Overview of the OWASP Bay Area Chapter<br />
**Speaker: Dr. Chenxi Wang: Consumerization of enterprises<br />
**Speaker: Collin Jackson: Cross-Site Request Forgery<br />
**Speaker: Tom Stracener: Google Gadget Security<br />
**Speaker: Neil Daswani: How Cybercriminals Steal Money<br />
<br />
*2008-02-21<br />
**Location: Robert Half International, 5720 Stoneridge Dr, Pleasanton CA 94588<br />
**Speaker: Kurt Grutzmacher: [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf Your Client-Side Security Sucks. Stop Using It.]<br />
**Speaker: Eric Rachner: [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf NTLM attacks and countermeasures]<br />
<br />
*2008-01-24<br />
**Location: PG&E,245 Market Street, San Francisco, CA 94105<br />
**Speaker: Erick Lee, Adobe Systems: Securing Flash® & Flex® Applications<br />
**Speaker: Jim Cowing, Digital Resource Group: Application Security and PCI Compliance<br />
<br />
*2007-12-13<br />
**Location: Stanford University Alumni Association Center, 326 Galvez Street, Stanford, CA 94305<br />
**Speaker: Niels Provos, Google: Ghosts in the Browser<br/><br />
**Speaker: Adam Barth & Collin Jackson, Stanford University: Ph.D. Student Presentations<br/><br />
**Sponsors: Cenzic and AppSec Consulting</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=55418Bay Area2009-02-25T06:01:19Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
<paypal>Bay Area</paypal><br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''March 18th @ 6PM - Gap Inc'''<br />
Conference Center C<br />
2 Folsom Street,<br />
San Francisco , CA 94105<br />
<br />
OWASP Bay Area will host its next meeting at Gap Inc in San Francisco on Wednesday, March 18th. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
Special thanks to Gap Inc for hosting this event and to ___, ___ for sponsoring.<br />
<br />
==Agenda==<br />
6:00 PM - 6:45 PM ... Check-in and registration<br />
6:45 PM - 7:45 PM ... Back to the Future - Phishing and Malware by Brendan O’Conner, Saleforce.com<br />
7:45 PM - 8:00 PM ... Break<br />
8:00 PM - 9:00 PM ... Testing Methodologies: White-box, Gray-Box, Black-box or Something Else by Kirk Greene, Accuvant<br />
<br />
==Speakers==<br />
<br />
'''Back to the Future - Phishing and Malware''' by Brendan O’Conner, Saleforce.com<br />
<br />
Abstract: The more things change, the more they stay the same. We'll take a trip back in time to look at the phishing and anti-malware solutions of the past. Why did they fail? With companies investing hundreds of thousands of dollars or more in these solutions, what does the future of this space look like and what tricks can you apply to stay one step ahead?<br />
<br />
Bio: Brendan O'Connor is originally from the Midwest , currently residing in the Bay Area as a security engineer . He worked in security for a communications company for four years before switching to the financial sector in 2004 and onto Software as a Service in 2008. Brendan currently works on the Product Security team at Salesforce.com, where his duties include vulnerability research, security architecture, and application security.<br />
<br />
'''Testing Methodologies: White-box, Gray-Box, Black-box or Something Else''' by Kirk Greene, Accuvant<br />
<br />
Abstract: In this presentation we will discuss the different testing methodologies used when assessing the security of both binary applications as well as web-based applications. We will focus on the differences and advantages as they relate to black-box testing, white-box testing, gray-box testing, reverse engineering, and fuzzing. Unfortunately there is no one testing methodology that provides the best balance of time and accuracy for every application, in this talk we will provide metrics for helping decide what methodology should be used for what types of applications.<br />
<br />
Bio: Kirk has been providing security consulting services for over a decade. Through that time Kirk has served clients in a variety of industries including federal and local government, healthcare, financial services, telecommunications, e-Commerce, fuel and natural gases, manufacturing, application service providers, gaming, Internet start-ups, and Internet service providers. In his tenure with Accuvant, Kirk has performed a variety of consulting and managerial responsibilities from developing and performing financial institution regulation audits to managing performing enterprise assessments for multi-national corporations. Kirk is a Certified Information Systems Security Professional (CISSP), ISS Certified Engineer, PCI Qualified Data Security Professional (QDSP), Qualified Payment Application Security Professional (QPASP).<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
Please RSVP at http://owaspbajune2008.eventbrite.com <br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
[[Category:California]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=55417Bay Area2009-02-25T06:00:47Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
<paypal>Bay Area</paypal><br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''March 18th @ 6PM - Gap Inc'''<br />
Conference Center C<br />
2 Folsom Street,<br />
San Francisco , CA 94105<br />
<br />
OWASP Bay Area will host its next meeting at Gap Inc in San Francisco on Wednesday, March 18th. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
Special thanks to Gap Inc for hosting this event and to ___, ___ for sponsoring.<br />
<br />
==Agenda==<br />
6:15 PM - 6:45 PM ... Check-in and registration<br />
6:45 PM - 7:45 PM ... Back to the Future - Phishing and Malware by Brendan O’Conner, Saleforce.com<br />
7:45 PM - 8:00 PM ... Break<br />
8:00 PM - 9:00 PM ... Testing Methodologies: White-box, Gray-Box, Black-box or Something Else by Kirk Greene, Accuvant<br />
<br />
==Speakers==<br />
<br />
'''Back to the Future - Phishing and Malware''' by Brendan O’Conner, Saleforce.com<br />
<br />
Abstract: The more things change, the more they stay the same. We'll take a trip back in time to look at the phishing and anti-malware solutions of the past. Why did they fail? With companies investing hundreds of thousands of dollars or more in these solutions, what does the future of this space look like and what tricks can you apply to stay one step ahead?<br />
<br />
Bio: Brendan O'Connor is originally from the Midwest , currently residing in the Bay Area as a security engineer . He worked in security for a communications company for four years before switching to the financial sector in 2004 and onto Software as a Service in 2008. Brendan currently works on the Product Security team at Salesforce.com, where his duties include vulnerability research, security architecture, and application security.<br />
<br />
'''Testing Methodologies: White-box, Gray-Box, Black-box or Something Else''' by Kirk Greene, Accuvant<br />
<br />
Abstract: In this presentation we will discuss the different testing methodologies used when assessing the security of both binary applications as well as web-based applications. We will focus on the differences and advantages as they relate to black-box testing, white-box testing, gray-box testing, reverse engineering, and fuzzing. Unfortunately there is no one testing methodology that provides the best balance of time and accuracy for every application, in this talk we will provide metrics for helping decide what methodology should be used for what types of applications.<br />
<br />
Bio: Kirk has been providing security consulting services for over a decade. Through that time Kirk has served clients in a variety of industries including federal and local government, healthcare, financial services, telecommunications, e-Commerce, fuel and natural gases, manufacturing, application service providers, gaming, Internet start-ups, and Internet service providers. In his tenure with Accuvant, Kirk has performed a variety of consulting and managerial responsibilities from developing and performing financial institution regulation audits to managing performing enterprise assessments for multi-national corporations. Kirk is a Certified Information Systems Security Professional (CISSP), ISS Certified Engineer, PCI Qualified Data Security Professional (QDSP), Qualified Payment Application Security Professional (QPASP).<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
Please RSVP at http://owaspbajune2008.eventbrite.com <br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
[[Category:California]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=55416Bay Area2009-02-25T06:00:32Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
<paypal>Bay Area</paypal><br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''March 18th @ 6PM - Gap Inc'''<br />
Conference Center C<br />
2 Folsom Street,<br />
San Francisco , CA 94105<br />
<br />
OWASP Bay Area will host its next meeting at Gap Inc in San Francisco on Wednesday, March 18th. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
Special thanks to Gap Inc for hosting this event and to ___, ___ for sponsoring.<br />
<br />
==Agenda==<br />
6.15 PM - 6.45 PM ... Check-in and registration<br />
6:45 PM - 7:45 PM ... Back to the Future - Phishing and Malware by Brendan O’Conner, Saleforce.com<br />
7:45 PM - 8:00 PM ... Break<br />
8:00 PM - 9:00 PM ... Testing Methodologies: White-box, Gray-Box, Black-box or Something Else by Kirk Greene, Accuvant<br />
<br />
==Speakers==<br />
<br />
'''Back to the Future - Phishing and Malware''' by Brendan O’Conner, Saleforce.com<br />
<br />
Abstract: The more things change, the more they stay the same. We'll take a trip back in time to look at the phishing and anti-malware solutions of the past. Why did they fail? With companies investing hundreds of thousands of dollars or more in these solutions, what does the future of this space look like and what tricks can you apply to stay one step ahead?<br />
<br />
Bio: Brendan O'Connor is originally from the Midwest , currently residing in the Bay Area as a security engineer . He worked in security for a communications company for four years before switching to the financial sector in 2004 and onto Software as a Service in 2008. Brendan currently works on the Product Security team at Salesforce.com, where his duties include vulnerability research, security architecture, and application security.<br />
<br />
'''Testing Methodologies: White-box, Gray-Box, Black-box or Something Else''' by Kirk Greene, Accuvant<br />
<br />
Abstract: In this presentation we will discuss the different testing methodologies used when assessing the security of both binary applications as well as web-based applications. We will focus on the differences and advantages as they relate to black-box testing, white-box testing, gray-box testing, reverse engineering, and fuzzing. Unfortunately there is no one testing methodology that provides the best balance of time and accuracy for every application, in this talk we will provide metrics for helping decide what methodology should be used for what types of applications.<br />
<br />
Bio: Kirk has been providing security consulting services for over a decade. Through that time Kirk has served clients in a variety of industries including federal and local government, healthcare, financial services, telecommunications, e-Commerce, fuel and natural gases, manufacturing, application service providers, gaming, Internet start-ups, and Internet service providers. In his tenure with Accuvant, Kirk has performed a variety of consulting and managerial responsibilities from developing and performing financial institution regulation audits to managing performing enterprise assessments for multi-national corporations. Kirk is a Certified Information Systems Security Professional (CISSP), ISS Certified Engineer, PCI Qualified Data Security Professional (QDSP), Qualified Payment Application Security Professional (QPASP).<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
Please RSVP at http://owaspbajune2008.eventbrite.com <br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
[[Category:California]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=55415Bay Area2009-02-25T05:58:18Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
<paypal>Bay Area</paypal><br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''March 18th @ 6PM - Gap Inc'''<br />
Conference Center C<br />
2 Folsom Street,<br />
San Francisco , CA 94105<br />
<br />
OWASP Bay Area will host its next meeting at Gap Inc in San Francisco on Wednesday, March 18th. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
Special thanks to Gap Inc for hosting this event and to ___, ___ for sponsoring.<br />
<br />
==Agenda==<br />
1.30 PM - 2.00 PM ... Check-in and registration<br />
2:00 PM - 2:10 PM ... Overview of the OWASP Bay Area Chapter - Mandeep Khera, Bay Area Chapter Leader<br />
2:10 PM - 2:55 PM ... Consumerization of enterprises: a security conundrum – Dr. Chenxi Wang, Principal Analyst, Forrester Group<br />
2:55 PM - 3:40 PM ... Cross-Site Request Forgery- New Attacks and Defenses - Collin Jackson, PH.D. student, Stanford University<br />
3:40 PM - 4:00 PM ... Networking Break<br />
4:00 PM - 4.45 PM ... Google Gadget Security - Tom Stracener, Cenzic<br />
4:45 PM - 5:30 PM ... How Cybercriminals Steal Money - Neil Daswani, Google <br />
<br />
==Speakers==<br />
<br />
'''Back to the Future - Phishing and Malware''' by Brendan O’Conner, Saleforce.com<br />
<br />
Abstract: The more things change, the more they stay the same. We'll take a trip back in time to look at the phishing and anti-malware solutions of the past. Why did they fail? With companies investing hundreds of thousands of dollars or more in these solutions, what does the future of this space look like and what tricks can you apply to stay one step ahead?<br />
<br />
Bio: Brendan O'Connor is originally from the Midwest , currently residing in the Bay Area as a security engineer . He worked in security for a communications company for four years before switching to the financial sector in 2004 and onto Software as a Service in 2008. Brendan currently works on the Product Security team at Salesforce.com, where his duties include vulnerability research, security architecture, and application security.<br />
<br />
'''Testing Methodologies: White-box, Gray-Box, Black-box or Something Else''' by Kirk Greene, Accuvant<br />
<br />
Abstract: In this presentation we will discuss the different testing methodologies used when assessing the security of both binary applications as well as web-based applications. We will focus on the differences and advantages as they relate to black-box testing, white-box testing, gray-box testing, reverse engineering, and fuzzing. Unfortunately there is no one testing methodology that provides the best balance of time and accuracy for every application, in this talk we will provide metrics for helping decide what methodology should be used for what types of applications.<br />
<br />
Bio: Kirk has been providing security consulting services for over a decade. Through that time Kirk has served clients in a variety of industries including federal and local government, healthcare, financial services, telecommunications, e-Commerce, fuel and natural gases, manufacturing, application service providers, gaming, Internet start-ups, and Internet service providers. In his tenure with Accuvant, Kirk has performed a variety of consulting and managerial responsibilities from developing and performing financial institution regulation audits to managing performing enterprise assessments for multi-national corporations. Kirk is a Certified Information Systems Security Professional (CISSP), ISS Certified Engineer, PCI Qualified Data Security Professional (QDSP), Qualified Payment Application Security Professional (QPASP).<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
Please RSVP at http://owaspbajune2008.eventbrite.com <br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
[[Category:California]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=55414Bay Area2009-02-25T05:51:32Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
<paypal>Bay Area</paypal><br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''March 18th @ 6PM - Gap Inc'''<br />
Conference Center C<br />
2 Folsom Street,<br />
San Francisco , CA 94105<br />
<br />
OWASP Bay Area will host its '''half day Application Security Summit''' at the Microsoft Facility in Mountain View on Wednesday, June 25th. As usual attendance is free and food and beverages will be provided. '''We have some excellent speakers lined up for this and it should be an event not to be missed.''' The event is open to the public. Please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
Special thanks to Microsoft for hosting this event and to Cenzic and AppSec Consulting, Rapid7, and Imperva for sponsoring.<br />
<br />
==Agenda==<br />
1.30 PM - 2.00 PM ... Check-in and registration<br />
2:00 PM - 2:10 PM ... Overview of the OWASP Bay Area Chapter - Mandeep Khera, Bay Area Chapter Leader<br />
2:10 PM - 2:55 PM ... Consumerization of enterprises: a security conundrum – Dr. Chenxi Wang, Principal Analyst, Forrester Group<br />
2:55 PM - 3:40 PM ... Cross-Site Request Forgery- New Attacks and Defenses - Collin Jackson, PH.D. student, Stanford University<br />
3:40 PM - 4:00 PM ... Networking Break<br />
4:00 PM - 4.45 PM ... Google Gadget Security - Tom Stracener, Cenzic<br />
4:45 PM - 5:30 PM ... How Cybercriminals Steal Money - Neil Daswani, Google <br />
<br />
==Speakers==<br />
'''Consumerization of enterprises: a security conundrum''' by Dr. Chenxi Wang, Principal Analyst, Forrester Group<br />
<br />
Dr. Chenxi Wang is a principal analyst with Forrester. She leads Forrester's research in areas including content security, application security, threats and vulnerability management, and software security. Chenxi brings to Forrester years of sophisticated research experience; her previous experience includes a five-year stint as an associate research professor at Carnegie Mellon University, where she published many research papers on network security and distributed systems. <br />
<br />
Previously, Chenxi served as the chief scientist for KSR, a managed security service startup in the San Francisco bay area. Chenxi also serves as an investigative forensics expert for the Federal Trade Commission. She is the recipient of a Critical Infrastructure Protection Fellowship from the Army Research Office and the Samuel Alexander Fellowship of ACM for outstanding Ph.D. thesis research.<br />
<br />
'''Cross-Site Request Forgery- New Attacks and Defenses''' by Collin Jackson, PH.D. Student, Stanford University<br />
<br />
Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability, but none of the three major CSRF defenses are satisfactory and many web sites neglect to prevent login CSRF. In a login CSRF attack, an attacker uses the victim's browser to forge a cross-site request to the honest site's login URL, supplying the attacker's user name and password. This forged request can disrupt the integrity of the session and enable theft of confidential information.<br />
<br />
Although the HTTP Referer header could be used as an effective general CSRF defense, our experiments indicate that the header is widely blocked at the network layer due to privacy concerns. Our experimental data shows, however, that the header can be used today as a reliable CSRF defense over HTTPS, which is ideal for login CSRF prevention. For the long term, we propose the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns. Additionally, we show that a network attacker can often disrupt session integrity even when the site deploys CSRF defenses, and propose additional defenses against these identity-misbinding attacks.<br />
<br />
Collin Jackson is a fourth-year Ph.D. student in Computer Science at Stanford University. His research focuses on browser vulnerabilities, web authentication, mashups, and web application security.<br />
<br />
'''Google Gadget Security''' by Tom Stracener, Sr. Security Analyst, Cenzic<br />
<br />
Google Gadgets are HTML and Javascript applications that can be embedded in other web applications or the user's desktop (provided they are using Google Desktop). Gadget code is highly portable and can run on multiple sites or applications with few changes to the underlying code. This talk will focus on gadget security, an area where the current implementation is deeply flawed. We will examine Rsnake's XSS vulnerability in Google gadgets, consider possible attack scenarios, and also look at the reasons why Google chose not to fix this vulnerability. We take a critical look on they ways attackers can exploit the current Gadget implementation when performing attacks. This talk will provide the audience with background information for the upcoming Blackhat 2008 session "Xploiting Google Gadgets: Gmalware and Beyond" by Robert Hansen and Tom Stracener.<br />
<br />
Tom is the Senior Security Analyst for Cenzic’s CIA Labs. Mr. Stracener was one of the founding members of nCircle Network Security. While at nCircle he served as the head of vulnerability research from 1999 to 2001, developing one of the industry’s first quantitative vulnerability scoring systems, and co-inventing several patented technologies. Mr. Stracener is an experienced security consultant, penetration tester, and vulnerability researcher. One of his patents, “Interoperability of vulnerability and intrusion detection systems,” was granted by the USPTO in October 2005. Tom has spoken at various conferences including New York Security Conference, ISSA, OWASP, Defcon, and others.<br />
<br />
'''How Cybercriminals Steal Money''' by Neil Daswani, Google<br />
<br />
This talk discusses how we can prevent cybercrime due to the most significant emerging application security vulnerabilities. Such vulnerabilities are used to commit various types of wide-scale fraud, and attacks based on them steal money right out of people's bank accounts, capture tens of millions of credit card numbers, and aid in the construction of next-generation botnets.<br />
<br />
In the talk, I will present some industry-wide statistics on software security vulnerabilities reported to various databases, and emerging trends in the field of software security. This talk will then:<br />
<br />
* review how attacks such as XSRF (Cross-Site-Request-Forgery), XSSI (Cross-Site-Script-Inclusion), and SQL Injection work,<br />
* discuss their impact on Web 2.0, AJAX, mashup, and social networking applications,<br />
* outline how to defend against them, and<br />
* describe how to modify a software development process to achieve security.<br />
<br />
Finally, the talk will discuss the current state of security education, and provide pointers to certification programs, books, and organizations where you and your colleagues can learn more.<br />
<br />
Neil Daswani has served in a variety of research , development, teaching, and managerial roles at Google, Stanford University , DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies). While at Stanford, Neil co-founded the Stanford Center Professional Development (SCPD) Security Certification Program (http://proed.stanford.edu/?security). His areas of expertise include security, wireless data technology, and peer-to-peer systems. He has published extensively in these areas, frequently gives talks at industry and academic conferences, and has been granted several U.S. patents. He received a Ph.D. and a master's in computer science from Stanford University, and earned a bachelor's in computer science with honors with distinction from Columbia University. Neil is also the lead author of "Foundations of Security: What Every Programmer Needs To Know" (published by Apress; ISBN 1590597842; http://tinyurl.com/33xs6g ) More information about Neil is available at http://www.neildaswani.com/<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
Please RSVP at http://owaspbajune2008.eventbrite.com <br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
[[Category:California]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=36162Bay Area2008-08-14T21:35:32Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''June 25th @ 2PM - Microsoft'''<br />
1065 La Avenida St.<br />
Mountain View, CA 94043<br />
Conference Room - Galileo<br />
<br />
OWASP Bay Area will host its '''half day Application Security Summit''' at the Microsoft Facility in Mountain View on Wednesday, June 25th. As usual attendance is free and food and beverages will be provided. '''We have some excellent speakers lined up for this and it should be an event not to be missed.''' The event is open to the public. Please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
Special thanks to Microsoft for hosting this event and to Cenzic and AppSec Consulting, Rapid7, and Imperva for sponsoring.<br />
<br />
==Agenda==<br />
1.30 PM - 2.00 PM ... Check-in and registration<br />
2:00 PM - 2:10 PM ... Overview of the OWASP Bay Area Chapter - Mandeep Khera, Bay Area Chapter Leader<br />
2:10 PM - 2:55 PM ... Consumerization of enterprises: a security conundrum – Dr. Chenxi Wang, Principal Analyst, Forrester Group<br />
2:55 PM - 3:40 PM ... Cross-Site Request Forgery- New Attacks and Defenses - Collin Jackson, PH.D. student, Stanford University<br />
3:40 PM - 4:00 PM ... Networking Break<br />
4:00 PM - 4.45 PM ... Google Gadget Security - Tom Stracener, Cenzic<br />
4:45 PM - 5:30 PM ... How Cybercriminals Steal Money - Neil Daswani, Google <br />
<br />
==Speakers==<br />
'''Consumerization of enterprises: a security conundrum''' by Dr. Chenxi Wang, Principal Analyst, Forrester Group<br />
<br />
Dr. Chenxi Wang is a principal analyst with Forrester. She leads Forrester's research in areas including content security, application security, threats and vulnerability management, and software security. Chenxi brings to Forrester years of sophisticated research experience; her previous experience includes a five-year stint as an associate research professor at Carnegie Mellon University, where she published many research papers on network security and distributed systems. <br />
<br />
Previously, Chenxi served as the chief scientist for KSR, a managed security service startup in the San Francisco bay area. Chenxi also serves as an investigative forensics expert for the Federal Trade Commission. She is the recipient of a Critical Infrastructure Protection Fellowship from the Army Research Office and the Samuel Alexander Fellowship of ACM for outstanding Ph.D. thesis research.<br />
<br />
'''Cross-Site Request Forgery- New Attacks and Defenses''' by Collin Jackson, PH.D. Student, Stanford University<br />
<br />
Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability, but none of the three major CSRF defenses are satisfactory and many web sites neglect to prevent login CSRF. In a login CSRF attack, an attacker uses the victim's browser to forge a cross-site request to the honest site's login URL, supplying the attacker's user name and password. This forged request can disrupt the integrity of the session and enable theft of confidential information.<br />
<br />
Although the HTTP Referer header could be used as an effective general CSRF defense, our experiments indicate that the header is widely blocked at the network layer due to privacy concerns. Our experimental data shows, however, that the header can be used today as a reliable CSRF defense over HTTPS, which is ideal for login CSRF prevention. For the long term, we propose the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns. Additionally, we show that a network attacker can often disrupt session integrity even when the site deploys CSRF defenses, and propose additional defenses against these identity-misbinding attacks.<br />
<br />
Collin Jackson is a fourth-year Ph.D. student in Computer Science at Stanford University. His research focuses on browser vulnerabilities, web authentication, mashups, and web application security.<br />
<br />
'''Google Gadget Security''' by Tom Stracener, Sr. Security Analyst, Cenzic<br />
<br />
Google Gadgets are HTML and Javascript applications that can be embedded in other web applications or the user's desktop (provided they are using Google Desktop). Gadget code is highly portable and can run on multiple sites or applications with few changes to the underlying code. This talk will focus on gadget security, an area where the current implementation is deeply flawed. We will examine Rsnake's XSS vulnerability in Google gadgets, consider possible attack scenarios, and also look at the reasons why Google chose not to fix this vulnerability. We take a critical look on they ways attackers can exploit the current Gadget implementation when performing attacks. This talk will provide the audience with background information for the upcoming Blackhat 2008 session "Xploiting Google Gadgets: Gmalware and Beyond" by Robert Hansen and Tom Stracener.<br />
<br />
Tom is the Senior Security Analyst for Cenzic’s CIA Labs. Mr. Stracener was one of the founding members of nCircle Network Security. While at nCircle he served as the head of vulnerability research from 1999 to 2001, developing one of the industry’s first quantitative vulnerability scoring systems, and co-inventing several patented technologies. Mr. Stracener is an experienced security consultant, penetration tester, and vulnerability researcher. One of his patents, “Interoperability of vulnerability and intrusion detection systems,” was granted by the USPTO in October 2005. Tom has spoken at various conferences including New York Security Conference, ISSA, OWASP, Defcon, and others.<br />
<br />
'''How Cybercriminals Steal Money''' by Neil Daswani, Google<br />
<br />
This talk discusses how we can prevent cybercrime due to the most significant emerging application security vulnerabilities. Such vulnerabilities are used to commit various types of wide-scale fraud, and attacks based on them steal money right out of people's bank accounts, capture tens of millions of credit card numbers, and aid in the construction of next-generation botnets.<br />
<br />
In the talk, I will present some industry-wide statistics on software security vulnerabilities reported to various databases, and emerging trends in the field of software security. This talk will then:<br />
<br />
* review how attacks such as XSRF (Cross-Site-Request-Forgery), XSSI (Cross-Site-Script-Inclusion), and SQL Injection work,<br />
* discuss their impact on Web 2.0, AJAX, mashup, and social networking applications,<br />
* outline how to defend against them, and<br />
* describe how to modify a software development process to achieve security.<br />
<br />
Finally, the talk will discuss the current state of security education, and provide pointers to certification programs, books, and organizations where you and your colleagues can learn more.<br />
<br />
Neil Daswani has served in a variety of research , development, teaching, and managerial roles at Google, Stanford University , DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies). While at Stanford, Neil co-founded the Stanford Center Professional Development (SCPD) Security Certification Program (http://proed.stanford.edu/?security). His areas of expertise include security, wireless data technology, and peer-to-peer systems. He has published extensively in these areas, frequently gives talks at industry and academic conferences, and has been granted several U.S. patents. He received a Ph.D. and a master's in computer science from Stanford University, and earned a bachelor's in computer science with honors with distinction from Columbia University. Neil is also the lead author of "Foundations of Security: What Every Programmer Needs To Know" (published by Apress; ISBN 1590597842; http://tinyurl.com/33xs6g ) More information about Neil is available at http://www.neildaswani.com/<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
Please RSVP at http://owaspbajune2008.eventbrite.com <br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://garrettgee.com Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]<br />
<br />
[[Category:California]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area_Past_Events&diff=33248Bay Area Past Events2008-07-03T01:54:03Z<p>Ggee: </p>
<hr />
<div>This is an archive page of all the Bay Area OWASP past events. The chapter home is at [[Bay Area]]. <br />
<br />
*2008-06-25<br />
**Location: Microsoft, 1065 La Avenida St, Mountain View, CA 94043<br />
**[https://www.owasp.org/index.php/Image:OWASP-BayArea-June08.pdf All Presentations] | [https://www.owasp.org/index.php/Image:BayArea-June08-Evaluation.Data.zip Evaluation Data]<br />
**Speaker: Mandeep Khera: Overview of the OWASP Bay Area Chapter<br />
**Speaker: Dr. Chenxi Wang: Consumerization of enterprises<br />
**Speaker: Collin Jackson: Cross-Site Request Forgery<br />
**Speaker: Tom Stracener: Google Gadget Security<br />
**Speaker: Neil Daswani: How Cybercriminals Steal Money<br />
<br />
*2008-02-21<br />
**Location: Robert Half International, 5720 Stoneridge Dr, Pleasanton CA 94588<br />
**Speaker: Kurt Grutzmacher: [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf Your Client-Side Security Sucks. Stop Using It.]<br />
**Speaker: Eric Rachner: [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf NTLM attacks and countermeasures]<br />
<br />
*2008-01-24<br />
**Location: PG&E,245 Market Street, San Francisco, CA 94105<br />
**Speaker: Erick Lee, Adobe Systems: Securing Flash® & Flex® Applications<br />
**Speaker: Jim Cowing, Digital Resource Group: Application Security and PCI Compliance<br />
<br />
*2007-12-13<br />
**Location: Stanford University Alumni Association Center, 326 Galvez Street, Stanford, CA 94305<br />
**Speaker: Niels Provos, Google: Ghosts in the Browser<br/><br />
**Speaker: Adam Barth & Collin Jackson, Stanford University: Ph.D. Student Presentations<br/><br />
**Sponsors: Cenzic and AppSec Consulting</div>Ggeehttps://wiki.owasp.org/index.php?title=File:BayArea-June08-Evaluation.Data.zip&diff=33247File:BayArea-June08-Evaluation.Data.zip2008-07-03T01:53:32Z<p>Ggee: </p>
<hr />
<div></div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area_Past_Events&diff=33041Bay Area Past Events2008-07-02T02:40:03Z<p>Ggee: </p>
<hr />
<div>This is an archive page of all the Bay Area OWASP past events. The chapter home is at [[Bay Area]]. <br />
<br />
*2008-06-25<br />
**Location: Microsoft, 1065 La Avenida St, Mountain View, CA 94043<br />
**[https://www.owasp.org/index.php/Image:OWASP-BayArea-June08.pdf All Presentations]<br />
**Speaker: Mandeep Khera: Overview of the OWASP Bay Area Chapter<br />
**Speaker: Dr. Chenxi Wang: Consumerization of enterprises<br />
**Speaker: Collin Jackson: Cross-Site Request Forgery<br />
**Speaker: Tom Stracener: Google Gadget Security<br />
**Speaker: Neil Daswani: How Cybercriminals Steal Money<br />
<br />
*2008-02-21<br />
**Location: Robert Half International, 5720 Stoneridge Dr, Pleasanton CA 94588<br />
**Speaker: Kurt Grutzmacher: [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf Your Client-Side Security Sucks. Stop Using It.]<br />
**Speaker: Eric Rachner: [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf NTLM attacks and countermeasures]<br />
<br />
*2008-01-24<br />
**Location: PG&E,245 Market Street, San Francisco, CA 94105<br />
**Speaker: Erick Lee, Adobe Systems: Securing Flash® & Flex® Applications<br />
**Speaker: Jim Cowing, Digital Resource Group: Application Security and PCI Compliance<br />
<br />
*2007-12-13<br />
**Location: Stanford University Alumni Association Center, 326 Galvez Street, Stanford, CA 94305<br />
**Speaker: Niels Provos, Google: Ghosts in the Browser<br/><br />
**Speaker: Adam Barth & Collin Jackson, Stanford University: Ph.D. Student Presentations<br/><br />
**Sponsors: Cenzic and AppSec Consulting</div>Ggeehttps://wiki.owasp.org/index.php?title=File:OWASP-BayArea-June08.pdf&diff=33038File:OWASP-BayArea-June08.pdf2008-07-02T02:33:57Z<p>Ggee: </p>
<hr />
<div></div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=32146Bay Area2008-06-22T04:50:08Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''June 25th @ 2PM - Microsoft'''<br />
1065 La Avenida St.<br />
Mountain View, CA 94043<br />
Conference Room - Galileo<br />
<br />
OWASP Bay Area will host its '''half day Application Security Summit''' at the Microsoft Facility in Mountain View on Wednesday, June 25th. As usual attendance is free and food and beverages will be provided. '''We have some excellent speakers lined up for this and it should be an event not to be missed.''' The event is open to the public. Please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
Special thanks to Microsoft for hosting this event and to Cenzic and AppSec Consulting, Rapid7, and Imperva for sponsoring.<br />
<br />
==Agenda==<br />
1.30 PM - 2.00 PM ... Check-in and registration<br />
2:00 PM - 2:10 PM ... Overview of the OWASP Bay Area Chapter - Mandeep Khera, Bay Area Chapter Leader<br />
2:10 PM - 2:55 PM ... Consumerization of enterprises: a security conundrum – Dr. Chenxi Wang, Principal Analyst, Forrester Group<br />
2:55 PM - 3:40 PM ... Cross-Site Request Forgery- New Attacks and Defenses - Collin Jackson, PH.D. student, Stanford University<br />
3:40 PM - 4:00 PM ... Networking Break<br />
4:00 PM - 4.45 PM ... Google Gadget Security - Tom Stracener, Cenzic<br />
4:45 PM - 5:30 PM ... How Cybercriminals Steal Money - Neil Daswani, Google <br />
<br />
==Speakers==<br />
'''Consumerization of enterprises: a security conundrum''' by Dr. Chenxi Wang, Principal Analyst, Forrester Group<br />
<br />
Dr. Chenxi Wang is a principal analyst with Forrester. She leads Forrester's research in areas including content security, application security, threats and vulnerability management, and software security. Chenxi brings to Forrester years of sophisticated research experience; her previous experience includes a five-year stint as an associate research professor at Carnegie Mellon University, where she published many research papers on network security and distributed systems. <br />
<br />
Previously, Chenxi served as the chief scientist for KSR, a managed security service startup in the San Francisco bay area. Chenxi also serves as an investigative forensics expert for the Federal Trade Commission. She is the recipient of a Critical Infrastructure Protection Fellowship from the Army Research Office and the Samuel Alexander Fellowship of ACM for outstanding Ph.D. thesis research.<br />
<br />
'''Cross-Site Request Forgery- New Attacks and Defenses''' by Collin Jackson, PH.D. Student, Stanford University<br />
<br />
Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability, but none of the three major CSRF defenses are satisfactory and many web sites neglect to prevent login CSRF. In a login CSRF attack, an attacker uses the victim's browser to forge a cross-site request to the honest site's login URL, supplying the attacker's user name and password. This forged request can disrupt the integrity of the session and enable theft of confidential information.<br />
<br />
Although the HTTP Referer header could be used as an effective general CSRF defense, our experiments indicate that the header is widely blocked at the network layer due to privacy concerns. Our experimental data shows, however, that the header can be used today as a reliable CSRF defense over HTTPS, which is ideal for login CSRF prevention. For the long term, we propose the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns. Additionally, we show that a network attacker can often disrupt session integrity even when the site deploys CSRF defenses, and propose additional defenses against these identity-misbinding attacks.<br />
<br />
Collin Jackson is a fourth-year Ph.D. student in Computer Science at Stanford University. His research focuses on browser vulnerabilities, web authentication, mashups, and web application security.<br />
<br />
'''Google Gadget Security''' by Tom Stracener, Sr. Security Analyst, Cenzic<br />
<br />
Google Gadgets are HTML and Javascript applications that can be embedded in other web applications or the user's desktop (provided they are using Google Desktop). Gadget code is highly portable and can run on multiple sites or applications with few changes to the underlying code. This talk will focus on gadget security, an area where the current implementation is deeply flawed. We will examine Rsnake's XSS vulnerability in Google gadgets, consider possible attack scenarios, and also look at the reasons why Google chose not to fix this vulnerability. We take a critical look on they ways attackers can exploit the current Gadget implementation when performing attacks. This talk will provide the audience with background information for the upcoming Blackhat 2008 session "Xploiting Google Gadgets: Gmalware and Beyond" by Robert Hansen and Tom Stracener.<br />
<br />
Tom is the Senior Security Analyst for Cenzic’s CIA Labs. Mr. Stracener was one of the founding members of nCircle Network Security. While at nCircle he served as the head of vulnerability research from 1999 to 2001, developing one of the industry’s first quantitative vulnerability scoring systems, and co-inventing several patented technologies. Mr. Stracener is an experienced security consultant, penetration tester, and vulnerability researcher. One of his patents, “Interoperability of vulnerability and intrusion detection systems,” was granted by the USPTO in October 2005. Tom has spoken at various conferences including New York Security Conference, ISSA, OWASP, Defcon, and others.<br />
<br />
'''How Cybercriminals Steal Money''' by Neil Daswani, Google<br />
<br />
This talk discusses how we can prevent cybercrime due to the most significant emerging application security vulnerabilities. Such vulnerabilities are used to commit various types of wide-scale fraud, and attacks based on them steal money right out of people's bank accounts, capture tens of millions of credit card numbers, and aid in the construction of next-generation botnets.<br />
<br />
In the talk, I will present some industry-wide statistics on software security vulnerabilities reported to various databases, and emerging trends in the field of software security. This talk will then:<br />
<br />
* review how attacks such as XSRF (Cross-Site-Request-Forgery), XSSI (Cross-Site-Script-Inclusion), and SQL Injection work,<br />
* discuss their impact on Web 2.0, AJAX, mashup, and social networking applications,<br />
* outline how to defend against them, and<br />
* describe how to modify a software development process to achieve security.<br />
<br />
Finally, the talk will discuss the current state of security education, and provide pointers to certification programs, books, and organizations where you and your colleagues can learn more.<br />
<br />
Neil Daswani has served in a variety of research , development, teaching, and managerial roles at Google, Stanford University , DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies). While at Stanford, Neil co-founded the Stanford Center Professional Development (SCPD) Security Certification Program (http://proed.stanford.edu/?security). His areas of expertise include security, wireless data technology, and peer-to-peer systems. He has published extensively in these areas, frequently gives talks at industry and academic conferences, and has been granted several U.S. patents. He received a Ph.D. and a master's in computer science from Stanford University, and earned a bachelor's in computer science with honors with distinction from Columbia University. Neil is also the lead author of "Foundations of Security: What Every Programmer Needs To Know" (published by Apress; ISBN 1590597842; http://tinyurl.com/33xs6g ) More information about Neil is available at http://www.neildaswani.com/<br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
Please RSVP at http://owaspbajune2008.eventbrite.com <br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://ggee.org Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=31939Bay Area2008-06-18T02:24:37Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''June 25th @ 2PM - Microsoft'''<br />
1065 La Avenida St.<br />
Mountain View, CA 94043<br />
Conference Room - Galileo<br />
<br />
OWASP Bay Area will host its '''half day Application Security Summit''' at the Microsoft Facility in Mountain View on Wednesday, June 25th. As usual attendance is free and food and beverages will be provided. '''We have some excellent speakers lined up for this and it should be an event not to be missed.''' The event is open to the public. Please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
Special thanks to Microsoft for hosting this event and to Cenzic and AppSec Consulting, Rapid7, and Imperva for sponsoring.<br />
<br />
==Agenda==<br />
1.30 PM - 2.00 PM ... Check-in and registration<br />
2:00 PM - 2:10 PM ... Overview of the OWASP Bay Area Chapter - Mandeep Khera, Bay Area Chapter Leader<br />
2:10 PM - 2:55 PM ... Consumerization of enterprises: a security conundrum – Dr. Chenxi Wang, Principal Analyst, Forrester Group<br />
2:55 PM - 3:40 PM ... Cross-Site Request Forgery- New Attacks and Defenses - Collin Jackson, PH.D. student, Stanford University<br />
3:40 PM - 4:00 PM ... Networking Break<br />
4:00 PM - 4.45 PM ... Google Gadget Security - Tom Stracener, Cenzic<br />
4:45 PM - 5:30 PM ... How Cybercriminals Steal Money - Neil Daswani, Google <br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
<br />
Please RSVP at http://owaspbajune2008.eventbrite.com <br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://ggee.org Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=31938Bay Area2008-06-18T02:24:22Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''June 25th @ 2PM - Microsoft'''<br />
1065 La Avenida St.<br />
Mountain View, CA 94043<br />
Conference Room - Galileo<br />
<br />
OWASP Bay Area will host its '''half day Application Security Summit''' at the Microsoft Facility in Mountain View on Wednesday, June 25th. As usual attendance is free and food and beverages will be provided. '''We have some excellent speakers lined up for this and it should be an event not to be missed.''' The event is open to the public. Please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
Special thanks to Microsoft for hosting this event and to Cenzic and AppSec Consulting, Rapid7, and Imperva for sponsoring.<br />
<br />
==Agenda==<br />
1.30 PM - 2.00 PM ... Check-in and registration<br />
2:00 PM - 2:10 PM ... Overview of the OWASP Bay Area Chapter - Mandeep Khera, Bay Area Chapter Leader<br />
2:10 PM - 2:55 PM ... Consumerization of enterprises: a security conundrum – Dr. Chenxi Wang, Principal Analyst, Forrester Group<br />
2:55 PM - 3:40 PM ... Cross-Site Request Forgery- New Attacks and Defenses - Collin Jackson, PH.D. student, Stanford University<br />
3:40 PM - 4:00 PM ... Networking Break<br />
4:00 PM - 4.45 PM ... Google Gadget Security - Tom Stracener, Cenzic<br />
4:45 PM - 5:30 PM ... How Cybercriminals Steal Money - Neil Daswani, Google <br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
Please RSVP at http://owaspbajune2008.eventbrite.com <br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://ggee.org Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=31937Bay Area2008-06-18T02:22:27Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''June 25th @ 2PM - Microsoft'''<br />
1065 La Avenida St.<br />
Mountain View, CA 94043<br />
Conference Room - Galileo<br />
<br />
OWASP Bay Area will host its '''half day Application Security Summit''' at the Microsoft Facility in Mountain View on Wednesday, June 25th. As usual attendance is free and food and beverages will be provided. '''We have some excellent speakers lined up for this and it should be an event not to be missed.''' The event is open to the public. Please forward this invite to your colleagues and friends who are interested in computer and application security.<br />
<br />
Special thanks to Microsoft for hosting this event and to Cenzic and AppSec Consulting, Rapid7, and Imperva for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.''' - [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf slides]<br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures''' - [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf slides]<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Eric will demonstrate the NTLM relay attack, in which an attacker accesses arbitrary web sites and file shares using the credentials of any user who can be lured into visiting the attacker's web site. Since NTLM is enabled by default as part of the Windows integrated authentication protocol suite, this attack is a potential concern in any enterprise where Windows is widely used. Following the demonstration, we will explore the history and mechanics of the attack, as well as mitigation options. <br />
<br />
Bio: Eric Rachner is a security researcher and lead consultant specializing in threat analysis, vulnerability assessment and penetrating testing of complex mission critical applications and systems. Mr. Rachner began his career in IT at Microsoft in 1994. As a senior member of Microsoft's Security Team, Eric led several projects including application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. In 2005, Eric became an independent security consultant and researcher providing services to large global enterprises in North America and Europe. Away from the office Eric has many hobbies; he also participated as a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con three years in a row. <br />
<br />
==RSVP==<br />
'''REGISTER EARLY AS SEATING IS LIMITED'''<br />
Please RSVP at http://owaspbajune2008.eventbrite.com <br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://ggee.org Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25937Bay Area2008-02-24T19:05:19Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic and AppSec Consulting for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.''' - [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf slides]<br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures''' - [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf slides]<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Eric will demonstrate the NTLM relay attack, in which an attacker accesses arbitrary web sites and file shares using the credentials of any user who can be lured into visiting the attacker's web site. Since NTLM is enabled by default as part of the Windows integrated authentication protocol suite, this attack is a potential concern in any enterprise where Windows is widely used. Following the demonstration, we will explore the history and mechanics of the attack, as well as mitigation options. <br />
<br />
Bio: Eric Rachner is a security researcher and lead consultant specializing in threat analysis, vulnerability assessment and penetrating testing of complex mission critical applications and systems. Mr. Rachner began his career in IT at Microsoft in 1994. As a senior member of Microsoft's Security Team, Eric led several projects including application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. In 2005, Eric became an independent security consultant and researcher providing services to large global enterprises in North America and Europe. Away from the office Eric has many hobbies; he also participated as a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con three years in a row. <br />
<br />
==RSVP==<br />
Please RSVP at http://owaspfeb2008.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://ggee.org Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay Area Past Events]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area_Past_Events&diff=25936Bay Area Past Events2008-02-24T19:04:36Z<p>Ggee: </p>
<hr />
<div>This is an archive page of all the Bay Area OWASP past events. The chapter home is at [[Bay Area]]. <br />
<br />
*2008-02-21<br />
**Location: Robert Half International, 5720 Stoneridge Dr, Pleasanton CA 94588<br />
**Speaker: Kurt Grutzmacher: [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf Your Client-Side Security Sucks. Stop Using It.]<br />
**Speaker: Eric Rachner: [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf NTLM attacks and countermeasures]<br />
<br />
*2008-01-24<br />
**Location: PG&E,245 Market Street, San Francisco, CA 94105<br />
**Speaker: Erick Lee, Adobe Systems: Securing Flash® & Flex® Applications<br />
**Speaker: Jim Cowing, Digital Resource Group: Application Security and PCI Compliance<br />
<br />
*2007-12-13<br />
**Location: Stanford University Alumni Association Center, 326 Galvez Street, Stanford, CA 94305<br />
**Speaker: Niels Provos, Google: Ghosts in the Browser<br/><br />
**Speaker: Adam Barth & Collin Jackson, Stanford University: Ph.D. Student Presentations<br/><br />
**Sponsors: Cenzic and AppSec Consulting</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area_Past_Events&diff=25935Bay Area Past Events2008-02-24T19:03:40Z<p>Ggee: </p>
<hr />
<div>This is an archive page of all the Bay Area OWASP past events. The chapter home is here. <br />
<br />
*2008-02-21<br />
**Location: Robert Half International, 5720 Stoneridge Dr, Pleasanton CA 94588<br />
**Speaker: Kurt Grutzmacher: [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf Your Client-Side Security Sucks. Stop Using It.]<br />
**Speaker: Eric Rachner: [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf NTLM attacks and countermeasures]<br />
<br />
*2008-01-24<br />
**Location: PG&E,245 Market Street, San Francisco, CA 94105<br />
**Speaker: Erick Lee, Adobe Systems: Securing Flash® & Flex® Applications<br />
**Speaker: Jim Cowing, Digital Resource Group: Application Security and PCI Compliance<br />
<br />
*2007-12-13<br />
**Location: Stanford University Alumni Association Center, 326 Galvez Street, Stanford, CA 94305<br />
**Speaker: Niels Provos, Google: Ghosts in the Browser<br/><br />
**Speaker: Adam Barth & Collin Jackson, Stanford University: Ph.D. Student Presentations<br/><br />
**Sponsors: Cenzic and AppSec Consulting</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area_Past_Events&diff=25934Bay Area Past Events2008-02-24T19:02:39Z<p>Ggee: </p>
<hr />
<div>This is an archive page of all the Bay Area OWASP past events. The chapter home is here. <br />
<br />
*2008-02-21<br />
**Location: Robert Half International, 5720 Stoneridge Dr, Pleasanton CA 94588<br />
**Speaker: Kurt Grutzmacher: Your Client-Side Security Sucks. Stop Using It. - [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf slides]<br />
**Speaker: Eric Rachner: NTLM attacks and countermeasures - [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf slides]<br />
<br />
*2008-01-24<br />
**Location: PG&E,245 Market Street, San Francisco, CA 94105<br />
**Speaker: Erick Lee, Adobe Systems: Securing Flash® & Flex® Applications<br />
**Speaker: Jim Cowing, Digital Resource Group: Application Security and PCI Compliance<br />
<br />
*2007-12-13<br />
**Location: Stanford University Alumni Association Center, 326 Galvez Street, Stanford, CA 94305<br />
**Speaker: Niels Provos, Google: Ghosts in the Browser<br/><br />
**Speaker: Adam Barth & Collin Jackson, Stanford University: Ph.D. Student Presentations<br/><br />
**Sponsors: Cenzic and AppSec Consulting</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area_Past_Events&diff=25933Bay Area Past Events2008-02-24T19:00:45Z<p>Ggee: </p>
<hr />
<div>This is an archive page of all the Bay Area OWASP past events. The chapter home is here. <br />
<br />
*2008-01-24<br />
**Location: PG&E,245 Market Street, San Francisco, CA 94105<br />
**Speaker: Erick Lee, Adobe Systems: Securing Flash® & Flex® Applications<br />
**Speaker: Jim Cowing, Digital Resource Group: Application Security and PCI Compliance<br />
<br />
*2007-12-13<br />
**Location: Stanford University Alumni Association Center, 326 Galvez Street, Stanford, CA 94305<br />
**Speaker: Niels Provos, Google: Ghosts in the Browser<br/><br />
**Speaker: Adam Barth & Collin Jackson, Stanford University: Ph.D. Student Presentations<br/><br />
**Sponsors: Cenzic and AppSec Consulting</div>Ggeehttps://wiki.owasp.org/index.php?title=San_Jose&diff=25932San Jose2008-02-24T18:54:00Z<p>Ggee: Redirecting to Bay Area</p>
<hr />
<div>#REDIRECT [[Bay Area]]<br />
<br />
{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}</div>Ggeehttps://wiki.owasp.org/index.php?title=San_Francisco&diff=25931San Francisco2008-02-24T18:53:03Z<p>Ggee: Redirecting to Bay Area</p>
<hr />
<div>#REDIRECT [[Bay Area]]<br />
<br />
{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25929Bay Area2008-02-24T18:51:33Z<p>Ggee: San Francisco Bay Area moved to Bay Area</p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic and AppSec Consulting for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.''' - [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf slides]<br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures''' - [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf slides]<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Eric will demonstrate the NTLM relay attack, in which an attacker accesses arbitrary web sites and file shares using the credentials of any user who can be lured into visiting the attacker's web site. Since NTLM is enabled by default as part of the Windows integrated authentication protocol suite, this attack is a potential concern in any enterprise where Windows is widely used. Following the demonstration, we will explore the history and mechanics of the attack, as well as mitigation options. <br />
<br />
Bio: Eric Rachner is a security researcher and lead consultant specializing in threat analysis, vulnerability assessment and penetrating testing of complex mission critical applications and systems. Mr. Rachner began his career in IT at Microsoft in 1994. As a senior member of Microsoft's Security Team, Eric led several projects including application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. In 2005, Eric became an independent security consultant and researcher providing services to large global enterprises in North America and Europe. Away from the office Eric has many hobbies; he also participated as a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con three years in a row. <br />
<br />
==RSVP==<br />
Please RSVP at http://owaspfeb2008.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://ggee.org Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay_Area_Past_Events]]</div>Ggeehttps://wiki.owasp.org/index.php?title=San_Francisco_Bay_Area&diff=25930San Francisco Bay Area2008-02-24T18:51:33Z<p>Ggee: San Francisco Bay Area moved to Bay Area</p>
<hr />
<div>#REDIRECT [[Bay Area]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25928Bay Area2008-02-24T18:51:10Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic and AppSec Consulting for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.''' - [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf slides]<br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures''' - [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf slides]<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Eric will demonstrate the NTLM relay attack, in which an attacker accesses arbitrary web sites and file shares using the credentials of any user who can be lured into visiting the attacker's web site. Since NTLM is enabled by default as part of the Windows integrated authentication protocol suite, this attack is a potential concern in any enterprise where Windows is widely used. Following the demonstration, we will explore the history and mechanics of the attack, as well as mitigation options. <br />
<br />
Bio: Eric Rachner is a security researcher and lead consultant specializing in threat analysis, vulnerability assessment and penetrating testing of complex mission critical applications and systems. Mr. Rachner began his career in IT at Microsoft in 1994. As a senior member of Microsoft's Security Team, Eric led several projects including application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. In 2005, Eric became an independent security consultant and researcher providing services to large global enterprises in North America and Europe. Away from the office Eric has many hobbies; he also participated as a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con three years in a row. <br />
<br />
==RSVP==<br />
Please RSVP at http://owaspfeb2008.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://ggee.org Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay_Area_Past_Events]]</div>Ggeehttps://wiki.owasp.org/index.php?title=San_Jose&diff=25927San Jose2008-02-24T18:49:48Z<p>Ggee: Redirecting to San Francisco Bay Area</p>
<hr />
<div>#REDIRECT [[San Francisco Bay Area]]<br />
<br />
{{Chapter Template|chaptername=SF Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}</div>Ggeehttps://wiki.owasp.org/index.php?title=San_Jose&diff=25926San Jose2008-02-24T18:47:20Z<p>Ggee: Redirecting to San Francisco Bay Area</p>
<hr />
<div>#REDIRECT [[San Francisco Bay Area]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25925Bay Area2008-02-24T18:46:01Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=SF Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic and AppSec Consulting for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.''' - [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf slides]<br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures''' - [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf slides]<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Eric will demonstrate the NTLM relay attack, in which an attacker accesses arbitrary web sites and file shares using the credentials of any user who can be lured into visiting the attacker's web site. Since NTLM is enabled by default as part of the Windows integrated authentication protocol suite, this attack is a potential concern in any enterprise where Windows is widely used. Following the demonstration, we will explore the history and mechanics of the attack, as well as mitigation options. <br />
<br />
Bio: Eric Rachner is a security researcher and lead consultant specializing in threat analysis, vulnerability assessment and penetrating testing of complex mission critical applications and systems. Mr. Rachner began his career in IT at Microsoft in 1994. As a senior member of Microsoft's Security Team, Eric led several projects including application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. In 2005, Eric became an independent security consultant and researcher providing services to large global enterprises in North America and Europe. Away from the office Eric has many hobbies; he also participated as a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con three years in a row. <br />
<br />
==RSVP==<br />
Please RSVP at http://owaspfeb2008.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://ggee.org Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]<br />
<br />
=Bay Area Past Events=<br />
[[Bay_Area_Past_Events]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area_Past_Events&diff=25924Bay Area Past Events2008-02-24T18:44:40Z<p>Ggee: New page: This is an archive page of all the Bay Area OWASP past events. The chapter home is here. *2007-12-13 **Location: Stanford University Alumni Association Center, 326 Galvez Street, Stanfor...</p>
<hr />
<div>This is an archive page of all the Bay Area OWASP past events. The chapter home is here. <br />
<br />
*2007-12-13<br />
**Location: Stanford University Alumni Association Center, 326 Galvez Street, Stanford, CA 94305<br />
**Speaker: Niels Provos, Google: Ghosts in the Browser<br/><br />
**Speaker: Adam Barth & Collin Jackson, Stanford University: Ph.D. Student Presentations<br/><br />
**Sponsors: Cenzic and AppSec Consulting</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25923Bay Area2008-02-24T18:37:08Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=SF Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic and AppSec Consulting for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.''' - [https://www.owasp.org/index.php/Image:Your_Client_Security_Sucks_-_OWASP.pdf slides]<br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures''' - [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf slides]<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Eric will demonstrate the NTLM relay attack, in which an attacker accesses arbitrary web sites and file shares using the credentials of any user who can be lured into visiting the attacker's web site. Since NTLM is enabled by default as part of the Windows integrated authentication protocol suite, this attack is a potential concern in any enterprise where Windows is widely used. Following the demonstration, we will explore the history and mechanics of the attack, as well as mitigation options. <br />
<br />
Bio: Eric Rachner is a security researcher and lead consultant specializing in threat analysis, vulnerability assessment and penetrating testing of complex mission critical applications and systems. Mr. Rachner began his career in IT at Microsoft in 1994. As a senior member of Microsoft's Security Team, Eric led several projects including application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. In 2005, Eric became an independent security consultant and researcher providing services to large global enterprises in North America and Europe. Away from the office Eric has many hobbies; he also participated as a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con three years in a row. <br />
<br />
==RSVP==<br />
Please RSVP at http://owaspfeb2008.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://ggee.org Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]</div>Ggeehttps://wiki.owasp.org/index.php?title=File:Your_Client_Security_Sucks_-_OWASP.pdf&diff=25922File:Your Client Security Sucks - OWASP.pdf2008-02-24T18:36:14Z<p>Ggee: </p>
<hr />
<div></div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25921Bay Area2008-02-24T18:34:44Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=SF Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic and AppSec Consulting for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.''' - <br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures''' - [https://www.owasp.org/index.php/Image:NTLM_Relay_Attacks.pdf slides]<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Eric will demonstrate the NTLM relay attack, in which an attacker accesses arbitrary web sites and file shares using the credentials of any user who can be lured into visiting the attacker's web site. Since NTLM is enabled by default as part of the Windows integrated authentication protocol suite, this attack is a potential concern in any enterprise where Windows is widely used. Following the demonstration, we will explore the history and mechanics of the attack, as well as mitigation options. <br />
<br />
Bio: Eric Rachner is a security researcher and lead consultant specializing in threat analysis, vulnerability assessment and penetrating testing of complex mission critical applications and systems. Mr. Rachner began his career in IT at Microsoft in 1994. As a senior member of Microsoft's Security Team, Eric led several projects including application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. In 2005, Eric became an independent security consultant and researcher providing services to large global enterprises in North America and Europe. Away from the office Eric has many hobbies; he also participated as a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con three years in a row. <br />
<br />
==RSVP==<br />
Please RSVP at http://owaspfeb2008.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://ggee.org Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]</div>Ggeehttps://wiki.owasp.org/index.php?title=File:NTLM_Relay_Attacks.pdf&diff=25881File:NTLM Relay Attacks.pdf2008-02-23T07:27:22Z<p>Ggee: </p>
<hr />
<div></div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25722Bay Area2008-02-21T18:21:16Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=SF Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic and AppSec Consulting for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.'''<br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures'''<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Eric will demonstrate the NTLM relay attack, in which an attacker accesses arbitrary web sites and file shares using the credentials of any user who can be lured into visiting the attacker's web site. Since NTLM is enabled by default as part of the Windows integrated authentication protocol suite, this attack is a potential concern in any enterprise where Windows is widely used. Following the demonstration, we will explore the history and mechanics of the attack, as well as mitigation options. <br />
<br />
Bio: Eric Rachner is a security researcher and lead consultant specializing in threat analysis, vulnerability assessment and penetrating testing of complex mission critical applications and systems. Mr. Rachner began his career in IT at Microsoft in 1994. As a senior member of Microsoft's Security Team, Eric led several projects including application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. In 2005, Eric became an independent security consultant and researcher providing services to large global enterprises in North America and Europe. Away from the office Eric has many hobbies; he also participated as a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con three years in a row. <br />
<br />
==RSVP==<br />
Please RSVP at http://owaspfeb2008.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://ggee.org Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25465Bay Area2008-02-15T21:53:42Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=SF Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.'''<br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures'''<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Eric will demonstrate the NTLM relay attack, in which an attacker accesses arbitrary web sites and file shares using the credentials of any user who can be lured into visiting the attacker's web site. Since NTLM is enabled by default as part of the Windows integrated authentication protocol suite, this attack is a potential concern in any enterprise where Windows is widely used. Following the demonstration, we will explore the history and mechanics of the attack, as well as mitigation options. <br />
<br />
Bio: Eric Rachner is a security researcher and lead consultant specializing in threat analysis, vulnerability assessment and penetrating testing of complex mission critical applications and systems. Mr. Rachner began his career in IT at Microsoft in 1994. As a senior member of Microsoft's Security Team, Eric led several projects including application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. In 2005, Eric became an independent security consultant and researcher providing services to large global enterprises in North America and Europe. Away from the office Eric has many hobbies; he also participated as a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con three years in a row. <br />
<br />
==RSVP==<br />
Please RSVP at http://owaspfeb2008.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*[http://ggee.org Garrett Gee]<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25450Bay Area2008-02-15T18:14:40Z<p>Ggee: Undo revision 25449 by Ggee (Talk)</p>
<hr />
<div>{{Chapter Template|chaptername=SF Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.'''<br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures'''<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Eric will demonstrate the NTLM relay attack, in which an attacker accesses arbitrary web sites and file shares using the credentials of any user who can be lured into visiting the attacker's web site. Since NTLM is enabled by default as part of the Windows integrated authentication protocol suite, this attack is a potential concern in any enterprise where Windows is widely used. Following the demonstration, we will explore the history and mechanics of the attack, as well as mitigation options. <br />
<br />
Bio: Eric Rachner is a security researcher and lead consultant specializing in threat analysis, vulnerability assessment and penetrating testing of complex mission critical applications and systems. Mr. Rachner began his career in IT at Microsoft in 1994. As a senior member of Microsoft's Security Team, Eric led several projects including application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. In 2005, Eric became an independent security consultant and researcher providing services to large global enterprises in North America and Europe. Away from the office Eric has many hobbies; he also participated as a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con three years in a row. <br />
<br />
==RSVP==<br />
Please RSVP at http://owaspfeb2008.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*Garrett Gee<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25449Bay Area2008-02-15T18:13:53Z<p>Ggee: Replacing page with '{{Chapter Template|chaptername=SF Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bay...'</p>
<hr />
<div>{{Chapter Template|chaptername=SF Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
#redirect [[Bay Area]]</div>Ggeehttps://wiki.owasp.org/index.php?title=Talk:Bay_Area&diff=25448Talk:Bay Area2008-02-15T18:13:06Z<p>Ggee: New page: {{Chapter Template|chaptername=Bay Area|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}} =Next ...</p>
<hr />
<div>{{Chapter Template|chaptername=Bay Area|extra= |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.'''<br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures'''<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Eric will demonstrate the NTLM relay attack, in which an attacker accesses arbitrary web sites and file shares using the credentials of any user who can be lured into visiting the attacker's web site. Since NTLM is enabled by default as part of the Windows integrated authentication protocol suite, this attack is a potential concern in any enterprise where Windows is widely used. Following the demonstration, we will explore the history and mechanics of the attack, as well as mitigation options. <br />
<br />
Bio: Eric Rachner is a security researcher and lead consultant specializing in threat analysis, vulnerability assessment and penetrating testing of complex mission critical applications and systems. Mr. Rachner began his career in IT at Microsoft in 1994. As a senior member of Microsoft's Security Team, Eric led several projects including application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. In 2005, Eric became an independent security consultant and researcher providing services to large global enterprises in North America and Europe. Away from the office Eric has many hobbies; he also participated as a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con three years in a row. <br />
<br />
==RSVP==<br />
Please RSVP at http://owaspfeb2008.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*Garrett Gee<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25447Bay Area2008-02-15T18:04:32Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=SF Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.'''<br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures'''<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Eric will demonstrate the NTLM relay attack, in which an attacker accesses arbitrary web sites and file shares using the credentials of any user who can be lured into visiting the attacker's web site. Since NTLM is enabled by default as part of the Windows integrated authentication protocol suite, this attack is a potential concern in any enterprise where Windows is widely used. Following the demonstration, we will explore the history and mechanics of the attack, as well as mitigation options. <br />
<br />
Bio: Eric Rachner is a security researcher and lead consultant specializing in threat analysis, vulnerability assessment and penetrating testing of complex mission critical applications and systems. Mr. Rachner began his career in IT at Microsoft in 1994. As a senior member of Microsoft's Security Team, Eric led several projects including application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. In 2005, Eric became an independent security consultant and researcher providing services to large global enterprises in North America and Europe. Away from the office Eric has many hobbies; he also participated as a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con three years in a row. <br />
<br />
==RSVP==<br />
Please RSVP at http://owaspfeb2008.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*Garrett Gee<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25408Bay Area2008-02-15T04:33:50Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=SF Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
==Date and Location==<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic for sponsoring.<br />
<br />
==Agenda==<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
6:30pm - 7:15pm ... '''Your Client-Side Security Sucks. Stop Using It.''' – Kurt Grutzmacher<br />
7:15pm - 8:00pm ... '''NTLM attacks and countermeasures''' – Eric Rachner<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
==Speakers==<br />
'''Your Client-Side Security Sucks. Stop Using It.'''<br />
<br />
Presented by: Kurt Grutzmacher<br />
<br />
Abstract: Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
Bio: Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping<br />
they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
'''NTLM attacks and countermeasures'''<br />
<br />
Presented by: Eric Rachner<br />
<br />
Abstract: Coming soon.<br />
<br />
Bio: Coming soon.<br />
<br />
==RSVP==<br />
Please RSVP at http://owaspfeb2008.eventbrite.com<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*Garrett Gee<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25407Bay Area2008-02-15T04:17:23Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=SF Bay Area|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-bayarea|emailarchives=http://lists.owasp.org/pipermail/owasp-bayarea}}<br />
<br />
=Next Event=<br />
<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
'''Agenda and Presentations:'''<br />
<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
<br />
6:30pm - 7:15pm ... ''Your Client-Side Security Sucks. Stop Using It.'' – Kurt Grutzmacher<br />
<br />
7:15pm - 8:00pm ... ''NTLM attacks and countermeasures'' – Eric Rachner<br />
<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
<br />
'''Venue:'''<br />
Robert Half International<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
''Your Client-Side Security Sucks. Stop Using It.''<br />
<br />
'''Presented by:''' Kurt Grutzmacher<br />
<br />
'''Abstract:''' Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
'''Bio:''' Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping<br />
they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
''NTLM attacks and countermeasures''<br />
<br />
'''Presented by:''' Eric Rachner<br />
<br />
'''Abstract:''' Coming soon.<br />
<br />
'''Bio:''' Coming soon.<br />
<br />
Please RSVP by responding to this email or visit ''http://owaspfeb2008.eventbrite.com''<br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic for sponsoring.<br />
<br />
=Bay Area Chapter Leaders=<br />
*[mailto:brian@appsecconsulting.com Brian Bertacini]<br />
*Garrett Gee<br />
*[mailto:mandeep@cenzic.com Mandeep Khera]<br />
*[mailto:robipapp@yahoo.com Robi Papp]</div>Ggeehttps://wiki.owasp.org/index.php?title=Bay_Area&diff=25406Bay Area2008-02-15T04:07:42Z<p>Ggee: </p>
<hr />
<div>{{Chapter Template|chaptername=San Francisco|extra=The chapter leader is [mailto:robipapp@yahoo.com Robi Papp]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanfran|emailarchives=http://lists.owasp.org/pipermail/owasp-sanfran}}<br />
<br />
NEXT EVENT:<br />
<br />
'''February, 21st @ 6PM - Robert Half International'''<br />
<br />
<br />
OWASP Bay Area will host its next meeting at the Robert Half International on Thursday, February 21. As usual attendance is free and food and beverages will be provided. This will be an awesome event and a great opportunity to network with industry peers. The event is open to the public; please forward this invite to your colleagues and friends who are interested in computer and application security. <br />
<br />
'''Agenda and Presentations:'''<br />
<br />
6:00pm - 6:30pm ... Check-in and Reception (food & beverages)<br />
<br />
6:30pm - 7:15pm ... ''Your Client-Side Security Sucks. Stop Using It.'' – Kurt Grutzmacher<br />
<br />
7:15pm - 8:00pm ... ''NTLM attacks and countermeasures'' – Eric Rachner<br />
<br />
8:00pm - 8:30pm ... Networking Session <br />
<br />
<br />
'''Venue:'''<br />
Robert Half International<br />
5720 Stoneridge Dr<br />
Pleasanton CA 94588<br />
<br />
''Your Client-Side Security Sucks. Stop Using It.''<br />
<br />
'''Presented by:''' Kurt Grutzmacher<br />
<br />
'''Abstract:''' Browser-based security has been used for many years to 'protect' back-end systems from attack or to enhance the user experience. This should not be your only protection and can even open your application to business logic flaws that scanning tools can not detect nor report upon! This talk will show some real world examples of client-side security and the failures they introduced. Business logic flaws such as the MacWorld Expo Platinum Pass will be examined in depth.<br />
<br />
'''Bio:''' Kurt Grutzmacher has been performing Penetration Testing for a "very large financial institution" for nearly a decade and recently moved to a "very large utility company" to start their internal testing program. For two years in a row he has exposed the methods required to obtain free Platinum Passes to MacWorld and is hoping<br />
they'll get it right the third time, he's tired of explaining it to them. Kurt contributes to the Metasploit project occasionally and is currently working on enhancing the project's support for NTLM in web-based attacks. He also randomly blogs at http://grutztopia.jingojango.net/ -- very randomly.<br />
<br />
''NTLM attacks and countermeasures''<br />
<br />
'''Presented by:''' Eric Rachner<br />
<br />
'''Abstract:''' Coming soon.<br />
<br />
'''Bio:''' Coming soon.<br />
<br />
Please RSVP by responding to this email or visit ''http://owaspfeb2008.eventbrite.com''<br />
<br />
Special thanks to Robert Half International for hosting this event and to Cenzic for sponsoring.</div>Ggee