OWASP - User contributions [en]

Password Storage Cheat Sheet

2013-03-12T15:03:39Z

John Steven: /* Introduction */

= Introduction =

Media covers the theft of large collections of passwords on an almost daily basis. Media coverage of password theft discloses the password storage scheme, the weakness of that scheme, and often discloses a large population of compromised credentials that can affect multiple web sites or other applications. This article provides guidance on properly storing passwords, secret question responses, and similar credential information. Proper storage helps prevent theft, compromise, and malicious use of credentials.
Information systems store passwords and other credentials in a variety of protected forms. Common vulnerabilities allow the theft of protected passwords through attack vectors such as SQL Injection. Protected passwords can also be stolen from artifacts such as logs, dumps, and backups.

Specific guidance herein protects against stored credential theft but the bulk of guidance aims to prevent credential compromise. That is, this guidance helps designs resist revealing users’ credentials or allowing system access in the event threats steal protected credential information. For more information and a thorough treatment of this topic, refer to the Secure Password Storage Threat Model here [http://goo.gl/Spvzs http://goo.gl/Spvzs]. The link to this document is here [http://goo.gl/2loKu http://goo.gl/2loKu].

= Guidance =

== Do not limit the character set or length of credentials ==

Some organizations restrict the 1) types of special characters and 2) length of credentials accepted by systems because of their inability to prevent SQL Injection, Cross-site scripting, command-injection and other forms of injection attacks. These restrictions, while well-intentioned, facilitate certain simple attacks such as brute force.

Do not apply length, character set, or encoding restrictions on the entry or storage of credentials. Continue applying encoding, escaping, masking, outright omission, and other best practices to eliminate injection risks.

== Use a cryptographically strong credential-specific salt ==

A salt is fixed-length cryptographically-strong random value. Append credential data to the salt and use this as input to a protective function. Store the protected form appended to the salt as follows:

<code>[protected form] = [salt] + protect([protection func], [salt] + [credential]);</code>

Follow these practices to properly implement credential-specific salts:

* Generate a unique salt upon creation of each stored credential (not just per user or system wide);
* Use cryptographically-strong random [*3] data;
* As storage permits, use a 32bit or 64b salt (actual size dependent on protection function);
* Scheme security does not depend on hiding, splitting, or otherwise obscuring the salt.

Salts serve two purposes: 1) prevent the protected form from revealing two identical credentials and 2) augment entropy fed to protecting function without relying on credential complexity. The second aims to make pre-computed lookup attacks [*2] on an individual credential and time-based attacks on a population intractable.

Virginia

2012-10-15T16:36:36Z

John Steven: /* Next Meeting */

==== About ====

[[Image:Owasp-nova.JPG|right|275px|Owasp-nova.JPG]]The '''OWASP Northern VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge.

We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.

The chapter is committed to providing an engaging experience for a variety of audience types ranging from local students and those beginning in app-sec, to those experienced and accomplished professionals who are looking for competent collaborators for OWASP-related projects. To this end, we will continue to conduct both monthly chapter meetings as well as out-of-band curricula, on application security topics.

{{Chapter Template|chaptername=Virginia|extra =Come see us at a chapter meeting, jump on our Google Group, or email any of us directly.

=== Chapter Board ===
Previously having had a Chapter Leader, then a Chapter "Program Committee", the chapter is now run by a full board (alphabetical order):
* Jeremy Long
* Jack Mannino
* John Steven - Board Chair

Board member responsibilities include:

<pre style="white-space: pre-wrap;"> * Providing governance for chapter and member activities in terms chapter mission and OWASP code of ethics
* Recruiting OWASP membership
* Driving OWASP NoVA Chapter attendance and involvement
* Deferring to, facilitating, and supporting the activities and projects of chapter membership
* Eliciting, scheduling, and coordinating chapter panels, speakers, and other sessions
* Scouting, clearing, and scheduling chapter meeting venues and catering
* Identifying opportunities for collaboration between chapter membership, OWASP global committees, and other organizations
* Collecting and auditing use of chapter funds
* Voting on chapter matters
</pre>
For more information on how the board was elected and what it's responsibilities are, please see: [https://docs.google.com/document/d/1h8GTqsWg2xiTwWAWS-Ra6_GU4eJGt44aa1hFc9EQloU/edit?hl=en_US&authkey=CIS9zFM Chapter Board Election] |mailinglistsite=https://groups.google.com/forum/#!forum/owasp-nova|emailarchives=https://groups.google.com/forum/#!forum/owasp-nova}}

You may also want to follow [http://twitter.com/OWASPNoVA/ @OWASPNoVA] on Twitter.

----
=== Schedule ===

Meetings are (generally) held the first Thursday of the month.

==== Next Meeting ====

'''Date/Time:''' October 4th, 2012 @ 6:30pm

'''Location:''' [http://corporate.livingsocial.com/home LivingSocial], 11600 Sunrise Valley Drive, Reston, VA

'''Registration:''' [http://www.eventbrite.com/event/4430947082 Eventbrite]

'''AGENDA:'''
* News / Updates
* Talk: [https://www.owasp.org/index.php/Dan_Cornell Dan Cornell] - "Benchmarking Web Application Scanners for YOUR Organization", [https://www.owasp.org/images/7/73/OWASP_BenchmarkingWebApplicationScannersForYourOrganization_Content-1.pptx Presentation Slides]
* Firetalks!

'''Presentation Title:'''
Benchmarking Web Application Scanners for YOUR Organization

'''Abstract:'''
Web applications pose significant risks for organizations. The selection of an appropriate scanning product or service can be challenging because every organization develops their web applications differently and decisions made by developers can cause wide swings in the value of different scanning technologies. To make a solid, informed decision, organizations need to create development team- and organization-specific benchmarks for the effectiveness of potential scanning technologies. This involves creating a comprehensive model of false positives, false negatives and other factors prior to mandating analysis technologies and making decisions about application risk management. This presentation provides a model for evaluating application analysis technologies, introduces an open source tool for benchmarking and comparing tool effectiveness, and outlines a process for making organization-specific decisions about analysis technology selection.

'''Speaker Bio:'''
Dan Cornell has over 15 years experience architecting and developing web-based software systems. As CTO, he leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. Dan currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at numerous security conferences, such as RSA in San Francisco, OWASP EU Research in Athens and OWASP AppSec USA in Minneapolis.

Please check back for updates, join the mailing list, or follow us on Twitter ([http://twitter.com/OWASPNoVA/ @OWASPNoVA]).

==== Upcoming Speakers ====

We need speakers and topics! If you want to present, please contact [mailto:John.Steven@owasp.org John] or [mailto:benjamin.tomhave@owasp.org Ben]. We're very open to hearing from all our members.

[http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York View the OWASP NoVA Chapter Calendar] 

 

----

==== Past meetings ====

=== July 2012 ===
'''Date/Time:''' July 12th, 2012 @ 6:30pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home LivingSocial], 11600 Sunrise Valley Drive, Reston, VA

'''AGENDA:'''
* News / Updates
* Talk: [https://www.owasp.org/index.php/John_Steven| John Steven] - "Password Storage Security"
* Firetalks!

'''Presentation Title:'''
"Password Storage Security" [https://www.owasp.org/images/7/78/PSM_-_Problem_Definition.pdf|Password Storage Security.pdf]

'''Abstract:'''
During the June meeting we discussed the LinkedIn password theft which was just beginning its the news cycle. We'll use the July chapter meeting to discuss issues around password hashing and a solution. While wholly different schemes for protecting passwords at rest are preferable, it's instructive to look at hashing passwords as a threat modeling exercise and take the time to follow through to a fix.

To read up on the issue, look at my latest blog post on the topic: [http://goo.gl/sGyi8|Justice League Blog - Securing Password Storage]

For those who were sufficiently intrigued, mystified, or inspired by the presentation on password protection at the last chapter meeting, Coursera is offering a free 6-week Stanford course on cryptography that begins on August 27th ("Learn about the inner workings of cryptographic primitives and how to apply this knowledge in real-world applications!"): [https://www.coursera.org/course/crypto|Crypto Course]

'''Speaker Bio:'''

See [https://www.owasp.org/index.php/John_Steven| John Steven Bio]

=== June 2012 ===
'''Date/Time:''' June 7th, 2012 @ 6:30pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home LivingSocial], 11600 Sunrise Valley Drive, Reston, VA

'''AGENDA:'''
* News / Updates
* Talk: Ken Johnson (LivingSocial) - "AppSec, Ritalin, and Failing Fast"
* Firetalks!

'''Presentation Title:'''
"AppSec, Ritalin, and Failing Fast" [https://www.owasp.org/images/e/e9/Ken_Johnson_July_2012.pptx|AppSec, Ritalin, and Failing Fast.pptx]

'''Abstract:'''
In early April Ken Johnson and Matt Ahrens presented a high-level overview of building an Application Security program at LivingSocial. This talk will differ in that it will focus on the granular aspects involved with introducing security into an incredibly intense development environment. The discussion will be compromised of experiences in:
* Developing technical solutions to solving difficult challenges
* Remaining proactive with an increased workload
* What it means to innovate

'''Speaker Bio:'''

Ken Johnson is the Application Security Manager for LivingSocial.com. Prior to joining LivingSocial.com, Ken worked in various application security consulting roles. Ken is the primary developer of the Web Exploitation Framework (wXf) and enjoys contributing to other open source projects as often as time permits. Ken has spoken at AppSec DC 2010 & 2012, OWASP DC and Phoenix chapters and is a member of the Attack Research Team.

=== May 2012 ===
'''Date/Time:''' May 3rd, 2012 @ 6pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home Living Social], 11600 Sunrise Valley Drive, Reston, VA

'''AGENDA:'''
* News / Updates
* "Chill Out" conversations (formal talked pushed back due to logistical issues)

=== April 2012 ===
'''Date/Time:''' April 16th, 2012 @ 6pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home Living Social], 11600 Sunrise Valley Drive, Reston, VA

'''Food Sponsor:''' Jeremy Long - jeremy.long[at]owasp.org

'''AGENDA:'''
* News / Updates
* Talk: "Malicious Code Detection or BRIC Breaking Through Static Analysis" by Masha Khainson (Cigital)
* Firetalks!
* ISSA NoVA Social @Champps!  :)

'''Presentation Title:''' "Malicious Code Detection or BRIC Breaking Through Static Analysis"

'''Abstract:'''
Malicious Code Detection or BRIC Breaking Through Static Analysis: As
organizations outsource development to less trustworthy providers
malware becomes as much a problem as introduction of honest
vulnerability by one's own development shop. Assessment practices
currently look for vulnerability within source code and a running
systems but these are but a few of windows of opportunity for malware
introduction. This presentation demonstrates an approach for
augmenting an existing security practice with the capability to detect
potentially malicious code through secure code review. First, we show
how to break malicious intent--often quite subtle--into concrete
patterns we can reliably detect. The framework then demonstrates how
to build suspicion around reliance of particular patterns' use in
concert which, increasingly, imply malicious intent. These techniques
will be explained through a demonstration in a real world application.

'''Bio'''
Masha (a.k.a Marina) has dreamed of becoming a security consultant
before she ever knew what a ballerina was, and that's a good thing -
because she does not intend her talk to be a ballet recital. Having
been in software security for over seven years, Ms. Khainson has
delivered Architecture Risk Assessment, Secure Code Review, and
Ethical Hacking on many architectures, platforms and technologies.
Marina has also developed training materials for clients and led
remediation assistance teams.

Prior to joining Cigital, Marina was a member of a research team at a
leading security research provider, where using disassembly as well as
protocol and source code analysis, she provided key information on
newly released vulnerabilities. Before that, Marina assisted the same
research team in producing detailed reports on critical malware and
spyware threats, as well as developing and testing content for network
security devices from some of the top providers of intrusion detection
and prevention technologies.

Download: https://www.owasp.org/index.php/File:MCD-OWASPNoVA.pdf

=== November 2011 ===
'''Date/Time:''' November 3rd, 2011 @ 6pm

'''Location Sponsor:''' [http://www.qinetiq.com/ QinetiQ], 2677 Prosperity Ave Fairfax, VA 22031

'''AGENDA:'''
# News / Updates
# Talk: "Lessons Learned from the SQL Injection Challenge" by Ryan Barnett (Trustwave SpiderLabs)
# Firetalks! :)

'''Presentation Title:''' "Lessons Learned from the SQL Injection Challenge"

'''Abstract:'''
How effective are blacklist filters vs. SQL Injection attacks? What is the failure rate vs. automated scanning or manual testing? Are there any "Time-to-Bypass" metrics? In an attempt to answer these questions, Trustwave SpiderLabs' Research Team (the development team behind the ModSecurity WAF and the OWASP ModSecurity Core Rule Set) held a community "SQL Injection Challenge" to test the effectiveness of the OWASP ModSecurity Core Rule Set protections. This presentation will provide an overview of the challenge, a step-by-step walk-through of the bypass tactics used by the winners, as well as, present a new approach to attack detection using ModSecurity's Lua API to perform Bayesian analysis.

'''Speaker Bio:'''
[mailto:ryan.barnett@owasp.org Ryan C. Barnett] (Twitter: [http://twitter.com/#!/ryancbarnett @ryancbarnett]) is a senior security researcher on Trustwave's SpiderLabs Team. He is a SANS Institute certified instructor and a member of both the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors teams. In addition to working with SANS, he is also a WASC Member where he leads the Web Hacking Incidents Database (WHID) and Distributed Web Honeypots Projects and is also the OWASP ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett has also authored a Web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache".

=== October 2011 ===
'''Date/Time:''' October 6th, 2011 @ 6pm

'''Location/Food Sponsor:''' [http://www.cigital.com/ Cigital], 21351 Ridgetop Circle, Suite 400, Sterling, VA 20166

'''AGENDA:'''
# News / Updates
# AppSec USA 2011 Recap
# Talk: Jack Mannino: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks "OWASP Top 10 Mobile Risks"]
# Firetalks! :)

=== September 2011 ===

The September meeting was cancelled due to inclement weather (flash flooding).

=== August 2011 ===

We held a "social" event at Sweetwater Tavern in Sterling, VA.

=== July 2011 ===

'''Date/Time:''' July 7th, 2011 @ 6pm '''Location Sponsor:''' [http://www.cigital.com Cigital], Suite 400 21351 Ridgetop Circle, Dulles, VA, 20166 '''Food Sponsor:''' '''AGENDA:'''

* News / Updates
* Topic of the Month: iGoat - Ken Van Wyk

=== June 2011 ===

'''Date/Time:''' June 9th, 2011 @ 6pm (*Note: 2nd Thursday of June!) '''Location Sponsor:''' [http://about.collegeboard.org/ The College Board], 11955 Democracy Drive Reston, VA 20190 '''Food Sponsor:''' The College Board '''AGENDA:'''

* News / Updates
* Topic of the Month: [https://www.owasp.org/index.php/Top_10_2010-A4 A4 "Insecure Direct Object References"]
* College Board Speaker: "Attack-in-Depth: Exploits of the OWASP Top Ten in Action"
* Firetalks! :)
- Jack Mannino: "Android Security 101"
- Others!

=== May 2011 ===

'''Date/Time:''' Cinco de Mayo (May 5th), 2011 @ 6pm '''Location Sponsor:''' [http://www.akamai.com/ Akamai], 11111 Sunset Hills Dr, Suite 250, Reston, VA 20190 '''Food Sponsor:''' Akamai '''AGENDA:'''

* News / Updates
* 2011 Election (voice vote on the entire slate)
* Topic of the Month: [http://www.owasp.org/index.php/Top_10_2010-A3 A3 "Broken Authentication and Session Management"]
* Speaker: Steve Witmer on A3 from the "breakers" perspective
* Speaker: ??? on A3 from the "fixers/defenders" perspective
* Firetalks! :)
* '''Update:''' All election candidates were elected by voice vote.
* Please see: [https://docs.google.com/document/d/1h8GTqsWg2xiTwWAWS-Ra6_GU4eJGt44aa1hFc9EQloU/edit?hl=en_US&authkey=CIS9zFM '11 Chapter Board Election Material]

=== April 2011 ===

'''Date/Time:''' April 7, 2011 @ 6pm '''Location Sponsor:''' [http://www.reversespace.com/ ReverseSpace], 13505 Dulles Technology Dr, Suite 3, Herndon, VA 20171 '''Food Sponsor:''' [https://www.cigital.com Cigital] '''AGENDA:'''

* News / Updates
* 2011 Election
* Topic of the Month: [http://www.owasp.org/index.php/Top_10_2010-A2 A2 "Cross-Site Scripting (XSS)"]
* Preso:"Cross-Site Scripting is Not Your Friend: XSS and the Facebook Platform" by Joey Tyson ([https://www.owasp.org/images/9/92/Xssnotfriend-edited.pptx PPTX] or [https://www.owasp.org/images/0/06/Xssnotfriend-edited.pdf PDF])
* Preso:“XSS Remediation” by Cassia Martin ([https://www.owasp.org/images/6/66/XSS_Remediation.ppt PPT])
* Preso:"Growing the secure application developer community through expanded curricula" by Tony Gottlieb
* FireTalks (bring it!)

 

=== March 2011 ===

'''Date/Time:''' March 3, 2011 @ 6pm '''Location Sponsor:''' [http://www.boozallen.com/ Booz Allen Hamilton], 13200 Woodland Park Road, Herndon, VA 20171 '''AGENDA:'''

* News / Updates
* [http://www.owasp.org/index.php/OWASP_Summit_2011 OWASP Summit 2011] In Review
* Preso: [http://www.owasp.org/index.php/Top_10_2010-A1-Injection A1 "Injection"]
* Briefing: Training/Preso Plan for the Year

=== February 2011 ===

'''Date/Time:''' February 3, 2011 @ 6pm '''Location Sponsor:''' [http://www.akamai.com/ Akamai], 11111 Sunset HIlls Dr, Suite 250, Reston, VA 20190 '''AGENDA:'''

* News / Updates
* Feedback for [http://www.owasp.org/index.php/OWASP_Summit_2011 OWASP Summit 2011]
* Preso: Intro to [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top 10] + 2
* Briefing: Training/Preso Plan for the Year

=== December 2010 ===

'''Date/Time:''' December 2, 2010 @ 6pm '''Location Sponsor:''' [http://hackerspaces.org/wiki/Reverse_Space ReverseSpace], 13505 Dulles Technology Drive, Herndon, VA '''AGENDA:'''

* 2011 Planning Session (Schedule, Volunteers, Speakers, Topics)
* Lightning Talks!! (Bring an idea, a question, a topic, whatever - 5-10 minute talks max!)
* Social / Networking (BYOB!)

=== November 2010 ===

'''Date/Time:''' November 4, 2010 @ 6pm '''Location Sponsor:''' Akamai, 11111 Sunset Hills Rd, Suite #250, Reston, VA '''Speaker:''' Ben Tomhave '''Title:''' The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform '''Description:''' What we're doing today is not working and isn't sustainable. The fundamental culture of the average business does not encourage making good security decisions. Software shops continue to focus on functionality and timelines, neglecting information security. In spite of regulations like PCI and HIPAA+HITECH, which are levying fines against organizations for their security failures, the tipping point has clearly not been reached to cause meaningful change. Much of this problem can be attributed to the excessive use of negative incentives (sticks) instead of providing positive incentives (carrots) that inspire better decision making and motivate true change. Fortunately, it's not too late to change tactics and start achieving demonstrable success. '''Speaker Bio:''' Ben Tomhave is a Senior Security Analyst with Gemini Security Solutions in Chantilly, VA, specializing in solutions architecture, security planning, program development and management, and other strategic security solutions. He holds a MS in Engineering Management with an Information Security Management concentration from The George Washington University and is a CISSP.

=== June 2010 ===

'''DATE''': Thursday, June 3rd, 6pm Eastern Daylight Time '''LOCATION''': Booz Allen Hamilton - 13200 Woodland Park Road Herndon, VA 20171 '''SPEAKER''': Alex Hutton, Verizon Business and http://www.newschoolsecurity.com/ '''TOPIC''': Risk Management - Time to blow it up and start over? 

'''DESCRIPTION''':

A redux of the presentation that Alex delivered at B-Sides San Francisco during RSA 2010. "Now that the industry is trying to formalize the concept of risk management into neat little compartments like standards (ISO 27005/31000), certifications (CRISC) and products (GRC) guess what? We're doing it wrong. Fundamentally wrong. This talk will discuss why all this current risk management stuff is goofy and what sort of alternatives we have that might help us understand our ability to protect, our tendency towards failure, and how to match that up with what management will stomach."

Slides are available from: http://www.slideshare.net/BSides/risk-management-time-to-blow-it-up-and-start-over-alex-hutton

 '''SPECIAL SPEAKER''':

[http://twitter.com/tiffanyrad Tiffany Rad] provided an overview and update on [http://twitter.com/reversespace Reverse Space] in Herndon, VA. For more information, or to help out, please join the [http://groups.google.com/group/ReverseSpace Reverse Space Google Group].

 

=== May 2010 ===

'''DATE''': Tuesday, May 18th, 6pm Eastern Daylight Time '''LOCATION''': Booz Allen Hamilton - 13200 Woodland Park Road Herndon, VA 20171 '''SPEAKER'''': Jeff Ennis, Senior Solutions Architect, Veracode '''TITLE''': State of Software Security ([[Image:State of Software Security-Ennis.ppsx.zip]]) '''DESCRIPTION''':

A discussion of the current state of software security based on the compiled findings by Veracode from the dynamic and static code analysis they have performed for customers.

 

=== September 2009 ===

'''DATE''': Thursday, September 17, 2009. 6:00pm Eastern Daylight Time '''LOCATION''': 22260 Pacific blvd, Sterling, VA. 20166 '''TOPIC''': "Fortify 360" '''SPEAKER''': Erik Klein (Fortify Software), Eric Dalci (Cigital) '''DESCRIPTION''':

We're pleased to invite you to our next week's OWASP Session (Thursday September 17th). We will be hosting a presentation, demo and hands on session of Fortify 360 (http://www.fortify.com). Fortify 360 includes Fortify SCA (Source Code Analyzer) and the Fortify 360 Server which is Fortify's solution for an enterprise deployment of SCA. The session will start with a presentation by Fortify engineers, followed by a demo and finally a hands on session where the audience will be free to install Fortify SCA on the machine and try it the SCA tool on a sample application that we will provide. The audience will also be introduced with the Fortify 360 Server and try some of the enterprise level features such as collaborative code review, metrics and so on. Bring your laptop if you want to try Fortify 360!

The target audience is anyone interested in Secure Code Review with a Static Analysis tool at the desktop level and/or enterprise level. We will need to register visitors before hand...please email wade.woolwine@owasp.org for registration and confirm attendance. Pizza and refreshments will be served.

 

'''DATE''': Thursday, September 3, 2009. 6:00pm. '''LOCATION''': 13200 Woodland Park Road Herndon, VA 20171 '''TOPIC''': "Conducting Application Assessment" '''SPEAKER''': Jeremy Epstein, SRI '''DESCRIPTION''':

After the 2000 election, many states launched headlong into electronic voting systems to avoid the problems with "hanging chads". Once problems with those systems started appearing, many localities started moving to optical scan, which was used by a majority of US voters in the 2008 election. There are other technologies in use around the country, including lever machines, vote-by-mail, vote-by-phone, and Internet voting. What are the tradeoffs among these technologies? Particularly relevant to OWASP, what are the security issues associated with different types of equipment, and what measures do vendors of voting equipment use to try to address the security problems? Are software security problems important, or can non-technical measures protect against them? In this talk, we'll discuss a wide variety of voting technologies, and their pros and cons from both a technical and societal perspective.

'''ABOUT THE SPEAKER''':

Jeremy Epstein is Senior Computer Scientist at SRI International. His background includes more than 20 years experience in computer security research, product development, and consulting. Prior to joining SRI International, he was Principal Consultant with Cigital, and before that spent nine years as Senior Director of Product Security at Software AG, an international business software company. Within the area of voting systems, Jeremy has been involved for over five years in voting technology and advocacy, both as an employee and as an independent consultant.

 

=== July 2009 ===

'''DATE''': July 9th 6pm-9pm EST '''LOCATION''': 13200 Woodland Park Road Herndon, VA 20171 '''TOPIC''': "Ounce's 02" '''SPEAKER(S)''': Dinis Cruz, OWASP, Ounce Labs. '''DESCRIPTION''': So what is O2?

Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)

Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).

Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.

Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)

The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.

=== June 2009 ===

''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model'' Later, an interview: ''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security'' '' ''

Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups.

Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group.

Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]

=== May 2009 ===

''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis'' Later, a panel:

*Steven Lavenhar, Booz Allen Hamilton;
*Eric Dalci, Cigital Inc.

Panel moderated by John Steven 

This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.

Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]

=== April 2009 ===

''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008''' Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk. 

Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf

 Later,

*Nate Miller, Stratum Security;
*Jeremiah Grossman, Whitehat Security;
*Tom Brennan, Whitehat Security; and
*Wade Woolwine, AOL

served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.

=== February 2009 ===

''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''

Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.

This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.

Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."

(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )

Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip|WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]

''John Steven, Cigital'': '''Moving Beyond Top N Lists'''

Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip|Moving Beyond Top N Lists]]

 Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.

John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.

=== January 2009 ===

To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.

''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''

Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices.

Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.

Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]

''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''

The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially-workable open standards that are tailored to specific web-based technologies.

Mike Boberski works at Booz Allen Hamilton. He has a background in application security and the use of cryptography by applications. He is experienced in trusted product evaluation, security-related software development and integration, and cryptomodule testing. For OWASP, he is the project lead and a co-author of the OWASP Application Security Verification Standard, the first OWASP standard.

Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]

=== November 2008 ===

For our November 2008 meeting, we had two great presentations on software assurance and security testing.

''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''

Nadya's presentation will provide an update on the Software Assurance Forum efforts to establish a comprehensive framework for software assurance (SwA) and security measurement. The Framework addresses measuring achievement of SwA goals and objectives within the context of individual projects, programs, or enterprises. It targets a variety of audiences including executives, developers, vendors, suppliers, and buyers. The Framework leverages existing measurement methodologies, including Practical Software and System Measurement (PSM); CMMI Goal, Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC 27004 and identifies commonalities among the methodologies to help organizations integrate SwA measurement in their overall measurement efforts cost-effectively and as seamlessly as possible, rather than establish a standalone SwA measurement effort within an organization. The presentation will provide an update on the SwA Forum Measurement Working Group work, present the current version of the Framework and underlying measures development and implementation processes, and propose example SwA measures applicable to a variety of SwA stakeholders. The presentation will update the group on the latest NIST and ISO standards on information security measurement that are being integrated into the Framework as the standards are being developed.

Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]

''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''

The Web Security Testing Cookbook (O'Reilly & Associates, October 2008) gives developers and testers the tools they need to make security testing a regular part of their development lifecycle. Its recipe style approach covers manual, exploratory testing as well automated techniques that you can make part of your unit tests or regression cycle. The recipes cover the basics like observing messages between clients and servers, to multi-phase tests that script the login and execution of web application features. This book complements many of the security texts in the market that tell you what a vulnerability is, but not how to systematically test it day in and day out. Leverage the recipes in this book to add significant security coverage to your testing without adding significant time and cost to your effort.

Congratulations to Tim Bond who won an autographed copy of Paco's book. Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]

Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]

=== October 2008 ===

For our October 2008 meeting, we had two fascinating talks relating to forensics.

''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''

Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.

Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]

''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''

Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.

Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]

=== History ===

The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.

==== Chapter Groups ====

Within the chapter, various common interests spring up. We've created Google groups to manage collaboration amongst participants for these topics. Feel free to join and participate in:

*[http://groups.google.com/group/novaowasp_threatmodeling Threat Modeling]
*[http://groups.google.com/group/novaowasp_mobile Mobile]

=== OWASP NoVa Members On Twitter ===

John Steven [http://twitter.com/m1splacedsoul http://twitter.com/m1splacedsoul]

Jack Mannino [http://twitter.com/jack_mannino http://twitter.com/jack_mannino]

Ben Tomhave [http://twitter.com/falconsview http://twitter.com/falconsview]

Ken Johnson [http://twitter.com/cktricky http://twitter.com/cktricky]

Mike Smith [http://twitter.com/rybolov http://twitter.com/rybolov]

Trevor Hawthorn [http://twitter.com/packetwerks http://twitter.com/packetwerks]

Jeremy Long [http://twitter.com/ctxt http://twitter.com/ctxt]

Ari Elias-Bachrach [http://twitter.com/angelofsecurity http://twitter.com/angelofsecurity]

Venkat Sundaram [http://twitter.com/Vnk3889 http://twitter.com/Vnk3889]

==== Knowledge ====

The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:

*Threat Modeling
*[[Code Review and Static Analysis with tools]]
*Penetration Testing and Dynamic Analysis tools
*Monitoring/Dynamic patching (WAFs)

Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:

*ASVS

=== Static Analysis Curriculum ===

*For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].

The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].

[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]

'''Contacts''' Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.

 

=== Flash Talk Resources ===

Chandu Ketkar on OFS. Download: [http://www.owasp.org/images/1/1c/OFS.pptx OFS Presentation.] [http://jack-mannino.blogspot.com/ Jack Mannino] on Google and Searching for Personal Information Jesse Ou on XML Bombs. Download: [http://www.owasp.org/images/1/18/OWASP_JOU_XML_DTD_Attacks.pptx XML DTD Presentation] 

__NOTOC__ <headertabs />

<paypal>Northern Virginia</paypal>

[[Category:Virginia]] [[Category:Washington,_DC]]

File:OWASP BenchmarkingWebApplicationScannersForYourOrganization Content-1.pptx

2012-10-15T16:34:58Z

John Steven:

Virginia

2012-10-15T16:32:33Z

John Steven:

==== About ====

[[Image:Owasp-nova.JPG|right|275px|Owasp-nova.JPG]]The '''OWASP Northern VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge.

We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.

The chapter is committed to providing an engaging experience for a variety of audience types ranging from local students and those beginning in app-sec, to those experienced and accomplished professionals who are looking for competent collaborators for OWASP-related projects. To this end, we will continue to conduct both monthly chapter meetings as well as out-of-band curricula, on application security topics.

{{Chapter Template|chaptername=Virginia|extra =Come see us at a chapter meeting, jump on our Google Group, or email any of us directly.

=== Chapter Board ===
Previously having had a Chapter Leader, then a Chapter "Program Committee", the chapter is now run by a full board (alphabetical order):
* Jeremy Long
* Jack Mannino
* John Steven - Board Chair

Board member responsibilities include:

<pre style="white-space: pre-wrap;"> * Providing governance for chapter and member activities in terms chapter mission and OWASP code of ethics
* Recruiting OWASP membership
* Driving OWASP NoVA Chapter attendance and involvement
* Deferring to, facilitating, and supporting the activities and projects of chapter membership
* Eliciting, scheduling, and coordinating chapter panels, speakers, and other sessions
* Scouting, clearing, and scheduling chapter meeting venues and catering
* Identifying opportunities for collaboration between chapter membership, OWASP global committees, and other organizations
* Collecting and auditing use of chapter funds
* Voting on chapter matters
</pre>
For more information on how the board was elected and what it's responsibilities are, please see: [https://docs.google.com/document/d/1h8GTqsWg2xiTwWAWS-Ra6_GU4eJGt44aa1hFc9EQloU/edit?hl=en_US&authkey=CIS9zFM Chapter Board Election] |mailinglistsite=https://groups.google.com/forum/#!forum/owasp-nova|emailarchives=https://groups.google.com/forum/#!forum/owasp-nova}}

You may also want to follow [http://twitter.com/OWASPNoVA/ @OWASPNoVA] on Twitter.

----
=== Schedule ===

Meetings are (generally) held the first Thursday of the month.

==== Next Meeting ====

'''Date/Time:''' October 4th, 2012 @ 6:30pm

'''Location:''' [http://corporate.livingsocial.com/home LivingSocial], 11600 Sunrise Valley Drive, Reston, VA

'''Registration:''' [http://www.eventbrite.com/event/4430947082 Eventbrite]

'''AGENDA:'''
* News / Updates
* Talk: [https://www.owasp.org/index.php/Dan_Cornell Dan Cornell] - "Benchmarking Web Application Scanners for YOUR Organization"
* Firetalks!

'''Presentation Title:'''
Benchmarking Web Application Scanners for YOUR Organization

'''Abstract:'''
Web applications pose significant risks for organizations. The selection of an appropriate scanning product or service can be challenging because every organization develops their web applications differently and decisions made by developers can cause wide swings in the value of different scanning technologies. To make a solid, informed decision, organizations need to create development team- and organization-specific benchmarks for the effectiveness of potential scanning technologies. This involves creating a comprehensive model of false positives, false negatives and other factors prior to mandating analysis technologies and making decisions about application risk management. This presentation provides a model for evaluating application analysis technologies, introduces an open source tool for benchmarking and comparing tool effectiveness, and outlines a process for making organization-specific decisions about analysis technology selection.

'''Speaker Bio:'''
Dan Cornell has over 15 years experience architecting and developing web-based software systems. As CTO, he leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. Dan currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at numerous security conferences, such as RSA in San Francisco, OWASP EU Research in Athens and OWASP AppSec USA in Minneapolis.

Please check back for updates, join the mailing list, or follow us on Twitter ([http://twitter.com/OWASPNoVA/ @OWASPNoVA]).

==== Upcoming Speakers ====

We need speakers and topics! If you want to present, please contact [mailto:John.Steven@owasp.org John] or [mailto:benjamin.tomhave@owasp.org Ben]. We're very open to hearing from all our members.

[http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York View the OWASP NoVA Chapter Calendar] 

 

----

==== Past meetings ====

=== July 2012 ===
'''Date/Time:''' July 12th, 2012 @ 6:30pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home LivingSocial], 11600 Sunrise Valley Drive, Reston, VA

'''AGENDA:'''
* News / Updates
* Talk: [https://www.owasp.org/index.php/John_Steven| John Steven] - "Password Storage Security"
* Firetalks!

'''Presentation Title:'''
"Password Storage Security" [https://www.owasp.org/images/7/78/PSM_-_Problem_Definition.pdf|Password Storage Security.pdf]

'''Abstract:'''
During the June meeting we discussed the LinkedIn password theft which was just beginning its the news cycle. We'll use the July chapter meeting to discuss issues around password hashing and a solution. While wholly different schemes for protecting passwords at rest are preferable, it's instructive to look at hashing passwords as a threat modeling exercise and take the time to follow through to a fix.

To read up on the issue, look at my latest blog post on the topic: [http://goo.gl/sGyi8|Justice League Blog - Securing Password Storage]

For those who were sufficiently intrigued, mystified, or inspired by the presentation on password protection at the last chapter meeting, Coursera is offering a free 6-week Stanford course on cryptography that begins on August 27th ("Learn about the inner workings of cryptographic primitives and how to apply this knowledge in real-world applications!"): [https://www.coursera.org/course/crypto|Crypto Course]

'''Speaker Bio:'''

See [https://www.owasp.org/index.php/John_Steven| John Steven Bio]

=== June 2012 ===
'''Date/Time:''' June 7th, 2012 @ 6:30pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home LivingSocial], 11600 Sunrise Valley Drive, Reston, VA

'''AGENDA:'''
* News / Updates
* Talk: Ken Johnson (LivingSocial) - "AppSec, Ritalin, and Failing Fast"
* Firetalks!

'''Presentation Title:'''
"AppSec, Ritalin, and Failing Fast" [https://www.owasp.org/images/e/e9/Ken_Johnson_July_2012.pptx|AppSec, Ritalin, and Failing Fast.pptx]

'''Abstract:'''
In early April Ken Johnson and Matt Ahrens presented a high-level overview of building an Application Security program at LivingSocial. This talk will differ in that it will focus on the granular aspects involved with introducing security into an incredibly intense development environment. The discussion will be compromised of experiences in:
* Developing technical solutions to solving difficult challenges
* Remaining proactive with an increased workload
* What it means to innovate

'''Speaker Bio:'''

Ken Johnson is the Application Security Manager for LivingSocial.com. Prior to joining LivingSocial.com, Ken worked in various application security consulting roles. Ken is the primary developer of the Web Exploitation Framework (wXf) and enjoys contributing to other open source projects as often as time permits. Ken has spoken at AppSec DC 2010 & 2012, OWASP DC and Phoenix chapters and is a member of the Attack Research Team.

=== May 2012 ===
'''Date/Time:''' May 3rd, 2012 @ 6pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home Living Social], 11600 Sunrise Valley Drive, Reston, VA

'''AGENDA:'''
* News / Updates
* "Chill Out" conversations (formal talked pushed back due to logistical issues)

=== April 2012 ===
'''Date/Time:''' April 16th, 2012 @ 6pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home Living Social], 11600 Sunrise Valley Drive, Reston, VA

'''Food Sponsor:''' Jeremy Long - jeremy.long[at]owasp.org

'''AGENDA:'''
* News / Updates
* Talk: "Malicious Code Detection or BRIC Breaking Through Static Analysis" by Masha Khainson (Cigital)
* Firetalks!
* ISSA NoVA Social @Champps!  :)

'''Presentation Title:''' "Malicious Code Detection or BRIC Breaking Through Static Analysis"

'''Abstract:'''
Malicious Code Detection or BRIC Breaking Through Static Analysis: As
organizations outsource development to less trustworthy providers
malware becomes as much a problem as introduction of honest
vulnerability by one's own development shop. Assessment practices
currently look for vulnerability within source code and a running
systems but these are but a few of windows of opportunity for malware
introduction. This presentation demonstrates an approach for
augmenting an existing security practice with the capability to detect
potentially malicious code through secure code review. First, we show
how to break malicious intent--often quite subtle--into concrete
patterns we can reliably detect. The framework then demonstrates how
to build suspicion around reliance of particular patterns' use in
concert which, increasingly, imply malicious intent. These techniques
will be explained through a demonstration in a real world application.

'''Bio'''
Masha (a.k.a Marina) has dreamed of becoming a security consultant
before she ever knew what a ballerina was, and that's a good thing -
because she does not intend her talk to be a ballet recital. Having
been in software security for over seven years, Ms. Khainson has
delivered Architecture Risk Assessment, Secure Code Review, and
Ethical Hacking on many architectures, platforms and technologies.
Marina has also developed training materials for clients and led
remediation assistance teams.

Prior to joining Cigital, Marina was a member of a research team at a
leading security research provider, where using disassembly as well as
protocol and source code analysis, she provided key information on
newly released vulnerabilities. Before that, Marina assisted the same
research team in producing detailed reports on critical malware and
spyware threats, as well as developing and testing content for network
security devices from some of the top providers of intrusion detection
and prevention technologies.

Download: https://www.owasp.org/index.php/File:MCD-OWASPNoVA.pdf

=== November 2011 ===
'''Date/Time:''' November 3rd, 2011 @ 6pm

'''Location Sponsor:''' [http://www.qinetiq.com/ QinetiQ], 2677 Prosperity Ave Fairfax, VA 22031

'''AGENDA:'''
# News / Updates
# Talk: "Lessons Learned from the SQL Injection Challenge" by Ryan Barnett (Trustwave SpiderLabs)
# Firetalks! :)

'''Presentation Title:''' "Lessons Learned from the SQL Injection Challenge"

'''Abstract:'''
How effective are blacklist filters vs. SQL Injection attacks? What is the failure rate vs. automated scanning or manual testing? Are there any "Time-to-Bypass" metrics? In an attempt to answer these questions, Trustwave SpiderLabs' Research Team (the development team behind the ModSecurity WAF and the OWASP ModSecurity Core Rule Set) held a community "SQL Injection Challenge" to test the effectiveness of the OWASP ModSecurity Core Rule Set protections. This presentation will provide an overview of the challenge, a step-by-step walk-through of the bypass tactics used by the winners, as well as, present a new approach to attack detection using ModSecurity's Lua API to perform Bayesian analysis.

'''Speaker Bio:'''
[mailto:ryan.barnett@owasp.org Ryan C. Barnett] (Twitter: [http://twitter.com/#!/ryancbarnett @ryancbarnett]) is a senior security researcher on Trustwave's SpiderLabs Team. He is a SANS Institute certified instructor and a member of both the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors teams. In addition to working with SANS, he is also a WASC Member where he leads the Web Hacking Incidents Database (WHID) and Distributed Web Honeypots Projects and is also the OWASP ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett has also authored a Web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache".

=== October 2011 ===
'''Date/Time:''' October 6th, 2011 @ 6pm

'''Location/Food Sponsor:''' [http://www.cigital.com/ Cigital], 21351 Ridgetop Circle, Suite 400, Sterling, VA 20166

'''AGENDA:'''
# News / Updates
# AppSec USA 2011 Recap
# Talk: Jack Mannino: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks "OWASP Top 10 Mobile Risks"]
# Firetalks! :)

=== September 2011 ===

The September meeting was cancelled due to inclement weather (flash flooding).

=== August 2011 ===

We held a "social" event at Sweetwater Tavern in Sterling, VA.

=== July 2011 ===

'''Date/Time:''' July 7th, 2011 @ 6pm '''Location Sponsor:''' [http://www.cigital.com Cigital], Suite 400 21351 Ridgetop Circle, Dulles, VA, 20166 '''Food Sponsor:''' '''AGENDA:'''

* News / Updates
* Topic of the Month: iGoat - Ken Van Wyk

=== June 2011 ===

'''Date/Time:''' June 9th, 2011 @ 6pm (*Note: 2nd Thursday of June!) '''Location Sponsor:''' [http://about.collegeboard.org/ The College Board], 11955 Democracy Drive Reston, VA 20190 '''Food Sponsor:''' The College Board '''AGENDA:'''

* News / Updates
* Topic of the Month: [https://www.owasp.org/index.php/Top_10_2010-A4 A4 "Insecure Direct Object References"]
* College Board Speaker: "Attack-in-Depth: Exploits of the OWASP Top Ten in Action"
* Firetalks! :)
- Jack Mannino: "Android Security 101"
- Others!

=== May 2011 ===

'''Date/Time:''' Cinco de Mayo (May 5th), 2011 @ 6pm '''Location Sponsor:''' [http://www.akamai.com/ Akamai], 11111 Sunset Hills Dr, Suite 250, Reston, VA 20190 '''Food Sponsor:''' Akamai '''AGENDA:'''

* News / Updates
* 2011 Election (voice vote on the entire slate)
* Topic of the Month: [http://www.owasp.org/index.php/Top_10_2010-A3 A3 "Broken Authentication and Session Management"]
* Speaker: Steve Witmer on A3 from the "breakers" perspective
* Speaker: ??? on A3 from the "fixers/defenders" perspective
* Firetalks! :)
* '''Update:''' All election candidates were elected by voice vote.
* Please see: [https://docs.google.com/document/d/1h8GTqsWg2xiTwWAWS-Ra6_GU4eJGt44aa1hFc9EQloU/edit?hl=en_US&authkey=CIS9zFM '11 Chapter Board Election Material]

=== April 2011 ===

'''Date/Time:''' April 7, 2011 @ 6pm '''Location Sponsor:''' [http://www.reversespace.com/ ReverseSpace], 13505 Dulles Technology Dr, Suite 3, Herndon, VA 20171 '''Food Sponsor:''' [https://www.cigital.com Cigital] '''AGENDA:'''

* News / Updates
* 2011 Election
* Topic of the Month: [http://www.owasp.org/index.php/Top_10_2010-A2 A2 "Cross-Site Scripting (XSS)"]
* Preso:"Cross-Site Scripting is Not Your Friend: XSS and the Facebook Platform" by Joey Tyson ([https://www.owasp.org/images/9/92/Xssnotfriend-edited.pptx PPTX] or [https://www.owasp.org/images/0/06/Xssnotfriend-edited.pdf PDF])
* Preso:“XSS Remediation” by Cassia Martin ([https://www.owasp.org/images/6/66/XSS_Remediation.ppt PPT])
* Preso:"Growing the secure application developer community through expanded curricula" by Tony Gottlieb
* FireTalks (bring it!)

 

=== March 2011 ===

'''Date/Time:''' March 3, 2011 @ 6pm '''Location Sponsor:''' [http://www.boozallen.com/ Booz Allen Hamilton], 13200 Woodland Park Road, Herndon, VA 20171 '''AGENDA:'''

* News / Updates
* [http://www.owasp.org/index.php/OWASP_Summit_2011 OWASP Summit 2011] In Review
* Preso: [http://www.owasp.org/index.php/Top_10_2010-A1-Injection A1 "Injection"]
* Briefing: Training/Preso Plan for the Year

=== February 2011 ===

'''Date/Time:''' February 3, 2011 @ 6pm '''Location Sponsor:''' [http://www.akamai.com/ Akamai], 11111 Sunset HIlls Dr, Suite 250, Reston, VA 20190 '''AGENDA:'''

* News / Updates
* Feedback for [http://www.owasp.org/index.php/OWASP_Summit_2011 OWASP Summit 2011]
* Preso: Intro to [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top 10] + 2
* Briefing: Training/Preso Plan for the Year

=== December 2010 ===

'''Date/Time:''' December 2, 2010 @ 6pm '''Location Sponsor:''' [http://hackerspaces.org/wiki/Reverse_Space ReverseSpace], 13505 Dulles Technology Drive, Herndon, VA '''AGENDA:'''

* 2011 Planning Session (Schedule, Volunteers, Speakers, Topics)
* Lightning Talks!! (Bring an idea, a question, a topic, whatever - 5-10 minute talks max!)
* Social / Networking (BYOB!)

=== November 2010 ===

'''Date/Time:''' November 4, 2010 @ 6pm '''Location Sponsor:''' Akamai, 11111 Sunset Hills Rd, Suite #250, Reston, VA '''Speaker:''' Ben Tomhave '''Title:''' The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform '''Description:''' What we're doing today is not working and isn't sustainable. The fundamental culture of the average business does not encourage making good security decisions. Software shops continue to focus on functionality and timelines, neglecting information security. In spite of regulations like PCI and HIPAA+HITECH, which are levying fines against organizations for their security failures, the tipping point has clearly not been reached to cause meaningful change. Much of this problem can be attributed to the excessive use of negative incentives (sticks) instead of providing positive incentives (carrots) that inspire better decision making and motivate true change. Fortunately, it's not too late to change tactics and start achieving demonstrable success. '''Speaker Bio:''' Ben Tomhave is a Senior Security Analyst with Gemini Security Solutions in Chantilly, VA, specializing in solutions architecture, security planning, program development and management, and other strategic security solutions. He holds a MS in Engineering Management with an Information Security Management concentration from The George Washington University and is a CISSP.

=== June 2010 ===

'''DATE''': Thursday, June 3rd, 6pm Eastern Daylight Time '''LOCATION''': Booz Allen Hamilton - 13200 Woodland Park Road Herndon, VA 20171 '''SPEAKER''': Alex Hutton, Verizon Business and http://www.newschoolsecurity.com/ '''TOPIC''': Risk Management - Time to blow it up and start over? 

'''DESCRIPTION''':

A redux of the presentation that Alex delivered at B-Sides San Francisco during RSA 2010. "Now that the industry is trying to formalize the concept of risk management into neat little compartments like standards (ISO 27005/31000), certifications (CRISC) and products (GRC) guess what? We're doing it wrong. Fundamentally wrong. This talk will discuss why all this current risk management stuff is goofy and what sort of alternatives we have that might help us understand our ability to protect, our tendency towards failure, and how to match that up with what management will stomach."

Slides are available from: http://www.slideshare.net/BSides/risk-management-time-to-blow-it-up-and-start-over-alex-hutton

 '''SPECIAL SPEAKER''':

[http://twitter.com/tiffanyrad Tiffany Rad] provided an overview and update on [http://twitter.com/reversespace Reverse Space] in Herndon, VA. For more information, or to help out, please join the [http://groups.google.com/group/ReverseSpace Reverse Space Google Group].

 

=== May 2010 ===

'''DATE''': Tuesday, May 18th, 6pm Eastern Daylight Time '''LOCATION''': Booz Allen Hamilton - 13200 Woodland Park Road Herndon, VA 20171 '''SPEAKER'''': Jeff Ennis, Senior Solutions Architect, Veracode '''TITLE''': State of Software Security ([[Image:State of Software Security-Ennis.ppsx.zip]]) '''DESCRIPTION''':

A discussion of the current state of software security based on the compiled findings by Veracode from the dynamic and static code analysis they have performed for customers.

 

=== September 2009 ===

'''DATE''': Thursday, September 17, 2009. 6:00pm Eastern Daylight Time '''LOCATION''': 22260 Pacific blvd, Sterling, VA. 20166 '''TOPIC''': "Fortify 360" '''SPEAKER''': Erik Klein (Fortify Software), Eric Dalci (Cigital) '''DESCRIPTION''':

We're pleased to invite you to our next week's OWASP Session (Thursday September 17th). We will be hosting a presentation, demo and hands on session of Fortify 360 (http://www.fortify.com). Fortify 360 includes Fortify SCA (Source Code Analyzer) and the Fortify 360 Server which is Fortify's solution for an enterprise deployment of SCA. The session will start with a presentation by Fortify engineers, followed by a demo and finally a hands on session where the audience will be free to install Fortify SCA on the machine and try it the SCA tool on a sample application that we will provide. The audience will also be introduced with the Fortify 360 Server and try some of the enterprise level features such as collaborative code review, metrics and so on. Bring your laptop if you want to try Fortify 360!

The target audience is anyone interested in Secure Code Review with a Static Analysis tool at the desktop level and/or enterprise level. We will need to register visitors before hand...please email wade.woolwine@owasp.org for registration and confirm attendance. Pizza and refreshments will be served.

 

'''DATE''': Thursday, September 3, 2009. 6:00pm. '''LOCATION''': 13200 Woodland Park Road Herndon, VA 20171 '''TOPIC''': "Conducting Application Assessment" '''SPEAKER''': Jeremy Epstein, SRI '''DESCRIPTION''':

After the 2000 election, many states launched headlong into electronic voting systems to avoid the problems with "hanging chads". Once problems with those systems started appearing, many localities started moving to optical scan, which was used by a majority of US voters in the 2008 election. There are other technologies in use around the country, including lever machines, vote-by-mail, vote-by-phone, and Internet voting. What are the tradeoffs among these technologies? Particularly relevant to OWASP, what are the security issues associated with different types of equipment, and what measures do vendors of voting equipment use to try to address the security problems? Are software security problems important, or can non-technical measures protect against them? In this talk, we'll discuss a wide variety of voting technologies, and their pros and cons from both a technical and societal perspective.

'''ABOUT THE SPEAKER''':

Jeremy Epstein is Senior Computer Scientist at SRI International. His background includes more than 20 years experience in computer security research, product development, and consulting. Prior to joining SRI International, he was Principal Consultant with Cigital, and before that spent nine years as Senior Director of Product Security at Software AG, an international business software company. Within the area of voting systems, Jeremy has been involved for over five years in voting technology and advocacy, both as an employee and as an independent consultant.

 

=== July 2009 ===

'''DATE''': July 9th 6pm-9pm EST '''LOCATION''': 13200 Woodland Park Road Herndon, VA 20171 '''TOPIC''': "Ounce's 02" '''SPEAKER(S)''': Dinis Cruz, OWASP, Ounce Labs. '''DESCRIPTION''': So what is O2?

Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)

Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).

Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.

Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)

The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.

=== June 2009 ===

''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model'' Later, an interview: ''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security'' '' ''

Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups.

Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group.

Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]

=== May 2009 ===

''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis'' Later, a panel:

*Steven Lavenhar, Booz Allen Hamilton;
*Eric Dalci, Cigital Inc.

Panel moderated by John Steven 

This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.

Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]

=== April 2009 ===

''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008''' Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk. 

Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf

 Later,

*Nate Miller, Stratum Security;
*Jeremiah Grossman, Whitehat Security;
*Tom Brennan, Whitehat Security; and
*Wade Woolwine, AOL

served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.

=== February 2009 ===

''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''

Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.

This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.

Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."

(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )

Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip|WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]

''John Steven, Cigital'': '''Moving Beyond Top N Lists'''

Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip|Moving Beyond Top N Lists]]

 Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.

John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.

=== January 2009 ===

To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.

''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''

Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices.

Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.

Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]

''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''

The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially-workable open standards that are tailored to specific web-based technologies.

Mike Boberski works at Booz Allen Hamilton. He has a background in application security and the use of cryptography by applications. He is experienced in trusted product evaluation, security-related software development and integration, and cryptomodule testing. For OWASP, he is the project lead and a co-author of the OWASP Application Security Verification Standard, the first OWASP standard.

Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]

=== November 2008 ===

For our November 2008 meeting, we had two great presentations on software assurance and security testing.

''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''

Nadya's presentation will provide an update on the Software Assurance Forum efforts to establish a comprehensive framework for software assurance (SwA) and security measurement. The Framework addresses measuring achievement of SwA goals and objectives within the context of individual projects, programs, or enterprises. It targets a variety of audiences including executives, developers, vendors, suppliers, and buyers. The Framework leverages existing measurement methodologies, including Practical Software and System Measurement (PSM); CMMI Goal, Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC 27004 and identifies commonalities among the methodologies to help organizations integrate SwA measurement in their overall measurement efforts cost-effectively and as seamlessly as possible, rather than establish a standalone SwA measurement effort within an organization. The presentation will provide an update on the SwA Forum Measurement Working Group work, present the current version of the Framework and underlying measures development and implementation processes, and propose example SwA measures applicable to a variety of SwA stakeholders. The presentation will update the group on the latest NIST and ISO standards on information security measurement that are being integrated into the Framework as the standards are being developed.

Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]

''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''

The Web Security Testing Cookbook (O'Reilly & Associates, October 2008) gives developers and testers the tools they need to make security testing a regular part of their development lifecycle. Its recipe style approach covers manual, exploratory testing as well automated techniques that you can make part of your unit tests or regression cycle. The recipes cover the basics like observing messages between clients and servers, to multi-phase tests that script the login and execution of web application features. This book complements many of the security texts in the market that tell you what a vulnerability is, but not how to systematically test it day in and day out. Leverage the recipes in this book to add significant security coverage to your testing without adding significant time and cost to your effort.

Congratulations to Tim Bond who won an autographed copy of Paco's book. Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]

Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]

=== October 2008 ===

For our October 2008 meeting, we had two fascinating talks relating to forensics.

''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''

Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.

Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]

''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''

Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.

Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]

=== History ===

The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.

==== Chapter Groups ====

Within the chapter, various common interests spring up. We've created Google groups to manage collaboration amongst participants for these topics. Feel free to join and participate in:

*[http://groups.google.com/group/novaowasp_threatmodeling Threat Modeling]
*[http://groups.google.com/group/novaowasp_mobile Mobile]

=== OWASP NoVa Members On Twitter ===

John Steven [http://twitter.com/m1splacedsoul http://twitter.com/m1splacedsoul]

Jack Mannino [http://twitter.com/jack_mannino http://twitter.com/jack_mannino]

Ben Tomhave [http://twitter.com/falconsview http://twitter.com/falconsview]

Ken Johnson [http://twitter.com/cktricky http://twitter.com/cktricky]

Mike Smith [http://twitter.com/rybolov http://twitter.com/rybolov]

Trevor Hawthorn [http://twitter.com/packetwerks http://twitter.com/packetwerks]

Jeremy Long [http://twitter.com/ctxt http://twitter.com/ctxt]

Ari Elias-Bachrach [http://twitter.com/angelofsecurity http://twitter.com/angelofsecurity]

Venkat Sundaram [http://twitter.com/Vnk3889 http://twitter.com/Vnk3889]

==== Knowledge ====

The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:

*Threat Modeling
*[[Code Review and Static Analysis with tools]]
*Penetration Testing and Dynamic Analysis tools
*Monitoring/Dynamic patching (WAFs)

Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:

*ASVS

=== Static Analysis Curriculum ===

*For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].

The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].

[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]

'''Contacts''' Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.

 

=== Flash Talk Resources ===

Chandu Ketkar on OFS. Download: [http://www.owasp.org/images/1/1c/OFS.pptx OFS Presentation.] [http://jack-mannino.blogspot.com/ Jack Mannino] on Google and Searching for Personal Information Jesse Ou on XML Bombs. Download: [http://www.owasp.org/images/1/18/OWASP_JOU_XML_DTD_Attacks.pptx XML DTD Presentation] 

__NOTOC__ <headertabs />

<paypal>Northern Virginia</paypal>

[[Category:Virginia]] [[Category:Washington,_DC]]

Virginia

2012-10-15T16:31:52Z

John Steven:

==== About ====

[[Image:Owasp-nova.JPG|right|275px|Owasp-nova.JPG]]The '''OWASP Northern VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge.

We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.

The chapter is committed to providing an engaging experience for a variety of audience types ranging from local students and those beginning in app-sec, to those experienced and accomplished professionals who are looking for competent collaborators for OWASP-related projects. To this end, we will continue to conduct both monthly chapter meetings as well as out-of-band curricula, on application security topics.

{{Chapter Template|chaptername=Virginia|extra =Come see us at a chapter meeting, jump on our Google Group, or email any of us directly.

=== Chapter Board ===
Previously having had a Chapter Leader, then a Chapter "Program Committee", the chapter is now run by a full board (alphabetical order):
* Jeremy Long
* Jack Mannino
* John Steven - Board Chair

Board member responsibilities include:

<pre style="white-space: pre-wrap;"> * Providing governance for chapter and member activities in terms chapter mission and OWASP code of ethics
* Recruiting OWASP membership
* Driving OWASP NoVA Chapter attendance and involvement
* Deferring to, facilitating, and supporting the activities and projects of chapter membership
* Eliciting, scheduling, and coordinating chapter panels, speakers, and other sessions
* Scouting, clearing, and scheduling chapter meeting venues and catering
* Identifying opportunities for collaboration between chapter membership, OWASP global committees, and other organizations
* Collecting and auditing use of chapter funds
* Voting on chapter matters
</pre>
For more information on how the board was elected and what it's responsibilities are, please see: [https://docs.google.com/document/d/1h8GTqsWg2xiTwWAWS-Ra6_GU4eJGt44aa1hFc9EQloU/edit?hl=en_US&authkey=CIS9zFM Chapter Board Election]fckLRfckLR|mailinglistsite=https://groups.google.com/forum/#!forum/owasp-nova|emailarchives=https://groups.google.com/forum/#!forum/owasp-nova}}

You may also want to follow [http://twitter.com/OWASPNoVA/ @OWASPNoVA] on Twitter.

----
=== Schedule ===

Meetings are (generally) held the first Thursday of the month.

==== Next Meeting ====

'''Date/Time:''' October 4th, 2012 @ 6:30pm

'''Location:''' [http://corporate.livingsocial.com/home LivingSocial], 11600 Sunrise Valley Drive, Reston, VA

'''Registration:''' [http://www.eventbrite.com/event/4430947082 Eventbrite]

'''AGENDA:'''
* News / Updates
* Talk: [https://www.owasp.org/index.php/Dan_Cornell Dan Cornell] - "Benchmarking Web Application Scanners for YOUR Organization"
* Firetalks!

'''Presentation Title:'''
Benchmarking Web Application Scanners for YOUR Organization

'''Abstract:'''
Web applications pose significant risks for organizations. The selection of an appropriate scanning product or service can be challenging because every organization develops their web applications differently and decisions made by developers can cause wide swings in the value of different scanning technologies. To make a solid, informed decision, organizations need to create development team- and organization-specific benchmarks for the effectiveness of potential scanning technologies. This involves creating a comprehensive model of false positives, false negatives and other factors prior to mandating analysis technologies and making decisions about application risk management. This presentation provides a model for evaluating application analysis technologies, introduces an open source tool for benchmarking and comparing tool effectiveness, and outlines a process for making organization-specific decisions about analysis technology selection.

'''Speaker Bio:'''
Dan Cornell has over 15 years experience architecting and developing web-based software systems. As CTO, he leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies. Dan currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at numerous security conferences, such as RSA in San Francisco, OWASP EU Research in Athens and OWASP AppSec USA in Minneapolis.

Please check back for updates, join the mailing list, or follow us on Twitter ([http://twitter.com/OWASPNoVA/ @OWASPNoVA]).

==== Upcoming Speakers ====

We need speakers and topics! If you want to present, please contact [mailto:John.Steven@owasp.org John] or [mailto:benjamin.tomhave@owasp.org Ben]. We're very open to hearing from all our members.

[http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York View the OWASP NoVA Chapter Calendar] 

 

----

==== Past meetings ====

=== July 2012 ===
'''Date/Time:''' July 12th, 2012 @ 6:30pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home LivingSocial], 11600 Sunrise Valley Drive, Reston, VA

'''AGENDA:'''
* News / Updates
* Talk: [https://www.owasp.org/index.php/John_Steven| John Steven] - "Password Storage Security"
* Firetalks!

'''Presentation Title:'''
"Password Storage Security" [https://www.owasp.org/images/7/78/PSM_-_Problem_Definition.pdf|Password Storage Security.pdf]

'''Abstract:'''
During the June meeting we discussed the LinkedIn password theft which was just beginning its the news cycle. We'll use the July chapter meeting to discuss issues around password hashing and a solution. While wholly different schemes for protecting passwords at rest are preferable, it's instructive to look at hashing passwords as a threat modeling exercise and take the time to follow through to a fix.

To read up on the issue, look at my latest blog post on the topic: [http://goo.gl/sGyi8|Justice League Blog - Securing Password Storage]

For those who were sufficiently intrigued, mystified, or inspired by the presentation on password protection at the last chapter meeting, Coursera is offering a free 6-week Stanford course on cryptography that begins on August 27th ("Learn about the inner workings of cryptographic primitives and how to apply this knowledge in real-world applications!"): [https://www.coursera.org/course/crypto|Crypto Course]

'''Speaker Bio:'''

See [https://www.owasp.org/index.php/John_Steven| John Steven Bio]

=== June 2012 ===
'''Date/Time:''' June 7th, 2012 @ 6:30pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home LivingSocial], 11600 Sunrise Valley Drive, Reston, VA

'''AGENDA:'''
* News / Updates
* Talk: Ken Johnson (LivingSocial) - "AppSec, Ritalin, and Failing Fast"
* Firetalks!

'''Presentation Title:'''
"AppSec, Ritalin, and Failing Fast" [https://www.owasp.org/images/e/e9/Ken_Johnson_July_2012.pptx|AppSec, Ritalin, and Failing Fast.pptx]

'''Abstract:'''
In early April Ken Johnson and Matt Ahrens presented a high-level overview of building an Application Security program at LivingSocial. This talk will differ in that it will focus on the granular aspects involved with introducing security into an incredibly intense development environment. The discussion will be compromised of experiences in:
* Developing technical solutions to solving difficult challenges
* Remaining proactive with an increased workload
* What it means to innovate

'''Speaker Bio:'''

Ken Johnson is the Application Security Manager for LivingSocial.com. Prior to joining LivingSocial.com, Ken worked in various application security consulting roles. Ken is the primary developer of the Web Exploitation Framework (wXf) and enjoys contributing to other open source projects as often as time permits. Ken has spoken at AppSec DC 2010 & 2012, OWASP DC and Phoenix chapters and is a member of the Attack Research Team.

=== May 2012 ===
'''Date/Time:''' May 3rd, 2012 @ 6pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home Living Social], 11600 Sunrise Valley Drive, Reston, VA

'''AGENDA:'''
* News / Updates
* "Chill Out" conversations (formal talked pushed back due to logistical issues)

=== April 2012 ===
'''Date/Time:''' April 16th, 2012 @ 6pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home Living Social], 11600 Sunrise Valley Drive, Reston, VA

'''Food Sponsor:''' Jeremy Long - jeremy.long[at]owasp.org

'''AGENDA:'''
* News / Updates
* Talk: "Malicious Code Detection or BRIC Breaking Through Static Analysis" by Masha Khainson (Cigital)
* Firetalks!
* ISSA NoVA Social @Champps!  :)

'''Presentation Title:''' "Malicious Code Detection or BRIC Breaking Through Static Analysis"

'''Abstract:'''
Malicious Code Detection or BRIC Breaking Through Static Analysis: As
organizations outsource development to less trustworthy providers
malware becomes as much a problem as introduction of honest
vulnerability by one's own development shop. Assessment practices
currently look for vulnerability within source code and a running
systems but these are but a few of windows of opportunity for malware
introduction. This presentation demonstrates an approach for
augmenting an existing security practice with the capability to detect
potentially malicious code through secure code review. First, we show
how to break malicious intent--often quite subtle--into concrete
patterns we can reliably detect. The framework then demonstrates how
to build suspicion around reliance of particular patterns' use in
concert which, increasingly, imply malicious intent. These techniques
will be explained through a demonstration in a real world application.

'''Bio'''
Masha (a.k.a Marina) has dreamed of becoming a security consultant
before she ever knew what a ballerina was, and that's a good thing -
because she does not intend her talk to be a ballet recital. Having
been in software security for over seven years, Ms. Khainson has
delivered Architecture Risk Assessment, Secure Code Review, and
Ethical Hacking on many architectures, platforms and technologies.
Marina has also developed training materials for clients and led
remediation assistance teams.

Prior to joining Cigital, Marina was a member of a research team at a
leading security research provider, where using disassembly as well as
protocol and source code analysis, she provided key information on
newly released vulnerabilities. Before that, Marina assisted the same
research team in producing detailed reports on critical malware and
spyware threats, as well as developing and testing content for network
security devices from some of the top providers of intrusion detection
and prevention technologies.

Download: https://www.owasp.org/index.php/File:MCD-OWASPNoVA.pdf

=== November 2011 ===
'''Date/Time:''' November 3rd, 2011 @ 6pm

'''Location Sponsor:''' [http://www.qinetiq.com/ QinetiQ], 2677 Prosperity Ave Fairfax, VA 22031

'''AGENDA:'''
# News / Updates
# Talk: "Lessons Learned from the SQL Injection Challenge" by Ryan Barnett (Trustwave SpiderLabs)
# Firetalks! :)

'''Presentation Title:''' "Lessons Learned from the SQL Injection Challenge"

'''Abstract:'''
How effective are blacklist filters vs. SQL Injection attacks? What is the failure rate vs. automated scanning or manual testing? Are there any "Time-to-Bypass" metrics? In an attempt to answer these questions, Trustwave SpiderLabs' Research Team (the development team behind the ModSecurity WAF and the OWASP ModSecurity Core Rule Set) held a community "SQL Injection Challenge" to test the effectiveness of the OWASP ModSecurity Core Rule Set protections. This presentation will provide an overview of the challenge, a step-by-step walk-through of the bypass tactics used by the winners, as well as, present a new approach to attack detection using ModSecurity's Lua API to perform Bayesian analysis.

'''Speaker Bio:'''
[mailto:ryan.barnett@owasp.org Ryan C. Barnett] (Twitter: [http://twitter.com/#!/ryancbarnett @ryancbarnett]) is a senior security researcher on Trustwave's SpiderLabs Team. He is a SANS Institute certified instructor and a member of both the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors teams. In addition to working with SANS, he is also a WASC Member where he leads the Web Hacking Incidents Database (WHID) and Distributed Web Honeypots Projects and is also the OWASP ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett has also authored a Web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache".

=== October 2011 ===
'''Date/Time:''' October 6th, 2011 @ 6pm

'''Location/Food Sponsor:''' [http://www.cigital.com/ Cigital], 21351 Ridgetop Circle, Suite 400, Sterling, VA 20166

'''AGENDA:'''
# News / Updates
# AppSec USA 2011 Recap
# Talk: Jack Mannino: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks "OWASP Top 10 Mobile Risks"]
# Firetalks! :)

=== September 2011 ===

The September meeting was cancelled due to inclement weather (flash flooding).

=== August 2011 ===

We held a "social" event at Sweetwater Tavern in Sterling, VA.

=== July 2011 ===

'''Date/Time:''' July 7th, 2011 @ 6pm '''Location Sponsor:''' [http://www.cigital.com Cigital], Suite 400 21351 Ridgetop Circle, Dulles, VA, 20166 '''Food Sponsor:''' '''AGENDA:'''

* News / Updates
* Topic of the Month: iGoat - Ken Van Wyk

=== June 2011 ===

'''Date/Time:''' June 9th, 2011 @ 6pm (*Note: 2nd Thursday of June!) '''Location Sponsor:''' [http://about.collegeboard.org/ The College Board], 11955 Democracy Drive Reston, VA 20190 '''Food Sponsor:''' The College Board '''AGENDA:'''

* News / Updates
* Topic of the Month: [https://www.owasp.org/index.php/Top_10_2010-A4 A4 "Insecure Direct Object References"]
* College Board Speaker: "Attack-in-Depth: Exploits of the OWASP Top Ten in Action"
* Firetalks! :)
- Jack Mannino: "Android Security 101"
- Others!

=== May 2011 ===

'''Date/Time:''' Cinco de Mayo (May 5th), 2011 @ 6pm '''Location Sponsor:''' [http://www.akamai.com/ Akamai], 11111 Sunset Hills Dr, Suite 250, Reston, VA 20190 '''Food Sponsor:''' Akamai '''AGENDA:'''

* News / Updates
* 2011 Election (voice vote on the entire slate)
* Topic of the Month: [http://www.owasp.org/index.php/Top_10_2010-A3 A3 "Broken Authentication and Session Management"]
* Speaker: Steve Witmer on A3 from the "breakers" perspective
* Speaker: ??? on A3 from the "fixers/defenders" perspective
* Firetalks! :)
* '''Update:''' All election candidates were elected by voice vote.
* Please see: [https://docs.google.com/document/d/1h8GTqsWg2xiTwWAWS-Ra6_GU4eJGt44aa1hFc9EQloU/edit?hl=en_US&authkey=CIS9zFM '11 Chapter Board Election Material]

=== April 2011 ===

'''Date/Time:''' April 7, 2011 @ 6pm '''Location Sponsor:''' [http://www.reversespace.com/ ReverseSpace], 13505 Dulles Technology Dr, Suite 3, Herndon, VA 20171 '''Food Sponsor:''' [https://www.cigital.com Cigital] '''AGENDA:'''

* News / Updates
* 2011 Election
* Topic of the Month: [http://www.owasp.org/index.php/Top_10_2010-A2 A2 "Cross-Site Scripting (XSS)"]
* Preso:"Cross-Site Scripting is Not Your Friend: XSS and the Facebook Platform" by Joey Tyson ([https://www.owasp.org/images/9/92/Xssnotfriend-edited.pptx PPTX] or [https://www.owasp.org/images/0/06/Xssnotfriend-edited.pdf PDF])
* Preso:“XSS Remediation” by Cassia Martin ([https://www.owasp.org/images/6/66/XSS_Remediation.ppt PPT])
* Preso:"Growing the secure application developer community through expanded curricula" by Tony Gottlieb
* FireTalks (bring it!)

 

=== March 2011 ===

'''Date/Time:''' March 3, 2011 @ 6pm '''Location Sponsor:''' [http://www.boozallen.com/ Booz Allen Hamilton], 13200 Woodland Park Road, Herndon, VA 20171 '''AGENDA:'''

* News / Updates
* [http://www.owasp.org/index.php/OWASP_Summit_2011 OWASP Summit 2011] In Review
* Preso: [http://www.owasp.org/index.php/Top_10_2010-A1-Injection A1 "Injection"]
* Briefing: Training/Preso Plan for the Year

=== February 2011 ===

'''Date/Time:''' February 3, 2011 @ 6pm '''Location Sponsor:''' [http://www.akamai.com/ Akamai], 11111 Sunset HIlls Dr, Suite 250, Reston, VA 20190 '''AGENDA:'''

* News / Updates
* Feedback for [http://www.owasp.org/index.php/OWASP_Summit_2011 OWASP Summit 2011]
* Preso: Intro to [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top 10] + 2
* Briefing: Training/Preso Plan for the Year

=== December 2010 ===

'''Date/Time:''' December 2, 2010 @ 6pm '''Location Sponsor:''' [http://hackerspaces.org/wiki/Reverse_Space ReverseSpace], 13505 Dulles Technology Drive, Herndon, VA '''AGENDA:'''

* 2011 Planning Session (Schedule, Volunteers, Speakers, Topics)
* Lightning Talks!! (Bring an idea, a question, a topic, whatever - 5-10 minute talks max!)
* Social / Networking (BYOB!)

=== November 2010 ===

'''Date/Time:''' November 4, 2010 @ 6pm '''Location Sponsor:''' Akamai, 11111 Sunset Hills Rd, Suite #250, Reston, VA '''Speaker:''' Ben Tomhave '''Title:''' The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform '''Description:''' What we're doing today is not working and isn't sustainable. The fundamental culture of the average business does not encourage making good security decisions. Software shops continue to focus on functionality and timelines, neglecting information security. In spite of regulations like PCI and HIPAA+HITECH, which are levying fines against organizations for their security failures, the tipping point has clearly not been reached to cause meaningful change. Much of this problem can be attributed to the excessive use of negative incentives (sticks) instead of providing positive incentives (carrots) that inspire better decision making and motivate true change. Fortunately, it's not too late to change tactics and start achieving demonstrable success. '''Speaker Bio:''' Ben Tomhave is a Senior Security Analyst with Gemini Security Solutions in Chantilly, VA, specializing in solutions architecture, security planning, program development and management, and other strategic security solutions. He holds a MS in Engineering Management with an Information Security Management concentration from The George Washington University and is a CISSP.

=== June 2010 ===

'''DATE''': Thursday, June 3rd, 6pm Eastern Daylight Time '''LOCATION''': Booz Allen Hamilton - 13200 Woodland Park Road Herndon, VA 20171 '''SPEAKER''': Alex Hutton, Verizon Business and http://www.newschoolsecurity.com/ '''TOPIC''': Risk Management - Time to blow it up and start over? 

'''DESCRIPTION''':

A redux of the presentation that Alex delivered at B-Sides San Francisco during RSA 2010. "Now that the industry is trying to formalize the concept of risk management into neat little compartments like standards (ISO 27005/31000), certifications (CRISC) and products (GRC) guess what? We're doing it wrong. Fundamentally wrong. This talk will discuss why all this current risk management stuff is goofy and what sort of alternatives we have that might help us understand our ability to protect, our tendency towards failure, and how to match that up with what management will stomach."

Slides are available from: http://www.slideshare.net/BSides/risk-management-time-to-blow-it-up-and-start-over-alex-hutton

 '''SPECIAL SPEAKER''':

[http://twitter.com/tiffanyrad Tiffany Rad] provided an overview and update on [http://twitter.com/reversespace Reverse Space] in Herndon, VA. For more information, or to help out, please join the [http://groups.google.com/group/ReverseSpace Reverse Space Google Group].

 

=== May 2010 ===

'''DATE''': Tuesday, May 18th, 6pm Eastern Daylight Time '''LOCATION''': Booz Allen Hamilton - 13200 Woodland Park Road Herndon, VA 20171 '''SPEAKER'''': Jeff Ennis, Senior Solutions Architect, Veracode '''TITLE''': State of Software Security ([[Image:State of Software Security-Ennis.ppsx.zip]]) '''DESCRIPTION''':

A discussion of the current state of software security based on the compiled findings by Veracode from the dynamic and static code analysis they have performed for customers.

 

=== September 2009 ===

'''DATE''': Thursday, September 17, 2009. 6:00pm Eastern Daylight Time '''LOCATION''': 22260 Pacific blvd, Sterling, VA. 20166 '''TOPIC''': "Fortify 360" '''SPEAKER''': Erik Klein (Fortify Software), Eric Dalci (Cigital) '''DESCRIPTION''':

We're pleased to invite you to our next week's OWASP Session (Thursday September 17th). We will be hosting a presentation, demo and hands on session of Fortify 360 (http://www.fortify.com). Fortify 360 includes Fortify SCA (Source Code Analyzer) and the Fortify 360 Server which is Fortify's solution for an enterprise deployment of SCA. The session will start with a presentation by Fortify engineers, followed by a demo and finally a hands on session where the audience will be free to install Fortify SCA on the machine and try it the SCA tool on a sample application that we will provide. The audience will also be introduced with the Fortify 360 Server and try some of the enterprise level features such as collaborative code review, metrics and so on. Bring your laptop if you want to try Fortify 360!

The target audience is anyone interested in Secure Code Review with a Static Analysis tool at the desktop level and/or enterprise level. We will need to register visitors before hand...please email wade.woolwine@owasp.org for registration and confirm attendance. Pizza and refreshments will be served.

 

'''DATE''': Thursday, September 3, 2009. 6:00pm. '''LOCATION''': 13200 Woodland Park Road Herndon, VA 20171 '''TOPIC''': "Conducting Application Assessment" '''SPEAKER''': Jeremy Epstein, SRI '''DESCRIPTION''':

After the 2000 election, many states launched headlong into electronic voting systems to avoid the problems with "hanging chads". Once problems with those systems started appearing, many localities started moving to optical scan, which was used by a majority of US voters in the 2008 election. There are other technologies in use around the country, including lever machines, vote-by-mail, vote-by-phone, and Internet voting. What are the tradeoffs among these technologies? Particularly relevant to OWASP, what are the security issues associated with different types of equipment, and what measures do vendors of voting equipment use to try to address the security problems? Are software security problems important, or can non-technical measures protect against them? In this talk, we'll discuss a wide variety of voting technologies, and their pros and cons from both a technical and societal perspective.

'''ABOUT THE SPEAKER''':

Jeremy Epstein is Senior Computer Scientist at SRI International. His background includes more than 20 years experience in computer security research, product development, and consulting. Prior to joining SRI International, he was Principal Consultant with Cigital, and before that spent nine years as Senior Director of Product Security at Software AG, an international business software company. Within the area of voting systems, Jeremy has been involved for over five years in voting technology and advocacy, both as an employee and as an independent consultant.

 

=== July 2009 ===

'''DATE''': July 9th 6pm-9pm EST '''LOCATION''': 13200 Woodland Park Road Herndon, VA 20171 '''TOPIC''': "Ounce's 02" '''SPEAKER(S)''': Dinis Cruz, OWASP, Ounce Labs. '''DESCRIPTION''': So what is O2?

Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)

Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).

Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.

Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)

The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.

=== June 2009 ===

''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model'' Later, an interview: ''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security'' '' ''

Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups.

Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group.

Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]

=== May 2009 ===

''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis'' Later, a panel:

*Steven Lavenhar, Booz Allen Hamilton;
*Eric Dalci, Cigital Inc.

Panel moderated by John Steven 

This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.

Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]

=== April 2009 ===

''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008''' Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk. 

Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf

 Later,

*Nate Miller, Stratum Security;
*Jeremiah Grossman, Whitehat Security;
*Tom Brennan, Whitehat Security; and
*Wade Woolwine, AOL

served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.

=== February 2009 ===

''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''

Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.

This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.

Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."

(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )

Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip|WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]

''John Steven, Cigital'': '''Moving Beyond Top N Lists'''

Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip|Moving Beyond Top N Lists]]

 Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.

John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.

=== January 2009 ===

To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.

''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''

Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices.

Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.

Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]

''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''

The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially-workable open standards that are tailored to specific web-based technologies.

Mike Boberski works at Booz Allen Hamilton. He has a background in application security and the use of cryptography by applications. He is experienced in trusted product evaluation, security-related software development and integration, and cryptomodule testing. For OWASP, he is the project lead and a co-author of the OWASP Application Security Verification Standard, the first OWASP standard.

Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]

=== November 2008 ===

For our November 2008 meeting, we had two great presentations on software assurance and security testing.

''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''

Nadya's presentation will provide an update on the Software Assurance Forum efforts to establish a comprehensive framework for software assurance (SwA) and security measurement. The Framework addresses measuring achievement of SwA goals and objectives within the context of individual projects, programs, or enterprises. It targets a variety of audiences including executives, developers, vendors, suppliers, and buyers. The Framework leverages existing measurement methodologies, including Practical Software and System Measurement (PSM); CMMI Goal, Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC 27004 and identifies commonalities among the methodologies to help organizations integrate SwA measurement in their overall measurement efforts cost-effectively and as seamlessly as possible, rather than establish a standalone SwA measurement effort within an organization. The presentation will provide an update on the SwA Forum Measurement Working Group work, present the current version of the Framework and underlying measures development and implementation processes, and propose example SwA measures applicable to a variety of SwA stakeholders. The presentation will update the group on the latest NIST and ISO standards on information security measurement that are being integrated into the Framework as the standards are being developed.

Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]

''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''

The Web Security Testing Cookbook (O'Reilly & Associates, October 2008) gives developers and testers the tools they need to make security testing a regular part of their development lifecycle. Its recipe style approach covers manual, exploratory testing as well automated techniques that you can make part of your unit tests or regression cycle. The recipes cover the basics like observing messages between clients and servers, to multi-phase tests that script the login and execution of web application features. This book complements many of the security texts in the market that tell you what a vulnerability is, but not how to systematically test it day in and day out. Leverage the recipes in this book to add significant security coverage to your testing without adding significant time and cost to your effort.

Congratulations to Tim Bond who won an autographed copy of Paco's book. Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]

Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]

=== October 2008 ===

For our October 2008 meeting, we had two fascinating talks relating to forensics.

''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''

Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.

Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]

''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''

Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.

Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]

=== History ===

The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.

==== Chapter Groups ====

Within the chapter, various common interests spring up. We've created Google groups to manage collaboration amongst participants for these topics. Feel free to join and participate in:

*[http://groups.google.com/group/novaowasp_threatmodeling Threat Modeling]
*[http://groups.google.com/group/novaowasp_mobile Mobile]

=== OWASP NoVa Members On Twitter ===

John Steven [http://twitter.com/m1splacedsoul http://twitter.com/m1splacedsoul]

Jack Mannino [http://twitter.com/jack_mannino http://twitter.com/jack_mannino]

Ben Tomhave [http://twitter.com/falconsview http://twitter.com/falconsview]

Ken Johnson [http://twitter.com/cktricky http://twitter.com/cktricky]

Mike Smith [http://twitter.com/rybolov http://twitter.com/rybolov]

Trevor Hawthorn [http://twitter.com/packetwerks http://twitter.com/packetwerks]

Jeremy Long [http://twitter.com/ctxt http://twitter.com/ctxt]

Ari Elias-Bachrach [http://twitter.com/angelofsecurity http://twitter.com/angelofsecurity]

Venkat Sundaram [http://twitter.com/Vnk3889 http://twitter.com/Vnk3889]

==== Knowledge ====

The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:

*Threat Modeling
*[[Code Review and Static Analysis with tools]]
*Penetration Testing and Dynamic Analysis tools
*Monitoring/Dynamic patching (WAFs)

Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:

*ASVS

=== Static Analysis Curriculum ===

*For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].

The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].

[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]

'''Contacts''' Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.

 

=== Flash Talk Resources ===

Chandu Ketkar on OFS. Download: [http://www.owasp.org/images/1/1c/OFS.pptx OFS Presentation.] [http://jack-mannino.blogspot.com/ Jack Mannino] on Google and Searching for Personal Information Jesse Ou on XML Bombs. Download: [http://www.owasp.org/images/1/18/OWASP_JOU_XML_DTD_Attacks.pptx XML DTD Presentation] 

__NOTOC__ <headertabs />

<paypal>Northern Virginia</paypal>

[[Category:Virginia]] [[Category:Washington,_DC]]

Chicago

Virginia

2012-04-25T20:31:39Z

John Steven: /* April 2012 */

==== About ====

[[Image:Owasp-nova.JPG|right|275px|Owasp-nova.JPG]]The '''OWASP Northern VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge.

We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.

The chapter is committed to providing an engaging experience for a variety of audience types ranging from local students and those beginning in app-sec, to those experienced and accomplished professionals who are looking for competent collaborators for OWASP-related projects. To this end, we will continue to conduct both monthly chapter meetings as well as out-of-band curricula, on application security topics.

{{Chapter Template|chaptername=Virginia|extra =Come see us at a chapter meeting, jump on our Google Group, or email any of us directly.

=== Chapter Board ===
Previously having had a Chapter Leader, then a Chapter "Program Committee", the chapter is now run by a full board (alphabetical order):

* Jeremy Long
* Jack Mannino
* John Steven - Board Chair
* Ben Tomhave

Board member responsibilities include:

<pre style="white-space: pre-wrap;"> * Providing governance for chapter and member activities in terms chapter mission and OWASP code of ethics
* Recruiting OWASP membership
* Driving OWASP NoVA Chapter attendance and involvement
* Deferring to, facilitating, and supporting the activities and projects of chapter membership
* Eliciting, scheduling, and coordinating chapter panels, speakers, and other sessions
* Scouting, clearing, and scheduling chapter meeting venues and catering
* Identifying opportunities for collaboration between chapter membership, OWASP global committees, and other organizations
* Collecting and auditing use of chapter funds
* Voting on chapter matters
</pre>
fckLRFor more information on how the board was elected and what it's responsibilities are, please see:fckLRfckLR[https://docs.google.com/document/d/1h8GTqsWg2xiTwWAWS-Ra6_GU4eJGt44aa1hFc9EQloU/edit?hl=en_US&authkey=CIS9zFM Chapter Board Election]fckLRfckLR|mailinglistsite=https://groups.google.com/forum/#!forum/owasp-nova|emailarchives=https://groups.google.com/forum/#!forum/owasp-nova}}

You may also want to follow [http://twitter.com/OWASPNoVA/ @OWASPNoVA] on Twitter.

==== Schedule ====

Meetings are (generally) held the first Thursday of the month.

=== Next Meeting ===
'''Date/Time:''' December 1st, 2011 @ 6pm

'''Location Sponsor:''' [http://www.qinetiq.com/ QinetiQ], 11091 Sunset Hills Road, ''1st floor (Rooms 207/208)'', Reston VA 20190

'''AGENDA:'''
# News / Updates
# Talk: "Cloud Control: Assurance in a Massively Scalable World" by Ben Tomhave
# Firetalks! :)

'''[http://owaspnova120111.eventbrite.com/ Please RSVP]'''

'''Presentation Title:''' "Cloud Control: Assurance in a Massively Scalable World"

'''Abstract:'''
Ubiquitous access to data and applications is here. No longer are our resources confined to enterprise networks and data centers of our own making. Rather, applications and platforms are now available on-demand, anywhere, anytime, to virtually anybody. Moreover, these environments can scale on demand, automating what has traditionally required expertise in system design and capacity planning. Assuring security in this environment poses new and evolving challenges. While they may resemble the same obstacles we've been managing for decades, they are increasingly more difficult to address. Now, more than ever, companies need to extend their governance, risk, and compliance initiatives to take cloud-related strategies and initiatives into account to proactively protect their data and their bottom line.

'''Speaker Bio:'''
[mailto:benjamin.tomhave@owasp.org Ben Tomhave] (Twitter: [http://twitter.com/#!/falconsview @falconsview]) Ben Tomhave, MS, CISSP, helps global enterprises, SMBs and service partners unlock the real promise of integrated governance, risk and compliance in his current role as Principal Consultant for LockPath, a market-changing GRC software company. A distinguished author and experienced speaker, he currently serves on the OWASP NoVA chapter board and as the co-vice-chair of the ABA InfoSec Committee. He is also a member of ISSA and the IEEE Computer Society, and earned a MS in Engineering Management from The George Washington University with an InfoSec Management concentration.

Please check back for updates, join the mailing list, or follow us on Twitter ([http://twitter.com/OWASPNoVA/ @OWASPNoVA]).

----

=== Upcoming Speakers ===

We need speakers and topics! If you want to present, please contact [mailto:John.Steven@owasp.org John] or [mailto:benjamin.tomhave@owasp.org Ben]. We're very open to hearing from all our members.

[http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York View the OWASP NoVA Chapter Calendar] 

 

----

==== Past meetings ====

=== April 2012 ===
'''Date/Time:''' April 16th, 2012 @ 6pm

'''Location Sponsor:''' [http://corporate.livingsocial.com/home Living Social], 11600 Sunrise Valley Drive, Reston, VA

'''AGENDA:'''
# News / Updates
# Talk: "Malicious Code Detection or BRIC Breaking Through Static Analysis" by Masha Khainson (Cigital)
# Firetalks!
# ISSA NoVA Social @Champps!
 :)

'''Presentation Title:''' "Malicious Code Detection or BRIC Breaking Through Static Analysis"

'''Abstract:'''
Malicious Code Detection or BRIC Breaking Through Static Analysis: As
organizations outsource development to less trustworthy providers
malware becomes as much a problem as introduction of honest
vulnerability by one's own development shop. Assessment practices
currently look for vulnerability within source code and a running
systems but these are but a few of windows of opportunity for malware
introduction. This presentation demonstrates an approach for
augmenting an existing security practice with the capability to detect
potentially malicious code through secure code review. First, we show
how to break malicious intent--often quite subtle--into concrete
patterns we can reliably detect. The framework then demonstrates how
to build suspicion around reliance of particular patterns' use in
concert which, increasingly, imply malicious intent. These techniques
will be explained through a demonstration in a real world application.

'''Bio'''
Masha (a.k.a Marina) has dreamed of becoming a security consultant
before she ever knew what a ballerina was, and that's a good thing -
because she does not intend her talk to be a ballet recital. Having
been in software security for over seven years, Ms. Khainson has
delivered Architecture Risk Assessment, Secure Code Review, and
Ethical Hacking on many architectures, platforms and technologies.
Marina has also developed training materials for clients and led
remediation assistance teams.

Prior to joining Cigital, Marina was a member of a research team at a
leading security research provider, where using disassembly as well as
protocol and source code analysis, she provided key information on
newly released vulnerabilities. Before that, Marina assisted the same
research team in producing detailed reports on critical malware and
spyware threats, as well as developing and testing content for network
security devices from some of the top providers of intrusion detection
and prevention technologies.

Download: https://www.owasp.org/index.php/File:MCD-OWASPNoVA.pdf

=== November 2011 ===
'''Date/Time:''' November 3rd, 2011 @ 6pm

'''Location Sponsor:''' [http://www.qinetiq.com/ QinetiQ], 2677 Prosperity Ave Fairfax, VA 22031

'''AGENDA:'''
# News / Updates
# Talk: "Lessons Learned from the SQL Injection Challenge" by Ryan Barnett (Trustwave SpiderLabs)
# Firetalks! :)

'''Presentation Title:''' "Lessons Learned from the SQL Injection Challenge"

'''Abstract:'''
How effective are blacklist filters vs. SQL Injection attacks? What is the failure rate vs. automated scanning or manual testing? Are there any "Time-to-Bypass" metrics? In an attempt to answer these questions, Trustwave SpiderLabs' Research Team (the development team behind the ModSecurity WAF and the OWASP ModSecurity Core Rule Set) held a community "SQL Injection Challenge" to test the effectiveness of the OWASP ModSecurity Core Rule Set protections. This presentation will provide an overview of the challenge, a step-by-step walk-through of the bypass tactics used by the winners, as well as, present a new approach to attack detection using ModSecurity's Lua API to perform Bayesian analysis.

'''Speaker Bio:'''
[mailto:ryan.barnett@owasp.org Ryan C. Barnett] (Twitter: [http://twitter.com/#!/ryancbarnett @ryancbarnett]) is a senior security researcher on Trustwave's SpiderLabs Team. He is a SANS Institute certified instructor and a member of both the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors teams. In addition to working with SANS, he is also a WASC Member where he leads the Web Hacking Incidents Database (WHID) and Distributed Web Honeypots Projects and is also the OWASP ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett has also authored a Web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache".

=== October 2011 ===
'''Date/Time:''' October 6th, 2011 @ 6pm

'''Location/Food Sponsor:''' [http://www.cigital.com/ Cigital], 21351 Ridgetop Circle, Suite 400, Sterling, VA 20166

'''AGENDA:'''
# News / Updates
# AppSec USA 2011 Recap
# Talk: Jack Mannino: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks "OWASP Top 10 Mobile Risks"]
# Firetalks! :)

=== September 2011 ===

The September meeting was cancelled due to inclement weather (flash flooding).

=== August 2011 ===

We held a "social" event at Sweetwater Tavern in Sterling, VA.

=== July 2011 ===

'''Date/Time:''' July 7th, 2011 @ 6pm '''Location Sponsor:''' [http://www.cigital.com Cigital], Suite 400 21351 Ridgetop Circle, Dulles, VA, 20166 '''Food Sponsor:''' '''AGENDA:'''

* News / Updates
* Topic of the Month: iGoat - Ken Van Wyk

=== June 2011 ===

'''Date/Time:''' June 9th, 2011 @ 6pm (*Note: 2nd Thursday of June!) '''Location Sponsor:''' [http://about.collegeboard.org/ The College Board], 11955 Democracy Drive Reston, VA 20190 '''Food Sponsor:''' The College Board '''AGENDA:'''

* News / Updates
* Topic of the Month: [https://www.owasp.org/index.php/Top_10_2010-A4 A4 "Insecure Direct Object References"]
* College Board Speaker: "Attack-in-Depth: Exploits of the OWASP Top Ten in Action"
* Firetalks! :)
- Jack Mannino: "Android Security 101"
- Others!

=== May 2011 ===

'''Date/Time:''' Cinco de Mayo (May 5th), 2011 @ 6pm '''Location Sponsor:''' [http://www.akamai.com/ Akamai], 11111 Sunset Hills Dr, Suite 250, Reston, VA 20190 '''Food Sponsor:''' Akamai '''AGENDA:'''

* News / Updates
* 2011 Election (voice vote on the entire slate)
* Topic of the Month: [http://www.owasp.org/index.php/Top_10_2010-A3 A3 "Broken Authentication and Session Management"]
* Speaker: Steve Witmer on A3 from the "breakers" perspective
* Speaker: ??? on A3 from the "fixers/defenders" perspective
* Firetalks! :)
* '''Update:''' All election candidates were elected by voice vote.
* Please see: [https://docs.google.com/document/d/1h8GTqsWg2xiTwWAWS-Ra6_GU4eJGt44aa1hFc9EQloU/edit?hl=en_US&authkey=CIS9zFM '11 Chapter Board Election Material]

=== April 2011 ===

'''Date/Time:''' April 7, 2011 @ 6pm '''Location Sponsor:''' [http://www.reversespace.com/ ReverseSpace], 13505 Dulles Technology Dr, Suite 3, Herndon, VA 20171 '''Food Sponsor:''' [https://www.cigital.com Cigital] '''AGENDA:'''

* News / Updates
* 2011 Election
* Topic of the Month: [http://www.owasp.org/index.php/Top_10_2010-A2 A2 "Cross-Site Scripting (XSS)"]
* Preso:"Cross-Site Scripting is Not Your Friend: XSS and the Facebook Platform" by Joey Tyson ([https://www.owasp.org/images/9/92/Xssnotfriend-edited.pptx PPTX] or [https://www.owasp.org/images/0/06/Xssnotfriend-edited.pdf PDF])
* Preso:“XSS Remediation” by Cassia Martin ([https://www.owasp.org/images/6/66/XSS_Remediation.ppt PPT])
* Preso:"Growing the secure application developer community through expanded curricula" by Tony Gottlieb
* FireTalks (bring it!)

 

=== March 2011 ===

'''Date/Time:''' March 3, 2011 @ 6pm '''Location Sponsor:''' [http://www.boozallen.com/ Booz Allen Hamilton], 13200 Woodland Park Road, Herndon, VA 20171 '''AGENDA:'''

* News / Updates
* [http://www.owasp.org/index.php/OWASP_Summit_2011 OWASP Summit 2011] In Review
* Preso: [http://www.owasp.org/index.php/Top_10_2010-A1-Injection A1 "Injection"]
* Briefing: Training/Preso Plan for the Year

=== February 2011 ===

'''Date/Time:''' February 3, 2011 @ 6pm '''Location Sponsor:''' [http://www.akamai.com/ Akamai], 11111 Sunset HIlls Dr, Suite 250, Reston, VA 20190 '''AGENDA:'''

* News / Updates
* Feedback for [http://www.owasp.org/index.php/OWASP_Summit_2011 OWASP Summit 2011]
* Preso: Intro to [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top 10] + 2
* Briefing: Training/Preso Plan for the Year

=== December 2010 ===

'''Date/Time:''' December 2, 2010 @ 6pm '''Location Sponsor:''' [http://hackerspaces.org/wiki/Reverse_Space ReverseSpace], 13505 Dulles Technology Drive, Herndon, VA '''AGENDA:'''

* 2011 Planning Session (Schedule, Volunteers, Speakers, Topics)
* Lightning Talks!! (Bring an idea, a question, a topic, whatever - 5-10 minute talks max!)
* Social / Networking (BYOB!)

=== November 2010 ===

'''Date/Time:''' November 4, 2010 @ 6pm '''Location Sponsor:''' Akamai, 11111 Sunset Hills Rd, Suite #250, Reston, VA '''Speaker:''' Ben Tomhave '''Title:''' The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform '''Description:''' What we're doing today is not working and isn't sustainable. The fundamental culture of the average business does not encourage making good security decisions. Software shops continue to focus on functionality and timelines, neglecting information security. In spite of regulations like PCI and HIPAA+HITECH, which are levying fines against organizations for their security failures, the tipping point has clearly not been reached to cause meaningful change. Much of this problem can be attributed to the excessive use of negative incentives (sticks) instead of providing positive incentives (carrots) that inspire better decision making and motivate true change. Fortunately, it's not too late to change tactics and start achieving demonstrable success. '''Speaker Bio:''' Ben Tomhave is a Senior Security Analyst with Gemini Security Solutions in Chantilly, VA, specializing in solutions architecture, security planning, program development and management, and other strategic security solutions. He holds a MS in Engineering Management with an Information Security Management concentration from The George Washington University and is a CISSP.

=== June 2010 ===

'''DATE''': Thursday, June 3rd, 6pm Eastern Daylight Time '''LOCATION''': Booz Allen Hamilton - 13200 Woodland Park Road Herndon, VA 20171 '''SPEAKER''': Alex Hutton, Verizon Business and http://www.newschoolsecurity.com/ '''TOPIC''': Risk Management - Time to blow it up and start over? 

'''DESCRIPTION''':

A redux of the presentation that Alex delivered at B-Sides San Francisco during RSA 2010. "Now that the industry is trying to formalize the concept of risk management into neat little compartments like standards (ISO 27005/31000), certifications (CRISC) and products (GRC) guess what? We're doing it wrong. Fundamentally wrong. This talk will discuss why all this current risk management stuff is goofy and what sort of alternatives we have that might help us understand our ability to protect, our tendency towards failure, and how to match that up with what management will stomach."

Slides are available from: http://www.slideshare.net/BSides/risk-management-time-to-blow-it-up-and-start-over-alex-hutton

 '''SPECIAL SPEAKER''':

[http://twitter.com/tiffanyrad Tiffany Rad] provided an overview and update on [http://twitter.com/reversespace Reverse Space] in Herndon, VA. For more information, or to help out, please join the [http://groups.google.com/group/ReverseSpace Reverse Space Google Group].

 

=== May 2010 ===

'''DATE''': Tuesday, May 18th, 6pm Eastern Daylight Time '''LOCATION''': Booz Allen Hamilton - 13200 Woodland Park Road Herndon, VA 20171 '''SPEAKER'''': Jeff Ennis, Senior Solutions Architect, Veracode '''TITLE''': State of Software Security ([[Image:State of Software Security-Ennis.ppsx.zip]]) '''DESCRIPTION''':

A discussion of the current state of software security based on the compiled findings by Veracode from the dynamic and static code analysis they have performed for customers.

 

=== September 2009 ===

'''DATE''': Thursday, September 17, 2009. 6:00pm Eastern Daylight Time '''LOCATION''': 22260 Pacific blvd, Sterling, VA. 20166 '''TOPIC''': "Fortify 360" '''SPEAKER''': Erik Klein (Fortify Software), Eric Dalci (Cigital) '''DESCRIPTION''':

We're pleased to invite you to our next week's OWASP Session (Thursday September 17th). We will be hosting a presentation, demo and hands on session of Fortify 360 (http://www.fortify.com). Fortify 360 includes Fortify SCA (Source Code Analyzer) and the Fortify 360 Server which is Fortify's solution for an enterprise deployment of SCA. The session will start with a presentation by Fortify engineers, followed by a demo and finally a hands on session where the audience will be free to install Fortify SCA on the machine and try it the SCA tool on a sample application that we will provide. The audience will also be introduced with the Fortify 360 Server and try some of the enterprise level features such as collaborative code review, metrics and so on. Bring your laptop if you want to try Fortify 360!

The target audience is anyone interested in Secure Code Review with a Static Analysis tool at the desktop level and/or enterprise level. We will need to register visitors before hand...please email wade.woolwine@owasp.org for registration and confirm attendance. Pizza and refreshments will be served.

 

'''DATE''': Thursday, September 3, 2009. 6:00pm. '''LOCATION''': 13200 Woodland Park Road Herndon, VA 20171 '''TOPIC''': "Conducting Application Assessment" '''SPEAKER''': Jeremy Epstein, SRI '''DESCRIPTION''':

After the 2000 election, many states launched headlong into electronic voting systems to avoid the problems with "hanging chads". Once problems with those systems started appearing, many localities started moving to optical scan, which was used by a majority of US voters in the 2008 election. There are other technologies in use around the country, including lever machines, vote-by-mail, vote-by-phone, and Internet voting. What are the tradeoffs among these technologies? Particularly relevant to OWASP, what are the security issues associated with different types of equipment, and what measures do vendors of voting equipment use to try to address the security problems? Are software security problems important, or can non-technical measures protect against them? In this talk, we'll discuss a wide variety of voting technologies, and their pros and cons from both a technical and societal perspective.

'''ABOUT THE SPEAKER''':

Jeremy Epstein is Senior Computer Scientist at SRI International. His background includes more than 20 years experience in computer security research, product development, and consulting. Prior to joining SRI International, he was Principal Consultant with Cigital, and before that spent nine years as Senior Director of Product Security at Software AG, an international business software company. Within the area of voting systems, Jeremy has been involved for over five years in voting technology and advocacy, both as an employee and as an independent consultant.

 

=== July 2009 ===

'''DATE''': July 9th 6pm-9pm EST '''LOCATION''': 13200 Woodland Park Road Herndon, VA 20171 '''TOPIC''': "Ounce's 02" '''SPEAKER(S)''': Dinis Cruz, OWASP, Ounce Labs. '''DESCRIPTION''': So what is O2?

Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)

Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).

Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.

Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)

The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.

=== June 2009 ===

''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model'' Later, an interview: ''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security'' '' ''

Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups.

Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group.

Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]

=== May 2009 ===

''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis'' Later, a panel:

*Steven Lavenhar, Booz Allen Hamilton;
*Eric Dalci, Cigital Inc.

Panel moderated by John Steven 

This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.

Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]

=== April 2009 ===

''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008''' Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk. 

Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf

 Later,

*Nate Miller, Stratum Security;
*Jeremiah Grossman, Whitehat Security;
*Tom Brennan, Whitehat Security; and
*Wade Woolwine, AOL

served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.

=== February 2009 ===

''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''

Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.

This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.

Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."

(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )

Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip|WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]

''John Steven, Cigital'': '''Moving Beyond Top N Lists'''

Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip|Moving Beyond Top N Lists]]

 Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.

John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.

=== January 2009 ===

To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.

''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''

Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices.

Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.

Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]

''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''

The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially-workable open standards that are tailored to specific web-based technologies.

Mike Boberski works at Booz Allen Hamilton. He has a background in application security and the use of cryptography by applications. He is experienced in trusted product evaluation, security-related software development and integration, and cryptomodule testing. For OWASP, he is the project lead and a co-author of the OWASP Application Security Verification Standard, the first OWASP standard.

Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]

=== November 2008 ===

For our November 2008 meeting, we had two great presentations on software assurance and security testing.

''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''

Nadya's presentation will provide an update on the Software Assurance Forum efforts to establish a comprehensive framework for software assurance (SwA) and security measurement. The Framework addresses measuring achievement of SwA goals and objectives within the context of individual projects, programs, or enterprises. It targets a variety of audiences including executives, developers, vendors, suppliers, and buyers. The Framework leverages existing measurement methodologies, including Practical Software and System Measurement (PSM); CMMI Goal, Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC 27004 and identifies commonalities among the methodologies to help organizations integrate SwA measurement in their overall measurement efforts cost-effectively and as seamlessly as possible, rather than establish a standalone SwA measurement effort within an organization. The presentation will provide an update on the SwA Forum Measurement Working Group work, present the current version of the Framework and underlying measures development and implementation processes, and propose example SwA measures applicable to a variety of SwA stakeholders. The presentation will update the group on the latest NIST and ISO standards on information security measurement that are being integrated into the Framework as the standards are being developed.

Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]

''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''

The Web Security Testing Cookbook (O'Reilly & Associates, October 2008) gives developers and testers the tools they need to make security testing a regular part of their development lifecycle. Its recipe style approach covers manual, exploratory testing as well automated techniques that you can make part of your unit tests or regression cycle. The recipes cover the basics like observing messages between clients and servers, to multi-phase tests that script the login and execution of web application features. This book complements many of the security texts in the market that tell you what a vulnerability is, but not how to systematically test it day in and day out. Leverage the recipes in this book to add significant security coverage to your testing without adding significant time and cost to your effort.

Congratulations to Tim Bond who won an autographed copy of Paco's book. Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]

Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]

=== October 2008 ===

For our October 2008 meeting, we had two fascinating talks relating to forensics.

''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''

Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.

Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]

''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''

Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.

Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]

=== History ===

The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.

==== Chapter Groups ====

Within the chapter, various common interests spring up. We've created Google groups to manage collaboration amongst participants for these topics. Feel free to join and participate in:

*[http://groups.google.com/group/novaowasp_threatmodeling Threat Modeling]
*[http://groups.google.com/group/novaowasp_mobile Mobile]

=== OWASP NoVa Members On Twitter ===

John Steven [http://twitter.com/m1splacedsoul http://twitter.com/m1splacedsoul]

Jack Mannino [http://twitter.com/jack_mannino http://twitter.com/jack_mannino]

Ben Tomhave [http://twitter.com/falconsview http://twitter.com/falconsview]

Ken Johnson [http://twitter.com/cktricky http://twitter.com/cktricky]

Mike Smith [http://twitter.com/rybolov http://twitter.com/rybolov]

Trevor Hawthorn [http://twitter.com/packetwerks http://twitter.com/packetwerks]

Joey Tyson [http://twitter.com/theharmonyguy http://twitter.com/theharmonyguy]

Jeremy Long [http://twitter.com/ctxt http://twitter.com/ctxt]

Ari Elias-Bachrach [http://twitter.com/angelofsecurity http://twitter.com/angelofsecurity]

Venkat Sundaram [http://twitter.com/Vnk3889 http://twitter.com/Vnk3889]

==== Knowledge ====

The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:

*Threat Modeling
*[[Code Review and Static Analysis with tools]]
*Penetration Testing and Dynamic Analysis tools
*Monitoring/Dynamic patching (WAFs)

Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:

*ASVS

=== Static Analysis Curriculum ===

*For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].

The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].

[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]

'''Contacts''' Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.

 

=== Flash Talk Resources ===

Chandu Ketkar on OFS. Download: [http://www.owasp.org/images/1/1c/OFS.pptx OFS Presentation.] [http://jack-mannino.blogspot.com/ Jack Mannino] on Google and Searching for Personal Information Jesse Ou on XML Bombs. Download: [http://www.owasp.org/images/1/18/OWASP_JOU_XML_DTD_Attacks.pptx XML DTD Presentation] 

__NOTOC__ <headertabs />

<paypal>Northern Virginia</paypal>

[[Category:Virginia]] [[Category:Washington,_DC]]

2011-03-16T20:32:23Z

John Steven:

==== '11 Election ====

=== Letter from Chapter President - John Steven ===

=== Chapter Board Responsibilities ===
<A NAME="Responsibilities" />
TBD.

=== Election Procedures ===
<A NAME="Responsibilities" />
TBD.

=== Candidates ===
<A NAME="Candidates" />
TBD.

==== About ====

[[Image:Owasp-nova.JPG|right|275px|Owasp-nova.JPG]]The '''OWASP Northern VA Local Chapter''' meetings are FREE and OPEN to anyone interested in learning more about application security. We encourage individuals to provide knowledge transfer via hands-on training and presentations of specific OWASP projects and research topics and sharing SDLC knowledge.

We the encourage vendor-agnostic presentations to utilize the OWASP Powerpoint template when applicable and individual volunteerism to enable perpetual growth. As a 501(3)c non-profit association donations of meeting space or refreshments sponsorship is encouraged, simply contact the local chapter leaders listed on this page to discuss. Prior to participating with OWASP please review the Chapter Rules.

The chapter is committed to providing an engaging experience for a variety of audience types ranging from local students and those beginning in app-sec, to those experienced and accomplished professionals who are looking for competent collaborators for OWASP-related projects. To this end, we will continue to conduct both monthly chapter meetings as well as out-of-band curricula, on application security topics.

{{Chapter Template|chaptername=Virginia|extra=The chapter leader is [mailto:John.Steven@owasp.org John Steven].

=== Program Committee ===
The OWASP NoVA Chapter Program Committee aims to:

Actively shepherd speakers and and speaking process within the NoVA chapter in order to assure that chapter meetings provide maximum practical benefit to our constituency.

Benefit the broader OWASP community by creating and supporting a 'preferred speaker' list through explicitly gauging, documenting, and sharing speaker quality data gained through feedback from chapter participants.

In pursuit of this charter, we will elect as many as five program committee members that will, over the course of 2010:

* Create easy-to-apply vetting criteria from existing OWASP chapter guidance and ethics rules.
* Assure one program committee personnel applies vetting criteria to each-and-every proposed chapter speaker/material
* Design, document, and implement a chapter participant "speaker survey" / voting mechanism
* Implement a "speaker survey" results display on the OWASP Wiki for the broader OWASP community to consume
* Coordinate with other chapters to set up a 'preferred speaker' list that aggregates data about high-scoring speakers (for the OWASP on-the-move project)

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va|emailarchives=http://lists.owasp.org/pipermail/owasp-wash_dc_va}}

You may also want to follow [http://twitter.com/OWASPNoVA/ @OWASPNoVA] on Twitter.

==== Schedule ====

Meetings are (generally) held the first Thursday of the month.

=== Next Meeting ===

'''Date/Time:''' April 7, 2011 @ 6pm

'''Location Sponsor:''' [http://www.reversespace.com/ ReverseSpace], 13505 Dulles Technology Dr, Suite 3, Herndon, VA 20171

'''AGENDA:'''

* News / Updates
* Topic of the Month: [http://www.owasp.org/index.php/Top_10_2010-A2 A2 "Cross-Site Scripting (XSS)"]
* Preso:"Cross-Site Scripting is Not Your Friend: XSS and the Facebook Platform" by Joey Tyson
* Preso:“XSS Remediation” by Cassia Martin
* Preso:"Growing the secure application developer community through expanded curricula" by Tony Gottlieb
* FireTalks (bring it!)

'''[http://www.regonline.com/owaspnova-april2011 PLEASE RSVP]'''

Please check back for updates, join the mailing list, or follow us on Twitter ([http://twitter.com/OWASPNoVA/ @OWASPNoVA]).

----

=== Upcoming Speakers ===

'''NEWS:''' We will be spending the next few months doing a deep-dive into the OWASP Top 10 list. You will learn from these sessions what the problem is, how it's exploited, and how to mitigate the weakness. We anticipate this being at least 5 months of sessions. We will also potentially supplement

If you want to present, please contact [mailto:John.Steven@owasp.org John] or [mailto:benjamin.tomhave@owasp.org Ben]. We're very open to hearing from all our members.

[http://www.google.com/calendar/hosted/owasp.org/embed?src=owasp.org_1ht5oegk8kd0dtat5cko71e7dc%40group.calendar.google.com&ctz=America/New_York View the OWASP NoVA Chapter Calendar] 

 

----

==== Past meetings ====

=== March 2011 ===

'''Date/Time:''' March 3, 2011 @ 6pm '''Location Sponsor:''' [http://www.boozallen.com/ Booz Allen Hamilton], 13200 Woodland Park Road, Herndon, VA 20171 '''AGENDA:'''

* News / Updates
* [http://www.owasp.org/index.php/OWASP_Summit_2011 OWASP Summit 2011] In Review
* Preso: [http://www.owasp.org/index.php/Top_10_2010-A1-Injection A1 "Injection"]
* Briefing: Training/Preso Plan for the Year

=== February 2011 ===

'''Date/Time:''' February 3, 2011 @ 6pm '''Location Sponsor:''' [http://www.akamai.com/ Akamai], 11111 Sunset HIlls Dr, Suite 250, Reston, VA 20190 '''AGENDA:'''

* News / Updates
* Feedback for [http://www.owasp.org/index.php/OWASP_Summit_2011 OWASP Summit 2011]
* Preso: Intro to [http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top 10] + 2
* Briefing: Training/Preso Plan for the Year

=== December 2010 ===

'''Date/Time:''' December 2, 2010 @ 6pm '''Location Sponsor:''' [http://hackerspaces.org/wiki/Reverse_Space ReverseSpace], 13505 Dulles Technology Drive, Herndon, VA '''AGENDA:'''

* 2011 Planning Session (Schedule, Volunteers, Speakers, Topics)
* Lightning Talks!! (Bring an idea, a question, a topic, whatever - 5-10 minute talks max!)
* Social / Networking (BYOB!)

=== November 2010 ===

'''Date/Time:''' November 4, 2010 @ 6pm '''Location Sponsor:''' Akamai, 11111 Sunset Hills Rd, Suite #250, Reston, VA '''Speaker:''' Ben Tomhave '''Title:''' The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform '''Description:''' What we're doing today is not working and isn't sustainable. The fundamental culture of the average business does not encourage making good security decisions. Software shops continue to focus on functionality and timelines, neglecting information security. In spite of regulations like PCI and HIPAA+HITECH, which are levying fines against organizations for their security failures, the tipping point has clearly not been reached to cause meaningful change. Much of this problem can be attributed to the excessive use of negative incentives (sticks) instead of providing positive incentives (carrots) that inspire better decision making and motivate true change. Fortunately, it's not too late to change tactics and start achieving demonstrable success. '''Speaker Bio:''' Ben Tomhave is a Senior Security Analyst with Gemini Security Solutions in Chantilly, VA, specializing in solutions architecture, security planning, program development and management, and other strategic security solutions. He holds a MS in Engineering Management with an Information Security Management concentration from The George Washington University and is a CISSP.

=== June 2010 ===

'''DATE''': Thursday, June 3rd, 6pm Eastern Daylight Time '''LOCATION''': Booz Allen Hamilton - 13200 Woodland Park Road Herndon, VA 20171 '''SPEAKER''': Alex Hutton, Verizon Business and http://www.newschoolsecurity.com/ '''TOPIC''': Risk Management - Time to blow it up and start over? 

'''DESCRIPTION''':

A redux of the presentation that Alex delivered at B-Sides San Francisco during RSA 2010. "Now that the industry is trying to formalize the concept of risk management into neat little compartments like standards (ISO 27005/31000), certifications (CRISC) and products (GRC) guess what? We're doing it wrong. Fundamentally wrong. This talk will discuss why all this current risk management stuff is goofy and what sort of alternatives we have that might help us understand our ability to protect, our tendency towards failure, and how to match that up with what management will stomach."

Slides are available from: http://www.slideshare.net/BSides/risk-management-time-to-blow-it-up-and-start-over-alex-hutton

 '''SPECIAL SPEAKER''':

[http://twitter.com/tiffanyrad Tiffany Rad] provided an overview and update on [http://twitter.com/reversespace Reverse Space] in Herndon, VA. For more information, or to help out, please join the [http://groups.google.com/group/ReverseSpace Reverse Space Google Group].

 

=== May 2010 ===

'''DATE''': Tuesday, May 18th, 6pm Eastern Daylight Time '''LOCATION''': Booz Allen Hamilton - 13200 Woodland Park Road Herndon, VA 20171 '''SPEAKER'''': Jeff Ennis, Senior Solutions Architect, Veracode '''TITLE''': State of Software Security ([[Image:State of Software Security-Ennis.ppsx.zip]]) '''DESCRIPTION''':

A discussion of the current state of software security based on the compiled findings by Veracode from the dynamic and static code analysis they have performed for customers.

=== September 2009 ===

'''DATE''': Thursday, September 17, 2009. 6:00pm Eastern Daylight Time '''LOCATION''': 22260 Pacific blvd, Sterling, VA. 20166 '''TOPIC''': "Fortify 360" '''SPEAKER''': Erik Klein (Fortify Software), Eric Dalci (Cigital) '''DESCRIPTION''':

We're pleased to invite you to our next week's OWASP Session (Thursday September 17th). We will be hosting a presentation, demo and hands on session of Fortify 360 (http://www.fortify.com). Fortify 360 includes Fortify SCA (Source Code Analyzer) and the Fortify 360 Server which is Fortify's solution for an enterprise deployment of SCA. The session will start with a presentation by Fortify engineers, followed by a demo and finally a hands on session where the audience will be free to install Fortify SCA on the machine and try it the SCA tool on a sample application that we will provide. The audience will also be introduced with the Fortify 360 Server and try some of the enterprise level features such as collaborative code review, metrics and so on. Bring your laptop if you want to try Fortify 360!

The target audience is anyone interested in Secure Code Review with a Static Analysis tool at the desktop level and/or enterprise level. We will need to register visitors before hand...please email wade.woolwine@owasp.org for registration and confirm attendance. Pizza and refreshments will be served.

'''DATE''': Thursday, September 3, 2009. 6:00pm. '''LOCATION''': 13200 Woodland Park Road Herndon, VA 20171 '''TOPIC''': "Conducting Application Assessment" '''SPEAKER''': Jeremy Epstein, SRI '''DESCRIPTION''':

After the 2000 election, many states launched headlong into electronic voting systems to avoid the problems with "hanging chads". Once problems with those systems started appearing, many localities started moving to optical scan, which was used by a majority of US voters in the 2008 election. There are other technologies in use around the country, including lever machines, vote-by-mail, vote-by-phone, and Internet voting. What are the tradeoffs among these technologies? Particularly relevant to OWASP, what are the security issues associated with different types of equipment, and what measures do vendors of voting equipment use to try to address the security problems? Are software security problems important, or can non-technical measures protect against them? In this talk, we'll discuss a wide variety of voting technologies, and their pros and cons from both a technical and societal perspective.

'''ABOUT THE SPEAKER''':

Jeremy Epstein is Senior Computer Scientist at SRI International. His background includes more than 20 years experience in computer security research, product development, and consulting. Prior to joining SRI International, he was Principal Consultant with Cigital, and before that spent nine years as Senior Director of Product Security at Software AG, an international business software company. Within the area of voting systems, Jeremy has been involved for over five years in voting technology and advocacy, both as an employee and as an independent consultant.

 

=== July 2009 ===

'''DATE''': July 9th 6pm-9pm EST '''LOCATION''': 13200 Woodland Park Road Herndon, VA 20171 '''TOPIC''': "Ounce's 02" '''SPEAKER(S)''': Dinis Cruz, OWASP, Ounce Labs. '''DESCRIPTION''': So what is O2?

Well in my mind O2 is a combination of advanced tools (Technology) which are designed to be used on a particular way (Process) by knowledgeable Individuals (People)

Think about it as a Fighter Jet who is able to go very fast, has tons of controls, needs to be piloted by somebody who knows what they are doing and needs to have a purpose (i.e. mission).

Basically what I did with O2 was to automate the workflow that I have when I'm engaged on a source-code security review.

Now, here is the catch, this version is NOT for the faint-of-heart. I designed this to suit my needs, which although are the same as most other security consultants, have its own particularities :)

The whole model of O2 development is based around the concept of automating a security consultant’s brain, so I basically ensure that the main O2 Developer (Dinis Cruz) has a very good understanding of the feature requirements of the targeted Security Consultant (Dinis Cruz) :) . And this proved (even to my surprise) spectacularly productive, since suddenly I (i.e. the security consultant) didn't had to wait months for new features to be added to its toolkit. If there was something that needed to be added, it would just be added in days or hours.

=== June 2009 ===

''Gary McGraw, Cigital Inc.'':''Building Security In Maturity Model'' Later, an interview: ''Jim Routh, formerly of DTCC'':''The Economic Advantages of a Resilient Supply Chain- Software Security'' '' ''

Gary McGraw talked about the experience he, Sammy Migues, and Brian Chess gained conducting a survey of some of America's top Software Security groups. Study results are available under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Share Alike license] at [http://www.bsi-mm.com www.bsi-mm.com]. Gary described the common structural elements and activities of successful software security programs, present the maturity model that resulted from survey data, and discuss lessons learned from listening to those leading these groups.

Jim Routh gave an incredibly insightful interview regarding his own experiences crafting their security group.

Download presentation notes at: [http://www.owasp.org/images/0/03/JMR-Economics_of_Security_Goups.ppt The Economic Advantages of a Resilient Supply Chain- Software Security]

=== May 2009 ===

''Eric Dalci, Cigital Inc.'':''Introduction to Static Analysis'' Later, a panel:

*Steven Lavenhar, Booz Allen Hamilton;
*Eric Dalci, Cigital Inc.

Panel moderated by John Steven 

This session is an introductory to Static Analysis. This session presents the different types of analysis used by today's Static Analysis tools. Examples of direct application to find vulnerabilities will be shown (ex: Data Flow Analysis, Semantic, Control Flow, etc.). Current limitations of Static Analysis will also be exposed. This session is tool agnostic, but will cover the approach taken by various leading commercial (as well as open-source) tools.

Download: [http://www.owasp.org/images/e/ea/OWASP_Virginia_Edalci_May09.pdf Intro to Static Analysis]

=== April 2009 ===

''Jeremiah Grossman, Whitehat Security'': '''Top 10 Web Hacking Techniques 2008''' Jeremiah Spoke on (what he and colleagues determined were the) top ten web hacking techniques of 2008. This talk was a preview of his RSA '09 talk. 

Download http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_OWASPNoVA04082008.pdf

 Later,

*Nate Miller, Stratum Security;
*Jeremiah Grossman, Whitehat Security;
*Tom Brennan, Whitehat Security; and
*Wade Woolwine, AOL

served as penetration testing panels answering questions posed and moderated by Ken Van Wyk.

=== February 2009 ===

''Ryan C. Barnett, Breach Security'': '''Patching Challenge: Securing WebGoat with ModSecurity'''

Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.

This talk will provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the talk, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of some of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this talk is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.

Ryan C. Barnett is the Director of Application Security Research at Breach Security and leads Breach Security Labs. He is also a Faculty Member for the SANS Institute, Team Lead for the Center for Internet Security Apache Benchmark Project and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."

(This talk is a preview of Ryan's talk at Blackhat Federal the following week - see https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Barnett )

Download [[Media:Virtual_Patching_Ryan_Barnett_Blackhat_Federal_09.zip|WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity]]

''John Steven, Cigital'': '''Moving Beyond Top N Lists'''

Download [[Media:Moving_Beyond_Top_N_Lists.ppt.zip|Moving Beyond Top N Lists]]

 Cigital published an article: The Top 11 Reasons Why Top 10 (or 25) Lists Don’t Work. Yet, these lists are a staple of conference abstracts, industry best practice lists, and the like. Are they good or bad? We’ll explore how to get beyond the Top 10 (or 25) list in making your software security effort real.

John is Senior Director, Advanced Technology Consulting at Cigital. His experience includes research in static code analysis and hands-on architecture and implementation of high-performance, scalable Java EE systems. John has provided security consulting services to a broad variety of commercial clients including two of the largest trading platforms in the world and has advised America's largest internet provider in the Midwest on security and forensics. John led the development of Cigital's architectural analysis methodology and its approach to deploying enterprise software security frameworks. He has demonstrated success in building Cigital's intellectual property for providing cutting-edge security. He brings this experience and a track record of effective strategic innovation to clients seeking to change, whether to adopt more cutting-edge approaches, or to solidify ROI. John currently chairs the SD Best Practices security track and co-edits the building security in department of IEEE's Security and Privacy magazine. John has served on numerous conference panels regarding software security, wireless security and Java EE system development. He holds a B.S. in Computer Engineering and an M.S. in Computer Science from Case Western Reserve University.

=== January 2009 ===

To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.

''Michele Moss, Booz Allen Hamilton'': '''Evolutions In The Relationship Between Application Security And The CMMI'''

Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices.

Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.

Slides available: [[http://www.epsteinmania.com/owasp/Moss-AppSecurityAndCMMI.pdf]]

''Mike Boberski, Booz Allen Hamilton'': '''About OWASP ASVS'''

The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially-workable open standards that are tailored to specific web-based technologies.

Mike Boberski works at Booz Allen Hamilton. He has a background in application security and the use of cryptography by applications. He is experienced in trusted product evaluation, security-related software development and integration, and cryptomodule testing. For OWASP, he is the project lead and a co-author of the OWASP Application Security Verification Standard, the first OWASP standard.

Slides available: [[https://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt]]

=== November 2008 ===

For our November 2008 meeting, we had two great presentations on software assurance and security testing.

''Nadya Bartol, Booz Allen Hamilton'': '''Framework for Software Assurance'''

Nadya's presentation will provide an update on the Software Assurance Forum efforts to establish a comprehensive framework for software assurance (SwA) and security measurement. The Framework addresses measuring achievement of SwA goals and objectives within the context of individual projects, programs, or enterprises. It targets a variety of audiences including executives, developers, vendors, suppliers, and buyers. The Framework leverages existing measurement methodologies, including Practical Software and System Measurement (PSM); CMMI Goal, Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC 27004 and identifies commonalities among the methodologies to help organizations integrate SwA measurement in their overall measurement efforts cost-effectively and as seamlessly as possible, rather than establish a standalone SwA measurement effort within an organization. The presentation will provide an update on the SwA Forum Measurement Working Group work, present the current version of the Framework and underlying measures development and implementation processes, and propose example SwA measures applicable to a variety of SwA stakeholders. The presentation will update the group on the latest NIST and ISO standards on information security measurement that are being integrated into the Framework as the standards are being developed.

Slides available: [[http://www.epsteinmania.com/owasp/Bartol-MeasurementForOWASP11-13-08.pdf]]

''Paco Hope, Cigital'': '''The Web Security Testing Cookbook'''

The Web Security Testing Cookbook (O'Reilly & Associates, October 2008) gives developers and testers the tools they need to make security testing a regular part of their development lifecycle. Its recipe style approach covers manual, exploratory testing as well automated techniques that you can make part of your unit tests or regression cycle. The recipes cover the basics like observing messages between clients and servers, to multi-phase tests that script the login and execution of web application features. This book complements many of the security texts in the market that tell you what a vulnerability is, but not how to systematically test it day in and day out. Leverage the recipes in this book to add significant security coverage to your testing without adding significant time and cost to your effort.

Congratulations to Tim Bond who won an autographed copy of Paco's book. Get your copy here [[http://www.amazon.com/Security-Testing-Cookbook-Paco-Hope/dp/0596514832]]

Slides available: [[http://www.epsteinmania.com/owasp/PacoHope-WebSecCookbook.pdf]]

=== October 2008 ===

For our October 2008 meeting, we had two fascinating talks relating to forensics.

''Dave Merkel, Mandiant'': '''Enterprise Grade Incident Management - Responding to Persistent Threats'''

Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.

Slides available: [[http://www.epsteinmania.com/owasp/Mandiant-EnterpriseIRandAPTpresentation.pdf]]

''Inno Eroraha, NetSecurity'': '''[Responding to the Digital Crime Scene: Gathering Volatile Data'''

Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.

Slides available: [[http://www.epsteinmania.com/owasp/NetSecurity-RespondingToTheDigitalCrimeScene-GatheringVolatileData-TechnoForensics-102908.pdf] ]

=== History ===

The original DC Chapter was founded in June 2004 by [mailto:jeff.williams@owasp.org Jeff Williams] and has had members from Virginia to Delaware. In April 2005 a new chapter, OWASP Washington VA Local Chapter, was formed and the DC Chapter was renamed to DC-Maryland. The two are sister chapters and include common members and shared discourse. The chapters meet in opposite halves of the month to facilitate this relationship.

==== Chapter Groups ====

Within the chapter, various common interests spring up. We've created Google groups to manage collaboration amongst participants for these topics. Feel free to join and participate in:

*[http://groups.google.com/group/novaowasp_threatmodeling Threat Modeling]
*[http://groups.google.com/group/novaowasp_mobile Mobile]

==== Knowledge ====

The Northern Virginia (NoVA) chapter is committed to compiling resources on interesting and valuable topic areas. We hope that this structure helps you access information pertinent to your tasks at hand as you move through a secure application development life cycle. Currently, our topic areas of focus include activities such as:

*Threat Modeling
*[[Code Review and Static Analysis with tools]]
*Penetration Testing and Dynamic Analysis tools
*Monitoring/Dynamic patching (WAFs)

Certain projects our members are involved in cross-cut these activities, providing value throughout. They include:

*ASVS

=== Static Analysis Curriculum ===

*For an introduction to the OWASP Static Analysis (SA) Track goals, objectives, and session roadmap, please see [http://www.owasp.org/index.php/Image:OWASP_NoVA_SA_Track_Final_20090408.ppt this presentation].

The following is the agenda of the OWASP Static Analysis track roadmap for the [http://www.owasp.org/index.php/Virginia_(Northern_Virginia) Northern Virginia Chapter].

[[Image:Owasp SAtrack plan.png|OWASP Static Analysis Roadmap - Northern Virginia Chapter 2009]]

'''Contacts''' Questions related to this curriculum should be sent to [mailto:John.Steven@owasp.org John Steven], who is the Northern Virginia chapter leader.

 

=== Flash Talk Resources ===

Chandu Ketkar on OFS. Download: [http://www.owasp.org/images/1/1c/OFS.pptx OFS Presentation.] [http://jack-mannino.blogspot.com/ Jack Mannino] on Google and Searching for Personal Information Jesse Ou on XML Bombs. Download: [http://www.owasp.org/images/1/18/OWASP_JOU_XML_DTD_Attacks.pptx XML DTD Presentation] 

__NOTOC__ <headertabs />

<paypal>Northern Virginia</paypal>

[[Category:Virginia]] [[Category:Washington,_DC]]

Virginia

2011-03-13T20:00:51Z

John Steven:

Global Conferences Committee - Application 9

2011-02-23T13:08:32Z

John Steven:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----
{| style="width:100%" border="0" align="center"
! colspan="2" align="center" style="background:#4058A0; color:white"|'''COMMITTEE APPLICATION FORM'''
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Applicant's Name'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|Benjamin (Ben) Tomhave
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Current and past OWASP Roles'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|OWASP NoVA Program Committee member, OWASP Summit 2011 attendee
|-
| style="width:25%; background:#7B8ABD" align="center"| '''Committee Applying for'''
| colspan="1" style="width:85%; background:#cccccc" align="left"|Global Conferences Committee
|}
----

----
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''.
An incomplete application will not be considered for vote.
----

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''COMMITTEE RECOMMENDATIONS'''
|-
! align="center" style="background:white; color:white"|
! align="center" style="background:#7B8ABD; color:white"|'''Who Recommends/Name'''
! align="center" style="background:#7B8ABD; color:white"|'''Role in OWASP'''
! align="center" style="background:#7B8ABD; color:white"|'''Recommendation Content'''
|-
| style="width:3%; background:#cccccc" align="center"|'''1'''
| style="width:20%; background:#cccccc" align="center"|Dan Cornell
| style="width:20%; background:#cccccc" align="center"|Global Membership Committee Chair
| style="width:57%; background:#cccccc" align="center"|Ben's involvement in the OWASP NoVA chapter as well as his outreach to other organizations such as Security BSides make him an excellent candidate to be on the Global Conference Committee.
|-
| style="width:3%; background:#cccccc" align="center"|'''2'''
| style="width:20%; background:#cccccc" align="center"|John Steven
| style="width:20%; background:#cccccc" align="center"|NoVA Chapter President
| style="width:57%; background:#cccccc" align="center"|Ben's work in the chapter has been exemplary and he has concrete, practical, and good ideas.
|-
| style="width:3%; background:#cccccc" align="center"|'''3'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|-
| style="width:3%; background:#cccccc" align="center"|'''4'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|-
| style="width:3%; background:#cccccc" align="center"|'''5'''
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:57%; background:#cccccc" align="center"|
|}
----

User:John Steven

2011-02-06T02:05:07Z

John Steven: Created page with "John leads the Virginia OWASP Northern Virginia (NoVA) chapter. Follow the chapter on [http://www.twitter.com/OWASPNoVA OWASPNoVA] '''Projects''' John has: *Contri..."

John leads the [[Virginia OWASP Northern Virginia (NoVA) chapter]]. Follow the chapter on [http://www.twitter.com/OWASPNoVA OWASPNoVA]

 '''Projects'''

John has:

*Contributed to  [[O2]]
*Created the [http://www.owasp.org/index.php/Category:Summit_2011_OWASP_Secure_Coding_Workshop_Track Secure Coding Workshop] 

 '''Professional'''

John Steven is Senior Director of Advanced Technology Consulting at Cigital with over a decade of hands-on experience in software security. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction as a trusted adviser to many multi-national corporations. John's keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine and speaks with regularity at conferences and trade shows. John holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.

'''Resources'''

*[http://www.cigital.com/justiceleague/author/jOHN/ Cigital Blog]
*[http://codepoetic.blogspot.com Development Blog]
*[http://www.twitter.com/m1splacedsoul Twitter]

Summit 2011 Working Sessions/Session054

2011-02-06T01:44:31Z

John Steven:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude>
|-

| summit_session_attendee_name1 = John Steven
| summit_session_attendee_email1 = John.Steven@owasp.org
| summit_session_attendee_username1 = John Steven
| summit_session_attendee_company1= Cigital
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=

| summit_session_attendee_name2 =
| summit_session_attendee_email2 =
| summit_session_attendee_username2 =
| summit_session_attendee_company2=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=

| summit_session_attendee_name3 =
| summit_session_attendee_email3 =
| summit_session_attendee_username3 =
| summit_session_attendee_company3=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=

| summit_session_attendee_name4 =
| summit_session_attendee_email4 =
| summit_session_attendee_username4 =
| summit_session_attendee_company4=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=

| summit_session_attendee_name5 =
| summit_session_attendee_email5 =
| summit_session_attendee_username5 =
| summit_session_attendee_company5=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=

| summit_session_attendee_name6 =
| summit_session_attendee_email6 =
| summit_session_attendee_username6 =
| summit_session_attendee_company6=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=

| summit_session_attendee_name7 =
| summit_session_attendee_email7 =
| summit_session_attendee_username7 =
| summit_session_attendee_company7=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=

| summit_session_attendee_name8 =
| summit_session_attendee_email8 =
| summit_session_attendee_username8 =
| summit_session_attendee_company8=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=

| summit_session_attendee_name9 =
| summit_session_attendee_email9 =
| summit_session_attendee_username9 =
| summit_session_attendee_company9=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=

| summit_session_attendee_name10 =
| summit_session_attendee_email10 =
| summit_session_attendee_username10 =
| summit_session_attendee_company10=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=

| summit_session_attendee_name11 =
| summit_session_attendee_email11 =
| summit_session_attendee_username11 =
| summit_session_attendee_company11=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=

| summit_session_attendee_name12 =
| summit_session_attendee_email12 =
| summit_session_attendee_username12 =
| summit_session_attendee_company12=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=

| summit_session_attendee_name13 =
| summit_session_attendee_email13 =
| summit_session_attendee_username13 =
| summit_session_attendee_company13=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=

| summit_session_attendee_name14 =
| summit_session_attendee_email14 =
| summit_session_attendee_username14 =
| summit_session_attendee_company14=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=

| summit_session_attendee_name15 =
| summit_session_attendee_email15 =
| summit_session_attendee_username15 =
| summit_session_attendee_company15=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=

| summit_session_attendee_name16 =
| summit_session_attendee_email16 =
| summit_session_attendee_username16 =
| summit_session_attendee_company16=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=

| summit_session_attendee_name17 =
| summit_session_attendee_email17 =
| summit_session_attendee_username17 =
| summit_session_attendee_company17=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=

| summit_session_attendee_name18 =
| summit_session_attendee_email18 =
| summit_session_attendee_username18 =
| summit_session_attendee_company18=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=

| summit_session_attendee_name19 =
| summit_session_attendee_email19 =
| summit_session_attendee_username19 =
| summit_session_attendee_company19=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=

| summit_session_attendee_name20 =
| summit_session_attendee_email20 =
| summit_session_attendee_username20 =
| summit_session_attendee_company20=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=

|-
| summit_track_logo = [[Image:T._global_committees.jpg]]
| summit_ws_logo = [[Image:WS._global_commitee.jpg‎]]
| summit_session_name = Board Structure
| summit_session_url = http://www.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session054
| mailing_list =
|-

| short_working_session_description=

|-

| related_project_name1 =
| related_project_url_1 =

| related_project_name2 =
| related_project_url_2 =

| related_project_name3 =
| related_project_url_3 =

| related_project_name4 =
| related_project_url_4 =

| related_project_name5 =
| related_project_url_5 =

|-

| summit_session_objective_name1=

| summit_session_objective_name2 =

| summit_session_objective_name3 =

| summit_session_objective_name4 =

| summit_session_objective_name5 =

|-

| working_session_date_and_time =

|-

| discussion_model = participants and attendees

|-

| operational_resources = Projector, whiteboards, markers, Internet connectivity, power

|-

| working_session_additional_details =

|-

|summit_session_deliverable_name1 =

|summit_session_deliverable_name2 =

|summit_session_deliverable_name3 =

|summit_session_deliverable_name4 =

|summit_session_deliverable_name5 =

|summit_session_deliverable_name6 =

|summit_session_deliverable_name7 =

|summit_session_deliverable_name8 =

|-

| summit_session_leader_name1 =
| summit_session_leader_email1 =
| summit_session_leader_username1 =

| summit_session_leader_name2 =
| summit_session_leader_email2 =
| summit_session_leader_username2 =

| summit_session_leader_name3 =
| summit_session_leader_email3 =
| summit_session_leader_username3 =
|-

| operational_leader_name1 =
| operational_leader_email1 =
| operational_leader_username1 =

|-

| meeting_notes =

|-
| session_name_mask =  Session054
| session_home_page =  Summit_2011_Working_Sessions/Session054
}}

Summit 2011 Working Sessions/Session028

2011-02-02T17:12:17Z

John Steven:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude>
|-

| summit_session_attendee_name1 = Elke Roth-Mandutz
| summit_session_attendee_email1 = elke.roth-mandutz@ohm-hochschule.de
| summit_session_attendee_username1 =
| summit_session_attendee_company1= GSO-University of Applied Sciences
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=

| summit_session_attendee_name2 =
| summit_session_attendee_email2 =
| summit_session_attendee_username2 =
| summit_session_attendee_company2=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=

| summit_session_attendee_name3 = Chris Schmidt
| summit_session_attendee_email3 = chris.schmidt@owasp.org
| summit_session_attendee_username3 =
| summit_session_attendee_company3=Aspect Security
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=

| summit_session_attendee_name4 = Justin Clarke
| summit_session_attendee_email4 = justin.clarke@owasp.org
| summit_session_attendee_username4 =
| summit_session_attendee_company4=Gotham Digital Science
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=

| summit_session_attendee_name5 =
| summit_session_attendee_email5 =
| summit_session_attendee_username5 =
| summit_session_attendee_company5=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=

| summit_session_attendee_name6 =
| summit_session_attendee_email6 =
| summit_session_attendee_username6 =
| summit_session_attendee_company6=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=

| summit_session_attendee_name7 =
| summit_session_attendee_email7 =
| summit_session_attendee_username7 =
| summit_session_attendee_company7=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=

| summit_session_attendee_name8 =
| summit_session_attendee_email8 =
| summit_session_attendee_username8 =
| summit_session_attendee_company8=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=

| summit_session_attendee_name9 =
| summit_session_attendee_email9 =
| summit_session_attendee_username9 =
| summit_session_attendee_company9=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=

| summit_session_attendee_name10 =
| summit_session_attendee_email10 =
| summit_session_attendee_username10 =
| summit_session_attendee_company10=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=

| summit_session_attendee_name11 =
| summit_session_attendee_email11 =
| summit_session_attendee_username11 =
| summit_session_attendee_company11=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=

| summit_session_attendee_name12 =
| summit_session_attendee_email12 =
| summit_session_attendee_username12 =
| summit_session_attendee_company12=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=

| summit_session_attendee_name13 =
| summit_session_attendee_email13 =
| summit_session_attendee_username13 =
| summit_session_attendee_company13=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=

| summit_session_attendee_name14 =
| summit_session_attendee_email14 =
| summit_session_attendee_username14 =
| summit_session_attendee_company14=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=

| summit_session_attendee_name15 =
| summit_session_attendee_email15 =
| summit_session_attendee_username15 =
| summit_session_attendee_company15=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=

| summit_session_attendee_name16 =
| summit_session_attendee_email16 =
| summit_session_attendee_username16 =
| summit_session_attendee_company16=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=

| summit_session_attendee_name17 =
| summit_session_attendee_email17 =
| summit_session_attendee_username17 =
| summit_session_attendee_company17=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=

| summit_session_attendee_name18 =
| summit_session_attendee_email18 =
| summit_session_attendee_username18 =
| summit_session_attendee_company18=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=

| summit_session_attendee_name19 =
| summit_session_attendee_email19 =
| summit_session_attendee_username19 =
| summit_session_attendee_company19=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=

| summit_session_attendee_name20 =
| summit_session_attendee_email20 =
| summit_session_attendee_username20 =
| summit_session_attendee_company20=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=

|-
| summit_track_logo = [[Image:T._secure_coding.jpg]]
| summit_ws_logo = [[Image:WS._secure_coding.jpg]]
| summit_session_name = Protecting Information Stored Client-Side
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session028
| mailing_list =
|-

| short_working_session_description=This section will focus on providing mechanisms for protecting important or sensitive data applications and services need to store client-side. Contexts this section aims to cover include:

* Personal or user-specific information
* Application-specific information (tokens, secrets)
* Key configuration data, other EIS/service information

For the purpose of the Portugal Summit, the session will focus on development within a "classic" N-tier Java application environment.

|-

| related_project_name1 =
| related_project_url_1 =

| related_project_name2 =
| related_project_url_2 =

| related_project_name3 =
| related_project_url_3 =

| related_project_name4 =
| related_project_url_4 =

| related_project_name5 =
| related_project_url_5 =

|-

| summit_session_objective_name1= Produce an informal threat model for each development scenario

| summit_session_objective_name2 = Impart clear and simple shared understanding of threats associated with each development scenario (and dispel common misunderstandings/idioms)

| summit_session_objective_name3 = Define solution that resists defined attacks

| summit_session_objective_name4 = Deliver solution implementation (snippets) to https://code.google.com/p/secure-coding-workshop/

| summit_session_objective_name5 =

|-

| working_session_date_and_time =

|-

| discussion_model = participants and attendees

|-

| operational_resources = Projector, whiteboards, markers, Internet connectivity, power

|-

| working_session_additional_details = Within the N-tier Java environment, the session will tackle the following development scenarios:

1) - Coat Check
* Removing information from a client
* Server-side storage, memento pattern
* Solving scale issues
2) - Purse
* Storing app-important information (like a purse)
* Resisting attack with augmented plain-text storage!
* Supporting back, reload, etc.
* Patterns & design for anti-tampering protocols
3) - Nuclear Briefcase
* Sensitive, opaque information
* Shuttling information between 3rd parties

Future summits will address the following two contexts as well:

* Phones (ios, Android)
* RIA

However, for the purpose of this coming session, we will only conduct planning and 'homework assignments' for these contexts in the next session (likely Minnesota).

The session will work each of the three above development scenarios within the n-tier environment using the following work stream:

* Define problem
* Conduct Cigital-style Threat Model (TM) exercise
* Co-design solution based on particular threats and attack vectors
* Implement solution within provided sample application-ette
* Discuss testing and verification strategies for solution.

Participants will be taken through the above work stream, an abbreviated 'build security in' process designed to focus on implementation (rather than documentation or assurance), to restructure applications to demonstrate security patterns, integrate existing security functionality, or build security controls as necessary.

|-

|summit_session_deliverable_name1 = (see objectives) Threat Models
|summit_session_deliverable_name2 = (see objectives) Code Snippets

|summit_session_deliverable_name3 = Plan and Extra-summit work-items for exercises in Phone and RIA contexts during next summit

|summit_session_deliverable_name4 =

|summit_session_deliverable_name5 =

|summit_session_deliverable_name6 =

|summit_session_deliverable_name7 =

|summit_session_deliverable_name8 =

|-

| summit_session_leader_name1 = John Steven
| summit_session_leader_email1 = John.Steven@owasp.org

| summit_session_leader_name2 =
| summit_session_leader_email2 =
| summit_session_leader_username2 =

| summit_session_leader_name3 =
| summit_session_leader_email3 =
| summit_session_leader_username3 =

|-

| operational_leader_name1 =
| operational_leader_email1 =
| operational_leader_username1 =

|-
| meeting_notes =

|-
| session_name_mask =  Session028
| session_home_page =  Summit_2011_Working_Sessions/Session028
}}