OWASP - User contributions [en]

Source Code Analysis Tools

2019-10-21T19:13:35Z

Koussa:

[[Static_Code_Analysis | Source code analysis]] tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.

== Strengths and Weaknesses ==

=== Strengths ===

* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected

=== Weaknesses ===

* Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Important Selection Criteria==

* Requirement: Must support your programming language, but not usually a key factor once it does.
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)
* How accurate is it? False Positive/False Negative rates?
** Does the tool have an OWASP [[Benchmark]] score?
* Does it understand the libraries/frameworks you use?
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* How hard is it to setup/use?
* Can it be run continuously and automatically?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

==OWASP Tools Of This Type==

* [[OWASP SonarQube Project]]
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]]

==Disclaimer==

Disclaimer: The tools listed in the tables below are presented in alphabetical order. OWASP does not endorse any of the vendors or tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

==Open Source or Free Tools Of This Type==

* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby
* [https://discotek.ca/deepdive.xhtml Deep Dive] - Byte code analysis tool for discovering vulnerabilities in Java deployments (Ear, War, Jar).
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.
* [https://pyre-check.org/ Pyre] - A performant type-checker for Python 3, that also has [https://pyre-check.org/docs/static-analysis.html limited security/data flow analysis] capabilities.
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS Open Source is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.
* [https://discotek.ca/sinktank.xhtml Sink Tank] - Byte code static code analyzer for performing source/sink (taint) analysis.
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.

[https://docs.gitlab.com/ee/user/application_security/sast/index.html#supported-languages-and-frameworks GitLab has lashed a free SAST tool for a bunch of different languages natively into GitLab. So you might be able to use that, or at least identify a free SAST tool for the language you need from that list].

==Commercial Tools Of This Type==
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service.
* [https://www.ibm.com/us-en/marketplace/ibm-appscan-source AppScan Source] (IBM)
* [https://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.
* [https://bugscout.io/en/ bugScout] (Nalbatech, Formally Buguroo)
* [https://www.castsoftware.com/products/application-intelligence-platform CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages. [https://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards AIP's security specific coverage is here].
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)
* [https://www.grammatech.com/products/codesonar CodeSonar] tool that supports C, C++, Java and C# and maps against the OWASP top 10 vulnerabilities.
* [https://www.contrastsecurity.com/interactive-application-security-testing-iast Contrast Assess] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)
* [https://www.microfocus.com/en-us/products/static-code-analysis-sast Fortify] (Micro Focus, Formally HP)
* [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection] (Hdiv Security) - Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis.
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)
* [https://www.ptsecurity.com/ww-en/products/ai/ PT Application Inspector] combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation for high accuracy rate with minimum false positives; has a unique capability to generate special test queries (exploits) to verify detected vulnerabilities during SAST analysis; integrates with CI/CD, VCS, etc. PT AI helps to easily understand, verify, and fix flaws; has a simple UI; is highly automated and easy to use. Supported languages are Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#
* [https://www.reshiftsecurity.com reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019.
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for Java and PHP that detects unknown security vulnerabilities and code quality issues.
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)
* [http://www.xanitizer.net Xanitizer] - Scans Java and Scala for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).

==More info==

* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools
* [[Free for Open Source Application Security Tools]] - This page lists the Commercial Source Code Analysis Tools (SAST) we know of that are free for Open Source

[[Category:OWASP .NET Project]]
[[Category:SAMM-CR-2]]
__NOTOC__

Free for Open Source Application Security Tools

2019-10-21T19:12:57Z

Koussa: Changed the reshift link to point to the new website.

__NOTOC__
== Introduction ==
OWASP's mission is to help the world improve the security of its software. One of the best ways OWASP can do that is to help Open Source developers improve the software they are producing that everyone else relies on. As such, the following lists of '''automated vulnerability detection tools''' that are '''free for open source''' projects have been gathered together here to raise awareness of their availability.

We would encourage open source projects to use the following types of tools to improve the security and quality of their code:
* Static Application Security Testing ([[SAST]]) Tools
* Dynamic Application Security Testing ([[DAST]]) Tools - (Primarily for web apps)
* Interactive Application Security Testing (IAST) Tools - (Primarily for web apps and web APIs)
* Keeping Open Source libraries up-to-date (to avoid [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]])
* Static Code Quality Tools

 '''Disclaimer:''' OWASP does not endorse any of the Vendors or Scanning Tools by listing them below. They are simply listed if we believe they are free for use by open source projects. We have made every effort to provide this information as accurately as possible. If you are the vendor of a free for open source tool and think this information is incomplete or incorrect, please send an e-mail to dave.wichers (at) owasp.org and we will make every effort to correct this information.

== Free for Open Source Tools ==
Tools that are free for open source projects in each of the above categories are listed below.

=== SAST Tools ===
OWASP already maintains a page of known SAST tools: [[Source Code Analysis Tools]], which includes a list of those that are "Open Source or Free Tools Of This Type". Any such tools could certainly be used. One such cloud service that looks promising is:
* [https://lgtm.com/help/lgtm/about-lgtm LGTM.com] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python
In addition, we are aware of the following commercial SAST tools that are free for Open Source projects:
* [https://scan.coverity.com/ Coverity Scan Static Analysis] - Can be lashed into Travis-CI so it's done automatically with online resources. Supports over a dozen programming languages as documented here in the section [https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html Comprehensive support for these programming languages and frameworks].
* [https://www.reshiftsecurity.com reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019. If you go to the Pricing section on this page, it says it is free for public repositories.

=== DAST Tools ===
If your project has a web application component, we recommend running automated scans against it to look for vulnerabilities. OWASP maintains a page of known DAST Tools: [[:Category:Vulnerability Scanning Tools|Vulnerability Scanning Tools]], and the '''Licence''' column on this page indicates which of those tools have free capabilities. Our primary recommendation is to use one of these:
* [[OWASP Zed Attack Proxy Project|OWASP ZAP]] - A full featured free and open source DAST tool that includes both automated scanning for vulnerabilities and tools to assist expert manual web app pen testing.
** The ZAP team has also been working hard to make it easier to integrate ZAP into your CI/CD pipeline. (e.g., here's a [https://www.we45.com/blog/how-to-integrate-zap-into-jenkins-ci-pipeline-we45-blog blog post on how to integrate ZAP with Jenkins]).
* [http://www.arachni-scanner.com/ Arachni] - Arachni is a commercially supported scanner, but its free for most use cases, including scanning open source projects.
We are not aware of any other commercial grade tools that offer their full featured DAST product free for open source projects.

=== IAST Tools ===
IAST tools are typically geared to analyze Web Applications and Web APIs, but that is vendor specific. There may be IAST products that can perform good security analysis on non-web applications as well.

We are aware of only one IAST Tool that is free after registration at this time:
* [https://www.contrastsecurity.com/contrast-community-edition Contrast Community Edition (CE)] - Fully featured version for 1 app and up to 5 users (some Enterprise features disabled). Contrast CE supports Java only.

=== Open Source Software (OSS) Security Tools ===
OSS refers to the open source libraries or components that application developers leverage to quickly develop new applications and add features to existing apps. Gartner refers to the analysis of the security of these components as software composition analysis (SCA). So OSS Analysis and SCA are the same thing.

OWASP recommends that all software projects generally try to keep the libraries they use as up-to-date as possible to reduce the likelihood of [[Top 10-2017 A9-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities (OWASP Top 10-2017 A9)]]. There are two recommended approaches for this:

==== Keeping Your Libraries Updated ====
Using the latest version of each library is recommended because security issues are frequently fixed 'silently' by the component maintainer. By silently, we mean without publishing a [https://cve.mitre.org/ CVE] for the security fix.
* [https://www.mojohaus.org/versions-maven-plugin/ Maven Versions plugin]
** For Maven projects, can be used to generate a report of all dependencies used and when upgrades are available for them. Either a direct report, or part of the overall project documentation using: mvn site.
* Dependabot - https://dependabot.com/
** A GitHub only service that creates pull requests to keep your dependencies up-to-date. It automatically generates a pull request for each dependency you can upgrade, which you can then ignore, or accept, as you like. It supports tons of languages.
** Recommended for all open source projects maintained on GitHub!

==== Detecting Known Vulnerable Components ====
As an alternative, or in addition to, trying to keep all your components up-to-date, a project can specifically monitor whether any of the components they use have known vulnerable components.

Free tools of this type:
* OWASP has its own free open source tool [[OWASP Dependency Check]] that is free for anyone to use.
* GitHub: Security alerts for vulnerable dependencies - https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/
** A native GitHub feature that reports known vulnerable dependencies in your GitHub projects. Supports: Java, .NET, JavaScript, Ruby, and Python. Your GitHub projects are automatically signed up for this service.
Commercial tools of this type that are free for open source:
* Contrast Community Edition (CE) (mentioned earlier) also has both Known Vulnerable Component detection and Available Updates reporting for OSS. CE supports Java only.
* Snyk - https://www.snyk.io - Supports Node.js, Ruby, Java, Python, Scala, Golang, .NET, PHP - Latest list here: https://snyk.io/docs
** A Commercial tool that identifies vulnerable components and integrates with numerous CI/CD pipelines. It is free for open source: https://snyk.io/plans
** If you don't want to grant Snyk write access to your repo (see it can auto-create pull requests) you can use the Command Line Interface (CLI) instead. See: https://snyk.io/docs/using-snyk. If you do this and want it to be free, you have to configure Snyk so it know its open source: https://support.snyk.io/snyk-cli/how-can-i-set-a-snyk-cli-project-as-open-source
*** Another benefit of using the Snyk CLI is that it won't auto create Pull requests for you (which makes these 'issues' more public than you might prefer)
** They also provide detailed information and remediation guidance for known vulnerabilities here: https://snyk.io/vuln
* SourceClear - https://www.sourceclear.com/ - Supports: Java, Ruby, JavaScript, Python, Objective C, GO, PHP
** They have a free trial right from their [https://www.sourceclear.com/ home page]. When the 30 day trial expires, it converts into a free "Personal Account" per: "Upgrade at any time to get the features that matter most to you, or choose the Personal plan when your trial ends." Personal Account described here: https://www.sourceclear.com/pricing/
** They also make their component vulnerability data (for publicly known vulns) free to search: https://www.sourceclear.com/vulnerability-database/search#_ (Very useful when trying to research a particular library)
* WhiteSource Bolt - Supports 200+ programming languages. https://www.whitesourcesoftware.com/
** Azure version: https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt
** GitHub version: https://github.com/apps/whitesource-bolt-for-github Available starting in Nov. 2018.

=== Code Quality tools ===
Quality has a significant correlation to security. As such, we recommend open source projects also consider using good code quality tools. A few that we are aware of are:
* SpotBugs (https://github.com/spotbugs/spotbugs) - Open source code quality tool for Java
** This is the active fork for FindBugs, so if you use Findbugs, you should switch to this.
** SpotBugs users should add the FindSecBugs plugin (http://find-sec-bugs.github.io/) to their SpotBugs setup, as it significantly improves on the very basic security checking native to SpotBugs.

* SonarQube (https://www.sonarqube.org/)
** This is a commercially supported, very popular, free (and commercial) code quality tool. It includes most if not all the FindSecBugs security rules plus lots more for quality, including a free, internet online CI setup to run it against your open source projects. SonarQube supports numerous languages: https://www.sonarqube.org/features/multi-languages/

Please let us know if you are aware of any other high quality application security tools that are free for open source (or simply add them to this page). We are particularly interested in identifying and listing commercial tools that are free for open source, as they tend to be better and easier to use than open source (free) tools. If you are aware of any missing from this list, please add them, or let us know (dave.wichers (at) owasp.org) and we'll confirm they are free, and add them for you. Please encourage your favorite commercial tool vendor to make their tool free for open source projects as well!!

Finally, please forward this page to the open source projects you rely on and encourage them to use these free tools!

Source Code Analysis Tools

2018-12-12T18:48:30Z

Koussa: /* Commercial Tools Of This Type */ Added reshift to the list

Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.

== Strengths and Weaknesses ==

=== Strengths ===

* Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth
* Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected

=== Weaknesses ===

* Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Important Selection Criteria==

* Requirement: Must support your programming language, but not usually a key factor once it does.
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)
* How accurate is it? False Positive/False Negative rates?
** Does the tool have an OWASP [[Benchmark]] score?
* Does it understand the libraries/frameworks you use?
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* How hard is it to setup/use?
* Can it be run continuously and automatically?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

==OWASP Tools Of This Type==

* [[OWASP SonarQube Project]]
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]]

==Disclaimer==

Disclaimer: The tools listed in the tables below are presented in alphabetical order. OWASP does not endorse any of the vendors or tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

==Open Source or Free Tools Of This Type==

* [https://wiki.openstack.org/wiki/Security/Projects/Bandit Bandit] - bandit is a comprehensive source vulnerability scanner for Python
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby
* [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs
* [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
* [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
* [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.
* [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
* [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.
* [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.
* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.
* [http://rips-scanner.sourceforge.net/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.
* [https://github.com/FloeDesignTechnologies/phpcs-security-audit phpcs-security-audit] - phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks. It currently has core PHP rules as well as Drupal 7 specific rules.
* [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].
* [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper (VCG)] - Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.

==Commercial Tools Of This Type==
* [https://www.ptsecurity.com/ww-en/products/ai/ Application Inspector] (Positive Technologies) - combines SAST, DAST, IAST, SCA, configuration analysis and other technologies, incl. unique abstract interpretation; has capability to generate test queries (exploits) to verify detected vulnerabilities during SAST analysis; Supported languages include: Java, C#, PHP, JavaScript, Objective C, VB.Net, PL/SQL, T-SQL, and others.
* [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] (IBM) - Provides SAST, DAST and mobile security testing as well as OpenSource library known vulnerability detection as a cloud service.
* [http://www-01.ibm.com/software/rational/products/appscan/source/ AppScan Source] (IBM)
* [http://www.blueclosure.com BlueClosure BC Detect] (BlueClosure) - Analyzes client-side JavaScript.
* [https://buguroo.com/products/bugblast-next-gen-appsec-platform/bugscout-sca bugScout] (Buguroo Offensive Security)
* [http://www.castsoftware.com/solutions/application-security/cwe#SupportedSecurityStandards CAST AIP] (CAST) Performs static and architectural analysis to identify numerous types of security issues. Supports over 30 languages.
* [https://www.codacy.com/ Codacy] Offers security patterns for languages such as Python, Ruby, Scala, Java, JavaScript and more. Integrates with tools such as Brakeman, Bandit, FindBugs, and others. (free for open source projects)
* [http://www.contrastsecurity.com/ Contrast] (Contrast Security) - Contrast performs code security without actually doing static analysis. Contrast does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code level results without actually relying on static analysis.
* [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)
* [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)
* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (Micro Focus, Formally HP)
* [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis
* [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)
* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)
* [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#
* [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.
* [https://www.softwaresecured.com/reshift reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and use machine learning to give a prediction on false positives.
* [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for PHP that detects unknown security vulnerabilities and code quality issues.
* [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)
* [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)
* [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)
* [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)
* [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)
* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).

==More info==

* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]
* [[:Category:Vulnerability_Scanning_Tools | DAST Tools]] - Similar info on Dynamic Application Security Testing (DAST) Tools

[[Category:OWASP .NET Project]]
[[Category:SAMM-CR-2]]
__NOTOC__

Ottawa

2017-06-21T23:06:34Z

Koussa: /* Slides from the Previous Meeting: */

{{Chapter Template|chaptername=Ottawa|extra=The chapter's president is [mailto:sherif.koussa@owasp.org Sherif Koussa] and Chapter Co-Leader is [mailto:tanya.janca@owasp.org Tanya Janca]

Follow us on [http://twitter.com/#!/owasp_ottawa Twitter] 

<paypal>Ottawa</paypal>

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ottawa|emailarchives=http://lists.owasp.org/mailman/listinfo/owasp-ottawa}}

 

==Your Local Chapter==
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif] or [mailto:tanya.janca@owasp.org Tanya]

For updates, events, membership; please visit our meetup page: http://www.meetup.com/OWASP-Ottawa/

 

== Chapter Leadership ==

Chapter Leader: [mailto:sherif.koussa@owasp.org Sherif Koussa] 
Chapter Coordinator: [mailto:tanya.janca@owasp.org Tanya Janca]

Organization Committee: Garth Boyd, Pierre Ernst, Phil Dorman, Nancy Gariche, Adam Janzen

 
 
__NOTOC__ <headertabs></headertabs>

=== Slides from the Previous Meeting: ===
Threat Modeling Toolkit - Jonathan Marcil - [https://www.owasp.org/images/0/02/Threat_Modeling_Toolkit_-_OWASP-ottawa-publish.pptx Slides]
[[Category:Canada]]

Ottawa

2017-06-21T23:06:19Z

Koussa:

{{Chapter Template|chaptername=Ottawa|extra=The chapter's president is [mailto:sherif.koussa@owasp.org Sherif Koussa] and Chapter Co-Leader is [mailto:tanya.janca@owasp.org Tanya Janca]

Follow us on [http://twitter.com/#!/owasp_ottawa Twitter] 

<paypal>Ottawa</paypal>

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ottawa|emailarchives=http://lists.owasp.org/mailman/listinfo/owasp-ottawa}}

 

==Your Local Chapter==
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif] or [mailto:tanya.janca@owasp.org Tanya]

For updates, events, membership; please visit our meetup page: http://www.meetup.com/OWASP-Ottawa/

 

== Chapter Leadership ==

Chapter Leader: [mailto:sherif.koussa@owasp.org Sherif Koussa] 
Chapter Coordinator: [mailto:tanya.janca@owasp.org Tanya Janca]

Organization Committee: Garth Boyd, Pierre Ernst, Phil Dorman, Nancy Gariche, Adam Janzen

 
 
__NOTOC__ <headertabs></headertabs>

=== Slides from the Previous Meeting: ===

=== Threat Modeling Toolkit - Jonathan Marcil - [https://www.owasp.org/images/0/02/Threat_Modeling_Toolkit_-_OWASP-ottawa-publish.pptx Slides] ===
[[Category:Canada]]

File:Threat Modeling Toolkit - OWASP-ottawa-publish.pptx

2017-06-21T23:06:02Z

Koussa:

Ottawa

2017-06-19T18:24:14Z

Koussa: Added Tanya as chapter co-leader

Ottawa

2017-01-01T20:08:34Z

Koussa: /* Chapter Leadership */

Ottawa

2017-01-01T20:08:09Z

Koussa:

Ottawa

2015-11-02T00:27:02Z

Koussa:

Ottawa

2015-11-02T00:21:52Z

Koussa:

Ottawa

2015-11-02T00:20:39Z

Koussa:

Ottawa

2015-11-02T00:14:23Z

Koussa:

Ottawa

2015-11-02T00:13:38Z

Koussa:

Ottawa

2014-11-24T19:43:46Z

Koussa: /* Upcoming Events */

{{Chapter Template|chaptername=Ottawa|extra=The chapter's president is [mailto:sherif.koussa@gmail.com Sherif Koussa]

Follow us on [http://twitter.com/#!/owasp_ottawa Twitter] 

<paypal>Ottawa</paypal>

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ottawa|emailarchives=http://lists.owasp.org/mailman/listinfo/owasp-ottawa}}

 

==Thanks to Our 2014 Sponsor==
{| border="0" align="left" cellpadding="1" cellspacing="1"
[[Image:2Keys_Security_Solutions.jpg|240x120px|2Keys_Security_Solutions.jpg|link=http://www.2keys.ca]]
|}

 

==Your Local Chapter==
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean], [mailto:joel.hebert@opulentasp.com Joel] or tweet at us [http://twitter.com/#!/owasp_ottawa owasp_ottawa].

Hope to see you at a meeting soon.

 

==Upcoming Events==
=== DATE CHANGED: ROP It Like It's Hot: A 101 on BOFs, ROPs, and Shellcode Development on Linux ===

'''Who'''

Nadeem Douba

'''What'''

To a normal human, hacking things like browsers and software seems like black voodoo magic. Even people in IT security struggle with the basic understanding of how a buffer overflow works. This workshop aims to demystify the art of exploiting vulnerabilities in binary software and equips you with the tools to pwn software on your own! We'll cover the following topics:

1. A brief introduction to Assembly

2. A brief overview of the Linux Stack

3. Our Toolkit for Exploit Development

4. Controlling the Instruction Pointer
*Classic BOF (no strings attached)
*ROP till' you drop (Defeating NX)
*Where am I? (Defeating ASLR)
*Silence the Canary (Defeating Stack Canaries)

5. Advanced Topics to Research

Students are expected to bring a laptop as this workshop is hands-on. The following tools/software is required:

*A VMWare image of 32-bit Kali Linux (download: http://cdimage.kali.org/kali-1.0.9a/kali-linux-1.0.9a-i386.iso)
*PEDA (https://github.com/longld/peda)- Metasploit (apt-get install metasploit)- Shelln00b (apt-get install shellnoob)- ROPGadget (git clone https://github.com/0vercl0k/rp)
*IDA Demo 6.6 for Linux (http://out7.hex-rays.com/files/idademo66_linux.tgz)

Students are encouraged to work in groups so encourage your friends to come along!

WARNING: We are in no way responsible for any hair loss during the course of this workshop. Successfully exploiting software may result in unusual happy dance behaviour.

'''Where'''

Microsoft Glacier Room 100 Queen Street, Suite 500 - World Exchange Plaza

''Find the 100 Queen Street Building, Take the elevator to the 5th floor. Be there before 6:00 PM as the elevators stop working then.''

'''When (NEW DATE)'''

Tuesday, December 2nd, 2014 from 5:30PM to 7:30PM

'''Registration'''

Register for free: [http://www.meetup.com/OWASP-Ottawa-Meetup-Web-Application-Security/events/188223862/ here]

 

 
 
 

= Upcoming Event Ideas =
We are always looking for ideas for upcoming meetings. If you have a speaker you would like to see, a tutorial you would like to participate in, or just some ideas for discussion topics let us know. We maintain a list of your ideas here. To add to the list you can edit it directly, send one of us an e-mail ([mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean]), or tweet it at our [http://twitter.com/#!/owasp_ottawa Twitter account].
 
*<del>N00bs Night: Understanding and Exploiting the OWASP Top 10 (Top 10 discussion, live exploit demos, test lab to practice your skills)</del>
*Secure Code review
*(ISC)2 CSSLP introduction
*Metasploit introduction
*Web Application Forensics
*xPath Injection (SQL/CSS etc get lots of press but I’d like to hear more about this)
*HTML5 - What's new for security specially for Offline Applications
*Web 2.0 Security Evolution - How security challenges are changing with technology evolultion
*ASP.NET MVC Security for WebForms Developers
*Hack proofing your web application by using reverse engineering
*Using Windows Communication Foundation (WCF) Securely in your applications

= Past Meetings =

==== September 2014 ====

'''Title: ''' Cloud Computing – Security and Interoperability Perspectives

'''What''' Many organizations are evaluating and migrating toward cloud computing solutions. In 2013, some the key challenges pertain to security and interoperability. Open cloud standards can help manage risks, while fostering efficient solution delivery.

Steven Woodward shares updates from numerous international cloud standards related organizations. In Canada, he leads several of the cloud computing initiatives in both the private and public sectors. This includes being one of the founding board members of the Cloud Security Alliance Canadian Chapter.

Steven describes key cloud ecosystems models; highlighting where security considerations fit, along with different perspectives on interoperability. Several real-life scenarios will be used, highlighting cloud concepts, security, interoperability and the impacts these can have on commitments (functionality, costs, time-to-value and quality). Service Agreements and Service Level Agreements will also be addressed to identify where you may find security and interoperability considerations specified in the contracts.

'''Who''' Steven Woodward, CEO, Cloud Perspectives

==== August 2014 ====

'''Title:''' Social Engineering - ASP.Net Defense Systems

'''What'''
Social Engineering from the ground up. From creation of the attack vectors in the Social Engineering Toolkit, to execution, to defense in ASP.Net. We shall oversee what defense mechanisms or techniques exist to defend against certain Social Engineering Attacks.

The take away: ASP.Net Techniques and modules, SET Experience and techniques.

'''Who'''
Joel Hebert - MVP

Joel Hebert is a Software Architect who resides in Ottawa. He is passionate about Security and Architecture. He is a seven time ASP.Net MVP and is one of the User Group Leaders in Ottawa. He would like to share his knowledge of Social Engineering, Web Application Defences and Continuous Audit with you to allow you to think about the modern attack vectors that are present.

==== June 2014====

'''Title:''' Another Bug? Secure Software Development Lifecycle

'''What'''
As dev and test most of us have been in the situation where a security bug is found by a customer and we find ourselves asking – 'how did we miss that'. With a focus on the challenges facing development and test teams, we'll explore some of the issues and solutions that can help improve your SDLC.

'''Who'''
Sean Wilson from CBN will be presenting on Secure Software Development.

==== May 2014====

'''Title:'''Gone in 60 Milliseconds: Mobile devices, free WiFi and your data

'''What'''
Smart phones and tablets broadcast information that anyone can use to discover where you live, where you work and the places you go. Free WiFi networks allow attackers to intercept and alter your communications. This presentation shows a series of live demonstrations showing exactly how this is done and how easy it is.

We show in real time what information the broadcasts your mobile devices send 24/7 reveal about you, and how attackers use fake WiFi access points and man-in-the-middle attacks to capture passwords, subvert VPNs, and install malicious software. The root causes of these issues are explored, and we present solutions, both simple and complex, to safeguard your data, your privacy and your identity.

'''Who'''
Derrick Webber from CGI will be presenting on mobile device security.

====September 2013====
'''Title:'''What's Hiding in Your Software Components?

'''What'''
Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check.

On the just released OWASP Top 10 for 2013, entry A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.

Join Ryan Berg, Sonatype CSO, as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risk. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

'''Who'''
Ryan Berg is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development.

====June 2013====
'''Title:'''China: All up in your business - Annoying Persistent Threat edition

'''What'''
For the past few years, Dave has been involved in examining intrusions by a group informally known as Comment Crew -- which are now better known as 'APT1' following the recent release of the report from Mandiant. This group falls into the class of the 'Advanced Persistent Threat' and are known to use compromised web sites to supply command/control to compromised systems.
The talk contains a live demo of an annotated attack against a fictitious company, using custom malware and metasploit. It shows how attackers initially compromise a system, supply commands, install additional malware, gain privileges in post-exploit and loot the network for fun and profit!
This talk is targeted toward beginner/intermediate security practitioners and provides an overview of these types of attack. Whether you are simulating an APT style attack as a penetration tester or trying to defend your organization against similar threats this talk is a great starting point. Depending on interest it will be possible to focus some of the talk on the demo-malware code itself.

'''Who'''
Dave Ockwell-Jenner has an extensive background in technology: from building one of the Internet’s earliest major web sites, to helping secure some of the world’s most critical systems. He has led the development of solutions for some of Canada’s most prominent technology companies, including Research In Motion and Nortel. He currently works for a Swiss-based company that specializes in IT and communications for the Air Transport Industry. In this role he has focused on designing and delivering the company's secure software development lifecycle. Through this, Dave regularly trains developers in secure software techniques, and has co-authored the SANS course on Developing Defensible Java EE Solutions. Dave also runs a boutique security consultancy called Prime Information Security, concentrating on information security within Small-to-Medium Businesses. He is a security blogger for TELUS and also co-founded a business networking organization called the Small Business Community Network (SBCN).

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/china-all-up-in-your-business-doj Slides]
[https://www.youtube.com/watch?v=2rJ2tHeb5yQ Video Demo]

====May 2013====
'''Title:''' Ottawa IT Camp 2013

'''What'''
Ottawa IT Camp is a fun filled day of "meat only" presentations. By technical people, for technical people! The OWASP track focuses on application security talks covering threat modelling, code review, and the OWASP top 10.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/security-codereview-1 Secure Code Review for .NET]
[http://ottawaitcamp.codeplex.com/ Conference presentations and code]

====January 2013====
'''Title:''' XML Attack Surface

'''What'''
Security vulnerabilities with XML processing can be a real threat to applications, especially when malicious XML can be submitted remotely. Fortunately, these issues can be easily avoided by properly configuring XML parsers.

Several attack types will be presented with a live demo covering the following: Denial of Service, Arbitrary file Content disclosure, and Remote OS command injection. Vulnerabilities caused by misconfiguration of XML parsing, XML transforms and Xpath queries will be investigated and suggestions on how to prevent these type of attacks will be provided with a developer perspective.

'''Who'''
Pierre Ernst is a senior member of the IBM Business Analytics Security Competency Group at the Ottawa Lab in Canada. A former software developer turned penetration tester, he's responsible for finding security vulnerabilities in IBM applications before they are released. Using a combination of manual testing and secure code review, his work complements automated vulnerability scanners. Pierre is also responsible for giving guidance to developers on how to mitigate and fix security issues.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/pierre-ernst-xml-attack-surface-owasp-ottawa Download Here]

====December 2012====
'''Title:''' Sploitego - Maltego's (Local) Partner in Crime

'''What'''
Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that gives Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'.
Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories.
Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

'''Who'''
Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

'''Slides'''
[http://cloud.github.com/downloads/allfro/sploitego/Sploitego%20-%20Hackfest%20Revolution.pdf Download Here]

====N00bs Night: Secure Code Review====
Come join us for a night of free hands on tutorials in secure code review. Learn the OWASP top 10 from a developer's perspective.

'''What'''
During this session, we will review an Online Movie Ticket Booking Application pulled from SourceForge for OWASP Top, specifically Cross-Site Scripting, SQL Injection and Access Control. You will learn how to review your code for these issues, how to fix them and how to automate the whole process. Expect lots of code, tools and fun (Please note that the exercises will be mainly in Java)

'''Who'''
The tutorial will be given by Sherif Koussa. Sherif is the leader of our very own OWASP Ottawa, leader of Static Analysis Tools Evaluation Criteria at the Web Application Security Consortium (WASC) and a Steering Committee Member for SANS/GIAC GSSP-NET and GSSP-JAVA. He is also the founder of Software Secured (www.softwaresecured.com) and Secure Code Gurus (www.securecodegurus.com).

====May 2012====
'''Title:''' OWASP Tutorial Night: Threat Modeling Express

Threat Modeling Express is a lightweight threat modeling process suited for agile development environments. If you want to quickly add threat modeling to your development process without slowing it down this is the process for you. The evening will be composed of an interactive tutorial which will walk the participants through some examples using the The Modeling Express process.

'''Who:'''The tutorial will be given by Rohit Sethi a software security specialist and Vice President of SD Elements. Rohit is a SANS course developer and instructor and leads the OWASP Design Patterns Security Analysis project.

'''When:''' The event will start at 6PM on May 3, 2012.Please RSVP [http://www.eventbrite.com/event/3413274195 here]

'''Where:''' Shopify have kindly offered the board room of their brand new location for the event.

'''Speaker Notes:''' [http://www.scribd.com/doc/94372478/Threat-Model-Express?secret_password=wspz2g4rjvlob3bx2in Download Here]

==== December 12, 2011 ====
'''Location:''' Bell Canada - 160 Elgin St, Ottawa 

'''Title:''' n00bs night out...exploiting the owasp top 10

Hey Ottawa, come join us for a FREE night of web application hacking. We have tutorials explaining how to exploit the OWASP Top 10 web application vulnerabilities and hands on labs to practice your skills. Bring your laptop and a copy of the Backtrack 5 LiveCD (or VM) http://www.backtrack-linux.org/downloads/

'''Who:''' all skill levels are welcome (especially n00bs)

'''When:''' December 12 from 6:00pm - 9:00pm (open at 5:30)

'''RSVP:''' http://n00bs-night.eventbrite.com/

==== September 27th, 2011 ====

'''Location''': Shopify - 61a York St (Above Tucker's Marketplace)

'''Speaker Notes:''' [https://www.owasp.org/images/a/a2/OWASP_Sep_2011_Hacking_Silverlight.ppt Download Here]

'''Microsoft Silverlight Security - A Hacker's Perspective'''

'''Abstract'''

It’s not news for anyone how the internet has revolutionized all aspects of our lives. In the past few years there has been unprecedented growth in web applications and their user base. One of the core technologies driving this widespread phenomenon is Rich Internet Applications (RIAs) because it offers the same level of responsiveness & interactivity on web that is available to desktop applications. Microsoft offered its vision of RIA through Silverlight - a framework that allows web applications running in a browser to behave more like desktop applications.

One of the major enhancements in Silverlight was the incorporation of mini-CLR engine, that on one hand, adds amazing capabilities for web developers but, on the other hand, also broadens the surface area of attack by opening previously nonexistent entry points into web applications. In this presentation Angelo & Kamran will demonstrate how modern hackers can use reverse engineering techniques to take advantage of weak security implementation. They will also show some effective ways of defending against these types of attacks.

'''Speakers:'''

Angelo Chan is an experienced versatile software developer who has developed applications, middleware and low-level software for various platforms. With an initial background in Telecom, Angelo has since worked with different technologies and has discovered a passion for .NET. His interests include virtual machines, operating systems, network/application reverse engineering and security. Angelo can be reached at Angelo@WindowsDebugging.com

Kamran Bilgrami is a seasoned software developer with proven track record of transforming complex business problems into viable technical solution. He has been instrumental in orchestrating highly available, performance centric, fault-tolerant real-time systems in a wide variety of industries including Telecom, Security and Human/Health Services. His areas of expertise include .NET, CLR Internals, Patterns and Security. Kamran can be reached at Kamran@WindowsDebugging.com

 

==== May, Thursday 12th 2011 ====

'''Location:''' Bell - 160 Elgin St, Ottawa '''Session 1 - Chris Pierre: Beyond Facebook: How Hackers Might Obtain Information Individual for Social Engineering attacks''' As the old saying goes “Know your enemy as you know yourself.” This discussion will examine several sources of publicly available information which an attacker might use to gain background information on a target for the purposes of a social engineering attack. The talk is expected to be interactive, lively and will provoke a discussion on how these systems and processes can be hardened against this type of attack. 

 '''About The Speaker'''

Chris Pierre BA, CFE, CISSP is an Ottawa-based forensic investigation professional. Having worked with several forensic firms prior to starting Evince Services, Inc., he has experience in many types of engagements in both the private & public sectors & specializes in investigations involving the internet. Forensic engagements have included information leaks, general corporate fraud investigations, investor fraud, intellectual property cases, administrative/internal investigations, background investigations, grants & contributions fraud, corruption investigations & the provision of training on the use of the Internet as an investigative tool. Preventative engagements have included training, background due diligence & compliance consulting.

Chris is an instructor at Algonquin College, the Canadian Police College, Past-President of the Ottawa Chapter of the High Tech Crime Investigators Association (HTCIA) & a member of the Ottawa Chapter of the Association of Certified Fraud Examiners. '''Session 2: - David Mirza Ahmed: Introducing Vega, a New Open Source Web Vulnerability Scanner'''

David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

 '''About The Speaker''' David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal. 

==== March, Thursday 10th 2011 ====

Speaker: Shan Gu - Accenture - Large enterprises are increasing their adoption of SOA at a rapid rate as interoperability standards and vendor product implementations mature and stabilize. However, moving enterprises into a loosely coupled IT paradigm introduces challenges around security and compliance. How do we address accountability, confidentiality, integrity, and trust in a large loosely couple ecosystem where consumers and providers don’t always maintain a permanent or stateful relationship? There are standards of course that help integrators and Architects design systems to communicate with each other in a secure manner, however these standards, when interpreted in their purest sense are complex and expensive to implement/maintain in large organizations. And systems that are operationally complex in terms of security are ironically the least secure.

About The Speaker Shan Gu - Manager in the Security Technologies Practice at Accenture Shan is a Security Architect from Accenture who specializes in Identity and Access Management and SOA Security. He has worked with clients in both the Public and Private sectors and in various industries spanning from Health, to Transport, to Financial Services. Shan has spent his recent years focused on helping clients adopt SOA within the enterprise and to do it in a secure and cost effective manner. Shan is a graduate from Carleton University’s Systems and Computer Engineering program, with a B.Eng and a Minor in Business.

==== More Previous Meetings ====

*September 10th, 2009 - Justin Foster - '''Speaker Notes:''' [http://www.developingsecurity.com/weblog/2009/09/crossing-the-border-javascript-exploits.html Download Here]
*April 6th, 2009 - Rafal Los - '''Speaker Notes:''' [http://www.owasp.org/images/3/3a/A_Laugh_RIAt2.zip Download Here]
*July 16th, 2008 - John Linehan - '''Speaker Notes:''' [https://www.owasp.org/index.php/Image:John_Linehan_OWASP_Dist.pdf Download Here]
*[[November 28th, 2007 - Eric Klien - Make my day]]

= Chapter Leadership =

Chapter President: [mailto:sherif.koussa@owasp.org Sherif Koussa] 
Chapter Committee: [mailto:sean.wilson@owasp.org Sean Wilson] and [mailto:mike.sues@owasp.org Mike Sues] 

 
 
__NOTOC__ <headertabs />

[[Category:Canada]]

Ottawa

2014-09-02T10:58:46Z

Koussa: /* Your Local Chapter */

{{Chapter Template|chaptername=Ottawa|extra=The chapter's president is [mailto:sherif.koussa@gmail.com Sherif Koussa]

Follow us on [http://twitter.com/#!/owasp_ottawa Twitter] 

<paypal>Ottawa</paypal>

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ottawa|emailarchives=http://lists.owasp.org/mailman/listinfo/owasp-ottawa}}

 

==Thanks to Our 2014 Sponsor==
{| border="0" align="left" cellpadding="1" cellspacing="1"
[[Image:2Keys_Security_Solutions.jpg|240x120px|2Keys_Security_Solutions.jpg|link=http://www.2keys.ca]]
|}

 

==Your Local Chapter==
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean], [mailto:joel.hebert@opulentasp.com Joel] or tweet at us [http://twitter.com/#!/owasp_ottawa owasp_ottawa].

Hope to see you at a meeting soon.

 

==Upcoming Events==
=== Social Engineering - ASP.Net Defense Systems - KANATA Edition ===

'''Who'''

Joel Hebert - MVP

Joel Hebert is a Software Architect who resides in Ottawa. He is passionate about Security and Architecture. He is a seven time ASP.Net MVP and is one of the User Group Leaders in Ottawa. He would like to share his knowledge of Social Engineering, Web Application Defences and Continuous Audit with you to allow you to think about the modern attack vectors that are present.

'''What'''

Social Engineering from the ground up. From creation of the attack vectors in the Social Engineering Toolkit, to execution, to defense in ASP.Net. We shall oversee what defense mechanisms or techniques exist to defend against certain Social Engineering Attacks.

The take away: ASP.Net Techniques and modules, SET Experience and techniques.

'''Where'''

Entrust - 1000 Innovation Drive, Kanata

'''When'''

Tuesday, August 26 from 5:30PM to 7:30PM

'''Registration'''

Register for free: [http://www.meetup.com/OWASP-Ottawa-Meetup-Web-Application-Security/events/200891962/ here]

 

 
 
 

= Upcoming Event Ideas =
We are always looking for ideas for upcoming meetings. If you have a speaker you would like to see, a tutorial you would like to participate in, or just some ideas for discussion topics let us know. We maintain a list of your ideas here. To add to the list you can edit it directly, send one of us an e-mail ([mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean]), or tweet it at our [http://twitter.com/#!/owasp_ottawa Twitter account].
 
*<del>N00bs Night: Understanding and Exploiting the OWASP Top 10 (Top 10 discussion, live exploit demos, test lab to practice your skills)</del>
*Secure Code review
*(ISC)2 CSSLP introduction
*Metasploit introduction
*Web Application Forensics
*xPath Injection (SQL/CSS etc get lots of press but I’d like to hear more about this)
*HTML5 - What's new for security specially for Offline Applications
*Web 2.0 Security Evolution - How security challenges are changing with technology evolultion
*ASP.NET MVC Security for WebForms Developers
*Hack proofing your web application by using reverse engineering
*Using Windows Communication Foundation (WCF) Securely in your applications

= Past Meetings =

==== June 2014====

'''Title:''' Another Bug? Secure Software Development Lifecycle

'''What'''
As dev and test most of us have been in the situation where a security bug is found by a customer and we find ourselves asking – 'how did we miss that'. With a focus on the challenges facing development and test teams, we'll explore some of the issues and solutions that can help improve your SDLC.

'''Who'''
Sean Wilson from CBN will be presenting on Secure Software Development.

==== May 2014====

'''Title:'''Gone in 60 Milliseconds: Mobile devices, free WiFi and your data

'''What'''
Smart phones and tablets broadcast information that anyone can use to discover where you live, where you work and the places you go. Free WiFi networks allow attackers to intercept and alter your communications. This presentation shows a series of live demonstrations showing exactly how this is done and how easy it is.

We show in real time what information the broadcasts your mobile devices send 24/7 reveal about you, and how attackers use fake WiFi access points and man-in-the-middle attacks to capture passwords, subvert VPNs, and install malicious software. The root causes of these issues are explored, and we present solutions, both simple and complex, to safeguard your data, your privacy and your identity.

'''Who'''
Derrick Webber from CGI will be presenting on mobile device security.

====September 2013====
'''Title:'''What's Hiding in Your Software Components?

'''What'''
Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check.

On the just released OWASP Top 10 for 2013, entry A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.

Join Ryan Berg, Sonatype CSO, as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risk. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

'''Who'''
Ryan Berg is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development.

====June 2013====
'''Title:'''China: All up in your business - Annoying Persistent Threat edition

'''What'''
For the past few years, Dave has been involved in examining intrusions by a group informally known as Comment Crew -- which are now better known as 'APT1' following the recent release of the report from Mandiant. This group falls into the class of the 'Advanced Persistent Threat' and are known to use compromised web sites to supply command/control to compromised systems.
The talk contains a live demo of an annotated attack against a fictitious company, using custom malware and metasploit. It shows how attackers initially compromise a system, supply commands, install additional malware, gain privileges in post-exploit and loot the network for fun and profit!
This talk is targeted toward beginner/intermediate security practitioners and provides an overview of these types of attack. Whether you are simulating an APT style attack as a penetration tester or trying to defend your organization against similar threats this talk is a great starting point. Depending on interest it will be possible to focus some of the talk on the demo-malware code itself.

'''Who'''
Dave Ockwell-Jenner has an extensive background in technology: from building one of the Internet’s earliest major web sites, to helping secure some of the world’s most critical systems. He has led the development of solutions for some of Canada’s most prominent technology companies, including Research In Motion and Nortel. He currently works for a Swiss-based company that specializes in IT and communications for the Air Transport Industry. In this role he has focused on designing and delivering the company's secure software development lifecycle. Through this, Dave regularly trains developers in secure software techniques, and has co-authored the SANS course on Developing Defensible Java EE Solutions. Dave also runs a boutique security consultancy called Prime Information Security, concentrating on information security within Small-to-Medium Businesses. He is a security blogger for TELUS and also co-founded a business networking organization called the Small Business Community Network (SBCN).

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/china-all-up-in-your-business-doj Slides]
[https://www.youtube.com/watch?v=2rJ2tHeb5yQ Video Demo]

====May 2013====
'''Title:''' Ottawa IT Camp 2013

'''What'''
Ottawa IT Camp is a fun filled day of "meat only" presentations. By technical people, for technical people! The OWASP track focuses on application security talks covering threat modelling, code review, and the OWASP top 10.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/security-codereview-1 Secure Code Review for .NET]
[http://ottawaitcamp.codeplex.com/ Conference presentations and code]

====January 2013====
'''Title:''' XML Attack Surface

'''What'''
Security vulnerabilities with XML processing can be a real threat to applications, especially when malicious XML can be submitted remotely. Fortunately, these issues can be easily avoided by properly configuring XML parsers.

Several attack types will be presented with a live demo covering the following: Denial of Service, Arbitrary file Content disclosure, and Remote OS command injection. Vulnerabilities caused by misconfiguration of XML parsing, XML transforms and Xpath queries will be investigated and suggestions on how to prevent these type of attacks will be provided with a developer perspective.

'''Who'''
Pierre Ernst is a senior member of the IBM Business Analytics Security Competency Group at the Ottawa Lab in Canada. A former software developer turned penetration tester, he's responsible for finding security vulnerabilities in IBM applications before they are released. Using a combination of manual testing and secure code review, his work complements automated vulnerability scanners. Pierre is also responsible for giving guidance to developers on how to mitigate and fix security issues.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/pierre-ernst-xml-attack-surface-owasp-ottawa Download Here]

====December 2012====
'''Title:''' Sploitego - Maltego's (Local) Partner in Crime

'''What'''
Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that gives Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'.
Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories.
Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

'''Who'''
Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

'''Slides'''
[http://cloud.github.com/downloads/allfro/sploitego/Sploitego%20-%20Hackfest%20Revolution.pdf Download Here]

====N00bs Night: Secure Code Review====
Come join us for a night of free hands on tutorials in secure code review. Learn the OWASP top 10 from a developer's perspective.

'''What'''
During this session, we will review an Online Movie Ticket Booking Application pulled from SourceForge for OWASP Top, specifically Cross-Site Scripting, SQL Injection and Access Control. You will learn how to review your code for these issues, how to fix them and how to automate the whole process. Expect lots of code, tools and fun (Please note that the exercises will be mainly in Java)

'''Who'''
The tutorial will be given by Sherif Koussa. Sherif is the leader of our very own OWASP Ottawa, leader of Static Analysis Tools Evaluation Criteria at the Web Application Security Consortium (WASC) and a Steering Committee Member for SANS/GIAC GSSP-NET and GSSP-JAVA. He is also the founder of Software Secured (www.softwaresecured.com) and Secure Code Gurus (www.securecodegurus.com).

====May 2012====
'''Title:''' OWASP Tutorial Night: Threat Modeling Express

Threat Modeling Express is a lightweight threat modeling process suited for agile development environments. If you want to quickly add threat modeling to your development process without slowing it down this is the process for you. The evening will be composed of an interactive tutorial which will walk the participants through some examples using the The Modeling Express process.

'''Who:'''The tutorial will be given by Rohit Sethi a software security specialist and Vice President of SD Elements. Rohit is a SANS course developer and instructor and leads the OWASP Design Patterns Security Analysis project.

'''When:''' The event will start at 6PM on May 3, 2012.Please RSVP [http://www.eventbrite.com/event/3413274195 here]

'''Where:''' Shopify have kindly offered the board room of their brand new location for the event.

'''Speaker Notes:''' [http://www.scribd.com/doc/94372478/Threat-Model-Express?secret_password=wspz2g4rjvlob3bx2in Download Here]

==== December 12, 2011 ====
'''Location:''' Bell Canada - 160 Elgin St, Ottawa 

'''Title:''' n00bs night out...exploiting the owasp top 10

Hey Ottawa, come join us for a FREE night of web application hacking. We have tutorials explaining how to exploit the OWASP Top 10 web application vulnerabilities and hands on labs to practice your skills. Bring your laptop and a copy of the Backtrack 5 LiveCD (or VM) http://www.backtrack-linux.org/downloads/

'''Who:''' all skill levels are welcome (especially n00bs)

'''When:''' December 12 from 6:00pm - 9:00pm (open at 5:30)

'''RSVP:''' http://n00bs-night.eventbrite.com/

==== September 27th, 2011 ====

'''Location''': Shopify - 61a York St (Above Tucker's Marketplace)

'''Speaker Notes:''' [https://www.owasp.org/images/a/a2/OWASP_Sep_2011_Hacking_Silverlight.ppt Download Here]

'''Microsoft Silverlight Security - A Hacker's Perspective'''

'''Abstract'''

It’s not news for anyone how the internet has revolutionized all aspects of our lives. In the past few years there has been unprecedented growth in web applications and their user base. One of the core technologies driving this widespread phenomenon is Rich Internet Applications (RIAs) because it offers the same level of responsiveness & interactivity on web that is available to desktop applications. Microsoft offered its vision of RIA through Silverlight - a framework that allows web applications running in a browser to behave more like desktop applications.

One of the major enhancements in Silverlight was the incorporation of mini-CLR engine, that on one hand, adds amazing capabilities for web developers but, on the other hand, also broadens the surface area of attack by opening previously nonexistent entry points into web applications. In this presentation Angelo & Kamran will demonstrate how modern hackers can use reverse engineering techniques to take advantage of weak security implementation. They will also show some effective ways of defending against these types of attacks.

'''Speakers:'''

Angelo Chan is an experienced versatile software developer who has developed applications, middleware and low-level software for various platforms. With an initial background in Telecom, Angelo has since worked with different technologies and has discovered a passion for .NET. His interests include virtual machines, operating systems, network/application reverse engineering and security. Angelo can be reached at Angelo@WindowsDebugging.com

Kamran Bilgrami is a seasoned software developer with proven track record of transforming complex business problems into viable technical solution. He has been instrumental in orchestrating highly available, performance centric, fault-tolerant real-time systems in a wide variety of industries including Telecom, Security and Human/Health Services. His areas of expertise include .NET, CLR Internals, Patterns and Security. Kamran can be reached at Kamran@WindowsDebugging.com

 

==== May, Thursday 12th 2011 ====

'''Location:''' Bell - 160 Elgin St, Ottawa '''Session 1 - Chris Pierre: Beyond Facebook: How Hackers Might Obtain Information Individual for Social Engineering attacks''' As the old saying goes “Know your enemy as you know yourself.” This discussion will examine several sources of publicly available information which an attacker might use to gain background information on a target for the purposes of a social engineering attack. The talk is expected to be interactive, lively and will provoke a discussion on how these systems and processes can be hardened against this type of attack. 

 '''About The Speaker'''

Chris Pierre BA, CFE, CISSP is an Ottawa-based forensic investigation professional. Having worked with several forensic firms prior to starting Evince Services, Inc., he has experience in many types of engagements in both the private & public sectors & specializes in investigations involving the internet. Forensic engagements have included information leaks, general corporate fraud investigations, investor fraud, intellectual property cases, administrative/internal investigations, background investigations, grants & contributions fraud, corruption investigations & the provision of training on the use of the Internet as an investigative tool. Preventative engagements have included training, background due diligence & compliance consulting.

Chris is an instructor at Algonquin College, the Canadian Police College, Past-President of the Ottawa Chapter of the High Tech Crime Investigators Association (HTCIA) & a member of the Ottawa Chapter of the Association of Certified Fraud Examiners. '''Session 2: - David Mirza Ahmed: Introducing Vega, a New Open Source Web Vulnerability Scanner'''

David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

 '''About The Speaker''' David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal. 

==== March, Thursday 10th 2011 ====

Speaker: Shan Gu - Accenture - Large enterprises are increasing their adoption of SOA at a rapid rate as interoperability standards and vendor product implementations mature and stabilize. However, moving enterprises into a loosely coupled IT paradigm introduces challenges around security and compliance. How do we address accountability, confidentiality, integrity, and trust in a large loosely couple ecosystem where consumers and providers don’t always maintain a permanent or stateful relationship? There are standards of course that help integrators and Architects design systems to communicate with each other in a secure manner, however these standards, when interpreted in their purest sense are complex and expensive to implement/maintain in large organizations. And systems that are operationally complex in terms of security are ironically the least secure.

About The Speaker Shan Gu - Manager in the Security Technologies Practice at Accenture Shan is a Security Architect from Accenture who specializes in Identity and Access Management and SOA Security. He has worked with clients in both the Public and Private sectors and in various industries spanning from Health, to Transport, to Financial Services. Shan has spent his recent years focused on helping clients adopt SOA within the enterprise and to do it in a secure and cost effective manner. Shan is a graduate from Carleton University’s Systems and Computer Engineering program, with a B.Eng and a Minor in Business.

==== More Previous Meetings ====

*September 10th, 2009 - Justin Foster - '''Speaker Notes:''' [http://www.developingsecurity.com/weblog/2009/09/crossing-the-border-javascript-exploits.html Download Here]
*April 6th, 2009 - Rafal Los - '''Speaker Notes:''' [http://www.owasp.org/images/3/3a/A_Laugh_RIAt2.zip Download Here]
*July 16th, 2008 - John Linehan - '''Speaker Notes:''' [https://www.owasp.org/index.php/Image:John_Linehan_OWASP_Dist.pdf Download Here]
*[[November 28th, 2007 - Eric Klien - Make my day]]

= Chapter Leadership =

Chapter President: [mailto:sherif.koussa@owasp.org Sherif Koussa] 
Chapter Committee: [mailto:sean.wilson@owasp.org Sean Wilson] and [mailto:mike.sues@owasp.org Mike Sues] 

 
 
__NOTOC__ <headertabs />

[[Category:Canada]]

Ottawa

2014-08-14T10:45:14Z

Koussa: /* Social Engineering - ASP.Net Defense Systems */

{{Chapter Template|chaptername=Ottawa|extra=The chapter's president is [mailto:sherif.koussa@gmail.com Sherif Koussa]

Follow us on [http://twitter.com/#!/owasp_ottawa Twitter] 

<paypal>Ottawa</paypal>

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ottawa|emailarchives=http://lists.owasp.org/mailman/listinfo/owasp-ottawa}}

 

==Thanks to Our 2014 Sponsor==
{| border="0" align="left" cellpadding="1" cellspacing="1"
[[Image:2Keys_Security_Solutions.jpg|240x120px|2Keys_Security_Solutions.jpg|link=http://www.2keys.ca]]
|}

 

==Your Local Chapter==
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean], [mailto:mike.sues@owasp.org Mike] or tweet at us [http://twitter.com/#!/owasp_ottawa owasp_ottawa].

Hope to see you at a meeting soon.

 

==Upcoming Events==
=== Social Engineering - ASP.Net Defense Systems - KANATA Edition ===

'''Who'''

Joel Hebert - MVP

Joel Hebert is a Software Architect who resides in Ottawa. He is passionate about Security and Architecture. He is a seven time ASP.Net MVP and is one of the User Group Leaders in Ottawa. He would like to share his knowledge of Social Engineering, Web Application Defences and Continuous Audit with you to allow you to think about the modern attack vectors that are present.

'''What'''

Social Engineering from the ground up. From creation of the attack vectors in the Social Engineering Toolkit, to execution, to defense in ASP.Net. We shall oversee what defense mechanisms or techniques exist to defend against certain Social Engineering Attacks.

The take away: ASP.Net Techniques and modules, SET Experience and techniques.

'''Where'''

Entrust - 1000 Innovation Drive, Kanata

'''When'''

Tuesday, August 26 from 5:30PM to 7:30PM

'''Registration'''

Register for free: [http://www.meetup.com/OWASP-Ottawa-Meetup-Web-Application-Security/events/200891962/ here]

 

 
 
 

= Upcoming Event Ideas =
We are always looking for ideas for upcoming meetings. If you have a speaker you would like to see, a tutorial you would like to participate in, or just some ideas for discussion topics let us know. We maintain a list of your ideas here. To add to the list you can edit it directly, send one of us an e-mail ([mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean]), or tweet it at our [http://twitter.com/#!/owasp_ottawa Twitter account].
 
*<del>N00bs Night: Understanding and Exploiting the OWASP Top 10 (Top 10 discussion, live exploit demos, test lab to practice your skills)</del>
*Secure Code review
*(ISC)2 CSSLP introduction
*Metasploit introduction
*Web Application Forensics
*xPath Injection (SQL/CSS etc get lots of press but I’d like to hear more about this)
*HTML5 - What's new for security specially for Offline Applications
*Web 2.0 Security Evolution - How security challenges are changing with technology evolultion
*ASP.NET MVC Security for WebForms Developers
*Hack proofing your web application by using reverse engineering
*Using Windows Communication Foundation (WCF) Securely in your applications

= Past Meetings =

==== June 2014====

'''Title:''' Another Bug? Secure Software Development Lifecycle

'''What'''
As dev and test most of us have been in the situation where a security bug is found by a customer and we find ourselves asking – 'how did we miss that'. With a focus on the challenges facing development and test teams, we'll explore some of the issues and solutions that can help improve your SDLC.

'''Who'''
Sean Wilson from CBN will be presenting on Secure Software Development.

==== May 2014====

'''Title:'''Gone in 60 Milliseconds: Mobile devices, free WiFi and your data

'''What'''
Smart phones and tablets broadcast information that anyone can use to discover where you live, where you work and the places you go. Free WiFi networks allow attackers to intercept and alter your communications. This presentation shows a series of live demonstrations showing exactly how this is done and how easy it is.

We show in real time what information the broadcasts your mobile devices send 24/7 reveal about you, and how attackers use fake WiFi access points and man-in-the-middle attacks to capture passwords, subvert VPNs, and install malicious software. The root causes of these issues are explored, and we present solutions, both simple and complex, to safeguard your data, your privacy and your identity.

'''Who'''
Derrick Webber from CGI will be presenting on mobile device security.

====September 2013====
'''Title:'''What's Hiding in Your Software Components?

'''What'''
Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check.

On the just released OWASP Top 10 for 2013, entry A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.

Join Ryan Berg, Sonatype CSO, as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risk. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

'''Who'''
Ryan Berg is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development.

====June 2013====
'''Title:'''China: All up in your business - Annoying Persistent Threat edition

'''What'''
For the past few years, Dave has been involved in examining intrusions by a group informally known as Comment Crew -- which are now better known as 'APT1' following the recent release of the report from Mandiant. This group falls into the class of the 'Advanced Persistent Threat' and are known to use compromised web sites to supply command/control to compromised systems.
The talk contains a live demo of an annotated attack against a fictitious company, using custom malware and metasploit. It shows how attackers initially compromise a system, supply commands, install additional malware, gain privileges in post-exploit and loot the network for fun and profit!
This talk is targeted toward beginner/intermediate security practitioners and provides an overview of these types of attack. Whether you are simulating an APT style attack as a penetration tester or trying to defend your organization against similar threats this talk is a great starting point. Depending on interest it will be possible to focus some of the talk on the demo-malware code itself.

'''Who'''
Dave Ockwell-Jenner has an extensive background in technology: from building one of the Internet’s earliest major web sites, to helping secure some of the world’s most critical systems. He has led the development of solutions for some of Canada’s most prominent technology companies, including Research In Motion and Nortel. He currently works for a Swiss-based company that specializes in IT and communications for the Air Transport Industry. In this role he has focused on designing and delivering the company's secure software development lifecycle. Through this, Dave regularly trains developers in secure software techniques, and has co-authored the SANS course on Developing Defensible Java EE Solutions. Dave also runs a boutique security consultancy called Prime Information Security, concentrating on information security within Small-to-Medium Businesses. He is a security blogger for TELUS and also co-founded a business networking organization called the Small Business Community Network (SBCN).

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/china-all-up-in-your-business-doj Slides]
[https://www.youtube.com/watch?v=2rJ2tHeb5yQ Video Demo]

====May 2013====
'''Title:''' Ottawa IT Camp 2013

'''What'''
Ottawa IT Camp is a fun filled day of "meat only" presentations. By technical people, for technical people! The OWASP track focuses on application security talks covering threat modelling, code review, and the OWASP top 10.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/security-codereview-1 Secure Code Review for .NET]
[http://ottawaitcamp.codeplex.com/ Conference presentations and code]

====January 2013====
'''Title:''' XML Attack Surface

'''What'''
Security vulnerabilities with XML processing can be a real threat to applications, especially when malicious XML can be submitted remotely. Fortunately, these issues can be easily avoided by properly configuring XML parsers.

Several attack types will be presented with a live demo covering the following: Denial of Service, Arbitrary file Content disclosure, and Remote OS command injection. Vulnerabilities caused by misconfiguration of XML parsing, XML transforms and Xpath queries will be investigated and suggestions on how to prevent these type of attacks will be provided with a developer perspective.

'''Who'''
Pierre Ernst is a senior member of the IBM Business Analytics Security Competency Group at the Ottawa Lab in Canada. A former software developer turned penetration tester, he's responsible for finding security vulnerabilities in IBM applications before they are released. Using a combination of manual testing and secure code review, his work complements automated vulnerability scanners. Pierre is also responsible for giving guidance to developers on how to mitigate and fix security issues.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/pierre-ernst-xml-attack-surface-owasp-ottawa Download Here]

====December 2012====
'''Title:''' Sploitego - Maltego's (Local) Partner in Crime

'''What'''
Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that gives Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'.
Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories.
Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

'''Who'''
Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

'''Slides'''
[http://cloud.github.com/downloads/allfro/sploitego/Sploitego%20-%20Hackfest%20Revolution.pdf Download Here]

====N00bs Night: Secure Code Review====
Come join us for a night of free hands on tutorials in secure code review. Learn the OWASP top 10 from a developer's perspective.

'''What'''
During this session, we will review an Online Movie Ticket Booking Application pulled from SourceForge for OWASP Top, specifically Cross-Site Scripting, SQL Injection and Access Control. You will learn how to review your code for these issues, how to fix them and how to automate the whole process. Expect lots of code, tools and fun (Please note that the exercises will be mainly in Java)

'''Who'''
The tutorial will be given by Sherif Koussa. Sherif is the leader of our very own OWASP Ottawa, leader of Static Analysis Tools Evaluation Criteria at the Web Application Security Consortium (WASC) and a Steering Committee Member for SANS/GIAC GSSP-NET and GSSP-JAVA. He is also the founder of Software Secured (www.softwaresecured.com) and Secure Code Gurus (www.securecodegurus.com).

====May 2012====
'''Title:''' OWASP Tutorial Night: Threat Modeling Express

Threat Modeling Express is a lightweight threat modeling process suited for agile development environments. If you want to quickly add threat modeling to your development process without slowing it down this is the process for you. The evening will be composed of an interactive tutorial which will walk the participants through some examples using the The Modeling Express process.

'''Who:'''The tutorial will be given by Rohit Sethi a software security specialist and Vice President of SD Elements. Rohit is a SANS course developer and instructor and leads the OWASP Design Patterns Security Analysis project.

'''When:''' The event will start at 6PM on May 3, 2012.Please RSVP [http://www.eventbrite.com/event/3413274195 here]

'''Where:''' Shopify have kindly offered the board room of their brand new location for the event.

'''Speaker Notes:''' [http://www.scribd.com/doc/94372478/Threat-Model-Express?secret_password=wspz2g4rjvlob3bx2in Download Here]

==== December 12, 2011 ====
'''Location:''' Bell Canada - 160 Elgin St, Ottawa 

'''Title:''' n00bs night out...exploiting the owasp top 10

Hey Ottawa, come join us for a FREE night of web application hacking. We have tutorials explaining how to exploit the OWASP Top 10 web application vulnerabilities and hands on labs to practice your skills. Bring your laptop and a copy of the Backtrack 5 LiveCD (or VM) http://www.backtrack-linux.org/downloads/

'''Who:''' all skill levels are welcome (especially n00bs)

'''When:''' December 12 from 6:00pm - 9:00pm (open at 5:30)

'''RSVP:''' http://n00bs-night.eventbrite.com/

==== September 27th, 2011 ====

'''Location''': Shopify - 61a York St (Above Tucker's Marketplace)

'''Speaker Notes:''' [https://www.owasp.org/images/a/a2/OWASP_Sep_2011_Hacking_Silverlight.ppt Download Here]

'''Microsoft Silverlight Security - A Hacker's Perspective'''

'''Abstract'''

It’s not news for anyone how the internet has revolutionized all aspects of our lives. In the past few years there has been unprecedented growth in web applications and their user base. One of the core technologies driving this widespread phenomenon is Rich Internet Applications (RIAs) because it offers the same level of responsiveness & interactivity on web that is available to desktop applications. Microsoft offered its vision of RIA through Silverlight - a framework that allows web applications running in a browser to behave more like desktop applications.

One of the major enhancements in Silverlight was the incorporation of mini-CLR engine, that on one hand, adds amazing capabilities for web developers but, on the other hand, also broadens the surface area of attack by opening previously nonexistent entry points into web applications. In this presentation Angelo & Kamran will demonstrate how modern hackers can use reverse engineering techniques to take advantage of weak security implementation. They will also show some effective ways of defending against these types of attacks.

'''Speakers:'''

Angelo Chan is an experienced versatile software developer who has developed applications, middleware and low-level software for various platforms. With an initial background in Telecom, Angelo has since worked with different technologies and has discovered a passion for .NET. His interests include virtual machines, operating systems, network/application reverse engineering and security. Angelo can be reached at Angelo@WindowsDebugging.com

Kamran Bilgrami is a seasoned software developer with proven track record of transforming complex business problems into viable technical solution. He has been instrumental in orchestrating highly available, performance centric, fault-tolerant real-time systems in a wide variety of industries including Telecom, Security and Human/Health Services. His areas of expertise include .NET, CLR Internals, Patterns and Security. Kamran can be reached at Kamran@WindowsDebugging.com

 

==== May, Thursday 12th 2011 ====

'''Location:''' Bell - 160 Elgin St, Ottawa '''Session 1 - Chris Pierre: Beyond Facebook: How Hackers Might Obtain Information Individual for Social Engineering attacks''' As the old saying goes “Know your enemy as you know yourself.” This discussion will examine several sources of publicly available information which an attacker might use to gain background information on a target for the purposes of a social engineering attack. The talk is expected to be interactive, lively and will provoke a discussion on how these systems and processes can be hardened against this type of attack. 

 '''About The Speaker'''

Chris Pierre BA, CFE, CISSP is an Ottawa-based forensic investigation professional. Having worked with several forensic firms prior to starting Evince Services, Inc., he has experience in many types of engagements in both the private & public sectors & specializes in investigations involving the internet. Forensic engagements have included information leaks, general corporate fraud investigations, investor fraud, intellectual property cases, administrative/internal investigations, background investigations, grants & contributions fraud, corruption investigations & the provision of training on the use of the Internet as an investigative tool. Preventative engagements have included training, background due diligence & compliance consulting.

Chris is an instructor at Algonquin College, the Canadian Police College, Past-President of the Ottawa Chapter of the High Tech Crime Investigators Association (HTCIA) & a member of the Ottawa Chapter of the Association of Certified Fraud Examiners. '''Session 2: - David Mirza Ahmed: Introducing Vega, a New Open Source Web Vulnerability Scanner'''

David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

 '''About The Speaker''' David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal. 

==== March, Thursday 10th 2011 ====

Speaker: Shan Gu - Accenture - Large enterprises are increasing their adoption of SOA at a rapid rate as interoperability standards and vendor product implementations mature and stabilize. However, moving enterprises into a loosely coupled IT paradigm introduces challenges around security and compliance. How do we address accountability, confidentiality, integrity, and trust in a large loosely couple ecosystem where consumers and providers don’t always maintain a permanent or stateful relationship? There are standards of course that help integrators and Architects design systems to communicate with each other in a secure manner, however these standards, when interpreted in their purest sense are complex and expensive to implement/maintain in large organizations. And systems that are operationally complex in terms of security are ironically the least secure.

About The Speaker Shan Gu - Manager in the Security Technologies Practice at Accenture Shan is a Security Architect from Accenture who specializes in Identity and Access Management and SOA Security. He has worked with clients in both the Public and Private sectors and in various industries spanning from Health, to Transport, to Financial Services. Shan has spent his recent years focused on helping clients adopt SOA within the enterprise and to do it in a secure and cost effective manner. Shan is a graduate from Carleton University’s Systems and Computer Engineering program, with a B.Eng and a Minor in Business.

==== More Previous Meetings ====

*September 10th, 2009 - Justin Foster - '''Speaker Notes:''' [http://www.developingsecurity.com/weblog/2009/09/crossing-the-border-javascript-exploits.html Download Here]
*April 6th, 2009 - Rafal Los - '''Speaker Notes:''' [http://www.owasp.org/images/3/3a/A_Laugh_RIAt2.zip Download Here]
*July 16th, 2008 - John Linehan - '''Speaker Notes:''' [https://www.owasp.org/index.php/Image:John_Linehan_OWASP_Dist.pdf Download Here]
*[[November 28th, 2007 - Eric Klien - Make my day]]

= Chapter Leadership =

Chapter President: [mailto:sherif.koussa@owasp.org Sherif Koussa] 
Chapter Committee: [mailto:sean.wilson@owasp.org Sean Wilson] and [mailto:mike.sues@owasp.org Mike Sues] 

 
 
__NOTOC__ <headertabs />

[[Category:Canada]]

Ottawa

2014-06-10T12:27:40Z

Koussa: /* Thanks to Our 2014 Sponsor */

{{Chapter Template|chaptername=Ottawa|extra=The chapter's president is [mailto:sherif.koussa@gmail.com Sherif Koussa]

Follow us on [http://twitter.com/#!/owasp_ottawa Twitter] 

<paypal>Ottawa</paypal>

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ottawa|emailarchives=http://lists.owasp.org/mailman/listinfo/owasp-ottawa}}

 

==Thanks to Our 2014 Sponsor==
{| border="0" align="left" cellpadding="1" cellspacing="1"
[[Image:2Keys_Security_Solutions.jpg|240x120px|2Keys_Security_Solutions.jpg|link=http://www.2keys.ca]]
|}

 

==Your Local Chapter==
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean], [mailto:mike.sues@owasp.org Mike] or tweet at us [http://twitter.com/#!/owasp_ottawa owasp_ottawa].

Hope to see you at a meeting soon.

 

==Upcoming Events==
=== Another Bug? Secure Software Development Lifecycle===

'''Who'''

Sean Wilson from CBN will be presenting on Secure Software Development.

'''What'''

As dev and test most of us have been in the situation where a security bug is found by a customer and we find ourselves asking – 'how did we miss that'. With a focus on the challenges facing development and test teams, we'll explore some of the issues and solutions that can help improve your SDLC.

'''Where'''

Microsoft Glacier Room 100 Queen Street, Suite 500 - World Exchange Plaza

''Find the 100 Queen Street Building, Take the elevator to the 5th floor. Be there before 6:00 PM as the elevators stop working then.''

'''When'''

Wednesday, June 11 from 5:30PM to 7:30PM

'''Registration'''

Register for free [http://www.meetup.com/OWASP-Ottawa-Meetup-Web-Application-Security/events/181674482/ here]
 

 
 
 

= Upcoming Event Ideas =
We are always looking for ideas for upcoming meetings. If you have a speaker you would like to see, a tutorial you would like to participate in, or just some ideas for discussion topics let us know. We maintain a list of your ideas here. To add to the list you can edit it directly, send one of us an e-mail ([mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean]), or tweet it at our [http://twitter.com/#!/owasp_ottawa Twitter account].
 
*<del>N00bs Night: Understanding and Exploiting the OWASP Top 10 (Top 10 discussion, live exploit demos, test lab to practice your skills)</del>
*Secure Code review
*(ISC)2 CSSLP introduction
*Metasploit introduction
*Web Application Forensics
*xPath Injection (SQL/CSS etc get lots of press but I’d like to hear more about this)
*HTML5 - What's new for security specially for Offline Applications
*Web 2.0 Security Evolution - How security challenges are changing with technology evolultion
*ASP.NET MVC Security for WebForms Developers
*Hack proofing your web application by using reverse engineering
*Using Windows Communication Foundation (WCF) Securely in your applications

= Past Meetings =
==== May 2014====

'''Title:'''Gone in 60 Milliseconds: Mobile devices, free WiFi and your data
'''Who'''

Derrick Webber from CGI will be presenting on mobile device security.

'''What'''

Smart phones and tablets broadcast information that anyone can use to discover where you live, where you work and the places you go. Free WiFi networks allow attackers to intercept and alter your communications. This presentation shows a series of live demonstrations showing exactly how this is done and how easy it is.

We show in real time what information the broadcasts your mobile devices send 24/7 reveal about you, and how attackers use fake WiFi access points and man-in-the-middle attacks to capture passwords, subvert VPNs, and install malicious software. The root causes of these issues are explored, and we present solutions, both simple and complex, to safeguard your data, your privacy and your identity.

====September 2013====
'''Title:'''What's Hiding in Your Software Components?

'''What'''
Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check.

On the just released OWASP Top 10 for 2013, entry A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.

Join Ryan Berg, Sonatype CSO, as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risk. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

'''Who'''
Ryan Berg is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development.

====June 2013====
'''Title:'''China: All up in your business - Annoying Persistent Threat edition

'''What'''
For the past few years, Dave has been involved in examining intrusions by a group informally known as Comment Crew -- which are now better known as 'APT1' following the recent release of the report from Mandiant. This group falls into the class of the 'Advanced Persistent Threat' and are known to use compromised web sites to supply command/control to compromised systems.
The talk contains a live demo of an annotated attack against a fictitious company, using custom malware and metasploit. It shows how attackers initially compromise a system, supply commands, install additional malware, gain privileges in post-exploit and loot the network for fun and profit!
This talk is targeted toward beginner/intermediate security practitioners and provides an overview of these types of attack. Whether you are simulating an APT style attack as a penetration tester or trying to defend your organization against similar threats this talk is a great starting point. Depending on interest it will be possible to focus some of the talk on the demo-malware code itself.

'''Who'''
Dave Ockwell-Jenner has an extensive background in technology: from building one of the Internet’s earliest major web sites, to helping secure some of the world’s most critical systems. He has led the development of solutions for some of Canada’s most prominent technology companies, including Research In Motion and Nortel. He currently works for a Swiss-based company that specializes in IT and communications for the Air Transport Industry. In this role he has focused on designing and delivering the company's secure software development lifecycle. Through this, Dave regularly trains developers in secure software techniques, and has co-authored the SANS course on Developing Defensible Java EE Solutions. Dave also runs a boutique security consultancy called Prime Information Security, concentrating on information security within Small-to-Medium Businesses. He is a security blogger for TELUS and also co-founded a business networking organization called the Small Business Community Network (SBCN).

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/china-all-up-in-your-business-doj Slides]
[https://www.youtube.com/watch?v=2rJ2tHeb5yQ Video Demo]

====May 2013====
'''Title:''' Ottawa IT Camp 2013

'''What'''
Ottawa IT Camp is a fun filled day of "meat only" presentations. By technical people, for technical people! The OWASP track focuses on application security talks covering threat modelling, code review, and the OWASP top 10.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/security-codereview-1 Secure Code Review for .NET]
[http://ottawaitcamp.codeplex.com/ Conference presentations and code]

====January 2013====
'''Title:''' XML Attack Surface

'''What'''
Security vulnerabilities with XML processing can be a real threat to applications, especially when malicious XML can be submitted remotely. Fortunately, these issues can be easily avoided by properly configuring XML parsers.

Several attack types will be presented with a live demo covering the following: Denial of Service, Arbitrary file Content disclosure, and Remote OS command injection. Vulnerabilities caused by misconfiguration of XML parsing, XML transforms and Xpath queries will be investigated and suggestions on how to prevent these type of attacks will be provided with a developer perspective.

'''Who'''
Pierre Ernst is a senior member of the IBM Business Analytics Security Competency Group at the Ottawa Lab in Canada. A former software developer turned penetration tester, he's responsible for finding security vulnerabilities in IBM applications before they are released. Using a combination of manual testing and secure code review, his work complements automated vulnerability scanners. Pierre is also responsible for giving guidance to developers on how to mitigate and fix security issues.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/pierre-ernst-xml-attack-surface-owasp-ottawa Download Here]

====December 2012====
'''Title:''' Sploitego - Maltego's (Local) Partner in Crime

'''What'''
Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that gives Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'.
Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories.
Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

'''Who'''
Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

'''Slides'''
[http://cloud.github.com/downloads/allfro/sploitego/Sploitego%20-%20Hackfest%20Revolution.pdf Download Here]

====N00bs Night: Secure Code Review====
Come join us for a night of free hands on tutorials in secure code review. Learn the OWASP top 10 from a developer's perspective.

'''What'''
During this session, we will review an Online Movie Ticket Booking Application pulled from SourceForge for OWASP Top, specifically Cross-Site Scripting, SQL Injection and Access Control. You will learn how to review your code for these issues, how to fix them and how to automate the whole process. Expect lots of code, tools and fun (Please note that the exercises will be mainly in Java)

'''Who'''
The tutorial will be given by Sherif Koussa. Sherif is the leader of our very own OWASP Ottawa, leader of Static Analysis Tools Evaluation Criteria at the Web Application Security Consortium (WASC) and a Steering Committee Member for SANS/GIAC GSSP-NET and GSSP-JAVA. He is also the founder of Software Secured (www.softwaresecured.com) and Secure Code Gurus (www.securecodegurus.com).

====May 2012====
'''Title:''' OWASP Tutorial Night: Threat Modeling Express

Threat Modeling Express is a lightweight threat modeling process suited for agile development environments. If you want to quickly add threat modeling to your development process without slowing it down this is the process for you. The evening will be composed of an interactive tutorial which will walk the participants through some examples using the The Modeling Express process.

'''Who:'''The tutorial will be given by Rohit Sethi a software security specialist and Vice President of SD Elements. Rohit is a SANS course developer and instructor and leads the OWASP Design Patterns Security Analysis project.

'''When:''' The event will start at 6PM on May 3, 2012.Please RSVP [http://www.eventbrite.com/event/3413274195 here]

'''Where:''' Shopify have kindly offered the board room of their brand new location for the event.

'''Speaker Notes:''' [http://www.scribd.com/doc/94372478/Threat-Model-Express?secret_password=wspz2g4rjvlob3bx2in Download Here]

==== December 12, 2011 ====
'''Location:''' Bell Canada - 160 Elgin St, Ottawa 

'''Title:''' n00bs night out...exploiting the owasp top 10

Hey Ottawa, come join us for a FREE night of web application hacking. We have tutorials explaining how to exploit the OWASP Top 10 web application vulnerabilities and hands on labs to practice your skills. Bring your laptop and a copy of the Backtrack 5 LiveCD (or VM) http://www.backtrack-linux.org/downloads/

'''Who:''' all skill levels are welcome (especially n00bs)

'''When:''' December 12 from 6:00pm - 9:00pm (open at 5:30)

'''RSVP:''' http://n00bs-night.eventbrite.com/

==== September 27th, 2011 ====

'''Location''': Shopify - 61a York St (Above Tucker's Marketplace)

'''Speaker Notes:''' [https://www.owasp.org/images/a/a2/OWASP_Sep_2011_Hacking_Silverlight.ppt Download Here]

'''Microsoft Silverlight Security - A Hacker's Perspective'''

'''Abstract'''

It’s not news for anyone how the internet has revolutionized all aspects of our lives. In the past few years there has been unprecedented growth in web applications and their user base. One of the core technologies driving this widespread phenomenon is Rich Internet Applications (RIAs) because it offers the same level of responsiveness & interactivity on web that is available to desktop applications. Microsoft offered its vision of RIA through Silverlight - a framework that allows web applications running in a browser to behave more like desktop applications.

One of the major enhancements in Silverlight was the incorporation of mini-CLR engine, that on one hand, adds amazing capabilities for web developers but, on the other hand, also broadens the surface area of attack by opening previously nonexistent entry points into web applications. In this presentation Angelo & Kamran will demonstrate how modern hackers can use reverse engineering techniques to take advantage of weak security implementation. They will also show some effective ways of defending against these types of attacks.

'''Speakers:'''

Angelo Chan is an experienced versatile software developer who has developed applications, middleware and low-level software for various platforms. With an initial background in Telecom, Angelo has since worked with different technologies and has discovered a passion for .NET. His interests include virtual machines, operating systems, network/application reverse engineering and security. Angelo can be reached at Angelo@WindowsDebugging.com

Kamran Bilgrami is a seasoned software developer with proven track record of transforming complex business problems into viable technical solution. He has been instrumental in orchestrating highly available, performance centric, fault-tolerant real-time systems in a wide variety of industries including Telecom, Security and Human/Health Services. His areas of expertise include .NET, CLR Internals, Patterns and Security. Kamran can be reached at Kamran@WindowsDebugging.com

 

==== May, Thursday 12th 2011 ====

'''Location:''' Bell - 160 Elgin St, Ottawa '''Session 1 - Chris Pierre: Beyond Facebook: How Hackers Might Obtain Information Individual for Social Engineering attacks''' As the old saying goes “Know your enemy as you know yourself.” This discussion will examine several sources of publicly available information which an attacker might use to gain background information on a target for the purposes of a social engineering attack. The talk is expected to be interactive, lively and will provoke a discussion on how these systems and processes can be hardened against this type of attack. 

 '''About The Speaker'''

Chris Pierre BA, CFE, CISSP is an Ottawa-based forensic investigation professional. Having worked with several forensic firms prior to starting Evince Services, Inc., he has experience in many types of engagements in both the private & public sectors & specializes in investigations involving the internet. Forensic engagements have included information leaks, general corporate fraud investigations, investor fraud, intellectual property cases, administrative/internal investigations, background investigations, grants & contributions fraud, corruption investigations & the provision of training on the use of the Internet as an investigative tool. Preventative engagements have included training, background due diligence & compliance consulting.

Chris is an instructor at Algonquin College, the Canadian Police College, Past-President of the Ottawa Chapter of the High Tech Crime Investigators Association (HTCIA) & a member of the Ottawa Chapter of the Association of Certified Fraud Examiners. '''Session 2: - David Mirza Ahmed: Introducing Vega, a New Open Source Web Vulnerability Scanner'''

David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

 '''About The Speaker''' David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal. 

==== March, Thursday 10th 2011 ====

Speaker: Shan Gu - Accenture - Large enterprises are increasing their adoption of SOA at a rapid rate as interoperability standards and vendor product implementations mature and stabilize. However, moving enterprises into a loosely coupled IT paradigm introduces challenges around security and compliance. How do we address accountability, confidentiality, integrity, and trust in a large loosely couple ecosystem where consumers and providers don’t always maintain a permanent or stateful relationship? There are standards of course that help integrators and Architects design systems to communicate with each other in a secure manner, however these standards, when interpreted in their purest sense are complex and expensive to implement/maintain in large organizations. And systems that are operationally complex in terms of security are ironically the least secure.

About The Speaker Shan Gu - Manager in the Security Technologies Practice at Accenture Shan is a Security Architect from Accenture who specializes in Identity and Access Management and SOA Security. He has worked with clients in both the Public and Private sectors and in various industries spanning from Health, to Transport, to Financial Services. Shan has spent his recent years focused on helping clients adopt SOA within the enterprise and to do it in a secure and cost effective manner. Shan is a graduate from Carleton University’s Systems and Computer Engineering program, with a B.Eng and a Minor in Business.

==== More Previous Meetings ====

*September 10th, 2009 - Justin Foster - '''Speaker Notes:''' [http://www.developingsecurity.com/weblog/2009/09/crossing-the-border-javascript-exploits.html Download Here]
*April 6th, 2009 - Rafal Los - '''Speaker Notes:''' [http://www.owasp.org/images/3/3a/A_Laugh_RIAt2.zip Download Here]
*July 16th, 2008 - John Linehan - '''Speaker Notes:''' [https://www.owasp.org/index.php/Image:John_Linehan_OWASP_Dist.pdf Download Here]
*[[November 28th, 2007 - Eric Klien - Make my day]]

= Chapter Leadership =

Chapter President: [mailto:sherif.koussa@owasp.org Sherif Koussa] 
Chapter Committee: [mailto:sean.wilson@owasp.org Sean Wilson] and [mailto:mike.sues@owasp.org Mike Sues] 

 
 
__NOTOC__ <headertabs />

[[Category:Canada]]

Ottawa

2014-06-09T15:44:04Z

Koussa: /* Another Bug? Secure Software Development Lifecycle */

{{Chapter Template|chaptername=Ottawa|extra=The chapter's president is [mailto:sherif.koussa@gmail.com Sherif Koussa]

Follow us on [http://twitter.com/#!/owasp_ottawa Twitter] 

<paypal>Ottawa</paypal>

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ottawa|emailarchives=http://lists.owasp.org/mailman/listinfo/owasp-ottawa}}

 

==Thanks to Our 2014 Sponsor==
{| width="900" border="0" align="left" cellpadding="1" cellspacing="1"
[[Image:2Keys_Security_Solutions.jpg|240x120px|2Keys_Security_Solutions.jpg|link=http://www.2keys.ca]]
|}

 
==Your Local Chapter==
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean], [mailto:mike.sues@owasp.org Mike] or tweet at us [http://twitter.com/#!/owasp_ottawa owasp_ottawa].

Hope to see you at a meeting soon.

 

==Upcoming Events==
=== Another Bug? Secure Software Development Lifecycle===

'''Who'''

Sean Wilson from CBN will be presenting on Secure Software Development.

'''What'''

As dev and test most of us have been in the situation where a security bug is found by a customer and we find ourselves asking – 'how did we miss that'. With a focus on the challenges facing development and test teams, we'll explore some of the issues and solutions that can help improve your SDLC.

'''Where'''

Microsoft Glacier Room 100 Queen Street, Suite 500 - World Exchange Plaza

''Find the 100 Queen Street Building, Take the elevator to the 5th floor. Be there before 6:00 PM as the elevators stop working then.''

'''When'''

Wednesday, June 11 from 5:30PM to 7:30PM

'''Registration'''

Register for free [http://www.meetup.com/OWASP-Ottawa-Meetup-Web-Application-Security/events/181674482/ here]
 

 
 
 

= Upcoming Event Ideas =
We are always looking for ideas for upcoming meetings. If you have a speaker you would like to see, a tutorial you would like to participate in, or just some ideas for discussion topics let us know. We maintain a list of your ideas here. To add to the list you can edit it directly, send one of us an e-mail ([mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean]), or tweet it at our [http://twitter.com/#!/owasp_ottawa Twitter account].
 
*<del>N00bs Night: Understanding and Exploiting the OWASP Top 10 (Top 10 discussion, live exploit demos, test lab to practice your skills)</del>
*Secure Code review
*(ISC)2 CSSLP introduction
*Metasploit introduction
*Web Application Forensics
*xPath Injection (SQL/CSS etc get lots of press but I’d like to hear more about this)
*HTML5 - What's new for security specially for Offline Applications
*Web 2.0 Security Evolution - How security challenges are changing with technology evolultion
*ASP.NET MVC Security for WebForms Developers
*Hack proofing your web application by using reverse engineering
*Using Windows Communication Foundation (WCF) Securely in your applications

= Past Meetings =
==== May 2014====

'''Title:'''Gone in 60 Milliseconds: Mobile devices, free WiFi and your data
'''Who'''

Derrick Webber from CGI will be presenting on mobile device security.

'''What'''

Smart phones and tablets broadcast information that anyone can use to discover where you live, where you work and the places you go. Free WiFi networks allow attackers to intercept and alter your communications. This presentation shows a series of live demonstrations showing exactly how this is done and how easy it is.

We show in real time what information the broadcasts your mobile devices send 24/7 reveal about you, and how attackers use fake WiFi access points and man-in-the-middle attacks to capture passwords, subvert VPNs, and install malicious software. The root causes of these issues are explored, and we present solutions, both simple and complex, to safeguard your data, your privacy and your identity.

====September 2013====
'''Title:'''What's Hiding in Your Software Components?

'''What'''
Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check.

On the just released OWASP Top 10 for 2013, entry A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.

Join Ryan Berg, Sonatype CSO, as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risk. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

'''Who'''
Ryan Berg is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development.

====June 2013====
'''Title:'''China: All up in your business - Annoying Persistent Threat edition

'''What'''
For the past few years, Dave has been involved in examining intrusions by a group informally known as Comment Crew -- which are now better known as 'APT1' following the recent release of the report from Mandiant. This group falls into the class of the 'Advanced Persistent Threat' and are known to use compromised web sites to supply command/control to compromised systems.
The talk contains a live demo of an annotated attack against a fictitious company, using custom malware and metasploit. It shows how attackers initially compromise a system, supply commands, install additional malware, gain privileges in post-exploit and loot the network for fun and profit!
This talk is targeted toward beginner/intermediate security practitioners and provides an overview of these types of attack. Whether you are simulating an APT style attack as a penetration tester or trying to defend your organization against similar threats this talk is a great starting point. Depending on interest it will be possible to focus some of the talk on the demo-malware code itself.

'''Who'''
Dave Ockwell-Jenner has an extensive background in technology: from building one of the Internet’s earliest major web sites, to helping secure some of the world’s most critical systems. He has led the development of solutions for some of Canada’s most prominent technology companies, including Research In Motion and Nortel. He currently works for a Swiss-based company that specializes in IT and communications for the Air Transport Industry. In this role he has focused on designing and delivering the company's secure software development lifecycle. Through this, Dave regularly trains developers in secure software techniques, and has co-authored the SANS course on Developing Defensible Java EE Solutions. Dave also runs a boutique security consultancy called Prime Information Security, concentrating on information security within Small-to-Medium Businesses. He is a security blogger for TELUS and also co-founded a business networking organization called the Small Business Community Network (SBCN).

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/china-all-up-in-your-business-doj Slides]
[https://www.youtube.com/watch?v=2rJ2tHeb5yQ Video Demo]

====May 2013====
'''Title:''' Ottawa IT Camp 2013

'''What'''
Ottawa IT Camp is a fun filled day of "meat only" presentations. By technical people, for technical people! The OWASP track focuses on application security talks covering threat modelling, code review, and the OWASP top 10.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/security-codereview-1 Secure Code Review for .NET]
[http://ottawaitcamp.codeplex.com/ Conference presentations and code]

====January 2013====
'''Title:''' XML Attack Surface

'''What'''
Security vulnerabilities with XML processing can be a real threat to applications, especially when malicious XML can be submitted remotely. Fortunately, these issues can be easily avoided by properly configuring XML parsers.

Several attack types will be presented with a live demo covering the following: Denial of Service, Arbitrary file Content disclosure, and Remote OS command injection. Vulnerabilities caused by misconfiguration of XML parsing, XML transforms and Xpath queries will be investigated and suggestions on how to prevent these type of attacks will be provided with a developer perspective.

'''Who'''
Pierre Ernst is a senior member of the IBM Business Analytics Security Competency Group at the Ottawa Lab in Canada. A former software developer turned penetration tester, he's responsible for finding security vulnerabilities in IBM applications before they are released. Using a combination of manual testing and secure code review, his work complements automated vulnerability scanners. Pierre is also responsible for giving guidance to developers on how to mitigate and fix security issues.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/pierre-ernst-xml-attack-surface-owasp-ottawa Download Here]

====December 2012====
'''Title:''' Sploitego - Maltego's (Local) Partner in Crime

'''What'''
Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that gives Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'.
Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories.
Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

'''Who'''
Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

'''Slides'''
[http://cloud.github.com/downloads/allfro/sploitego/Sploitego%20-%20Hackfest%20Revolution.pdf Download Here]

====N00bs Night: Secure Code Review====
Come join us for a night of free hands on tutorials in secure code review. Learn the OWASP top 10 from a developer's perspective.

'''What'''
During this session, we will review an Online Movie Ticket Booking Application pulled from SourceForge for OWASP Top, specifically Cross-Site Scripting, SQL Injection and Access Control. You will learn how to review your code for these issues, how to fix them and how to automate the whole process. Expect lots of code, tools and fun (Please note that the exercises will be mainly in Java)

'''Who'''
The tutorial will be given by Sherif Koussa. Sherif is the leader of our very own OWASP Ottawa, leader of Static Analysis Tools Evaluation Criteria at the Web Application Security Consortium (WASC) and a Steering Committee Member for SANS/GIAC GSSP-NET and GSSP-JAVA. He is also the founder of Software Secured (www.softwaresecured.com) and Secure Code Gurus (www.securecodegurus.com).

====May 2012====
'''Title:''' OWASP Tutorial Night: Threat Modeling Express

Threat Modeling Express is a lightweight threat modeling process suited for agile development environments. If you want to quickly add threat modeling to your development process without slowing it down this is the process for you. The evening will be composed of an interactive tutorial which will walk the participants through some examples using the The Modeling Express process.

'''Who:'''The tutorial will be given by Rohit Sethi a software security specialist and Vice President of SD Elements. Rohit is a SANS course developer and instructor and leads the OWASP Design Patterns Security Analysis project.

'''When:''' The event will start at 6PM on May 3, 2012.Please RSVP [http://www.eventbrite.com/event/3413274195 here]

'''Where:''' Shopify have kindly offered the board room of their brand new location for the event.

'''Speaker Notes:''' [http://www.scribd.com/doc/94372478/Threat-Model-Express?secret_password=wspz2g4rjvlob3bx2in Download Here]

==== December 12, 2011 ====
'''Location:''' Bell Canada - 160 Elgin St, Ottawa 

'''Title:''' n00bs night out...exploiting the owasp top 10

Hey Ottawa, come join us for a FREE night of web application hacking. We have tutorials explaining how to exploit the OWASP Top 10 web application vulnerabilities and hands on labs to practice your skills. Bring your laptop and a copy of the Backtrack 5 LiveCD (or VM) http://www.backtrack-linux.org/downloads/

'''Who:''' all skill levels are welcome (especially n00bs)

'''When:''' December 12 from 6:00pm - 9:00pm (open at 5:30)

'''RSVP:''' http://n00bs-night.eventbrite.com/

==== September 27th, 2011 ====

'''Location''': Shopify - 61a York St (Above Tucker's Marketplace)

'''Speaker Notes:''' [https://www.owasp.org/images/a/a2/OWASP_Sep_2011_Hacking_Silverlight.ppt Download Here]

'''Microsoft Silverlight Security - A Hacker's Perspective'''

'''Abstract'''

It’s not news for anyone how the internet has revolutionized all aspects of our lives. In the past few years there has been unprecedented growth in web applications and their user base. One of the core technologies driving this widespread phenomenon is Rich Internet Applications (RIAs) because it offers the same level of responsiveness & interactivity on web that is available to desktop applications. Microsoft offered its vision of RIA through Silverlight - a framework that allows web applications running in a browser to behave more like desktop applications.

One of the major enhancements in Silverlight was the incorporation of mini-CLR engine, that on one hand, adds amazing capabilities for web developers but, on the other hand, also broadens the surface area of attack by opening previously nonexistent entry points into web applications. In this presentation Angelo & Kamran will demonstrate how modern hackers can use reverse engineering techniques to take advantage of weak security implementation. They will also show some effective ways of defending against these types of attacks.

'''Speakers:'''

Angelo Chan is an experienced versatile software developer who has developed applications, middleware and low-level software for various platforms. With an initial background in Telecom, Angelo has since worked with different technologies and has discovered a passion for .NET. His interests include virtual machines, operating systems, network/application reverse engineering and security. Angelo can be reached at Angelo@WindowsDebugging.com

Kamran Bilgrami is a seasoned software developer with proven track record of transforming complex business problems into viable technical solution. He has been instrumental in orchestrating highly available, performance centric, fault-tolerant real-time systems in a wide variety of industries including Telecom, Security and Human/Health Services. His areas of expertise include .NET, CLR Internals, Patterns and Security. Kamran can be reached at Kamran@WindowsDebugging.com

 

==== May, Thursday 12th 2011 ====

'''Location:''' Bell - 160 Elgin St, Ottawa '''Session 1 - Chris Pierre: Beyond Facebook: How Hackers Might Obtain Information Individual for Social Engineering attacks''' As the old saying goes “Know your enemy as you know yourself.” This discussion will examine several sources of publicly available information which an attacker might use to gain background information on a target for the purposes of a social engineering attack. The talk is expected to be interactive, lively and will provoke a discussion on how these systems and processes can be hardened against this type of attack. 

 '''About The Speaker'''

Chris Pierre BA, CFE, CISSP is an Ottawa-based forensic investigation professional. Having worked with several forensic firms prior to starting Evince Services, Inc., he has experience in many types of engagements in both the private & public sectors & specializes in investigations involving the internet. Forensic engagements have included information leaks, general corporate fraud investigations, investor fraud, intellectual property cases, administrative/internal investigations, background investigations, grants & contributions fraud, corruption investigations & the provision of training on the use of the Internet as an investigative tool. Preventative engagements have included training, background due diligence & compliance consulting.

Chris is an instructor at Algonquin College, the Canadian Police College, Past-President of the Ottawa Chapter of the High Tech Crime Investigators Association (HTCIA) & a member of the Ottawa Chapter of the Association of Certified Fraud Examiners. '''Session 2: - David Mirza Ahmed: Introducing Vega, a New Open Source Web Vulnerability Scanner'''

David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

 '''About The Speaker''' David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal. 

==== March, Thursday 10th 2011 ====

Speaker: Shan Gu - Accenture - Large enterprises are increasing their adoption of SOA at a rapid rate as interoperability standards and vendor product implementations mature and stabilize. However, moving enterprises into a loosely coupled IT paradigm introduces challenges around security and compliance. How do we address accountability, confidentiality, integrity, and trust in a large loosely couple ecosystem where consumers and providers don’t always maintain a permanent or stateful relationship? There are standards of course that help integrators and Architects design systems to communicate with each other in a secure manner, however these standards, when interpreted in their purest sense are complex and expensive to implement/maintain in large organizations. And systems that are operationally complex in terms of security are ironically the least secure.

About The Speaker Shan Gu - Manager in the Security Technologies Practice at Accenture Shan is a Security Architect from Accenture who specializes in Identity and Access Management and SOA Security. He has worked with clients in both the Public and Private sectors and in various industries spanning from Health, to Transport, to Financial Services. Shan has spent his recent years focused on helping clients adopt SOA within the enterprise and to do it in a secure and cost effective manner. Shan is a graduate from Carleton University’s Systems and Computer Engineering program, with a B.Eng and a Minor in Business.

==== More Previous Meetings ====

*September 10th, 2009 - Justin Foster - '''Speaker Notes:''' [http://www.developingsecurity.com/weblog/2009/09/crossing-the-border-javascript-exploits.html Download Here]
*April 6th, 2009 - Rafal Los - '''Speaker Notes:''' [http://www.owasp.org/images/3/3a/A_Laugh_RIAt2.zip Download Here]
*July 16th, 2008 - John Linehan - '''Speaker Notes:''' [https://www.owasp.org/index.php/Image:John_Linehan_OWASP_Dist.pdf Download Here]
*[[November 28th, 2007 - Eric Klien - Make my day]]

= Chapter Leadership =

Chapter President: [mailto:sherif.koussa@owasp.org Sherif Koussa] 
Chapter Committee: [mailto:sean.wilson@owasp.org Sean Wilson] and [mailto:mike.sues@owasp.org Mike Sues] 

 
 
__NOTOC__ <headertabs />

[[Category:Canada]]

Ottawa

2014-06-09T15:43:40Z

Koussa: /* Another Bug? Secure Software Development Lifecycle */

{{Chapter Template|chaptername=Ottawa|extra=The chapter's president is [mailto:sherif.koussa@gmail.com Sherif Koussa]

Follow us on [http://twitter.com/#!/owasp_ottawa Twitter] 

<paypal>Ottawa</paypal>

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ottawa|emailarchives=http://lists.owasp.org/mailman/listinfo/owasp-ottawa}}

 

==Thanks to Our 2014 Sponsor==
{| width="900" border="0" align="left" cellpadding="1" cellspacing="1"
[[Image:2Keys_Security_Solutions.jpg|240x120px|2Keys_Security_Solutions.jpg|link=http://www.2keys.ca]]
|}

 
==Your Local Chapter==
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean], [mailto:mike.sues@owasp.org Mike] or tweet at us [http://twitter.com/#!/owasp_ottawa owasp_ottawa].

Hope to see you at a meeting soon.

 

==Upcoming Events==
=== Another Bug? Secure Software Development Lifecycle===

'''Who'''

Sean Wilson from CBN will be presenting on Secure Software Development.

'''What'''

As dev and test most of us have been in the situation where a security bug is found by a customer and we find ourselves asking – 'how did we miss that'. With a focus on the challenges facing development and test teams, we'll explore some of the issues and solutions that can help improve your SDLC.

'''Where'''

Microsoft Glacier Room 100 Queen Street, Suite 500 - World Exchange Plaza

''Find the 100 Queen Street Building, Take the elevator to the 5th floor. Be there before 6:00 PM as the elevators stop working then.''

'''When'''

Wednesday, June 11 from 5:30PM to 7:30PM

'''Registration'''

Register for free [http://www.meetup.com/OWASP-Ottawa-Meetup-Web-Application-Security/events/178280042/ here]
 

 
 
 

= Upcoming Event Ideas =
We are always looking for ideas for upcoming meetings. If you have a speaker you would like to see, a tutorial you would like to participate in, or just some ideas for discussion topics let us know. We maintain a list of your ideas here. To add to the list you can edit it directly, send one of us an e-mail ([mailto:sherif.koussa@owasp.org Sherif], [mailto:sean.wilson@owasp.org Sean]), or tweet it at our [http://twitter.com/#!/owasp_ottawa Twitter account].
 
*<del>N00bs Night: Understanding and Exploiting the OWASP Top 10 (Top 10 discussion, live exploit demos, test lab to practice your skills)</del>
*Secure Code review
*(ISC)2 CSSLP introduction
*Metasploit introduction
*Web Application Forensics
*xPath Injection (SQL/CSS etc get lots of press but I’d like to hear more about this)
*HTML5 - What's new for security specially for Offline Applications
*Web 2.0 Security Evolution - How security challenges are changing with technology evolultion
*ASP.NET MVC Security for WebForms Developers
*Hack proofing your web application by using reverse engineering
*Using Windows Communication Foundation (WCF) Securely in your applications

= Past Meetings =
==== May 2014====

'''Title:'''Gone in 60 Milliseconds: Mobile devices, free WiFi and your data
'''Who'''

Derrick Webber from CGI will be presenting on mobile device security.

'''What'''

Smart phones and tablets broadcast information that anyone can use to discover where you live, where you work and the places you go. Free WiFi networks allow attackers to intercept and alter your communications. This presentation shows a series of live demonstrations showing exactly how this is done and how easy it is.

We show in real time what information the broadcasts your mobile devices send 24/7 reveal about you, and how attackers use fake WiFi access points and man-in-the-middle attacks to capture passwords, subvert VPNs, and install malicious software. The root causes of these issues are explored, and we present solutions, both simple and complex, to safeguard your data, your privacy and your identity.

====September 2013====
'''Title:'''What's Hiding in Your Software Components?

'''What'''
Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check.

On the just released OWASP Top 10 for 2013, entry A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.

Join Ryan Berg, Sonatype CSO, as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risk. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

'''Who'''
Ryan Berg is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development.

====June 2013====
'''Title:'''China: All up in your business - Annoying Persistent Threat edition

'''What'''
For the past few years, Dave has been involved in examining intrusions by a group informally known as Comment Crew -- which are now better known as 'APT1' following the recent release of the report from Mandiant. This group falls into the class of the 'Advanced Persistent Threat' and are known to use compromised web sites to supply command/control to compromised systems.
The talk contains a live demo of an annotated attack against a fictitious company, using custom malware and metasploit. It shows how attackers initially compromise a system, supply commands, install additional malware, gain privileges in post-exploit and loot the network for fun and profit!
This talk is targeted toward beginner/intermediate security practitioners and provides an overview of these types of attack. Whether you are simulating an APT style attack as a penetration tester or trying to defend your organization against similar threats this talk is a great starting point. Depending on interest it will be possible to focus some of the talk on the demo-malware code itself.

'''Who'''
Dave Ockwell-Jenner has an extensive background in technology: from building one of the Internet’s earliest major web sites, to helping secure some of the world’s most critical systems. He has led the development of solutions for some of Canada’s most prominent technology companies, including Research In Motion and Nortel. He currently works for a Swiss-based company that specializes in IT and communications for the Air Transport Industry. In this role he has focused on designing and delivering the company's secure software development lifecycle. Through this, Dave regularly trains developers in secure software techniques, and has co-authored the SANS course on Developing Defensible Java EE Solutions. Dave also runs a boutique security consultancy called Prime Information Security, concentrating on information security within Small-to-Medium Businesses. He is a security blogger for TELUS and also co-founded a business networking organization called the Small Business Community Network (SBCN).

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/china-all-up-in-your-business-doj Slides]
[https://www.youtube.com/watch?v=2rJ2tHeb5yQ Video Demo]

====May 2013====
'''Title:''' Ottawa IT Camp 2013

'''What'''
Ottawa IT Camp is a fun filled day of "meat only" presentations. By technical people, for technical people! The OWASP track focuses on application security talks covering threat modelling, code review, and the OWASP top 10.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/security-codereview-1 Secure Code Review for .NET]
[http://ottawaitcamp.codeplex.com/ Conference presentations and code]

====January 2013====
'''Title:''' XML Attack Surface

'''What'''
Security vulnerabilities with XML processing can be a real threat to applications, especially when malicious XML can be submitted remotely. Fortunately, these issues can be easily avoided by properly configuring XML parsers.

Several attack types will be presented with a live demo covering the following: Denial of Service, Arbitrary file Content disclosure, and Remote OS command injection. Vulnerabilities caused by misconfiguration of XML parsing, XML transforms and Xpath queries will be investigated and suggestions on how to prevent these type of attacks will be provided with a developer perspective.

'''Who'''
Pierre Ernst is a senior member of the IBM Business Analytics Security Competency Group at the Ottawa Lab in Canada. A former software developer turned penetration tester, he's responsible for finding security vulnerabilities in IBM applications before they are released. Using a combination of manual testing and secure code review, his work complements automated vulnerability scanners. Pierre is also responsible for giving guidance to developers on how to mitigate and fix security issues.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/pierre-ernst-xml-attack-surface-owasp-ottawa Download Here]

====December 2012====
'''Title:''' Sploitego - Maltego's (Local) Partner in Crime

'''What'''
Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that gives Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'.
Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories.
Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

'''Who'''
Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

'''Slides'''
[http://cloud.github.com/downloads/allfro/sploitego/Sploitego%20-%20Hackfest%20Revolution.pdf Download Here]

====N00bs Night: Secure Code Review====
Come join us for a night of free hands on tutorials in secure code review. Learn the OWASP top 10 from a developer's perspective.

'''What'''
During this session, we will review an Online Movie Ticket Booking Application pulled from SourceForge for OWASP Top, specifically Cross-Site Scripting, SQL Injection and Access Control. You will learn how to review your code for these issues, how to fix them and how to automate the whole process. Expect lots of code, tools and fun (Please note that the exercises will be mainly in Java)

'''Who'''
The tutorial will be given by Sherif Koussa. Sherif is the leader of our very own OWASP Ottawa, leader of Static Analysis Tools Evaluation Criteria at the Web Application Security Consortium (WASC) and a Steering Committee Member for SANS/GIAC GSSP-NET and GSSP-JAVA. He is also the founder of Software Secured (www.softwaresecured.com) and Secure Code Gurus (www.securecodegurus.com).

====May 2012====
'''Title:''' OWASP Tutorial Night: Threat Modeling Express

Threat Modeling Express is a lightweight threat modeling process suited for agile development environments. If you want to quickly add threat modeling to your development process without slowing it down this is the process for you. The evening will be composed of an interactive tutorial which will walk the participants through some examples using the The Modeling Express process.

'''Who:'''The tutorial will be given by Rohit Sethi a software security specialist and Vice President of SD Elements. Rohit is a SANS course developer and instructor and leads the OWASP Design Patterns Security Analysis project.

'''When:''' The event will start at 6PM on May 3, 2012.Please RSVP [http://www.eventbrite.com/event/3413274195 here]

'''Where:''' Shopify have kindly offered the board room of their brand new location for the event.

'''Speaker Notes:''' [http://www.scribd.com/doc/94372478/Threat-Model-Express?secret_password=wspz2g4rjvlob3bx2in Download Here]

==== December 12, 2011 ====
'''Location:''' Bell Canada - 160 Elgin St, Ottawa 

'''Title:''' n00bs night out...exploiting the owasp top 10

Hey Ottawa, come join us for a FREE night of web application hacking. We have tutorials explaining how to exploit the OWASP Top 10 web application vulnerabilities and hands on labs to practice your skills. Bring your laptop and a copy of the Backtrack 5 LiveCD (or VM) http://www.backtrack-linux.org/downloads/

'''Who:''' all skill levels are welcome (especially n00bs)

'''When:''' December 12 from 6:00pm - 9:00pm (open at 5:30)

'''RSVP:''' http://n00bs-night.eventbrite.com/

==== September 27th, 2011 ====

'''Location''': Shopify - 61a York St (Above Tucker's Marketplace)

'''Speaker Notes:''' [https://www.owasp.org/images/a/a2/OWASP_Sep_2011_Hacking_Silverlight.ppt Download Here]

'''Microsoft Silverlight Security - A Hacker's Perspective'''

'''Abstract'''

It’s not news for anyone how the internet has revolutionized all aspects of our lives. In the past few years there has been unprecedented growth in web applications and their user base. One of the core technologies driving this widespread phenomenon is Rich Internet Applications (RIAs) because it offers the same level of responsiveness & interactivity on web that is available to desktop applications. Microsoft offered its vision of RIA through Silverlight - a framework that allows web applications running in a browser to behave more like desktop applications.

One of the major enhancements in Silverlight was the incorporation of mini-CLR engine, that on one hand, adds amazing capabilities for web developers but, on the other hand, also broadens the surface area of attack by opening previously nonexistent entry points into web applications. In this presentation Angelo & Kamran will demonstrate how modern hackers can use reverse engineering techniques to take advantage of weak security implementation. They will also show some effective ways of defending against these types of attacks.

'''Speakers:'''

Angelo Chan is an experienced versatile software developer who has developed applications, middleware and low-level software for various platforms. With an initial background in Telecom, Angelo has since worked with different technologies and has discovered a passion for .NET. His interests include virtual machines, operating systems, network/application reverse engineering and security. Angelo can be reached at Angelo@WindowsDebugging.com

Kamran Bilgrami is a seasoned software developer with proven track record of transforming complex business problems into viable technical solution. He has been instrumental in orchestrating highly available, performance centric, fault-tolerant real-time systems in a wide variety of industries including Telecom, Security and Human/Health Services. His areas of expertise include .NET, CLR Internals, Patterns and Security. Kamran can be reached at Kamran@WindowsDebugging.com

 

==== May, Thursday 12th 2011 ====

'''Location:''' Bell - 160 Elgin St, Ottawa '''Session 1 - Chris Pierre: Beyond Facebook: How Hackers Might Obtain Information Individual for Social Engineering attacks''' As the old saying goes “Know your enemy as you know yourself.” This discussion will examine several sources of publicly available information which an attacker might use to gain background information on a target for the purposes of a social engineering attack. The talk is expected to be interactive, lively and will provoke a discussion on how these systems and processes can be hardened against this type of attack. 

 '''About The Speaker'''

Chris Pierre BA, CFE, CISSP is an Ottawa-based forensic investigation professional. Having worked with several forensic firms prior to starting Evince Services, Inc., he has experience in many types of engagements in both the private & public sectors & specializes in investigations involving the internet. Forensic engagements have included information leaks, general corporate fraud investigations, investor fraud, intellectual property cases, administrative/internal investigations, background investigations, grants & contributions fraud, corruption investigations & the provision of training on the use of the Internet as an investigative tool. Preventative engagements have included training, background due diligence & compliance consulting.

Chris is an instructor at Algonquin College, the Canadian Police College, Past-President of the Ottawa Chapter of the High Tech Crime Investigators Association (HTCIA) & a member of the Ottawa Chapter of the Association of Certified Fraud Examiners. '''Session 2: - David Mirza Ahmed: Introducing Vega, a New Open Source Web Vulnerability Scanner'''

David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

 '''About The Speaker''' David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal. 

==== March, Thursday 10th 2011 ====

Speaker: Shan Gu - Accenture - Large enterprises are increasing their adoption of SOA at a rapid rate as interoperability standards and vendor product implementations mature and stabilize. However, moving enterprises into a loosely coupled IT paradigm introduces challenges around security and compliance. How do we address accountability, confidentiality, integrity, and trust in a large loosely couple ecosystem where consumers and providers don’t always maintain a permanent or stateful relationship? There are standards of course that help integrators and Architects design systems to communicate with each other in a secure manner, however these standards, when interpreted in their purest sense are complex and expensive to implement/maintain in large organizations. And systems that are operationally complex in terms of security are ironically the least secure.

About The Speaker Shan Gu - Manager in the Security Technologies Practice at Accenture Shan is a Security Architect from Accenture who specializes in Identity and Access Management and SOA Security. He has worked with clients in both the Public and Private sectors and in various industries spanning from Health, to Transport, to Financial Services. Shan has spent his recent years focused on helping clients adopt SOA within the enterprise and to do it in a secure and cost effective manner. Shan is a graduate from Carleton University’s Systems and Computer Engineering program, with a B.Eng and a Minor in Business.

==== More Previous Meetings ====

*September 10th, 2009 - Justin Foster - '''Speaker Notes:''' [http://www.developingsecurity.com/weblog/2009/09/crossing-the-border-javascript-exploits.html Download Here]
*April 6th, 2009 - Rafal Los - '''Speaker Notes:''' [http://www.owasp.org/images/3/3a/A_Laugh_RIAt2.zip Download Here]
*July 16th, 2008 - John Linehan - '''Speaker Notes:''' [https://www.owasp.org/index.php/Image:John_Linehan_OWASP_Dist.pdf Download Here]
*[[November 28th, 2007 - Eric Klien - Make my day]]

= Chapter Leadership =

Chapter President: [mailto:sherif.koussa@owasp.org Sherif Koussa] 
Chapter Committee: [mailto:sean.wilson@owasp.org Sean Wilson] and [mailto:mike.sues@owasp.org Mike Sues] 

 
 
__NOTOC__ <headertabs />

[[Category:Canada]]

Ottawa

2014-01-27T15:38:01Z

Koussa: /* OWASP Planning Meeting for 2014 */

{{Chapter Template|chaptername=Ottawa|extra=The chapter's president is [mailto:sherif.koussa@gmail.com Sherif Koussa]

Follow us on [http://twitter.com/#!/owasp_ottawa Twitter] 

<paypal>Ottawa</paypal>

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ottawa|emailarchives=http://lists.owasp.org/mailman/listinfo/owasp-ottawa}}

 

==Thanks to Our 2013 Sponsor==
{| width="900" border="0" align="left" cellpadding="1" cellspacing="1"
[[Image:2keys (big).jpg|200x100px|2keys%20(big).jpg|link=http://www.2keys.ca]]
|}

 
==Your Local Chapter==
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif], [mailto:sergei.frankoff@owasp.org Sergei], [mailto:mike.sues@owasp.org Mike] or tweet at us [http://twitter.com/#!/owasp_ottawa owasp_ottawa].

Hope to see you at a meeting soon.

 

==Upcoming Events==
=== OWASP Planning Meeting for 2014===

'''What'''

This is OWASP Ottawa's annual connector meeting. Come out, meet your fellow OWASPers, and help us plan the chapter agenda for 2014.

If you want to be part of the Chapter's core management team, come prepared with a plan on how and where you can add value.

Topics to be discussed:
*Meeting frequency
*Meeting location
*Topics
*Training-days

'''Where'''

Microsoft Glacier Room 100 Queen Street, Suite 500 - World Exchange Plaza

'''When'''

Monday, February 3 from 5:30PM to 7:30PM

'''Registration'''

Register for free [http://www.eventbrite.com/e/owasp-ottawa-planning-meeting-for-2014-tickets-10186601399 here]
 

 
 
 

= Upcoming Event Ideas =
We are always looking for ideas for upcoming meetings. If you have a speaker you would like to see, a tutorial you would like to participate in, or just some ideas for discussion topics let us know. We maintain a list of your ideas here. To add to the list you can edit it directly, send one of us an e-mail ([mailto:sherif.koussa@owasp.org Sherif], [mailto:sergei.frankoff@owasp.org Sergei]), or tweet it at our [http://twitter.com/#!/owasp_ottawa Twitter account].
 
*<del>N00bs Night: Understanding and Exploiting the OWASP Top 10 (Top 10 discussion, live exploit demos, test lab to practice your skills)</del>
*Secure Code review
*(ISC)2 CSSLP introduction
*Metasploit introduction
*Web Application Forensics
*xPath Injection (SQL/CSS etc get lots of press but I’d like to hear more about this)
*HTML5 - What's new for security specially for Offline Applications
*Web 2.0 Security Evolution - How security challenges are changing with technology evolultion
*ASP.NET MVC Security for WebForms Developers
*Hack proofing your web application by using reverse engineering
*Using Windows Communication Foundation (WCF) Securely in your applications

= Past Meetings =
====September 2013====
'''Title:'''What's Hiding in Your Software Components?

'''What'''
Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check.

On the just released OWASP Top 10 for 2013, entry A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.

Join Ryan Berg, Sonatype CSO, as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risk. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

'''Who'''
Ryan Berg is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development.

====June 2013====
'''Title:'''China: All up in your business - Annoying Persistent Threat edition

'''What'''
For the past few years, Dave has been involved in examining intrusions by a group informally known as Comment Crew -- which are now better known as 'APT1' following the recent release of the report from Mandiant. This group falls into the class of the 'Advanced Persistent Threat' and are known to use compromised web sites to supply command/control to compromised systems.
The talk contains a live demo of an annotated attack against a fictitious company, using custom malware and metasploit. It shows how attackers initially compromise a system, supply commands, install additional malware, gain privileges in post-exploit and loot the network for fun and profit!
This talk is targeted toward beginner/intermediate security practitioners and provides an overview of these types of attack. Whether you are simulating an APT style attack as a penetration tester or trying to defend your organization against similar threats this talk is a great starting point. Depending on interest it will be possible to focus some of the talk on the demo-malware code itself.

'''Who'''
Dave Ockwell-Jenner has an extensive background in technology: from building one of the Internet’s earliest major web sites, to helping secure some of the world’s most critical systems. He has led the development of solutions for some of Canada’s most prominent technology companies, including Research In Motion and Nortel. He currently works for a Swiss-based company that specializes in IT and communications for the Air Transport Industry. In this role he has focused on designing and delivering the company's secure software development lifecycle. Through this, Dave regularly trains developers in secure software techniques, and has co-authored the SANS course on Developing Defensible Java EE Solutions. Dave also runs a boutique security consultancy called Prime Information Security, concentrating on information security within Small-to-Medium Businesses. He is a security blogger for TELUS and also co-founded a business networking organization called the Small Business Community Network (SBCN).

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/china-all-up-in-your-business-doj Slides]
[https://www.youtube.com/watch?v=2rJ2tHeb5yQ Video Demo]

====May 2013====
'''Title:''' Ottawa IT Camp 2013

'''What'''
Ottawa IT Camp is a fun filled day of "meat only" presentations. By technical people, for technical people! The OWASP track focuses on application security talks covering threat modelling, code review, and the OWASP top 10.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/security-codereview-1 Secure Code Review for .NET]
[http://ottawaitcamp.codeplex.com/ Conference presentations and code]

====January 2013====
'''Title:''' XML Attack Surface

'''What'''
Security vulnerabilities with XML processing can be a real threat to applications, especially when malicious XML can be submitted remotely. Fortunately, these issues can be easily avoided by properly configuring XML parsers.

Several attack types will be presented with a live demo covering the following: Denial of Service, Arbitrary file Content disclosure, and Remote OS command injection. Vulnerabilities caused by misconfiguration of XML parsing, XML transforms and Xpath queries will be investigated and suggestions on how to prevent these type of attacks will be provided with a developer perspective.

'''Who'''
Pierre Ernst is a senior member of the IBM Business Analytics Security Competency Group at the Ottawa Lab in Canada. A former software developer turned penetration tester, he's responsible for finding security vulnerabilities in IBM applications before they are released. Using a combination of manual testing and secure code review, his work complements automated vulnerability scanners. Pierre is also responsible for giving guidance to developers on how to mitigate and fix security issues.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/pierre-ernst-xml-attack-surface-owasp-ottawa Download Here]

====December 2012====
'''Title:''' Sploitego - Maltego's (Local) Partner in Crime

'''What'''
Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that gives Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'.
Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories.
Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

'''Who'''
Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

'''Slides'''
[http://cloud.github.com/downloads/allfro/sploitego/Sploitego%20-%20Hackfest%20Revolution.pdf Download Here]

====N00bs Night: Secure Code Review====
Come join us for a night of free hands on tutorials in secure code review. Learn the OWASP top 10 from a developer's perspective.

'''What'''
During this session, we will review an Online Movie Ticket Booking Application pulled from SourceForge for OWASP Top, specifically Cross-Site Scripting, SQL Injection and Access Control. You will learn how to review your code for these issues, how to fix them and how to automate the whole process. Expect lots of code, tools and fun (Please note that the exercises will be mainly in Java)

'''Who'''
The tutorial will be given by Sherif Koussa. Sherif is the leader of our very own OWASP Ottawa, leader of Static Analysis Tools Evaluation Criteria at the Web Application Security Consortium (WASC) and a Steering Committee Member for SANS/GIAC GSSP-NET and GSSP-JAVA. He is also the founder of Software Secured (www.softwaresecured.com) and Secure Code Gurus (www.securecodegurus.com).

====May 2012====
'''Title:''' OWASP Tutorial Night: Threat Modeling Express

Threat Modeling Express is a lightweight threat modeling process suited for agile development environments. If you want to quickly add threat modeling to your development process without slowing it down this is the process for you. The evening will be composed of an interactive tutorial which will walk the participants through some examples using the The Modeling Express process.

'''Who:'''The tutorial will be given by Rohit Sethi a software security specialist and Vice President of SD Elements. Rohit is a SANS course developer and instructor and leads the OWASP Design Patterns Security Analysis project.

'''When:''' The event will start at 6PM on May 3, 2012.Please RSVP [http://www.eventbrite.com/event/3413274195 here]

'''Where:''' Shopify have kindly offered the board room of their brand new location for the event.

'''Speaker Notes:''' [http://www.scribd.com/doc/94372478/Threat-Model-Express?secret_password=wspz2g4rjvlob3bx2in Download Here]

==== December 12, 2011 ====
'''Location:''' Bell Canada - 160 Elgin St, Ottawa 

'''Title:''' n00bs night out...exploiting the owasp top 10

Hey Ottawa, come join us for a FREE night of web application hacking. We have tutorials explaining how to exploit the OWASP Top 10 web application vulnerabilities and hands on labs to practice your skills. Bring your laptop and a copy of the Backtrack 5 LiveCD (or VM) http://www.backtrack-linux.org/downloads/

'''Who:''' all skill levels are welcome (especially n00bs)

'''When:''' December 12 from 6:00pm - 9:00pm (open at 5:30)

'''RSVP:''' http://n00bs-night.eventbrite.com/

==== September 27th, 2011 ====

'''Location''': Shopify - 61a York St (Above Tucker's Marketplace)

'''Speaker Notes:''' [https://www.owasp.org/images/a/a2/OWASP_Sep_2011_Hacking_Silverlight.ppt Download Here]

'''Microsoft Silverlight Security - A Hacker's Perspective'''

'''Abstract'''

It’s not news for anyone how the internet has revolutionized all aspects of our lives. In the past few years there has been unprecedented growth in web applications and their user base. One of the core technologies driving this widespread phenomenon is Rich Internet Applications (RIAs) because it offers the same level of responsiveness & interactivity on web that is available to desktop applications. Microsoft offered its vision of RIA through Silverlight - a framework that allows web applications running in a browser to behave more like desktop applications.

One of the major enhancements in Silverlight was the incorporation of mini-CLR engine, that on one hand, adds amazing capabilities for web developers but, on the other hand, also broadens the surface area of attack by opening previously nonexistent entry points into web applications. In this presentation Angelo & Kamran will demonstrate how modern hackers can use reverse engineering techniques to take advantage of weak security implementation. They will also show some effective ways of defending against these types of attacks.

'''Speakers:'''

Angelo Chan is an experienced versatile software developer who has developed applications, middleware and low-level software for various platforms. With an initial background in Telecom, Angelo has since worked with different technologies and has discovered a passion for .NET. His interests include virtual machines, operating systems, network/application reverse engineering and security. Angelo can be reached at Angelo@WindowsDebugging.com

Kamran Bilgrami is a seasoned software developer with proven track record of transforming complex business problems into viable technical solution. He has been instrumental in orchestrating highly available, performance centric, fault-tolerant real-time systems in a wide variety of industries including Telecom, Security and Human/Health Services. His areas of expertise include .NET, CLR Internals, Patterns and Security. Kamran can be reached at Kamran@WindowsDebugging.com

 

==== May, Thursday 12th 2011 ====

'''Location:''' Bell - 160 Elgin St, Ottawa '''Session 1 - Chris Pierre: Beyond Facebook: How Hackers Might Obtain Information Individual for Social Engineering attacks''' As the old saying goes “Know your enemy as you know yourself.” This discussion will examine several sources of publicly available information which an attacker might use to gain background information on a target for the purposes of a social engineering attack. The talk is expected to be interactive, lively and will provoke a discussion on how these systems and processes can be hardened against this type of attack. 

 '''About The Speaker'''

Chris Pierre BA, CFE, CISSP is an Ottawa-based forensic investigation professional. Having worked with several forensic firms prior to starting Evince Services, Inc., he has experience in many types of engagements in both the private & public sectors & specializes in investigations involving the internet. Forensic engagements have included information leaks, general corporate fraud investigations, investor fraud, intellectual property cases, administrative/internal investigations, background investigations, grants & contributions fraud, corruption investigations & the provision of training on the use of the Internet as an investigative tool. Preventative engagements have included training, background due diligence & compliance consulting.

Chris is an instructor at Algonquin College, the Canadian Police College, Past-President of the Ottawa Chapter of the High Tech Crime Investigators Association (HTCIA) & a member of the Ottawa Chapter of the Association of Certified Fraud Examiners. '''Session 2: - David Mirza Ahmed: Introducing Vega, a New Open Source Web Vulnerability Scanner'''

David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

 '''About The Speaker''' David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal. 

==== March, Thursday 10th 2011 ====

Speaker: Shan Gu - Accenture - Large enterprises are increasing their adoption of SOA at a rapid rate as interoperability standards and vendor product implementations mature and stabilize. However, moving enterprises into a loosely coupled IT paradigm introduces challenges around security and compliance. How do we address accountability, confidentiality, integrity, and trust in a large loosely couple ecosystem where consumers and providers don’t always maintain a permanent or stateful relationship? There are standards of course that help integrators and Architects design systems to communicate with each other in a secure manner, however these standards, when interpreted in their purest sense are complex and expensive to implement/maintain in large organizations. And systems that are operationally complex in terms of security are ironically the least secure.

About The Speaker Shan Gu - Manager in the Security Technologies Practice at Accenture Shan is a Security Architect from Accenture who specializes in Identity and Access Management and SOA Security. He has worked with clients in both the Public and Private sectors and in various industries spanning from Health, to Transport, to Financial Services. Shan has spent his recent years focused on helping clients adopt SOA within the enterprise and to do it in a secure and cost effective manner. Shan is a graduate from Carleton University’s Systems and Computer Engineering program, with a B.Eng and a Minor in Business.

==== More Previous Meetings ====

*September 10th, 2009 - Justin Foster - '''Speaker Notes:''' [http://www.developingsecurity.com/weblog/2009/09/crossing-the-border-javascript-exploits.html Download Here]
*April 6th, 2009 - Rafal Los - '''Speaker Notes:''' [http://www.owasp.org/images/3/3a/A_Laugh_RIAt2.zip Download Here]
*July 16th, 2008 - John Linehan - '''Speaker Notes:''' [https://www.owasp.org/index.php/Image:John_Linehan_OWASP_Dist.pdf Download Here]
*[[November 28th, 2007 - Eric Klien - Make my day]]

= Chapter Leadership =

Chapter President: [mailto:sherif.koussa@owasp.org Sherif Koussa] 
Chapter Committee: [mailto:sergei.frankoff@owasp.org Sergei Frankoff] and [mailto:mike.sues@owasp.org Mike Sues] 

 
 
__NOTOC__ <headertabs />

[[Category:Canada]]

Ottawa

2013-08-29T14:14:47Z

Koussa: /* What's Hiding in Your Software Components? */

{{Chapter Template|chaptername=Ottawa|extra=The chapter's president is [mailto:sherif.koussa@gmail.com Sherif Koussa]

Follow us on [http://twitter.com/#!/owasp_ottawa Twitter] 

<paypal>Ottawa</paypal>

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ottawa|emailarchives=http://lists.owasp.org/mailman/listinfo/owasp-ottawa}}

 

==Thanks to Our 2013 Sponsor==
{| width="900" border="0" align="left" cellpadding="1" cellspacing="1"
[[Image:2keys (big).jpg|200x100px|2keys%20(big).jpg|link=http://www.2keys.ca]]
|}

 
==Your Local Chapter==
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif], [mailto:sergei.frankoff@owasp.org Sergei], [mailto:mike.sues@owasp.org Mike] or tweet at us [http://twitter.com/#!/owasp_ottawa owasp_ottawa].

Hope to see you at a meeting soon.

 

=== What's Hiding in Your Software Components?===

'''What'''

Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check.

On the just released OWASP Top 10 for 2013, entry A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.

Join Ryan Berg, Sonatype CSO, as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risk. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

'''Who'''

Ryan Berg is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development.

'''When''': Thursday, Sept 5ht, 2013 : 6:00 PM

==Countermeasure 2013==
{|
|[[Image:cmeasure2013.jpg|400x200px|cmeasure2013.jpg|link=http://www.countermeasure2013.com/]]
|COUNTERMEASURE is Ottawa's premier annual IT security conference and training event featuring the best of both offensive and defensive tactics. Past speakers have included globally recognized industry security researchers, Government of Canada representatives and seasoned enterprise security experts from the private sector.
OWASP Ottawa is offering a 10% discount on Countermeasure 2013 registration for all OWASP members. Just e-mail one of the chapter members with your OWASP membership number or DM us @OWASP_Ottawa and we will send you the discount code.
|}

 
 
 
= Upcoming Event Ideas =
We are always looking for ideas for upcoming meetings. If you have a speaker you would like to see, a tutorial you would like to participate in, or just some ideas for discussion topics let us know. We maintain a list of your ideas here. To add to the list you can edit it directly, send one of us an e-mail ([mailto:sherif.koussa@owasp.org Sherif], [mailto:sergei.frankoff@owasp.org Sergei]), or tweet it at our [http://twitter.com/#!/owasp_ottawa Twitter account].
 
*<del>N00bs Night: Understanding and Exploiting the OWASP Top 10 (Top 10 discussion, live exploit demos, test lab to practice your skills)</del>
*Secure Code review
*(ISC)2 CSSLP introduction
*Metasploit introduction
*Web Application Forensics
*xPath Injection (SQL/CSS etc get lots of press but I’d like to hear more about this)
*HTML5 - What's new for security specially for Offline Applications
*Web 2.0 Security Evolution - How security challenges are changing with technology evolultion
*ASP.NET MVC Security for WebForms Developers
*Hack proofing your web application by using reverse engineering
*Using Windows Communication Foundation (WCF) Securely in your applications

= Past Meetings =
====June 2013====
'''Title:'''China: All up in your business - Annoying Persistent Threat edition

'''What'''
For the past few years, Dave has been involved in examining intrusions by a group informally known as Comment Crew -- which are now better known as 'APT1' following the recent release of the report from Mandiant. This group falls into the class of the 'Advanced Persistent Threat' and are known to use compromised web sites to supply command/control to compromised systems.
The talk contains a live demo of an annotated attack against a fictitious company, using custom malware and metasploit. It shows how attackers initially compromise a system, supply commands, install additional malware, gain privileges in post-exploit and loot the network for fun and profit!
This talk is targeted toward beginner/intermediate security practitioners and provides an overview of these types of attack. Whether you are simulating an APT style attack as a penetration tester or trying to defend your organization against similar threats this talk is a great starting point. Depending on interest it will be possible to focus some of the talk on the demo-malware code itself.

'''Who'''
Dave Ockwell-Jenner has an extensive background in technology: from building one of the Internet’s earliest major web sites, to helping secure some of the world’s most critical systems. He has led the development of solutions for some of Canada’s most prominent technology companies, including Research In Motion and Nortel. He currently works for a Swiss-based company that specializes in IT and communications for the Air Transport Industry. In this role he has focused on designing and delivering the company's secure software development lifecycle. Through this, Dave regularly trains developers in secure software techniques, and has co-authored the SANS course on Developing Defensible Java EE Solutions. Dave also runs a boutique security consultancy called Prime Information Security, concentrating on information security within Small-to-Medium Businesses. He is a security blogger for TELUS and also co-founded a business networking organization called the Small Business Community Network (SBCN).

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/china-all-up-in-your-business-doj Slides]
[https://www.youtube.com/watch?v=2rJ2tHeb5yQ Video Demo]

====May 2013====
'''Title:''' Ottawa IT Camp 2013

'''What'''
Ottawa IT Camp is a fun filled day of "meat only" presentations. By technical people, for technical people! The OWASP track focuses on application security talks covering threat modelling, code review, and the OWASP top 10.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/security-codereview-1 Secure Code Review for .NET]
[http://ottawaitcamp.codeplex.com/ Conference presentations and code]

====January 2013====
'''Title:''' XML Attack Surface

'''What'''
Security vulnerabilities with XML processing can be a real threat to applications, especially when malicious XML can be submitted remotely. Fortunately, these issues can be easily avoided by properly configuring XML parsers.

Several attack types will be presented with a live demo covering the following: Denial of Service, Arbitrary file Content disclosure, and Remote OS command injection. Vulnerabilities caused by misconfiguration of XML parsing, XML transforms and Xpath queries will be investigated and suggestions on how to prevent these type of attacks will be provided with a developer perspective.

'''Who'''
Pierre Ernst is a senior member of the IBM Business Analytics Security Competency Group at the Ottawa Lab in Canada. A former software developer turned penetration tester, he's responsible for finding security vulnerabilities in IBM applications before they are released. Using a combination of manual testing and secure code review, his work complements automated vulnerability scanners. Pierre is also responsible for giving guidance to developers on how to mitigate and fix security issues.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/pierre-ernst-xml-attack-surface-owasp-ottawa Download Here]

====December 2012====
'''Title:''' Sploitego - Maltego's (Local) Partner in Crime

'''What'''
Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that gives Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'.
Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories.
Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

'''Who'''
Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

'''Slides'''
[http://cloud.github.com/downloads/allfro/sploitego/Sploitego%20-%20Hackfest%20Revolution.pdf Download Here]

====N00bs Night: Secure Code Review====
Come join us for a night of free hands on tutorials in secure code review. Learn the OWASP top 10 from a developer's perspective.

'''What'''
During this session, we will review an Online Movie Ticket Booking Application pulled from SourceForge for OWASP Top, specifically Cross-Site Scripting, SQL Injection and Access Control. You will learn how to review your code for these issues, how to fix them and how to automate the whole process. Expect lots of code, tools and fun (Please note that the exercises will be mainly in Java)

'''Who'''
The tutorial will be given by Sherif Koussa. Sherif is the leader of our very own OWASP Ottawa, leader of Static Analysis Tools Evaluation Criteria at the Web Application Security Consortium (WASC) and a Steering Committee Member for SANS/GIAC GSSP-NET and GSSP-JAVA. He is also the founder of Software Secured (www.softwaresecured.com) and Secure Code Gurus (www.securecodegurus.com).

====May 2012====
'''Title:''' OWASP Tutorial Night: Threat Modeling Express

Threat Modeling Express is a lightweight threat modeling process suited for agile development environments. If you want to quickly add threat modeling to your development process without slowing it down this is the process for you. The evening will be composed of an interactive tutorial which will walk the participants through some examples using the The Modeling Express process.

'''Who:'''The tutorial will be given by Rohit Sethi a software security specialist and Vice President of SD Elements. Rohit is a SANS course developer and instructor and leads the OWASP Design Patterns Security Analysis project.

'''When:''' The event will start at 6PM on May 3, 2012.Please RSVP [http://www.eventbrite.com/event/3413274195 here]

'''Where:''' Shopify have kindly offered the board room of their brand new location for the event.

'''Speaker Notes:''' [http://www.scribd.com/doc/94372478/Threat-Model-Express?secret_password=wspz2g4rjvlob3bx2in Download Here]

==== December 12, 2011 ====
'''Location:''' Bell Canada - 160 Elgin St, Ottawa 

'''Title:''' n00bs night out...exploiting the owasp top 10

Hey Ottawa, come join us for a FREE night of web application hacking. We have tutorials explaining how to exploit the OWASP Top 10 web application vulnerabilities and hands on labs to practice your skills. Bring your laptop and a copy of the Backtrack 5 LiveCD (or VM) http://www.backtrack-linux.org/downloads/

'''Who:''' all skill levels are welcome (especially n00bs)

'''When:''' December 12 from 6:00pm - 9:00pm (open at 5:30)

'''RSVP:''' http://n00bs-night.eventbrite.com/

==== September 27th, 2011 ====

'''Location''': Shopify - 61a York St (Above Tucker's Marketplace)

'''Speaker Notes:''' [https://www.owasp.org/images/a/a2/OWASP_Sep_2011_Hacking_Silverlight.ppt Download Here]

'''Microsoft Silverlight Security - A Hacker's Perspective'''

'''Abstract'''

It’s not news for anyone how the internet has revolutionized all aspects of our lives. In the past few years there has been unprecedented growth in web applications and their user base. One of the core technologies driving this widespread phenomenon is Rich Internet Applications (RIAs) because it offers the same level of responsiveness & interactivity on web that is available to desktop applications. Microsoft offered its vision of RIA through Silverlight - a framework that allows web applications running in a browser to behave more like desktop applications.

One of the major enhancements in Silverlight was the incorporation of mini-CLR engine, that on one hand, adds amazing capabilities for web developers but, on the other hand, also broadens the surface area of attack by opening previously nonexistent entry points into web applications. In this presentation Angelo & Kamran will demonstrate how modern hackers can use reverse engineering techniques to take advantage of weak security implementation. They will also show some effective ways of defending against these types of attacks.

'''Speakers:'''

Angelo Chan is an experienced versatile software developer who has developed applications, middleware and low-level software for various platforms. With an initial background in Telecom, Angelo has since worked with different technologies and has discovered a passion for .NET. His interests include virtual machines, operating systems, network/application reverse engineering and security. Angelo can be reached at Angelo@WindowsDebugging.com

Kamran Bilgrami is a seasoned software developer with proven track record of transforming complex business problems into viable technical solution. He has been instrumental in orchestrating highly available, performance centric, fault-tolerant real-time systems in a wide variety of industries including Telecom, Security and Human/Health Services. His areas of expertise include .NET, CLR Internals, Patterns and Security. Kamran can be reached at Kamran@WindowsDebugging.com

 

==== May, Thursday 12th 2011 ====

'''Location:''' Bell - 160 Elgin St, Ottawa '''Session 1 - Chris Pierre: Beyond Facebook: How Hackers Might Obtain Information Individual for Social Engineering attacks''' As the old saying goes “Know your enemy as you know yourself.” This discussion will examine several sources of publicly available information which an attacker might use to gain background information on a target for the purposes of a social engineering attack. The talk is expected to be interactive, lively and will provoke a discussion on how these systems and processes can be hardened against this type of attack. 

 '''About The Speaker'''

Chris Pierre BA, CFE, CISSP is an Ottawa-based forensic investigation professional. Having worked with several forensic firms prior to starting Evince Services, Inc., he has experience in many types of engagements in both the private & public sectors & specializes in investigations involving the internet. Forensic engagements have included information leaks, general corporate fraud investigations, investor fraud, intellectual property cases, administrative/internal investigations, background investigations, grants & contributions fraud, corruption investigations & the provision of training on the use of the Internet as an investigative tool. Preventative engagements have included training, background due diligence & compliance consulting.

Chris is an instructor at Algonquin College, the Canadian Police College, Past-President of the Ottawa Chapter of the High Tech Crime Investigators Association (HTCIA) & a member of the Ottawa Chapter of the Association of Certified Fraud Examiners. '''Session 2: - David Mirza Ahmed: Introducing Vega, a New Open Source Web Vulnerability Scanner'''

David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

 '''About The Speaker''' David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal. 

==== March, Thursday 10th 2011 ====

Speaker: Shan Gu - Accenture - Large enterprises are increasing their adoption of SOA at a rapid rate as interoperability standards and vendor product implementations mature and stabilize. However, moving enterprises into a loosely coupled IT paradigm introduces challenges around security and compliance. How do we address accountability, confidentiality, integrity, and trust in a large loosely couple ecosystem where consumers and providers don’t always maintain a permanent or stateful relationship? There are standards of course that help integrators and Architects design systems to communicate with each other in a secure manner, however these standards, when interpreted in their purest sense are complex and expensive to implement/maintain in large organizations. And systems that are operationally complex in terms of security are ironically the least secure.

About The Speaker Shan Gu - Manager in the Security Technologies Practice at Accenture Shan is a Security Architect from Accenture who specializes in Identity and Access Management and SOA Security. He has worked with clients in both the Public and Private sectors and in various industries spanning from Health, to Transport, to Financial Services. Shan has spent his recent years focused on helping clients adopt SOA within the enterprise and to do it in a secure and cost effective manner. Shan is a graduate from Carleton University’s Systems and Computer Engineering program, with a B.Eng and a Minor in Business.

==== More Previous Meetings ====

*September 10th, 2009 - Justin Foster - '''Speaker Notes:''' [http://www.developingsecurity.com/weblog/2009/09/crossing-the-border-javascript-exploits.html Download Here]
*April 6th, 2009 - Rafal Los - '''Speaker Notes:''' [http://www.owasp.org/images/3/3a/A_Laugh_RIAt2.zip Download Here]
*July 16th, 2008 - John Linehan - '''Speaker Notes:''' [https://www.owasp.org/index.php/Image:John_Linehan_OWASP_Dist.pdf Download Here]
*[[November 28th, 2007 - Eric Klien - Make my day]]

= Chapter Leadership =

Chapter President: [mailto:sherif.koussa@owasp.org Sherif Koussa] 
Chapter Committee: [mailto:sergei.frankoff@owasp.org Sergei Frankoff] and [mailto:mike.sues@owasp.org Mike Sues] 

 
 
__NOTOC__ <headertabs />

[[Category:Canada]]

Ottawa

2013-08-29T13:57:13Z

Koussa:

{{Chapter Template|chaptername=Ottawa|extra=The chapter's president is [mailto:sherif.koussa@gmail.com Sherif Koussa]

Follow us on [http://twitter.com/#!/owasp_ottawa Twitter] 

<paypal>Ottawa</paypal>

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ottawa|emailarchives=http://lists.owasp.org/mailman/listinfo/owasp-ottawa}}

 

==Thanks to Our 2013 Sponsor==
{| width="900" border="0" align="left" cellpadding="1" cellspacing="1"
[[Image:2keys (big).jpg|200x100px|2keys%20(big).jpg|link=http://www.2keys.ca]]
|}

 
==Your Local Chapter==
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif], [mailto:sergei.frankoff@owasp.org Sergei], [mailto:mike.sues@owasp.org Mike] or tweet at us [http://twitter.com/#!/owasp_ottawa owasp_ottawa].

Hope to see you at a meeting soon.

 

== What's Hiding in Your Software Components?==

'''What'''

Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check.

On the just released OWASP Top 10 for 2013, entry A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.

Join Ryan Berg, Sonatype CSO, as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risk. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

'''Who'''

Ryan Berg is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development.

'''When''': Thursday, Sept 5ht, 2013 : 6:00 PM

==Countermeasure 2013==
{|
|[[Image:cmeasure2013.jpg|400x200px|cmeasure2013.jpg|link=http://www.countermeasure2013.com/]]
|COUNTERMEASURE is Ottawa's premier annual IT security conference and training event featuring the best of both offensive and defensive tactics. Past speakers have included globally recognized industry security researchers, Government of Canada representatives and seasoned enterprise security experts from the private sector.
OWASP Ottawa is offering a 10% discount on Countermeasure 2013 registration for all OWASP members. Just e-mail one of the chapter members with your OWASP membership number or DM us @OWASP_Ottawa and we will send you the discount code.
|}

 
 
 
= Upcoming Event Ideas =
We are always looking for ideas for upcoming meetings. If you have a speaker you would like to see, a tutorial you would like to participate in, or just some ideas for discussion topics let us know. We maintain a list of your ideas here. To add to the list you can edit it directly, send one of us an e-mail ([mailto:sherif.koussa@owasp.org Sherif], [mailto:sergei.frankoff@owasp.org Sergei]), or tweet it at our [http://twitter.com/#!/owasp_ottawa Twitter account].
 
*<del>N00bs Night: Understanding and Exploiting the OWASP Top 10 (Top 10 discussion, live exploit demos, test lab to practice your skills)</del>
*Secure Code review
*(ISC)2 CSSLP introduction
*Metasploit introduction
*Web Application Forensics
*xPath Injection (SQL/CSS etc get lots of press but I’d like to hear more about this)
*HTML5 - What's new for security specially for Offline Applications
*Web 2.0 Security Evolution - How security challenges are changing with technology evolultion
*ASP.NET MVC Security for WebForms Developers
*Hack proofing your web application by using reverse engineering
*Using Windows Communication Foundation (WCF) Securely in your applications

= Past Meetings =
====June 2013====
'''Title:'''China: All up in your business - Annoying Persistent Threat edition

'''What'''
For the past few years, Dave has been involved in examining intrusions by a group informally known as Comment Crew -- which are now better known as 'APT1' following the recent release of the report from Mandiant. This group falls into the class of the 'Advanced Persistent Threat' and are known to use compromised web sites to supply command/control to compromised systems.
The talk contains a live demo of an annotated attack against a fictitious company, using custom malware and metasploit. It shows how attackers initially compromise a system, supply commands, install additional malware, gain privileges in post-exploit and loot the network for fun and profit!
This talk is targeted toward beginner/intermediate security practitioners and provides an overview of these types of attack. Whether you are simulating an APT style attack as a penetration tester or trying to defend your organization against similar threats this talk is a great starting point. Depending on interest it will be possible to focus some of the talk on the demo-malware code itself.

'''Who'''
Dave Ockwell-Jenner has an extensive background in technology: from building one of the Internet’s earliest major web sites, to helping secure some of the world’s most critical systems. He has led the development of solutions for some of Canada’s most prominent technology companies, including Research In Motion and Nortel. He currently works for a Swiss-based company that specializes in IT and communications for the Air Transport Industry. In this role he has focused on designing and delivering the company's secure software development lifecycle. Through this, Dave regularly trains developers in secure software techniques, and has co-authored the SANS course on Developing Defensible Java EE Solutions. Dave also runs a boutique security consultancy called Prime Information Security, concentrating on information security within Small-to-Medium Businesses. He is a security blogger for TELUS and also co-founded a business networking organization called the Small Business Community Network (SBCN).

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/china-all-up-in-your-business-doj Slides]
[https://www.youtube.com/watch?v=2rJ2tHeb5yQ Video Demo]

====May 2013====
'''Title:''' Ottawa IT Camp 2013

'''What'''
Ottawa IT Camp is a fun filled day of "meat only" presentations. By technical people, for technical people! The OWASP track focuses on application security talks covering threat modelling, code review, and the OWASP top 10.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/security-codereview-1 Secure Code Review for .NET]
[http://ottawaitcamp.codeplex.com/ Conference presentations and code]

====January 2013====
'''Title:''' XML Attack Surface

'''What'''
Security vulnerabilities with XML processing can be a real threat to applications, especially when malicious XML can be submitted remotely. Fortunately, these issues can be easily avoided by properly configuring XML parsers.

Several attack types will be presented with a live demo covering the following: Denial of Service, Arbitrary file Content disclosure, and Remote OS command injection. Vulnerabilities caused by misconfiguration of XML parsing, XML transforms and Xpath queries will be investigated and suggestions on how to prevent these type of attacks will be provided with a developer perspective.

'''Who'''
Pierre Ernst is a senior member of the IBM Business Analytics Security Competency Group at the Ottawa Lab in Canada. A former software developer turned penetration tester, he's responsible for finding security vulnerabilities in IBM applications before they are released. Using a combination of manual testing and secure code review, his work complements automated vulnerability scanners. Pierre is also responsible for giving guidance to developers on how to mitigate and fix security issues.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/pierre-ernst-xml-attack-surface-owasp-ottawa Download Here]

====December 2012====
'''Title:''' Sploitego - Maltego's (Local) Partner in Crime

'''What'''
Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that gives Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'.
Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories.
Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

'''Who'''
Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

'''Slides'''
[http://cloud.github.com/downloads/allfro/sploitego/Sploitego%20-%20Hackfest%20Revolution.pdf Download Here]

====N00bs Night: Secure Code Review====
Come join us for a night of free hands on tutorials in secure code review. Learn the OWASP top 10 from a developer's perspective.

'''What'''
During this session, we will review an Online Movie Ticket Booking Application pulled from SourceForge for OWASP Top, specifically Cross-Site Scripting, SQL Injection and Access Control. You will learn how to review your code for these issues, how to fix them and how to automate the whole process. Expect lots of code, tools and fun (Please note that the exercises will be mainly in Java)

'''Who'''
The tutorial will be given by Sherif Koussa. Sherif is the leader of our very own OWASP Ottawa, leader of Static Analysis Tools Evaluation Criteria at the Web Application Security Consortium (WASC) and a Steering Committee Member for SANS/GIAC GSSP-NET and GSSP-JAVA. He is also the founder of Software Secured (www.softwaresecured.com) and Secure Code Gurus (www.securecodegurus.com).

====May 2012====
'''Title:''' OWASP Tutorial Night: Threat Modeling Express

Threat Modeling Express is a lightweight threat modeling process suited for agile development environments. If you want to quickly add threat modeling to your development process without slowing it down this is the process for you. The evening will be composed of an interactive tutorial which will walk the participants through some examples using the The Modeling Express process.

'''Who:'''The tutorial will be given by Rohit Sethi a software security specialist and Vice President of SD Elements. Rohit is a SANS course developer and instructor and leads the OWASP Design Patterns Security Analysis project.

'''When:''' The event will start at 6PM on May 3, 2012.Please RSVP [http://www.eventbrite.com/event/3413274195 here]

'''Where:''' Shopify have kindly offered the board room of their brand new location for the event.

'''Speaker Notes:''' [http://www.scribd.com/doc/94372478/Threat-Model-Express?secret_password=wspz2g4rjvlob3bx2in Download Here]

==== December 12, 2011 ====
'''Location:''' Bell Canada - 160 Elgin St, Ottawa 

'''Title:''' n00bs night out...exploiting the owasp top 10

Hey Ottawa, come join us for a FREE night of web application hacking. We have tutorials explaining how to exploit the OWASP Top 10 web application vulnerabilities and hands on labs to practice your skills. Bring your laptop and a copy of the Backtrack 5 LiveCD (or VM) http://www.backtrack-linux.org/downloads/

'''Who:''' all skill levels are welcome (especially n00bs)

'''When:''' December 12 from 6:00pm - 9:00pm (open at 5:30)

'''RSVP:''' http://n00bs-night.eventbrite.com/

==== September 27th, 2011 ====

'''Location''': Shopify - 61a York St (Above Tucker's Marketplace)

'''Speaker Notes:''' [https://www.owasp.org/images/a/a2/OWASP_Sep_2011_Hacking_Silverlight.ppt Download Here]

'''Microsoft Silverlight Security - A Hacker's Perspective'''

'''Abstract'''

It’s not news for anyone how the internet has revolutionized all aspects of our lives. In the past few years there has been unprecedented growth in web applications and their user base. One of the core technologies driving this widespread phenomenon is Rich Internet Applications (RIAs) because it offers the same level of responsiveness & interactivity on web that is available to desktop applications. Microsoft offered its vision of RIA through Silverlight - a framework that allows web applications running in a browser to behave more like desktop applications.

One of the major enhancements in Silverlight was the incorporation of mini-CLR engine, that on one hand, adds amazing capabilities for web developers but, on the other hand, also broadens the surface area of attack by opening previously nonexistent entry points into web applications. In this presentation Angelo & Kamran will demonstrate how modern hackers can use reverse engineering techniques to take advantage of weak security implementation. They will also show some effective ways of defending against these types of attacks.

'''Speakers:'''

Angelo Chan is an experienced versatile software developer who has developed applications, middleware and low-level software for various platforms. With an initial background in Telecom, Angelo has since worked with different technologies and has discovered a passion for .NET. His interests include virtual machines, operating systems, network/application reverse engineering and security. Angelo can be reached at Angelo@WindowsDebugging.com

Kamran Bilgrami is a seasoned software developer with proven track record of transforming complex business problems into viable technical solution. He has been instrumental in orchestrating highly available, performance centric, fault-tolerant real-time systems in a wide variety of industries including Telecom, Security and Human/Health Services. His areas of expertise include .NET, CLR Internals, Patterns and Security. Kamran can be reached at Kamran@WindowsDebugging.com

 

==== May, Thursday 12th 2011 ====

'''Location:''' Bell - 160 Elgin St, Ottawa '''Session 1 - Chris Pierre: Beyond Facebook: How Hackers Might Obtain Information Individual for Social Engineering attacks''' As the old saying goes “Know your enemy as you know yourself.” This discussion will examine several sources of publicly available information which an attacker might use to gain background information on a target for the purposes of a social engineering attack. The talk is expected to be interactive, lively and will provoke a discussion on how these systems and processes can be hardened against this type of attack. 

 '''About The Speaker'''

Chris Pierre BA, CFE, CISSP is an Ottawa-based forensic investigation professional. Having worked with several forensic firms prior to starting Evince Services, Inc., he has experience in many types of engagements in both the private & public sectors & specializes in investigations involving the internet. Forensic engagements have included information leaks, general corporate fraud investigations, investor fraud, intellectual property cases, administrative/internal investigations, background investigations, grants & contributions fraud, corruption investigations & the provision of training on the use of the Internet as an investigative tool. Preventative engagements have included training, background due diligence & compliance consulting.

Chris is an instructor at Algonquin College, the Canadian Police College, Past-President of the Ottawa Chapter of the High Tech Crime Investigators Association (HTCIA) & a member of the Ottawa Chapter of the Association of Certified Fraud Examiners. '''Session 2: - David Mirza Ahmed: Introducing Vega, a New Open Source Web Vulnerability Scanner'''

David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

 '''About The Speaker''' David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal. 

==== March, Thursday 10th 2011 ====

Speaker: Shan Gu - Accenture - Large enterprises are increasing their adoption of SOA at a rapid rate as interoperability standards and vendor product implementations mature and stabilize. However, moving enterprises into a loosely coupled IT paradigm introduces challenges around security and compliance. How do we address accountability, confidentiality, integrity, and trust in a large loosely couple ecosystem where consumers and providers don’t always maintain a permanent or stateful relationship? There are standards of course that help integrators and Architects design systems to communicate with each other in a secure manner, however these standards, when interpreted in their purest sense are complex and expensive to implement/maintain in large organizations. And systems that are operationally complex in terms of security are ironically the least secure.

About The Speaker Shan Gu - Manager in the Security Technologies Practice at Accenture Shan is a Security Architect from Accenture who specializes in Identity and Access Management and SOA Security. He has worked with clients in both the Public and Private sectors and in various industries spanning from Health, to Transport, to Financial Services. Shan has spent his recent years focused on helping clients adopt SOA within the enterprise and to do it in a secure and cost effective manner. Shan is a graduate from Carleton University’s Systems and Computer Engineering program, with a B.Eng and a Minor in Business.

==== More Previous Meetings ====

*September 10th, 2009 - Justin Foster - '''Speaker Notes:''' [http://www.developingsecurity.com/weblog/2009/09/crossing-the-border-javascript-exploits.html Download Here]
*April 6th, 2009 - Rafal Los - '''Speaker Notes:''' [http://www.owasp.org/images/3/3a/A_Laugh_RIAt2.zip Download Here]
*July 16th, 2008 - John Linehan - '''Speaker Notes:''' [https://www.owasp.org/index.php/Image:John_Linehan_OWASP_Dist.pdf Download Here]
*[[November 28th, 2007 - Eric Klien - Make my day]]

= Chapter Leadership =

Chapter President: [mailto:sherif.koussa@owasp.org Sherif Koussa] 
Chapter Committee: [mailto:sergei.frankoff@owasp.org Sergei Frankoff] and [mailto:mike.sues@owasp.org Mike Sues] 

 
 
__NOTOC__ <headertabs />

[[Category:Canada]]

Ottawa

2013-08-29T13:54:50Z

Koussa:

{{Chapter Template|chaptername=Ottawa|extra=The chapter's president is [mailto:sherif.koussa@gmail.com Sherif Koussa]

Follow us on [http://twitter.com/#!/owasp_ottawa Twitter] 

<paypal>Ottawa</paypal>

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-ottawa|emailarchives=http://lists.owasp.org/mailman/listinfo/owasp-ottawa}}

 

==Thanks to Our 2013 Sponsor==
{| width="900" border="0" align="left" cellpadding="1" cellspacing="1"
[[Image:2keys (big).jpg|200x100px|2keys%20(big).jpg|link=http://www.2keys.ca]]
|}

 
==Your Local Chapter==
Hi Ottawa, welcome to your local OWASP chapter! We are a place to come and meet local developers and information security professionals, share ideas, and learn. We try to hold a meeting at least once every two months in the downtown core. We provide a mix of infosec rockstar talks, hands on training sessions, and special interest discussion groups. We are always looking for new ideas for events so let us know if you have an idea. Email one of us: [mailto:sherif.koussa@owasp.org Sherif], [mailto:sergei.frankoff@owasp.org Sergei], [mailto:mike.sues@owasp.org Mike] or tweet at us [http://twitter.com/#!/owasp_ottawa owasp_ottawa].

Hope to see you at a meeting soon.

 

== '''Update: Slides Posted!''' China: All up in your business - Annoying Persistent Threat edition==

'''What'''

Software is no longer written, it's assembled. With 80% of a typical application now being assembled from components, it's time to take a hard look at the new risks posed by this type of development -- and the processes and tools that we'll need in order to keep them in check.

On the just released OWASP Top 10 for 2013, entry A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.

Join Ryan Berg, Sonatype CSO, as he shares real world data on component risks, outlines the scope of the problem, and proposes approaches for managing these risk. You'll learn how security professionals can work cooperatively with application developers to reduce risk AND boost developer efficiency.

'''Who'''

Ryan Berg is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development.

'''When''': Thursday, Sept 5ht, 2013 : 6:00 PM

==Countermeasure 2013==
{|
|[[Image:cmeasure2013.jpg|400x200px|cmeasure2013.jpg|link=http://www.countermeasure2013.com/]]
|COUNTERMEASURE is Ottawa's premier annual IT security conference and training event featuring the best of both offensive and defensive tactics. Past speakers have included globally recognized industry security researchers, Government of Canada representatives and seasoned enterprise security experts from the private sector.
OWASP Ottawa is offering a 10% discount on Countermeasure 2013 registration for all OWASP members. Just e-mail one of the chapter members with your OWASP membership number or DM us @OWASP_Ottawa and we will send you the discount code.
|}

 
 
 
= Upcoming Event Ideas =
We are always looking for ideas for upcoming meetings. If you have a speaker you would like to see, a tutorial you would like to participate in, or just some ideas for discussion topics let us know. We maintain a list of your ideas here. To add to the list you can edit it directly, send one of us an e-mail ([mailto:sherif.koussa@owasp.org Sherif], [mailto:sergei.frankoff@owasp.org Sergei]), or tweet it at our [http://twitter.com/#!/owasp_ottawa Twitter account].
 
*<del>N00bs Night: Understanding and Exploiting the OWASP Top 10 (Top 10 discussion, live exploit demos, test lab to practice your skills)</del>
*Secure Code review
*(ISC)2 CSSLP introduction
*Metasploit introduction
*Web Application Forensics
*xPath Injection (SQL/CSS etc get lots of press but I’d like to hear more about this)
*HTML5 - What's new for security specially for Offline Applications
*Web 2.0 Security Evolution - How security challenges are changing with technology evolultion
*ASP.NET MVC Security for WebForms Developers
*Hack proofing your web application by using reverse engineering
*Using Windows Communication Foundation (WCF) Securely in your applications

= Past Meetings =
====June 2013====
'''Title:'''China: All up in your business - Annoying Persistent Threat edition

'''What'''
For the past few years, Dave has been involved in examining intrusions by a group informally known as Comment Crew -- which are now better known as 'APT1' following the recent release of the report from Mandiant. This group falls into the class of the 'Advanced Persistent Threat' and are known to use compromised web sites to supply command/control to compromised systems.
The talk contains a live demo of an annotated attack against a fictitious company, using custom malware and metasploit. It shows how attackers initially compromise a system, supply commands, install additional malware, gain privileges in post-exploit and loot the network for fun and profit!
This talk is targeted toward beginner/intermediate security practitioners and provides an overview of these types of attack. Whether you are simulating an APT style attack as a penetration tester or trying to defend your organization against similar threats this talk is a great starting point. Depending on interest it will be possible to focus some of the talk on the demo-malware code itself.

'''Who'''
Dave Ockwell-Jenner has an extensive background in technology: from building one of the Internet’s earliest major web sites, to helping secure some of the world’s most critical systems. He has led the development of solutions for some of Canada’s most prominent technology companies, including Research In Motion and Nortel. He currently works for a Swiss-based company that specializes in IT and communications for the Air Transport Industry. In this role he has focused on designing and delivering the company's secure software development lifecycle. Through this, Dave regularly trains developers in secure software techniques, and has co-authored the SANS course on Developing Defensible Java EE Solutions. Dave also runs a boutique security consultancy called Prime Information Security, concentrating on information security within Small-to-Medium Businesses. He is a security blogger for TELUS and also co-founded a business networking organization called the Small Business Community Network (SBCN).

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/china-all-up-in-your-business-doj Slides]
[https://www.youtube.com/watch?v=2rJ2tHeb5yQ Video Demo]

====May 2013====
'''Title:''' Ottawa IT Camp 2013

'''What'''
Ottawa IT Camp is a fun filled day of "meat only" presentations. By technical people, for technical people! The OWASP track focuses on application security talks covering threat modelling, code review, and the OWASP top 10.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/security-codereview-1 Secure Code Review for .NET]
[http://ottawaitcamp.codeplex.com/ Conference presentations and code]

====January 2013====
'''Title:''' XML Attack Surface

'''What'''
Security vulnerabilities with XML processing can be a real threat to applications, especially when malicious XML can be submitted remotely. Fortunately, these issues can be easily avoided by properly configuring XML parsers.

Several attack types will be presented with a live demo covering the following: Denial of Service, Arbitrary file Content disclosure, and Remote OS command injection. Vulnerabilities caused by misconfiguration of XML parsing, XML transforms and Xpath queries will be investigated and suggestions on how to prevent these type of attacks will be provided with a developer perspective.

'''Who'''
Pierre Ernst is a senior member of the IBM Business Analytics Security Competency Group at the Ottawa Lab in Canada. A former software developer turned penetration tester, he's responsible for finding security vulnerabilities in IBM applications before they are released. Using a combination of manual testing and secure code review, his work complements automated vulnerability scanners. Pierre is also responsible for giving guidance to developers on how to mitigate and fix security issues.

'''Slides'''
[http://www.slideshare.net/OWASP_Ottawa/pierre-ernst-xml-attack-surface-owasp-ottawa Download Here]

====December 2012====
'''Title:''' Sploitego - Maltego's (Local) Partner in Crime

'''What'''
Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that gives Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'.
Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories.
Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

'''Who'''
Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

'''Slides'''
[http://cloud.github.com/downloads/allfro/sploitego/Sploitego%20-%20Hackfest%20Revolution.pdf Download Here]

====N00bs Night: Secure Code Review====
Come join us for a night of free hands on tutorials in secure code review. Learn the OWASP top 10 from a developer's perspective.

'''What'''
During this session, we will review an Online Movie Ticket Booking Application pulled from SourceForge for OWASP Top, specifically Cross-Site Scripting, SQL Injection and Access Control. You will learn how to review your code for these issues, how to fix them and how to automate the whole process. Expect lots of code, tools and fun (Please note that the exercises will be mainly in Java)

'''Who'''
The tutorial will be given by Sherif Koussa. Sherif is the leader of our very own OWASP Ottawa, leader of Static Analysis Tools Evaluation Criteria at the Web Application Security Consortium (WASC) and a Steering Committee Member for SANS/GIAC GSSP-NET and GSSP-JAVA. He is also the founder of Software Secured (www.softwaresecured.com) and Secure Code Gurus (www.securecodegurus.com).

====May 2012====
'''Title:''' OWASP Tutorial Night: Threat Modeling Express

Threat Modeling Express is a lightweight threat modeling process suited for agile development environments. If you want to quickly add threat modeling to your development process without slowing it down this is the process for you. The evening will be composed of an interactive tutorial which will walk the participants through some examples using the The Modeling Express process.

'''Who:'''The tutorial will be given by Rohit Sethi a software security specialist and Vice President of SD Elements. Rohit is a SANS course developer and instructor and leads the OWASP Design Patterns Security Analysis project.

'''When:''' The event will start at 6PM on May 3, 2012.Please RSVP [http://www.eventbrite.com/event/3413274195 here]

'''Where:''' Shopify have kindly offered the board room of their brand new location for the event.

'''Speaker Notes:''' [http://www.scribd.com/doc/94372478/Threat-Model-Express?secret_password=wspz2g4rjvlob3bx2in Download Here]

==== December 12, 2011 ====
'''Location:''' Bell Canada - 160 Elgin St, Ottawa 

'''Title:''' n00bs night out...exploiting the owasp top 10

Hey Ottawa, come join us for a FREE night of web application hacking. We have tutorials explaining how to exploit the OWASP Top 10 web application vulnerabilities and hands on labs to practice your skills. Bring your laptop and a copy of the Backtrack 5 LiveCD (or VM) http://www.backtrack-linux.org/downloads/

'''Who:''' all skill levels are welcome (especially n00bs)

'''When:''' December 12 from 6:00pm - 9:00pm (open at 5:30)

'''RSVP:''' http://n00bs-night.eventbrite.com/

==== September 27th, 2011 ====

'''Location''': Shopify - 61a York St (Above Tucker's Marketplace)

'''Speaker Notes:''' [https://www.owasp.org/images/a/a2/OWASP_Sep_2011_Hacking_Silverlight.ppt Download Here]

'''Microsoft Silverlight Security - A Hacker's Perspective'''

'''Abstract'''

It’s not news for anyone how the internet has revolutionized all aspects of our lives. In the past few years there has been unprecedented growth in web applications and their user base. One of the core technologies driving this widespread phenomenon is Rich Internet Applications (RIAs) because it offers the same level of responsiveness & interactivity on web that is available to desktop applications. Microsoft offered its vision of RIA through Silverlight - a framework that allows web applications running in a browser to behave more like desktop applications.

One of the major enhancements in Silverlight was the incorporation of mini-CLR engine, that on one hand, adds amazing capabilities for web developers but, on the other hand, also broadens the surface area of attack by opening previously nonexistent entry points into web applications. In this presentation Angelo & Kamran will demonstrate how modern hackers can use reverse engineering techniques to take advantage of weak security implementation. They will also show some effective ways of defending against these types of attacks.

'''Speakers:'''

Angelo Chan is an experienced versatile software developer who has developed applications, middleware and low-level software for various platforms. With an initial background in Telecom, Angelo has since worked with different technologies and has discovered a passion for .NET. His interests include virtual machines, operating systems, network/application reverse engineering and security. Angelo can be reached at Angelo@WindowsDebugging.com

Kamran Bilgrami is a seasoned software developer with proven track record of transforming complex business problems into viable technical solution. He has been instrumental in orchestrating highly available, performance centric, fault-tolerant real-time systems in a wide variety of industries including Telecom, Security and Human/Health Services. His areas of expertise include .NET, CLR Internals, Patterns and Security. Kamran can be reached at Kamran@WindowsDebugging.com

 

==== May, Thursday 12th 2011 ====

'''Location:''' Bell - 160 Elgin St, Ottawa '''Session 1 - Chris Pierre: Beyond Facebook: How Hackers Might Obtain Information Individual for Social Engineering attacks''' As the old saying goes “Know your enemy as you know yourself.” This discussion will examine several sources of publicly available information which an attacker might use to gain background information on a target for the purposes of a social engineering attack. The talk is expected to be interactive, lively and will provoke a discussion on how these systems and processes can be hardened against this type of attack. 

 '''About The Speaker'''

Chris Pierre BA, CFE, CISSP is an Ottawa-based forensic investigation professional. Having worked with several forensic firms prior to starting Evince Services, Inc., he has experience in many types of engagements in both the private & public sectors & specializes in investigations involving the internet. Forensic engagements have included information leaks, general corporate fraud investigations, investor fraud, intellectual property cases, administrative/internal investigations, background investigations, grants & contributions fraud, corruption investigations & the provision of training on the use of the Internet as an investigative tool. Preventative engagements have included training, background due diligence & compliance consulting.

Chris is an instructor at Algonquin College, the Canadian Police College, Past-President of the Ottawa Chapter of the High Tech Crime Investigators Association (HTCIA) & a member of the Ottawa Chapter of the Association of Certified Fraud Examiners. '''Session 2: - David Mirza Ahmed: Introducing Vega, a New Open Source Web Vulnerability Scanner'''

David will be presenting Vega, a new free and open source vulnerability scanner for web applications developed by Subgraph, his Montreal-based security startup. Vega allows anyone to scan their web applications for vulnerabilities such as cross-site scripting or SQL injection. Written in Java, Vega is cross-platform. It's also extensible, with a built-in Javascript interpreter and API for custom module development. Vega also includes an intercepting proxy for manual inspection of possible vulnerabilities and penetration testing.

 '''About The Speaker''' David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and was an editor for IEEE Security & Privacy. His current obsession is building Subgraph, his information security startup in Montréal. 

==== March, Thursday 10th 2011 ====

Speaker: Shan Gu - Accenture - Large enterprises are increasing their adoption of SOA at a rapid rate as interoperability standards and vendor product implementations mature and stabilize. However, moving enterprises into a loosely coupled IT paradigm introduces challenges around security and compliance. How do we address accountability, confidentiality, integrity, and trust in a large loosely couple ecosystem where consumers and providers don’t always maintain a permanent or stateful relationship? There are standards of course that help integrators and Architects design systems to communicate with each other in a secure manner, however these standards, when interpreted in their purest sense are complex and expensive to implement/maintain in large organizations. And systems that are operationally complex in terms of security are ironically the least secure.

About The Speaker Shan Gu - Manager in the Security Technologies Practice at Accenture Shan is a Security Architect from Accenture who specializes in Identity and Access Management and SOA Security. He has worked with clients in both the Public and Private sectors and in various industries spanning from Health, to Transport, to Financial Services. Shan has spent his recent years focused on helping clients adopt SOA within the enterprise and to do it in a secure and cost effective manner. Shan is a graduate from Carleton University’s Systems and Computer Engineering program, with a B.Eng and a Minor in Business.

==== More Previous Meetings ====

*September 10th, 2009 - Justin Foster - '''Speaker Notes:''' [http://www.developingsecurity.com/weblog/2009/09/crossing-the-border-javascript-exploits.html Download Here]
*April 6th, 2009 - Rafal Los - '''Speaker Notes:''' [http://www.owasp.org/images/3/3a/A_Laugh_RIAt2.zip Download Here]
*July 16th, 2008 - John Linehan - '''Speaker Notes:''' [https://www.owasp.org/index.php/Image:John_Linehan_OWASP_Dist.pdf Download Here]
*[[November 28th, 2007 - Eric Klien - Make my day]]

= Chapter Leadership =

Chapter President: [mailto:sherif.koussa@owasp.org Sherif Koussa] 
Chapter Committee: [mailto:sergei.frankoff@owasp.org Sergei Frankoff] and [mailto:mike.sues@owasp.org Mike Sues] 

 
 
__NOTOC__ <headertabs />

[[Category:Canada]]

Ottawa IT Camp OWASP Track

2013-02-17T03:05:08Z

Koussa:

==<center>'''Overview'''</center>==
OWASP Ottawa have partnered with the Ottawa IT Camp 2013 to host an application security track at the sixth annual Ottawa IT Camp. The event will be held on May 4, 2013 at Algonquin College. Details can be found here: [http://www.ottawacodecamp.ca/pages2013/default.aspx http://www.ottawacodecamp.ca/pages2013/default.aspx]
=<center>'''Ottawa IT Camp 2013 and OWASP Ottawa Call For Papers'''</center>=

The OWASP track of the Ottawa IT Code Camp is looking for hot talks on Application Security. We are interested in all topics related to Application Security, in particular:

<dl>
<dd>- Secure development: frameworks, best practices, secure coding, methods, processes, SDLC
<dd>- Vulnerability analysis: code review, pentesting, static analysis
<dd>- Mobile security
<dd>- HTML5 security
<dd>- OWASP tools or projects in practice
<dd>- New technologies, paradigms, tools
</dl>

All sessions are 60 minutes in duration.

Proposals may be submitted here: [http://www.ottawacodecamp.ca/Pages2013/speaker.aspx http://www.ottawacodecamp.ca/Pages2013/speaker.aspx]

Please note that we will be accepting quality submissions as they are received so get your submissions in ASAP. The final deadline for submitting any talks is March, 15th 2013

Please fill in as much information in the CFP submission form, and included the following inside the "Content" section:

# Presentation Outline (provide bullet points of what is to be covered)
# Name of person/people presenting. Please attach bios for each presenter
# Explain what you hope attendees will gain from the presentation
# Provide reasons why your topic should be presented at the OWASP track of the IT Code Camp.
# Advise if a demonstration will be provided and, if so, provide details of any special equipment needed to support your presentation or demonstration

Please note that we will not be entertaining presentations that are focused

on selling services or products.

Unfortunately we are unable to cover travel and accommodations are for speakers.

Feel free to contact [mailto:sherif.koussa@owasp.orgo sherif.koussa@owasp.org] for any questions.

Ottawa

2012-12-04T19:19:23Z

Koussa:

Ottawa

2012-12-04T02:54:18Z

Koussa:

Ottawa

2012-12-04T02:48:25Z

Koussa: /* Your Local Chapter */

Ottawa

2012-12-04T02:46:52Z

Koussa:

Ottawa

2012-12-04T02:44:04Z

Koussa:

Ottawa

2012-06-02T15:56:10Z

Koussa:

Ottawa

2012-04-30T14:46:58Z

Koussa:

Ottawa

2012-04-30T14:45:58Z

Koussa:

File:RK logo-rgb.jpg

2012-04-30T14:44:42Z

Koussa:

Ottawa

2012-04-23T14:53:01Z

Koussa:

Access Control Cheat Sheet

2012-03-11T21:14:16Z

Koussa: /* Best Practice: Centralized ACL Controller */

=Introduction=

This article is focused on providing clear, simple, actionable guidance for providing Access Control security in your applications.

==What is Access Control / Authorization?==

Authorization is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication - as these terms and their defininitions are frequently confused.

Access Control is the method or mechanism of authorization to enfore that requests to a system resource or functionality should be granted.

'''Role Based Access Control (RBAC)''' is commonly used to manage permissions within an application. Permissions are assigned to users in a many to many relationship.

'''Discretioinary Access Control (DAC)''' is commonly used to manage permissions within an operating system.

'''Mandatory Access Control (MAC)''' is a classification based system of objects and subjects. To "write up", a subject's clearance level must be dominated by the object being written to the system. To "read down", a subject's clearance level must govern the security level of the object being read. In this system, a subject may be able to write to an object, but will never be able to read it. This prevents malicious software from being able to leak data from different classification levels. "Write up" prevents leakage from high to low.
(See the [http://csrc.nist.gov/publications/history/dod85.pdf Orange Book] for more information about classification levels and confidentiality controls in "DAC" and "MAC".)

=Attacks on Access Control=

Vertical Access Control Attacks - A standard user accessing administration functionality

Horizontal Access Control attacks - Same role, but accessing another user's private data

Business Logic Access Control Attacks - Abuse of one or more linked activities that collectively realize a business objective

=Access Control Issues=
*Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges

*Authorization Logic often relies on Security by Obscurity (STO) by assuming:
**Users will not find unlinked or hidden paths or functionality
**Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)

*Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges

*Many administrative interfaces require only a password for authentication
*Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators
*Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users
*Authorization/Access Control relies on client-side information (e.g., hidden fields)

<input type="text" name="fname" value="Derek">
<input type="text" name="lname" value="Jeter">
<input type="hidden" name="usertype" value="admin">

=Access Control Anti-Patterns=

*Hard-coded role checks in application code
*Lack of centralized access control logic
*Untrusted data driving access control decisions
*Access control that is "open by default"
*Lack of addressing horizontal access control in a standardized way (if at all)
*Access control logic that needs to be manually added to every endpoint in code

==Hard Coded Roles==

if (user.isManager() ||
user.isAdministrator() ||
user.isEditor() ||
user.isUser()) {
//execute action
}

'''Hard Codes Roles can create several issues including:'''

*Making the policy of an application difficult to "prove" for audit or Q/A purposes
*Causing new code to be pushed each time an access control policy needs to be changed.
*They are fragile and easy to make mistakes

==Order Specific Operations==

Imagine the following parameters

http://example.com/buy?action=chooseDataPackage
http://example.com/buy?action=customizePackage
http://example.com/buy?action=makePayment
http://example.com/buy?action=downloadData

'''Can an attacker control the sequence?'''

'''Can an attacker abuse this with concurency?'''

==Never Depend on Untrusted Data==

*Never trust user data for access control decisions
*Never make access control decisions in JavaScript
*Never depend on the order of values sent from the client
*Never make authorization decisions based solely on
**hidden fields
**cookie values
**form parameters
**URL parameters
**anything else from the request

=Attacking Access Controls=

*Elevation of privileges
*Disclosure of confidential data - Compromising admin-level accounts often result in access to a user's confidential data
*Data tampering - Privilege levels do not distinguish users who can only view data and users permitted to modify data

=Testing for Broken Access Control=

*Attempt to access administrative components or functions as an anonymous or regular user
**Scour HTML source for “interesting” hidden form fields
**Test web accessible directory structure for names like admin, administrator, manager, etc (i.e. attempt to directly browse to “restricted” areas)
*Determine how administrators are authenticated. Ensure that adequate authentication is used and enforced
*For each user role, ensure that only the appropriate pages or components are accessible for that role.
*Login as a low-level user, browse history for a higher level user’s cache, load the page to see if the original authorization is passed to a previous session.
*If able to compromise administrator-level account, test for all other common web application vulnerabilities (poor input validation, privileged database access, etc)

=Defenses Against Access Control Attacks=

*Implement role based access control to assign permissions to application users for vertical access control requirements
*Implement data-contextual access control to assign permissions to application users in the context of specific data items for horizontal access control requirements
*Avoid assigning permissions on a per-user basis
*Perform consistent authorization checking routines on all application pages
*Where applicable, apply DENY privileges last, issue ALLOW privileges on a case-by-case basis
*Where possible restrict administrator access to machines located on the local area network (i.e. it’s best to avoid remote administrator access from public facing access points)
*Log all failed access authorization requests to a secure location for review by administrators
*Perform reviews of failed login attempts on a periodic basis
*Utilize the strengths and functionality provided by the SSO solution you chose

=Best Practices=

==Best Practice: Code to the Activity==

if (AC.hasAccess(ARTICLE_EDIT)) {
//execute activity
}
*Code it once, never needs to change again
*Implies policy is persisted/centralized in some way
*Avoid assigning permissions on a per-user basis
*Requires more design/work up front to get right

==Best Practice: Centralized ACL Controller==

*Define a centralized access controller
ACLService.isAuthorized(ACTION_CONSTANT)
ACLService.assertAuthorized(ACTION_CONSTANT)
*Access control decisions go through these simple API’s
*Centralized logic to drive policy behavior and persistence
*May contain data-driven access control policy information
*Policy language needs to support ability to express both access rights and prohibitions

==Best Practice: Using a Centralized Access Controller==

*In Presentation Layer

if (isAuthorized(VIEW_LOG_PANEL))
{
Here are the logs
<%=getLogs();%/>
}

*In Controller

try (assertAuthorized(DELETE_USER))
{
deleteUser();
}

==Best Practice: Verifying policy server-side==

*Keep user identity verification in session
*Load entitlements server side from trusted sources
*Force authorization checks on ALL requests
**JS file, image, AJAX and FLASH requests as well!
**Force this check using a filter if possible

=SQL Integrated Access Control=

'''Example Feature'''

http://mail.example.com/viewMessage?msgid=2356342

'''This SQL would be vulnerable to tampering'''

select * from messages where messageid = 2356342

'''Ensure the owner is referenced in the query!'''

select * from messages where messageid = 2356342 AND messages.message_owner =

=Access Control Positive Patterns=

*Code to the activity, not the role
*Centralize access control logic
*Design access control as a filter
*Deny by default, fail securely
*Build centralized access control mechanism
*Apply same core logic to presentation and server-side access control decisions
*Determine access control through Server-side trusted data

=Data Contextual Access Control=

'''Data Contextual / Horizontal Access Control API examples'''

ACLService.isAuthorized(EDIT_ORG, 142)
ACLService.assertAuthorized(VIEW_ORG, 900)

Long Form

isAuthorized(user, EDIT_ORG, Organization.class, 14)

*Essentially checking if the user has the right role in the context of a specific object
*Centralize access control logic
*Protecting data at the lowest level!

=Authors and Primary Editors=

Jim Manico = jim [manico] dot net

Fred Donovan - fred.donovan [at] owasp dot org

Access Control Cheat Sheet

2012-03-11T17:30:46Z

Koussa:

=Introduction=

This article is focused on providing clear, simple, actionable guidance for providing Access Control security in your applications.

==What is Access Control / Authorization?==

Authorization is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication - as these terms and their defininitions are frequently confused.

Access Control is the method or mechanism of authorization to enfore that requests to a system resource or functionality should be granted.

'''Role Based Access Control (RBAC)''' is commonly used to manage permissions within an application. Permissions are assigned to users in a many to many relationship.

'''Discretioinary Access Control (DAC)''' is commonly used to manage permissions within an application.

'''Mandatory Access Control (MAC)''' is a classification based system of objects and subjects. To "write up", a subject's clearance level must be

=Attacks on Access Control=

Vertical Access Control Attacks - A standard user accessing administration functionality

Horizontal Access Control attacks - Same role, but accessing another user's private data

Business Logic Access Control Attacks - Abuse of one or more linked activities that collectively realize a business objective

=Access Control Issues=
*Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges

*Authorization Logic often relies on Security by Obscurity (STO) by assuming:
**Users will not find unlinked or hidden paths or functionality
**Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)

*Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges

*Many administrative interfaces require only a password for authentication
*Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators
*Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users
*Authorization/Access Control relies on client-side information (e.g., hidden fields)

input type="text" name="fname" value="Derek"
input type="text" name="lname" value="Jeter"
input type="hidden" name="usertype" value="admin"

=Access Control Anti-Patterns=

*Hard-coded role checks in application code
*Lack of centralized access control logic
*Untrusted data driving access control decisions
*Access control that is "open by default"
*Lack of addressing horizontal access control in a standardized way (if at all)
*Access control logic that needs to be manually added to every endpoint in code

==Hard Coded Roles==

if (user.isManager() ||
user.isAdministrator() ||
user.isEditor() ||
user.isUser()) {
//execute action
}

'''Hard Codes Roles can create several issues including:'''

*Making the policy of an application difficult to "prove" for audit or Q/A purposes
*Causing new code to be pushed each time an access control policy needs to be changed.
*They are fragile and easy to make mistakes Order Specific Operations

==Order Specific Operations==

Imagine the following parameters

http://example.com/buy?action=chooseDataPackage
http://example.com/buy?action=customizePackage
http://example.com/buy?action=makePayment
http://example.com/buy?action=downloadData

'''Can an attacker control the sequence?'''

'''Can an attacker abuse this with concurency?'''

==Never Depend on Untrusted Data==

*Never trust user data for access control decisions
*Never make access control decisions in JavaScript
*Never depend on the order of values sent from the client
*Never make authorization decisions based solely on
**hidden fields
**cookie values
**form parameters
**URL parameters
**anything else from the request

=Attacking Access Controls=

*Elevation of privileges
*Disclosure of confidential data - Compromising admin-level accounts often result in access to a user's confidential data
*Data tampering - Privilege levels do not distinguish users who can only view data and users permitted to modify data

=Testing for Broken Access Control=

*Attempt to access administrative components or functions as an anonymous or regular user
**Scour HTML source for “interesting” hidden form fields
**Test web accessible directory structure for names like admin, administrator, manager, etc (i.e. attempt to directly browse to “restricted” areas)
*Determine how administrators are authenticated. Ensure that adequate authentication is used and enforced
*For each user role, ensure that only the appropriate pages or components are accessible for that role.
*Login as a low-level user, browse history for a higher level user’s cache, load the page to see if the original authorization is passed to a previous session.
*If able to compromise administrator-level account, test for all other common web application vulnerabilities (poor input validation, privileged database access, etc)

=Defenses Against Access Control Attacks=

*Implement role based access control to assign permissions to application users for vertical access control requirements
*Implement data-contextual access control to assign permissions to application users in the context of specific data items for horizontal access control requirements
*Avoid assigning permissions on a per-user basis
*Perform consistent authorization checking routines on all application pages
*Where applicable, apply DENY privileges last, issue ALLOW privileges on a case-by-case basis
*Where possible restrict administrator access to machines located on the local area network (i.e. it’s best to avoid remote administrator access from public facing access points)
*Log all failed access authorization requests to a secure location for review by administrators
*Perform reviews of failed login attempts on a periodic basis
*Utilize the strengths and functionality provided by the SSO solution you chose

=Best Practices=

==Best Practice: Code to the Activity==

if (AC.hasAccess(ARTICLE_EDIT)) {
//execute activity
}
*Code it once, never needs to change again
*Implies policy is persisted/centralized in some way
*Avoid assigning permissions on a per-user basis
*Requires more design/work up front to get right

==Best Practice: Centralized ACL Controller==

*Define a centralized access controller
ACLService.isAuthorized(ACTION_CONSTANT)
ACLService.assertAuthorized(ACTION_CONSTANT)
*Access control decisions go through these simple API’s
*Centralized logic to drive policy behavior and persistence
*May contain data-driven access control policy information
*Policy language needs to support ability to express both access rights and prohibitions

==Best Practice: Using a Centralized Access Controller==

*In Presentation Layer

if (isAuthorized(VIEW_LOG_PANEL))
{
Here are the logs
<%=getLogs();%/>
}

*In Controller

try (assertAuthorized(DELETE_USER))
{
deleteUser();
}

==Best Practice: Verifying policy server-side==

*Keep user identity verification in session
*Load entitlements server side from trusted sources
*Force authorization checks on ALL requests
**JS file, image, AJAX and FLASH requests as well!
**Force this check using a filter if possible

=SQL Integrated Access Control=

'''Example Feature'''

http://mail.example.com/viewMessage?msgid=2356342

'''This SQL would be vulnerable to tampering'''

select * from messages where messageid = 2356342

'''Ensure the owner is referenced in the query!'''

select * from messages where messageid = 2356342 AND messages.message_owner =

=Access Control Positive Patterns=

*Code to the activity, not the role
*Centralize access control logic
*Design access control as a filter
*Deny by default, fail securely
*Build centralized access control mechanism
*Apply same core logic to presentation and server-side access control decisions
*Determine access control through Server-side trusted data

=Data Contextual Access Control=

'''Data Contextual / Horizontal Access Control API examples'''

ACLService.isAuthorized(EDIT_ORG, 142)
ACLService.assertAuthorized(VIEW_ORG, 900)

Long Form

isAuthorized(user, EDIT_ORG, Organization.class, 14)

*Essentially checking if the user has the right role in the context of a specific object
*Centralize access control logic
*Protecting data a the lowest level!

=Authors and Primary Editors=

Jim Manico = jim [manico] dot net

Fred Donovan - fred.donovan [at] owasp dot org

Access Control Cheat Sheet

2012-03-11T04:23:59Z

Koussa: /* Access Control Issues */

=Introduction=

This article is focused on providing clear, simple, actionable guidance for providing Access Control security in your applications.

==What is Access Control / Authorization?==

Authorization is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication - as these terms and their defininitions are frequently confused.

Access Control is the method or mechanism of authorization to enfore that requests to a system resource or functionality should be granted.

'''Role Based Access Control (RBAC)''' is commonly used to manage permissions within an application. Permissions are assigned to users in a many to many relationship.

'''Discretioinary Access Control (DAC)''' is commonly used to manage permissions within an application.

'''Mandatory Access Control (MAC)''' is a classification based system of objects and subjects. To "write up", a subject's clearance level must be

==Attacks on Access Control==

Vertical Access Control Attacks - A standard user accessing administration functionality

Horizontal Access Control attacks - Same role, but accessing another user's private data

Business Logic Access Control Attacks - Abuse of one or more linked activities that collectively realize a business objective

==Access Control Issues==

Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges

Authorization Logic often relies on Security by Obscurity (STO) by assuming:

*Users will not find unlinked or hidden paths or functionality
*Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)

Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges

'''Access Control Anti-Patterns'''

*Hard-coded role checks in application code
*Lack of centralized access control logic
*Untrusted data driving access control decisions
*Access control that is "open by default"
*Lack of addressing horizontal access control in a standardized way (if at all)
*Access control logic that needs to be manually added to every endpoint in code
*Hard Coded Roles

if (user.isManager() ||
user.isAdministrator() ||
user.isEditor() ||
user.isUser()) {
//execute action
}

'''Hard Codes Roles can create several issues including:'''

Making the policy of an application difficult to "prove" for audit or Q/A purposes causing new code to be pushed each time an access control policy needs to be changed. They are fragile and easy to make mistakes Order Specific Operations

Imagine the following parameters

http://example.com/buy?action=chooseDataPackage
http://example.com/buy?action=customizePackage
http://example.com/buy?action=makePayment
http://example.com/buy?action=downloadData

Can an attacker control the sequence?

Can an attacker abuse this with concurency?

Never Depend on Untrusted Data

Never trust user data for access control decisions
Never make access control decisions in JavaScript
Never depend on the order of values sent from the client
Never make authorization decisions based solely on
*hidden fields
*cookie values
*form parameters
*URL parameters
*anything else from the request

'''Access Control Issues'''

Many administrative interfaces require only a password for authentication
Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators
Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users
Authorization/Access Control relies on client-side information (e.g., hidden fields)

input type="text" name="fname" value="Derek"
input type="text" name="lname" value="Jeter"
input type="hidden" name="usertype" value="admin"

'''Attacking Access Controls'''

*Elevation of privileges
*Disclosure of confidential data - Compromising admin-level accounts often result in access to a user's confidential data
*Data tampering - Privilege levels do not distinguish users who can only view data and users permitted to modify data
*Testing for Broken Access Control

Attempt to access administrative components or functions as an anonymous or regular user
*Scour HTML source for “interesting” hidden form fields
*Test web accessible directory structure for names like admin, administrator, manager, etc (i.e. attempt to directly browse to “restricted” areas)

Determine how administrators are authenticated.
Ensure that adequate authentication is used and enforced
For each user role, ensure that only the appropriate pages or components are accessible for that role.
Login as a low-level user, browse history for a higher level user’s cache, load the page to see if the original authorization is passed to a previous session.
If able to compromise administrator-level account, test for all other common web application vulnerabilities (poor input validation, privileged database access, etc)
Defenses Against Access Control Attacks

Implement role based access control to assign permissions to application users for vertical access control requirements
Implement data-contextual access control to assign permissions to application users in the context of specific data items for horizontal access control requirements
Avoid assigning permissions on a per-user basis
Perform consistent authorization checking routines on all application pages
Where applicable, apply DENY privileges last, issue ALLOW privileges on a case-by-case basis
Where possible restrict administrator access to machines located on the local area network (i.e. it’s best to avoid remote administrator access from public facing access points)
Log all failed access authorization requests to a secure location for review by administrators
Perform reviews of failed login attempts on a periodic basis
Utilize the strengths and functionality provided by the SSO solution you chose
Best Practice: Code to the Activity

if (AC.hasAccess(ARTICLE_EDIT)) {
//execute activity
}
Code it once, never needs to change again
Implies policy is persisted/centralized in some way
Avoid assigning permissions on a per-user basis
Requires more design/work up front to get right
Best Practice: Centralized ACL Controler

Define a centralized access controller
ACLService.isAuthorized(ACTION_CONSTANT)
ACLService.assertAuthorized(ACTION_CONSTANT)
Access control decisions go through these simple API’s
Centralized logic to drive policy behavior and persistence
May contain data-driven access control policy information
Policy language needs to support ability to express both access rights and prohibitions
Best Practice: Using a Centralized Access Controller

In Presentation Layer
if (isAuthorized(VIEW_LOG_PANEL))
{
Here are the logs
<%=getLogs();%/>
}
In Controller
try (assertAuthorized(DELETE_USER))
{
deleteUser();
}

Best Practice:

Verifying policy server-side
Keep user identity verification in session
Load entitlements server side from trusted sources
Force authorization checks on ALL requests
*JS file, image, AJAX and FLASH requests as well!
*Force this check using a filter if possible
SQL Integrated Access Control

Example Feature

http://mail.example.com/viewMessage?msgid=2356342

This SQL would be vulnerable to tampering

select * from messages where messageid = 2356342
Ensure the owner is referenced in the query!
select * from messages where messageid = 2356342 AND messages.message_owner =
Access Control Positive Patterns

Code to the activity, not the role
Centralize access control logic
Design access control as a filter
Deny by default, fail securely
Build centralized access control mechanism
Apply same core logic to presentation and server-side access control decisions
Determine access control through Server-side trusted data
Data Contextual Access Control

Data Contextual / Horizontal Access Control API examples

ACLService.isAuthorized(EDIT_ORG, 142)
ACLService.assertAuthorized(VIEW_ORG, 900)

Long Form

isAuthorized(user, EDIT_ORG, Organization.class, 14)

Essentially checking if the user has the right role in the context of a specific object
Centralize access control logic
Protecting data a the lowest level!

Access Control Cheat Sheet

2012-03-11T04:13:53Z

Koussa:

=Introduction=

This article is focused on providing clear, simple, actionable guidance for providing Access Control security in your applications.

==What is Access Control / Authorization?==

Authorization is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication - as these terms and their defininitions are frequently confused.

Access Control is the method or mechanism of authorization to enfore that requests to a system resource or functionality should be granted.

'''Role Based Access Control (RBAC)''' is commonly used to manage permissions within an application. Permissions are assigned to users in a many to many relationship.

'''Discretioinary Access Control (DAC)''' is commonly used to manage permissions within an application.

'''Mandatory Access Control (MAC)''' is a classification based system of objects and subjects. To "write up", a subject's clearance level must be

==Attacks on Access Control==

Vertical Access Control Attacks - A standard user accessing administration functionality

Horizontal Access Control attacks - Same role, but accessing another user's private data

Business Logic Access Control Attacks - Abuse of one or more linked activities that collectively realize a business objective

==Access Control Issues==

Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges

Authorization Logic often relies on Security by Obscurity (STO) by assuming:

*Users will not find unlinked or hidden paths or functionality
*Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)

Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges

'''Access Control Anti-Patterns'''

*Hard-coded role checks in application code
*Lack of centralized access control logic
*Untrusted data driving access control decisions
*Access control that is "open by default"
*Lack of addressing horizontal access control in a standardized way (if at all)
*Access control logic that needs to be manually added to every endpoint in code
*Hard Coded Roles

if (user.isManager() ||
user.isAdministrator() ||
user.isEditor() ||
user.isUser()) {
//execute action
}

'''Hard Codes Roles can create several issues including:'''

Making the policy of an application difficult to "prove" for audit or Q/A purposes causing new code to be pushed each time an access control policy needs to be changed. They are fragile and easy to make mistakes Order Specific Operations

Imagine the following parameters

http://example.com/buy?action=chooseDataPackage
http://example.com/buy?action=customizePackage
http://example.com/buy?action=makePayment
http://example.com/buy?action=downloadData

Can an attacker control the sequence?

Can an attacker abuse this with concurency?

Never Depend on Untrusted Data

Never trust user data for access control decisions
Never make access control decisions in JavaScript
Never depend on the order of values sent from the client
Never make authorization decisions based solely on
*hidden fields
*cookie values
*form parameters
*URL parameters
*anything else from the request

'''Access Control Issues'''

Many administrative interfaces require only a password for authentication
Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators
Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users
Authorization/Access Control relies on client-side information (e.g., hidden fields)
input type="text" name="fname" value="Derek"
input type="text" name="lname" value="Jeter"
input type="hidden" name="usertype" value="admin"

'''Attacking Access Controls'''

*Elevation of privileges
*Disclosure of confidential data - Compromising admin-level accounts often result in access to a user's confidential data
*Data tampering - Privilege levels do not distinguish users who can only view data and users permitted to modify data
*Testing for Broken Access Control

Attempt to access administrative components or functions as an anonymous or regular user
*Scour HTML source for “interesting” hidden form fields
*Test web accessible directory structure for names like admin, administrator, manager, etc (i.e. attempt to directly browse to “restricted” areas)

Determine how administrators are authenticated. Ensure that adequate authentication is used and enforced
For each user role, ensure that only the appropriate pages or components are accessible for that role.
Login as a low-level user, browse history for a higher level user’s cache, load the page to see if the original authorization is passed to a previous session.
If able to compromise administrator-level account, test for all other common web application vulnerabilities (poor input validation, privileged database access, etc)
Defenses Against Access Control Attacks

Implement role based access control to assign permissions to application users for vertical access control requirements
Implement data-contextual access control to assign permissions to application users in the context of specific data items for horizontal access control requirements
Avoid assigning permissions on a per-user basis
Perform consistent authorization checking routines on all application pages
Where applicable, apply DENY privileges last, issue ALLOW privileges on a case-by-case basis
Where possible restrict administrator access to machines located on the local area network (i.e. it’s best to avoid remote administrator access from public facing access points)
Log all failed access authorization requests to a secure location for review by administrators
Perform reviews of failed login attempts on a periodic basis
Utilize the strengths and functionality provided by the SSO solution you chose
Best Practice: Code to the Activity

if (AC.hasAccess(ARTICLE_EDIT)) {
//execute activity
}
Code it once, never needs to change again
Implies policy is persisted/centralized in some way
Avoid assigning permissions on a per-user basis
Requires more design/work up front to get right
Best Practice: Centralized ACL Controler

Define a centralized access controller
ACLService.isAuthorized(ACTION_CONSTANT)
ACLService.assertAuthorized(ACTION_CONSTANT)
Access control decisions go through these simple API’s
Centralized logic to drive policy behavior and persistence
May contain data-driven access control policy information
Policy language needs to support ability to express both access rights and prohibitions
Best Practice: Using a Centralized Access Controller

In Presentation Layer

if (isAuthorized(VIEW_LOG_PANEL))
{
Here are the logs
<%=getLogs();%/>
}
In Controller

try (assertAuthorized(DELETE_USER))
{
deleteUser();
}
Best Practice: Verifying policy server-side

Keep user identity verification in session
Load entitlements server side from trusted sources
Force authorization checks on ALL requests
- JS file, image, AJAX and FLASH requests as well!
- Force this check using a filter if possible
SQL Integrated Access Control

Example Feature

http://mail.example.com/viewMessage?msgid=2356342
This SQL would be vulnerable to tampering

select * from messages where messageid = 2356342
Ensure the owner is referenced in the query!

select * from messages where messageid = 2356342 AND messages.message_owner =
Access Control Positive Patterns

Code to the activity, not the role
Centralize access control logic
Design access control as a filter
Deny by default, fail securely
Build centralized access control mechanism
Apply same core logic to presentation and server-side access control decisions
Determine access control through Server-side trusted data
Data Contextual Access Control

Data Contextual / Horizontal Access Control API examples

ACLService.isAuthorized(EDIT_ORG, 142)
ACLService.assertAuthorized(VIEW_ORG, 900)
Long Form

isAuthorized(user, EDIT_ORG, Organization.class, 14)

Essentially checking if the user has the right role in the context of a specific object
Centralize access control logic
Protecting data a the lowest level!

Access Control Cheat Sheet

2012-03-11T04:05:59Z

Koussa: Created page with "=Introduction= This article is focused on providing clear, simple, actionable guidance for providing Access Control security in your applications. ==What is Access Control /..."

=Introduction=

This article is focused on providing clear, simple, actionable guidance for providing Access Control security in your applications.

==What is Access Control / Authorization?==

Authorization is the process where requests to access a particular resource should be granted or denied. It should be noted that authorization is not equivalent to authentication - as these terms and their defininitions are frequently confused.

Access Control is the method or mechanism of authorization to enfore that requests to a system resource or functionality should be granted.

===Role Based Access Control (RBAC)=== is commonly used to manage permissions within an application. Permissions are assigned to users in a many to many relationship.

===Discretioinary Access Control (DAC)=== is commonly used to manage permissions within an application.

===Mandatory Access Control (MAC)=== is a classification based system of objects and subjects. To "write up", a subject's clearance level must be

==Attacks on Access Control==

Vertical Access Control Attacks - A standard user accessing administration functionality

Horizontal Access Control attacks - Same role, but accessing another user's private data

Business Logic Access Control Attacks - Abuse of one or more linked activities that collectively realize a business objective

==Access Control Issues==

Many applications used the "All or Nothing" approach - Once authenticated, all users have equal privileges

Authorization Logic often relies on Security by Obscurity (STO) by assuming:

- Users will not find unlinked or hidden paths or functionality
- Users will not find and tamper with "obscured" client side parameters (i.e. "hidden" form fields, cookies, etc.)

Applications with multiple permission levels/roles often increases the possibility of conflicting permission sets resulting in unanticipated privileges

Access Control Anti-Patterns

Hard-coded role checks in application code
Lack of centralized access control logic
Untrusted data driving access control decisions
Access control that is "open by default"
Lack of addressing horizontal access control in a standardized way (if at all)
Access control logic that needs to be manually added to every endpoint in code
Hard Coded Roles

if (user.isManager() ||
user.isAdministrator() ||
user.isEditor() ||
user.isUser()) {

// execute action

}
Hard Codes Roles can create several issues including:

Making the policy of an application difficult to "prove" for audit or Q/A purposes
Causing new code to be pushed each time an access control policy needs to be changed
They are fragile and easy to make mistakes
Order Specific Operations

Imagine the following parameters

http://example.com/buy?action=chooseDataPackage
http://example.com/buy?action=customizePackage
http://example.com/buy?action=makePayment
http://example.com/buy?action=downloadData
Can an attacker control the sequence?

Can an attacker abuse this with concurency?

Never Depend on Untrusted Data

Never trust user data for access control decisions
Never make access control decisions in JavaScript
Never depend on the order of values sent from the client
Never make authorization decisions based solely on
- hidden fields
- cookie values
- form parameters
- URL parameters
- anything else from the request

Access Control Issues

Many administrative interfaces require only a password for authentication
Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators
Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users
Authorization/Access Control relies on client-side information (e.g., hidden fields)
input type="text" name="fname" value="Derek"
input type="text" name="lname" value="Jeter"
input type="hidden" name="usertype" value="admin"
Attacking Access Controls

Elevation of privileges
Disclosure of confidential data - Compromising admin-level accounts often result in access to a user's confidential data
Data tampering - Privilege levels do not distinguish users who can only view data and users permitted to modify data
Testing for Broken Access Control

Attempt to access administrative components or functions as an anonymous or regular user
- Scour HTML source for “interesting” hidden form fields
- Test web accessible directory structure for names like admin, administrator, manager, etc (i.e. attempt to directly browse to “restricted” areas)
Determine how administrators are authenticated. Ensure that adequate authentication is used and enforced
For each user role, ensure that only the appropriate pages or components are accessible for that role.
Login as a low-level user, browse history for a higher level user’s cache, load the page to see if the original authorization is passed to a previous session.
If able to compromise administrator-level account, test for all other common web application vulnerabilities (poor input validation, privileged database access, etc)
Defenses Against Access Control Attacks

Implement role based access control to assign permissions to application users for vertical access control requirements
Implement data-contextual access control to assign permissions to application users in the context of specific data items for horizontal access control requirements
Avoid assigning permissions on a per-user basis
Perform consistent authorization checking routines on all application pages
Where applicable, apply DENY privileges last, issue ALLOW privileges on a case-by-case basis
Where possible restrict administrator access to machines located on the local area network (i.e. it’s best to avoid remote administrator access from public facing access points)
Log all failed access authorization requests to a secure location for review by administrators
Perform reviews of failed login attempts on a periodic basis
Utilize the strengths and functionality provided by the SSO solution you chose
Best Practice: Code to the Activity

if (AC.hasAccess(ARTICLE_EDIT)) {
//execute activity
}
Code it once, never needs to change again
Implies policy is persisted/centralized in some way
Avoid assigning permissions on a per-user basis
Requires more design/work up front to get right
Best Practice: Centralized ACL Controler

Define a centralized access controller
ACLService.isAuthorized(ACTION_CONSTANT)
ACLService.assertAuthorized(ACTION_CONSTANT)
Access control decisions go through these simple API’s
Centralized logic to drive policy behavior and persistence
May contain data-driven access control policy information
Policy language needs to support ability to express both access rights and prohibitions
Best Practice: Using a Centralized Access Controller

In Presentation Layer

if (isAuthorized(VIEW_LOG_PANEL))
{
Here are the logs
<%=getLogs();%/>
}
In Controller

try (assertAuthorized(DELETE_USER))
{
deleteUser();
}
Best Practice: Verifying policy server-side

Keep user identity verification in session
Load entitlements server side from trusted sources
Force authorization checks on ALL requests
- JS file, image, AJAX and FLASH requests as well!
- Force this check using a filter if possible
SQL Integrated Access Control

Example Feature

http://mail.example.com/viewMessage?msgid=2356342
This SQL would be vulnerable to tampering

select * from messages where messageid = 2356342
Ensure the owner is referenced in the query!

select * from messages where messageid = 2356342 AND messages.message_owner =
Access Control Positive Patterns

Code to the activity, not the role
Centralize access control logic
Design access control as a filter
Deny by default, fail securely
Build centralized access control mechanism
Apply same core logic to presentation and server-side access control decisions
Determine access control through Server-side trusted data
Data Contextual Access Control

Data Contextual / Horizontal Access Control API examples

ACLService.isAuthorized(EDIT_ORG, 142)
ACLService.assertAuthorized(VIEW_ORG, 900)
Long Form

isAuthorized(user, EDIT_ORG, Organization.class, 14)

Essentially checking if the user has the right role in the context of a specific object
Centralize access control logic
Protecting data a the lowest level!

Template:Cheatsheet Navigation

2012-03-11T04:00:35Z

Koussa:

'''OWASP Cheat Sheets Project Homepage'''
* [[Cheat Sheets]]

'''OWASP Cheat Sheet Series'''
* [[Access Control Cheat Sheet]]
* [[Authentication Cheat Sheet]]
* [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet]]
* [[Transport Layer Protection Cheat Sheet]]
* [[Cryptographic Storage Cheat Sheet]]
* [[Input Validation Cheat Sheet]]
* [[XSS Prevention Cheat Sheet]]
* [[DOM based XSS Prevention Cheat Sheet]]
* [[Forgot Password Cheat Sheet]]
* [[Query Parameterization Cheat Sheet]]
* [[SQL Injection Prevention Cheat Sheet]]
* [[Session Management Cheat Sheet]]
* [[HTML5 Security Cheat Sheet]]
* [[Web Service Security Cheat Sheet]]
* [[Application Security Architecture Cheat Sheet]]

'''Draft OWASP Cheat Sheets'''
* [[REST Security Cheat Sheet]]
* [[Abridged XSS Prevention Cheat Sheet]]
* [[PHP Security Cheat Sheet]]
* [[Password Storage Cheat Sheet]]
* [[Secure Coding Cheat Sheet]]
* [[Threat Modeling Cheat Sheet]]
* [[Clickjacking Cheat Sheet]]
* [[Virtual Patching Cheat Sheet]]

Projects/OWASP Cheat Sheets Project

2012-03-11T03:59:49Z

Koussa:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>
| project_name = OWASP Cheat Sheets Project
| project_home_page = Cheat Sheets
| project_description = This project was created to provide a concise collection of high value information on specific security topics. These cheat sheets were created by multiple application security experts and provide excellent security guidance in an easy to read format.

| project_license = [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution ShareAlike 3.0 license]

| leader_name2 = Jim Manico
| leader_email2 = jim.manico@owasp.org
| leader_username2 = Jmanico

| leader_name[3-10] =
| leader_email[3-10] =
| leader_username[3-10] =

| contributor_name1 = Michael Coates
| contributor_email1 = Michael.Coates@owasp.org
| contributor_username1 = MichaelCoates

| contributor_name[2-10] =
| contributor_email[2-10] =
| contributor_username[2-10] =

| pamphlet_link =

| presentation_link =

| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets

| project_road_map = https://www.owasp.org/index.php/Cheat_Sheets/Roadmap

| links_url1 =
| links_name1 =

| links_url2 =
| links_name2 =

| links_url3 =
| links_name3 =

| links_url4 =
| links_name4 =

| links_url5 =
| links_name5 =

| links_url6 =
| links_name6 =

| links_url7 =
| links_name7 =

| links_url8 =
| links_name8 =

| links_url9 =
| links_name9 =

| links_url10 =
| links_name10 =

| release_1 =
| release_2 =
| release_3 =
| release_4 =

| project_about_page = Projects/OWASP Cheat Sheets Project
}}

Ottawa

2012-02-05T01:26:15Z

Koussa:

Ottawa

2012-02-05T01:25:56Z

Koussa:

Ottawa

2012-02-05T01:25:35Z

Koussa:

Ottawa

2012-02-05T01:22:41Z

Koussa:

Ottawa

2012-02-03T22:04:11Z

Koussa:

Ottawa

2012-02-03T16:46:52Z

Koussa:

Ottawa

2012-02-03T16:46:35Z

Koussa:

Ottawa

2012-02-03T16:44:06Z

Koussa: