https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Leah+TeutschOWASP - User contributions [en]2026-04-24T06:54:25ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Dallas&diff=87864Dallas2010-08-23T03:38:15Z<p>Leah Teutsch: </p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
'''When:''' Tuesday, September 21, 2010 11:30 AM – 1:00 PM<br />
<br />
'''Topic: ''' Securing the Smart Grid's Software<br />
<br />
'''Who:''' Andy Bochman<br />
<br />
Andy Bochman is Energy Security Lead for IBM's Rational Division, where the focus is on securing the software that runs the Smart Grid. Andy is a contributor to industry and national security working groups on energy security and cyber security. He lives in Boston, is an active member of the MIT Energy Club, and is the founder of the Smart Grid Security and DOD Energy Blogs.<br />
<br />
'''Where:''' CoreLogic, 1 CoreLogic Drive, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
From Dallas:<br />
Take 183-West to 114-West (Toward Grapevine)<br />
Exit on Solana/Kirkwood Blvd<br />
Turn Left onto Kirkwood Blvd<br />
Turn Right onto Campus Circle (You will see the CoreLogic sign)<br />
<br />
From Fort Worth:<br />
Take I-35W North<br />
Take exit 70 toward Dallas/Bridgeport/Tx-114<br />
Turn Right onto 114 East<br />
Exit on Solana Blvd<br />
Turn Right onto Kirkwood Blvd<br />
Turn Right onto Campus Circle (You will see the CoreLogic sign)<br />
<br />
Link to Directions <br />
(Please Note: CoreLogic (formerly First American) is still listed on Google Maps and other applications as “First American”)<br />
<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. The Southlake conference room is located in Building 4, Floor 1. <br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the Café in Building 7. <br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
<br />
'''When:''' Tuesday, June 29, 2010 11:30 AM – 1:00 PM<br />
<br />
'''Topic: ''' Protecting Your Applications from Backdoors: How to Security Your Business Critical <br />
Applications from Time Bombs, BAckdoors & More<br />
<br />
With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.<br />
Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams.<br />
In this session we will cover;<br />
• Prevalence of backdoors and malicious code in third party attacks <br />
• Definitions and classifications of backdoors and their impact on your applications <br />
• Methods to identify, track and remediate these vulnerabilities<br />
<br />
<br />
'''Who:''' Clint Pollock, Senior Solutions Architect, Veracode<br />
<br />
Mr. Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their application security risk. Clint’s greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL.<br />
<br />
'''Where:''' University of Texas at Dallas Campus - School of Management (SOM), Executive Dining Room A, 800 W. Campbell Rd., Richardson, TX 75080<br />
<br />
'''Parking:''' Park in lot M. I will send a permit to those who have RSVP'd by Monday, June 29. Those who do not have the permit will need to stop at the Visitor Center on University Parkway to pick up a pass. Place the permit on the dash. <br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch or come early and purchase lunch at one of the many fast-food restaurants located on the top floor of the Student Union. We are meeting in a differnt building than for previous meetings so be sure to check the on-line map for construction changes. http://www.utdallas.edu/maps/ <br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Thursday, May 20, 2010 6:00 PM<br />
<br />
'''Topic: ''' Spring 2010 Networking Event - Network With Your Peers <br />
<br />
FREE EVENT!!! Your Dallas OWASP Chapter is pleased to host a networking event open to all those involved in OWASP. Our friends at Fortify Software are sponsoring this happy hour. <br />
<br />
• Mix and mingle with fellow OWASP chapter members • Bring your business cards and resume • Appetizers will be served, and drinks will be free • Enter to win prizes and great gifts (must be present to win)<br />
<br />
Dallas OWASP Website: http://www.owasp.org/index.php/Dallas <br />
<br />
Don't miss the first Spring 2010 Networking event! We look forward to seeing you there!<br />
<br />
'''Where:''' Humperdink's at Loop 12 and NW HWY, 2208 W NW Hwy, Dallas, TX 75220, (214) 358-4159<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] <br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Thursday, March 4, 2010 11:30 AM – 1:00 PM<br />
<br />
'''Topic: ''' Technology and Business Risk Management: How Application Security Fits In<br />
<br />
This presentation demonstrates how important application security is to the<br />
overall stability and security of the infrastructure and ultimately, the business. Presented from<br />
the Information Security Officer/Risk Manager point of view, it shows how a strong information<br />
security program reduces levels of reputational, operational, legal, and strategic risk by limiting<br />
vulnerabilities, increasing stability, and maintaining customer confidence and trust. It focuses on<br />
the top concerns of risk managers and how application security fits into the overall risk<br />
management process. The audience will be given recommendations on how to improve cost<br />
effectiveness and efficiency to achieve business, security, audit, and compliance objectives<br />
relative to applications.<br />
<br />
'''Who:''' Peter Perfetti, IMPACT Security LLC<br />
<br />
Mr. Perfetti has been working in information security for fifteen years. He has<br />
been involved in IT Security for the financial services industry for ten years where he has worked<br />
as an Information Security Officer as well as having been responsible for vulnerability and threat<br />
management, and security engineering. Mr. Perfetti worked for Viacom and MTV as the Manager<br />
of Systems Administration and was the Director of IT Risk Management for the National<br />
Basketball Association. He has a broad range of experience in both operations and security. Mr.<br />
Perfetti provided governance and guidance over risk and compliance issues for the Americas<br />
region of ABN AMRO as the Local Information Security Officer for New York. His responsibilities<br />
were primarily to manage the risk for infrastructure related technology and operations. Other<br />
duties included audit, business continuity, investigations, and security operations oversight. Most<br />
recently, he was head of IT Security & Governance at Tygris Commercial Finance. He was<br />
formerly the VP of the NY/NJ Metro Chapter of OWASP and is currently a board member of the<br />
local chapter. He has served on the IT Security Advisory Board for the Technology Manager’s<br />
Forum. Mr. Perfetti’s accomplishments have been discussed in two books on achieving <br />
high-performing, stable, and secure infrastructure. Currently Mr. Perfetti operates IMPACT Security<br />
LLC, a private security contractor firm, that specializes in Incident & Audit Response, Prevention,<br />
and Recovery; as well as developing, enhancing, and implementing Security and Risk<br />
Management programs.<br />
<br />
'''Where:''' University of Texas at Dallas Campus - Galaxy Room C of the Student Union, 800 W. Campbell Rd., Richardson, TX 75080<br />
<br />
'''Parking:''' Park in lot C. I will send a permit to those who have RSVP'd by Tuesday, March 2nd. Those who do not have the permit will need to stop at the Visitor Center on University Parkway to pick up a pass. Place the permit on the dash. <br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at one of the many fast-food<br />
restaurants located on the top floor of the Student Union.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A Link to Directions].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the Café in Building 7.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am.<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=87715Dallas2010-08-17T23:04:35Z<p>Leah Teutsch: </p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
'''When:''' Tuesday, September 21, 2010 11:30 AM – 1:00 PM<br />
<br />
'''Topic: ''' Securing the Smart Grid's Software<br />
<br />
'''Who:''' Andy Bochman<br />
<br />
Andy Bochman is Energy Security Lead for IBM's Rational Division, where the focus is on securing the software that runs the Smart Grid. Andy is a contributor to industry and national security working groups on energy security and cyber security. He lives in Boston, is an active member of the MIT Energy Club, and is the founder of the Smart Grid Security and DOD Energy Blogs.<br />
<br />
'''Where:''' CoreLogic, 1 CoreLogic Drive, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. <br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the Café in Building 7. <br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
<br />
'''When:''' Tuesday, June 29, 2010 11:30 AM – 1:00 PM<br />
<br />
'''Topic: ''' Protecting Your Applications from Backdoors: How to Security Your Business Critical <br />
Applications from Time Bombs, BAckdoors & More<br />
<br />
With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.<br />
Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams.<br />
In this session we will cover;<br />
• Prevalence of backdoors and malicious code in third party attacks <br />
• Definitions and classifications of backdoors and their impact on your applications <br />
• Methods to identify, track and remediate these vulnerabilities<br />
<br />
<br />
'''Who:''' Clint Pollock, Senior Solutions Architect, Veracode<br />
<br />
Mr. Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their application security risk. Clint’s greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL.<br />
<br />
'''Where:''' University of Texas at Dallas Campus - School of Management (SOM), Executive Dining Room A, 800 W. Campbell Rd., Richardson, TX 75080<br />
<br />
'''Parking:''' Park in lot M. I will send a permit to those who have RSVP'd by Monday, June 29. Those who do not have the permit will need to stop at the Visitor Center on University Parkway to pick up a pass. Place the permit on the dash. <br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch or come early and purchase lunch at one of the many fast-food restaurants located on the top floor of the Student Union. We are meeting in a differnt building than for previous meetings so be sure to check the on-line map for construction changes. http://www.utdallas.edu/maps/ <br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Thursday, May 20, 2010 6:00 PM<br />
<br />
'''Topic: ''' Spring 2010 Networking Event - Network With Your Peers <br />
<br />
FREE EVENT!!! Your Dallas OWASP Chapter is pleased to host a networking event open to all those involved in OWASP. Our friends at Fortify Software are sponsoring this happy hour. <br />
<br />
• Mix and mingle with fellow OWASP chapter members • Bring your business cards and resume • Appetizers will be served, and drinks will be free • Enter to win prizes and great gifts (must be present to win)<br />
<br />
Dallas OWASP Website: http://www.owasp.org/index.php/Dallas <br />
<br />
Don't miss the first Spring 2010 Networking event! We look forward to seeing you there!<br />
<br />
'''Where:''' Humperdink's at Loop 12 and NW HWY, 2208 W NW Hwy, Dallas, TX 75220, (214) 358-4159<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] <br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Thursday, March 4, 2010 11:30 AM – 1:00 PM<br />
<br />
'''Topic: ''' Technology and Business Risk Management: How Application Security Fits In<br />
<br />
This presentation demonstrates how important application security is to the<br />
overall stability and security of the infrastructure and ultimately, the business. Presented from<br />
the Information Security Officer/Risk Manager point of view, it shows how a strong information<br />
security program reduces levels of reputational, operational, legal, and strategic risk by limiting<br />
vulnerabilities, increasing stability, and maintaining customer confidence and trust. It focuses on<br />
the top concerns of risk managers and how application security fits into the overall risk<br />
management process. The audience will be given recommendations on how to improve cost<br />
effectiveness and efficiency to achieve business, security, audit, and compliance objectives<br />
relative to applications.<br />
<br />
'''Who:''' Peter Perfetti, IMPACT Security LLC<br />
<br />
Mr. Perfetti has been working in information security for fifteen years. He has<br />
been involved in IT Security for the financial services industry for ten years where he has worked<br />
as an Information Security Officer as well as having been responsible for vulnerability and threat<br />
management, and security engineering. Mr. Perfetti worked for Viacom and MTV as the Manager<br />
of Systems Administration and was the Director of IT Risk Management for the National<br />
Basketball Association. He has a broad range of experience in both operations and security. Mr.<br />
Perfetti provided governance and guidance over risk and compliance issues for the Americas<br />
region of ABN AMRO as the Local Information Security Officer for New York. His responsibilities<br />
were primarily to manage the risk for infrastructure related technology and operations. Other<br />
duties included audit, business continuity, investigations, and security operations oversight. Most<br />
recently, he was head of IT Security & Governance at Tygris Commercial Finance. He was<br />
formerly the VP of the NY/NJ Metro Chapter of OWASP and is currently a board member of the<br />
local chapter. He has served on the IT Security Advisory Board for the Technology Manager’s<br />
Forum. Mr. Perfetti’s accomplishments have been discussed in two books on achieving <br />
high-performing, stable, and secure infrastructure. Currently Mr. Perfetti operates IMPACT Security<br />
LLC, a private security contractor firm, that specializes in Incident & Audit Response, Prevention,<br />
and Recovery; as well as developing, enhancing, and implementing Security and Risk<br />
Management programs.<br />
<br />
'''Where:''' University of Texas at Dallas Campus - Galaxy Room C of the Student Union, 800 W. Campbell Rd., Richardson, TX 75080<br />
<br />
'''Parking:''' Park in lot C. I will send a permit to those who have RSVP'd by Tuesday, March 2nd. Those who do not have the permit will need to stop at the Visitor Center on University Parkway to pick up a pass. Place the permit on the dash. <br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at one of the many fast-food<br />
restaurants located on the top floor of the Student Union.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A Link to Directions].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the Café in Building 7.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am.<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=85002Dallas2010-06-17T01:19:36Z<p>Leah Teutsch: </p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
'''When:''' Tuesday, June 29, 2010 11:30 AM – 1:00 PM<br />
<br />
'''Topic: ''' Protecting Your Applications from Backdoors: How to Security Your Business Critical <br />
Applications from Time Bombs, BAckdoors & More<br />
<br />
With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.<br />
Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams.<br />
In this session we will cover;<br />
• Prevalence of backdoors and malicious code in third party attacks <br />
• Definitions and classifications of backdoors and their impact on your applications <br />
• Methods to identify, track and remediate these vulnerabilities<br />
<br />
<br />
'''Who:''' Clint Pollock, Senior Solutions Architect, Veracode<br />
<br />
Mr. Pollock is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their application security risk. Clint’s greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL.<br />
<br />
'''Where:''' University of Texas at Dallas Campus - School of Management (SOM), Executive Dining Room A, 800 W. Campbell Rd., Richardson, TX 75080<br />
<br />
'''Parking:''' Park in lot M. I will send a permit to those who have RSVP'd by Monday, June 29. Those who do not have the permit will need to stop at the Visitor Center on University Parkway to pick up a pass. Place the permit on the dash. <br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch or come early and purchase lunch at one of the many fast-food restaurants located on the top floor of the Student Union. We are meeting in a differnt building than for previous meetings so be sure to check the on-line map for construction changes. http://www.utdallas.edu/maps/ <br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Thursday, May 20, 2010 6:00 PM<br />
<br />
'''Topic: ''' Spring 2010 Networking Event - Network With Your Peers <br />
<br />
FREE EVENT!!! Your Dallas OWASP Chapter is pleased to host a networking event open to all those involved in OWASP. Our friends at Fortify Software are sponsoring this happy hour. <br />
<br />
• Mix and mingle with fellow OWASP chapter members • Bring your business cards and resume • Appetizers will be served, and drinks will be free • Enter to win prizes and great gifts (must be present to win)<br />
<br />
Dallas OWASP Website: http://www.owasp.org/index.php/Dallas <br />
<br />
Don't miss the first Spring 2010 Networking event! We look forward to seeing you there!<br />
<br />
'''Where:''' Humperdink's at Loop 12 and NW HWY, 2208 W NW Hwy, Dallas, TX 75220, (214) 358-4159<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] <br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Thursday, March 4, 2010 11:30 AM – 1:00 PM<br />
<br />
'''Topic: ''' Technology and Business Risk Management: How Application Security Fits In<br />
<br />
This presentation demonstrates how important application security is to the<br />
overall stability and security of the infrastructure and ultimately, the business. Presented from<br />
the Information Security Officer/Risk Manager point of view, it shows how a strong information<br />
security program reduces levels of reputational, operational, legal, and strategic risk by limiting<br />
vulnerabilities, increasing stability, and maintaining customer confidence and trust. It focuses on<br />
the top concerns of risk managers and how application security fits into the overall risk<br />
management process. The audience will be given recommendations on how to improve cost<br />
effectiveness and efficiency to achieve business, security, audit, and compliance objectives<br />
relative to applications.<br />
<br />
'''Who:''' Peter Perfetti, IMPACT Security LLC<br />
<br />
Mr. Perfetti has been working in information security for fifteen years. He has<br />
been involved in IT Security for the financial services industry for ten years where he has worked<br />
as an Information Security Officer as well as having been responsible for vulnerability and threat<br />
management, and security engineering. Mr. Perfetti worked for Viacom and MTV as the Manager<br />
of Systems Administration and was the Director of IT Risk Management for the National<br />
Basketball Association. He has a broad range of experience in both operations and security. Mr.<br />
Perfetti provided governance and guidance over risk and compliance issues for the Americas<br />
region of ABN AMRO as the Local Information Security Officer for New York. His responsibilities<br />
were primarily to manage the risk for infrastructure related technology and operations. Other<br />
duties included audit, business continuity, investigations, and security operations oversight. Most<br />
recently, he was head of IT Security & Governance at Tygris Commercial Finance. He was<br />
formerly the VP of the NY/NJ Metro Chapter of OWASP and is currently a board member of the<br />
local chapter. He has served on the IT Security Advisory Board for the Technology Manager’s<br />
Forum. Mr. Perfetti’s accomplishments have been discussed in two books on achieving <br />
high-performing, stable, and secure infrastructure. Currently Mr. Perfetti operates IMPACT Security<br />
LLC, a private security contractor firm, that specializes in Incident & Audit Response, Prevention,<br />
and Recovery; as well as developing, enhancing, and implementing Security and Risk<br />
Management programs.<br />
<br />
'''Where:''' University of Texas at Dallas Campus - Galaxy Room C of the Student Union, 800 W. Campbell Rd., Richardson, TX 75080<br />
<br />
'''Parking:''' Park in lot C. I will send a permit to those who have RSVP'd by Tuesday, March 2nd. Those who do not have the permit will need to stop at the Visitor Center on University Parkway to pick up a pass. Place the permit on the dash. <br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at one of the many fast-food<br />
restaurants located on the top floor of the Student Union.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A Link to Directions].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am.<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=83025Dallas2010-05-04T15:58:10Z<p>Leah Teutsch: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
'''When:''' Thursday, May 20, 2010 6:00 PM<br />
<br />
'''Topic: ''' Spring 2010 Networking Event - Network With Your Peers <br />
<br />
FREE EVENT!!! Your Dallas OWASP Chapter is pleased to host a networking event open to all those involved in OWASP. Our friends at Fortify Software are sponsoring this happy hour. <br />
<br />
• Mix and mingle with fellow OWASP chapter members • Bring your business cards and resume • Appetizers will be served, and drinks will be free • Enter to win prizes and great gifts (must be present to win)<br />
<br />
Dallas OWASP Website: http://www.owasp.org/index.php/Dallas <br />
<br />
Don't miss the first Spring 2010 Networking event! We look forward to seeing you there!<br />
<br />
'''Where:''' Humperdink's at Loop 12 and NW HWY, 2208 W NW Hwy, Dallas, TX 75220, (214) 358-4159<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] <br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Thursday, March 4, 2010 11:30 AM – 1:00 PM<br />
<br />
'''Topic: ''' Technology and Business Risk Management: How Application Security Fits In<br />
<br />
This presentation demonstrates how important application security is to the<br />
overall stability and security of the infrastructure and ultimately, the business. Presented from<br />
the Information Security Officer/Risk Manager point of view, it shows how a strong information<br />
security program reduces levels of reputational, operational, legal, and strategic risk by limiting<br />
vulnerabilities, increasing stability, and maintaining customer confidence and trust. It focuses on<br />
the top concerns of risk managers and how application security fits into the overall risk<br />
management process. The audience will be given recommendations on how to improve cost<br />
effectiveness and efficiency to achieve business, security, audit, and compliance objectives<br />
relative to applications.<br />
<br />
'''Who:''' Peter Perfetti, IMPACT Security LLC<br />
<br />
Mr. Perfetti has been working in information security for fifteen years. He has<br />
been involved in IT Security for the financial services industry for ten years where he has worked<br />
as an Information Security Officer as well as having been responsible for vulnerability and threat<br />
management, and security engineering. Mr. Perfetti worked for Viacom and MTV as the Manager<br />
of Systems Administration and was the Director of IT Risk Management for the National<br />
Basketball Association. He has a broad range of experience in both operations and security. Mr.<br />
Perfetti provided governance and guidance over risk and compliance issues for the Americas<br />
region of ABN AMRO as the Local Information Security Officer for New York. His responsibilities<br />
were primarily to manage the risk for infrastructure related technology and operations. Other<br />
duties included audit, business continuity, investigations, and security operations oversight. Most<br />
recently, he was head of IT Security & Governance at Tygris Commercial Finance. He was<br />
formerly the VP of the NY/NJ Metro Chapter of OWASP and is currently a board member of the<br />
local chapter. He has served on the IT Security Advisory Board for the Technology Manager’s<br />
Forum. Mr. Perfetti’s accomplishments have been discussed in two books on achieving <br />
high-performing, stable, and secure infrastructure. Currently Mr. Perfetti operates IMPACT Security<br />
LLC, a private security contractor firm, that specializes in Incident & Audit Response, Prevention,<br />
and Recovery; as well as developing, enhancing, and implementing Security and Risk<br />
Management programs.<br />
<br />
'''Where:''' University of Texas at Dallas Campus - Galaxy Room C of the Student Union, 800 W. Campbell Rd., Richardson, TX 75080<br />
<br />
'''Parking:''' Park in lot C. I will send a permit to those who have RSVP'd by Tuesday, March 2nd. Those who do not have the permit will need to stop at the Visitor Center on University Parkway to pick up a pass. Place the permit on the dash. <br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at one of the many fast-food<br />
restaurants located on the top floor of the Student Union.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A Link to Directions].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am.<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=78966Dallas2010-02-25T23:03:47Z<p>Leah Teutsch: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
<br />
'''When:''' Thursday, March 4, 2010 11:30 AM – 1:00 PM<br />
<br />
'''Topic: ''' Technology and Business Risk Management: How Application Security Fits In<br />
<br />
This presentation demonstrates how important application security is to the<br />
overall stability and security of the infrastructure and ultimately, the business. Presented from<br />
the Information Security Officer/Risk Manager point of view, it shows how a strong information<br />
security program reduces levels of reputational, operational, legal, and strategic risk by limiting<br />
vulnerabilities, increasing stability, and maintaining customer confidence and trust. It focuses on<br />
the top concerns of risk managers and how application security fits into the overall risk<br />
management process. The audience will be given recommendations on how to improve cost<br />
effectiveness and efficiency to achieve business, security, audit, and compliance objectives<br />
relative to applications.<br />
<br />
'''Who:''' Peter Perfetti, IMPACT Security LLC<br />
<br />
Mr. Perfetti has been working in information security for fifteen years. He has<br />
been involved in IT Security for the financial services industry for ten years where he has worked<br />
as an Information Security Officer as well as having been responsible for vulnerability and threat<br />
management, and security engineering. Mr. Perfetti worked for Viacom and MTV as the Manager<br />
of Systems Administration and was the Director of IT Risk Management for the National<br />
Basketball Association. He has a broad range of experience in both operations and security. Mr.<br />
Perfetti provided governance and guidance over risk and compliance issues for the Americas<br />
region of ABN AMRO as the Local Information Security Officer for New York. His responsibilities<br />
were primarily to manage the risk for infrastructure related technology and operations. Other<br />
duties included audit, business continuity, investigations, and security operations oversight. Most<br />
recently, he was head of IT Security & Governance at Tygris Commercial Finance. He was<br />
formerly the VP of the NY/NJ Metro Chapter of OWASP and is currently a board member of the<br />
local chapter. He has served on the IT Security Advisory Board for the Technology Manager’s<br />
Forum. Mr. Perfetti’s accomplishments have been discussed in two books on achieving <br />
high-performing, stable, and secure infrastructure. Currently Mr. Perfetti operates IMPACT Security<br />
LLC, a private security contractor firm, that specializes in Incident & Audit Response, Prevention,<br />
and Recovery; as well as developing, enhancing, and implementing Security and Risk<br />
Management programs.<br />
<br />
'''Where:''' University of Texas at Dallas Campus - Galaxy Room C of the Student Union, 800 W. Campbell Rd., Richardson, TX 75080<br />
<br />
'''Parking:''' Park in lot C. I will send a permit to those who have RSVP'd by Tuesday, March 2nd. Those who do not have the permit will need to stop at the Visitor Center on University Parkway to pick up a pass. Place the permit on the dash. <br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at one of the many fast-food<br />
restaurants located on the top floor of the Student Union.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A Link to Directions].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am.<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=78965Dallas2010-02-25T21:51:43Z<p>Leah Teutsch: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
<br />
'''When:''' Thursday, March 4, 2010 11:30 AM – 1:00 PM<br />
<br />
'''Topic: ''' Technology and Business Risk Management: How Application Security Fits In<br />
<br />
This presentation demonstrates how important application security is to the<br />
overall stability and security of the infrastructure and the ultimately, the business. Presented from<br />
the Information Security Officer/Risk Manager point of view, it shows how a strong information<br />
security program reduces levels of reputational, operational, legal, and strategic risk by limiting<br />
vulnerabilities, increasing stability, and maintaining customer confidence and trust. It focuses on<br />
the top concerns of risk managers and how application security fits into the overall risk<br />
management process. The audience will be given recommendations on how to improve cost<br />
effectiveness and efficiency to achieve business, security, audit, and compliance objectives<br />
relative to applications.<br />
<br />
'''Who:''' Peter Perfetti, IMPACT Security LLC<br />
<br />
Mr. Perfetti has been working in information security for fifteen years. He has<br />
been involved in IT Security for the financial services industry for ten years where he has worked<br />
as an Information Security Officer as well as having been responsible for vulnerability and threat<br />
management, and security engineering. Mr. Perfetti worked for Viacom and MTV as the Manager<br />
of Systems Administration and was the Director of IT Risk Management for the National<br />
Basketball Association. He has a broad range of experience in both operations and security. Mr.<br />
Perfetti provided governance and guidance over risk and compliance issues for the Americas<br />
region of ABN AMRO as the Local Information Security Officer for New York. His responsibilities<br />
were primarily to manage the risk for infrastructure related technology and operations. Other<br />
duties included audit, business continuity, investigations, and security operations oversight. Most<br />
recently, he was head of IT Security & Governance at Tygris Commercial Finance. He was<br />
formerly the VP of the NY/NJ Metro Chapter of OWASP and is currently a board member of the<br />
local chapter. He has served on the IT Security Advisory Board for the Technology Manager’s<br />
Forum. Mr. Perfetti’s accomplishments have been discussed in two books on achieving high<br />
performing, stable, and secure infrastructure. Currently Mr. Perfetti operates IMPACT Security<br />
LLC, a private security contractor firm, that specializes in Incident & Audit Response, Prevention,<br />
and Recovery; as well as developing, enhancing, and implementing Security and Risk<br />
Management programs.<br />
<br />
'''Where:''' University of Texas at Dallas Campus - Galaxy Room C of the Student Union, 800 W. Campbell Rd., Richardson, TX 75080<br />
<br />
'''Parking:''' Park in lot C. I will send a permit to those who have RSVP'd by Tuesday, March 2nd. Those who do not have the permit will need to stop at the Visitor Center on University Parkway to pick up a pass. <br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at one of the many fast-food<br />
restaurants located on the top floor of the Student Union.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A Link to Directions].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am.<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=OWASP_Community&diff=68735OWASP Community2009-09-11T21:50:19Z<p>Leah Teutsch: /* 2009 */</p>
<hr />
<div>This page is for people to post OWASP related events, such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored events.<br />
<br />
Events from previous years are archived here:<br />
* '''[[OWASP Community 2006]]'''<br />
<br />
This page is monitored, and items posted here will be copied to the OWASP Calendar [[Main Page]]. Please post new items in chronological order using the following format:<br />
<br />
'''Mon ## (##:00h) - [[Article]]'''<br />
<br />
<!--<br />
<br />
CHAPTER LEADS -- please put your schedule here and we'll post a month in advance<br />
<br />
*** Belgium ***<br />
<br />
*** OTTAWA: Rough dates ***<br />
<br />
*** BOSTON: Every first Wednesday of the month ***<br />
<br />
*** BOULDER: Every third Thursday of the month except Nov and Dec ***<br />
<br />
*** MELBOURNE: First Tuesday of the month ***<br />
<br />
*** NETHERLANDS: Second Thursday of the month sometimes ***<br />
<br />
*** ROCHESTER: Every third Monday of the month ***<br />
<br />
*** TORONTO: Every second Wednesday of the month<br />
<br />
*** VIRGINIA: Every second thursday of the month ***<br />
<br />
*** SINGAPORE: Every first Thursday of the month ***<br />
<br />
--><br />
<br />
==Upcoming Events==<br />
=== 2009 ===<br />
<br />
'''Feb 10 (17:15h) - [http://www.owasp.org/index.php/Perth_Australia#Threat_Modelling_in_the_Software_Development_Lifecycle_.28Feb_2009.29 Perth Chapter Meeting]'''<br />
<br />
'''April 1 Boston OWASP Chapter meeting - Breaking Browsers - [http://www.owasp.org/index.php/boston Boston Chapter Meeting]'''<br />
<br />
'''September 15 (11:30 to 1:30 pm) Dallas OWASP Chapter meeting - Detective Work for Testers Finding Workflow-based Defects - [http://www.owasp.org/index.php/Dallas Dallas Chapter Meeting]'''<br />
<br />
=== 2008 ===<br />
<br />
'''Dec 11 (17:30h) - [http://www.owasp.org/index.php/Netherlands#Announcement_December_11th_2008:_Architectural_and_design_risk_analysis Netherlands Chapter Meeting]'''<br />
<br />
'''Dec 3 (17:30h) - [https://www.owasp.org/index.php/Denmark#Local_News Denmark Chapter Meeting]'''<br />
<br />
'''Sept 22nd-25th - [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference NY/NJ Metro]'''<br />
<br />
'''Aug 21 (18:00h) - [http://www.owasp.org/index.php/Boulder#Next_Meeting Boulder Chapter Meeting]'''<br />
<br />
==Past Events==<br />
<br />
'''Dec 11 (18:00h) - [[Switzerland|Switzerland chapter meeting]]'''<br />
<br />
'''Mar 26 (17:30h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
'''Jan 29 (11:15h) - [[Helsinki|Helsinki chapter and RWSUG seminar]]'''<br />
<br />
'''Jan 29 (11:30h) - [[Cincinnati|Cincinnati chapter meeting]]'''<br />
<br />
'''Dec 20 (17:30h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
'''Dec 15 (11:00h) - [[Pune|Pune chapter meeting]]'''<br />
<br />
'''Dec 12 (18:00h) - [[Chicago|Chicago chapter meeting]]'''<br />
<br />
'''Dec 6 (18:00h) - [[London|London chapter meeting]]'''<br />
<br />
'''Dec 5 (18:00h) - [[Boston|Possible Boston OWASP Chapter Meeting]] '''<br />
<br />
'''Dec 3 (13:00h) - [[Israel|OWASP Israel 2007]] '''<br />
<br />
'''Nov 29 (18:00h) -[[Seattle|Seattle Chapter Meeting]] '''<br />
<br />
'''Nov 29 (18:00h) -[[Sacramento|Sacramento Chapter Meeting]] '''<br />
<br />
'''Nov 26 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Nov 26 (09:30h) - [[Turkey|Turkey Chapter Meeting - Izmir]] '''<br />
<br />
'''Nov 24 (13:30h) - [[Turkey|Turkey Chapter Meeting - Ankara]] '''<br />
<br />
'''Nov 20 (18:00h) - [[Belgium|Belgium Chapter Meeting]] '''<br />
<br />
'''Nov 14 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''<br />
<br />
'''Nov 14 (18:00h) - [[Houston|Houston Chapter Meeting]] '''<br />
<br />
'''Nov 11 (18:00h) - [[Ireland|Ireland Chapter Meeting]] '''<br />
<br />
'''Nov 7 (18:00h) - [[Boston|Possible Boston OWASP Chapter Meeting]] '''<br />
<br />
'''Nov 7 (19:00h) - [[Singapore|Singapore OWASP Chapter Meeting]] '''<br />
<br />
'''Nov 3 (18:30h) - [[Malaysia|Malaysia OWASP Chapter Meeting]] '''<br />
<br />
'''Oct 9 (19:30h) - [[Singapore|Singapore OWASP chapter meeting]]'''<br />
<br />
'''Oct 2 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''<br />
<br />
'''Sept 27 (1800h) - [[New York|NY/NJ Metro chapter meeting]]'''<br />
<br />
'''Sept 27 (13:00h) - [[Taiwan|Taiwan chapter meeting]]'''<br />
<br />
'''Sept 13 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
'''Sept 10 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Sept 7 (15:00h) [[Germany|German chapter meeting]]''' - Restart of the German Chapter<br />
<br />
'''Sept (12:00h) - [[Belgium|Belgium OWASP Day Event]] '''<br />
<br />
'''Sept 6 (18:00h) - [[Kansas_City|Kansas City Chapter meeting]]'''<br />
<br />
'''Sept 5 (18:00h) - [[Chicago|Chicago Chapter Meeting]]'''<br />
<br />
'''Sept 5 (17:00h) - [[Israel|Israeli chapter meeting]]'''<br />
<br />
'''Sept 5 (18:00h) - [[London|London chapter meeting]]'''<br />
<br />
'''July 25 (18:00h) - [[San Jose|San Jose Chapter Meeting]]'''<br />
<br />
'''July 24 (17:00h) - [[Switzerland|Switzerland chapter meeting]]'''<br />
<br />
'''July 14 (11:00h) - [[Turkey|Turkey chapter meeting - 1st Web Security Days]]'''<br />
<br />
'''July 6 (17:00h) - [[Spain|Spain chapter meeting]]'''<br />
<br />
'''June 26 (11:30h) - [[Austin|Austin chapter meeting]]''' - Running Web Application Scans<br />
<br />
'''June 22 (18:00h) - [[Belgium|Belgium chapter meeting]]'''<br />
<br />
'''June 21 (19:00h) - [[Denver]]''' - Anti-DNS Pinning Attacks / Calculating Return on Security Investment (ROSI)<br />
<br />
'''June 19 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''<br />
<br />
'''June 15 (17:00h) - [[Spain|Spain chapter meeting]]'''<br />
<br />
'''June 14 (08:00h) - [[Vietnam|Vietnam chapter meeting]]'''<br />
<br />
'''June 13 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''<br />
<br />
'''June 12 (18:00h) - [[New York|NY/NJ Metro chapter meeting]]'''<br />
<br />
'''Jun 5 (19:00h) - [[Helsinki|Helsinki chapter meeting]]'''<br />
<br />
'''Jun 5 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Jun 5 (17:30h) - [[Houston | Houston Chapter Meeting]]'''<br />
<br />
'''May 29 (9:00h) - [[http://www.owasp.org/index.php/Italy#May_29th.2C_2007_-_Seminar:_.22Software_Security.22 Italy@Firenze Tecnologia]]'''<br />
<br />
'''May 29 (11:30h) - [[Austin | Austin Chapter Meeting]]''' - Bullet Proof UI - A programmer's guide to the complete idiot". <br />
<br />
'''May 29 (18:00h) - [[Ottawa | Ottawa Chapter Meeting]]'''<br />
<br />
'''May 22 (18:30h) - [[New Zealand|1st New Zealand chapter Meeting]]'''<br />
<br />
'''May 21 (14:00h) - [[Israel|2nd OWASP Israel mini conference]]'''<br />
<br />
'''May 15 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''May 10 (18:00h) - [[Belgium|Belgium chapter meeting]]'''<br />
<br />
'''May 9 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''May 8 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''May 6 (11:00h) - [[Turkey|Turkey chapter meeting]]'''<br />
<br />
'''May 2 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''May 1 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Apr 26 (11:00h) - [[San Antonio|San Antonio chapter meeting]]'''<br />
<br />
'''Apr 26 (17:00h) - [[Switzerland|Switzerland chapter meeting and "Swiss Security Dinner"]]'''<br />
<br />
'''Apr 24 (18:00h) - [[Minneapolis St Paul|Minneapolis St Paul chapter meeting]]'''<br />
<br />
'''Apr 20 (19:00h) - [[Hong Kong|Hong Kong chapter meeting - Objectives for 2007]]'''<br />
<br />
'''Apr 19 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Apr 18 (17:00h) - [[San Francisco City Chapter Meeting]]'''<br />
<br />
'''Apr 17 (18:00h) - [[New Jersey|NY/NJ Metro chapter meeting]]'''<br />
<br />
'''Apr 17 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Apr 12 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
'''Apr 12 (18:00h) - [[San Jose|San Jose chapter meeting]]'''<br />
<br />
'''Apr 11 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Apr 4 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''Apr 3 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Mar 30 - [[http://www.owasp.org/index.php/Italy#March_30th.2C_2007_-_Master_in_Security_-_University_of_Rome_.22La_Sapienza.22| Italy@Master in Security at "La Sapienza"]]'''<br />
<br />
'''Mar 28 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''<br />
<br />
'''Mar 28 (11:30h) - [[San Antonio|San Antonio chapter meeting]]'''<br />
<br />
; '''Mar 27-30 - [http://www.blackhat.com Black Hat Euro]'''<br />
: OWASP members receive a Euro 100 Briefings discount by inserting BH7EUASSOC in the box marked “Coupon Codes”<br />
<br />
'''Mar 22 (18:00h) - [[London|London chapter meeting]]'''<br />
<br />
'''Mar 21-22 - [[Belgium#OWASP_Top_10_2007_Update_.28Infosecurity_Belgium.2C_21_.26_.2622_Mar_2007.29|Belgium@InfoSecurity]]'''<br />
<br />
'''Mar 20 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Mar 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Mar 14 (18:00h) - [[Chicago|Chicago chapter meeting]]'''<br />
<br />
'''Mar 13 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Mar 8 (18:00h) - [[Ottawa|Ottawa Chapter Meeting]] '''<br />
<br />
'''Mar 7 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''Mar 7 (18:30h) - [[Kansas City|Kansas City chapter meeting]]'''<br />
<br />
'''Mar 6 (18:30h) - [[Philadelphia|Philadelphia chapter meeting]]'''<br />
<br />
'''Mar 6 (18:30h) - [[San Francisco|San Francisco and San Jose chapter meeting]]'''<br />
<br />
'''Mar 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Mar 5 (11:00h) - [[New Jersey|New Jersey chapter meeting]]'''<br />
<br />
'''Mar 1 (11:30h) - [http://www.eusecwest.com/agenda.html EUSecWest 07: Testing Guide]'''<br />
<br />
; '''Feb 26-Mar 1 - [http://www.blackhat.com Black Hat DC]'''<br />
: OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”<br />
<br />
'''Feb 28 (18:00h) - [[Seattle|Seattle chapter meeting]]'''<br />
<br />
'''Feb 27 (18:00h) - [[Edmonton|Edmonton chapter meeting]]'''<br />
<br />
'''Feb 22 (18:30h) - [[Helsinki|Helsinki chapter meeting]]'''<br />
<br />
'''Feb 22 (18:00h) - [[London|London chapter meeting]]'''<br />
<br />
'''Feb 21 (18:30h) - [[Denver|Denver chapter meeting]]'''<br />
<br />
'''Feb 19 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Feb 15 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]'''<br />
<br />
'''Feb 15 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Feb 14 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Feb 13 (18:00h) - [[Ireland|Ireland chapter meeting]]'''<br />
<br />
'''Feb 12 (18:30h) - [[Switzerland|Switzerland chapter meeting]]'''<br />
<br />
'''Feb 7 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''Feb 6-7 - [[Italy#February_6th-8th.2C_2007_-_InfoSecurity|Italy@InfoSecurity]]'''<br />
<br />
'''Feb 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''<br />
<br />
'''Feb 2 (14:00h) - [[Chennai|Chennai chapter meeting]]'''<br />
<br />
'''Jan 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]'''<br />
<br />
'''Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]'''<br />
<br />
'''Jan 25 (18:00h) - [[San Francisco| San Francisco chapter meeting]]'''<br />
<br />
'''Jan 25 (14:30h) - [[Italy#October_25th.2C_2007_-_Isaca_Rome|Italy@ISACA Rome]]'''<br />
<br />
'''Jan 24 (17:30h) - [[Israel#6th_OWASP_IL_meeting:_Wednesday.2C_January_24th_2007|6th OWASP Israel chapter meeting]]'''<br />
<br />
'''Jan 23 (18:00h) - [[Belgium|Belgium chapter meeting]]'''<br />
<br />
'''Jan 22 (18:00h) - [[Rochester|Rochester chapter meeting]]'''<br />
<br />
'''Jan 17 (18:30h) - [[Denver|Denver chapter meeting]]'''<br />
<br />
'''Jan 16 (17:45h) - [[Edmonton|Edmonton chapter meeting]]'''<br />
<br />
'''Jan 11 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''<br />
<br />
'''Jan 11 (18:30h) - [[Phoenix|Phoenix chapter meeting]]'''<br />
<br />
'''Jan 11 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''<br />
<br />
'''Jan 10 (18:00h) - [[Toronto|Toronto chapter meeting]]'''<br />
<br />
'''Jan 8 (18:00h) - [[Seattle|Seattle chapter meeting]]'''<br />
<br />
'''Jan 3 (18:30h) - [[Boston|Boston chapter meeting]]'''<br />
<br />
'''May 1 - [[Melbourne | Melbourne chapter meeting]]'''<br />
<br />
'''May 2 - [[Boston]]'''<br />
<br />
'''May 6 - [[Turkey]]'''<br />
<br />
'''May 8 - [[Virginia (Northern Virginia)|Washington DC (VA)]]'''<br />
<br />
'''May 9 - [[Toronto]]'''<br />
<br />
'''May 10 - [[Belgium]]'''<br />
<br />
'''May 15 - [[Rochester]]'''<br />
<br />
'''May 21 - [[Israel]]'''<br />
<br />
'''May 22 - [[New Zealand]]'''<br />
<br />
'''May 29 - [[Italy]]'''<br />
<br />
'''June 5 - [[Houston]]'''<br />
<br />
'''June 5 - [[Melbourne]]'''<br />
<br />
'''June 5 - [[Helsinki]]'''<br />
<br />
'''June 12 - [[New Jersey]]'''<br />
<br />
'''June 15 - [[Spain]]'''<br />
<br />
'''July 14 - [[Turkey]]'''</div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=68121Dallas2009-08-27T20:12:44Z<p>Leah Teutsch: </p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A Link to Directions].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am. <br />
<br />
<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leaders are [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=68120Dallas2009-08-27T20:11:02Z<p>Leah Teutsch: </p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A Link to Directions].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am. <br />
<br />
<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch]__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=68119Dallas2009-08-27T20:09:59Z<p>Leah Teutsch: </p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A Link to Directions].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am. <br />
<br />
'''RSVP: ''' OWASP.DFW.RSVP@denimgroup.com<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch]__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=68118Dallas2009-08-27T20:08:56Z<p>Leah Teutsch: </p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A Link to Directions].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am. <br />
<br />
'''RSVP: ''' OWASP.DFW.RSVP@denimgroup.com<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Please RSVP: OWASP.DFW.RSVP@denimgroup.com<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch]__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=68117Dallas2009-08-27T20:08:10Z<p>Leah Teutsch: </p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am. <br />
<br />
'''RSVP: ''' OWASP.DFW.RSVP@denimgroup.com<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Please RSVP: OWASP.DFW.RSVP@denimgroup.com<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch]__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=68116Dallas2009-08-27T20:07:39Z<p>Leah Teutsch: </p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' [mailto:OWASPDallas@utdallas.edu] This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am. <br />
<br />
'''RSVP: ''' OWASP.DFW.RSVP@denimgroup.com<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Please RSVP: OWASP.DFW.RSVP@denimgroup.com<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch]__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=68115Dallas2009-08-27T20:07:02Z<p>Leah Teutsch: </p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch], [mailto:andrea.wendeln@gmail.com Andrea Wendeln] and [mailto:Don.McMillian@acs-inc.com Don McMillian].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' OWASPDallas@utdallas.edu This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am. <br />
<br />
'''RSVP: ''' OWASP.DFW.RSVP@denimgroup.com<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Please RSVP: OWASP.DFW.RSVP@denimgroup.com<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch]__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=68114Dallas2009-08-27T20:01:09Z<p>Leah Teutsch: </p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' OWASPDallas@utdallas.edu This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am. <br />
<br />
'''RSVP: ''' OWASP.DFW.RSVP@denimgroup.com<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Please RSVP: OWASP.DFW.RSVP@denimgroup.com<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch]__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Dallas&diff=68113Dallas2009-08-27T19:56:06Z<p>Leah Teutsch: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
==== Local News ====<br />
<paypal>Dallas Chapter</paypal><br />
==== Chapter Meetings ====<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' OWASPDallas@utdallas.edu This will help expedite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am. <br />
<br />
'''RSVP: ''' OWASP.DFW.RSVP@denimgroup.com<br />
<br />
==== Chapter Meetings ====<br />
Dallas OWASP Chapter: February 2009 Meeting <br />
<br />
Topic: "Vulnerability Management in an Application Security World." <br />
<br />
Presenter: Dan Cornell, Principal, Denim Group <br />
<br />
Date: February 25, 2009 11:30am – 1:30pm <br />
<br />
Location: <br />
UTD Campus - Galaxy Room of the Student Union, Room SU 2.602<br />
Doors open at 11:00 am.<br />
<br />
Abstract:<br />
<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
Presenter Bio: <br />
<br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
Please RSVP: OWASP.DFW.RSVP@denimgroup.com<br />
<br />
[[Dallas_OWASP_Flyer.pdf]]<br />
<br />
==== Dallas OWASP Chapter Leaders ====<br />
The chapter leader is [mailto:teutsch@utdallas.edu Leah Teutsch]__NOTOC__<br />
<headertabs/></div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Template:Chapter_Template&diff=67979Template:Chapter Template2009-08-24T22:50:47Z<p>Leah Teutsch: /* Chapter Meetings */</p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leadership includes: [mailto:teutsch@utdallas.edu Leah Teutsch, Group Leader], [mailto:andrea.wendeln@gmail.com Andrea Wendeln, Group Leader] and [mailto:Don.McMillian@acs-inc.com Don McMillian, Group Leader.]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}</div>Leah Teutschhttps://wiki.owasp.org/index.php?title=Template:Chapter_Template&diff=67978Template:Chapter Template2009-08-24T22:45:54Z<p>Leah Teutsch: /* OWASP {{{chaptername}}} Local Chapter */</p>
<hr />
<div>{{Chapter Template|chaptername=Dallas|extra=The chapter leadership includes: [mailto:teutsch@utdallas.edu Leah Teutsch, Group Leader], [mailto:andrea.wendeln@gmail.com Andrea Wendeln, Group Leader] and [mailto:Don.McMillian@acs-inc.com Don McMillian, Group Leader.]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-dallas|emailarchives=http://lists.owasp.org/pipermail/owasp-dallas}}<br />
<br />
==== Chapter Meetings ====<br />
<br />
<br />
'''When:''' September 15, 2009, 11:30am - 1:30pm <br />
<br />
'''Topic: ''' Detective Work for Testers. Finding Workflow-based Defects.<br />
<br />
Workflow-based security defects in Web applications are especially difficult to identify because they evade traditional, point-and-scan vulnerability detection techniques. Understanding these potential defects and why black-box scanners typically miss them, are key to creating a testing strategy for successful detection and mitigation. Rafal Los describes the critical role that testers play in assessing application work flows and how business process-based testing techniques can uncover these flaws. Rafal demystifies the two main types of workflow-based application vulnerabilities-business process logic vulnerabilities and parameter-based vulnerabilities-and provides you with a sound basis to improve your testing strategies. Become a security testing sleuth and learn to find the workflow-based security defects before your system is compromised.<br />
<br />
'''Who:''' Rafal Los, Sr. Web Security Specialist, HP Software<br />
<br />
Senior Security Specialist with Hewlett-Packard’s Application Security Center (ASC), Rafal Los has more than thirteen years of experience in network and system design, security policy and process design, risk analysis, penetration testing, and consulting. For the past eight years, he has focused on information security and risk management, leading security architecture teams, and managing successful enterprise security programs for General Electric and other Fortune 100 companies, as well as SMB enterprises. Previously, Rafal spent three years in-house with GE Consumer Finance, leading its web application security programs. <br />
<br />
'''Where:''' The First American Co, 1 First American Way, Westlake, TX 76262 (@15 min from DFW Airport)<br />
<br />
'''Parking:''' Upon arrival at Circle Drive, please pull into the Visitor Kiosk to your right where you will be issued a Visitor’s Parking Pass. Once parked, proceed to Building 5 for your Visitor Badge. See Map for Directions. [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1+first+american+way,+westlake,+tx&sll=37.0625,-95.677068&sspn=48.641855,78.837891&ie=UTF8&mrt=rblall&ll=32.980777,-97.174437&spn=0.006336,0.009624&z=17&iwloc=A].<br />
<br />
'''Cost:''' Always Free<br />
<br />
'''Lunch:''' Bring your own lunch or purchase lunch at the First American Café in Building 7.<br />
<br />
'''RSVP:''' OWASPDallas@utdallas.edu This will help expidite the check-in process. Thanks.<br />
<br />
<br />
'''======================================================'''<br />
<br />
'''When:''' Dallas February 25, 2009 11:30am – 1:30pm<br />
<br />
'''Topic:''' Vulnerability Management in an Application Security World.<br />
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups. <br />
<br />
'''Who:''' Dan Cornell, Principal, Denim Group <br />
Dan Cornell has over ten years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies. He is also the primary author of sprajax, Denim Group’s open source tool for assessing the security of AJAX-enabled web applications. <br />
<br />
'''Where:''' UTD Campus - Galaxy Room of the Student Union, Room SU 2.602 Doors open at 11:00 am. <br />
<br />
'''RSVP: ''' OWASP.DFW.RSVP@denimgroup.com</div>Leah Teutsch