OWASP - User contributions [en]

Chicago

2013-01-03T22:29:23Z

Michael Tracy: Jan 10 updates

== Next Chapter Meeting: January 10th, 2013 ==

The next OWASP Chicago chapter will be on '''January 10th, 2013''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by [http://www.morningstar.com/ Morningstar] at their [http://goo.gl/maps/wfqQ8 Chicago headquarters location] (22 West Washington Street, Chicago, IL 60602).

'''Tell your friends!''' Many people just don't hear about these meetings and most people I ask say they heard about it from a friend or co-worker.

'''This is event is completely free and open to everyone, but you must RSVP.''' Please RSVP at the following EventBrite page so that security can let you into the building: https://owaspchicago.eventbrite.com/

When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks.

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments @ Cafeteria - Light snacks. If you want food, you can bring your own and eat here. Food is not allowed in the auditorium.
* 6:30PM - ~9:30PM - Talks! @ Auditorium

Stay tuned to this page for more information.

==Agenda==

This time, we will be doing short-format talks -- about 25-30 minutes each. There will be time for Q&A.

* '''Common Ruby on Rails Pitfalls''' by Matt Konda and Jonathan Claudius

* '''Automation Domination''' by Brandon Spruth:

''You have either bought some really expensive static and/or dynamic web scanning tools, or you are looking to go on the "cheap" with some free ones. The next decision you will need to make will be either running these in scanning tools manually or dominate with automation! Our discussion will explore some popular options on how to best automate the implementation of your scanning tools, with Continuous Integration, OWASP Projects, and to Normalizing your scanning metrics/findings/vulnerabilities.
''

* '''Static analysis, or CSP, or Python evented stuff (one of them, not all)''' by Ben Toews

* '''Basic Analysis of iOS applications''' by John Downey

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

Follow (and/or DM us) on Twitter: [https://twitter.com/owaspchicago @owaspchicago]

If you have any questions about the Chicago chapter, please send an email to [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain].

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

'''[https://www.owasp.org/images/8/88/Secure_Password_Storage_%40OWASPChicago.pdf]Secure Password Storage'''
John Steven, Cigital

This talk discusses the pros and cons of the current practices such as salted-hashes, adaptive hashes and proposes an alternative solution for strengthening these existing practices. The talk will discuss the cryptographic properties of the current practices, but does not require a PhD in mathematics to understand the details.

'''[http://www.offenseindepth.com/slides/Stripe_OWASP.pdf]Stripe CTF 2.0; A Walkthrough'''
Jeff Jarmoc, Dell SecureWorks
Zack Fasel, Dubsec Labs

In this presentation, we walk through our solutions to Stripe CTF 2.0. Focus is on how we discovered the vulnerabilities, and how we went about finding and exploiting them.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
* [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain]
* Mahmood Khan

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-12-26T02:06:20Z

Michael Tracy: Jan 10 meeting

== Next Chapter Meeting: January 10th, 2013 ==

The next OWASP Chicago chapter will be on '''January 10th, 2013''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by [http://www.morningstar.com/ Morningstar] at their [http://goo.gl/maps/wfqQ8 Chicago headquarters location] (22 West Washington Street, Chicago, IL 60602).

'''This is event is completely free and open to everyone, but you must RSVP.''' Please RSVP at the following EventBrite page so that security can let you into the building: https://owaspchicago.eventbrite.com/

When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks.

'''The format for this meeting will consist of 20-minute lightning talks. We are still short on talks (no pun intended) -- if you have a talk in mind, please [mailto:vitaly.mclain+owasp@gmail.com let me know].'''

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments @ Cafeteria - Light snacks. If you want food, you can bring your own and eat here. Food is not allowed in the auditorium.
* 6:30PM - ~9:30PM - Talks! @ Auditorium

Stay tuned to this page for more information.

==Agenda==

TBA.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

Follow (and/or DM us) on Twitter: [https://twitter.com/owaspchicago @owaspchicago]

If you have any questions about the Chicago chapter, please send an email to [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain].

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

'''[https://www.owasp.org/images/8/88/Secure_Password_Storage_%40OWASPChicago.pdf]Secure Password Storage'''
John Steven, Cigital

This talk discusses the pros and cons of the current practices such as salted-hashes, adaptive hashes and proposes an alternative solution for strengthening these existing practices. The talk will discuss the cryptographic properties of the current practices, but does not require a PhD in mathematics to understand the details.

'''[http://www.offenseindepth.com/slides/Stripe_OWASP.pdf]Stripe CTF 2.0; A Walkthrough'''
Jeff Jarmoc, Dell SecureWorks
Zack Fasel, Dubsec Labs

In this presentation, we walk through our solutions to Stripe CTF 2.0. Focus is on how we discovered the vulnerabilities, and how we went about finding and exploiting them.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
* [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain]
* Mahmood Khan

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-10-08T02:12:51Z

Michael Tracy:

== Next Chapter Meeting: October 11th, 2012 ==

The next OWASP Chicago chapter will be on '''October 11th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by [http://www.morningstar.com/ Morningstar] at their [http://goo.gl/maps/wfqQ8 Chicago headquarters location] (22 West Washington Street, Chicago, IL 60602).

'''This is event is completely free and open to everyone, but you must RSVP.''' Please RSVP at the following EventBrite page so that security can let you into the building: https://owaspchicago.eventbrite.com/

When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks.

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments @ Cafeteria - Light snacks. If you want food, you can bring your own and eat here. Food is not allowed in the auditorium.
* 6:30PM - ~9:30PM - Talks! @ Auditorium

Stay tuned to this page for more information.

==Agenda==

'''10/7 update:''' We now have two talks, which should give more time for Q/A and interaction.

'''John Steven''' on '''Secure Password Storage: Increasing Resistance to Brute Force Attacks''' -- 6:30 - 7:30pm + Q/A time

'''Jeff Jarmoc''' and '''Zack Fasel''' on the '''Stripe CTF 2.0''' -- ~7:45 - 8:45pm + Q/A time

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

Follow (and/or DM us) on Twitter: [https://twitter.com/owaspchicago @owaspchicago]

If you have any questions about the Chicago chapter, please send an email to [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain].

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
* [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain]
* Mahmood Khan

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-10-08T01:51:19Z

Michael Tracy:

== Next Chapter Meeting: October 11th, 2012 ==

The next OWASP Chicago chapter will be on '''October 11th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by [http://www.morningstar.com/ Morningstar] at their [http://goo.gl/maps/wfqQ8 Chicago headquarters location] (22 West Washington Street, Chicago, IL 60602).

'''This is event is completely free and open to everyone, but you must RSVP.''' Please RSVP at the following EventBrite page so that security can let you into the building: https://owaspchicago.eventbrite.com/

When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks.

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

Stay tuned to this page for more information.

==Agenda==

'''10/7 update:''' We now have two talks, which should give more time for Q/A and interaction.

'''John Steven''' on '''Secure Password Storage: Increasing Resistance to Brute Force Attacks''' -- 6:30 - 7:30pm + Q/A time

'''Jeff Jarmoc''' and '''Zack Fasel''' on the '''Stripe CTF 2.0''' -- ~7:45 - 8:45pm + Q/A time

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

Follow (and/or DM us) on Twitter: [https://twitter.com/owaspchicago @owaspchicago]

If you have any questions about the Chicago chapter, please send an email to [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain].

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
* [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain]
* Mahmood Khan

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-10-08T01:46:27Z

Michael Tracy:

== Next Chapter Meeting: October 11th, 2012 ==

The next OWASP Chicago chapter will be on '''October 11th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by [http://www.morningstar.com/ Morningstar] at their [http://goo.gl/maps/wfqQ8 Chicago headquarters location] (22 West Washington Street, Chicago, IL 60602).

'''This is event is completely free and open to everyone, but you must RSVP.''' Please RSVP at the following EventBrite page so that security can let you into the building: https://owaspchicago.eventbrite.com/

When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks.

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

Stay tuned to this page for more information.

==Agenda==

'''Oct 7th update:'' 'We now have two talks, which should give more time for Q/A and interaction.

'''John Steven''' on '''Secure Password Storage: Increasing Resistance to Brute Force Attacks''' -- 6:30 - 7:30pm + Q/A time

'''Jeff Jarmoc''' and '''Zack Fasel''' on the '''Stripe CTF 2.0''' -- ~7:30 - 8:30 + Q/A time

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

Follow (and/or DM us) on Twitter: [https://twitter.com/owaspchicago @owaspchicago]

If you have any questions about the Chicago chapter, please send an email to [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain].

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
* [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain]
* Mahmood Khan

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-09-22T23:57:53Z

Michael Tracy: Meeting updates

== Next Chapter Meeting: October 11th, 2012 ==

The next OWASP Chicago chapter will be on '''October 11th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by [http://www.morningstar.com/ Morningstar] at their [http://goo.gl/maps/wfqQ8 Chicago headquarters location] (22 West Washington Street, Chicago, IL 60602).

'''This is event is completely free and open to everyone, but you must RSVP.''' Please RSVP at the following EventBrite page so that security can let you into the building: https://owaspchicago.eventbrite.com/

When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks.

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

Stay tuned to this page for more information.

==Agenda==

'''Jacob Kitchel''' on '''Static nonces in an embedded digest access auth implementation''' -- 6:30 - 7:00pm

'''John Steven''' on '''Secure Password Storage: Increasing Resistance to Brute Force Attacks''' -- 7:00 - 8:00pm

'''Jeff Jarmoc''' and '''Zack Fasel''' on the '''Stripe CTF 2.0''' -- 8:00 - 9:00pm

We'll firm up the evening's agenda as the date nears.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

Follow (and/or DM us) on Twitter: [https://twitter.com/owaspchicago @owaspchicago]

If you have any questions about the Chicago chapter, please send an email to [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain].

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
* [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain]
* Mahmood Khan

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-09-05T22:25:50Z

Michael Tracy:

== Next Chapter Meeting: October 11th, 2012 ==

The next OWASP Chicago chapter will be on '''October 11th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by [http://www.morningstar.com/ Morningstar] at their [http://goo.gl/maps/wfqQ8 Chicago headquarters location] (22 West Washington Street, Chicago, IL 60602).

'''We are in need of speakers!''' If you have a talk, anywhere from 20min - 1hr, please let me know. [mailto:vitaly.mclain+owasp@gmail.com Send me] a quick abstract (doesn't need to be formal) so I have an idea about what you want to talk about. Even if you've asked before, please let me know again.

Otherwise:

When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks. The meeting is open to everyone and is free to attend!

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

Stay tuned to this page for more information.

==Agenda==

??????

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as the date nears.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain].

==Presentation abstracts==

TBA

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
* [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain]
* Mahmood Khan

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-09-05T22:24:57Z

Michael Tracy:

== Next Chapter Meeting: October 11th, 2012 ==

The next OWASP Chicago chapter will be on '''October 11th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by [http://www.morningstar.com/ Morningstar] at their [http://goo.gl/maps/wfqQ8 Chicago headquarters location] (22 West Washington Street, Chicago, IL 60602).

'''We are in need of speakers!''' If you have a talk, anywhere from 20min - 1hr, please let me know. [mailto:vitaly.mclain+owasp@gmail.com Send me] quick abstract (doesn't need to be formal) so I have an idea about what you want to talk about. Even if you've asked before, please let me know again.

When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks. The meeting is open to everyone and is free to attend!

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

==Agenda==

??????

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as the date nears.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain].

==Presentation abstracts==

TBA

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
* [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain]
* Mahmood Khan

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-09-05T21:11:07Z

Michael Tracy:

== Next Chapter Meeting: October 11th, 2012 ==

The next OWASP Chicago chapter will be on '''October 11th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by [http://www.morningstar.com/ Morningstar] at their [http://goo.gl/maps/wfqQ8 Chicago headquarters location] (22 West Washington Street, Chicago, IL 60602).

When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks. The meeting is open to everyone and is free to attend!

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

==Agenda==

??????

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as the date nears.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain].

==Presentation abstracts==

TBA

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
* [mailto:vitaly.mclain+owasp@gmail.com Vitaly McLain]
* Mahmood Khan

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-09-05T21:10:37Z

Michael Tracy:

== Next Chapter Meeting: October 11th, 2012 ==

The next OWASP Chicago chapter will be on '''October 11th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by [http://www.morningstar.com/ Morningstar] at their [http://goo.gl/maps/wfqQ8 Chicago headquarters location] (22 West Washington Street, Chicago, IL 60602).

When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks. The meeting is open to everyone and is free to attend!

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

==Agenda==

??????

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as the date nears.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to [mailto:vitaly.mclain@gmail.com Vitaly McLain].

==Presentation abstracts==

TBA

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
* [mailto:vitaly.mclain@gmail.com Vitaly McLain]
* Mahmood Khan

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-09-05T20:45:04Z

Michael Tracy: Editing for next meeting

== Next Chapter Meeting: October 11th, 2012 ==

The next OWASP Chicago chapter will be on '''October 11th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by [http://www.morningstar.com/ Morningstar] at their [http://goo.gl/maps/wfqQ8 Chicago headquarters location] (22 West Washington Street, Chicago, IL 60602).

When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks. The meeting is open to everyone and is free to attend!

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

==Agenda==

??????

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as the date nears.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.] Any questions about the January meeting please contact [mailto:vitaly.mclain@gmail.com Vitaly McLain].

==Presentation abstracts==

TBA

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
* [mailto:vitaly.mclain@gmail.com Vitaly McLain]
* Mahmood Khan

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-01-09T04:00:29Z

Michael Tracy: Updating schedule

== Next Chapter Meeting: January 19th, 2012 ==

The next OWASP Chicago chapter will be on '''January 19th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by Morningstar at their [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=22+West+Washington+Street+Chicago,+IL+60602&aq=&sll=37.0625,-95.677068&sspn=30.599615,68.554688&ie=UTF8&hq=&hnear=22+W+Washington+St,+Chicago,+Illinois+60602&z=16 downtown Chicago headquarters location] (22 West Washington Street Chicago, IL 60602).

'''You must RSVP for this event''' by sending an email to [mailto:vitaly.mclain@gmail.com Vitaly McLain]. Please try to include "OWASP" in the subject, and send your name no later than 4PM on January 18th. When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks. The meeting is open to everyone and is free to attend!

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

==Agenda==

'''Speakers''':

* '''Abraham Kang - DOM-based XSS and output encoding'''

An interactive presentation that intends to turn all of the listeners of the presentation into XSS experts and help them understand how to mitigate XSS properly using output encoding.

* '''Luca Carettoni - From CVE-2010-0738 to the recent JBoss worm'''

Being a widely deployed enterprise application server, JBoss has always been a juicy target for attackers. Security vulnerabilities and misconfigurations in critical components, such as the infamous JMX-console, can be exploited in order to execute arbitrary code and harm the confidentiality, integrity and availability of the entire system. Our quick journey through JBoss insecurity will start from the analysis of a critical authentication bypass flaw to the recent JBoss worm which affected numerous installations worldwide. This presentation will also cover practical aspects on how to detect misconfigurations and secure your application server.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as the date nears.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.] Any questions about the January meeting please contact [mailto:vitaly.mclain@gmail.com Vitaly McLain].

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-01-06T21:12:39Z

Michael Tracy:

== Next Chapter Meeting: January 19th, 2012 ==

The next OWASP Chicago chapter will be on '''January 19th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by Morningstar at their [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=22+West+Washington+Street+Chicago,+IL+60602&aq=&sll=37.0625,-95.677068&sspn=30.599615,68.554688&ie=UTF8&hq=&hnear=22+W+Washington+St,+Chicago,+Illinois+60602&z=16 downtown Chicago headquarters location] (22 West Washington Street Chicago, IL 60602).

'''You must RSVP for this event''' by sending an email to [mailto:vitaly.mclain@gmail.com Vitaly McLain]. Please try to include "OWASP" in the subject, and send your name no later than 4PM on January 18th. When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks. The meeting is open to everyone and is free to attend.

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

==Agenda==

'''Speakers''':

* Abraham Kang - DOM-based XSS and output encoding
* Luca Carettoni - From CVE-2010-0738 to the recent JBoss worm

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as the date nears.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.] Any questions about the January meeting please contact [mailto:vitaly.mclain@gmail.com Vitaly McLain].

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-01-06T21:12:12Z

Michael Tracy:

== Next Chapter Meeting: January 19th, 2012 ==

The next OWASP Chicago chapter will be on '''January 19th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by Morningstar at their [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=22+West+Washington+Street+Chicago,+IL+60602&aq=&sll=37.0625,-95.677068&sspn=30.599615,68.554688&ie=UTF8&hq=&hnear=22+W+Washington+St,+Chicago,+Illinois+60602&z=16 downtown Chicago headquarters location] (22 West Washington Street Chicago, IL 60602).

'''You must RSVP for this event''' by sending an email to [mailto:vitaly.mclain@gmail.com Vitaly McLain]. Please try to include "OWASP" in the subject, and send your name no later than 4PM on January 18th. When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks.

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

==Agenda==

'''Speakers''':

* Abraham Kang - DOM-based XSS and output encoding
* Luca Carettoni - From CVE-2010-0738 to the recent JBoss worm

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as the date nears.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.] Any questions about the January meeting please contact [mailto:vitaly.mclain@gmail.com Vitaly McLain].

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-01-06T01:45:27Z

Michael Tracy:

== Next Chapter Meeting: January 19th, 2012 ==

The next OWASP Chicago chapter will be on '''January 19th, 2012''' from 6PM to approximately 9:30PM. Space for the meeting is being graciously provided by Morningstar at their [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=22+West+Washington+Street+Chicago,+IL+60602&aq=&sll=37.0625,-95.677068&sspn=30.599615,68.554688&ie=UTF8&hq=&hnear=22+W+Washington+St,+Chicago,+Illinois+60602&z=16 downtown Chicago headquarters location] (22 West Washington Street Chicago, IL 60602).

'''You must RSVP for this event''' by sending an email to [mailto:vitaly.mclain@gmail.com Vitaly McLain]. Please try to include "OWASP" in the subject, and send your name no later than 4PM on January 18th. When you arrive, you will need to sign in with security in the lobby of the building, who will direct you to the cafeteria for refreshments. We will then move to the Auditorium for talks.

The schedule is as follows:

* 6:00PM - 6:30PM - Refreshments
* 6:30PM - ~9:30PM - Talks!

==Agenda==

'''Speakers''':

* Abraham Kang - TBA
* Luca Carettoni - TBA

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as the date nears.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.] Any questions about the January meeting please contact [mailto:vitaly.mclain@gmail.com Vitaly McLain].

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2012-01-05T21:15:47Z

Michael Tracy: Prepping page for January announcement

== Next Chapter Meeting: January ==

'''Please stay tuned for an announcement of the January meeting. Anyone with questions about this meeting please contact Vitaly McLain <vitaly.mclain@gmail.com>'''

==Agenda==

Submit talks or ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.] Any questions about the January meeting please contact [mailto:vitaly.mclain@gmail.com Vitaly McLain].

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]

__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2011-05-27T21:19:49Z

Michael Tracy:

=== It's been a long time coming and here it is! ===
== Next Chapter Meeting: June 2nd, 2011 ==

The next Chicago chapter meeting will be June 2nd starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=22+West+Washington+Street+Chicago,+IL+60602&aq=&sll=37.0625,-95.677068&sspn=30.599615,68.554688&ie=UTF8&hq=&hnear=22+W+Washington+St,+Chicago,+Illinois+60602&z=16 downtown Chicago headquarters location] (22 West Washington Street Chicago, IL 60602)

Please RSVP (to mike.tracy@gmail.com) no later than 4:00pm June 1st to make sure we can get you in the building.

==Agenda==

* 6:00-6:30 punch and pie
* 6:30-8:30 another round of lightning talks

We had so much fun doing the first round of lightning talks that we're going to give it another go.

Have a subject you can talk about in 10-15 minutes? Have a subject you'd like to see talked about in the same span? OWASP Chicago chapter is hosting an evening of lightning talks on the subjects you want to hear.

Tentatively scheduled:

* Tom Brennan "OWASP where we are... where we are going"
* Daniel Crowley "Jack of all Formats"
* Kuai Hinojosa TBD
* Jacob Kitchel TBD
* Rafal Los "This is a Talk I Pulled from My Magic Hat"
* Peter Morgan TBD
* Greg Ose TBD
* YOU!

Submit talks or ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2011-05-13T13:30:40Z

Michael Tracy:

=== It's been a long time coming and here it is! ===
== Next Chapter Meeting: June 2nd, 2011 ==

The next Chicago chapter meeting will be June 2nd starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=22+West+Washington+Street+Chicago,+IL+60602&aq=&sll=37.0625,-95.677068&sspn=30.599615,68.554688&ie=UTF8&hq=&hnear=22+W+Washington+St,+Chicago,+Illinois+60602&z=16 downtown Chicago headquarters location] (22 West Washington Street Chicago, IL 60602)

Please RSVP (to mike.tracy@gmail.com) no later than 4:00pm June 1st to make sure we can get you in the building.

==Agenda==

* 6:00-6:30 punch and pie
* 6:30-8:30 another round of lightning talks

We had so much fun doing the first round of lightning talks that we're going to give it another go.

Have a subject you can talk about in 10-15 minutes? Have a subject you'd like to see talked about in the same span? OWASP Chicago chapter is hosting an evening of lightning talks on the subjects you want to hear.

Tentatively scheduled:

* Tom Brennan "OWASP where we are... where we are going"
* Daniel Crowley "Jack of all Formats"
* William Cummins "Donald Rumsfeld is my Co-Pilot: a cautionary tale"
* Kuai Hinojosa TBD
* Jacob Kitchel TBD
* Rafal Los "This is a Talk I Pulled from My Magic Hat"
* Peter Morgan TBD
* Greg Ose TBD
* YOU!

Submit talks or ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2011-05-13T13:28:41Z

Michael Tracy:

=== It's been a long time coming and here it is! ===
== Next Chapter Meeting: June 2nd, 2011 ==

The next Chicago chapter meeting will be June 2nd starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=22+West+Washington+Street+Chicago,+IL+60602&aq=&sll=37.0625,-95.677068&sspn=30.599615,68.554688&ie=UTF8&hq=&hnear=22+W+Washington+St,+Chicago,+Illinois+60602&z=16 downtown Chicago headquarters location] (22 West Washington Street Chicago, IL 60602)

Please RSVP (to mike.tracy@gmail.com) no later than 4:00pm June 1st to make sure we can get you in the building.

==Agenda==

* 6:00-6:30 punch and pie
* 6:30-8:30 another round of lightning talks

We has so much fun doing the first round of lightning talks that we're going to give it another go.

Have a subject you can talk about in 10-20 minutes? Have a subject you'd like to see talked about in the same span? OWASP Chicago chapter is hosting an evening of lightning talks on the subjects you want to hear.

Tentatively scheduled:

* Tom Brennan "OWASP where we are... where we are going"
* Daniel Crowley "Jack of all Formats"
* William Cummins "Donald Rumsfeld is my Co-Pilot: a cautionary tale"
* Kuai Hinojosa TBD
* Jacob Kitchel TBD
* Rafal Los "This is a Talk I Pulled from My Magic Hat"
* Peter Morgan TBD
* Greg Ose TBD
* YOU!

Submit talks or ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2011-04-21T16:29:34Z

Michael Tracy:

=== It's been a long time coming and here it is! ===
== Next Chapter Meeting: June 2nd, 2011 ==

The next Chicago chapter meeting will be June 2nd starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their downtown Chicago headquarters location (22 West Washington Street Chicago, IL 60602).

Please RSVP (to mike.tracy@gmail.com) no later than 4:00pm June 1st to make sure we can get you in the building.

==Agenda==

* 6:00-6:30 punch and pie
* 6:30-8:30 another round of lightning talks

We has so much fun doing the first round of lightning talks that we're going to give it another go.

Have a subject you can talk about in 10-20 minutes? Have a subject you'd like to see talked about in the same span? OWASP Chicago chapter is hosting an evening of lightning talks on the subjects you want to hear.

Tentatively scheduled:

* YOU!

Submit talks or ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-10-26T21:18:30Z

Michael Tracy:

== Next Chapter Meeting: November 11th, 2010 ==

The next Chicago chapter meeting will be November 11th starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their downtown Chicago headquarters location (22 West Washington Street Chicago, IL 60602).

Please RSVP (to mike.tracy@gmail.com) no later than 4:00pm November 10th to make sure we can get you in the building.

==Agenda==

* 6:00-6:30 punch and pie
* 6:30-8:30 presentations (that may or May Not include a slide deck)

The theme for this quarter's meeting is "Slides Optional, Demos Awesome".

Have a tool, technique or [censored] you can demonstrate to a crowd of information-hungry webappsec people? Bring it in and bring it on.

Tentatively scheduled:

* Scriptable Hit Tracing and Debugging Using Nerve and Ragweed (Mike Tracy & Timur Duehr)
* "Teenage Mutant HTTP Headers" (Cory Scott)
* Assessing Android Apps (Mike Zusman)

Submit ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-10-26T14:24:54Z

Michael Tracy:

== Next Chapter Meeting: November 11th, 2010 ==

The next Chicago chapter meeting will be November 11th starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their downtown Chicago headquarters location (22 West Washington Street Chicago, IL 60602).

Please RSVP (to mike.tracy@gmail.com) no later than 4:00pm November 10th to make sure we can get you in the building.

==Agenda==

* 6:00-6:30 punch and pie
* 6:30-8:30 presentations (that may or May Not include a slide deck)

The theme for this quarter's meeting is "Slides Optional, Demos Awesome".

Have a tool, technique or [censored] you can demonstrate to a crowd of information-hungry webappsec people? Bring it in and bring it on.

Tentatively scheduled:

* Scriptable Hit Tracing and Debugging Using Nerve and Ragweed (Mike Tracy & Timur Duehr)
* "Teenage Mutant HTTP Headers" (Cory Scott)
* Untitled [but awesome] (Mike Zusman)

Submit ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-10-26T14:24:34Z

Michael Tracy:

== Next Chapter Meeting: November 11th, 2010 ==

The next Chicago chapter meeting will be November 11th starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their downtown Chicago headquarters location (22 West Washington Street Chicago, IL 60602).

Please RSVP (to mike.tracy@gmail.com) no later than 4:00pm November 10th to make sure we can get you in the building.

==Agenda==

* 6:00-6:30 punch and pie
* 6:30-8:30 presentations (that may or May Not include a slide deck)

The theme for this quarter's meeting is "Slides Optional, Demos Awesome".

Have a tool, technique or [censored] you can demonstrate to a crowd of information-hungry webappsec people? Bring it in and bring it on.

Tentatively scheduled:

* Scriptable Hit Tracing and Debugging Using Nerve and Ragweed (Mike Tracy & Timur Duehr)
* "Teenage MutantHTTP Headers" (Cory Scott)
* Untitled [but awesome] (Mike Zusman)

Submit ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-10-15T12:30:07Z

Michael Tracy:

== Next Chapter Meeting: November 11th, 2010 ==

The next Chicago chapter meeting will be November 11th starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their downtown Chicago headquarters location (22 West Washington Street Chicago, IL 60602).

Please RSVP (to mike.tracy@gmail.com) no later than 4:00pm November 10th to make sure we can get you in the building.

==Agenda==

* 6:00-6:30 punch and pie
* 6:30-8:30 presentations (that may or May Not include a slide deck)

The theme for this quarter's meeting is "Slides Optional, Demos Awesome".

Have a tool, technique or [censored] you can demonstrate to a crowd of information-hungry webappsec people? Bring it in and bring it on.

Tentatively scheduled:

* Scriptable Hit Tracing and Debugging Using Nerve and Ragweed (Matasano)

Submit ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-10-15T12:26:32Z

Michael Tracy:

== Next Chapter Meeting: November 11th, 2010 ==

The next Chicago chapter meeting will be November 11th starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their downtown Chicago headquarters location (22 West Washington Street Chicago, IL 60602).

Please RSVP (to mike.tracy@gmail.com) no later than 4:00pm September 20th to make sure we can get you in the building.

==Agenda==

* 6:00-6:30 punch and pie
* 6:30-8:30 presentations (that may or May Not include a slide deck)

The theme for this quarter's meeting is "Slides Optional, Demos Awesome".

Have a tool, technique or [censored] you can demonstrate to a crowd of information-hungry webappsec people? Bring it in and bring it on.

Tentatively scheduled:

* Scriptable Hit Tracing and Debugging Using Nerve and Ragweed (Matasano)

Submit ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-10-15T12:26:06Z

Michael Tracy:

== Next Chapter Meeting: November 11th, 2010 ==

The next Chicago chapter meeting will be November 11th starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their downtown Chicago headquarters location (22 West Washington Street Chicago, IL 60602).

Please RSVP (to mike.tracy@gmail.com) no later than 4:00pm September 20th to make sure we can get you in the building.

==Agenda==

* 6:00-6:30 punch and pie
* 6:30-8:30 presentations (that may or May Not include a slide deck)

The theme for this quarter's meeting is "Slides Optional, Demos Awesome".

Have a tool, technique or [censored] you can demonstrate to a crowd of information-hungry webappsec people? Bring it in and bring it on.

Tentatively scheduled:

* Scriptable Debugging and Hit Tracing Using Nerve and Ragweed (Matasano)

Submit ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-06-16T17:24:30Z

Michael Tracy:

Chicago

2010-06-11T18:27:14Z

Michael Tracy:

Chicago

2010-06-11T17:49:52Z

Michael Tracy:

Chicago

2010-06-07T21:29:06Z

Michael Tracy: /* Agenda */

Chicago

2010-06-07T17:38:46Z

Michael Tracy: /* Agenda */

Chicago

2010-06-06T00:43:04Z

Michael Tracy: /* Next Chapter Meeting: June 17th, 2010 *New Location* */

Chicago

2010-06-05T11:44:29Z

Michael Tracy: /* Agenda */

Chicago

2010-06-05T11:44:05Z

Michael Tracy: /* Agenda */

Chicago

2010-06-04T22:46:00Z

Michael Tracy: /* Agenda */

Chicago

2010-06-04T18:23:13Z

Michael Tracy: /* Agenda */

Chicago

2010-06-04T15:21:55Z

Michael Tracy: /* Agenda */

Chicago

2010-06-04T14:02:06Z

Michael Tracy: /* Presentation abstracts */

Chicago

2010-06-04T14:01:23Z

Michael Tracy: /* Agenda */

== Next Chapter Meeting: June 17th, 2010 *New Location* ==

The next Chicago chapter meeting will be June 17th starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their downtown Chicago headquarters location (22 West Washington Street Chicago, IL 60602).

Please RSVP no later than 4:00pm June 16th to make sure we can get you in the building.

==Agenda==

6:00-6:30 punch and pie
6:30-8:30 more talks than you can shake a stick at

Have a subject you can talk about in 10-20 minutes? Have a subject you'd like to see talked about in the same span? OWASP Chicago chapter is hosting an evening of lightning talks on the subjects you want to hear.

Tentatively scheduled:

* Paul Petefish on the new OWASP Top 10 list
* Clint Pollock "The State of Software Security"
* Thomas Ptacek on an interesting subject.
* Bill Cummins "You down with OPB (Other People's Bugs)"
* Brandon Spruth (TBD)
* <insert your talk or subject here>

Submit talks or ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

''Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data''

ABSTRACT

With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.
Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams.
In this session we will cover;
* Prevalence of backdoors and malicious code in third party attacks
* Definitions and classifications of backdoors and their impact on your applications
* Methods to identify, track and remediate these vulnerabilities

SPEAKER BIO

Erik Peterson from Veracode will be presenting.

''Open Software Assurance Maturity Model (OpenSAMM)''

ABSTRACT

The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.

SPEAKER BIO

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-06-02T22:45:17Z

Michael Tracy: /* Next Chapter Meeting: June 17th, 2010 *New Location* */

== Next Chapter Meeting: June 17th, 2010 *New Location* ==

The next Chicago chapter meeting will be June 17th starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their downtown Chicago headquarters location (22 West Washington Street Chicago, IL 60602).

Please RSVP no later than 4:00pm June 16th to make sure we can get you in the building.

==Agenda==

Have a subject you can talk about in 10-20 minutes? Have a subject you'd like to see talked about in the same span? OWASP Chicago chapter is hosting an evening of lightning talks on the subjects you want to hear.

Tentatively scheduled:

* Paul Petefish on the new OWASP Top 10 list.
* Thomas Ptacek on an interesting subject.
* Bill Cummins "You down with OPB (Other People's Bugs)"
* Brandon Spruth (TBD)
* <insert your talk or subject here>

Submit talks or ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

''Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data''

ABSTRACT

With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.
Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams.
In this session we will cover;
* Prevalence of backdoors and malicious code in third party attacks
* Definitions and classifications of backdoors and their impact on your applications
* Methods to identify, track and remediate these vulnerabilities

SPEAKER BIO

Erik Peterson from Veracode will be presenting.

''Open Software Assurance Maturity Model (OpenSAMM)''

ABSTRACT

The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.

SPEAKER BIO

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-06-02T22:44:30Z

Michael Tracy: /* Agenda */

== Next Chapter Meeting: June 17th, 2010 *New Location* ==

The next quarterly Chicago OWASP Chapter meeting will be June 17th 2010 at a location yet to be determined at 6pm. Please RSVP to mike.tracy@gmail.com by EOB on the 16th so we can enter your name into the venue's security system.

==Agenda==

Have a subject you can talk about in 10-20 minutes? Have a subject you'd like to see talked about in the same span? OWASP Chicago chapter is hosting an evening of lightning talks on the subjects you want to hear.

Tentatively scheduled:

* Paul Petefish on the new OWASP Top 10 list.
* Thomas Ptacek on an interesting subject.
* Bill Cummins "You down with OPB (Other People's Bugs)"
* Brandon Spruth (TBD)
* <insert your talk or subject here>

Submit talks or ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

''Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data''

ABSTRACT

With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.
Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams.
In this session we will cover;
* Prevalence of backdoors and malicious code in third party attacks
* Definitions and classifications of backdoors and their impact on your applications
* Methods to identify, track and remediate these vulnerabilities

SPEAKER BIO

Erik Peterson from Veracode will be presenting.

''Open Software Assurance Maturity Model (OpenSAMM)''

ABSTRACT

The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.

SPEAKER BIO

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-06-02T22:44:04Z

Michael Tracy: /* Agenda */

== Next Chapter Meeting: June 17th, 2010 *New Location* ==

The next quarterly Chicago OWASP Chapter meeting will be June 17th 2010 at a location yet to be determined at 6pm. Please RSVP to mike.tracy@gmail.com by EOB on the 16th so we can enter your name into the venue's security system.

==Agenda==

Have a subject you can talk about in 10-20 minutes? Have a subject you'd like to see talked about in the same span? OWASP Chicago chapter is hosting an evening of lightning talks on the subjects you want to hear.

The meeting will be June 17th starting at 6:00pm and running until about 8:30. Space for the meeting is being graciously provided by Morningstar at their downtown Chicago headquarters location (22 West Washington Street Chicago, IL 60602). Please RSVP no later than 4:00pm June 16th to make sure we can get you in the building.

Tentatively scheduled:

* Paul Petefish on the new OWASP Top 10 list.
* Thomas Ptacek on an interesting subject.
* Bill Cummins "You down with OPB (Other People's Bugs)"
* Brandon Spruth (TBD)
* <insert your talk or subject here>

Submit talks or ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

''Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data''

ABSTRACT

With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.
Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams.
In this session we will cover;
* Prevalence of backdoors and malicious code in third party attacks
* Definitions and classifications of backdoors and their impact on your applications
* Methods to identify, track and remediate these vulnerabilities

SPEAKER BIO

Erik Peterson from Veracode will be presenting.

''Open Software Assurance Maturity Model (OpenSAMM)''

ABSTRACT

The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.

SPEAKER BIO

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-06-02T01:51:08Z

Michael Tracy: /* Agenda */

== Next Chapter Meeting: June 17th, 2010 *New Location* ==

The next quarterly Chicago OWASP Chapter meeting will be June 17th 2010 at a location yet to be determined at 6pm. Please RSVP to mike.tracy@gmail.com by EOB on the 16th so we can enter your name into the venue's security system.

==Agenda==

Have a subject you can talk about in 10-20 minutes? Have a subject you'd like to see talked about in the same span? OWASP Chicago chapter is hosting an evening of lightning talks on the subjects you want to hear.

We're hoping to meet Thursday, June 17th at a venue still to be determined.

Tentatively scheduled:

* Paul Petefish will give a short presentation on the new OWASP Top 10 list.
* Thomas Ptacek will give a short presentation on an interesting subject.
* <insert your talk or subject here>

Submit talks or ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

''Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data''

ABSTRACT

With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.
Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams.
In this session we will cover;
* Prevalence of backdoors and malicious code in third party attacks
* Definitions and classifications of backdoors and their impact on your applications
* Methods to identify, track and remediate these vulnerabilities

SPEAKER BIO

Erik Peterson from Veracode will be presenting.

''Open Software Assurance Maturity Model (OpenSAMM)''

ABSTRACT

The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.

SPEAKER BIO

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-06-01T16:57:59Z

Michael Tracy: /* Next Chapter Meeting: February 2, 2010 *New Location* */

== Next Chapter Meeting: June 17th, 2010 *New Location* ==

The next quarterly Chicago OWASP Chapter meeting will be June 17th 2010 at a location yet to be determined at 6pm. Please RSVP to mike.tracy@gmail.com by EOB on the 16th so we can enter your name into the venue's security system.

==Agenda==

Have a subject you can talk about in 10-20 minutes? Have a subject you'd like to see talked about in the same span? OWASP Chicago chapter is hosting an evening of lightning talks on the subjects you want to hear.

We're hoping to meet Thursday, June 17th at a venue still to be determined.

Tentatively scheduled:

Paul Petefish will give a short presentation on the new OWASP Top 10 list.
Thomas Ptacek will give a short presentation on an interesting subject.
<insert your talk or subject here>

Submit talks or ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

''Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data''

ABSTRACT

With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.
Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams.
In this session we will cover;
* Prevalence of backdoors and malicious code in third party attacks
* Definitions and classifications of backdoors and their impact on your applications
* Methods to identify, track and remediate these vulnerabilities

SPEAKER BIO

Erik Peterson from Veracode will be presenting.

''Open Software Assurance Maturity Model (OpenSAMM)''

ABSTRACT

The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.

SPEAKER BIO

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]

Chicago

2010-06-01T16:56:01Z

Michael Tracy: /* Agenda */

== Next Chapter Meeting: February 2, 2010 *New Location* ==

The next quarterly Chicago OWASP Chapter meeting will be February 2nd, 2010 in the Monadnock Building conference room (53 W Jackson, 8th floor) at 6pm. Please RSVP to cory.scott@owasp.org by February 1st so we can enter your name into the building's security system.

==Agenda==

Have a subject you can talk about in 10-20 minutes? Have a subject you'd like to see talked about in the same span? OWASP Chicago chapter is hosting an evening of lightning talks on the subjects you want to hear.

We're hoping to meet Thursday, June 17th at a venue still to be determined.

Tentatively scheduled:

Paul Petefish will give a short presentation on the new OWASP Top 10 list.
Thomas Ptacek will give a short presentation on an interesting subject.
<insert your talk or subject here>

Submit talks or ideas for talks to mike.tracy@gmail.com and we'll get things rolling.

Also, follow (and/or DM us) on twitter @owaspchicago

We'll firm up the evening's agenda as we get submissions.

== General Information ==

Anyone in our area interested in information security is welcome to attend. Our meetings are informal and encourage open discussion of all aspects of application security. We invite attendees to give short presentations about specific topics.

Make sure you sign up for the mailing list to receive meeting announcements.

We have a mailing list at: https://lists.owasp.org/mailman/listinfo/owasp-chicago

If you have any questions about the Chicago chapter, please send an email to our chapter leaders [mailto:mtracy@matasano.com Mike Tracy] or [mailto:jason@wittys.com Jason Witty.]

==Presentation abstracts==

''Protecting Your Applications from Backdoors: How to Secure Your Business Critical Applications from Time Bombs, Backdoors & Data''

ABSTRACT

With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers.
Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear- safeguard your code and make applications security a priority for internal and external development teams.
In this session we will cover;
* Prevalence of backdoors and malicious code in third party attacks
* Definitions and classifications of backdoors and their impact on your applications
* Methods to identify, track and remediate these vulnerabilities

SPEAKER BIO

Erik Peterson from Veracode will be presenting.

''Open Software Assurance Maturity Model (OpenSAMM)''

ABSTRACT

The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open a free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.

SPEAKER BIO

Pravir Chandra is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir Co-Founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.

== Presentation Archives ==

Bad Cocktail: Spear Phishing - Mike Zusman - Presentation slides [https://www.owasp.org/images/6/60/Zusman_Chicago_2008.pdf here]

Making Money on the Web The Blackhat Way - Jeremiah Grossman - Presentation slides [https://www.owasp.org/images/2/24/Grossman_Chicago_2008.pdf here]

Extreme Client-Side Exploitation - Nate McFeters - Presentation slides [http://www.blackhat.com/presentations/bh-usa-08/McFeters_Carter_Heasman/BH_US_08_Mcfeters_Carter_Heasman_Extreme_Client-Side_Exploitation.pdf here]

Automated Thrash Testing - Andre Gironda - Presentation slides [http://www.owasp.org/images/3/32/Auto-thrash-testing.pdf here] 

Defeating Information Leak Prevention - Eric Monti - Presentation slides [https://www.owasp.org/images/4/4a/OWASP-CHI07-Defeating_Extrusion_Detection.pdf here] 

'''[http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf]Webapps In Name Only'''
Thomas Ptacek, Matasano Security

Where modern network architecture meets legacy application design, we get "The Port 80 Problem": vendors wrapping every conceivable network protocol in a series of POSTs and calling them "safe". These "Webapps In Name Only" are a nightmare for application security specialists.

In this talk, we'll discuss, with case studies, how tools from protocol reverse engineering can be brought to bear on web application security, covering the following areas:

- Locating and Decompiling Java and .NET Code
- Structure and Interpretation of Binary Protocols in HTTP
- Protocol Debugging Tools
- Web App Crypto Tricks

'''[http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt]Token-less strong authentication for web applications: A Security Review'''
Cory Scott, ABN AMRO

A short presentation on the threat models and attack vectors for token-less schemes used to reduce the risk of password-only authentication, but yet do not implement "true" two-factor technologies for logistical costs or user acceptance reasons. We'll go over how device fingerprinting and IP geo-location work and discuss the pros and cons of the solutions.

<paypal>Chicago</paypal>

==== Chicago OWASP Chapter Leaders ====
[mailto:mtracy@matasano.com Mike Tracy]

[mailto:jason@wittys.com Jason Witty]
__NOTOC__
<headertabs/>
[[Category:OWASP Chapter]]
[[Category:Illinois]]