https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Ryan+BehanOWASP - User contributions [en]2026-05-23T01:47:02ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Long_Island&diff=173699Long Island2014-04-28T18:52:15Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/ '''Long Island chapter is a proud sponsor of Women in AppSec 2013'''] <br />
<br />
<br />
[https://myowasp.force.com/memberappregion '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br> Corporate Silver Supporter: [[File:Secdec-logo_division.png|200x100px|link=http://securedecisions.com/]]<br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<ul><br />
<li><strong>April 28 2014</strong></li><br />
* Time: Monday April 28, 2014 @ 7:00PM<br />
* Location TIBCO Office 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
A simple dinner will be provided. RSVP requested.<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
This is a meeting to brainstorm ideas on how to outreach and organize chapter activities. This is also a greet and meet opportunity for people who want to join the chapter board. Whether you are ready to join the board or not, you are welcome to the meeting or email your suggestions to helen.gao at owasp.org.<br />
<br />
<li><strong>May 2014</strong></li><br />
* Time: May, 2014. Details to be determined.<br />
* Location (tentative): '''TIBCO Office''' 200 Garden City Plaza, Suite 220, Garden City, NY 11530 <br />
* Directions: [https://maps.google.com/maps?hl=en&q=200++Garden+City+Plaza,+Garden+City,+NY+11530&ie=UTF-8&hq=&hnear=0x89c27d7c971cb6db:0x3b25e3102c9f3ded,200+Garden+City+Plaza,+Garden+City,+NY+11530&gl=us&daddr=200+Garden+City+Plaza,+Garden+City,+NY+11530&ei=yIRUUcqLI5HE4AP2sYGACg&ved=0CC4QwwUwAA Map]<br />
<br />
[http://securedecisions.com/ Secure Decisions], a division of [http://www.avi.com/ Applied Visions Inc.] is a sponsor of this meeting.<br><br />
[http://www.tibco.com/ TIBCO Software Inc.] is a sponsor of this meeting.<br />
<br />
<li><strong>Sept. 2014</strong></li><br />
* Details to be determined.<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em''' <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda:Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses We cannot hack or firewall our way<br />
secure. Application programmers need to learn to code in a secure<br />
fashion if we have any chance of providing organizations with proper<br />
defenses in the current threatscape. This talk will discuss the 10<br />
most important security-centric computer programming techniques<br />
necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat<br />
Security, a web security firm. Jim is a participant and project<br />
manager of the OWASP Developer Cheatsheet series. He is also the<br />
producer and host of the OWASP Podcast Series.<br />
<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=141089Long Island2012-12-13T02:09:36Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<br />
<h4><i>The 12/13/2012 meeting room has changed to room 204 on the second floor of Hagedorn Hall of Enterprise.</i></h4><br />
<br />
'''Dr. Kees Leune - Threat Modeling'''<br/><br/><br />
RSVP Requested [http://www.eventbrite.com/event/4962223143 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<ul><br />
<li><strong>12/13/2012</strong></li><br />
*Time: 6:30pm - 9:00 pm<br />
* Location: '''Room 204 on the second floor of Hagedorn Hall of Enterprise''' (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map].<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em''' <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda:Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses We cannot hack or firewall our way<br />
secure. Application programmers need to learn to code in a secure<br />
fashion if we have any chance of providing organizations with proper<br />
defenses in the current threatscape. This talk will discuss the 10<br />
most important security-centric computer programming techniques<br />
necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat<br />
Security, a web security firm. Jim is a participant and project<br />
manager of the OWASP Developer Cheatsheet series. He is also the<br />
producer and host of the OWASP Podcast Series.<br />
<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=140595Long Island2012-12-03T02:34:47Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
'''Dr. Kees Leune - Threat Modeling'''<br/><br/><br />
RSVP Requested [http://www.eventbrite.com/event/4962223143 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<ul><br />
<li><strong>12/13/2012</strong></li><br />
*Time: 6:30pm - 9:00 pm<br />
* Location: '''Room 108 on the first level of Hagedorn Hall of Enterprise''' (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map].<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em''' <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda:Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses We cannot hack or firewall our way<br />
secure. Application programmers need to learn to code in a secure<br />
fashion if we have any chance of providing organizations with proper<br />
defenses in the current threatscape. This talk will discuss the 10<br />
most important security-centric computer programming techniques<br />
necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat<br />
Security, a web security firm. Jim is a participant and project<br />
manager of the OWASP Developer Cheatsheet series. He is also the<br />
producer and host of the OWASP Podcast Series.<br />
<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=140594Long Island2012-12-03T01:46:49Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
'''Dr. Kees Leune - Threat Modeling'''<br />
<br />
<ul><br />
<li><strong>12/13/2012</strong></li><br />
*Time: 6:30pm - 9:00 pm<br />
* Location: '''Room 108 on the first level of Hagedorn Hall of Enterprise''' (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map].<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
==''' September Meeting '''==<br />
Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em''' <br/><br/><br />
<br />
<ul><br />
* Date: Monday, September 24, 2012<br />
* Time: 6:30pm - 9:00 pm<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi <br />
</ul><br />
<br />
<br />
*Agenda:Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses We cannot hack or firewall our way<br />
secure. Application programmers need to learn to code in a secure<br />
fashion if we have any chance of providing organizations with proper<br />
defenses in the current threatscape. This talk will discuss the 10<br />
most important security-centric computer programming techniques<br />
necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat<br />
Security, a web security firm. Jim is a participant and project<br />
manager of the OWASP Developer Cheatsheet series. He is also the<br />
producer and host of the OWASP Podcast Series.<br />
<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=136470Long Island2012-09-25T16:35:12Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''A Message From The Chapter''' ==<br />
<br />
Important update:<br/><br />
'''September 24th, Chapter Meeting Session Recording: http://www.youtube.com/watch?v=r12yiXnagbY&sns=em''' <br/><br/><br />
<br />
'''The September 25 meeting has been moved to September 24''' <br/><br/><br />
Important :: Due to scheduling conflicts the chapter leaders have made the decision to move the September meeting date to Monday September 24th. Please modify your registration accordingly or register using the link below.... <br/><br />
<br />
OWASP LI greatly apologize for any Inconvenience this may cause and look forward to seeing you at the meeting. <br />
<br />
<br />
== '''Next Meetings''' ==<br />
In order to accommodate a larger group for the Monday September 24th meeting, the room has changed. Please see the meeting details below.<br/><br />
<br />
For those who cannot make the trip or unable to get a registration slot, Adelphi University will be graciously providing a live feed. You can connect to the feed one hour prior to the meeting. Please sign in as guest, there will be an option provided on the login form prior to the meeting.<br />
<br/><ul><li><br />
<strong>[https://adelphi.adobeconnect.com/_a839711231/owasp The URL for this live feed can be found here].</strong><br />
</li></ul><br />
<br/><br />
<br />
<ul><br />
<li><strong>9/24/2012</strong></li><br />
*Time: 6:30pm - 9:00 pm<br />
* Location: '''Room 108 on the first level of Hagedorn Hall of Enterprise''' (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map].<br />
<br />
*Agenda:Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses We cannot hack or firewall our way<br />
secure. Application programmers need to learn to code in a secure<br />
fashion if we have any chance of providing organizations with proper<br />
defenses in the current threatscape. This talk will discuss the 10<br />
most important security-centric computer programming techniques<br />
necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat<br />
Security, a web security firm. Jim is a participant and project<br />
manager of the OWASP Developer Cheatsheet series. He is also the<br />
producer and host of the OWASP Podcast Series.<br />
<br />
RSVP Requested [http://owaspli_sept2012.eventbrite.com http://www.owasp.org/images/7/7f/Register.gif]<br />
<br><br> Important:: RegOnline has been deactivated as of August 1st., If you had RSVP'd previously using regonline, We ask that you please redo your RSVP. Apologies for the Inconvenience.<br><br />
<br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
<li><strong>12/13/2012</strong></li><br />
*Details TBD<br />
</ul><br />
<br />
<br />
<br />
<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<ul><br />
<li><strong>December 13, 2012</strong></li><br />
*Details TBD<br />
</ul><br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=136297Long Island2012-09-22T02:17:02Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''A Message From The Chapter''' ==<br />
<br />
Important update:<br/><br />
'''The September 25 meeting has been moved to September 24''' <br/><br/><br />
Important :: Due to scheduling conflicts the chapter leaders have made the decision to move the September meeting date to Monday September 24th. Please modify your registration accordingly or register using the link below.... <br/><br />
<br />
OWASP LI greatly apologize for any Inconvenience this may cause and look forward to seeing you at the meeting. <br />
<br />
<br />
== '''Next Meetings''' ==<br />
In order to accommodate a larger group for the Monday September 24th meeting, the room has changed. Please see the meeting details below.<br/><br />
<br />
For those who cannot make the trip or unable to get a registration slot, Adelphi University will be graciously providing a live feed. You can connect to the feed one hour prior to the meeting. Please sign in as guest, there will be an option provided on the login form prior to the meeting.<br />
<br/><ul><li><br />
<strong>[https://adelphi.adobeconnect.com/_a839711231/owasp The URL for this live feed can be found here].</strong><br />
</li></ul><br />
<br/><br />
<br />
<ul><br />
<li><strong>9/24/2012</strong></li><br />
*Time: 6:30pm - 9:00 pm<br />
* Location: '''Room 108 on the first level of Hagedorn Hall of Enterprise''' (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map].<br />
<br />
*Agenda:Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses We cannot hack or firewall our way<br />
secure. Application programmers need to learn to code in a secure<br />
fashion if we have any chance of providing organizations with proper<br />
defenses in the current threatscape. This talk will discuss the 10<br />
most important security-centric computer programming techniques<br />
necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat<br />
Security, a web security firm. Jim is a participant and project<br />
manager of the OWASP Developer Cheatsheet series. He is also the<br />
producer and host of the OWASP Podcast Series.<br />
<br />
RSVP Requested [http://owaspli_sept2012.eventbrite.com http://www.owasp.org/images/7/7f/Register.gif]<br />
<br><br> Important:: RegOnline has been deactivated as of August 1st., If you had RSVP'd previously using regonline, We ask that you please redo your RSVP. Apologies for the Inconvenience.<br><br />
<br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
<li><strong>12/13/2012</strong></li><br />
*Details TBD<br />
</ul><br />
<br />
<br />
<br />
<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<ul><br />
<li><strong>December 13, 2012</strong></li><br />
*Details TBD<br />
</ul><br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=136296Long Island2012-09-22T02:14:24Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''A Message From The Chapter''' ==<br />
<br />
Important update:<br/><br />
'''The September 25 meeting has been moved to September 24''' <br/><br/><br />
Important :: Due to scheduling conflicts the chapter leaders have made the decision to move the September meeting date to Monday September 24th. Please modify your registration accordingly or register using the link below.... <br/><br />
<br />
OWASP LI greatly apologize for any Inconvenience this may cause and look forward to seeing you at the meeting. <br />
<br />
<br />
== '''Next Meetings''' ==<br />
In order to accommodate a larger group for the Monday September 24th meeting, the room has changed. Please see the meeting details below.<br/><br />
<br />
For those who cannot make the trip or unable to get a registration slot, Adelphi University will be graciously providing a live feed. <br />
<br/><ul><li><br />
<strong>[https://adelphi.adobeconnect.com/_a839711231/owasp The URL for this live feed can be found here].</strong><br />
</li></ul><br />
<br/><br />
<br />
<ul><br />
<li><strong>9/24/2012</strong></li><br />
*Time: 6:30pm - 9:00 pm<br />
* Location: '''Room 108 on the first level of Hagedorn Hall of Enterprise''' (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map].<br />
<br />
*Agenda:Jim Manico will be presenting on the topic of Top 10 Web Defenses through Secure Application Programming<br />
<br />
<strong>Abstract:</strong> Top Ten Web Defenses We cannot hack or firewall our way<br />
secure. Application programmers need to learn to code in a secure<br />
fashion if we have any chance of providing organizations with proper<br />
defenses in the current threatscape. This talk will discuss the 10<br />
most important security-centric computer programming techniques<br />
necessary to build low-risk web-based applications.<br />
<br />
<strong>Speaker Bio:</strong> Jim Manico is the VP of Security Architecture for WhiteHat<br />
Security, a web security firm. Jim is a participant and project<br />
manager of the OWASP Developer Cheatsheet series. He is also the<br />
producer and host of the OWASP Podcast Series.<br />
<br />
RSVP Requested [http://owaspli_sept2012.eventbrite.com http://www.owasp.org/images/7/7f/Register.gif]<br />
<br><br> Important:: RegOnline has been deactivated as of August 1st., If you had RSVP'd previously using regonline, We ask that you please redo your RSVP. Apologies for the Inconvenience.<br><br />
<br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
<li><strong>12/13/2012</strong></li><br />
*Details TBD<br />
</ul><br />
<br />
<br />
<br />
<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change, please check back frequently for updates'' <br><br> <br />
<br />
----<br />
<ul><br />
<li><strong>December 13, 2012</strong></li><br />
*Details TBD<br />
</ul><br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
=='''May Meeting'''==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
=='''February Meeting'''==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
=='''November'''==<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
=='''September'''==<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=130840Long Island2012-06-01T13:12:38Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''A Message From The Chapter''' ==<br />
<br />
To our membership and prospective learners, the May meeting was great. Many thanks to Kees Leune and Adelphi University for hosting the event. Jack Mannino was great, the presentation on Android was catalyst for great dialog amongst a full room of attendees. Looking forwards to seeing everyone in September. If anyone is interested in having a summer meeting, please [mailto:ryan.behan@owasp.org contact me]. <br />
<br />
<br />
== '''Next Meetings''' ==<br />
<ul><br />
<li><strong>9/13/2012</strong></li><br />
*Details TBD<br />
<li><strong>12/13/2012</strong></li><br />
*Details TBD<br />
</ul><br />
<br />
<br />
<br />
<br />
== '''May Meeting''' ==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
RSVP Requested [http://www.regonline.com/Register/Checkin.aspx?EventID=1089917 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change'' <br><br> <br />
<br />
----<br />
<br> February 2012<br />
<br />
*Time: 7:00pm-9:30pm <br> <br />
*Location: Adelphi University <br> <br />
*Topics: OWASP top 10 Vulnerability Lab <br><br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
'''February Meeting'''<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
'''November'''<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
'''September'''<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=130839Long Island2012-06-01T12:59:02Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
[http://www.cvent.com/d/gcqpwh/3W '''Become a Member NOW''']<br />
<br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''Next Meetings''' ==<br />
<ul><br />
<li><strong>9/13/2012</strong></li><br />
*Details TBD<br />
<li><strong>12/13/2012</strong></li><br />
*Details TBD<br />
</ul><br />
<br />
<br />
<br />
<br />
== '''May Meeting''' ==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. Directions: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] Enter the building from the North and go down the stairs.<br />
<br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
RSVP Requested [http://www.regonline.com/Register/Checkin.aspx?EventID=1089917 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br />
*Registration Details: The meeting space is limited; register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly or email one of the leaders. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks One of Jack's presentations on mobile security]<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change'' <br><br> <br />
<br />
----<br />
<br> February 2012<br />
<br />
*Time: 7:00pm-9:30pm <br> <br />
*Location: Adelphi University <br> <br />
*Topics: OWASP top 10 Vulnerability Lab <br><br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
'''February Meeting'''<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
'''November'''<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
'''September'''<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks OWASP Top 10 Mobile Risk presentation in AppSec DC on April, 2012. By Jack Mannino, Mike Zusman, Zach Lanier]<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=128174Long Island2012-04-20T01:24:06Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
<paypal>Long Island</paypal> <br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''May Meeting''' ==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 10, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
RSVP Requested [http://www.regonline.com/Register/Checkin.aspx?EventID=1089917 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Practical Android Security'''<br />
<br />
Abstract:<br />
<br />
Building secure Android applications can be achieved with a mix of common sense, leveraging platform security features, and following secure development best practices. This presentation will focus on security “quick wins” during development and will cover techniques that can reduce the overall attack surface within Android applications.<br />
<br />
The OWASP GoatDroid and OWASP MobiSec tools will be used throughout the presentation to demonstrate issues encountered in the real world. We will cover the attack surface for Android and highlight the most prevalent security flaws found within production applications.<br />
<br />
<br />
<br />
Topics:<br />
*Mobile Application Security<br />
*OWASP GoatDroid<br />
*OWASP MobiSec<br />
<br />
<br><br />
<hr><br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, an application security firm located within the Washington DC area. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful application security initiatives. He is an active Android security researcher, and has a keen interest in identifying security issues and trends on a large scale. Jack is the leader and founder of the OWASP Mobile Security Project. He also serves as a board member on the OWASP Northern Virginia chapter. Jack is also the lead developer for the OWASP GoatDroid Project, which is a collection of vulnerable Android applications used for training and education.<br />
<br />
<br />
<br />
Directions to Adelphi University: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] <br><br />
Once at the building, enter the building from the North and go down the stairs.<br />
<br />
<br />
<!-- <br><br> Directions to Hofstra University (It is just off of Hempstead Turnpike):To get to the Student Center from the Meadowbrook Parkway: Go West on Hempstead Turnpike to the 4th traffic light and make a right on to Oak street, then make another right 100 feet into Hofstra’s parking lot. [http://maps.google.com/maps?hl=en&biw=1219&bih=809&um=1&ie=UTF-8&cid=0,0,18137204279734354163&fb=1&hq=hofstra+university&hnear=Old+Westbury,+NY&gl=us&daddr=Hofstra+University,+Hempstead,+NY+11549-1000&geocode=1582588550823583642,40.714111,-73.600523&ei=1ZixTb2EOeTs0gH3m7SLCQ&sa=X&oi=local_result&ct=directions-to&resnum=2&ved=0CB8QngIwAQ Map] --><br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center><br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change'' <br><br> <br />
<br />
----<br />
<br> February 2012<br />
<br />
*Time: 7:00pm-9:30pm <br> <br />
*Location: Adelphi University <br> <br />
*Topics: OWASP top 10 Vulnerability Lab <br><br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
'''February Meeting'''<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
'''November'''<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
'''September'''<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=127616Long Island2012-04-10T01:42:57Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
<paypal>Long Island</paypal> <br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''May Meeting''' ==<br />
<br />
''' Guest Speaker Jack Mannino discusses the OWASP Top 10 Mobile Risks ''' <br> <br><br />
<br />
* Date: Thursday, May 20<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
*''Free pizza and beverage will be provided.'' <br />
<br />
RSVP Requested [http://www.regonline.com/Register/Checkin.aspx?EventID=1089917 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''OWASP Top 10 Mobile Risks'''<br />
<br />
Topics:<br />
**Mobile Application Security<br />
<br />
'''About the Speaker''' - <br />
<br />
Jack Mannino is the CEO of nVisium Security, a leading provider of mobile application and web application security services. At nVisium he is responsible for ensuring that all services are delivered at the highest levels of quality and with keen attention to detail. He focuses on mobile application security research (especially Android), and is the co-leader of the OWASP Mobile Security Project. In addition to the Mobile Security Project, Jack is also heavily involved with the OWASP Northern Virginia Chapter where he serves as a member of the chapter's board.<br />
In the past, Jack honorably served in the United States Navy. He has spoken at OWASP events, ISSA events, and cyber security conferences for the Department of Defense.<br />
<br />
<br />
<br />
<br />
<br />
Directions to Adelphi University: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] <br><br />
Once at the building, enter the building from the North and go down the stairs.<br />
<br />
<br />
<!-- <br><br> Directions to Hofstra University (It is just off of Hempstead Turnpike):To get to the Student Center from the Meadowbrook Parkway: Go West on Hempstead Turnpike to the 4th traffic light and make a right on to Oak street, then make another right 100 feet into Hofstra’s parking lot. [http://maps.google.com/maps?hl=en&biw=1219&bih=809&um=1&ie=UTF-8&cid=0,0,18137204279734354163&fb=1&hq=hofstra+university&hnear=Old+Westbury,+NY&gl=us&daddr=Hofstra+University,+Hempstead,+NY+11549-1000&geocode=1582588550823583642,40.714111,-73.600523&ei=1ZixTb2EOeTs0gH3m7SLCQ&sa=X&oi=local_result&ct=directions-to&resnum=2&ved=0CB8QngIwAQ Map] --><br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center> <br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change'' <br><br> <br />
<br />
----<br />
<br> February 2012<br />
<br />
*Time: 7:00pm-9:30pm <br> <br />
*Location: Adelphi University <br> <br />
*Topics: OWASP top 10 Vulnerability Lab <br><br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
'''February Meeting'''<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
'''November'''<br />
<br />
* Date: Thursday, November 17, 2012<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
'''September'''<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[https://www.owasp.org/index.php/OWASP_Jobs OWASP Job Board]<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=126715Long Island2012-03-22T14:11:34Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
<paypal>Long Island</paypal> <br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
cor<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''February Meeting''' ==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
<br />
Directions to Adelphi University: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] <br><br />
Once at the building, enter the building from the North and go down the stairs.<br />
<br />
<br />
<!-- <br><br> Directions to Hofstra University (It is just off of Hempstead Turnpike):To get to the Student Center from the Meadowbrook Parkway: Go West on Hempstead Turnpike to the 4th traffic light and make a right on to Oak street, then make another right 100 feet into Hofstra’s parking lot. [http://maps.google.com/maps?hl=en&biw=1219&bih=809&um=1&ie=UTF-8&cid=0,0,18137204279734354163&fb=1&hq=hofstra+university&hnear=Old+Westbury,+NY&gl=us&daddr=Hofstra+University,+Hempstead,+NY+11549-1000&geocode=1582588550823583642,40.714111,-73.600523&ei=1ZixTb2EOeTs0gH3m7SLCQ&sa=X&oi=local_result&ct=directions-to&resnum=2&ved=0CB8QngIwAQ Map] --><br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center> <br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change'' <br><br> <br />
<br />
----<br />
<br> February 2012<br />
<br />
*Time: 7:00pm-9:30pm <br> <br />
*Location: Adelphi University <br> <br />
*Topics: OWASP top 10 Vulnerability Lab <br><br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
'''November'''<br />
<br />
* Date: Thursday, November 17<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
'''September'''<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=126714Long Island2012-03-22T14:10:27Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
<paypal>Long Island</paypal> <br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
cor<br />
__NOTOC__ <br />
<br />
=News and Chapter Meetings=<br />
<br />
== '''February Meeting''' ==<br />
<br />
'''In a continuation of the previous meeting we have once again organized a lab to demonstrate the OWASP top 10 vulnerabilities. Please find the details below''' <br> <br><br />
<br />
* Date: Thursday, February 16<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
RSVP Requested [http://www.regonline.com/OWASP_LI_Feb2012 http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
<br />
Directions to Adelphi University: [http://maps.google.com/maps?hl=en&sugexp=kjrmc&cp=8&gs_id=v&xhr=t&qe=QWRlbHBoaSA&qesig=JiDWqoZNuHjzxH4mu6hKFg&pkc=AFgZ2tkIdEHC3xl3TdCwzVHV-FzgNlMu6AZnN1IK_YD8inckTi6GpPNW_NXm1BSV3gh-c-dec9v32CZ8YRCkAnZnP8Jja8WVtw&gs_upl=&bav=on.2,or.r_gc.r_pw.,cf.osb&biw=1302&bih=938&um=1&ie=UTF-8&cid=0,0,9404387279279361491&fb=1&hq=adelphi+university&hnear=0x89c286e540a98237:0x6a5b71f23a74346c,Old+Westbury,+NY&gl=us&daddr=1+South+Avenue,+Garden+City,+NY+11530-0701&geocode=0,40.721203,-73.652149&ei=xHScTsqnMefm0QGXhpiaBA&sa=X&oi=local_result&ct=directions-to&resnum=1&ved=0CFYQngIwAA Map] | [http://www.adelphi.edu/visitors/campus.php Campus Map] <br><br />
Once at the building, enter the building from the North and go down the stairs.<br />
<br />
<br />
<!-- <br><br> Directions to Hofstra University (It is just off of Hempstead Turnpike):To get to the Student Center from the Meadowbrook Parkway: Go West on Hempstead Turnpike to the 4th traffic light and make a right on to Oak street, then make another right 100 feet into Hofstra’s parking lot. [http://maps.google.com/maps?hl=en&biw=1219&bih=809&um=1&ie=UTF-8&cid=0,0,18137204279734354163&fb=1&hq=hofstra+university&hnear=Old+Westbury,+NY&gl=us&daddr=Hofstra+University,+Hempstead,+NY+11549-1000&geocode=1582588550823583642,40.714111,-73.600523&ei=1ZixTb2EOeTs0gH3m7SLCQ&sa=X&oi=local_result&ct=directions-to&resnum=2&ved=0CB8QngIwAQ Map] --><br />
<br />
----<br />
<br />
'''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at a future meeting, please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].<br />
<br />
<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center> <br />
<br />
=Calendar=<br />
<br />
'''2012 Meeting Schedule''' <br> ''The information on this page is subject to change'' <br><br> <br />
<br />
----<br />
<br> February 2012<br />
<br />
*Time: 7:00pm-9:30pm <br> <br />
*Location: Adelphi University <br> <br />
*Topics: OWASP top 10 Vulnerability Lab <br><br />
<br />
----<br />
<br />
<br />
=Past Meetings=<br />
<br />
'''November'''<br />
<br />
* Date: Thursday, November 17<br />
* Location: IT conference room in the lower level of Hagedorn Hall of Enterprise (Building HHE on Map upper right), Adelphi University. <br />
* Time: 7:00pm-9:30pm<br />
<br />
<br><br><br />
*Registration Details: This chapter meeting has been organized to be a lab; as a result, space is limited in the room to a maximum of 21 people. Register early and be considerate of others; if you find that you cannot attend afterwards, please modify your registration accordingly. <br><br><br />
<br />
* Meeting Agenda:<br />
<br />
'''Dr. Kees Leune - Lab utilizing some of the OWASP 10 vulnerabilities with BackTrack 5.'''<br />
<br />
Topics:<br />
**Overview of BackTrack<br />
**Overview of some tools on BackTrack (nmap, JohnTheRipper,MetaSploit)<br />
**Overview of the lab challenge (covers multiple owasp top 10 vulns)<br />
<br />
'''''Laptops are needed if you wish to participate in the lab exercise!'''''<br />
<br />
<br />
'''About the Speaker''' - <br />
<br />
Dr. Kees Leune is an Information Security Officer, Strategist, Professor, Mentor, Adviser, Consultant, Speaker and occasional open source developer. He blogs at http://www.leune.org and can be found on Twitter as @leune. Kees has extensive experience in information security and holds several professional certifications, including the CISSP, GCIH, GCFA, CISM, and CISA.<br />
<br />
<br />
<br />
<br />
'''September'''<br />
*Date: Thursday, September 22, 2011 <br />
*Time: 6:30pm - 9:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
'''Helen Gao - [https://www.owasp.org/images/c/c3/OWASPTop10XSSLongIsland.pdf Cross-site scripting], the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself.<br />
<br />
<br><br />
'''About the Speaker -''' Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles.<br />
<br />
<br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br><br />
Topics - <br />
Recent Attack on Infraguard Website.<br />
Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like? <br />
LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets?<br />
<br><br><br />
'''About the Speaker -''' Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure. <br />
<br />
<br />
<br />
<br />
'''May'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: Student Center, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March''' <br><br />
'''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br><br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' <br />
<br />
<br />
=Chapter Board Members and Contacts=<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
<br />
<br />
<headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=114439Long Island2011-07-22T18:40:23Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }} <br />
<br />
<paypal>Long Island</paypal> <br />
<br />
<br> Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}} <br />
<br />
==== News &amp; Chapter Meeting ====<br />
<br />
''' UPDATED - Details for the next Long Island Chapter meeting are below:''' <br> <br><br />
<br />
* Date: Thursday July, 28<br />
* Location: Student Center #143, Hofstra University, Hempstead, NY 11549-1000 <br />
* Time: 6:30pm-9:30pm<br />
* Agenda:<br />
<br />
'''Helen Gao - Cross-site scripting, the most prevalent. Web application vulnerability:''' <br><br />
Helen will discuss one of the most widespread Web application Vulnerabilities. How can an application be attacked and how to protect yourself. <br><br />
<br><br />
About the Speaker - Helen Gao has worked in the field of information security since 1991. Helen has worked as an application developer, project manager, and software architect. Her employment history includes working at a financial institution, a market research company, a high-tech device manufacturer and a software company. Helen is currently a senior architect at TIBCO Software Inc. Her job duties include the design and development of complex event processing software. The protection of information security in such systems is challenging, due to their strict performance requirements in terms of high event throughput and low processing latency. Helen welcomes the challenge and uses the knowledge she obtained from OWASP to manage project life cycles. <br><br><br />
<br />
'''Round Table Discussions Coordinated by Ryan Behan:''' <br />
** Recent Attack on Infraguard Website.<br />
** Security as a Service Model vs. Internally Managed Security -Five years from now, what will IT look like?<br />
** LulzSec, Anonymous, A-Team - Motivations for attacks? How do small-medium size businesses protect themselves from this? Insurance, increased IT budgets, executive management awareness of these new movements? These are interesting groups that deserve our attention.<br />
<br />
About the Speaker - Ryan Behan is the Director of Internal IT at Netsmart Technologies Inc. He is a strong proponent of information sharing, application security and improving business agility through automation and scalable infrastructure.<br />
<br />
<!-- ---- --><br />
<br />
<!-- '''Call For Topics & Speakers''' <br><br><br />
If you are interested in presenting or have a topic you'd like discussed at the July meeting, Please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member]. Topics and Requests to be a speaker should be submitted by June 28th. --><br />
<br />
*Pizza and refreshments will be provided<br />
<br><br />
RSVP Requested [http://www.regonline.com/OWASPLI http://www.owasp.org/images/7/7f/Register.gif]<br />
<br><br />
<br />
<br />
<br><br> Directions to Hofstra University (It is just off of Hempstead Turnpike): To get to the Student Center from the Meadowbrook Parkway: Go West on Hempstead Turnpike to the 4th traffic light and make a right on to Oak street, then make another right 100 feet into Hofstra’s parking lot. <!-- From Meadowbrook Parkway - Going West on Hempstead Turnpike (Route 24), go to the 3rd traffic light and make a right through the main entrance to Hofstra. It is the first building on the right. The parking lot is on the side of the building. --> [http://maps.google.com/maps?hl=en&biw=1219&bih=809&um=1&ie=UTF-8&cid=0,0,18137204279734354163&fb=1&hq=hofstra+university&hnear=Old+Westbury,+NY&gl=us&daddr=Hofstra+University,+Hempstead,+NY+11549-1000&geocode=1582588550823583642,40.714111,-73.600523&ei=1ZixTb2EOeTs0gH3m7SLCQ&sa=X&oi=local_result&ct=directions-to&resnum=2&ved=0CB8QngIwAQ Map]<br />
<br />
<br />
<br />
<br />
<br> <br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center> <br />
<br><br />
<br />
==== Calendar ====<br />
<br />
'''2011 Meeting Schedule''' <br> ''The information on this page is subject to change'' <br><br> <br />
<br />
<br />
<br> Thursday, July 28 <br> <br />
<br />
*Time: 6:30pm-9:30pm <br> <br />
*Location: Student Center, Hofstra University, Hempstead, NY <br> <br />
*Topics: Round Table Discussions <br><br />
<br />
<br> <br />
<br />
----<br />
<br />
<br> Sunday, September 18 <br> <br />
<br />
*Time: 12:30pm-3:30pm <br> <br />
*Location: TBD <br> <br />
*Topics: TBD <br><br />
<br />
<br> <br />
<br />
----<br />
<br />
<br> Sunday, November 13 <br />
<br />
*Time: 12:30pm-3:30pm <br> <br />
*Location: TBD <br> <br />
*Topics: TBD <br><br />
<br />
<br> <br />
<br />
<br> <br />
<br />
==== Past Meetings ====<br />
<br />
'''May Meeting'''<br />
*Date: Saturday, May 14, 2011 <br />
*Time: 12:30pm - 3:30pm <br />
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000 <br />
*Topics & Speakers: <br><br />
<br>Robert Gezelter - <br><br />
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' <br><br />
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). <br><br />
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.<br />
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. <br><br><br />
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect <br><br />
<br />
<br />
<br />
<br />
'''March Meeting''' <br> '''Date:''' 3/27/2011 Sunday<br> '''Time:''' 12pm-3pm<br> '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> <br><br> Rajendra Umadas, OWASP Member<br> <br />
<br />
'''Intro to the OWASP Mobile Project''' <br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications. <br />
<br />
<br><br> [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member <br />
<br />
'''The Exploit Intelligence Project''' <br />
<br />
In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year. <br />
<br />
In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats. <br />
<br />
<br> <br><br> [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br> [http://www.linkedin.com/in/blakecornell Blake Cornell], OWASP Board Member NY/NJ/LI <br />
<br />
'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell. <br />
<br />
<br> <br />
<br />
''Free pizza and beverage will be provided. After event networking will be held at a local bar.''<br><br> <br />
<br />
<br> <br />
<br />
==== Chapter Board Members/Contacts ====<br />
<br />
*[mailto:heleng@owasp.org Helen Gao, CISSP] <br />
*[mailto:ryan.behan@owasp.org Ryan C Behan] <br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704 <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
== External Links ==<br />
<br />
*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube] <br />
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos] <br />
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations] <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]<br />
<br />
[[Category:New York]]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=107309Long Island2011-03-22T03:11:03Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
<paypal>Long Island</paypal><br />
<br />
<br />
Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}}<br />
<br />
<br />
==== Chapter Meetings ====<br />
<br />
RSVP REQUESTED [https://spreadsheets.google.com/embeddedform?formkey=dF9NOW5BQTBLbVNPdGdrNzFhWWJMMnc6MQ http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<b>Date:</b> 3/27/2011 Sunday<br><br />
<b>Time:</b> 12pm-3pm<br><br />
<b>Place:</b> 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=Jericho+Public+Library+1+Merry+Lane+Jericho,+New+York+11753&aq=&sll=37.0625,-95.677068&sspn=45.553578,95.800781&ie=UTF8&hq=Jericho+Public+Library&hnear=1+Merry+Ln,+Jericho,+Nassau,+New+York+11753&ll=40.79414,-73.535979&spn=0.010299,0.023389&z=16 Google Map Link]<br />
<br><br><br />
Rajendra Umadas, OWASP Member<br><br />
<br />
<b>Intro to the OWASP Mobile Project</b><br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.<br />
<br />
<br><br><br />
[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
<b>The Exploit Intelligence Project</b><br />
<br />
In 2011, mass malware is still the most common source of compromise on<br />
corporate networks. Bots like Zeus, Gozi, and Clampi successfully<br />
infect devices despite organizations carefully managing disclosed<br />
vulnerabilities and subscribing to detailed analysis of the latest<br />
malware families. Existing efforts at malware prevention focus broadly<br />
on vulnerabilities and their impact yet ignore the means by which they<br />
are exploited and the motivations, opportunities and capabilities of<br />
attackers, which has allowed this problem to become worse<br />
year-after-year.<br />
<br />
In this talk, I introduce an intelligence-driven approach to malware<br />
defense, focusing on attacker's capabilities and methods, with data<br />
collected from the most popular crimeware packs currently deployed<br />
in-the-wild. This analysis identifies the means by which exploits are<br />
developed and selected for inclusion in crimeware packs, identifies<br />
defenses that are outside the capability of malware exploit writers to<br />
bypass, and helps attendees evaluate not just the exploitability, but<br />
the probability of a vulnerability being exploited. This study shows<br />
that, until crimeware packs substantially advance in sophistication,<br />
only a few simple defensive tactics are required to protect users from<br />
such opportunistic threats.<br />
<br />
<br />
<br><br><br />
[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br />
<br><br />
[http://www.linkedin.com/in/blakecornell Blake Cornell], OWASP Board Member NY/NJ/LI<br />
<br />
<b>[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro</b><br />
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell.<br />
<br />
<br />
<br />
<i>Free pizza and beverage will be provided. After event networking will be held at a local bar.</i><br><br><br />
<br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a [http://www.owasp.org/index.php?title=Long_Island&action=submit#tab=Chapter_Leaders.2FContacts LI board member].</center><br />
<br />
==== Chapter Board Members/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
==External Links==<br />
* [http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube]<br />
* [http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos]<br />
* [http://www.owasp.org/index.php/Industry:Citations Industry Citations]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=107308Long Island2011-03-22T03:09:28Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
<paypal>Long Island</paypal><br />
<br />
<br />
Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}}<br />
<br />
<br />
==== Chapter Meetings ====<br />
<br />
RSVP REQUESTED [https://spreadsheets.google.com/embeddedform?formkey=dF9NOW5BQTBLbVNPdGdrNzFhWWJMMnc6MQ http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<b>Date:</b> 3/27/2011 Sunday<br><br />
<b>Time:</b> 12pm-3pm<br><br />
<b>Place:</b> Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=Jericho+Public+Library+1+Merry+Lane+Jericho,+New+York+11753&aq=&sll=37.0625,-95.677068&sspn=45.553578,95.800781&ie=UTF8&hq=Jericho+Public+Library&hnear=1+Merry+Ln,+Jericho,+Nassau,+New+York+11753&ll=40.79414,-73.535979&spn=0.010299,0.023389&z=16 Google Map Link]<br />
<br><br><br />
Rajendra Umadas, OWASP Member<br><br />
<br />
<b>Intro to the OWASP Mobile Project</b><br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.<br />
<br />
<br><br><br />
[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
<b>The Exploit Intelligence Project</b><br />
<br />
In 2011, mass malware is still the most common source of compromise on<br />
corporate networks. Bots like Zeus, Gozi, and Clampi successfully<br />
infect devices despite organizations carefully managing disclosed<br />
vulnerabilities and subscribing to detailed analysis of the latest<br />
malware families. Existing efforts at malware prevention focus broadly<br />
on vulnerabilities and their impact yet ignore the means by which they<br />
are exploited and the motivations, opportunities and capabilities of<br />
attackers, which has allowed this problem to become worse<br />
year-after-year.<br />
<br />
In this talk, I introduce an intelligence-driven approach to malware<br />
defense, focusing on attacker's capabilities and methods, with data<br />
collected from the most popular crimeware packs currently deployed<br />
in-the-wild. This analysis identifies the means by which exploits are<br />
developed and selected for inclusion in crimeware packs, identifies<br />
defenses that are outside the capability of malware exploit writers to<br />
bypass, and helps attendees evaluate not just the exploitability, but<br />
the probability of a vulnerability being exploited. This study shows<br />
that, until crimeware packs substantially advance in sophistication,<br />
only a few simple defensive tactics are required to protect users from<br />
such opportunistic threats.<br />
<br />
<br />
<br><br><br />
[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br />
<br><br />
[http://www.linkedin.com/in/blakecornell Blake Cornell], OWASP Board Member NY/NJ/LI<br />
<br />
<b>[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro</b><br />
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell.<br />
<br />
<br />
<br />
<i>Free pizza and beverage will be provided. After event networking will be held at a local bar.</i><br><br><br />
<br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a [http://www.owasp.org/index.php?title=Long_Island&action=submit#tab=Chapter_Leaders.2FContacts LI board member].</center><br />
<br />
==== Chapter Board Members/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
==External Links==<br />
* [http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube]<br />
* [http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos]<br />
* [http://www.owasp.org/index.php/Industry:Citations Industry Citations]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=106972Long Island2011-03-16T13:56:36Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
<paypal>Long Island</paypal><br />
<br />
<br />
Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}}<br />
<br />
<br />
==== Chapter Meetings ====<br />
<b>Date:</b> 3/27/2011 Sunday<br><br />
<b>Time:</b> 12pm-3pm<br><br />
<b>Place:</b> Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 <br> [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=Jericho+Public+Library+1+Merry+Lane+Jericho,+New+York+11753&aq=&sll=37.0625,-95.677068&sspn=45.553578,95.800781&ie=UTF8&hq=Jericho+Public+Library&hnear=1+Merry+Ln,+Jericho,+Nassau,+New+York+11753&ll=40.79414,-73.535979&spn=0.010299,0.023389&z=16 Google Map Link]<br />
<br><br><br />
Rajendra Umadas, OWASP Member<br><br />
<br />
<b>Intro to the OWASP Mobile Project</b><br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.<br />
<br />
<br><br><br />
[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
<b>The Exploit Intelligence Project</b><br />
<br />
In 2011, mass malware is still the most common source of compromise on<br />
corporate networks. Bots like Zeus, Gozi, and Clampi successfully<br />
infect devices despite organizations carefully managing disclosed<br />
vulnerabilities and subscribing to detailed analysis of the latest<br />
malware families. Existing efforts at malware prevention focus broadly<br />
on vulnerabilities and their impact yet ignore the means by which they<br />
are exploited and the motivations, opportunities and capabilities of<br />
attackers, which has allowed this problem to become worse<br />
year-after-year.<br />
<br />
In this talk, I introduce an intelligence-driven approach to malware<br />
defense, focusing on attacker's capabilities and methods, with data<br />
collected from the most popular crimeware packs currently deployed<br />
in-the-wild. This analysis identifies the means by which exploits are<br />
developed and selected for inclusion in crimeware packs, identifies<br />
defenses that are outside the capability of malware exploit writers to<br />
bypass, and helps attendees evaluate not just the exploitability, but<br />
the probability of a vulnerability being exploited. This study shows<br />
that, until crimeware packs substantially advance in sophistication,<br />
only a few simple defensive tactics are required to protect users from<br />
such opportunistic threats.<br />
<br />
<br />
<br><br><br />
[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br />
<br><br />
[http://www.linkedin.com/in/blakecornell Blake Cornell], OWASP Board Member NY/NJ/LI<br />
<br />
<b>[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro</b><br />
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell.<br />
<br />
<br />
<br />
<i>Free pizza and beverage will be provided. After event networking will be held at a local bar.</i><br><br><br />
<br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a [http://www.owasp.org/index.php?title=Long_Island&action=submit#tab=Chapter_Leaders.2FContacts LI board member].</center><br />
<br />
==== Chapter Board Members/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
==External Links==<br />
* [http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube]<br />
* [http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos]<br />
* [http://www.owasp.org/index.php/Industry:Citations Industry Citations]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=106971Long Island2011-03-16T13:56:20Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
<paypal>Long Island</paypal><br />
<br />
<br />
Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}}<br />
<br />
<br />
==== Chapter Meetings ====<br />
<b>Date:</b> 3/27/2011 Sunday<br><br />
<b>Time:</b> 12pm-3pm<br><br />
<b>Place:</b> Jericho Public Library, 1 Merry Lane Jericho, New York 11753 <br> [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=Jericho+Public+Library+1+Merry+Lane+Jericho,+New+York+11753&aq=&sll=37.0625,-95.677068&sspn=45.553578,95.800781&ie=UTF8&hq=Jericho+Public+Library&hnear=1+Merry+Ln,+Jericho,+Nassau,+New+York+11753&ll=40.79414,-73.535979&spn=0.010299,0.023389&z=16 Google Map Link]<br />
<br><br><br />
Rajendra Umadas, OWASP Member<br><br />
<br />
<b>Intro to the OWASP Mobile Project</b><br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.<br />
<br />
<br><br><br />
[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
<b>The Exploit Intelligence Project</b><br />
<br />
In 2011, mass malware is still the most common source of compromise on<br />
corporate networks. Bots like Zeus, Gozi, and Clampi successfully<br />
infect devices despite organizations carefully managing disclosed<br />
vulnerabilities and subscribing to detailed analysis of the latest<br />
malware families. Existing efforts at malware prevention focus broadly<br />
on vulnerabilities and their impact yet ignore the means by which they<br />
are exploited and the motivations, opportunities and capabilities of<br />
attackers, which has allowed this problem to become worse<br />
year-after-year.<br />
<br />
In this talk, I introduce an intelligence-driven approach to malware<br />
defense, focusing on attacker's capabilities and methods, with data<br />
collected from the most popular crimeware packs currently deployed<br />
in-the-wild. This analysis identifies the means by which exploits are<br />
developed and selected for inclusion in crimeware packs, identifies<br />
defenses that are outside the capability of malware exploit writers to<br />
bypass, and helps attendees evaluate not just the exploitability, but<br />
the probability of a vulnerability being exploited. This study shows<br />
that, until crimeware packs substantially advance in sophistication,<br />
only a few simple defensive tactics are required to protect users from<br />
such opportunistic threats.<br />
<br />
<br />
<br><br><br />
[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br />
<br><br />
[http://www.linkedin.com/in/blakecornell Blake Cornell], OWASP Board Member NY/NJ/LI<br />
<br />
<b>[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro</b><br />
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell.<br />
<br />
<br />
<br />
<i>Free pizza and beverage will be provided. After event networking will be held at a local bar.</i><br><br><br />
<br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a [http://www.owasp.org/index.php?title=Long_Island&action=submit#tab=Chapter_Leaders.2FContacts LI board member].</center><br />
<br />
==== Chapter Board Members/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
==External Links==<br />
* [http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube]<br />
* [http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos]<br />
* [http://www.owasp.org/index.php/Industry:Citations Industry Citations]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=106970Long Island2011-03-16T13:55:58Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
<paypal>Long Island</paypal><br />
<br />
<br />
Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}}<br />
<br />
<br />
==== Chapter Meetings ====<br />
<b>Date:</b> 3/27/2011 Sunday<br><br />
<b>Time:</b> 12pm-3pm<br><br />
<b>Place:</b> Jericho Public Library 1 Merry Lane Jericho, New York 11753 <br> [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=Jericho+Public+Library+1+Merry+Lane+Jericho,+New+York+11753&aq=&sll=37.0625,-95.677068&sspn=45.553578,95.800781&ie=UTF8&hq=Jericho+Public+Library&hnear=1+Merry+Ln,+Jericho,+Nassau,+New+York+11753&ll=40.79414,-73.535979&spn=0.010299,0.023389&z=16 Google Map Link]<br />
<br><br><br />
Rajendra Umadas, OWASP Member<br><br />
<br />
<b>Intro to the OWASP Mobile Project</b><br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.<br />
<br />
<br><br><br />
[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
<b>The Exploit Intelligence Project</b><br />
<br />
In 2011, mass malware is still the most common source of compromise on<br />
corporate networks. Bots like Zeus, Gozi, and Clampi successfully<br />
infect devices despite organizations carefully managing disclosed<br />
vulnerabilities and subscribing to detailed analysis of the latest<br />
malware families. Existing efforts at malware prevention focus broadly<br />
on vulnerabilities and their impact yet ignore the means by which they<br />
are exploited and the motivations, opportunities and capabilities of<br />
attackers, which has allowed this problem to become worse<br />
year-after-year.<br />
<br />
In this talk, I introduce an intelligence-driven approach to malware<br />
defense, focusing on attacker's capabilities and methods, with data<br />
collected from the most popular crimeware packs currently deployed<br />
in-the-wild. This analysis identifies the means by which exploits are<br />
developed and selected for inclusion in crimeware packs, identifies<br />
defenses that are outside the capability of malware exploit writers to<br />
bypass, and helps attendees evaluate not just the exploitability, but<br />
the probability of a vulnerability being exploited. This study shows<br />
that, until crimeware packs substantially advance in sophistication,<br />
only a few simple defensive tactics are required to protect users from<br />
such opportunistic threats.<br />
<br />
<br />
<br><br><br />
[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br />
<br><br />
[http://www.linkedin.com/in/blakecornell Blake Cornell], OWASP Board Member NY/NJ/LI<br />
<br />
<b>[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro</b><br />
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell.<br />
<br />
<br />
<br />
<i>Free pizza and beverage will be provided. After event networking will be held at a local bar.</i><br><br><br />
<br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a [http://www.owasp.org/index.php?title=Long_Island&action=submit#tab=Chapter_Leaders.2FContacts LI board member].</center><br />
<br />
==== Chapter Board Members/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
==External Links==<br />
* [http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube]<br />
* [http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos]<br />
* [http://www.owasp.org/index.php/Industry:Citations Industry Citations]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=106969Long Island2011-03-16T13:55:23Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
<paypal>Long Island</paypal><br />
<br />
<br />
Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}}<br />
<br />
<br />
==== Chapter Meetings ====<br />
<b>Date:</b> 3/27/2011 Sunday<br><br />
<b>Time:</b> 12pm-3pm<br><br />
<b>Place:</b> Jericho Public Library 1 Merry Lane Jericho, New York 11753 <br> [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=Jericho+Public+Library+1+Merry+Lane+Jericho,+New+York+11753&aq=&sll=37.0625,-95.677068&sspn=45.553578,95.800781&ie=UTF8&hq=Jericho+Public+Library&hnear=1+Merry+Ln,+Jericho,+Nassau,+New+York+11753&ll=40.79414,-73.535979&spn=0.010299,0.023389&z=16 Google Map Link]<br />
<br />
Rajendra Umadas, OWASP Member<br><br />
<br />
<b>Intro to the OWASP Mobile Project</b><br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.<br />
<br />
<br><br><br />
[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
<b>The Exploit Intelligence Project</b><br />
<br />
In 2011, mass malware is still the most common source of compromise on<br />
corporate networks. Bots like Zeus, Gozi, and Clampi successfully<br />
infect devices despite organizations carefully managing disclosed<br />
vulnerabilities and subscribing to detailed analysis of the latest<br />
malware families. Existing efforts at malware prevention focus broadly<br />
on vulnerabilities and their impact yet ignore the means by which they<br />
are exploited and the motivations, opportunities and capabilities of<br />
attackers, which has allowed this problem to become worse<br />
year-after-year.<br />
<br />
In this talk, I introduce an intelligence-driven approach to malware<br />
defense, focusing on attacker's capabilities and methods, with data<br />
collected from the most popular crimeware packs currently deployed<br />
in-the-wild. This analysis identifies the means by which exploits are<br />
developed and selected for inclusion in crimeware packs, identifies<br />
defenses that are outside the capability of malware exploit writers to<br />
bypass, and helps attendees evaluate not just the exploitability, but<br />
the probability of a vulnerability being exploited. This study shows<br />
that, until crimeware packs substantially advance in sophistication,<br />
only a few simple defensive tactics are required to protect users from<br />
such opportunistic threats.<br />
<br />
<br />
<br><br><br />
[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member <br />
<br><br />
[http://www.linkedin.com/in/blakecornell Blake Cornell], OWASP Board Member NY/NJ/LI<br />
<br />
<b>[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro</b><br />
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. <br />
<br />
In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell.<br />
<br />
<br />
<br />
<i>Free pizza and beverage will be provided. After event networking will be held at a local bar.</i><br><br><br />
<br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a [http://www.owasp.org/index.php?title=Long_Island&action=submit#tab=Chapter_Leaders.2FContacts LI board member].</center><br />
<br />
==== Chapter Board Members/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
==External Links==<br />
* [http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube]<br />
* [http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos]<br />
* [http://www.owasp.org/index.php/Industry:Citations Industry Citations]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=106476Long Island2011-03-08T19:39:23Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
<paypal>Long Island</paypal><br />
<br />
<br />
Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}}<br />
<br />
<br />
==== Chapter Meetings ====<br />
<b>Date:</b> 3/27/2011 Sunday<br><br />
<b>Time:</b> 12pm-3pm<br><br />
<b>Place:</b> TBD <br><br />
<br />
Rajendra Umadas, OWASP Member<br><br />
<br />
<b>Intro to the OWASP Mobile Project</b><br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.<br />
<br />
<br><br><br />
[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
<b>The Exploit Intelligence Project</b><br />
<br />
In 2011, mass malware is still the most common source of compromise on<br />
corporate networks. Bots like Zeus, Gozi, and Clampi successfully<br />
infect devices despite organizations carefully managing disclosed<br />
vulnerabilities and subscribing to detailed analysis of the latest<br />
malware families. Existing efforts at malware prevention focus broadly<br />
on vulnerabilities and their impact yet ignore the means by which they<br />
are exploited and the motivations, opportunities and capabilities of<br />
attackers, which has allowed this problem to become worse<br />
year-after-year.<br />
<br />
In this talk, I introduce an intelligence-driven approach to malware<br />
defense, focusing on attacker's capabilities and methods, with data<br />
collected from the most popular crimeware packs currently deployed<br />
in-the-wild. This analysis identifies the means by which exploits are<br />
developed and selected for inclusion in crimeware packs, identifies<br />
defenses that are outside the capability of malware exploit writers to<br />
bypass, and helps attendees evaluate not just the exploitability, but<br />
the probability of a vulnerability being exploited. This study shows<br />
that, until crimeware packs substantially advance in sophistication,<br />
only a few simple defensive tactics are required to protect users from<br />
such opportunistic threats.<br />
<br />
<br />
<br><br><br />
[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<b>Tool Demo TBD</b><br />
<br />
<br />
<br />
<i>Free pizza and beverage will be provided. After event networking will be held at a local bar.</i><br><br><br />
<br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a [http://www.owasp.org/index.php?title=Long_Island&action=submit#tab=Chapter_Leaders.2FContacts LI board member].</center><br />
<br />
==== Chapter Board Members/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
==External Links==<br />
* [http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube]<br />
* [http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos]<br />
* [http://www.owasp.org/index.php/Industry:Citations Industry Citations]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=106475Long Island2011-03-08T19:38:58Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
<paypal>Long Island</paypal><br />
<br />
<br />
Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}}<br />
<br />
<br />
==== Chapter Meetings ====<br />
<b>Date:</b> 3/27/2011 Sunday<br><br />
<b>Time:</b> 12pm-3pm<br><br />
<b>Place:</b> TBD <br><br />
<br />
<b>Rajendra Umadas, OWASP Member</b><br><br />
<b>Intro to the OWASP Mobile Project</b><br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.<br />
<br />
<br><br><br />
[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
<b>The Exploit Intelligence Project</b><br />
<br />
In 2011, mass malware is still the most common source of compromise on<br />
corporate networks. Bots like Zeus, Gozi, and Clampi successfully<br />
infect devices despite organizations carefully managing disclosed<br />
vulnerabilities and subscribing to detailed analysis of the latest<br />
malware families. Existing efforts at malware prevention focus broadly<br />
on vulnerabilities and their impact yet ignore the means by which they<br />
are exploited and the motivations, opportunities and capabilities of<br />
attackers, which has allowed this problem to become worse<br />
year-after-year.<br />
<br />
In this talk, I introduce an intelligence-driven approach to malware<br />
defense, focusing on attacker's capabilities and methods, with data<br />
collected from the most popular crimeware packs currently deployed<br />
in-the-wild. This analysis identifies the means by which exploits are<br />
developed and selected for inclusion in crimeware packs, identifies<br />
defenses that are outside the capability of malware exploit writers to<br />
bypass, and helps attendees evaluate not just the exploitability, but<br />
the probability of a vulnerability being exploited. This study shows<br />
that, until crimeware packs substantially advance in sophistication,<br />
only a few simple defensive tactics are required to protect users from<br />
such opportunistic threats.<br />
<br />
<br />
<br><br><br />
[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<b>Tool Demo TBD</b><br />
<br />
<br />
<br />
<i>Free pizza and beverage will be provided. After event networking will be held at a local bar.</i><br><br><br />
<br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a [http://www.owasp.org/index.php?title=Long_Island&action=submit#tab=Chapter_Leaders.2FContacts LI board member].</center><br />
<br />
==== Chapter Board Members/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
==External Links==<br />
* [http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube]<br />
* [http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos]<br />
* [http://www.owasp.org/index.php/Industry:Citations Industry Citations]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=106474Long Island2011-03-08T19:38:09Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
<paypal>Long Island</paypal><br />
<br />
<br />
Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}}<br />
<br />
<br />
==== Chapter Meetings ====<br />
<b>Date:</b> 3/27/2011 Sunday<br><br />
<b>Time:</b> 12pm-3pm<br><br />
<b>Place:</b> TBD <br><br />
<br />
<b>Rajendra Umadas</b><br />
<b>Intro to the OWASP Mobile Project</b><br />
<br />
The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.<br />
<br />
<br><br><br />
[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
<b>The Exploit Intelligence Project</b><br />
<br />
In 2011, mass malware is still the most common source of compromise on<br />
corporate networks. Bots like Zeus, Gozi, and Clampi successfully<br />
infect devices despite organizations carefully managing disclosed<br />
vulnerabilities and subscribing to detailed analysis of the latest<br />
malware families. Existing efforts at malware prevention focus broadly<br />
on vulnerabilities and their impact yet ignore the means by which they<br />
are exploited and the motivations, opportunities and capabilities of<br />
attackers, which has allowed this problem to become worse<br />
year-after-year.<br />
<br />
In this talk, I introduce an intelligence-driven approach to malware<br />
defense, focusing on attacker's capabilities and methods, with data<br />
collected from the most popular crimeware packs currently deployed<br />
in-the-wild. This analysis identifies the means by which exploits are<br />
developed and selected for inclusion in crimeware packs, identifies<br />
defenses that are outside the capability of malware exploit writers to<br />
bypass, and helps attendees evaluate not just the exploitability, but<br />
the probability of a vulnerability being exploited. This study shows<br />
that, until crimeware packs substantially advance in sophistication,<br />
only a few simple defensive tactics are required to protect users from<br />
such opportunistic threats.<br />
<br />
<br />
<br><br><br />
[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
<br />
<b>Tool Demo TBD</b><br />
<br />
<br />
<br />
<i>Free pizza and beverage will be provided. After event networking will be held at a local bar.</i><br><br><br />
<br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a [http://www.owasp.org/index.php?title=Long_Island&action=submit#tab=Chapter_Leaders.2FContacts LI board member].</center><br />
<br />
==== Chapter Board Members/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
==External Links==<br />
* [http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube]<br />
* [http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos]<br />
* [http://www.owasp.org/index.php/Industry:Citations Industry Citations]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=79525Long Island2010-03-10T16:26:31Z<p>Ryan Behan: Added Dan Guido's presentation subject. -RCB</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
==== Chapter Meetings ====<br />
<p style="margin:0; background:#cef2e0; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em; ">Scroll down to see the upcoming Long Island OWASP events</p> <br />
<br />
RSVP REQUESTED [http://fs18.formsite.com/owaspli/form995438520/index.html http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<b>Date:</b> 3/18/10 Thursday<br><br />
<b>Time:</b> 6:30 - 8pm<br><br />
<b>Place:</b> Adelphi Garden City Campus Ruth S. Harley University Center, room 210 [http://www.adelphi.edu/visitors/campus.php Campus Map]<i>The University Center is in the center of the campus, all the way to the North (marked as UNC)</i><br><br />
<b>Directions:</b> Via the Long Island Expressway (Route 495) <br><br />
<br />
Traveling east<br><br />
Take the L.I.E. to Exit 34 South or the Northern State Parkway to Exit 26 South (New Hyde Park Road). Turn right onto New Hyde Park Road. Continue south on New Hyde Park Road for approximately 3 miles. Turn left onto Stewart Avenue. At the fourth light, turn right onto Nassau Boulevard. Continue approximately for a quarter of a mile. At the first light (as soon as you cross over the railroad tracks), make a left onto South Avenue. The entrance to campus will be on your right.<br><br />
<br />
Traveling west<br><br />
Take the L.I.E. to Exit 39 South or the Northern State Parkway to Exit 31 (Glen Cove Road). Go south. (Note: the road will change from Guinea Woods Road to Glen Cove Road to Clinton Road). Turn right onto Stewart Avenue. Go one mile and at T-junction turn left onto Hilton Avenue. Immediately after crossing the railroad tracks, turn right onto Sixth Street. Continue onto South Avenue. The entrance to campus will be on your left..<br><br />
<br><br />
<b>Speakers: (TBD)</b><br><br><br />
<br />
[http://www.linkedin.com/in/blakecornell Blake Cornell], OWASP Board Member NY/NJ/LI<br />
<br />
<b>Session Initiation Protocol Bounce Attacks: Enumeration of Networked Addressing and Services With Timing Attacks and Other Vectors</b><br />
<br />
The SIP Bounce Attack is similar in nature to the File Transfer Protocol (FTP) Bounce Attack. SIP allows an attacker the ability to communicate with any Internet Protocol (IP) address or Fully Qualified Domain Name (FQDN) and their respective UDP or TCP port numbers. Utilizing precise timing algorithms it is possible to enumerate the address allocation of private networks (2) and determine the state of their ports. This is possible without authentication.<br />
<br />
There is an increasing trend to host SIP services publicly on the internet behind Demilitarized Zones (DMZ), firewalls and Access Control Lists (ACLs). Having the ability to bounce traffic through a protected system and allowing analysis of response data is quite risky.<br />
<br />
If a consumer grade VoIP product were reliably vulnerable to SIP bouncing an attacker could have a plethora of possible zombie proxies to choose from.<br />
<br />
These and other risks will be discussed.<br />
<br />
<br><br><br />
[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
<b>Threat Modeling APT: A discussion of tactics behind recent targeted intrusions.</b><br />
<br />
<br />
<i>Free pizza and beverage will be provided. After event networking will be held at a local bar.</i><br><br><br />
<br />
<center>Come prepared for an evening of networking with your industry peers.</center><br />
<center>We invite all attendees to food and libations after the meeting at a local venue TBA.</center><br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a LI board member.</center><br />
<br />
==== Chapter Leaders/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
<br />
<br />
==External Links==<br />
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]<br />
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]<br />
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=71112Long Island2009-10-08T13:48:25Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
==== Chapter Meetings ====<br />
<p style="margin:0; background:#cef2e0; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em; ">Scroll down to see the upcoming Long Island OWASP events</p> <br />
<br />
RSVP REQUESTED [http://fs18.formsite.com/owaspli/form933354881/index.html http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<b>Date:</b> 10/24/2009<br><br />
<b>Time:</b> 11:00-14:00<br><br />
<b>Place:</b> Sunrise Business Center, 3500 Sunrise Hwy, Great River, NY 11730, Building 200 [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3500+Sunrise+Hwy,+NY,+Great+River,+NY,+Building+200&sll=40.748249,-73.163388&sspn=0.009298,0.022745&ie=UTF8&ll=40.748249,-73.163388&spn=0.009298,0.022745&t=h&z=16&iwloc=A MAP]<br><br />
<b>Directions:</b> Enter from the service road on the East Bound side of Sunrise Hwy. Turn right after passing the security gate. Attendees can park in front of Building 200 and enter through the Building 200 entrance. We must ask that all attendees do not park in any spot marked as RESERVED. Once you enter building 200, pass through security, turn right and head down the hall, pass through the first set of doors. Our conference room is your first right. There will be signs posted along this path directing attendees to the room.<br><br />
<br><br />
<u>Agenda:</u><br><br><br />
;11-00 - Opening Remarks & Welcome to [http://www.owasp.org/images/9/9f/2009-OWASP_KeyNote-V2.pdf OWASP Foundation]<br />
:--'''Helen Gao, OWASP LI Board <br />
;11-20 - Attacking VoIP With The OWASP Top 10<br />
:VoIP systems allow for cheap and easy telephony communication. Current VoIP implementations may be more vulnerable then you believe. How could an attacker own your PBX with the OWASP Top 10? Topics will include Vulnerability Research, Protocol Fuzzing, VoIP and the OWASP Top 10. Proof of concept zero day vectors will be discovered and exploited. This is going to be fun!<br />
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell] Security Consultant [http://www.net2s-us.com/ Net2S/BT-INS], OWASP NY/NJ/LI Board Member<br />
<br />
;12-10 - Lunch<br />
:<br />
<br />
;12-20 - Network Version Control<br />
:Leveraging Python, Nmap, Ndiff and Subversion to create baselines of your hosts and services. Together, these form a basic foundation to detect unapproved changes and alert accordingly.<br />
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
;13-20 - Passive Web Application Analysis <br />
:Discover ways to leverage the tools you currently use to find potential vulnerabilities in web applications as early as during an initial application walk through. This talk will cover the current state of passive web application analysis as well as discuss how to set up a framework for your own testing needs.<br />
:--'''[http://www.linkedin.com/in/phillipames Phil Ames], Security Consultant<br />
<br />
;All Day Event - Capture the Flag<br />
:There will be a day long CTF event. Test your skills, learn new exploitation techniques, hack in a team, get the highest score, win prizes? Hack the day away with your friends and peers.<br />
:--'''[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
;AFTER EVENT NETWORKING WILL BE HELD AT '''[http://www.bluepointbrewing.com/ THE BLUE POINT BREWERY]!!<br />
;>>> We have arranged for a private tour for all OWASP attendees. <<<<br />
Rides will be provided to the Blue Point Brewery. When you are done with enjoying the best brews on the East Coast, the train station is only '''[http://maps.google.com/maps?saddr=161+River+Ave,+Patchogue,+NY+11772-3304+(Blue+Point+Brewing+Co)&geocode=CcnpYL67h5V6FVfvbQIdy8el-yEHMT9JQF0-7g&dirflg=&daddr=patchogue+train+station,+patchogue,+ny+11772&f=d&dq=blue+point+brewery,+loc:+patchogue,+ny+11772&sll=40.759127,-73.021493&sspn=0.014359,0.014046&ie=UTF8&ll=40.761691,-73.020887&spn=0.02919,0.055876&z=15 a short walk]''' away!<br />
<br />
<center>Come prepared for a day of networking with your industry peers.</center><br />
<center>We invite all attendees to food and libations after the meeting at a local venue TBA.</center><br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a LI board member.</center><br />
<br />
==== Chapter Leaders/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
<br />
<br />
==External Links==<br />
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]<br />
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]<br />
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=71095Long Island2009-10-08T12:23:53Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
==== Chapter Meetings ====<br />
<p style="margin:0; background:#cef2e0; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em; ">Scroll down to see the upcoming Long Island OWASP events</p> <br />
<br />
RSVP REQUESTED [http://fs18.formsite.com/owaspli/form933354881/index.html http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<b>Date:</b> 10/24/2009<br><br />
<b>Time:</b> 11:00-14:00<br><br />
<b>Place:</b> Sunrise Business Center, 3500 Sunrise Hwy, Great River, NY 11730, Building 200 [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3500+Sunrise+Hwy,+NY,+Great+River,+NY,+Building+200&sll=40.748249,-73.163388&sspn=0.009298,0.022745&ie=UTF8&ll=40.748249,-73.163388&spn=0.009298,0.022745&t=h&z=16&iwloc=A MAP]<br><br />
<b>Directions:</b> Enter from the service road on the East Bound side of Sunrise Hwy. Turn right after passing the security gate. Attendees can park in front of Building 200 and enter through the Building 200 entrance. We must ask that all attendees do not park in any spot marked as RESERVED. Once you enter building 200, pass through security, turn right and head down the hall, pass through the first set of doors. Our conference room is your first right. There will be signs posted along this path directing attendees to the room.<br><br />
<br><br />
<u>Agenda:</u><br><br><br />
;11-00 - Opening Remarks & Welcome to [http://www.owasp.org/images/9/9f/2009-OWASP_KeyNote-V2.pdf OWASP Foundation]<br />
:--'''Helen Gao, OWASP LI Board <br />
;11-20 - Attacking VoIP With The OWASP Top 10<br />
:VoIP systems allow for cheap and easy telephony communication. Current VoIP implimentations may be more vulnerable then you believe. How could an attacker 0wn your PBX with the OWASP Top 10? Topics will include Vulnerability Research, Protocol Fuzzing, VoIP and the OWASP Top 10. Proof of concept 0day vectors will be discovered and exploited. This is going to be fun!<br />
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell] Security Consultant [http://www.net2s-us.com/ Net2S/BT-INS], OWASP NY/NJ/LI Board Member<br />
<br />
;12-10 - Lunch<br />
:<br />
<br />
;12-20 - Network Version Control<br />
:Leveraging Python, Nmap, Ndiff and Subversion to create baselines of your hosts and services. Together, these form a basic foundation to detect unapproved changes and alert accordingly.<br />
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
;13-20 - Passive Web Application Analysis <br />
:Discover ways to leverage the tools you currently use to find potential vulnerabilities in web applications as early as during an initial application walk through. This talk will cover the current state of passive web application analysis as well as discuss how to set up a framework for your own testing needs.<br />
:--'''[http://www.linkedin.com/in/phillipames Phil Ames], Security Consultant<br />
<br />
;All Day Event - Capture the Flag<br />
:There will be a day long CTF event. Test your skills, learn new exploitation techniques, hack in a team, get the highest score, win prizes? Hack the day away with your friends and peers.<br />
:--'''[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
;AFTER EVENT NETWORKING WILL BE HELD AT '''[http://www.bluepointbrewing.com/ THE BLUE POINT BREWERY]!!<br />
Rides will be provided to the Blue Point Brewery. When you are done with enjoying the best brews on the East Coast, the train station is only '''[http://maps.google.com/maps?saddr=161+River+Ave,+Patchogue,+NY+11772-3304+(Blue+Point+Brewing+Co)&geocode=CcnpYL67h5V6FVfvbQIdy8el-yEHMT9JQF0-7g&dirflg=&daddr=patchogue+train+station,+patchogue,+ny+11772&f=d&dq=blue+point+brewery,+loc:+patchogue,+ny+11772&sll=40.759127,-73.021493&sspn=0.014359,0.014046&ie=UTF8&ll=40.761691,-73.020887&spn=0.02919,0.055876&z=15 a short walk]''' away!<br />
<br />
<center>Come prepared for a day of networking with your industry peers.</center><br />
<center>We invite all attendees to food and libations after the meeting at a local venue TBA.</center><br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a LI board member.</center><br />
<br />
==== Chapter Leaders/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
<br />
<br />
==External Links==<br />
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]<br />
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]<br />
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=71094Long Island2009-10-08T12:22:31Z<p>Ryan Behan: Final updates for the 10/24/2009 meeting</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
==== Chapter Meetings ====<br />
<p style="margin:0; background:#cef2e0; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em; ">Scroll down to see the upcoming Long Island OWASP events</p> <br />
<br />
RSVP REQUESTED [http://fs18.formsite.com/owaspli/form933354881/index.html http://www.owasp.org/images/7/7f/Register.gif]<br />
<br />
<b>Date:</b> 10/24/2009<br><br />
<b>Time:</b> 11:00-14:00<br><br />
<b>Place:</b> Sunrise Business Center, 3500 Sunrise Hwy, Great River, NY 11730, Building 200 [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3500+Sunrise+Hwy,+NY,+Great+River,+NY,+Building+200&sll=40.748249,-73.163388&sspn=0.009298,0.022745&ie=UTF8&ll=40.748249,-73.163388&spn=0.009298,0.022745&t=h&z=16&iwloc=A MAP]<br><br />
<b>Directions:</b> Enter from the service road on the East Bound side of Sunrise Hwy. Turn right after passing the security gate. Attendees can park in front of Building 200 and enter through the Building 200 entrance. We must ask that all attendees do not park in any spot marked as RESERVED. Once you enter building 200, pass through security, turn right and head down the hall, pass through the first set of doors. Our conference room is your first right. There will be signs posted along this path directing attendees to the room.<br><br />
<br><br />
<u>Agenda:</u><br><br><br />
;11-00 - Opening Remarks & Welcome to [http://www.owasp.org/images/9/9f/2009-OWASP_KeyNote-V2.pdf OWASP Foundation]<br />
:--'''Helen Gao, OWASP LI Board <br />
;11-20 - Attacking VoIP With The OWASP Top 10<br />
:VoIP systems allow for cheap and easy telephony communication. Current VoIP implimentations may be more vulnerable then you believe. How could an attacker 0wn your PBX with the OWASP Top 10? Topics will include Vulnerability Research, Protocol Fuzzing, VoIP and the OWASP Top 10. Proof of concept 0day vectors will be discovered and exploited. This is going to be fun!<br />
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell] Security Consultant [http://www.net2s-us.com/ Net2S/BT-INS], OWASP NY/NJ/LI Board Member<br />
<br />
;12-10 - Lunch<br />
:<br />
<br />
;12-20 - Network Version Control<br />
:Leveraging Python, Nmap, Ndiff and Subversion to create baselines of your hosts and services. Together, these form a basic foundation to detect unapproved changes and alert accordingly.<br />
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
;13-20 - Passive Web Application Analysis <br />
:Discover ways to leverage the tools you currently use to find potential vulnerabilities in web applications as early as during an initial application walk through. This talk will cover the current state of passive web application analysis as well as discuss how to set up a framework for your own testing needs.<br />
:--'''[http://www.linkedin.com/in/phillipames Phil Ames], Security Consultant<br />
<br />
;All Day Event - Capture the Flag<br />
:There will be a day long CTF event. Test your skills, learn new exploitation techniques, hack in a team, get the highest score, win prizes? Hack the day away with your friends and peers.<br />
:--'''[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member<br />
<br />
;AFTER EVENT NETWORKING WILL BE HELD AT '''[http://www.bluepointbrewing.com/ THE BLUE POINT BREWERY]!!<br />
Rides will be provided to the Blue Point Brewery. When you are done with enjoying the best brews on the East Coast, the train station is only '''[http://maps.google.com/maps?saddr=161+River+Ave,+Patchogue,+NY+11772-3304+(Blue+Point+Brewing+Co)&geocode=CcnpYL67h5V6FVfvbQIdy8el-yEHMT9JQF0-7g&dirflg=&daddr=patchogue+train+station,+patchogue,+ny+11772&f=d&dq=blue+point+brewery,+loc:+patchogue,+ny+11772&sll=40.759127,-73.021493&sspn=0.014359,0.014046&ie=UTF8&ll=40.761691,-73.020887&spn=0.02919,0.055876&z=15 a short walk]''' from the Brewery.<br />
<br />
<center>Come prepared for a day of networking with your industry peers.</center><br />
<center>We invite all attendees to food and libations after the meeting at a local venue TBA.</center><br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<center>If you can host an upcoming meeting please contact a LI board member.</center><br />
<br />
==== Chapter Leaders/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
<br />
<br />
==External Links==<br />
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]<br />
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]<br />
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=68391Long Island2009-09-01T16:19:15Z<p>Ryan Behan: </p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
==== Chapter Meetings ====<br />
<p style="margin:0; background:#cef2e0; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em; ">Scroll down to see the upcoming Long Island OWASP events</p> <br />
<br />
<b>Date:</b> 10/24/2009<br><br />
<b>Time:</b> 11:00-14:00<br><br />
<b>Place:</b> Sunrise Business Center, 3500 Sunrise Hwy, Great River, NY 11730, Building 200 [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3500+Sunrise+Hwy,+NY,+Great+River,+NY,+Building+200&sll=40.748249,-73.163388&sspn=0.009298,0.022745&ie=UTF8&ll=40.748249,-73.163388&spn=0.009298,0.022745&t=h&z=16&iwloc=A MAP]<br><br />
<b>Directions:</b> Enter from the service road on the East Bound side of Sunrise Hwy. Turn right after passing the security gate. Attendees can park in front of Building 200 and enter through the Building 200 entrance. We must ask that all attendees do not park in any spot marked as RESERVED. Once you enter building 200, pass through security, turn right and head down the hall, pass through the first set of doors. Our conference room is your first right. There will be signs posted along this path directing attendees to the room.<br><br />
<center>RSVP REQUIRED [http://fs18.formsite.com/owaspli/form562038653/index.html http://www.owasp.org/images/7/7f/Register.gif] </center><br />
<br><br />
<u>Agenda:</u><br><br><br />
;11-00 - Opening Remarks & Welcome to [http://www.owasp.org/images/9/9f/2009-OWASP_KeyNote-V2.pdf OWASP Foundation]<br />
:--'''Helen Gao, OWASP LI Board <br />
;11-20 - Attacking VoIP With The OWASP Top 10<br />
:VoIP systems allow for cheap and easy telephony communication. How can an attacker 0wn your PBX with the OWASP Top 10? Proof of concept 0day attacks will be demonstrated and detailed.<br />
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell] Security Consultant [http://www.net2s-us.com/ Net2S/BT-INS], OWASP NY/NJ/LI Board Member<br />
<br />
;12-10 - Lunch<br />
:<br />
<br />
;12-20 - Network Version Control<br />
:Leveraging Python, Nmap, Ndiff and Subversion to create baselines of your hosts and services. Together, these form a basic foundation to detect unapproved changes and alert accordingly.<br />
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
;13-20 - TBD<br />
:--TBD<br />
<br />
<br />
<br />
AFTER EVENT NETWORKING ON THE WATER!!<br />
<br />
'''[http://maps.google.com/maps?f=d&source=s_d&saddr=3500+Sunrise+Hwy,+Great+River,+NY+11739&daddr=445+Vanderbilt+Blvd,+Oakdale,+NY+11769-2009&hl=en&geocode=%3BFTN1bQIdVfuj-w&gl=us&mra=ls&sll=40.727859,-73.139371&sspn=0.011155,0.027938&ie=UTF8&ll=40.737925,-73.149204&spn=0.022307,0.055876&t=h&z=15 THE WHARF]<br />
<br />
445 Vanderbilt Blvd, Oakdale, NY 11769<br />
<br />
<center>Come prepared for a day of networking with your industry peers.</center><br />
<center>We invite all attendees to food and libations after the meeting at a local restaurant TBA.</center><br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<br />
==== Chapter Leaders/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
<br />
<br />
==External Links==<br />
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]<br />
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]<br />
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=68390Long Island2009-09-01T16:18:06Z<p>Ryan Behan: Added the event's data and Ryan Behan's Topic</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
==== Chapter Meetings ====<br />
<p style="margin:0; background:#cef2e0; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em; ">Scroll down to see the upcoming Long Island OWASP events</p> <br />
<br />
<b>Date:</b> 10/24/2009<br><br />
<b>Time:</b> 11:00-14:00<br><br />
<b>Place:</b> Sunrise Business Center, 3500 Sunrise Hwy, Great River, NY 11730, Building 200 [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3500+Sunrise+Hwy,+NY,+Great+River,+NY,+Building+200&sll=40.748249,-73.163388&sspn=0.009298,0.022745&ie=UTF8&ll=40.748249,-73.163388&spn=0.009298,0.022745&t=h&z=16&iwloc=A MAP]<br><br />
<b>Directions:</b> Enter from the service road on the East Bound side of Sunrise Hwy. Turn right after passing the security gate. Attendees can park in front of Building 200 and enter through the Building 200 entrance. We must ask that all attendees do not park in any spot marked as RESERVED. Once you enter building 200, pass through security, turn right and head down the hall, pass through the first set of doors. Our conference room is your first right. There will be signs posted along this path directing attendees to the room.<br><br />
<center>RSVP REQUIRED [http://fs18.formsite.com/owaspli/form562038653/index.html http://www.owasp.org/images/7/7f/Register.gif] </center><br />
<br><br />
<u>Agenda:</u><br><br><br />
;11-00 - Opening Remarks & Welcome to [http://www.owasp.org/images/9/9f/2009-OWASP_KeyNote-V2.pdf OWASP Foundation]<br />
:--'''Helen Gao, OWASP LI Board <br />
;11-20 - Attacking VoIP With The OWASP Top 10<br />
:VoIP systems allow for cheap and easy telephony communication. How can an attacker 0wn your PBX with the OWASP Top 10? Proof of concept 0day attacks will be demonstrated and detailed.<br />
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell] Security Consultant [http://www.net2s-us.com/ Net2S/BT-INS], OWASP NY/NJ/LI Board Member<br />
<br />
;12-10 - Lunch<br />
:<br />
<br />
;12-20 - Network Version Control<br />
:--Leveraging Python, Nmap, Ndiff and Subversion to create baselines of your hosts and services. Together, these form a basic foundation to detect unapproved changes and alert accordingly.<br />
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member<br />
;13-20 - TBD<br />
:--TBD<br />
<br />
<br />
<br />
AFTER EVENT NETWORKING ON THE WATER!!<br />
<br />
'''[http://maps.google.com/maps?f=d&source=s_d&saddr=3500+Sunrise+Hwy,+Great+River,+NY+11739&daddr=445+Vanderbilt+Blvd,+Oakdale,+NY+11769-2009&hl=en&geocode=%3BFTN1bQIdVfuj-w&gl=us&mra=ls&sll=40.727859,-73.139371&sspn=0.011155,0.027938&ie=UTF8&ll=40.737925,-73.149204&spn=0.022307,0.055876&t=h&z=15 THE WHARF]<br />
<br />
445 Vanderbilt Blvd, Oakdale, NY 11769<br />
<br />
<center>Come prepared for a day of networking with your industry peers.</center><br />
<center>We invite all attendees to food and libations after the meeting at a local restaurant TBA.</center><br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<br />
==== Chapter Leaders/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
<br />
<br />
==External Links==<br />
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]<br />
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]<br />
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=64935Long Island2009-06-26T02:10:16Z<p>Ryan Behan: Updated the directions for attendees once they are onsite. -RCB- 6/25/2009</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
==== Chapter Meetings ====<br />
<p style="margin:0; background:#cef2e0; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em; ">Scroll down to see the upcoming Long Island OWASP events</p> <br />
<br />
<b>Date:</b> Saturday June 27th 2009<br><br />
<b>Time:</b> 10:00-14:00<br><br />
<b>Place:</b> Sunrise Business Center, 3500 Sunrise Hwy, Great River, NY 11730, Building 200 [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3500+Sunrise+Hwy,+NY,+Great+River,+NY,+Building+200&sll=40.748249,-73.163388&sspn=0.009298,0.022745&ie=UTF8&ll=40.748249,-73.163388&spn=0.009298,0.022745&t=h&z=16&iwloc=A MAP]<br><br />
<b>Directions:</b> Enter from the service road on the East Bound side of Sunrise Hwy. Turn right after passing the security gate. Attendees can park in front of Building 200 and enter through the Building 200 entrance. We must ask that all attendees do not park in any spot marked as RESERVED. Once you enter building 200, pass through security, turn right and head down the hall, pass through the first set of doors. Our conference room is your first right. There will be signs posted along this path directing attendees to the room.<br><br />
<center>RSVP REQUIRED [http://fs18.formsite.com/owaspli/form562038653/index.html http://www.owasp.org/images/7/7f/Register.gif] </center><br />
<br><br />
<u>Agenda:</u><br><br><br />
;10-00 - Opening Remarks & Welcome to [http://www.owasp.org/images/9/9f/2009-OWASP_KeyNote-V2.pdf OWASP Foundation]<br />
:--'''Helen Gao, OWASP LI Board <br />
;10-20 - Incident Response - Identify, Contain, Eradicate, Recover, Lessons Learned<br />
:Breaches happen. Proper audit compliance enables an organization the ability to detect and prevent attacks. A case study will be examined.<br />
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan] Manager of Network Technologies at [http://www.ntst.com/ Netsmart Technologies]<br />
;11-20 - Code Blue - The Unhealthy State of Your Medical Records (And What Can Be Done to Save Them)<br />
:Millions of patient records have been disclosed to unauthorized third parties. Some of these records were stolen, some were lost yet all could have been prevented.<br />
<br />
:A North Carolina hospital loses a laptop with 14,000 records. The Peninsula Orthopedic Associates lost backup tapes that help 100,000 patient records. The Wallgreens Health Initiative emailed 28,000 records to the state of Kentucky without using encryption. Confiker infects three University of Utah hospitals. Kaiser fires 15 employees for inappropriately accessing medical records. Two Scottish hospitals were infected by a computer worm. Researchers find 20,000 medical records using peer-to-peer software. The Mytob worm infects 4,700 computers at three UK hospitals. Confiker infects 8,000 computers at the Sheffield Teaching Hospitals Trust. Criminals tried to extort Express Scripts with the threat of releasing millions of patient records. SRA International was breached when malicious software allowed an attacker the ability to access patient data maintained by SRA. The list goes on.<br />
<br />
:All of these incidents were reported in the news within a five month period of each other. News like this is being reported with an increasing frequency. <br />
<br />
:Most of these incidents could have been easily avoided by conducting compliance audits and vulnerability assessments.<br />
<br />
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell] Security Consultant [http://www.net2s-us.com/ Net2S/BT-INS], OWASP NY/NJ/LI Board Member<br />
<br />
;12-10 - Lunch<br />
:<br />
<br />
;12-25 - Education, "So you want to train an army of ninjas..." - Teaching offensive techniques to college students<br />
:Dan will discuss the challenges, successes, surprises, and lessons learned creating and delivering a penetration testing course for undergraduate and graduate students at NYU:Poly. The course, which ran on-campus during the Fall 2008 semester, was taught to 30 students and with the help of 5 instructors from outside the university: After 6 weeks, students were given a takehome midterm that tested their ability to apply theoretical techniques discussed in class and that tracked the evolution of their "hacker's mindset." This talk presents lessons learned as "design patterns" that conference attendees can apply to their own courses to increase their effectiveness and train their own army of ninjas in a university setting. Additionally, all course material, videotaped lectures, and student work from the Fall 2008 NYU:Poly Penetration Testing and Vulnerability Analysis course have been made freely available online at: [http://pentest.cryptocity.net/]<br />
<br />
:--'''[http://cryptocity.net Dan Guido], Board Member OWASP NYNJ<br />
;13-25 - Round Table Discussion - Successes, challenges, efforts, hopes and predictions for OWASP Long Island<br />
:--'''[http://www.linkedin.com/in/helengao Helen Gao], Board Member, OWASP LI<br />
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], Board Member, OWASP LI<br />
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell], Board Member, OWASP NYNJ/LI<br />
:--'''[[User:Dguido|Dan Guido]], Board Member OWASP NYNJ<br />
<br />
<br />
<br />
AFTER EVENT NETWORKING ON THE WATER !!<br />
<br />
'''[http://maps.google.com/maps?f=d&source=s_d&saddr=3500+Sunrise+Hwy,+Great+River,+NY+11739&daddr=445+Vanderbilt+Blvd,+Oakdale,+NY+11769-2009&hl=en&geocode=%3BFTN1bQIdVfuj-w&gl=us&mra=ls&sll=40.727859,-73.139371&sspn=0.011155,0.027938&ie=UTF8&ll=40.737925,-73.149204&spn=0.022307,0.055876&t=h&z=15 THE WHARF]<br />
<br />
445 Vanderbilt Blvd, Oakdale, NY 11769<br />
<br />
<center>Come prepared for a day of networking with your industry peers.</center><br />
<center>We invite all attendees to food and libations after the meeting at a local restaurant TBA.</center><br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<br />
==== Chapter Leaders/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
<br />
<br />
==External Links==<br />
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]<br />
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]<br />
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=64647Long Island2009-06-21T12:22:47Z<p>Ryan Behan: Added directions to The Wharf. -RCB - 6-21-2009 Happy Solstice</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
==== Chapter Meetings ====<br />
<p style="margin:0; background:#cef2e0; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em; ">Scroll down to see the upcoming Long Island OWASP events</p> <br />
<br />
<b>Date:</b> Saturday June 27th 2009<br><br />
<b>Time:</b> 10:00-14:00<br><br />
<b>Place:</b> Sunrise Business Center, 3500 Sunrise Hwy, Great River, NY 11730, Building 200 [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3500+Sunrise+Hwy,+NY,+Great+River,+NY,+Building+200&sll=40.748249,-73.163388&sspn=0.009298,0.022745&ie=UTF8&ll=40.748249,-73.163388&spn=0.009298,0.022745&t=h&z=16&iwloc=A MAP]<br><br />
<b>Directions:</b> Enter from the service road on the East Bound side of Sunrise Hwy. Attendees can park in front of Building 200 and enter through the Building 200 entrance. We must ask that all Attendees do not park in any spot marked as RESERVED.<br><br />
<center>RSVP REQUIRED [http://fs18.formsite.com/owaspli/form562038653/index.html http://www.owasp.org/images/7/7f/Register.gif] </center><br />
<br><br />
<u>Agenda:</u><br><br><br />
;10-00 - Opening Remarks & Welcome to [http://www.owasp.org/images/9/9f/2009-OWASP_KeyNote-V2.pdf OWASP Foundation]<br />
:--'''Helen Gao, OWASP LI Board <br />
;10-20 - Incident Response - Identify, Contain, Eradicate, Recover, Lessons Learned<br />
:Breaches happen. Proper audit compliance enables an organization the ability to detect and prevent attacks. A case study will be examined.<br />
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan] Manager of Network Technologies at [http://www.ntst.com/ Netsmart Technologies]<br />
;11-20 - Code Blue - The Unhealthy State of Your Medical Records (And What Can Be Done to Save Them)<br />
:Millions of patient records have been disclosed to unauthorized third parties. Some of these records were stolen, some were lost yet all could have been prevented.<br />
<br />
:A North Carolina hospital loses a laptop with 14,000 records. The Peninsula Orthopedic Associates lost backup tapes that help 100,000 patient records. The Wallgreens Health Initiative emailed 28,000 records to the state of Kentucky without using encryption. Confiker infects three University of Utah hospitals. Kaiser fires 15 employees for inappropriately accessing medical records. Two Scottish hospitals were infected by a computer worm. Researchers find 20,000 medical records using peer-to-peer software. The Mytob worm infects 4,700 computers at three UK hospitals. Confiker infects 8,000 computers at the Sheffield Teaching Hospitals Trust. Criminals tried to extort Express Scripts with the threat of releasing millions of patient records. SRA International was breached when malicious software allowed an attacker the ability to access patient data maintained by SRA. The list goes on.<br />
<br />
:All of these incidents were reported in the news within a five month period of each other. News like this is being reported with an increasing frequency. <br />
<br />
:Most of these incidents could have been easily avoided by conducting compliance audits and vulnerability assessments.<br />
<br />
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell] Security Consultant [http://www.net2s-us.com/ Net2S/BT-INS], OWASP NY/NJ/LI Board Member<br />
<br />
;12-10 - Lunch TBD<br />
:TBD<br />
;12-25 - Education, Penetration Testing and Vulnerability Analysis<br />
:A course in Penetration Testing has existed at NYU:Poly as far back as 2002, in large part because of a NSA Center of Excellence in Education certification requirement. Professors for the course have come and gone and the course content has changed with them, sometimes for the better, but mostly for the worse. In the Summer of 2008, with no instructor in sight for the coming semester and the course material seriously neglected, I offered to teach it and rewrite it from scratch.<br />
<br />
:These are my experiences.<br />
:--'''[http://pentest.cryptocity.net/history/ Dan Guido], Board Member OWASP NYNJ<br />
;13-25 - Round Table Discussion - Successes, challenges, efforts, hopes and predictions for OWASP Long Island<br />
:--'''[http://www.linkedin.com/in/helengao Helen Gao], Board Member, OWASP LIhttp://maps.google.com/maps?f=d&source=s_d&saddr=3500+Sunrise+Hwy,+Great+River,+NY+11739&daddr=445+Vanderbilt+Blvd,+Oakdale,+NY+11769-2009&hl=en&geocode=%3BFTN1bQIdVfuj-w&gl=us&mra=ls&sll=40.727859,-73.139371&sspn=0.011155,0.027938&ie=UTF8&ll=40.737925,-73.149204&spn=0.022307,0.055876&t=h&z=15<br />
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], Board Member, OWASP LI<br />
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell], Board Member, OWASP NYNJ/LI<br />
<br />
<br />
<br />
AFTER EVENT NETWORKING ON THE WATER !!<br />
<br />
'''[http://maps.google.com/maps?f=d&source=s_d&saddr=3500+Sunrise+Hwy,+Great+River,+NY+11739&daddr=445+Vanderbilt+Blvd,+Oakdale,+NY+11769-2009&hl=en&geocode=%3BFTN1bQIdVfuj-w&gl=us&mra=ls&sll=40.727859,-73.139371&sspn=0.011155,0.027938&ie=UTF8&ll=40.737925,-73.149204&spn=0.022307,0.055876&t=h&z=15 THE WHARF]<br />
<br />
445 Vanderbilt Blvd, Oakdale, NY 11769<br />
<br />
<center>Come prepared for a day of networking with your industry peers.</center><br />
<center>We invite all attendees to food and libations after the meeting at a local restaurant TBA.</center><br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<br />
==== Chapter Leaders/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
<br />
<br />
==External Links==<br />
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]<br />
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]<br />
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]</div>Ryan Behanhttps://wiki.owasp.org/index.php?title=Long_Island&diff=64103Long Island2009-06-12T01:46:26Z<p>Ryan Behan: Mispelled "Reound", this has been corrected. - RCB</p>
<hr />
<div>{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}<br />
<br />
==== Chapter Meetings ====<br />
<p style="margin:0; background:#cef2e0; font-size:120%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em; ">Scroll down to see the upcoming Long Island OWASP events</p> <br />
<br />
<b>Date:</b> Saturday June 27th 2009<br><br />
<b>Time:</b> 10:00-14:00<br><br />
<b>Place:</b> Sunrise Business Center, 3500 Sunrise Hwy, Great River, NY 11730, Building 200 [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3500+Sunrise+Hwy,+NY,+Great+River,+NY,+Building+200&sll=40.748249,-73.163388&sspn=0.009298,0.022745&ie=UTF8&ll=40.748249,-73.163388&spn=0.009298,0.022745&t=h&z=16&iwloc=A MAP]<br><br />
<b>Directions:</b> Enter from the service road on the East Bound side of Sunrise Hwy. Attendees can park in front of Building 200 and enter through the Building 200 entrance. We must ask that all Attendees do not park in any spot marked as RESERVED.<br><br />
<center>RSVP REQUIRED [http://fs18.formsite.com/owaspli/form562038653/index.html http://www.owasp.org/images/7/7f/Register.gif] </center><br />
<br><br />
<u>Agenda:</u><br><br><br />
;10-00 - Opening Remarks & Welcome<br />
:--'''Helen Gao, OWASP LI Board<br />
;10-20 - Who is OWASP and how could we help you?<br />
:--'''[http://www.linkedin.com/in/tombrennan Tom Brennan]<br />
;11-20 - Incident Response - Identify, Contain, Eradicate, Recover, Lessons Learned<br />
:Breaches happen. Proper audit compliance enables an organization the ability to detect and prevent attacks. A case study will be examined.<br />
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan] Manager of Network Technologies at [http://www.ntst.com/ Netsmart Technologies]<br />
;12-10 - Lunch TBD<br />
:TBD<br />
;12-25 - Code Blue - The Unhealthy State of Your Medical Records (And What Can Be Done to Save Them)<br />
:Millions of patient records have been disclosed to unauthorized third parties. Some of these records were stolen, some were lost yet all could have been prevented.<br />
<br />
:A North Carolina hospital loses a laptop with 14,000 records. The Peninsula Orthopedic Associates lost backup tapes that help 100,000 patient records. The Wallgreens Health Initiative emailed 28,000 records to the state of Kentucky without using encryption. Confiker infects three University of Utah hospitals. Kaiser fires 15 employees for inappropriately accessing medical records. Two Scottish hospitals were infected by a computer worm. Researchers find 20,000 medical records using peer-to-peer software. The Mytob worm infects 4,700 computers at three UK hospitals. Confiker infects 8,000 computers at the Sheffield Teaching Hospitals Trust. Criminals tried to extort Express Scripts with the threat of releasing millions of patient records. SRA International was breached when malicious software allowed an attacker the ability to access patient data maintained by SRA. The list goes on.<br />
<br />
:All of these incidents were reported in the news within a five month period of each other. News like this is being reported with an increasing frequency. <br />
<br />
:Most of these incidents could have been easily avoided by conducting compliance audits and vulnerability assessments.<br />
<br />
We will walk through some recent incidents involving health care facilities around the world and detail how they could have been prevented.<br />
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell] Security Consultant [http://www.net2s-us.com/ Net2S/BT-INS], OWASP NY/NJ/LI Board Member<br />
;13-25 - Round Table Discussion - Successes, challenges, efforts, hopes and predictions for OWASP Long Island<br />
:--'''[http://www.linkedin.com/in/tombrennan Tom Brennan], Global Board Member, OWASP Foundation<br />
:--'''Helen Gao, Board Member, OWASP LI<br />
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], Board Member, OWASP LI<br />
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell], Board Member, OWASP NYNJ/LI<br />
<center>Come prepared for a day of networking with your industry peers.</center><br />
<center>We invite all attendees to food and libations after the meeting at a local restaurant TBA.</center><br />
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center><br />
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center><br />
<br />
<br />
<br />
==== Chapter Leaders/Contacts ====<br />
<ul><br />
*[mailto:heleng@owasp.org Helen Gao, CISSP]<br />
*[mailto:ryan.behan@owasp.org Ryan C Behan]<br />
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704<br />
</ul><br />
__NOTOC__<br />
<headertabs/><br />
<br />
<br />
<br />
==External Links==<br />
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]<br />
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]<br />
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]</div>Ryan Behan