OWASP - User contributions [en]

San Jose

2007-12-03T18:43:38Z

Steingra: /* Thursday, December 13, 2007 */

San Jose

2007-12-03T18:42:52Z

Steingra: /* Thursday, December 13, 2007 */

San Jose

2007-12-03T18:41:53Z

Steingra: /* Thursday, December 13, 2007 */

San Jose

2007-12-03T18:40:12Z

Steingra: /* Thursday, December 13, 2007 */

San Jose

2007-12-03T18:37:41Z

Steingra: /* Thursday, September 6, 2007 */

San Jose-Archive

2007-12-03T18:18:35Z

Steingra: /* Meeting - Tuesday, December 19, 2006 */

== Meeting - Tuesday, December 19, 2006 ==

'''Venue:''' 
Fujitsu Advanced Networking Solutions 
1240 E. Arques Ave. 
Sunnyvale, CA 94085 

'''New Trends and Web Application Security Statistics''' 
'''''Presented by: Jeremiah Grossman, Founder & CTO, WhiteHat Security''''' 

'''Abstract:''' First Look at New Web Application Security Statistics. The Top 10 Web Application Vulnerabilities and their Impact on the Enterprise Web applications are the newest attack target, hitting the biggest and best brands on the Internet. And yet, until now, there has been limited information available about the most prevalent and most severe vulnerabilities that are facilitating the rapidly rising number of attacks.

WhiteHat Security founder and CTO, Jeremiah Grossman, will present the findings from the first WhiteHat Security Web Application Security Risk Report. Based on WhiteHat’s aggregate data from hundreds of web application assessments, Mr.Grossman's presentation will provide a first-of-its-kind look at the top vulnerabilities that attackers are exploiting at businesses across the Web.
 
• Identify and discuss the top ten vulnerabilities 
• Define the severity levels of web application vulnerabilities 
• Present strategies for web application vulnerability management 

'''Bio:''' Mr. Grossman is a world-renowned expert in Web security and a founding member of the Web Application Security Consortium. He is a frequent speaker at industry events including the BlackHat Briefings, ISACA’s Networks Security Conference, NASA, the Air Force and Technology Conference, ISSA and Defcon. Mr. Grossman is also a featured expert and frequent contributor on TechTarget’s SearchAppSecurity.com.

 

== Thursday, September 6, 2007 ==

'''Pictures From the Event''' 
Garrett Gee was nice enough to take some pictures of the September 6th event. They can be found here: 
http://flickr.com/photos/ggee/sets/72157601905839040/

Open to the public, attendance is free 

'''Agenda and Presentations:''' 
5:00pm – 5:30pm Check-in and Reception (food and beverages) 
5:30pm – 6:45pm Malicious Code Injection Workshop 
6:45pm – 6:55pm Break 
6:55pm – 8:10pm Panel Discussion – Privacy, Security and Breaches, Oh My! 
8:10pm – 8:30pm Networking Session 

'''Venue:''' 
eBay - Town Square B 
2161 North First Street 
San Jose, CA 95131 

''Map and Directions:'' 
[http://maps.yahoo.com/broadband#mvt=m&q1=2211+N+1st+Street%2C+San+Jose%2C+CA&trf=0&lon=-121.921484&lat=37.377166&mag=3 Map] 

'''Malicious Code Injection Workshop''' 

SQL Injection, Cross-site Scripting (XSS) and other injection attacks techniques have become pervasive on the web. This hands-on workshop takes an in-depth look at common methods used to exploit web applications. Attendees will learn step-by-step techniques used by attackers allowing them to better understand how web applications are exploited. Each attack method is followed up with a discussion about effective countermeasures to defend against such attacks. 

This interactive workshop includes a victim web application that contains built-in vulnerabilities. Attendees can bring their own laptop computers and participate in hands-on lab sessions. The objective of this workshop is to learn secure development practices used to harden the security of applications. Attendee participation is encouraged and door prizes will be awarded at random. 

''Note:'' To participate in the exercise bring an 802.11b/g equipped laptop with IE or Firefox installed. No hostile code will be put on your laptop by the instructors, but do have a firewall running to protect yourself. No wired connection to the class network will be provided. 

'''Workshop Instructors:''' 
Siva Ram, CISA - Senior Consultant, AppSec Consulting 
Tom Stracener - Cenzic 
Arian Evans - WhiteHat Security 

'''Panel Discussion: “Privacy, Security and Breaches, Oh My!” ''' 

This panel discussion will review the current state of information privacy and the security of web applications. Security breaches are occurring at an alarming rate and consumers are loosing faith. What, if anything can be done to restore confidence in e-commerce? 

What can we learn from events at Card Systems are more recently Monster.com? What can be done to ensure your company is not the next victim of a class action and/or hackers and data thieves? Join an all-star panel of Information Privacy and Data Security professionals to better understand what’s at stake and how to stay out of the headlines. 

'''Moderator:''' Alex Stamos, iSEC Partners 

'''Panelists:''' 

Doran Rotman, KPMG (co-author, Generally Accepted Privacy Principles 
David Pollino, Washington Mutual Bank 
Robert Fly, Salesforce.com 
Larry Pingree, Safeway (co-founder, Digital Forensics Association) 
Kurt Opsahl, EFF 

Please RSVP at http://owaspday.eventbrite.com or send an email to brian.bertacini at owasp.org. Feel free to invite like minded IT Security Professionals and help grow OWASP.

San Jose

2007-09-12T16:06:52Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose Archive

2007-09-12T15:48:37Z

Steingra:

==Wednesday, July 25, 2007 ==
Open to the public, attendance is free

'''Agenda and Presentations:''' 
6:00pm - 6:30pm ... Check-in and reception (food & bev) 
6:30pm - 7:15pm ... Attacking XML Security - Brad Hill 
7:15pm - 8:00pm ... Development of a Security Metric System to Rate Enterprise Software - Fredrick Lee 
8:00pm - 8:30pm ... Networking Session 

'''Venue:''' 
Ariba 
807 11th Avenue 
Sunnyvale, Ca 94089 
[http://www.ariba.com/company/hq_map.cfm Map and Directions] 

'''Attacking XML Security''' 
'''''Presented by: Brad Hill, iSEC Partners''''' 

'''Abstract:'''
Brad will present his ongoing research into attacking the XML Digital Signature and Encryption standards that underpin the security of Web Services, mobile code, SAML, federated identity systems and more. The talk will begin with a high-level, critical take on the emerging conventional wisdom about message-oriented security and continue with a detailed discussion of design and implementation weaknesses in the standards. Technical material will include a root cause analysis of the recent iSEC advisory on cross-platform, remote code execution vulnerabilities discovered in multiple XML Digital Signature products. 

[http://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_bh07.pdf Presentation Link] 

'''Bio:''' Based out of Seattle, Brad Hill is a Senior Security Consultant at iSEC Partners, a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification. Brad brings a ten year background as a software developer and architect in the technology and financial services sectors to his work at iSEC, where he does design review, application assessment and development lifecycle improvement for some of the world’s leading software companies.
 
 
 
'''Development of a Security Metric System to Rate Enterprise Software''' 
'''''Presented by: Fredrick Lee, Fortify Software''''' 

'''Abstract:'''
As part of Fortify Software’s Java Open Review (JOR) project, both security defects and quality issues discovered in open source software are collected. The projects being analyzed are diverse in their development methodologies, development stages, and application styles. The projects range from small utility packages (e.g. Apache Commons), to mid-size intranet applications (e.g. JSPWiki), to large-scale, commercial grade enterprise projects (e.g. JBoss). In essence, participants in the Java Open Review project reflect the typical enterprise organization’s code base: a large collection of several small utility/internal applications and a handful of enterprise “flagship” products.

As part of the project, we have been challenged to answer the question: Which
application is more “secure.” To answer this question, Fortify has sought to develop a set of metrics that combine lessons learned from our experience working on various enterprise code bases and our work on the JOR project. The metrics are designed to incorporate diverse criteria, including the size of the application, the types of vulnerabilities identified, and time required to fix the vulnerabilities. The metrics provide a mechanism to rate software components for security concerns and enable enterprises to:

- Evaluate which open source projects offer an acceptable level of security 
- Compare competing open source software solutions based on their security 
- Measure internal development efforts against open source open source counterparts

Ultimately, with sufficient industry adoption, the metrics can also enable enterprises to compare their internal efforts against other enterprises within the same vertical. As part of the talk we will present our experience to date working with companies to develop an effective mechanism for evaluating the security of enterprise software.

'''Bio:''' Fredrick Lee is a member of Fortify Software’s Security Research Group, where he manages the Java Open Review Project. Scanning the code of over 100 applications so far, Fredrick is helping assess and improve the security of open source software. Fredrick also helps the Security Research Group develop the secure coding rules that are use to run Fortify’s suite of products.

Prior to joining Fortify Software, Fredrick was a Senior Information Security Engineer at Bank of America, where he helped roll out a secure development framework, performed security assessments, and developed enterprise security solutions.

Fredrick graduated from the University of Oklahoma, with a BS in Computer Engineering.

 

'''Upcoming Security Workshops''' 
'''''Presented by: Brian Bertacini, Volunteer Chapter Organizer''''' 

'''Abstract:''' Introduce local volunteer expert trainers that are planning web application and infrastructure security workshops.

Please RSVP to via email [mailto:brian.bertacini@owasp.org Brian Bertacini], call 408-979-0571 or visit [http://owasp.mollyguard.com OWASP.Mollyguard.com]

Special thanks to [http://www.ariba.com Ariba] for hosting this event and to [http://www.appsecconsulting.com AppSec Consulting] and [http://www.isecpartners.com iSEC Partners] for sponsoring.

== Thursday, April 12, 2007 ==
Open to the public, attendance is free

'''Agenda and Presentations:''' 
6:00pm - 6:30pm ... Check-in and reception (food & bev) 
6:30pm - 7:30pm ... Past, Present and Future of Web Application Security in PCI - Bernie Weidel 
7:30pm - 8:30pm ... Top Web Application Vulnerabilities, Exploits and Countermeasures - Josh Daymont 

'''Venue:''' 
Ariba 
807 11th Avenue 
Sunnyvale, Ca 94089 
[http://www.ariba.com/company/hq_map.cfm Map and Directions] 

'''Past, Present and Future of Web Application Security in PCI''' 
'''''Presented by: Bernie Weidel - PCI Product Manager, Qualys''''' 

'''Abstract:'''
This presentation will start off with a holistic view of Ecommerce Data Security in contrast to the overall scope of Fraud in the Financial Services Industry, thereby giving insights as to why the PCI DSS was created by the Credit Card Brands and developed into its current form. Next, we will explore the current state of Web Application Security in the PCI DSS v1.1 and attempt to bring clarity to some of the more confusing items. We will also outline the structure of the PCI DSS Council; reviewing its key concepts and requirements. Lastly, we will outline methods you can use to proactively get involved in shaping future versions of the PCI DSS. 

'''Bio:''' Bernie Weidel, Product Manager for QualysGuard PCI is responsible for evaluating customer/partner requirements, integrating them into the product, and driving PCI to market. Bernie has been developing methods to achieve and evidence compliance since 2000, when he designed a HIPAA compliance program for Scarborough Insurance Agency. Prior to joining Qualys, Bernie was an Infrastructure Security Project Manager at Adobe Systems where he implemented, managed and streamlined SOX and PCI compliance programs. He was also responsible for various aspects of security such as Web Application Security, Database Security, PDA Security and Vulnerability Management. Before Adobe, Bernie worked for Symbol Wireless Technologies as a Wireless Systems Analyst; designing, installing and troubleshooting/fine tuning Enterprise Wireless Networks.
 
 
 
'''Top Web Application Vulnerabilities, Exploits and Countermeasures''' 
'''''Presented by: Josh Daymont - Sr. Security Consultant, Fortify''''' 

'''Abstract:'''
This presentation will take a look at Web Application Security from the Front lines to the back offices of systems development. First, a look at the top vulnerabilities and how are they exploited. Then look beyond the front lines and explore countermeasures that can be implemented during the development process to protect applications and sensitive data after deployment. 

'''About OWASP''' 
'''''Presented by: Brian Bertacini, Volunteer chapter organizer''''' 

'''Abstract:''' An overview of the Open Web Application Security Project (OWASP), current projects and feedback from the recent WebAppSec Conference in Seattle.

Please RSVP to via email [mailto:brian.bertacini@owasp.org Brian Bertacini], call 408-979-0571 or visit [http://owasp.mollyguard.com OWASP.Mollyguard.com]

Special thanks to [http://www.aribe.com Ariba] for hosting this event.

San Jose Archive

2007-09-12T15:46:48Z

Steingra: New page: ==Wednesday, July 25, 2007 == Open to the public, attendance is free '''Agenda and Presentations:''' 6:00pm - 6:30pm ... Check-in and reception (food & bev) 6:30pm - 7:15pm ... ...

San Jose

2007-08-29T22:22:13Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-28T21:51:14Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-24T18:31:06Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-24T18:30:40Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-24T18:28:40Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-24T18:27:18Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-24T18:26:32Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-24T18:25:16Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-24T18:24:36Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-24T18:24:03Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-24T18:22:24Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-24T18:21:36Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-24T18:20:23Z

Steingra: /* Next Meeting - Thursday, September 6, 2007 */

San Jose

2007-08-03T18:23:37Z

Steingra: /* Next Meeting - Wednesday, July 25, 2007 */

{{Chapter Template|chaptername=San Jose|extra=The chapter leader is [mailto:brian.bertacini@owasp.org Brian Bertacini]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-sanjose|emailarchives=http://lists.owasp.org/pipermail/owasp-sanjose}}

== Next Meeting - Wednesday, July 25, 2007 ==
Open to the public, attendance is free

'''Agenda and Presentations:''' 
6:00pm - 6:30pm ... Check-in and reception (food & bev) 
6:30pm - 7:15pm ... Attacking XML Security - Brad Hill 
7:15pm - 8:00pm ... Development of a Security Metric System to Rate Enterprise Software - Fredrick Lee 
8:00pm - 8:30pm ... Networking Session 

'''Venue:''' 
Ariba 
807 11th Avenue 
Sunnyvale, Ca 94089 
[http://www.ariba.com/company/hq_map.cfm Map and Directions] 

'''Attacking XML Security''' 
'''''Presented by: Brad Hill, iSEC Partners''''' 

'''Abstract:'''
Brad will present his ongoing research into attacking the XML Digital Signature and Encryption standards that underpin the security of Web Services, mobile code, SAML, federated identity systems and more. The talk will begin with a high-level, critical take on the emerging conventional wisdom about message-oriented security and continue with a detailed discussion of design and implementation weaknesses in the standards. Technical material will include a root cause analysis of the recent iSEC advisory on cross-platform, remote code execution vulnerabilities discovered in multiple XML Digital Signature products. 

[http://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_bh07.pdf Presentation Link] 

'''Bio:''' Based out of Seattle, Brad Hill is a Senior Security Consultant at iSEC Partners, a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification. Brad brings a ten year background as a software developer and architect in the technology and financial services sectors to his work at iSEC, where he does design review, application assessment and development lifecycle improvement for some of the world’s leading software companies.
 
 
 
'''Development of a Security Metric System to Rate Enterprise Software''' 
'''''Presented by: Fredrick Lee, Fortify Software''''' 

'''Abstract:'''
As part of Fortify Software’s Java Open Review (JOR) project, both security defects and quality issues discovered in open source software are collected. The projects being analyzed are diverse in their development methodologies, development stages, and application styles. The projects range from small utility packages (e.g. Apache Commons), to mid-size intranet applications (e.g. JSPWiki), to large-scale, commercial grade enterprise projects (e.g. JBoss). In essence, participants in the Java Open Review project reflect the typical enterprise organization’s code base: a large collection of several small utility/internal applications and a handful of enterprise “flagship” products.

As part of the project, we have been challenged to answer the question: Which
application is more “secure.” To answer this question, Fortify has sought to develop a set of metrics that combine lessons learned from our experience working on various enterprise code bases and our work on the JOR project. The metrics are designed to incorporate diverse criteria, including the size of the application, the types of vulnerabilities identified, and time required to fix the vulnerabilities. The metrics provide a mechanism to rate software components for security concerns and enable enterprises to:

- Evaluate which open source projects offer an acceptable level of security 
- Compare competing open source software solutions based on their security 
- Measure internal development efforts against open source open source counterparts

Ultimately, with sufficient industry adoption, the metrics can also enable enterprises to compare their internal efforts against other enterprises within the same vertical. As part of the talk we will present our experience to date working with companies to develop an effective mechanism for evaluating the security of enterprise software.

'''Bio:''' Fredrick Lee is a member of Fortify Software’s Security Research Group, where he manages the Java Open Review Project. Scanning the code of over 100 applications so far, Fredrick is helping assess and improve the security of open source software. Fredrick also helps the Security Research Group develop the secure coding rules that are use to run Fortify’s suite of products.

Prior to joining Fortify Software, Fredrick was a Senior Information Security Engineer at Bank of America, where he helped roll out a secure development framework, performed security assessments, and developed enterprise security solutions.

Fredrick graduated from the University of Oklahoma, with a BS in Computer Engineering.

 

'''Upcoming Security Workshops''' 
'''''Presented by: Brian Bertacini, Volunteer Chapter Organizer''''' 

'''Abstract:''' Introduce local volunteer expert trainers that are planning web application and infrastructure security workshops.

Please RSVP to via email [mailto:brian.bertacini@owasp.org Brian Bertacini], call 408-979-0571 or visit [http://owasp.mollyguard.com OWASP.Mollyguard.com]

Special thanks to [http://www.ariba.com Ariba] for hosting this event and to [http://www.appsecconsulting.com AppSec Consulting] and [http://www.isecpartners.com iSEC Partners] for sponsoring.

San Jose

2007-04-02T03:54:08Z

Steingra:

San Jose

2007-04-02T03:52:57Z

Steingra:

San Jose-Archive

2007-04-02T03:34:59Z

Steingra: New page: == Meeting - Tuesday, December 19, 2006 == '''Venue:''' Fujitsu Advanced Networking Solutions 1240 E. Arques Ave. Sunnyvale, CA 94085 '''New Trends and Web Applicati...