OWASP - User contributions [en]

Virginia

2008-09-06T02:01:51Z

Swisseman: /* Next Meeting */

Virginia

2008-09-06T02:00:12Z

Swisseman: /* Last Month */

{{Chapter Template|chaptername=Washington VA|extra=The chapter leader is [mailto:wisseman_stan@bah.com Stan Wisseman]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va|emailarchives=http://lists.owasp.org/pipermail/owasp-wash_dc_va}}

== Last Month ==

In August, our talks were:

"Software Assurance and the Insider Threat" by Karen Mercedes Goertzel, Booz Allen. Karen is a subject matter expert in software assurance and information assurance, particularly multilevel secure systems and cross-domain information sharing. She supports the DHS SwA Program and the National Security Agency’s Center for Assured Software, and was lead technologist for 3 years on the Defense Information Systems Agency (DISA) Application Security Program. Karen was lead author of IATAC's the state-of-the-art reports in software security assurance and insider threats. This talk will combine the two topics.

"Protecting Your Applications From Backdoors: How Static Binary Analysis Helps Build High-Assurance Applications" by Shawn Hank of Veracode. Backdoors and malicious code pose operational risk to software at a level too significant for organizations to ignore. The common practices of outsourcing and using third-party libraries are making modern application development increasingly complex. As a result, it is nearly impossible for an enterprise to identify the pedigree and security level of the software running their business-critical applications and handling their customers' personally identifiable information.

== Next Meeting ==

Our next meeting will be on 14 August from 6-9pm at the Booz Allen Herndon facility. Our talks will be:

"Software Assurance and the Insider Threat" by Karen Mercedes Goertzel, Booz Allen. Karen is a subject matter expert in software assurance and information assurance, particularly multilevel secure systems and cross-domain information sharing. She supports the DHS SwA Program and the National Security Agency’s Center for Assured Software, and was lead technologist for 3 years on the Defense Information Systems Agency (DISA) Application Security Program. Karen was lead author of IATAC's the state-of-the-art reports in software security
assurance and insider threats. This talk will combine the two topics.

"Protecting Your Applications From Backdoors: How Static Binary Analysis Helps Build High-Assurance Applications" by Shawn Hank of Veracode. Backdoors and malicious code pose operational risk to software at a level too significant for organizations to ignore. The common practices of outsourcing and using third-party libraries are making modern application development increasingly complex. As a result, it is nearly impossible for an enterprise to identify the pedigree and security level of the software running their business-critical applications and handling their customers' personally identifiable information.

As you can see, there is a theme for this meeting.

Pizza will be provided for a small fee. If you plan on attending, RSVP so I can get you badge processing started.

==Directions==

To Booz Allen's One Dulles facility:

13200 Woodland Park Road
Herndon, VA 20171

From Tyson's Corner:

1. Take LEESBURG PIKE / VA-7 WEST
2. Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)
3. Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)
4. Take the ramp toward CHANTILLY
5. Turn Left onto CENTERVILLE ROAD (at end of ramp)
6. Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)
7. End at 13200 WOODLAND PARK ROAD

[[Category:Virginia]]

Virginia

2008-08-07T21:24:58Z

Swisseman: /* Next Meeting */

Virginia

2008-08-07T21:06:47Z

Swisseman: /* Last Month */

Virginia

2008-07-08T12:14:40Z

Swisseman: /* Next Meeting */

Virginia

2008-07-08T12:00:10Z

Swisseman: /* Last Month */

Virginia

2008-05-29T22:07:22Z

Swisseman: /* Next Meeting */

Virginia

2008-05-15T21:48:55Z

Swisseman: /* Next Meeting */

Virginia

2008-05-14T19:17:25Z

Swisseman: /* Next Meeting */

Virginia

2008-05-14T19:11:24Z

Swisseman: /* Last Month */

{{Chapter Template|chaptername=Washington VA|extra=The chapter leader is [mailto:wisseman_stan@bah.com Stan Wisseman]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va|emailarchives=http://lists.owasp.org/pipermail/owasp-wash_dc_va}}

== Last Month ==

In May, Fortify Software provided a private viewing of the film “The New Face of CyberCrime,” by Academy Award-nominated Filmmaker Fredric Golding. This was a good film that generated some discussion afterward. A teaser for the video is avaialble at: http://www.fortify.com/security-resources/ If interested in arranging a full viewing, contact Brian Fox (bfox@fortify.com.)

Fortify's Rob Rachwald then gave a presentation entitled “Integrating Security Into the QA Group”.

== Next Meeting ==

Our next meeting will be on 8 May from 6-9pm at the Booz Allen Herndon facility.

- Attend a private viewing of the film, “The New Face of CyberCrime,” by Academy Award-nominated Filmmaker Fredric Golding. This revealing documentary features candid interviews with criminal hackers and those industry executives taking steps against their persistent attacks. The film is 20 minutes in length and we will follow up with discussion.

- “Integrating Security Into the QA Group”, Robert Rachwald, Director of Product Management, Fortify Software.

Abstract: Until recently, Web Application Testing was left to security teams and ethical hackers who used advanced tools, such as Web application scanners, to analyze running Web applications. However, security groups are becoming overburdened by product releases, and many organizations are attempting to move security testing earlier in the development cycle. The QA group is a natural candidate, since it generally has the infrastructure in place to test applications for quality issues. However, for many organizations, integrating security into the QA group has been incredibly difficult. The process of running a security test is a learned skill, and not something one can teach a QA tester in a matter of days. On top of that, most security testing tools were designed for penetration testers (since they require an in-depth knowledge of application security theory) and are not generally usable by QA professionals. As a result, very few QA groups have successfully adopted security testing.

Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed U.S. product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob, then, managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.

Pizza is being provided by Fortify this month. If you need/want to provide a contribution, you can. If you plan on attending, RSVP so I can get you badge processing started.

==Directions==

To Booz Allen's One Dulles facility:

13200 Woodland Park Road
Herndon, VA 20171

From Tyson's Corner:

1. Take LEESBURG PIKE / VA-7 WEST
2. Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)
3. Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)
4. Take the ramp toward CHANTILLY
5. Turn Left onto CENTERVILLE ROAD (at end of ramp)
6. Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)
7. End at 13200 WOODLAND PARK ROAD

Virginia

2008-04-30T23:43:13Z

Swisseman: /* Next Meeting */

{{Chapter Template|chaptername=Washington VA|extra=The chapter leader is [mailto:wisseman_stan@bah.com Stan Wisseman]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va|emailarchives=http://lists.owasp.org/pipermail/owasp-wash_dc_va}}

== Last Month ==

In April we had two good talks/discussions:

- SANS Software security institute and the GSSP certification. Ed Tracy is an Associate of Booz Allen. Ed has been very involved with the SANS software security activities and the creation of the GSSP-J certification which is the first of its kind. We had a great discussion about what SANS is doing and some of the challenges in putting together this exam.

- "Building Usable Security" by Zed Abbadi. Zed believes that one of the main reasons why application security violations continue to rise is the fact that many deployed security mechanism are not user friendly, limiting their effectiveness. He had some good examples.

I mentioned a useful Web site one of the participants recent stood up to help those in the NoVA area be aware of local infosec events. Here is the link:

http://www.novainfosecportal.com/

== Next Meeting ==

Our next meeting will be on 8 May from 6-9pm at the Booz Allen Herndon facility.

- Attend a private viewing of the film, “The New Face of CyberCrime,” by Academy Award-nominated Filmmaker Fredric Golding. This revealing documentary features candid interviews with criminal hackers and those industry executives taking steps against their persistent attacks. The film is 20 minutes in length and we will follow up with discussion.

- “Integrating Security Into the QA Group”, Robert Rachwald, Director of Product Management, Fortify Software.

Abstract: Until recently, Web Application Testing was left to security teams and ethical hackers who used advanced tools, such as Web application scanners, to analyze running Web applications. However, security groups are becoming overburdened by product releases, and many organizations are attempting to move security testing earlier in the development cycle. The QA group is a natural candidate, since it generally has the infrastructure in place to test applications for quality issues. However, for many organizations, integrating security into the QA group has been incredibly difficult. The process of running a security test is a learned skill, and not something one can teach a QA tester in a matter of days. On top of that, most security testing tools were designed for penetration testers (since they require an in-depth knowledge of application security theory) and are not generally usable by QA professionals. As a result, very few QA groups have successfully adopted security testing.

Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed U.S. product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob, then, managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.

Pizza is being provided by Fortify this month. If you need/want to provide a contribution, you can. If you plan on attending, RSVP so I can get you badge processing started.

==Directions==

To Booz Allen's One Dulles facility:

13200 Woodland Park Road
Herndon, VA 20171

From Tyson's Corner:

1. Take LEESBURG PIKE / VA-7 WEST
2. Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)
3. Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)
4. Take the ramp toward CHANTILLY
5. Turn Left onto CENTERVILLE ROAD (at end of ramp)
6. Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)
7. End at 13200 WOODLAND PARK ROAD

Virginia

2008-04-28T11:53:01Z

Swisseman: /* Next Meeting */

{{Chapter Template|chaptername=Washington VA|extra=The chapter leader is [mailto:wisseman_stan@bah.com Stan Wisseman]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va|emailarchives=http://lists.owasp.org/pipermail/owasp-wash_dc_va}}

== Last Month ==

In April we had two good talks/discussions:

- SANS Software security institute and the GSSP certification. Ed Tracy is an Associate of Booz Allen. Ed has been very involved with the SANS software security activities and the creation of the GSSP-J certification which is the first of its kind. We had a great discussion about what SANS is doing and some of the challenges in putting together this exam.

- "Building Usable Security" by Zed Abbadi. Zed believes that one of the main reasons why application security violations continue to rise is the fact that many deployed security mechanism are not user friendly, limiting their effectiveness. He had some good examples.

I mentioned a useful Web site one of the participants recent stood up to help those in the NoVA area be aware of local infosec events. Here is the link:

http://www.novainfosecportal.com/

== Next Meeting ==

Our next meeting will be on 8 May from 6-9pm at the Booz Allen Herndon facility.

- Movie on software security - produced by Fortify

- “Integrating Security Into the QA Group”, Robert Rachwald, Director of Product Management, Fortify Software.

Abstract: Until recently, Web Application Testing was left to security teams and ethical hackers who used advanced tools, such as Web application scanners, to analyze running Web applications. However, security groups are becoming overburdened by product releases, and many organizations are attempting to move security testing earlier in the development cycle. The QA group is a natural candidate, since it generally has the infrastructure in place to test applications for quality issues. However, for many organizations, integrating security into the QA group has been incredibly difficult. The process of running a security test is a learned skill, and not something one can teach a QA tester in a matter of days. On top of that, most security testing tools were designed for penetration testers (since they require an in-depth knowledge of application security theory) and are not generally usable by QA professionals. As a result, very few QA groups have successfully adopted security testing.

Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed U.S. product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob, then, managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services.

Pizza will be available for a small fee. If you plan on attending, RSVP so I can get you badge processing started.

==Directions==

To Booz Allen's One Dulles facility:

13200 Woodland Park Road
Herndon, VA 20171

From Tyson's Corner:

1. Take LEESBURG PIKE / VA-7 WEST
2. Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)
3. Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)
4. Take the ramp toward CHANTILLY
5. Turn Left onto CENTERVILLE ROAD (at end of ramp)
6. Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)
7. End at 13200 WOODLAND PARK ROAD

Virginia

2008-04-28T11:45:00Z

Swisseman: /* Last Month */

{{Chapter Template|chaptername=Washington VA|extra=The chapter leader is [mailto:wisseman_stan@bah.com Stan Wisseman]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va|emailarchives=http://lists.owasp.org/pipermail/owasp-wash_dc_va}}

== Last Month ==

In April we had two good talks/discussions:

- SANS Software security institute and the GSSP certification. Ed Tracy is an Associate of Booz Allen. Ed has been very involved with the SANS software security activities and the creation of the GSSP-J certification which is the first of its kind. We had a great discussion about what SANS is doing and some of the challenges in putting together this exam.

- "Building Usable Security" by Zed Abbadi. Zed believes that one of the main reasons why application security violations continue to rise is the fact that many deployed security mechanism are not user friendly, limiting their effectiveness. He had some good examples.

I mentioned a useful Web site one of the participants recent stood up to help those in the NoVA area be aware of local infosec events. Here is the link:

http://www.novainfosecportal.com/

== Next Meeting ==

Our next meeting will be on 10 April from 6-8pm at the Booz Allen Herndon facility. Talks will include:

- SANS Software security institute and the GSSP certification. Ed Tracy is an Associate of Booz Allen. Ed has been very involved with the SANS software security activities and the creation of the GSSP certification which is the first of its kind. He is also very involved with OWASP, especially the Washington DC chapter. It will be great to have him join our chapter meeting.

- "Building Usable Security" by Zed Abbadi. Zed believes that one of the main reasons why application security violations continue to rise is the fact that many deployed security mechanism are not user friendly, limiting their effectiveness. Unless security engineers start thinking more about how to make security more usable, progress in securing systems will be limited. Zed, a long time participant of our chapter, is a Senior Security Engineer with the Public Company Accounting Oversight Board (PCAOB). He has over 15 years of experience in software and security engineering. His experience ranges from providing security consulting services to building large-scale software systems. In his current role he is responsible for the security of all software applications that run on PCAOB’s infrastructure.

Pizza will be available for a small fee. If you plan on attending, RSVP so I can get you badge processing started.

==Directions==

To Booz Allen's One Dulles facility:

13200 Woodland Park Road
Herndon, VA 20171

From Tyson's Corner:

1. Take LEESBURG PIKE / VA-7 WEST
2. Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)
3. Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)
4. Take the ramp toward CHANTILLY
5. Turn Left onto CENTERVILLE ROAD (at end of ramp)
6. Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)
7. End at 13200 WOODLAND PARK ROAD

Virginia

2008-04-07T21:37:59Z

Swisseman: /* Next Meeting */

Virginia

2008-04-07T21:31:00Z

Swisseman: /* Next Meeting */

Virginia

2008-04-07T21:30:46Z

Swisseman: /* Last Month */

Virginia

2008-03-13T04:54:43Z

Swisseman: /* Next Meeting */

Virginia

2008-03-11T02:10:25Z

Swisseman: /* Next Meeting */

Virginia

2008-03-11T02:02:44Z

Swisseman: /* Next Meeting */

Virginia

2008-03-11T01:59:19Z

Swisseman: /* Last Month */

Virginia

2008-02-08T14:59:45Z

Swisseman: /* Next Meeting */

Virginia

2008-02-05T18:39:30Z

Swisseman: /* Next Meeting */

Virginia

2008-02-05T18:36:40Z

Swisseman: /* Last Month */

Virginia

2008-01-09T14:26:59Z

Swisseman: /* Next Meeting */

Virginia

2007-11-29T15:52:24Z

Swisseman: /* Next Meeting */

Virginia

2007-11-29T15:49:39Z

Swisseman: /* Last Month */

Virginia

2007-11-29T15:46:59Z

Swisseman: /* Next Meeting */

Virginia

2007-10-29T18:56:14Z

Swisseman: /* Last Month */

Virginia

2007-10-29T18:47:04Z

Swisseman: /* Last Month */

File:DeMystifying WS Security.pdf

2007-10-29T18:44:42Z

Swisseman:

Virginia

2007-10-29T18:36:44Z

Swisseman: /* Next Meeting */

Virginia

2007-10-19T21:23:45Z

Swisseman: /* Next Meeting */

Virginia

2007-10-19T19:22:28Z

Swisseman: /* Next Meeting */

Virginia

2007-10-19T19:16:25Z

Swisseman: /* Last Month */

Virginia

2007-10-05T16:47:32Z

Swisseman: /* Next Meeting */

Virginia

2007-09-08T23:40:15Z

Swisseman: /* Next Meeting */

Virginia

2007-09-08T23:38:30Z

Swisseman: /* Last Month */

Virginia

2007-09-08T23:36:42Z

Swisseman: /* Next Meeting */

Virginia

2007-09-06T12:12:08Z

Swisseman: /* Next Meeting */

Virginia

2007-09-06T12:11:49Z

Swisseman: /* Next Meeting */

Virginia

2007-07-27T19:27:36Z

Swisseman: /* Next Meeting */

Virginia

2007-07-27T19:27:00Z

Swisseman: /* Next Meeting */

Virginia

2007-07-27T19:23:50Z

Swisseman: /* Last Month */

Virginia

2007-07-27T19:22:39Z

Swisseman: /* Next Meeting */

Virginia

2007-07-10T12:40:53Z

Swisseman: /* Next Meeting */

{{Chapter Template|chaptername=Washington VA|extra=The chapter leader is [mailto:wisseman_stan@bah.com Stan Wisseman]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-wash_dc_va|emailarchives=http://lists.owasp.org/pipermail/owasp-wash_dc_va}}

== Last Month ==

We had two talks on 10 May:

- Brian Chess, Fortify (Chief Scientist and co-founder) talked about the Fortify open source project and the impact it is having [[Image:Java_Open_Review.ppt]]. He also shared his opinions about black box testing/appsec scanners, their effectiveness and alternatives [[Image:Bytecode_injection.ppt‎]].

- "Security at the VMM Layer", Theodore Winograd, Booz Allen Hamilton. Ted did this talk for one of his Master's courses. He is very active supporting NIST with Special Publications, including plans for an upcoming SP on Virtualization.
[[Image:Security_at_the_VMM_Layer_-_OWASP.ppt]]

== Next Meeting ==

Our next meeting will be on 12 July at 6pm at Booz Allen's Herndon facility. See directions below. Our speakers are:

- "Ten Secrets to securing your Java EE Web Applications", Karthik Shyamsunder. Karthik has 15 years of experience in the software industry, strengths include Architecture, Design and Development of both web and standalone enterprise applications using Distributed and Object Oriented technologies. His expertise also includes performance tuning enterprise applications and building highly scalable and secure solutions. Karthik Shyamsunder also serves as an adjunct faculty at Johns Hopkins University, Computer Science School (EPP Program), teaching undergraduate and graduate level courses in the the field of Distributed computing. Some of the courses he teaches are "Distributed Computing on the World Wide Web" and "Enterprise Computing Using Java".

- SANS Secure Developer test and an overview of XSS Proxy being developed, Dave Wichers. Dave is the COO of Aspect Security and OWASP conference chair and co-author of the OWASP Top Ten. Dave has 17 years of experience in the INFOSEC field, in areas such as application security, security architectures, secure designs, security poliies, database security, MLS security and system/software development. He supports the design and development of enterprise web applications, trusted OSs, trusted databases, MLS secure guards, and large integrated systems for a wide variety of commercial and government customers. Dave and I work together at Arca Systems and Exodus Communications and I'm pleased he will be able to speak at one of our chapter meetings.

Pizza will be provided for a small donation.

==Directions==

To Booz Allen's One Dulles facility:

13200 Woodland Park Road
Herndon, VA 20171

From Tyson's Corner:

1. Take LEESBURG PIKE / VA-7 WEST
2. Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)
3. Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)
4. Take the ramp toward CHANTILLY
5. Turn Left onto CENTERVILLE ROAD (at end of ramp)
6. Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)
7. End at 13200 WOODLAND PARK ROAD

Virginia

2007-07-10T12:31:04Z

Swisseman: /* Next Meeting */

Virginia

2007-07-10T12:25:57Z

Swisseman: /* Last Month */

File:Bytecode injection.ppt

2007-07-10T12:25:08Z

Swisseman: Brian Chess from Fortify, presentation to NoVA OWASP chapter in June 2007.

Brian Chess from Fortify, presentation to NoVA OWASP chapter in June 2007.

Virginia

2007-07-10T12:24:10Z

Swisseman: /* Last Month */

File:Java Open Review.ppt

2007-07-10T12:22:05Z

Swisseman: Brian Chess from Fortify shared what's going on with the Java Open Source review project at the June NoVA OWASP meeting.

Brian Chess from Fortify shared what's going on with the Java Open Source review project at the June NoVA OWASP meeting.