{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}

<paypal>Long Island</paypal>

 Educational Supporter: {{MemberLinks|link=http://www.adelphi.edu|logo=AdelphiLogo-150x64.png}}

==== News & Chapter Meeting ====

'''The Next Long Island Chapter meeting will be held:''' 

* Date: Thursday July, 28
* Location: Hofstra University (Tentative)
* Time: 6:30pm-9:30pm
* Topics: TBD
 
----

'''Call For Topics & Speakers''' 
If you are interested in presenting or have a topic you'd like discussed at the July meeting, Please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member]. Topics and Requests to be a speaker should be submitted by June 28th.

 

 
RSVP Requested [http://www.regonline.com/OWASP_LI http://www.owasp.org/images/7/7f/Register.gif]
 



 
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center> <center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center> <center>If you can host an upcoming meeting please contact a [https://www.owasp.org/index.php/Long_Island#tab=Chapter_Board_Members.2FContacts LI board member].</center>
 

==== Calendar ====

'''2011 Meeting Schedule''' ''The information on this page is subject to change'' 

 Thursday, July 28 

*Time: 6:30pm-9:30pm 
*Location: TBD 
*Topics: TBD 

 

----

 Sunday, September 18 

*Time: 12:30pm-3:30pm 
*Location: TBD 
*Topics: TBD 

 

----

 Sunday, November 13

*Time: 12:30pm-3:30pm 
*Location: TBD 
*Topics: TBD 

 

 

==== Past Meetings ====

'''May Meeting'''
*Date: Saturday, May 14, 2011
*Time: 12:30pm - 3:30pm
*Location: University Club Facility at David Mack Hall, Hosftra University, Hempstead, NY 11549-1000
*Topics & Speakers: 
 Robert Gezelter - 
'''Minimum Necessary Implementation: Reducing Attack Surface increase Security''' 
Ensuring the security and integrity of web-based applications is a constant challenge. Web-based applications are inherently customer-facing, and an attractive avenue of attack. However, vulnerability is often unnecessarily increased by poor technology choices. Different technologies have different degrees of vulnerability. ActiveX creates a higher exposure than Java or JavaScript, which in turn has more potential for abuse than simple CSS. Some approaches (e.g., unguarded SQL queries) are particularly vulnerable to attack (e.g., SQL injection); other approaches unnecessarily create exposures by requiring unrestricted trust (e.g., ActiveX). 
Judicious division of responsibilities between clients and servers is another aspect of the same problem, as clients are inherently less-trustable than servers.
We will examine how using the minimum necessary technology reduces attack surface, decreases vulnerabilities, and decreases costs. 
About the speaker - Mr. Gezelter has more than 30 years of international consulting experience on architectures, protocols, and implementation techniques in both the private and public sectors. He has spoken widely at conferences throughout the United States and internationally. He has also published numerous technical papers and book chapters, including two chapters in the Computer Security Handbook, 5th Edition and two chapters in the Handbook of Information Security. He also publishes Ruminations - An IT Blog on a variety of topics relating to Information Technology and systems architect 

'''March Meeting''' '''Date:''' 3/27/2011 Sunday '''Time:''' 12pm-3pm '''Place:''' 2nd Floor, Jericho Public Library, 1 Merry Lane, Jericho, New York 11753 Rajendra Umadas, OWASP Member 

'''Intro to the OWASP Mobile Project'''

The OWASP Mobile Project is in its infancy, but has generated a lot of interest in the security and mobile development communities. Recently, delegates at the OWASP Summit in Portugal started laying the ground work to help guide the project through its inaugural year. One of the objectives for this year will be to ratify the current, unofficial OWASP Mobile Top 10 List. This presentation will do a deep dive into the current list, citing real world examples of insecure mobile applications.

 [http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member

'''The Exploit Intelligence Project'''

In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.

In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats.

 [http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member [http://www.linkedin.com/in/blakecornell Blake Cornell], OWASP Board Member NY/NJ/LI

'''[http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Demo / Web Vulnerabilities Intro''' WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

In this demo we'll use WebScarab against some emulated vulnerabilities developed by Blake Cornell.

 

''Free pizza and beverage will be provided. After event networking will be held at a local bar.'' 

 

==== Chapter Board Members/Contacts ====

*[mailto:heleng@owasp.org Helen Gao, CISSP]
*[mailto:ryan.behan@owasp.org Ryan C Behan]
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704

__NOTOC__ <headertabs />

== External Links ==

*[http://www.youtube.com/user/AppsecTutorialSeries AppSec Tutorial on YouTube]
*[http://www.owasp.org/index.php/OWASP_Training#tab=Videos_.26_Pictures OWASP video and photos]
*[http://www.owasp.org/index.php/Industry:Citations Industry Citations]
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]

[[Category:New York]]